Cryptolocker & the fight against IT's biggest new enemy. Martijn Nielen, Sr. Sales Engineer, WatchGuard

WatchGuard - Cryptolocker and the fight against IT's biggest enemy - Orbid - 20160602


Page 1

Cryptolocker & the fight against IT's biggest new enemy

Martijn Nielen, Sr. Sales Engineer, WatchGuard

Page 2

Houston, we have a problem!

• « My antivirus and IPS are updated but I got infected anyway »

Page 3

First reason: « Zero Day »

• The vulnerability is still unknown
• Or the fix is not yet available

Page 4

Second reason: technology changes, and the hackers change with it…

• "Antivirus is Dead" - Brian Dye, Senior VP of Symantec

Page 5

Antivirus can't keep up

Nearly 88% of malware morphs to evade signature-based antivirus solutions*

* Malwise - An Effective and Efficient Classification System for Packed and Polymorphic Malware, Deakin University, Victoria, June 2013

Page 6

AV Vendor Review

http://labs.lastline.com/lastline-labs-av-isnt-dead-it-just-cant-keep-up

• On average it took 2 days for at least one AV scanner to detect what went undetected on day 0
• Detection rates increase to 61% after two weeks
• After a year, 10% of scanners still do not detect some malware
• The 1-percentile of malware least likely to be detected remained undetected by a majority of AV scanners for months
• In some cases the malware was never detected

Page 7

Advanced Persistent Threat (APT)

• Nation-state techniques are now used for financial gain
• Antivirus can't keep up: new malware is created as a variant of existing malware to avoid detection by classic techniques

Page 8

Evolution of APTs

Today, normal criminal malware exploits the same advanced tactics as nation-state APTs.

Every organization is at risk of advanced threats!

• Zeus copies Stuxnet 0day
• Criminals use 0day malware (Cryptolocker)
• Zeus uses stolen certificates
• Criminal spear phishing
• Criminal watering hole attacks

Page 9

« Cryptolockers »

APT or not APT…

Page 10 (image only)

Page 11 (image only)

Page 12

Malware (r)evolution

(Diagram) Threats plotted from Simple Threats to Sophisticated Threats on one axis and from Opportunistic Attacks to Targeted Attacks on the other: Plain Virus, Packing, Poly-morphic, C&C Fluxing, Persistent Threats, Evasive Threats. Antivirus Solutions and APT Solutions are marked as the two coverage areas.

Page 13

Zero Day Threat Curve

(Chart) Malware And Virus Detection over time: AV versus OS / Application Sandbox.

Page 14

Advanced Malware Analysis

(Diagram) Three generations of analysis, each running on a server:

1st - Sandbox: OS (XP / Win 7) on a hypervisor. High fidelity, low visibility.
2nd - Process Emulation: emulated XP / Win 7 functions over CPU and memory. Low fidelity, high visibility.
3rd - System Emulation: OS (XP / Win 7) on emulated CPU / memory. High fidelity, high visibility.

Page 15

APT Blocker with Code Emulation

Zero Day Malware

• Evasion detection is critical

Page 16

Dynamic evasions

(Diagram labels: Malware?, Stalling, Looping, Inaction, Exploit, Key logger, C&C, Network Traffic)

• Malware checks the environment
• Multi-path execution
• Next step based on results
• Stalling / Looping: wait long enough for analysis to time out
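The evasions on this slide are what an analysis engine has to recognise so that it escalates instead of reporting "inaction". The Python below is an added example, not code from the slide deck or from WatchGuard or Lastline: it scores a recorded sandbox API-call trace for the three patterns named above (environment checks, stalling/looping, and sleeping past the analysis timeout). The trace format, the API name sets, the thresholds and both sample traces are assumptions constructed for the example.

```python
"""Evasion indicators over a sandbox API-call trace.

Added example, not code from the slide deck, WatchGuard or Lastline. It
assumes a sandbox that records one (elapsed_ms, api_name, argument) triple
per monitored call; the API sets, thresholds and both traces below are
constructed for illustration.
"""
from collections import Counter

# Win32 calls a sample commonly uses to fingerprint its surroundings before
# deciding what to do (assumed starting set, not exhaustive).
ENV_CHECK_APIS = {"IsDebuggerPresent", "GetSystemInfo", "GlobalMemoryStatusEx",
                  "RegOpenKeyExW", "RegQueryValueExW", "GetAdaptersAddresses"}
# Substrings in a probed registry path or device name that point at a VM.
VM_ARTIFACT_HINTS = ("vbox", "vmware", "qemu", "virtual", "xen")
# Calls that burn wall-clock time without producing observable behaviour.
STALL_APIS = {"Sleep", "GetTickCount", "QueryPerformanceCounter", "NtDelayExecution"}
# Calls that count as real behaviour the sandbox came to see.
ACTIVITY_APIS = {"CreateFileW", "WriteFile", "InternetOpenUrlW", "connect",
                 "CreateProcessW", "CryptEncrypt"}


def analyse_trace(trace, budget_ms=60_000):
    """Return evasion indicators and a verdict for one sandbox run.

    trace: list of (elapsed_ms, api, argument) tuples in time order.
    budget_ms: the analysis time limit a stalling sample tries to outlast.
    """
    counts = Counter(api for _, api, _ in trace)
    env_checks = sum(counts[a] for a in ENV_CHECK_APIS)
    vm_lookups = sum(1 for _, api, arg in trace
                     if api in ENV_CHECK_APIS
                     and any(h in arg.lower() for h in VM_ARTIFACT_HINTS))
    stall_calls = sum(counts[a] for a in STALL_APIS)
    activity = sum(counts[a] for a in ACTIVITY_APIS)
    # Total sleep requested via Sleep(ms); NtDelayExecution uses 100 ns units
    # and is deliberately left out of this sum.
    requested_sleep_ms = sum(int(arg) for _, api, arg in trace
                             if api == "Sleep" and arg.isdigit())

    indicators = {
        # "Malware checks the environment": a VM artefact was probed, or
        # several fingerprinting calls were made.
        "environment_probing": vm_lookups > 0 or env_checks >= 3,
        # "Stalling / Looping": clock reads and sleeps dominate the trace.
        "stalling": stall_calls >= 10 and stall_calls >= 5 * activity,
        # "Wait long enough for analysis to time out": requested sleep is a
        # large share of the analysis budget.
        "timeout_seeking": requested_sleep_ms >= budget_ms // 2,
    }
    flags = [name for name, hit in indicators.items() if hit]
    if flags:
        # Escalation point for the sandbox operator: extend the budget,
        # fast-forward the clock, or hand the sample to full-system emulation.
        verdict = "evasive"
    elif activity:
        verdict = "behaviour captured"
    else:
        verdict = "inactive"
    return {"verdict": verdict, "flags": flags, "env_checks": env_checks,
            "vm_lookups": vm_lookups, "stall_calls": stall_calls,
            "activity": activity, "requested_sleep_ms": requested_sleep_ms}


def evasive_sample_trace():
    """Constructed trace: probes for VMware, then sleeps past a 60 s budget."""
    trace = [
        (5, "IsDebuggerPresent", ""),
        (9, "RegOpenKeyExW", r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"),
        (12, "GetAdaptersAddresses", ""),
    ]
    t = 20
    for _ in range(15):  # 15 x Sleep(5000) = 75 s requested, nothing else done
        trace.append((t, "GetTickCount", ""))
        trace.append((t + 1, "Sleep", "5000"))
        t += 5000
    return trace


def benign_sample_trace():
    """Constructed trace: a document editor saving a file with one short pause."""
    return [
        (3, "GetSystemInfo", ""),
        (7, "CreateFileW", r"C:\Users\user\Documents\report.docx"),
        (15, "WriteFile", "4096"),
        (20, "Sleep", "100"),
        (130, "WriteFile", "4096"),
    ]


if __name__ == "__main__":
    for name, trace in (("evasive", evasive_sample_trace()),
                        ("benign", benign_sample_trace())):
        print(name, analyse_trace(trace))
```

Run stand-alone it prints a verdict for both constructed traces. The useful outcome is the "evasive" verdict with zero activity: on its own a trace like that looks like a harmless binary that did nothing, and only the combination of probing plus time-burning marks it as a sample that should be re-run with a longer budget or under the full-system emulation the deck describes on pages 14 and 23. The thresholds are operator-tunable assumptions and would be calibrated against known-good software before use.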

Page 17

WatchGuard Best of Breed Defense in Depth

• AntiVirus
• URL Filtering
• AntiSpam
• IPS
• App Control
• Data Loss Prevention
• APT
• Platform: WatchGuard Management

Page 18

Lastline recommended by NSS: 2015 BDS Security Value Map

Page 19

Unified Threat Management Platform Security Eco System

• Default Threat Protection
• Proxy – Web, Email, FTP
• Application Control / IPS
• Webblocker / RED / SpamBlocker
• AV - Malware APTBlocker

Page 20

APT Blocker: Configuration

Page 21

APT Blocker

• APTBlocker Local Cache
• Remote “Cache”
• File inspection

Page 22

Did you get Locky?

http://watchguardsecuritycenter.com

Once I verified that many of our UTM’s security services could detect Locky, I ran through one last test… I personally tried to download the malicious file “Rechnung-263-0779.xls” from my webmail. I’ve configured my WatchGuard Firebox with HTTPS Deep Inspection. This feature allows WatchGuard’s security services, such as GAV and Intrusion Prevention Service (IPS), to run security scans even on encrypted web traffic, like the webmail I was using to download this ransomware. Despite the encrypted webmail connection, our Firebox detected and blocked the Locky invoice file with the GAV service. It was unable to reach my workstation.

As you can see, WatchGuard XTM and Firebox appliances have several features that can help prevent ransomware like Locky. However, these protections only work if you turn them on and configure them properly. If you want to keep Locky off your network, I highly recommend you read the Knowledgebase Article “How to prevent ransomware and other malicious malware with your Firebox”. — Jonas Spieckermann

You need to enable HTTPS DPI on your Firebox!

Page 23

An APT solution should

• not be dependent on (AV) signatures
• not depend on traditional sandbox technology
• detect evasions
• take prompt action in real time

Page 24

Visibility in WatchGuard Dimension

Advanced Malware in Security Dashboard

Page 25

True APTs – even obvious from the Dutch file names

• Advanced: trigger interest
• Targeted: e.g. containing the name of the organization
• Threats: true APTs
• Watering holes – “Eucharistieviering” (Dutch)
• Chain-of-trust: by using ‘religious activities’ and social-engineering-based factors
• Non-profit organizations targeted

Page 26 (image only)

Page 27 (image only)