©2016. CYREN Ltd. All Rights Reserved. Proprietary and Confidential. This document and the contents therein are the sole property of CYREN and may not be transmitted or reproduced without CYREN’s express written permission.

Webinar: Insights from Cyren's 2016 cyberthreat report



CYREN 2016 Cyberthreat Report
Lior Kohavi — CTO
Avi Turiel — Director of Threat Research
John Callon — Sr. Director, Product Marketing


Agenda
• In 2016: Detection is not the new prevention
• Sandbox-aware malware
• Demo of automated analysis
• Big data and threat detection
• Malware success indicates future trends
• Incremental attack improvements
• Yearly trends


In 2016, Detection is not the new prevention

Detection
• Based on a false perception that sophisticated attacks are too difficult to prevent
• Detecting breaches after the fact is all that can be done

Prevention
• Complete automation of the detection framework
• Includes advanced analysis of potential threats to improve prevention


Prediction: Proliferation of sandbox-aware malware

More and more malware will learn and become ‘aware’ of specific sandboxes, preventing “detonation” of the malware and subsequent detection. Cloud-based multi-sandbox arrays will prevent this, since the malware can’t recognize every possible environment.


Sandbox-aware malware

Challenges:
• Malware detects OS features
  • Detects virtualization & debug tools
  • Runs only when specific files/registry keys are found
  • Runs only on 32/64 bit, Windows 7/8/10 or XP
• Malware detects environment conditions
  • Runs only in specific domain names
  • Runs only when specific systems are found in the network
  • Detects proxy settings
• Time-aware malware
  • Runs only at specific times of the day/week/month
  • Runs only at specific intervals
  • Runs only in specific time zones
  • Requires long runtime – hours, even days
• Geo-location-aware malware
  • Runs only in specific regions/countries
• Communication
  • Malware uses TLS/SSL to call home
  • C&C server unavailable due to many reasons


CYREN Advanced Malware Analysis (architecture diagram; only its labels survive extraction)

Inputs: URLs, malware samples, emails for analysis
Analysis engines: Sandbox A, Sandbox B, Mobile Sandbox, sandbox-less analysis (OS heuristics, network heuristics), IDS, external feeds, reputation
Arbitrator: combines the engines' results into conclusions
Outputs: RSS, API (raw data), reporting
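The two preceding slides describe the problem (malware that fingerprints its environment and stays dormant) and the answer (several analysis engines whose verdicts an arbitrator combines). The following Python is an added illustration of both, not Cyren's code: it scans a constructed sandbox API trace for the evasion categories listed on the slide, then merges per-engine verdicts so that a sample which refused to run in one sandbox cannot be rated clean if it showed evasion behaviour elsewhere. The trace format, the API names used as signatures, the engine names and the arbitration rule are all assumptions made for this example.

```python
"""Added example (not Cyren's code): spot sandbox-evasion behaviour in an
analysis trace and combine the verdicts of several engines the way the
multi-sandbox 'Arbitrator' on the slide is described. The trace format, API
names and arbitration rule are assumptions made for this illustration."""
import re

# Constructed sample trace: one "Api(args)" call per line, as a sandbox might log it.
SAMPLE_TRACE = """\
RegOpenKeyEx(HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions)
IsDebuggerPresent()
GetSystemTime()
Sleep(600000)
GetUserDefaultLCID()
InternetOpenUrl(https://example.invalid/beacon)
"""

# One regex list per evasion category from the slide. Patterns match API names
# and arguments a sample would only query to fingerprint its surroundings.
EVASION_SIGNATURES = {
    "virtualization/debugger check": [r"IsDebuggerPresent", r"VirtualBox|VMware|vbox"],
    "time awareness": [r"GetSystemTime|GetLocalTime|GetTickCount",
                       r"^Sleep\(\d{6,}\)"],          # sleeps of 100 s or more
    "geo/locale check": [r"GetUserDefaultLCID|GetTimeZoneInformation"],
    "environment fingerprinting": [r"GetComputerName|DsGetDcName|NetGetJoinInformation"],
    "encrypted callback": [r"InternetOpenUrl\(https://"],
}


def find_evasion_indicators(trace: str) -> dict[str, list[str]]:
    """Map each evasion category to the trace lines that triggered it."""
    hits: dict[str, list[str]] = {}
    for line in trace.splitlines():
        for category, patterns in EVASION_SIGNATURES.items():
            if any(re.search(p, line) for p in patterns):
                hits.setdefault(category, []).append(line)
    return hits


def arbitrate(verdicts: dict[str, str], evasion_categories: int) -> str:
    """Combine per-engine verdicts into one.

    verdicts maps an engine name (sandbox A, sandbox B, IDS, reputation feed ...)
    to one of 'malicious', 'suspicious', 'clean' or 'no-detonation'.
    Rule (assumed): any malicious verdict wins; a sample that stayed dormant in
    one environment but showed two or more evasion tricks elsewhere is not
    allowed to pass as clean.
    """
    values = set(verdicts.values())
    if "malicious" in values:
        return "malicious"
    if "suspicious" in values:
        return "suspicious"
    if "no-detonation" in values and evasion_categories >= 2:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    hits = find_evasion_indicators(SAMPLE_TRACE)
    for category, lines in hits.items():
        print(f"{category}: {len(lines)} line(s)")
    # Sandbox A saw nothing happen; sandbox B detonated the sample.
    print(arbitrate({"sandbox_a": "no-detonation", "sandbox_b": "malicious", "ids": "clean"},
                    len(hits)))
```

The point of the arbitration rule is the "no-detonation" state: a sandbox that saw nothing is not evidence of a clean file, and the evasion count from whichever engine did observe the sample is what turns silence into a suspicious verdict.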


Live malware analysis
• Show automated analysis process


“WhatsApp” audible message attack
• “Audible message” email attachment
• Bayrob, Nivdort, or Symmi
• Password stealer, bitcoin miner
• Uses memory dumping to prevent analysis
• Domain generation algorithm (DGA)
  • “[email protected]”
  • “mountainmeasure.net”
  • “winteranger.net”
  • “subjectafraid.net”
• Evaded one sandbox, detonated in the second sandbox allowing detection
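The DGA domains on this slide share a visible structure: two ordinary English words joined under a generic TLD. The following Python is an added triage heuristic for that word-list style of DGA, not Cyren's code and not the malware's actual algorithm: it splits a domain's second-level label into two dictionary words and raises an alert only when one host looks up several such domains, since a single hit could just as well be a real brand. The embedded word list, the sample DNS lookups and the threshold are constructed for this example.

```python
"""Added example (not Cyren's code): a triage heuristic for word-list DGAs such
as the Bayrob/Nivdort-style domains on the slide, which concatenate two
dictionary words under a generic TLD. The word list and thresholds are
assumptions for this illustration; a real deployment would use a full
dictionary and tune the thresholds against its own DNS logs."""
from typing import Optional

# Constructed word list: enough to resolve the slide's domains plus a few
# decoys that should not produce a split.
WORDS = {
    "mountain", "measure", "winter", "anger", "subject", "afraid",
    "number", "string", "letter", "office", "silver", "weather",
}

# Constructed DNS lookups from one host, as a resolver log would show them.
SAMPLE_LOOKUPS = [
    "mountainmeasure.net", "winteranger.net", "subjectafraid.net",
    "www.example.com", "update.example.org", "numberstring.net",
]


def split_two_words(label: str, words: set = WORDS) -> Optional[tuple]:
    """Return (first, second) if the label is exactly two dictionary words."""
    for i in range(1, len(label)):
        first, second = label[:i], label[i:]
        if first in words and second in words:
            return first, second
    return None


def second_level_label(domain: str) -> str:
    """'www.example.com' -> 'example' (assumes a single-label public suffix)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def score_host_lookups(domains: list, min_hits: int = 3) -> dict:
    """Flag a host whose lookups include min_hits or more distinct
    two-word domains; a single hit (e.g. a real brand) is not enough."""
    flagged = sorted({d for d in domains if split_two_words(second_level_label(d))})
    return {"dga_like": flagged, "alert": len(flagged) >= min_hits}


if __name__ == "__main__":
    print(score_host_lookups(SAMPLE_LOOKUPS))
```

Used on resolver logs, this is a per-host signal to be combined with others (NXDOMAIN rate, newly registered domains, reputation) rather than a verdict on its own; with a full dictionary many legitimate compound-word brands will split, which is why the alert is tied to the count of distinct hits from one host.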


Prediction: Big Data Analysis will find threats

Large data analysis will help flag potentially dangerous URLs, IP addresses, and malware objects before employees fall victim to these threats.


Triggering “Big Data” analysis
• Large data sources used to stop known or large threats
• Also find hints of lesser-known threats hidden in malicious sources
• Example:
  • CYREN highlighted suspicious URLs and IP addresses being accessed by employees at a company that uses CYREN WebSecurity
  • invoice-myups.org
  • 217.71.50.24
  • URLs and IP addresses marked as suspicious based on a range of factors


Reputation Calculation – A Synergy of Insights (diagram; only its labels survive extraction)

Linked indicators shown on the slide:
• Domains: webfeed.softupdate.org, invoice-myups.org, terminal.vla-engineering.com, www-myups.org; app.invoice-myups.org (labelled “Subdomain of”)
• IP addresses: 217.71.50.24, 178.132.203.166
• Hash values: D20aeb6ccc9f9c258ef158b47c3f33613141f7afebfd7bd0e61b0f76c7061f97, 5a6e6396d05739f08109c8f9e9e8eacc2f395c2201d560963cd39ceb5c36d728, 1e5dd90edb812ce1d741b63439c28cf2934693e292c8b47fd06519d7449d7c1c (the label “Zeus” appears beside them)
• Spam campaign attachments: invoiceid-[a-z0-9]{20}.doc, invoiceid-[a-z0-9]{20}.pdf.zip
• Registrant (“Registrant is”): [email protected] (redacted on the page)
• Sender address patterns: no-replays-[0-9a-z]{6}@ups.invoice, notifications-[0-9a-z]{6}@ups.invoice
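What the diagram conveys is that none of these indicators is damning alone; suspicion travels across the links between them. The following Python is an added illustration of that idea, not Cyren's code: it builds a small indicator graph and propagates a score from a seed (a sample hash treated as confirmed malicious) outward, damping it per hop by a weight that depends on the relation type, so that a subdomain of a bad domain scores higher than a domain that merely shares an IP with it. The indicator strings are the ones on the slide; the links between them, the edge weights, the seed verdict and the threshold are constructed for this example and are not the slide's actual graph. The registrant e-mail is redacted on the page, so a placeholder stands in for it.

```python
"""Added example (not Cyren's code): propagate suspicion across linked
indicators, the 'synergy of insights' the slide illustrates. The indicator
values are the ones shown on the slide; the links between them, the edge
weights and the seed verdicts are constructed for this illustration and are
not the slide's actual graph."""
import heapq
from collections import defaultdict

# Relation weights: how much of a neighbour's suspicion carries over one hop (assumed).
RELATION_WEIGHT = {
    "subdomain_of": 0.9,
    "downloaded_from": 0.8,
    "resolves_to": 0.7,
    "same_registrant": 0.6,
}

# Constructed links between the slide's indicators. The registrant e-mail is
# redacted on the slide, so a placeholder stands in for it.
EDGES = [
    ("D20aeb6ccc9f9c258ef158b47c3f33613141f7afebfd7bd0e61b0f76c7061f97", "downloaded_from", "invoice-myups.org"),
    ("app.invoice-myups.org", "subdomain_of", "invoice-myups.org"),
    ("invoice-myups.org", "resolves_to", "217.71.50.24"),
    ("webfeed.softupdate.org", "resolves_to", "217.71.50.24"),
    ("invoice-myups.org", "same_registrant", "REGISTRANT-EMAIL-PLACEHOLDER"),
    ("www-myups.org", "same_registrant", "REGISTRANT-EMAIL-PLACEHOLDER"),
    ("www-myups.org", "resolves_to", "178.132.203.166"),
    ("terminal.vla-engineering.com", "resolves_to", "178.132.203.166"),
]


def build_graph(edges):
    """Undirected adjacency list: node -> [(neighbour, weight), ...]."""
    graph = defaultdict(list)
    for a, relation, b in edges:
        w = RELATION_WEIGHT[relation]
        graph[a].append((b, w))
        graph[b].append((a, w))
    return graph


def propagate(graph, seeds: dict) -> dict:
    """Best-path propagation: a node's score is the largest product of edge
    weights along any path from a seed (a max-product Dijkstra)."""
    score = dict(seeds)
    heap = [(-s, n) for n, s in seeds.items()]
    heapq.heapify(heap)
    while heap:
        neg, node = heapq.heappop(heap)
        if -neg < score.get(node, 0):
            continue  # stale heap entry, a better score was found already
        for nb, w in graph[node]:
            cand = -neg * w
            if cand > score.get(nb, 0):
                score[nb] = cand
                heapq.heappush(heap, (-cand, nb))
    return {n: round(s, 3) for n, s in score.items()}


def suspicious(scores: dict, threshold: float = 0.25) -> list:
    """Indicators whose propagated score reaches the (assumed) alert threshold."""
    return sorted(n for n, s in scores.items() if s >= threshold)


if __name__ == "__main__":
    g = build_graph(EDGES)
    seed = {EDGES[0][0]: 1.0}   # the sample hash, assumed confirmed malicious
    for name in suspicious(propagate(g, seed)):
        print(name)
```

Max-product propagation keeps the score bounded (never above the seed) and makes the decay per hop explicit, so an analyst can read off why a domain was flagged: the path from the seed and the relation on each link. A node such as 178.132.203.166, three weak hops away, stays below the threshold until some other evidence raises it.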


Using  Big  Data  to  Predict  Malware  Trends  


Map the Attack
• 40 to 50 million emails distributed in short bursts lasting only three to five minutes each
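Campaigns delivered in three- to five-minute bursts are easy to miss in hourly or daily totals but stand out sharply in per-minute counts. The following Python is an added illustration, not Cyren's code: it takes per-minute message counts, derives a baseline from the window median, and reports each run of consecutive minutes that exceeds the baseline by a large factor, distinguishing a short burst from a sustained flood. The counts, the factor and the burst-length cutoff are constructed for this example; a real feed would come from MTA or mail-gateway logs.

```python
"""Added example (not Cyren's code): detect short, high-volume sending bursts
of the kind the slide describes (tens of millions of messages in three- to
five-minute bursts) from per-minute message counts. The counts below are
constructed; a real feed would come from MTA or gateway logs."""
from statistics import median

# Constructed per-minute message counts for a 20-minute window: a steady
# baseline around 1,000/min with a four-minute burst starting at minute 8.
SAMPLE_COUNTS = [
    980, 1010, 995, 1020, 1005, 990, 1000, 1015,
    52000, 48000, 51000, 49000,
    1010, 985, 1000, 1020, 995, 1005, 990, 1000,
]


def find_bursts(counts: list, factor: int = 10, max_minutes: int = 10) -> list:
    """Return one record per run of consecutive minutes whose count exceeds
    factor x the window median. Runs longer than max_minutes are labelled
    'sustained' rather than 'burst', since the slide's campaigns last only a
    few minutes and a long run points at a different kind of event."""
    baseline = median(counts)
    threshold = factor * baseline
    bursts, start = [], None
    for minute, c in enumerate(counts + [0]):   # sentinel closes a trailing run
        if c > threshold and start is None:
            start = minute
        elif c <= threshold and start is not None:
            run = counts[start:minute]
            bursts.append({
                "start": start,
                "end": minute - 1,
                "total": sum(run),
                "kind": "burst" if len(run) <= max_minutes else "sustained",
            })
            start = None
    return bursts


if __name__ == "__main__":
    for b in find_bursts(SAMPLE_COUNTS):
        print(f"{b['kind']}: minutes {b['start']}-{b['end']}, {b['total']} messages")
```

The median is used as the baseline because a burst of this size would drag a mean up enough to hide itself; with a mean-based baseline the four burst minutes in the sample would raise the threshold several-fold.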


Prediction: Malware success will be repeated

Malware will continue to be distributed via email; macro malware is here to stay; continued focus on POS systems; regional diversity of C&C.


Notable 2015 Malware - Android

Gunpowder
• Distributed via SMS messages through the phone’s contact list, under the message “a fun game ^_^.”
• Hidden in old Nintendo games for Android and bundled with aggressive adware
• Information stealer
• Spreads further via SMSs


Notable 2015 Malware - Windows

Stegaloader/Gatak
• Steganography malware
• Malware arrives as a bundled file in software cracking tools
• Malware retrieves the image, then the hidden encrypted data inside via a steganography technique
• Encryption used for communication with C&C


Notable 2015 Malware - POS

Alina
• Distribution via USB but also emailed macro malware
• Targets credit card swipe systems
• Most POS systems running Windows OS encrypt credit card data
• Data is briefly available unencrypted in the system’s memory
• Alina uses a memory scraping technique
• Includes features such as screen capture and keylogging
• MalumPoS targets POS software developed by MICROS (owned by Oracle), widely used by hotels, restaurants, and retailers in the US


Malware Year in Review


Prediction: Incremental changes to threat techniques

Increasingly, cybercriminals will use sophisticated, yet subtle, incremental changes in their approach to cybercrime.


Incremental Changes
• Subtle, yet powerful changes to malware and spam distribution methods to improve the overall success of threats and breach attempts
• Example – “the invoice that you requested”


Advanced fake email headers
• Harvests legitimate email headers from compromised email accounts
• Creates the appearance of a legitimately redirected newsletter
• Designed to outwit anti-spam systems


Continued use of macro malware
• Sophisticated social engineering
• Demonstrates extensive tools available to cybercriminals
• Using attack vectors that are ignored


Phishing/Spam  Year  in  Review  


Protecting the world against Internet threats


Any location, any device

Cloud-based protection for any user, anywhere, on any device
• Protect users
• Manage web use


Managing  Security  Incidents  




You can also find us here:
www.CYREN.com
twitter.com/cyreninc
linkedin.com/company/cyren


Thank You. Any Questions or Thoughts?