Presentation

Insights On Emerging Threats

Cloud to Core Coverage
• 16 BILLION web requests a day
• 3.4 BILLION AMP queries a day
• 600 BILLION email messages a day
THREAT LANDSCAPE
1.5 Million (daily malware samples; see the Talos intel breakdown below)
WHY? - Opportunity
[Chart: Low Hanging Fruit on Decline. Percentage (y-axis 10% to 80%) plotted by year, 2003 to 2015, for three series:]
• Network Accessible
• Low Complexity
• No Authentication
Zepto - Spam
WHY? - Profit
Extortion Racket
“shame if something was to happen to your business”

DDoS Attack (extortion note, quoted from the slide):
"All your servers will be DDoS-ed starting Friday if you don't pay 20 Bitcoins @ <redacted>

When we say all, we mean all - users will not be able to access sites host with you at all.

Right now we will start 15 minutes attack on your site's IP <redacted>. It will not be hard, we will not crash it at the moment to try to minimize eventual damage, which we want to avoid at this moment. It's just to prove that this is not a hoax. Check your logs!

If you don't pay by Friday, attack will start, price to stop will increase to 40 BTC and will go up 20 BTC for every day of attack."
DDoS as a Service
Image source: The Register
SSH Psychos Update
SSHPsychos: SSH Brute Force Attempts
• Brute force SSH attacks until password guess
• 300K unique passwords
• Login from different address space
• Drop DDoS rootkit on server
• Accounted for 1/3 of all SSH traffic ON THE INTERNET
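The SSHPsychos pattern above (a flood of password guesses from one source, then a successful login to the guessed account from a different address space) can be spotted in sshd logs. The following detector is an added example, not code from the deck or from Talos; the log lines are constructed, the 5-failure threshold and the "/24 counts as the same address space" rule are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample sshd log lines for this example (not from the deck);
# the addresses are documentation-range placeholders.
SAMPLE_LOG = """\
Mar 10 02:11:01 host sshd[4001]: Failed password for root from 203.0.113.10 port 51000 ssh2
Mar 10 02:11:02 host sshd[4002]: Failed password for root from 203.0.113.10 port 51001 ssh2
Mar 10 02:11:03 host sshd[4003]: Failed password for invalid user admin from 203.0.113.10 port 51002 ssh2
Mar 10 02:11:04 host sshd[4004]: Failed password for root from 203.0.113.10 port 51003 ssh2
Mar 10 02:11:05 host sshd[4005]: Failed password for root from 203.0.113.10 port 51004 ssh2
Mar 10 02:11:06 host sshd[4006]: Failed password for root from 203.0.113.10 port 51005 ssh2
Mar 10 02:30:44 host sshd[4100]: Accepted password for root from 198.51.100.7 port 40022 ssh2
Mar 10 03:00:00 host sshd[4200]: Failed password for bob from 192.0.2.5 port 3333 ssh2
Mar 10 03:00:09 host sshd[4201]: Accepted publickey for bob from 192.0.2.5 port 3334 ssh2
"""

FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
OK_RE = re.compile(r"Accepted \w+ for (\S+) from (\S+) port")

def analyze(log_text, threshold=5):
    """Return (brute_forcers, suspicious_logins).

    brute_forcers: {source_ip: failure_count} for sources at/above threshold.
    suspicious_logins: (user, login_ip, guessing_ip) where a brute-forced
    account was then logged into from outside the guesser's /24 (assumed
    proxy for "different address space").
    """
    failures = defaultdict(int)        # source ip -> failed attempts
    guessed_users = defaultdict(set)   # user -> source ips that guessed it
    accepted = []                      # (user, ip) successful logins, in order
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            guessed_users[user].add(ip)
            continue
        m = OK_RE.search(line)
        if m:
            accepted.append(m.groups())
    brute_forcers = {ip: n for ip, n in failures.items() if n >= threshold}
    suspicious = []
    for user, login_ip in accepted:
        for guess_ip in guessed_users.get(user, ()):
            same_net = ip_address(login_ip) in ip_network(f"{guess_ip}/24", strict=False)
            if guess_ip in brute_forcers and not same_net:
                suspicious.append((user, login_ip, guess_ip))
    return brute_forcers, suspicious
```

In the sample, root is guessed six times from 203.0.113.10 and then accepted from 198.51.100.7, which is flagged; bob's single failure followed by a key login from the same host is not.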
IoT Vulnerabilities
CVE-2015-2868 buffer overflow, remote code execution
CVE-2015-2867 hard coded credential
IoT DDoS 620 Gbps
Source: Krebs on Security
Acquisitive Crime
“The Conjurer”
Hieronymus Bosch c.1480
Cyber Crime Business Model
Compromised System:
• Steal CPU Cycles: mine bitcoins
• Steal Bandwidth: DDoS, send spam
• Steal Data: credential theft, identity theft
GozNym - Distribution
Malicious Office Docs
Malware Downloader
Malvertising
A Major News Site, loading one “Advert”:
• 26 Domains
• 39 Hosts
• 171 Objects
• 557 Connections
Exploit Kits
[Diagram: the victim's browser is checked against the exploit server's list of vulnerabilities in turn.]
• Check vuln 1: Patched? ✔
• Check vuln 2: Patched? ✔
• Vuln 3: Patched? ✖ – success! EXPLOIT SERVER delivers the payload
Tofsee Spamming Malware
Spam Volumes
Ransomware - A New Model
Ransomware Rogues Gallery
Name: AIDS Trojan
Date: Dec 1989
Spread: Diskette
Ransom: $189 (by post)
Encryption: Symmetric (file names only)
Ransomware Rogues Gallery

Name: Reveton
Date: May 2012
Spread: Exploit kits (web)
Ransom: $200 by Ukash, Bitcoin
Encryption: various

Name: Cryptolocker
Date: Sep 2013
Spread: Email
Ransom: $400 by Ukash or Bitcoin
Encryption: RSA-2048 bit, including network drives

Name: Cryptowall 2.0
Date: Sep 2014
Spread: Malvertising
Ransom: $500 or bitcoin
Encryption: RSA-2048 + AES-256, including network drives; also web site version.

Name: Locky
Date: Feb 2016
Spread: Email
Ransom: $300 - $400, Tor, Bitcoin
Encryption: RSA-2048 bit
CryptoWall 4 - Key Exchange
Message flow between the infected host and the C2 Server:
1. Initial announcement to C2
2. C2 Server Ack
3. Request PubKey, Wallpaper
4. Send PubKey, Wallpaper
5. Verify PubKey, Encrypt Files
6. Files Encrypted, Success
7. C2 Server Ack
SamSam – March 2016
1. Scan for JBoss vulnerability
2. Install web shell
3. Expand presence on network
4. Install SamSam malware
5. Encrypt files & demand payment
SamSam – March 2016
Parasitic Ransomware
TALOS
MULTI-TIERED DEFENSE
Talos is divided into 5 departments
TALOS INTEL BREAKDOWN
THREAT INTEL
• 250+ Full Time Threat Intel Researchers
• 1.5 MILLION Daily Malware Samples
• 600 BILLION Daily Email Messages
• 16 BILLION Daily Web Requests
• MILLIONS of Telemetry Agents
• 4 Global Data Centers
• Over 100 Threat Intelligence Partners
• 1100 Threat Traps
INTEL SHARING
• Internet-Wide Scanning
• Telemetry
• Honeypots
• ISACs
• Vulnerability Discovery (Internal)
• Open Source Communities
• 3rd Party Programs (MAPP)
Internal programs named on the slide: Aspis, Crete, AEGIS
MULTI-TIERED DEFENSE
Cloud to Core Coverage
• WEB: Reputation, URL Filtering, AVC
• END POINT: Software – ClamAV, Razorback, Moflow
• CLOUD: FireAMP & ClamAV detection content
• EMAIL: Reputation, AntiSpam, Outbreak Filters
• NETWORK: Snort Subscription Rule Set, VDB – FireSIGHT Updates & Content, SEU/SRU Product Detection & Prevention Content
Global Threat Intelligence Updates
Open Source
Public Facing Tools
• Threat detection and prevention: Snort, ClamAV, Razorback, & Daemonlogger
• Vulnerability detection and mitigation: Moflow, FreeSentry
talosintel.com
@talossecurity