
The Current Malware Threat Landscape and Best Practices for Enterprise-Grade Remediation

Krishnan Natarajan, Malwarebytes

Page 2: QUICK BIO

Krishnan Natarajan, Senior Director, Malwarebytes

Krishnan Natarajan is Senior Director for Malwarebytes, based in Santa Clara, California. He has experience with multiple areas of information security: web application security, user and entity behavior analytics, insider threat, data loss prevention, and endpoint security. Prior to Malwarebytes, Krishnan held leadership roles at several S.F. Bay Area companies including Whitehat Security, Dtex Systems, and Hewlett-Packard.

Page 3: AGENDA

01 Introduction
02 The Current Malware Threat Landscape
03 Addressing the Malware Threat: Enterprise-Grade Remediation

Page 4: COMPANY BACKGROUND

Locations: Santa Clara, CA (HQ); Tampa Bay, FL; Cork, Ireland; Tallinn, Estonia; Singapore; Sydney

By the numbers:
100M B2C customers
60K+ B2B customers
4M+ threats blocked every day
500K downloads per day

Page 5: BROAD RANGE OF CUSTOMERS

60,000 businesses worldwide

Page 6: The Current Threat Landscape

What's New / What's the Same

Page 7: THE CHALLENGE

Perception: 2% of endpoints
vs.
Reality: 60% have hidden threats

30% of threats are critical: Trojans | Backdoors | Rootkits

98% prevention is a myth!

Page 8: IMPACT OF CYBERSECURITY THREATS

73% of organizations impacted by a security event in the past 12 months
$1.9M annual spend on cybersecurity-related costs
$430K cost to remediate a major security event
Employee downtime / loss of productivity


Page 10: BUSINESS DETECTIONS: 2017-2018

(Chart; y-axis from 0 to 3,000,000 detections.)

Page 11: BUSINESS DETECTIONS BREAKDOWN 2018

Detection               Share
Generic.Malware         32%
Generic.Trojan          23%
Trojan.Emotet           19%
Trojan.TrickBot          6%
Backdoor.Vools           6%
RiskWare.BitCoinMiner    5%
RiskWare.IFEOHijack      3%
Hijack.Tray              2%
Generic.Backdoor         2%
Ransom.WannaCrypt        2%

Page 12: WHAT'S CHANGED: 2017 vs 2018

Business Detections 2017/2018

Pos.  Threat         Y/Y % change
1     Trojan         +132%
2     Hijacker        +43%
3     Riskware Tool  +126%
4     Backdoor       +173%
5     Adware           +1%
6     Spyware        +142%
7     Ransom           +9%
8     Worm             -9%
9     Rogue           -52%
10    HackTool        -45%

Overall detections: 2017: 39,970,812; 2018: 71,823,114 (+79%)


Page 14: US EMOTET BUSINESS DETECTIONS 2018

Page 15: US TRICKBOT BUSINESS DETECTIONS 2018

Page 16: 'ETERNAL' MALWARE FAMILIES: Emotet

▪ Originally a banking trojan
▪ Downloader
▪ Built-in spam module
▪ Eternal exploits utilized for lateral movement
▪ Greater focus on business in 2018

Page 17: 'ETERNAL' MALWARE FAMILIES: Trickbot

▪ Originally a banking trojan
▪ Downloader
▪ Credential stealer / brute force
▪ Eternal exploits utilized for lateral movement
▪ Greater focus on business in 2018

(Chart: 2017 - 2018 Global Business Trickbot Detections; y-axis from 0 to 120,000.)

Page 18: CRYPTOMINERS

▪ First half of the year: miner domination
▪ Large spikes in value match large spikes in detections
▪ Detection numbers have returned to normal

(Chart: 2017 - 2018 Business Cryptominer Detections.)

Page 19: PREDICTIONS

'Eternal' malware will become the norm
▪ Eternal exploits used with in-the-wild malware
▪ Already we have seen 3+ families use this in 2018
▪ More malware will follow suit as long as it's effective

Cryptomining is dead
▪ Value of cryptocurrencies dropped mid-2018
▪ Mining infections followed closely behind
▪ Unless value spikes, we won't see too many miners in 2019

New attack technology
▪ Attack technology in constant development
▪ State-sponsored malware tools being leaked
▪ 'Soundloggers' a possible threat in 2019 for states

Page 20: PREDICTIONS

Artificial Intelligence
▪ AI will likely play a part in malware development in 2019
▪ Expect to see it used first to distribute undetected malware

BYOS grows
▪ Less confidence in business security
▪ Users take control of their own security
▪ Less reliance on storing data remotely

Page 21: SUMMARY

Spike in business attacks in 2018
Significant 'Eternal' exploits employed by Emotet / Trickbot
'Eternal' worm functionality against networked computers is a far better ROI for attackers than targeting individuals
Old 'Eternal' threats like WannaCry are still around.

Page 22: Addressing the Malware Threat

Page 23: ENDPOINT DETECTION AND RESPONSE

Antivirus misses an infection
EDR logs analyzed
Enrich with threat intel
Alert created
SOC engineer investigates
What is the response?
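The detection-and-response chain on this slide, worked through in code as an added example that is not part of the deck or of any Malwarebytes product. The telemetry lines, the pipe-separated key=value log format, the threat-intel feed (placeholder indicators such as c2.example.invalid), the behavioural rule and the tag names are all constructed for illustration. The block parses the EDR log, enriches each event against the feed plus one behavioural rule (an Office process spawning an executable out of a Temp directory), links later network events back to a process that is already suspicious, and rolls the tagged events up into one scored alert per host for the SOC engineer to investigate.

```python
"""Toy EDR pipeline: parse endpoint telemetry, enrich with threat intel, raise alerts.

Added example; not from the slide deck or Malwarebytes. Log format, field names,
rule names and the intel feed are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed EDR telemetry: one event per line, pipe-separated key=value fields.
SAMPLE_EDR_LOG = """\
ts=2018-11-02T09:14:03Z|host=WS-0042|type=process|image=C:\\Windows\\System32\\svchost.exe|parent=services.exe|user=SYSTEM
ts=2018-11-02T09:15:11Z|host=WS-0042|type=process|image=C:\\Users\\alice\\AppData\\Local\\Temp\\invoice_0423.exe|parent=WINWORD.EXE|user=alice
ts=2018-11-02T09:15:12Z|host=WS-0042|type=network|image=C:\\Users\\alice\\AppData\\Local\\Temp\\invoice_0423.exe|dest=c2.example.invalid|port=443
ts=2018-11-02T09:16:40Z|host=WS-0042|type=network|image=C:\\Program Files\\Mozilla Firefox\\firefox.exe|dest=www.example.com|port=443
ts=2018-11-02T09:20:05Z|host=WS-0077|type=process|image=C:\\Windows\\explorer.exe|parent=userinit.exe|user=bob
"""

# Constructed threat-intel feed: placeholder indicators, not real IoCs.
THREAT_INTEL = {
    "c2_domains": {"c2.example.invalid"},
    "office_parents": {"WINWORD.EXE", "EXCEL.EXE", "OUTLOOK.EXE"},
}

# Weight of each enrichment tag, and the severity label an alert gets for its highest weight.
SEVERITY = {"known_c2": 3, "office_spawned_temp_exe": 2, "linked_to_suspicious_process": 1}
LABEL = {3: "critical", 2: "high", 1: "medium"}


@dataclass
class Event:
    ts: str
    host: str
    kind: str            # "process" or "network"
    fields: dict         # remaining key=value pairs from the log line
    tags: list = field(default_factory=list)   # filled in by enrich()


def parse_edr_log(text):
    """Step 'EDR logs analyzed': turn raw telemetry lines into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(part.split("=", 1) for part in line.strip().split("|"))
        events.append(Event(kv.pop("ts"), kv.pop("host"), kv.pop("type"), kv))
    return events


def enrich(events, intel):
    """Step 'Enrich with threat intel': tag events from the feed and one behavioural rule."""
    suspicious_images = set()          # executables already implicated earlier in the stream
    for ev in events:                  # events are assumed to arrive in time order
        img = ev.fields.get("image", "")
        if ev.kind == "process":
            parent = ev.fields.get("parent", "").upper()
            # Office application spawning an executable out of a Temp directory.
            if parent in intel["office_parents"] and "\\temp\\" in img.lower():
                ev.tags.append("office_spawned_temp_exe")
                suspicious_images.add(img)
        elif ev.kind == "network":
            # Link outbound traffic back to a process that is already suspicious.
            if img in suspicious_images:
                ev.tags.append("linked_to_suspicious_process")
            # Destination matches a command-and-control indicator from the feed.
            if ev.fields.get("dest") in intel["c2_domains"]:
                ev.tags.append("known_c2")
                suspicious_images.add(img)
    return events


def create_alerts(events):
    """Step 'Alert created': roll tagged events up into one scored alert per host."""
    per_host = {}
    for ev in events:
        if not ev.tags:
            continue
        alert = per_host.setdefault(ev.host, {"host": ev.host, "first_seen": ev.ts,
                                              "tags": set(), "images": set(), "score": 0})
        alert["tags"].update(ev.tags)
        alert["images"].add(ev.fields.get("image", ""))
        alert["score"] = max(alert["score"], max(SEVERITY[t] for t in ev.tags))
    alerts = []
    for alert in per_host.values():
        alert["severity"] = LABEL[alert["score"]]
        alert["tags"] = sorted(alert["tags"])        # deterministic output for the analyst
        alert["images"] = sorted(alert["images"])
        alerts.append(alert)
    return sorted(alerts, key=lambda a: -a["score"])   # most severe first in the SOC queue


def run_pipeline(log_text, intel):
    """The whole chain from raw EDR log to alerts ready for the SOC engineer."""
    return create_alerts(enrich(parse_edr_log(log_text), intel))


if __name__ == "__main__":
    for alert in run_pipeline(SAMPLE_EDR_LOG, THREAT_INTEL):
        print(alert["severity"].upper(), alert["host"], alert["first_seen"],
              alert["tags"], alert["images"])
```

On the constructed log the pipeline produces a single critical alert for WS-0042 carrying all three tags, while the benign browser traffic and the activity on WS-0077 generate nothing; the step the slide labels "What is the response?" is where an analyst would pick that alert up and decide on isolation and remediation.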

Page 24: WHAT COMPANIES TYPICALLY DO

Page 25: A BETTER WAY: THREE PART SOLUTION

PREVENT: Multiple protection layers
DETECT: Advanced detection techniques
RESPOND: Comprehensive remediation

Page 26: PROTECTION LAYERS

Layers:
Web Protection
Application Hardening
Application Behavior
Exploit Mitigation
Payload Analysis
Anomaly Detection Machine Learning
Ransomware Mitigation
Suspicious Activity Monitor (Flight Recorder)
Endpoint Isolation
Linking Engine Remediation
Ransomware Rollback

Layer types: Matching-based | Signature-less | Response capabilities
Stages: Pre-Delivery | Pre-Execution | Post-Execution

Page 27: DETECTION LAYERS (same layer list as page 26)

Page 28: REMEDIATION LAYERS (same layer list as page 26)

Page 29: ENTERPRISE GRADE REMEDIATION COMPONENTS

Granular Endpoint Isolation
▪ Isolates endpoints to stop the bleeding
▪ Prevents malware from connecting to C&C
▪ Locks remote attackers out
Isolation levels: Process Isolation | Desktop Isolation | Network Isolation

Thorough Remediation
▪ Cleans up primary payload
▪ Detects and removes all dynamic and related threat artifacts
▪ Minimizes end-user impact

Ransomware Rollback
▪ Performs just-in-time backups of file changes
▪ Logs/associates changes with specific processes
▪ Rollback damage up to 72 hours
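The ransomware rollback component described above, as an added example rather than the deck's or Malwarebytes' own implementation. It keeps a change journal that snapshots a file's previous content just before a process writes it, attributes each entry to a process id, and undoes that process's changes within a 72-hour window, newest first, so that a file rewritten several times ends up with its original content. The in-memory dict standing in for the disk, the journal layout, the process names and the treatment of the window as a hard cutoff are assumptions of this example; the scenario in demo() is constructed.

```python
"""Toy change journal: just-in-time backups attributed to processes, with bounded rollback.

Added example; not the deck's or Malwarebytes' implementation. The in-memory "disk",
journal layout, process names and hard 72-hour cutoff are assumptions made here.
"""
from datetime import datetime, timedelta

ROLLBACK_WINDOW = timedelta(hours=72)   # the slide's stated limit, treated here as a hard cutoff


class ChangeJournal:
    """Snapshots a file's previous content right before a process writes it."""

    def __init__(self, disk):
        self.disk = disk        # dict path -> bytes, standing in for the file system
        self.entries = []       # (timestamp, pid, process_name, path, previous_content)

    def write(self, ts, pid, process_name, path, new_content):
        """Mediate a write: back up the old content, attribute it to `pid`, then apply."""
        previous = self.disk.get(path)      # None records that the file did not exist yet
        self.entries.append((ts, pid, process_name, path, previous))
        self.disk[path] = new_content

    def changes_by_process(self, pid):
        """The 'logs/associates changes with specific processes' view of the journal."""
        return [e for e in self.entries if e[1] == pid]

    def rollback(self, pid, now, window=ROLLBACK_WINDOW):
        """Undo every change `pid` made within `window` of `now`, newest first.

        Returns the paths restored. Undoing newest-first means a file the process
        rewrote several times ends up with its original content. Entries older than
        the window are left alone: their backups are assumed to have expired.
        """
        cutoff = now - window
        restored = []
        for ts, epid, _name, path, previous in reversed(self.entries):
            if epid != pid or ts < cutoff:
                continue
            if previous is None:
                self.disk.pop(path, None)   # the process created this file: remove it
            else:
                self.disk[path] = previous
            restored.append(path)
        # Drop the undone entries so a second rollback is a no-op.
        self.entries = [e for e in self.entries if not (e[1] == pid and e[0] >= cutoff)]
        return restored


def demo():
    """Constructed scenario: a legitimate editor and a suspicious process both touch files."""
    t0 = datetime(2018, 11, 5, 9, 0)
    disk = {"docs/q3.xlsx": b"quarterly figures", "docs/memo.txt": b"hello"}
    journal = ChangeJournal(disk)
    bad, editor = 4242, 1001
    # A change from 100 hours ago: outside the 72-hour window, so it will not be undone.
    journal.write(t0 - timedelta(hours=100), bad, "suspicious.exe", "docs/old.txt", b"ENCRYPTED")
    # A legitimate edit by a different process: must survive the rollback.
    journal.write(t0, editor, "winword.exe", "docs/memo.txt", b"hello world")
    # The suspicious process overwrites, creates and overwrites files within minutes.
    journal.write(t0 + timedelta(minutes=5), bad, "suspicious.exe", "docs/q3.xlsx", b"ENCRYPTED")
    journal.write(t0 + timedelta(minutes=6), bad, "suspicious.exe", "docs/q3.xlsx.locked", b"ENCRYPTED")
    journal.write(t0 + timedelta(minutes=7), bad, "suspicious.exe", "docs/memo.txt", b"ENCRYPTED")
    restored = journal.rollback(bad, now=t0 + timedelta(hours=1))
    return disk, restored, journal


if __name__ == "__main__":
    disk, restored, journal = demo()
    print("restored:", restored)
    for path, content in sorted(disk.items()):
        print(f"  {path}: {content!r}")
    print("entries still attributed to the suspicious process:",
          len(journal.changes_by_process(4242)))
```

Two design points matter for a real implementation of this idea: the backup has to be taken synchronously on the write path (a snapshot taken afterwards has already lost the original), and the attribution has to be trustworthy, which is why the journal records the process at the moment of the write rather than reconstructing it later from timestamps.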

Page 30: WHAT HAVE WE LEARNED?

▪ Malware threats continue to grow
▪ Businesses have been hit especially hard in 2018
▪ Malware continues to leverage 'Eternal' exploits
▪ Patching software is a necessary first step
▪ Endpoint security software is critical
▪ "Enterprise-grade" remediation is the final "failsafe" measure to address malware threats

Page 31: THANK YOU!

Learn More: malwarebytes.com/business
Latest News: blog.malwarebytes.com
Request a Trial: malwarebytes.com/business/trial
See What Others Miss: malwarebytes.com/remediationmap

Page 32: APPENDIX