©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential. ©2016. CYREN Ltd. All Rights Reserved. Proprietary and Confidential. This document and the contents therein are the sole property of CYREN and may not be transmitted or reproduced without CYREN's express written permission.
CYREN 2016 Cyberthreat Report
Lior Kohavi, CTO
Avi Turiel, Director of Threat Research
John Callon, Sr. Director, Product Marketing
Agenda
§ In 2016: Detection is not the new prevention
§ Sandbox-aware malware
§ Demo of automated analysis
• Big data and threat detection
• Malware success indicates future trends
• Incremental attack improvements
• Yearly trends
In 2016, Detection is not the new prevention
Detection
• Based on a false perception that sophisticated attacks are too difficult to prevent
• Detecting breaches after the fact is all that can be done
Prevention
• Complete automation of the detection framework
• Includes advanced analysis of potential threats to improve prevention
Prediction: Proliferation of sandbox-aware malware
More and more malware will learn and become 'aware' of specific sandboxes, preventing "detonation" of the malware and subsequent detection. Cloud-based multi-sandbox arrays will prevent this, since the malware can't recognize every possible environment.
Sandbox-aware malware
Challenges:
§ Malware detects OS features
  § Detects virtualization & debug tools
  § Runs only when specific files/registry keys are found
  § Runs only on 32/64 bit, Windows 7/8/10 or XP
§ Malware detects environment conditions
  § Runs only in specific domain names
  § Runs only when specific systems are found in the network
  § Detects proxy settings
§ Time-aware malware
  § Runs only at specific times of the day/week/month
  § Runs only in specific intervals
  § Runs only in specific time zones
  § Requires long runtime – hours, even days
§ Geo-location-aware malware
  § Runs only in specific regions/countries
§ Communication
  § Malware uses TLS/SSL to call home
  § C&C server unavailable for any of many reasons
CYREN Advanced Malware Analysis
[Figure: architecture diagram. Components shown: Arbitrator; Sandbox A; Sandbox B; Mobile Sandbox; IDS; External Feeds; Reputation; sandbox-less OS Heuristics and Network Heuristics; Conclusions, delivered via RSS, API (Raw Data) and Reporting. Inputs: URLs, malware samples and emails for analysis.]
Live malware analysis
• Show automated analysis process
"WhatsApp" audible message attack
• "Audible message" email attachment
• Bayrob, Nivdort, or Symmi
• Password stealer, bitcoin miner
• Uses memory dumping to prevent analysis
• Domain generation algorithm (DGA)
  • "[email protected]"
  • "mountainmeasure.net"
  • "winteranger.net"
  • "subjectafraid.net"
• Evaded one sandbox, detonated in the second sandbox, allowing detection
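The multi-sandbox arbitration the slides describe (one sandbox stays quiet, the second detonates, and the arbitrator still reaches a conclusion), written out as an added example; this is not CYREN's code, and the engine names, report fields and sample reports are constructed for illustration:

```python
"""Arbitrator that fuses verdicts from a multi-sandbox array (added example,
not CYREN's code). Engine names, report fields and the sample reports are
constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class EngineReport:
    engine: str                                   # e.g. "sandbox_a", "ids"
    kind: str                                     # "sandbox" or "static"
    flagged: bool = False                         # the engine's own verdict
    behaviours: set = field(default_factory=set)  # what the sample did when run
    contacted: set = field(default_factory=set)   # domains / IPs it reached out to


def arbitrate(reports, known_bad=frozenset()):
    """Combine engine reports into (verdict, reasons).

    Policy: any detonation is conclusive; a sample that stays quiet in one
    sandbox but detonates in another is tagged sandbox-aware (the evasion is
    itself evidence); contact with known-bad infrastructure counts even when
    no sandbox detonated; static-only hits are downgraded to 'suspicious'."""
    reasons = []
    sandboxes = [r for r in reports if r.kind == "sandbox"]
    detonated = [r.engine for r in sandboxes if r.behaviours]
    quiet = [r.engine for r in sandboxes if not r.behaviours]
    if detonated:
        reasons.append("detonated in " + ", ".join(detonated))
        if quiet:
            reasons.append("sandbox-aware: stayed quiet in " + ", ".join(quiet))
    contacted = set()
    for r in reports:
        contacted |= r.contacted
    bad = sorted(contacted & set(known_bad))
    if bad:
        reasons.append("contacted known-bad " + ", ".join(bad))
    static_hits = [r.engine for r in reports if r.kind == "static" and r.flagged]
    if static_hits:
        reasons.append("flagged by " + ", ".join(static_hits))
    if detonated or bad:
        return "malicious", reasons
    if static_hits:
        return "suspicious", reasons
    return "clean", reasons


# Constructed reports modelled on the "audible message" case: quiet in the
# first sandbox, detonates in the second and performs DGA lookups
WHATSAPP_CASE = [
    EngineReport("sandbox_a", "sandbox"),
    EngineReport("sandbox_b", "sandbox", True,
                 {"memory_dump", "dga_lookup", "credential_access"},
                 {"mountainmeasure.net", "winteranger.net"}),
    EngineReport("reputation", "static", False),
]


def sandbox_aware(reasons):
    """True when the arbitrator recorded divergent sandbox behaviour."""
    return any(r.startswith("sandbox-aware") for r in reasons)
```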
Prediction: Big Data Analysis will find threats
Large data analysis will help flag potentially dangerous URLs, IP addresses, and malware objects before employees fall victim to these threats.
Triggering "Big Data" analysis
• Large data sources used to stop known or large threats
• Also find hints of lesser-known threats hidden in malicious sources
• Example:
  • CYREN highlighted suspicious URLs and IP addresses being accessed by employees at a company that uses CYREN WebSecurity
    • invoice-myups.org
    • 217.71.50.24
  • URLs and IP addresses marked as suspicious based on a range of factors
Reputation Calculation – A Synergy of Insights
[Figure: diagram of linked indicators. Domains: webfeed.softupdate.org, invoice-myups.org, app.invoice-myups.org (labelled "subdomain of"), www-myups.org (labelled "registrant is"), terminal.vla-engineering.com. IP addresses: 217.71.50.24, 178.132.203.166. Spam campaign attachment name patterns: invoiceid-[a-z0-9]{20}.doc and invoiceid-[a-z0-9]{20}.pdf.zip, with their hash values. Sender address patterns: no-replays-[0-9a-z]{6}@ups.invoice and notifications-[0-9a-z]{6}@ups.invoice. Malware family: Zeus.]
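One way to turn linked indicators like those in the diagram into a reputation score, as an added example that is not CYREN's code: suspicion is seeded on nodes with direct evidence and decays across each relationship, so an indicator is marked suspicious by the weight of the links connecting it to known-bad ones. The node names are the slide's indicators; the edges, seed scores, weights and threshold are assumptions, since the extraction does not preserve which arrow joins which node.

```python
"""Reputation propagation over linked indicators (added example, not CYREN's
code). Node names are the indicators drawn on the slide; the edges, seed
scores and weights are constructed assumptions."""
from collections import defaultdict

# Relationship weights: how much suspicion carries across each link (assumed)
WEIGHTS = {"subdomain_of": 0.9, "linked_to": 0.8, "spam_campaign": 0.8,
           "resolves_to": 0.7, "same_registrant": 0.6}

# Constructed edges between the slide's indicators
EDGES = [
    ("app.invoice-myups.org", "subdomain_of", "invoice-myups.org"),
    ("app.invoice-myups.org", "linked_to", "Zeus"),
    ("invoice-myups.org", "resolves_to", "217.71.50.24"),
    ("webfeed.softupdate.org", "resolves_to", "217.71.50.24"),
    ("terminal.vla-engineering.com", "resolves_to", "178.132.203.166"),
    ("www-myups.org", "same_registrant", "invoice-myups.org"),
    ("invoice-myups.org", "spam_campaign", "invoiceid-[a-z0-9]{20}.doc"),
]

# Seed scores from direct evidence: a known malware family and an attachment
# name pattern seen in the spam campaign (values assumed)
SEEDS = {"Zeus": 1.0, "invoiceid-[a-z0-9]{20}.doc": 0.8}


def propagate(edges=EDGES, seeds=SEEDS, weights=WEIGHTS, rounds=10):
    """Max-product propagation: each node takes the best score reachable from
    a seed, decayed by the weights of the links on the path. Returns
    (score, why) where why[node] names the link that set its score."""
    adj = defaultdict(list)
    for a, rel, b in edges:            # links are undirected for scoring
        adj[a].append((b, rel))
        adj[b].append((a, rel))
    score = dict(seeds)
    why = {n: "seed" for n in seeds}
    for _ in range(rounds):
        changed = False
        for node, nbrs in adj.items():
            for nbr, rel in nbrs:
                cand = score.get(node, 0.0) * weights[rel]
                if cand > score.get(nbr, 0.0) + 1e-12:
                    score[nbr], why[nbr] = cand, f"{rel} {node}"
                    changed = True
        if not changed:                # fixed point reached
            break
    return score, why


def suspicious(score, threshold=0.5):
    """Indicators whose propagated score crosses the (assumed) threshold."""
    return sorted((n for n, s in score.items() if s >= threshold),
                  key=lambda n: -score[n])
```

Indicators that share nothing with the seeded ones (terminal.vla-engineering.com and 178.132.203.166 in this constructed graph) never receive a score, which is the point of requiring a link rather than a mere co-occurrence.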
Using Big Data to Predict Malware Trends
Map the Attack
§ 40 to 50 million emails distributed in short bursts lasting only three to five minutes each
Prediction: Malware success will be repeated
Malware will continue to be distributed via email, macro malware is here to stay, continued focus on POS systems, regional diversity of C&C
Notable 2015 Malware - Android
Gunpowder
• Distributed via SMS messages through the phone's contact list, under the message "a fun game ^_^."
• Hidden in old Nintendo games for Android and bundled with aggressive adware
• Information stealer
• Spreads further via SMSs
Notable 2015 Malware - Windows
Stegaloader/Gatak
• Steganography malware
• Malware arrives as a bundled file in software cracking tools
• Malware retrieves the image, then the hidden encrypted data inside via a steganography technique
• Encryption used for communication with C&C
Notable 2015 Malware - POS
Alina
• Distribution via USB but also emailed macro malware
• Targets credit card swipe systems
• Most POS systems running Windows OS encrypt credit card data
• Data is briefly available unencrypted in the system's memory
• Alina uses a memory scraping technique
• Includes features such as screen capture and keylogging
• MalumPoS targets POS software developed by MICROS (owned by Oracle), widely used by hotels, restaurants, and retailers in the US
Malware Year in Review
Prediction: Incremental changes to threat techniques
Increasingly, cybercriminals will use sophisticated, yet subtle, incremental changes in their approach to cybercrime.
Incremental Changes
• Subtle, yet powerful changes to malware and spam distribution methods to improve the overall success of threats and breach attempts
• Example: "the invoice that you requested"
Advanced fake email headers
• Harvest legitimate email headers from compromised email accounts
• Creates the appearance of a legitimately redirected newsletter
• Designed to outwit anti-spam systems
Continued use of macro malware
§ Sophisticated social engineering
§ Demonstrates extensive tools available to cybercriminals
• Using attack vectors that are ignored
Phishing/Spam Year in Review
Protecting the world against Internet threats
Any location, any device
Cloud-based protection for any user, anywhere, on any device
Protect users. Manage web use.
Managing Security Incidents
Thank You. Any Questions or Thoughts?
You can also find us here:
www.CYREN.com
twitter.com/cyreninc
linkedin.com/company/cyren