2016 Cybersecurity Threat Landscape - Sogeti Finland (presentation transcript)
Kimmo Vesajoki, Country Manager, Finland & Baltics, Trend Micro EMEA Ltd.
Copyright 2014 Trend Micro Inc.
Trend Micro
27 years focused on security software, largest independent vendor
Consistent – A World Safe for Exchanging Digital Information
Headquartered in Japan, Tokyo Exchange Nikkei Index (4704)
8 consecutive years on Dow Jones Sustainability Indexes
Customers include 48 of top 50 global corporations
5300+ employees, 50 countries worldwide
500k commercial customers & 155M endpoints protected
[Slide: customer segments served: Small Business, Midsize Business, Enterprise, Consumer]
[Slide: Age of the Modern Enterprise: hyper-competitive; social, mobile, connected, IoT, cloud, global; rapid adoption; Data Center]
Source: Trend Research 2015
• 500,000 new unique threats every day
• 74% of attacks begin with spear-phishing
• 90% of malware only affects one device
• 60% of malicious domains are alive for less than an hour
Drivers of change: Cloud and Virtualization, Consumerization, Complex Networks
Multinational research, development and support center with an extensive regional presence (1300+ researchers)
Current Threat Activity: 2015 Threat Landscape in Review
• Trend Micro Smart Protection Network blocked over 52 billion threats in 2015
• Attackers have become more selective of their targets
• Data breach information is used for online extortion
• Techniques used include file-less malware installations, not only malware-based threats such as exploit kits
2016 Security Predictions (see also Global Risks Landscape 2016, http://www3.weforum.org/docs/Media/TheGlobalRisksReport2016.pdf)
1 2016 will be “the Year of Online Extortion”
2 Data breaches will be used to destroy hacktivists’ targets
3 Mobile malware will grow to 20M by the end of 2016
4 IoT smart device failures may become lethal
• Healthcare was the most affected industry: the Anthem and Premera Blue Cross breaches combined exposed over 90 million patient records
• The U.S. Office of Personnel Management data breach exposed the personal information of around 21.5 million federal employees and retirees
• Around 41% of data breaches in the US have been caused by device loss; remote device wipe, disk encryption, virtual infrastructure and stricter security policies are needed
• Breaches involving malware and hacking require breach detection and network security solutions
Threat Landscape Evolution
[Figure: damage caused by crimeware over time, 2001 to 2015. Successive waves: Worm Outbreaks, Vulnerabilities, Spam / Mass Mailers, Spyware, Intelligent Botnets, Web Threats, Targeted Attacks, Mobile Attacks and, in 2015, Destructive Attacks / Crypto-ransomware.]
Ransomware Evolution
Ratio of ransomware vs crypto-ransomware:
Q4 2014: Ransomware 80%, Crypto-ransomware 20%
Q4 2015: Ransomware 17%, Crypto-ransomware 83%
2016 Ransomware: January and February 2016
[Table: families LOCKY, CRYDAP, CRYPHYDRA, CRYPTRITU, CRYPJOKER, MEMEKAP, EMPER, LECTOOL, CRYPRADAM, CRYPNISCA, CRYPZUQUIT, MADLOCKER, CRYPGPCODE, with columns infection vector, mode of payment, encrypted data and encryption. Infection vectors listed: spam (including invoice spam and attachments disguised as PDF), macro and JS downloaders, exploit kits. Ransom demands listed range from 0.1 to 13 bitcoins, or 350 to 400 dollars and 536 GBP; in one case the victim must email the malware author for payment instructions, and in one case there is no ransom note at all. Encrypted data listed: personal files, DB files, web page files, code, wallet.dat. Encryption listed: keys generated locally (in one case generated locally and then deleted), private key held on the server, public key or encryption key obtained from the C&C.]
March 2016 - Ransomware
[Table: families KeRanger, Tesla 4.0, Cerber, Crypaura, Petya, Maktub, Surprise, Powerware, Cryptoso, Coverton, CryptoHasu, Kimcil, Miraware, with columns SPN detection hits, infection vector, encryption, self-destruct, encrypted data and mode of payment. Infection vectors listed: exploit kits, spam (terms-of-service spam, macro downloader attachments, job applications with a Dropbox link, macro or JS attachments), TeamViewer, App Store, hack. Encrypted data listed: personal files, macOS files (KeRanger), DB files, games, code, wallet, accounting/finance files, US tax return files, scripts and programs, website files (Kimcil, which targets Magento eCommerce sites). Encryption listed: public key from C&C, AES key generated locally with public key from C&C, 5 key pairs generated locally, private key obtained after payment. Ransom demands listed range from 0.5 to 25 BTC ($140 to $1,638 where USD figures are given); some increase daily. Other notes on the slide: Cerber "speaks" its ransom note, Powerware is a PowerShell script, Petya overwrites the MBR and causes a BSOD, one family is tied to tax fraud, self-destruct is "no" for every family listed, and several entries were still under reversing.]
April 2016 - Ransomware
[Table: families CRYPSAM, CRYPSALAM, CRYPTOHOST, JIGSAW, XORBAT, WALTRIX, ZIPPY, with columns SPN detection hits, infection vector, encryption, self-destruct, encrypted data and mode of payment. Infection vectors listed: exploit kit, spam, JS attachment, hack (a JBoss CVE). Encryption listed: keys generated locally; CryptoHost locks files in a password-protected RAR archive. Encrypted data listed: personal files (no additional file types), DB files, scripts and programs. Ransom demands listed range from 0.35 to 1 BTC (one increasing by 1 BTC periodically) and $150 for Jigsaw, which deletes files if the victim does not pay. Self-destruct is "no" for some families and "yes" for others, and several entries were still under reversing.]
Best practices against crypto-ransomware
1 Holistic security review, including policies and processes, to minimize the risk of ransomware
2 Network segmentation to ensure any infection is contained
3 Offline back-ups to ensure that if ransomware hits an IT system, it doesn't also encrypt the backed-up files
4 Whitelisting to reduce risk and allow only trusted programs to run on your network
5 Email blocking: most ransomware can be stopped at the gateway level
6 Sandboxing and behaviour monitoring to catch new malware variants and quarantine unlawful crypto-processes
7 Fake ransomware attacks sent to employee inboxes periodically for user education and improved resilience to ransomware
8 User rights management and access controls to further lower the risk of infection
Risk Management Requires Layered Protection
Servers: protect server workloads wherever they may be (physical, virtual or cloud)
Networks: detect and block threats hitting the data center and user environments, maximizing efficiency
Users: protect user activities anywhere on any device, reducing the initial point of infection
The need for connected threat defense and centralized visibility increases.
Gartner Magic Quadrant for Endpoint Protection Platforms
“Trend Micro is a good shortlist candidate for all types of buyers.”
A “Leader” in the MQ for Endpoint Protection for 14 consecutive years
Source: Gartner, Magic Quadrant for Endpoint Protection Platforms, Peter Firstbrook and Eric Ouellet, 1 February 2016
Security for SaaS-based applications: Trend Micro Cloud App Security
• Advanced Threat Detection: finds zero-day and hidden threats; sandbox file analysis in the cloud
• DLP: discovery and visibility into confidential data usage; 240 customizable templates
• Direct cloud-to-cloud integration
Ransomware Detection
• Traditional Methods
– Relies on signatures to detect the ransomware
– Provide specific tools that stop it from spreading
• Advanced Method
– Behavior monitoring of applications for changes to files or encrypting of files
– Filter out known good apps
– Terminate & quarantine
Both methods used by Trend Micro OfficeScan endpoint protection
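Added example, not code from the presentation or from any Trend Micro product: a minimal behaviour-monitoring rule in the spirit of the "Advanced Method" above and of best practice 6 (sandboxing and behaviour monitoring), run over a constructed stream of file-write events. Process names, paths, the allowlist and the thresholds are assumptions; a process is flagged for termination and quarantine when it repeatedly rewrites files with a changed extension and near-random content, unless it is on the known-good allowlist.

```python
import math
from collections import defaultdict
from dataclasses import dataclass

# Allowlist stands in for the "filter out known good apps" step; names are constructed.
KNOWN_GOOD = {"backup-agent.exe"}
ENTROPY_THRESHOLD = 7.5    # bits per byte; encrypted or compressed data sits near 8.0
MIN_SUSPICIOUS_WRITES = 3  # high-entropy rewrites tolerated before we act

@dataclass
class WriteEvent:
    process: str   # image name of the writing process
    old_path: str  # path before the write or rename
    new_path: str  # path after it
    data: bytes    # content written

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def is_suspicious_write(ev: WriteEvent) -> bool:
    """Encryption-like: the extension changed AND the new content is near-random."""
    old_ext = ev.old_path.rsplit(".", 1)[-1].lower()
    new_ext = ev.new_path.rsplit(".", 1)[-1].lower()
    return old_ext != new_ext and shannon_entropy(ev.data) > ENTROPY_THRESHOLD

def evaluate(events) -> dict:
    """Map each process to (suspicious write count, action); allowlisted apps are skipped."""
    hits = defaultdict(int)
    for ev in events:
        if ev.process not in KNOWN_GOOD and is_suspicious_write(ev):
            hits[ev.process] += 1
    return {p: (hits[p], "terminate_and_quarantine" if hits[p] >= MIN_SUSPICIOUS_WRITES
                else "allow") for p in {ev.process for ev in events}}

# Constructed sample stream: uniform bytes give entropy exactly 8.0; prose is far lower.
HIGH_ENTROPY = bytes(range(256)) * 16
PLAIN_TEXT = b"Quarterly revenue report, draft 3.\n" * 100
SAMPLE_EVENTS = [
    WriteEvent("winword.exe", "C:/u/report.docx", "C:/u/report.docx", PLAIN_TEXT),
    WriteEvent("backup-agent.exe", "C:/u/photo.jpg", "D:/bak/photo.jpg.enc", HIGH_ENTROPY),
] + [WriteEvent("invoice.js", f"C:/u/doc{i}.xlsx", f"C:/u/doc{i}.locky", HIGH_ENTROPY)
     for i in range(3)]
```

Calling evaluate(SAMPLE_EVENTS) flags only invoice.js: the backup agent writes encrypted archives too, which is exactly why the allowlist step matters before terminating anything.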
Application Control
• Quickly build application lists with saved search criteria
+ The reputation score is ≥ “★★★☆☆”
+ Usage is ≥ Medium in North America
+ Was first detected over 7 days ago
– The category is not “Browser and Browser Tools”
Virtual Patching / Host-IPS: protect against vulnerabilities
• Prevent vulnerability exploits (Shellshock, Heartbleed)
• Reduce the need for emergency patching
• Accelerate compliance with key regulations like PCI
[Figure: traditional patch management timeline runs from zero-day vulnerability disclosed, to patch available, to test, to begin deployment, to patch applied and protected. With virtual patching, a virtual patch is available in under 24 hours and the system is protected against attack while the patch cycle runs.]
DV Labs: world’s best zero-day vulnerability research
• Delivers 11 zero-day filters/week
• Over 650 vulnerabilities published in 2015
Greatly Enhancing Our Zero-Day Protection
Siloed protection: central visibility is hard when Investigation / Forensics, Modern Anti-Malware, Data Protection, Behavior Monitoring / Sandboxing, Application Control and Vulnerability Shielding each run in isolation.
Central visibility helps, but manual correlation is too difficult and slow!
A connected threat defense is required for timely, adaptive protection.
Connected Threat Defense
PREVENT: assess potential vulnerabilities and proactively protect endpoints, servers and applications
DETECT: detect advanced malware, behavior and communications invisible to standard defenses
VISIBILITY & CONTROL: gain centralized visibility across the system, and analyze and assess the impact of threats
RESPOND: enable rapid response through shared threat intelligence and delivery of real-time security updates
Customers include 100% of the top 10 automotive companies, 96% of the top 50 global corporations, 100% of the top 10 telecom companies, 80% of the top 10 banks and 90% of the top 10 oil companies.
5500+ Employees in 50+ Countries
Founded: 1988, United States
Headquarters: Tokyo, Japan
2014 Sales: $1.1B USD
Customers: 500,000 businesses, Millions of consumers
A world safe for exchanging digital information
“We secure the continuity of your business in a manner that doesn’t burden your IT department and visualize your organization’s security posture in a single pane-of-glass with centralized management of information security across your entire IT infrastructure”
Questions?
Thank you!