Trends in Security

Jerco Veltjen Senior Sales Engineer

March 2017

Agenda Infectie methoden Phishing Malvertising Exploit Kits

Malware Document Malware Data Stealing Malware Ransomware

Toekomst 2017

What are we facing?

4

Phishing

The good news: spam drops However not for long …

How not to phish / early days of phishing

7

Modern phishing

8

Modern phishing

9

HD phishing

10

Malvertising

12

RTB Ad network Third party

Malvertising threat chain

No site is immune

14

Exploit kits Crimeware as a Service

15

A decade of misery

16

2006 2013 2016

Exploits as a Service

17

Initial Request

Victims

Exploit Kit Customers Redirection

Malicious Payloads

Stats

Landing Page

Exploits

Payloads

Get Current Domain

Get Stats

Update payloads

Management Panel Malware Distribution Servers

Gateway Servers

VPN

Exploit Kit Admin Spammer/Malvertiser Exploit merchant

Ransomware author

EK prominence – October 2016

18

RIG

Nuclear

Chinese EK

Da Gong/Gondad

Angler

Fiesta

Neutrino v2

Other

Document malware

19

Why does document malware work?

20

•Out of the spotlight

•Familiarity and trust

•Email as file transfer protocol

•Patching failure

•Call to action

Curiosity infected the cat

21

Build Your Own

22

How to protect against document malware?

23

•Email filtering

•Sandbox

•Cloud services

•Document viewers

•Share files differently

Data stealing malware

24

Why does data stealing malware work?

25

•Multiple security failures

•Needs a human actor

•Poor network segregation

•Over privileged users

•Poor outbound filtering

•Unknown baseline

How does data stealing malware work?

26

Target(ed) exfiltration

27

New fileless malware uses DNS queries to recieve powershell commands

28

Source: Talos Security

How to protect against data stealing malware?

29

•Multiple security failures

•Needs a human actor

•Poor network segregation

•Over privileged users

•Poor outbound filtering

•Unknown baseline

Ransomware

30

Why does ransomware work?

31

•Complex threat chain

•Social Engineering

•No need for persistence

•Uses existing tools

•Geographically targeted, locally customized

•It’s your data

Locky/Zepto/Odin

32

Locky/Zepto/Odin

33

CryptoWall 4.0

34

Zcrypt: Cryptolocker Virus

35

Stampado/Philadelphia

36

8 tips for preventing ransomware

37

1. Back up your files regularly and keep them offline

2. Don’t enable macros

3. Consider installing Microsoft Office viewers

4. Be very careful about opening unsolicited attachments

5. Don’t give yourself more login power than necessary

6. Patch, Patch, Patch

7. Train and retrain your users

8. Segment your network

2017

38

2017 Predictions

39

1. Linux and IOT Malware/Ransomware • Mirai

2. Mobile Malware/Ransomware • Andr/Ransom-l

3. OSX Malware/Ransomware • KeRanger

40

Root Cause Analysis