©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential. ©2016. CYREN Ltd. All Rights Reserved. Proprietary and Confidential. This document and the contents therein are the sole property of CYREN and may not be transmitted or reproduced without CYREN’s express written permission.

Slide 1: CYREN 2016 Cyberthreat Report

Lior Kohavi — CTO
Avi Turiel — Director of Threat Research
John Callon — Sr. Director, Product Marketing
  
Slide 2: Agenda

§ In 2016: Detection is not the new prevention
§ Sandbox-aware malware
§ Demo of automated analysis
• Big data and threat detection
• Malware success indicates future trends
• Incremental attack improvements
• Yearly trends
  
Slide 3: In 2016, Detection is not the new prevention

Detection
• Based on a false perception that sophisticated attacks are too difficult to prevent
• Detecting breaches after the fact is all that can be done

Prevention
• Complete automation of the detection framework
• Includes advanced analysis of potential threats to improve prevention
  
Slide 4: Prediction: Proliferation of sandbox-aware malware

More and more malware will learn and become ‘aware’ of specific sandboxes, preventing “detonation” of the malware and subsequent detection. Cloud-based multi-sandbox arrays will prevent this, since the malware can’t recognize every possible environment.
  
Slide 5: Sandbox-aware malware

Challenges:
§ Malware detects OS features
  - Detects virtualization & debug tools
  - Runs only when specific files/registry keys are found
  - Runs only on 32/64 bit, Windows 7/8/10 or XP
§ Malware detects environment conditions
  - Runs only in specific domain names
  - Runs only when specific systems are found in the network
  - Detects proxy settings
§ Time-aware malware
  - Runs only at specific times of the day/week/month
  - Runs only in specific intervals
  - Runs only in specific time zones
  - Requires long runtime – hours, even days
§ Geo-location-aware malware
  - Runs only in specific regions/countries
§ Communication
  - Malware uses TLS/SSL to call home
  - C&C server unavailable due to many reasons
  
Slide 6: CYREN Advanced Malware Analysis

[Architecture diagram] Inputs: URLs, malware samples, and emails for analysis. Components: Arbitrator; Sandbox A; Sandbox B; Mobile Sandbox; Sandbox-less analysis (OS heuristics, network heuristics); IDS; External feeds; Reputation. Outputs: Conclusions, delivered through Reporting (RSS) and an API (raw data).
  
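As an added illustration of the Arbitrator box on the diagram above (example code, not CYREN's own), a small arbitrator that merges per-sandbox results with reputation and IDS signals: a sample that detonates in one sandbox but stays silent in another is marked evasive, and the environment attributes that separate the two runs (the evasion checks listed on the previous slide) are reported. Field names, behaviour tags, the sample reports and the 600-second runtime threshold are assumptions made for the example.

```python
"""Multi-sandbox arbitrator. Added example, not CYREN code; all names assumed."""
from dataclasses import dataclass, field

# Behaviour tags a sandbox might emit; the set is an assumption for the example.
MALICIOUS_BEHAVIOURS = {"credential_theft", "coin_mining", "process_injection",
                        "dns_burst_unresolved"}


@dataclass
class SandboxReport:
    """Result of detonating one sample in one environment."""
    name: str
    environment: dict                              # fingerprintable attributes
    behaviours: set = field(default_factory=set)   # observed behaviour tags
    contacted: set = field(default_factory=set)    # domains / IPs reached
    runtime_s: int = 0


def detonated(report: SandboxReport, bad_reputation: dict) -> bool:
    """True if the sample showed malicious behaviour or called a known-bad host."""
    if report.behaviours & MALICIOUS_BEHAVIOURS:
        return True
    return any(host in bad_reputation for host in report.contacted)


def environment_differences(active, silent):
    """Attributes that separate every detonating run from every silent run:
    the likely fingerprint the sample keyed on (sorted for stable output)."""
    keys = set().union(*(r.environment for r in active + silent))
    found = []
    for k in sorted(keys):
        a_vals = {r.environment.get(k) for r in active}
        s_vals = {r.environment.get(k) for r in silent}
        if len(a_vals) == 1 and not (a_vals & s_vals):
            found.append(k)
    return found


def arbitrate(reports, bad_reputation, ids_alerts=0):
    """Combine per-sandbox results with IDS and reputation signals into one verdict."""
    active = [r for r in reports if detonated(r, bad_reputation)]
    silent = [r for r in reports if r not in active]
    verdict = {"verdict": "clean", "evasive": False, "fingerprint": [],
               "detonated_in": [r.name for r in active], "evidence": set()}
    for r in active:
        verdict["evidence"] |= r.behaviours & MALICIOUS_BEHAVIOURS
        verdict["evidence"] |= {h for h in r.contacted if h in bad_reputation}
    if ids_alerts:
        verdict["evidence"].add(f"ids_alerts={ids_alerts}")
    if active or ids_alerts:
        verdict["verdict"] = "malicious"
    if active and silent:
        # Diverging behaviour across environments is itself a finding.
        verdict["evasive"] = True
        verdict["fingerprint"] = environment_differences(active, silent)
    elif not active and silent and max(r.runtime_s for r in silent) < 600:
        # Nothing happened, but no run lasted long: time-aware malware may be waiting.
        verdict["verdict"] = "inconclusive_short_runtime"
    return verdict


# Constructed sample reports: a hypervisor-visible analysis VM and a bare-metal-like host.
SANDBOX_A = SandboxReport(
    name="sandbox-A",
    environment={"hypervisor_visible": True, "debugger_present": True,
                 "domain_joined": False, "arch": "x64", "timezone": "UTC"},
    runtime_s=300)
SANDBOX_B = SandboxReport(
    name="sandbox-B",
    environment={"hypervisor_visible": False, "debugger_present": False,
                 "domain_joined": True, "arch": "x64", "timezone": "America/New_York"},
    behaviours={"credential_theft", "coin_mining", "dns_burst_unresolved"},
    contacted={"simplequestion.net", "winteranger.net"},
    runtime_s=300)
# Reputation feed, constructed for the example from the DGA names shown later in the deck.
BAD_REPUTATION = {"simplequestion.net": "dga", "winteranger.net": "dga"}


def demo():
    return arbitrate([SANDBOX_A, SANDBOX_B], BAD_REPUTATION)


if __name__ == "__main__":
    print(demo())
```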
Slide 7: Live malware analysis

• Show automated analysis process
  
Slide 8: “WhatsApp” audible message attack

• “Audible message” email attachment
• Bayrob, Nivdort, or Symmi
• Password stealer, bitcoin miner
• Uses memory dumping to prevent analysis
• Domain generation algorithm (DGA)
  - “simplequestion.net”
  - “mountainmeasure.net”
  - “winteranger.net”
  - “subjectafraid.net”
• Evaded one sandbox, detonated in the second sandbox, allowing detection
  
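The four DGA names above are two English words joined together, so a defender can spot candidates by dictionary segmentation. The added example below (not CYREN's detection logic) does that and then counts, per client, unresolved two-word domains from a DNS log, because a single two-word name is common in benign traffic while a burst of NXDOMAIN answers for such names is the DGA signal. The word list, log format and threshold are constructed for the example.

```python
"""Dictionary-DGA spotting for Nivdort-style names. Added example, not CYREN code."""
import re
from collections import defaultdict

# Tiny word list constructed for the example; a real deployment would load a full
# English dictionary (tens of thousands of entries).
WORDS = {"simple", "question", "mountain", "measure", "winter", "anger", "subject",
         "afraid", "face", "book", "micro", "soft", "update", "engineering", "mail"}
MIN_PART = 3   # shortest word accepted on either side of the split


def dictionary_splits(label: str, words=WORDS):
    """Every way to split `label` into two dictionary words, e.g.
    'winteranger' -> [('winter', 'anger')]. An empty list means 'not two words'."""
    label = label.lower()
    return [(label[:i], label[i:])
            for i in range(MIN_PART, len(label) - MIN_PART + 1)
            if label[:i] in words and label[i:] in words]


def registrable_label(qname: str) -> str:
    """'a.winteranger.net.' -> 'winteranger' (assumes a one-label public suffix)."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


# Assumed log layout: timestamp, client address, query name, response code.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<rcode>\S+)$")


def flag_hosts(dns_log_lines, threshold=3, words=WORDS):
    """Per client, collect distinct two-word domains that failed to resolve and
    return {client: sorted domains} for clients at or above the threshold.
    A lone hit (facebook -> face+book) is normal; the burst is the signal."""
    hits = defaultdict(set)
    for line in dns_log_lines:
        m = LOG_RE.match(line.strip())
        if not m or m["rcode"] != "NXDOMAIN":
            continue
        if dictionary_splits(registrable_label(m["qname"]), words):
            hits[m["client"]].add(m["qname"].rstrip("."))
    return {c: sorted(d) for c, d in hits.items() if len(d) >= threshold}


# Constructed sample DNS log (10.0.0.7 shows the burst; 10.0.0.9 is ordinary traffic).
SAMPLE_LOG = """
2016-02-10T09:00:01Z 10.0.0.7  simplequestion.net   NXDOMAIN
2016-02-10T09:00:02Z 10.0.0.7  mountainmeasure.net  NXDOMAIN
2016-02-10T09:00:02Z 10.0.0.7  winteranger.net      NXDOMAIN
2016-02-10T09:00:03Z 10.0.0.7  subjectafraid.net    NOERROR
2016-02-10T09:00:05Z 10.0.0.9  facebook.com         NOERROR
2016-02-10T09:00:06Z 10.0.0.9  microsoft.com        NOERROR
2016-02-10T09:00:07Z 10.0.0.9  winteranger.net      NXDOMAIN
""".strip().splitlines()


def demo():
    return flag_hosts(SAMPLE_LOG)


if __name__ == "__main__":
    print(demo())
```

The one name that did resolve (subjectafraid.net, NOERROR) is the live rendezvous point and is the host to pivot on once a client is flagged.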
Slide 9: Prediction: Big Data Analysis will find threats

Large data analysis will help flag potentially dangerous URLs, IP addresses, and malware objects before employees fall victim to these threats.
  
Slide 10: Triggering “Big Data” analysis

• Large data sources used to stop known or large threats
• Also find hints of lesser-known threats hidden in malicious sources
• Example:
  - CYREN highlighted suspicious URLs and IP addresses being accessed by employees at a company that uses CYREN WebSecurity
    - invoice-myups.org
    - 217.71.50.24
  - URLs and IP addresses marked as suspicious based on a range of factors
  
Slide 11: Reputation Calculation – A Synergy of Insights

[Relationship diagram linking the following indicators]
Domains and IP addresses: webfeed.softupdate.org, invoice-myups.org, terminal.vla-engineering.com, 217.71.50.24, 178.132.203.166
Spam campaign attachments: invoiceid-[a-z0-9]{20}.doc, invoiceid-[a-z0-9]{20}.pdf.zip
Hash values: D20aeb6ccc9f9c258ef158b47c3f33613141f7afebfd7bd0e61b0f76c7061f97, 5a6e6396d05739f08109c8f9e9e8eacc2f395c2201d560963cd39ceb5c36d728, 1e5dd90edb812ce1d741b63439c28cf2934693e292c8b47fd06519d7449d7c1c
Subdomain of: app.invoice-myups.org (Zeus)
Registrant is: okfnjcds@126.co (www-myups.org)
Sender patterns: no-replays-[0-9a-z]{6}@ups.invoice, notifications-[0-9a-z]{6}@ups.invoice
  
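The "synergy of insights" is a graph problem: a domain nobody has convicted inherits suspicion from the things it is linked to (a Zeus subdomain, a campaign hash, a shared registrant). The added example below (not CYREN's scoring) propagates seed verdicts across typed relations with per-relation weights and keeps the path that explains each score. The entities are the ones on the slide, but the edges between them and the weights are assumptions for the example; the slide shows relation labels, not every link.

```python
"""Reputation propagation over an indicator graph. Added example, not CYREN code."""
from collections import defaultdict

# How much suspicion flows across each relation type (assumed values).
RELATION_WEIGHT = {
    "subdomain_of": 0.9,      # parent shares blame with a known-bad child
    "registrant_is": 0.6,     # same WHOIS registrant
    "hosted_on": 0.7,         # domain <-> IP address
    "attachment_hash": 0.8,   # attachment name pattern <-> file hash
    "sent_from": 0.5,         # attachment pattern <-> sender address pattern
    "links_to": 0.7,          # URL carried in a mail body / lure document
}


class ReputationGraph:
    def __init__(self):
        self.adj = defaultdict(list)   # node -> [(neighbour, relation)]
        self.seed = {}                 # node -> (score, reason)

    def relate(self, a, relation, b):
        """Undirected edge: suspicion can flow either way along a relation."""
        self.adj[a].append((b, relation))
        self.adj[b].append((a, relation))

    def known_bad(self, node, reason, score=1.0):
        self.seed[node] = (score, reason)

    def propagate(self, floor=0.05):
        """Fixed-point iteration: each node takes the best (score x weight) any
        neighbour offers. Returns {node: (score, path)}; path explains the score."""
        score = {n: s for n, (s, _) in self.seed.items()}
        path = {n: [reason] for n, (_, reason) in self.seed.items()}
        changed = True
        while changed:
            changed = False
            for node in list(score):
                for nb, rel in self.adj[node]:
                    cand = round(score[node] * RELATION_WEIGHT[rel], 4)
                    if cand >= floor and cand > score.get(nb, 0.0):
                        score[nb] = cand
                        path[nb] = path[node] + [f"via {rel} with {node}"]
                        changed = True
        return {n: (score[n], path[n]) for n in score}


def suspicious(result, threshold=0.5):
    """Nodes at or above the threshold, most suspicious first."""
    return sorted((n for n, (s, _) in result.items() if s >= threshold),
                  key=lambda n: -result[n][0])


# Entities from the slide; the links between them are assumed for this example.
HASH_DOC = "D20aeb6ccc9f9c258ef158b47c3f33613141f7afebfd7bd0e61b0f76c7061f97"
DOC_PATTERN = "invoiceid-[a-z0-9]{20}.doc"
SENDER_PATTERN = "no-replays-[0-9a-z]{6}@ups.invoice"


def build_example_graph():
    g = ReputationGraph()
    g.known_bad("app.invoice-myups.org", "Zeus")           # labelled Zeus on the slide
    g.known_bad(HASH_DOC, "spam campaign attachment")
    g.relate("app.invoice-myups.org", "subdomain_of", "invoice-myups.org")
    g.relate("invoice-myups.org", "registrant_is", "okfnjcds@126.co")
    g.relate("www-myups.org", "registrant_is", "okfnjcds@126.co")
    g.relate("invoice-myups.org", "hosted_on", "217.71.50.24")
    g.relate(DOC_PATTERN, "attachment_hash", HASH_DOC)
    g.relate(DOC_PATTERN, "sent_from", SENDER_PATTERN)
    g.relate(DOC_PATTERN, "links_to", "invoice-myups.org")
    return g


if __name__ == "__main__":
    for node, (score, why) in build_example_graph().propagate().items():
        print(f"{score:.3f}  {node}  <- {' <- '.join(why)}")
```

The path list is what an analyst needs when a customer asks why invoice-myups.org was blocked; the numeric score alone is not an explanation.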
Slide 12: Using Big Data to Predict Malware Trends
  
Slide 13: Map the Attack

§ 40 to 50 million emails distributed in short bursts lasting only three to five minutes each
  
Slide 14: Prediction: Malware success will be repeated

Malware will continue to be distributed via email, macro malware is here to stay, continued focus on POS systems, regional diversity of C&C
  
Slide 15: Notable 2015 Malware - Android

Gunpowder
• Distributed via SMS messages through the phone’s contact list, under the message “a fun game ^_^.”
• Hidden in old Nintendo games for Android and bundled with aggressive adware
• Information stealer
• Spreads further via SMSs
  
Slide 16: Notable 2015 Malware - Windows

Stegaloader/Gatak
• Steganography malware
• Malware arrives as a bundled file in software cracking tools
• Malware retrieves the image, then the hidden encrypted data inside via a steganography technique
• Encryption used for communication with C&C
  
Slide 17: Notable 2015 Malware - POS

Alina
• Distribution via USB but also emailed macro malware
• Targets credit card swipe systems
• Most POS systems running Windows OS encrypt credit card data
• Data is briefly available unencrypted in the system’s memory
• Alina uses a memory scraping technique
• Includes features such as screen capture and keylogging
• MalumPoS targets POS software developed by MICROS (owned by Oracle), widely used by hotels, restaurants, and retailers in the US
  
Slide 18: Malware Year in Review
  
Slide 19: Prediction: Incremental changes to threat techniques

Increasingly, cybercriminals will use sophisticated, yet subtle, incremental changes in their approach to cybercrime.
  
Slide 20: Incremental Changes

• Subtle, yet powerful changes to malware and spam distribution methods to improve the overall success of threats and breach attempts
• Example – “the invoice that you requested”
  
Slide 21: Advanced fake email headers

• Harvest legitimate email headers from compromised email accounts
• Creates the appearance of a legitimately redirected newsletter
• Designed to outwit anti-spam systems
  
Slide 22: Continued use of macro malware

§ Sophisticated social engineering
§ Demonstrates extensive tools available to cybercriminals
• Using attack vectors that are ignored
  
Slide 23: Phishing/Spam Year in Review
  
Slide 24: Protecting the world against Internet threats
  
Slide 25: Any location, any device

Protect users | Manage web use
Cloud-based protection for any user, anywhere, on any device
  
Slide 26: Managing Security Incidents
  
Slide 27: Managing Security Incidents
  
Slide 28: Thank You. Any Questions or Thoughts?

You can also find us here:
www.CYREN.com
twitter.com/cyreninc
linkedin.com/company/cyren
  


Webinar: Insights from Cyren's 2016 cyberthreat report
