Webinar: Insights from Cyren's 2016 cyberthreat report
- 1. CYREN 2016 Cyberthreat Report
Lior Kohavi — CTO
Avi Turiel — Director of Threat Research
John Callon — Sr. Director, Product Marketing
©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.
©2016. CYREN Ltd. All Rights Reserved. Proprietary and Confidential. This document and the contents therein are the sole property of CYREN and may not be transmitted or reproduced without CYREN’s express written permission.
- 2. Agenda
§ In 2016: Detection is not the new prevention
§ Sandbox-aware malware
§ Demo of automated analysis
• Big data and threat detection
• Malware success indicates future trends
• Incremental attack improvements
• Yearly trends
- 3. In 2016, Detection is not the new prevention
Detection
• Based on a false perception that sophisticated attacks are too difficult to prevent
• Detecting breaches after the fact is all that can be done
Prevention
• Complete automation of the detection framework
• Includes advanced analysis of potential threats to improve prevention
- 4. Prediction: Proliferation of sandbox-aware malware
More and more malware will learn and become ‘aware’ of specific sandboxes, preventing “detonation” of the malware and subsequent detection. Cloud-based multi-sandbox arrays will prevent this, since the malware can’t recognize every possible environment.
- 5. Sandbox-aware malware
Challenges:
§ Malware detects OS features
  § Detects virtualization & debug tools
  § Runs only when specific files/registry keys are found
  § Runs only on 32/64-bit, Windows 7/8/10 or XP
§ Malware detects environment conditions
  § Runs only in specific domain names
  § Runs only when specific systems are found in the network
  § Detects proxy settings
§ Time-aware malware
  § Runs only at specific times of the day/week/month
  § Runs only at specific intervals
  § Runs only in specific time zones
  § Requires long runtime – hours, even days
§ Geo-location-aware malware
  § Runs only in specific regions/countries
§ Communication
  § Malware uses TLS/SSL to call home
  § C&C server unavailable due to many reasons
- 6. CYREN Advanced Malware Analysis
Inputs: URLs, malware samples, emails for analysis
Components: Arbitrator; Sandbox A; Sandbox B; IDS; External feeds; Reputation; Mobile sandbox; Sandbox-less OS heuristics; Network heuristics
Outputs: Conclusions (RSS); API (raw data); Reporting
- 7. Live malware analysis
• Show automated analysis process
- 8. “WhatsApp” audible message attack
• “Audible message” email attachment
• Bayrob, Nivdort, or Symmi
• Password stealer, bitcoin miner
• Uses memory dumping to prevent analysis
• Domain generation algorithm (DGA)
  • “simplequestion.net”
  • “mountainmeasure.net”
  • “winteranger.net”
  • “subjectafraid.net”
• Evaded one sandbox, detonated in the second sandbox, allowing detection
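The multi-sandbox arbitration that the architecture slide and this case describe, as an added example that is not CYREN's code: engine names, weights, the evasion bonus and the sample reports are assumptions, and the only page values reused are the DGA domain names above, placed in a constructed report.

```python
"""Added example (not CYREN's code): an arbitrator that fuses the verdicts of the
engines in a multi-sandbox array.  Engine names, weights and the reports are
constructed; the rule that 'silent in one sandbox, detonated in another' is
itself a signal follows the WhatsApp case on the slide."""
from dataclasses import dataclass, field

MALICIOUS, SUSPICIOUS, CLEAN = "malicious", "suspicious", "clean"
# Assumed weights: a detonating sandbox or an IDS hit outweighs a reputation hint.
ENGINE_WEIGHT = {"sandbox_a": 3, "sandbox_b": 3, "ids": 2, "reputation": 1, "feeds": 1}
EVASION_BONUS = 2  # assumed extra weight when a sample behaves differently per sandbox


@dataclass
class EngineReport:
    engine: str
    verdict: str                # MALICIOUS, SUSPICIOUS or CLEAN
    detonated: bool = True      # False when a sandbox observed no behaviour at all
    indicators: list = field(default_factory=list)


def arbitrate(reports):
    """Combine engine reports into one verdict plus the reasons behind it."""
    score, reasons = 0.0, []
    for r in reports:
        w = ENGINE_WEIGHT.get(r.engine, 1)
        if r.verdict == MALICIOUS:
            score += w
            reasons.append(f"{r.engine}: malicious {r.indicators}")
        elif r.verdict == SUSPICIOUS:
            score += w / 2
            reasons.append(f"{r.engine}: suspicious {r.indicators}")
    sandboxes = [r for r in reports if r.engine.startswith("sandbox")]
    silent = [r.engine for r in sandboxes if not r.detonated]
    active = [r.engine for r in sandboxes if r.detonated and r.verdict != CLEAN]
    sandbox_aware = bool(silent and active)   # evaded one sandbox, ran in another
    if sandbox_aware:
        score += EVASION_BONUS
        reasons.append(f"no activity in {silent} but detonated in {active}: sandbox-aware")
    verdict = MALICIOUS if score >= 3 else SUSPICIOUS if score >= 1 else CLEAN
    return {"verdict": verdict, "score": score, "sandbox_aware": sandbox_aware, "reasons": reasons}


# Constructed reports: the attachment evades the first sandbox and detonates in the second.
WHATSAPP_CASE = [
    EngineReport("sandbox_a", CLEAN, detonated=False),
    EngineReport("sandbox_b", MALICIOUS, indicators=["dns: simplequestion.net", "dns: mountainmeasure.net"]),
    EngineReport("ids", CLEAN),
    EngineReport("reputation", CLEAN),
]
BENIGN_CASE = [EngineReport("sandbox_a", CLEAN), EngineReport("sandbox_b", CLEAN), EngineReport("ids", CLEAN)]

if __name__ == "__main__":
    print(arbitrate(WHATSAPP_CASE))
```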
- 9. Prediction: Big Data Analysis will find threats
Large data analysis will help flag potentially dangerous URLs, IP addresses, and malware objects before employees fall victim to these threats.
- 10. Triggering “Big Data” analysis
• Large data sources used to stop known or large threats
• Also find hints of lesser-known threats hidden in malicious sources
• Example:
  • CYREN highlighted suspicious URLs and IP addresses being accessed by employees at a company that uses CYREN WebSecurity
    • invoice-myups.org
    • 217.71.50.24
  • URLs and IP addresses marked as suspicious based on a range of factors
- 11. Reputation Calculation – A Synergy of Insights
Indicators linked on the slide:
• Domains: webfeed.softupdate.org, invoice-myups.org, terminal.vla-engineering.com, www-myups.org
• IP addresses: 217.71.50.24, 178.132.203.166
• Spam campaign attachments: invoiceid-[a-z0-9]{20}.doc, invoiceid-[a-z0-9]{20}.pdf.zip
• Hash values: D20aeb6ccc9f9c258ef158b47c3f33613141f7afebfd7bd0e61b0f76c7061f97, 5a6e6396d05739f08109c8f9e9e8eacc2f395c2201d560963cd39ceb5c36d728, 1e5dd90edb812ce1d741b63439c28cf2934693e292c8b47fd06519d7449d7c1c
• Zeus
• Subdomain of: app.invoice-myups.org
• Registrant is: okfnjcds@126.co
• Email address patterns: no-replays-[0-9a-z]{6}@ups.invoice, notifications-[0-9a-z]{6}@ups.invoice
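How independent pieces of evidence linked to an indicator can be combined into one reputation score, as an added example that is not CYREN's code: the indicator graph, its relations, the seed weights and the damping factor are constructed (RFC 5737 addresses and .test names), and the noisy-OR combination is an assumed scoring rule, not the slide's method.

```python
"""Added example (not CYREN's code): reputation scoring that combines independent
evidence linked to an indicator, in the spirit of the slide's "synergy of
insights".  Graph, relations, seeds and values are all constructed."""
from collections import deque

DAMPING = 0.6  # assumed: each hop away from a known-bad seed keeps 60% of its weight

# Constructed indicator graph: (indicator, relation, indicator)
EDGES = [
    ("hash:constructed-sha256-1", "dropped_by", "file:invoiceid-[a-z0-9]{20}.doc"),
    ("file:invoiceid-[a-z0-9]{20}.doc", "downloads_from", "domain:invoice-example.test"),
    ("domain:invoice-example.test", "resolves_to", "ip:203.0.113.24"),
    ("domain:app.invoice-example.test", "subdomain_of", "domain:invoice-example.test"),
    ("domain:invoice-example.test", "registrant", "email:registrant@example.test"),
    ("domain:www-example.test", "registrant", "email:registrant@example.test"),
    ("ip:203.0.113.24", "hosts", "domain:terminal.example.test"),
]
# Constructed seeds: a hash known to be malicious and a registrant seen in earlier abuse.
SEEDS = {"hash:constructed-sha256-1": 1.0, "email:registrant@example.test": 0.8}


def _distances(edges, start):
    """BFS hop counts from `start`; relations are followed in both directions."""
    adj = {}
    for a, _rel, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    dist, queue = {start: 0}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def reputation(edges=EDGES, seeds=SEEDS, damping=DAMPING):
    """Noisy-OR of the evidence reaching each indicator from every seed.

    Each seed contributes weight * damping**hops; independent seeds combine, so an
    indicator tied to two bad sources scores higher than one tied to a single source."""
    reach = {s: _distances(edges, s) for s in seeds}
    nodes = set().union(*(d.keys() for d in reach.values()))
    scores = {}
    for n in nodes:
        clean = 1.0
        for s, w in seeds.items():
            if n in reach[s]:
                clean *= 1.0 - w * damping ** reach[s][n]
        scores[n] = 1.0 - clean
    return scores


def suspicious(threshold=0.5, **kw):
    """Indicators worth flagging to a web-security gateway, highest score first."""
    scores = reputation(**kw)
    return sorted((n for n, v in scores.items() if v >= threshold), key=lambda n: -scores[n])
```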
- 12. Using Big Data to Predict Malware Trends
- 13. Map the Attack
§ 40 to 50 million emails distributed in short bursts lasting only three to five minutes each
- 14. Prediction: Malware success will be repeated
Malware will continue to be distributed via email; macro malware is here to stay; continued focus on POS systems; regional diversity of C&C.
- 15. Notable 2015 Malware - Android
Gunpowder
• Distributed via SMS messages through the phone’s contact list, under the message “a fun game ^_^.”
• Hidden in old Nintendo games for Android and bundled with aggressive adware
• Information stealer
• Spreads further via SMSs
- 16. Notable 2015 Malware - Windows
Stegaloader/Gatak
• Steganography malware
• Malware arrives as a bundled file in software cracking tools
• Malware retrieves the image, then the hidden encrypted data inside via a steganography technique
• Encryption used for communication with C&C
- 17. Notable 2015 Malware - POS
Alina
• Distribution via USB but also emailed macro malware
• Targets credit card swipe systems
• Most POS systems running Windows OS encrypt credit card data
• Data is briefly available unencrypted in the system’s memory
• Alina uses a memory scraping technique
• Includes features such as screen capture and keylogging
• MalumPoS targets POS software developed by MICROS (owned by Oracle), widely used by hotels, restaurants, and retailers in the US
- 18. Malware Year in Review
- 19. Prediction: Incremental changes to threat techniques
Increasingly, cybercriminals will use sophisticated, yet subtle, incremental changes in their approach to cybercrime.
- 20. Incremental Changes
• Subtle, yet powerful changes to malware and spam distribution methods to improve the overall success of threats and breach attempts
• Example – “the invoice that you requested”
- 21. Advanced fake email headers
• Harvest legitimate email headers from compromised email accounts
• Creates the appearance of a legitimately redirected newsletter
• Designed to outwit anti-spam systems
- 22. Continued use of macro malware
§ Sophisticated social engineering
§ Demonstrates extensive tools available to cybercriminals
• Using attack vectors that are ignored
- 23. Phishing/Spam Year in Review
- 24. Protecting the world against Internet threats
- 25. Any location, any device
Protect users. Manage web use.
Cloud-based protection for any user, anywhere, on any device.
- 26. Managing Security Incidents
- 27. Managing Security Incidents
- 28. Thank You. Any Questions or Thoughts?
You can also find us here:
www.CYREN.com
twitter.com/cyreninc
linkedin.com/company/cyren