SOPHOS

Stopping Tomorrow’s Attacks Today: a next-gen approach for advanced threats

Lars Putteneers
7 June 2015

1
Sophos Snapshot
• Founded in 1985
• FY15 billing: $450M (approx.)
• Employees: 2,200 (approx.)
• HQ: Oxford, UK
• Customers: 200,000+
• Users: 100M+
• Renewal rates: 90+% (best in class)
• Channel partners: 15,000+
• Also shown on the slide: OEM partners, key dev centers, offices

2
Sophos Complete Security in an Enterprise
[Architecture diagram. SophosLabs across the top: reputation data, active protection, correlated intelligence, content classification. Locations shown: at home and on the move, remote office 1, remote office 2, headquarters, Sophos Cloud. Products placed in the diagram: UTM, NextGen Firewall, Secure Web Gateway, Secure Email Gateway, Secure Wi-Fi, Guest Wi-Fi, Secure VPN, RED, Web Application Firewall, Mobile Control, Endpoint Security, SafeGuard Encryption, Network Storage Antivirus, Server Security, Administration.]

3
Tomorrow’s attacks

4
Anatomy of a ransomware attack

Installation
Installation via an exploit kit or spam with an infected attachment. Once installed, the ransomware modifies registry keys.

Contact with the command & control server of the attacker
The ransomware sends information about the infected computer to the C&C server and downloads an individual public key for this computer.

Encryption of assets
Certain files are then encrypted on the local computer and on all accessible network drives with this public key. Automatic backups of the Windows OS (shadow copies) are often deleted to prevent data recovery.

Ransom demand
A message appears on the user’s desktop explaining how a ransom (often in the form of bitcoins) can be paid within a time frame of e.g. 72 hours to enable decryption of the data with the private key, to which only the attacker’s system has access.

And gone
The ransomware then deletes itself, leaving just the encrypted files and ransom notes behind.

5
Angler: an all-too-well-known exploit kit
• Grown in notoriety since mid 2014
○ The payload is stored in memory and the disk file is deleted
○ Detects security products and virtual machines
○ Ability to spread many infections: banking Trojans, backdoors, rootkits, ransomware
• Easy to use
○ Doesn’t require any particular technical competence
○ Available for a few thousand USD on the Dark Web

6
Angler’s evolution into the dominant exploit kit
[Chart: Angler’s evolution into the dominant exploit kit; time axis Sep 2014, Jan 2015, May 2015.]

7
Another one bites the dust
• 350,000 new malware programs per day
• 70% of organisations reported a compromise in the last 12 months
• $500 billion WW damages
• Estimated to rise to $1.5 trillion by 2019

8
The next-gen approach:
Sophos Clean
Hitman Pro
Sophos Sandstorm

9
Sophos Clean
• All new business product
• The Removal Complete part of Hitman Pro, now a standalone product

10
Should I Stay Or Should I Go

11
Bullet in the head

12
Hitman Pro
• Product of Surfright
• For consumer and business market
• Signature-less protection
• Will come in cloud and on-premise solutions

13
Hitman Pro: Risk Reduction

14
Hitman Pro: Risk Reduction

15
CryptoGuard – Say Goodbye to Ransomware

Ransomware
• Cryptowall costs users $325M in 2015
○ 2 out of 3 infections driven by phishing attack
○ Delivered by drive-by exploit kits
○ 100’s of thousands of victims worldwide
• More variants – Locky and Samas
○ Now for Mac and Windows users
• Targeting bigger phish
○ $17K payment from California hospital

CryptoGuard
• Simple and comprehensive
• Universally prevents spontaneous encryption of data
• Simple activation in Sophos Central

16
CryptoGuard
1. Monitors file system activity
2. When a file is opened for write, create a just-in-time backup of the file
3. When the file is closed, compare contents
4. When the file is no longer a document, mark it as suspicious
5. If this happens on many files (3 or more), roll back the files from the above backup and revoke write access from the process (or client IP) that made the changes
6. All modifications are tracked per process or per client IP, so if a remote client modifies files, they are tracked, rolled back and blocked if needed
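The six steps above as an added worked model in Python. This is not Sophos code and not CryptoGuard’s implementation: it is a small in-memory monitor that keeps a pre-write backup per actor, flags a file when a document turns into non-document data, and after three such files rolls that actor’s writes back and revokes its access. The file contents, the actor names (a local editor process and a remote client IP) and the “looks like a document” heuristic are all constructed for the demonstration.

```python
"""Toy model of the CryptoGuard rollback steps (added example, not Sophos code).
Files live in a dict standing in for a disk or share; actors are process names
or client IPs, so the same bookkeeping covers local and remote writers (step 6)."""
import math
import random
from collections import Counter, defaultdict

SUSPICIOUS_FILE_THRESHOLD = 3  # step 5: "3 or more" files


def looks_like_document(data: bytes) -> bool:
    """Constructed stand-in for step 4's 'no longer a document' test: known
    document magic bytes, or mostly printable text with modest byte entropy.
    Freshly encrypted content fails both checks."""
    if not data:
        return True
    if data.startswith(b"%PDF") or data.startswith(b"PK\x03\x04"):  # PDF / OOXML zip
        return True
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)
    counts = Counter(data)
    entropy = -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())
    return printable > 0.9 and entropy < 6.0


class RollbackMonitor:
    """Tracks writes per actor (process name or client IP)."""

    def __init__(self, files: dict[str, bytes]):
        self.files = files                    # path -> current content
        self.backups = {}                     # (actor, path) -> pre-write copy (step 2)
        self.suspicious = defaultdict(set)    # actor -> paths that stopped being documents
        self.blocked = set()                  # actors whose write access was revoked
        self.rolled_back = defaultdict(list)  # actor -> paths restored from backup

    def _check_access(self, actor: str) -> None:
        if actor in self.blocked:
            raise PermissionError(f"write access revoked for {actor}")

    def open_for_write(self, actor: str, path: str) -> None:
        self._check_access(actor)
        # step 2: keep the first pre-write copy this actor caused, never a later one
        self.backups.setdefault((actor, path), self.files[path])

    def write(self, actor: str, path: str, data: bytes) -> None:
        self._check_access(actor)
        self.files[path] = data

    def close(self, actor: str, path: str) -> None:
        original = self.backups.get((actor, path))
        if original is None:
            return
        current = self.files[path]
        # steps 3-4: compare contents; a document turning into non-document data is suspicious
        if current != original and looks_like_document(original) and not looks_like_document(current):
            self.suspicious[actor].add(path)
        # step 5: enough suspicious files -> restore everything this actor touched and block it
        if len(self.suspicious[actor]) >= SUSPICIOUS_FILE_THRESHOLD and actor not in self.blocked:
            self._rollback(actor)

    def _rollback(self, actor: str) -> None:
        for (who, path), original in self.backups.items():
            if who == actor:
                self.files[path] = original
                self.rolled_back[actor].append(path)
        self.blocked.add(actor)


# constructed in-memory "share"
ORIGINAL_FILES = {
    "reports/q1.txt": b"Q1 report: revenue up 4%, churn flat, headcount 2200.\n" * 8,
    "reports/q2.txt": b"Q2 report: two remote offices opened, VPN rollout done.\n" * 8,
    "reports/q3.txt": b"Q3 report: renewal rate above 90%, partner count 15000.\n" * 8,
    "notes/todo.txt": b"- patch browsers\n- review backup schedule\n" * 8,
}


def scrambled(length: int, seed: int) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed, not real encryption)."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(length))


def simulate() -> RollbackMonitor:
    mon = RollbackMonitor(dict(ORIGINAL_FILES))
    # benign local editor: a document rewritten as another document is not suspicious
    mon.open_for_write("editor.exe", "notes/todo.txt")
    mon.write("editor.exe", "notes/todo.txt", b"- patch browsers (done)\n- review backup schedule\n" * 8)
    mon.close("editor.exe", "notes/todo.txt")
    # remote client (constructed IP, tracked per step 6) overwriting documents with non-document data
    remote = "10.0.0.7"
    for i, path in enumerate(["reports/q1.txt", "reports/q2.txt", "reports/q3.txt", "notes/todo.txt"]):
        try:
            mon.open_for_write(remote, path)
            mon.write(remote, path, scrambled(512, seed=i))
            mon.close(remote, path)
        except PermissionError:
            break  # the fourth file is never opened: access was revoked after the third
    return mon
```

Running `simulate()` leaves the three reports restored to their original bytes, the editor’s change to `notes/todo.txt` intact, and `10.0.0.7` in the blocked set. The check compares the before and after content rather than looking for a known encryptor, which is why the same logic applies to an unknown variant or to a remote client on a share.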

17
Hitman Pro: Exploit Mitigation

18
Hitman Pro: Exploit Mitigation

19
Hitman Pro: Exploit Mitigation

20
Hitman Pro: Exploit Mitigation

21
Hitman Pro: Safe Browsing

22
Hitman Pro: Safe Browsing

23
Hitman Pro: Removal Complete

24
Hitman Pro: Removal Complete

25
Sophos Sandstorm
Advanced Threat Defense Made Simple

How Sophos Sandstorm works
1. If the file has known malware it’s blocked immediately. If it’s otherwise suspicious, and hasn’t been seen before, it will be sent to the sandbox for further analysis. When web browsing, users see a patience message while they wait.
2. The file is detonated in the safe confines of the sandbox and monitored for malicious behaviour. A decision to allow or block the file will be sent to the security solution once the analysis is complete.
3. A detailed report is provided for each file analyzed.

Products shown: Secure Web Gateway, Secure Email Gateway, Unified Threat Management, Next-Gen Firewall
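The three-step flow above as an added worked model in Python, not Sophos code and not how Sandstorm is implemented: a gateway that blocks a known-malware hash at once, lets plainly uninteresting files through, reuses an earlier verdict for a suspicious file it has already analysed, and only detonates suspicious files it has not seen, producing a report for each file. The sample files, the “known malware” hash, the suspicious-file pre-filter and the behaviour traces the sandbox “observes” are all constructed; the detonation is replaced by a lookup of those traces.

```python
"""Toy model of the Sandstorm decision flow (added example, not Sophos code)."""
import hashlib
from dataclasses import dataclass, field


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# constructed files crossing the gateway
SAMPLES = {
    "invoice.pdf": b"%PDF-1.4 constructed harmless document",
    "update.exe": b"MZ constructed program that only writes a log",
    "payroll.docm": b"PK\x03\x04 constructed macro document",
}
# constructed signature list: hash of a sample the gateway already knows as malware (step 1)
KNOWN_MALWARE = {sha256(b"MZ constructed sample already known bad")}
# constructed behaviour traces, keyed by hash, standing in for what a real sandbox records (step 2)
SANDBOX_TRACES = {
    sha256(SAMPLES["update.exe"]): ["writes C:\\ProgramData\\update.log"],
    sha256(SAMPLES["payroll.docm"]): ["spawns powershell.exe", "deletes volume shadow copies",
                                      "encrypts user documents"],
}
MALICIOUS_BEHAVIOURS = {"deletes volume shadow copies", "encrypts user documents",
                        "injects into another process"}


def is_suspicious(name: str, data: bytes) -> bool:
    """Constructed pre-filter: executables and script/macro file types are worth detonating."""
    return data.startswith(b"MZ") or name.lower().endswith((".docm", ".xlsm", ".js", ".scr"))


@dataclass
class Report:
    """Step 3: one report per file analysed."""
    file_name: str
    sha256: str
    decision: str  # "allow" or "block"
    reason: str
    behaviours: list = field(default_factory=list)


class Gateway:
    def __init__(self):
        self.cache = {}    # sha256 -> Report, so a file seen before is not detonated again
        self.reports = []  # every Report issued, in order

    def inspect(self, name: str, data: bytes) -> Report:
        digest = sha256(data)
        if digest in KNOWN_MALWARE:
            report = Report(name, digest, "block", "known malware signature")
        elif not is_suspicious(name, data):
            report = Report(name, digest, "allow", "not suspicious, no sandbox needed")
        elif digest in self.cache:
            previous = self.cache[digest]
            report = Report(name, digest, previous.decision,
                            "verdict reused from earlier analysis", previous.behaviours)
        else:
            # suspicious and unseen: this is where a browsing user sees the patience message
            report = self.detonate(name, digest)
            self.cache[digest] = report
        self.reports.append(report)
        return report

    def detonate(self, name: str, digest: str) -> Report:
        """Stand-in for the sandbox run: read the constructed trace and apply the behaviour rules."""
        behaviours = SANDBOX_TRACES.get(digest, [])
        hits = sorted(set(behaviours) & MALICIOUS_BEHAVIOURS)
        if hits:
            return Report(name, digest, "block",
                          "malicious behaviour in sandbox: " + ", ".join(hits), behaviours)
        return Report(name, digest, "allow", "no malicious behaviour observed in sandbox", behaviours)


def run_demo():
    gw = Gateway()
    results = [gw.inspect(n, d) for n, d in SAMPLES.items()]
    results.append(gw.inspect("known_bad.exe", b"MZ constructed sample already known bad"))
    results.append(gw.inspect("payroll_copy.docm", SAMPLES["payroll.docm"]))  # same hash: cached verdict
    return gw, results
```

In `run_demo()` the PDF is allowed without a sandbox round trip, the known-bad executable is blocked on its hash alone, the macro document is blocked for the behaviour it showed, and the renamed copy of that document gets the cached verdict instead of a second detonation. Keying the cache on the content hash rather than the file name is what makes “hasn’t been seen before” hold up when the same file arrives under a different name.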

26
Summary
27
I just want to be your everything

Layered protection (share of threats handled by each layer, from traditional malware on the left to advanced threats on the right):
• Exposure prevention – 80%: malicious URL blocking, malicious web script detection, download reputation
• Pre-execution analytics and heuristics – 10%: generic matching using heuristics and component-level rules
• Signatures – 5%: signature match of malware or malware components (1-1)
• Run-time behavior analytics – 3%: behavior matching and runtime analytics
• Exploit detection – 2%

Methods and techniques vary depending on device type and operating system (Windows, Mac, Linux/Unix variants, Android, iOS). And SophosLabs never stops innovating and assessing new techniques.
28
More information
• Sophos whitepaper on how to stay protected from ransomware
https://www.sophos.com/en-us/medialibrary/Gated%20Assets/white%20papers/sophosransomwareprotectionwpna.pdf?la=en
• Sophos technical whitepaper on ransomware
https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-current-state-of-ransomware.pdf?la=en
• Naked Security – regular stories on Locky and other ransomware attacks
https://nakedsecurity.sophos.com/
• IT Security DOs and DON'Ts
https://www.sophos.com/en-us/medialibrary/PDFs/employeetraining/sophosdosanddontshandbook.pdf?la=en
• Threatsaurus
https://www.sophos.com/en-us/medialibrary/PDFs/other/sophosthreatsaurusaz.pdf?la=en
29
Questions?

30
© Sophos Ltd. All rights reserved.
31
