The Current Malware Threat Landscape and Best Practices for Enterprise-Grade Remediation
Krishnan Natarajan, Malwarebytes
QUICK BIO
Krishnan Natarajan, Senior Director, Malwarebytes
Krishnan Natarajan is Senior Director for Malwarebytes, based in Santa Clara, California. He has experience with multiple areas of information security: web application security, user and entity behavior analytics, insider threat, data loss prevention, and endpoint security. Prior to Malwarebytes, Krishnan held leadership roles at several S.F. Bay Area companies including Whitehat Security, Dtex Systems, and Hewlett-Packard.
AGENDA
01 Introduction
02 The Current Malware Threat Landscape
03 Addressing the Malware Threat: Enterprise-Grade Remediation
COMPANY BACKGROUND
By the numbers
100M B2C customers
60K+ B2B customers
4M+ threats blocked every day
500K downloads per day
Locations
Santa Clara, CA (HQ)
Tampa Bay, FL
Cork, Ireland
Tallinn, Estonia
Singapore
Sydney
BROAD RANGE OF CUSTOMERS
60,000 businesses worldwide
The Current Threat Landscape
What’s New / What’s the Same
THE CHALLENGE
Perception: 2% of endpoints
vs.
Reality: 60% have hidden threats
30% of threats are critical: Trojans | Backdoors | Rootkits
98% prevention is a myth!
IMPACT OF CYBERSECURITY THREATS
73% of organizations impacted by a security event in the past 12 months
$1.9M annual spend on cybersecurity-related costs
$430K cost to remediate a major security event
Employee downtime / loss of productivity
BUSINESS DETECTIONS: 2017-2018
[Chart: business detections 2017-2018; y-axis 0 to 3,000,000]
BUSINESS DETECTIONS BREAKDOWN 2018
Generic.Malware          32%
Generic.Trojan           23%
Trojan.Emotet            19%
Trojan.TrickBot           6%
Backdoor.Vools            6%
RiskWare.BitCoinMiner     5%
RiskWare.IFEOHijack       3%
Hijack.Tray               2%
Generic.Backdoor          2%
Ransom.WannaCrypt         2%
WHAT’S CHANGED: 2017 vs 2018
Business Detections 2017/2018
Pos.  Threat          Y/Y % Change
1     Trojan          132%
2     Hijacker         43%
3     Riskware Tool   126%
4     Backdoor        173%
5     Adware            1%
6     Spyware         142%
7     Ransom            9%
8     Worm             -9%
9     Rogue           -52%
10    HackTool        -45%
Overall Detections
2017: 39,970,812
2018: 71,823,114 (+79%)
US EMOTET BUSINESS DETECTIONS 2018
US TRICKBOT BUSINESS DETECTIONS 2018
‘ETERNAL’ MALWARE FAMILIES
Emotet
▪ Originally a banking trojan
▪ Downloader
▪ Built-in spam module
▪ Eternal exploits utilized for lateral movement
▪ Greater focus on business in 2018
Trickbot
▪ Originally a banking trojan
▪ Downloader
▪ Credential stealer / brute force
▪ Eternal exploits utilized for lateral movement
▪ Greater focus on business in 2018
[Chart: 2017 - 2018 Global Business Trickbot Detections; y-axis 0 to 120,000]
CRYPTOMINERS
▪ First half of the year, miner domination
▪ Large spikes in value match large spikes in detections
▪ Detection numbers have returned to normal
[Chart: 2017 - 2018 Business Cryptominer Detections]
PREDICTIONS
‘Eternal’ malware will become the norm
▪ Eternal exploits used with in-the-wild malware
▪ Already we have seen 3+ families use this in 2018
▪ More malware will follow suit as long as it’s effective
Cryptomining is dead
▪ Value of cryptocurrencies dropped mid-2018
▪ Mining infections followed closely behind
▪ Unless value spikes, we won’t see too many miners in 2019
New attack technology
▪ Attack technology in constant development
▪ State-sponsored malware tools being leaked
▪ ‘Soundloggers’ a possible threat in 2019 for states
PREDICTIONS
Artificial Intelligence
▪ AI will likely play a part in malware development in 2019
▪ Expected to see it used to distribute undetected malware first
BYOS grows
▪ Less confidence in business security
▪ Users take control of their own security
▪ Less reliance on storing data remotely
SUMMARY
Spike in business attacks in 2018
Significant ‘Eternal’ exploits employed by Emotet / Trickbot
Networked computers attacked with ‘Eternal’ worm functionality offer a far better ROI than individual targets
Old ‘Eternal’ threats like WannaCry are still around.
Addressing the Malware Threat
ENDPOINT DETECTION AND RESPONSE
Antivirus Misses an Infection
→ EDR Logs Analyzed
→ Enrich with Threat Intel
→ Alert Created
→ SOC Engineer Investigates
→ What is the Response?
WHAT COMPANIES TYPICALLY DO
A BETTER WAY: THREE-PART SOLUTION
PREVENT: Multiple Protection Layers
DETECT: Advanced Detection Techniques
RESPOND: Comprehensive Remediation
PROTECTION, DETECTION AND REMEDIATION LAYERS
Stages: Pre-Delivery | Pre-Execution | Post-Execution
Approaches: Matching-based | Signature-less | Response capabilities
Layers:
Web Protection
Application Hardening
Application Behavior
Exploit Mitigation
Payload Analysis
Anomaly Detection Machine Learning
Ransomware Mitigation
Suspicious Activity Monitor (Flight Recorder)
Endpoint Isolation
Linking Engine Remediation
Ransomware Rollback
ENTERPRISE-GRADE REMEDIATION COMPONENTS
Granular Endpoint Isolation
▪ Isolates endpoints to stop the bleeding
▪ Prevents malware from connecting to C&C
▪ Locks remote attackers out
Process Isolation | Desktop Isolation | Network Isolation
Thorough Remediation
▪ Cleans up primary payload
▪ Detects and removes all dynamic and related threat artifacts
▪ Minimizes end-user impact
Ransomware Rollback
▪ Performs just-in-time backups of file changes
▪ Logs/associates changes with specific processes
▪ Rolls back damage up to 72 hours
WHAT HAVE WE LEARNED?
▪ Malware threats continue to grow
▪ Businesses have been hit especially hard in 2018
▪ Malware continues to leverage ‘Eternal’ exploits
▪ Patching software is a necessary first step
▪ Endpoint security software is critical
▪ “Enterprise-grade” remediation is the final “failsafe” measure to address malware threats
THANK YOU!
Learn More: malwarebytes.com/business
Latest News: blog.malwarebytes.com
Request a Trial: malwarebytes.com/business/trial
See What Others Miss: malwarebytes.com/remediationmap
APPENDIX