egambit Endpoint Security agent versus WannaCrypt Ransomware

Transcription

1 egambit Endpoint Security agent versus WannaCrypt Ransomware 1 0 Let s explore egambit features to fight against massive ransomware attacks WannaCrypt, 12 May 2017 Discover how Cyber Robots + Artificial Intelligence engines might get stronger than malwares egambit is a french product created by TEHTRIS Consultants

2 Introduction oon May 12, 2017 before noon, the cybersecurity community discovered a massive spread of a new ransomware abusing a well know vulnerability against Microsoft Windows operating systems MS security issues, with a patch proposed on 14 th March 2017 Many computers were not protected against related threats Old Windows XP, etc And many recent unpatched Windows as well (Production Infrastructures like SCADA stuff, Unmanaged PC ) Many infrastructures were not applying these needed principles : Containment & Detection othis document will not focus on the attack itself, as many web sites already shared interesting information oinstead, we will explain how enhanced mechanisms proposed in egambit product had the power to detect and/or neutralize the threats automatically, worldwide without human actions Note to egambit customers : you shall definitely apply for the automatic neutralization options Contact your egambit support if needed! TEHTRIS 2

3 egambit Appliance egambit Endpoint Security agents TEHTRIS, France (Bordeaux) egambit TEHTRIS 3

4 Few words about egambit oegambit is a full defensive cyber security arsenal offering a 360 unified overview of your IT Security infrastructure, where you can deploy what you exactly need with flexibility and scalability oin this document we will focus on specific components proposed by egambit The egambit Endpoint Security agent running on Windows (XP, 7, 10, 2003, 2012 ) The egambit Forensics portal, offering a strong API to our robots worldwide The egambit Artificial Intelligence engine, that is able to detect new threats without signatures othe egambit Endpoint Security agent is currently deployed worldwide and when a new unknown threat or behavior appears somewhere on earth, it is fully deeply analyzed so that any egambit Endpoint Security agent know what to do We transformed the IT Security from manual analysis, to quick automatic defensive fights Done by our robots (strong programs on our appliances), our machine learning and artificial intelligence engines Moreover, TEHTRIS Consultants are working on cutting edge technologies to improve Cybersecurity daily TEHTRIS 4

5 egambit, mid-2017 oegambit overview SIEM Endpoint Security Honeypots Forensics Artificial Intelligence Audits NIDS Inventory TEHTRIS 5

6 egambit Endpoint Security Threat Intelligence Assets Inventory Security Assessments Post Intrusion egambit 360 System & App Monitoring Network Detection System Protection Network Monitoring

7 How egambit Endpoint Security agent can detect and block advanced attacks Many Antiviruses + Threats Intelligence Databases + our Sandboxes + egambit Artificial Intelligence + Continuous & Global activities + Consultants analysis + Sandbox Windows egambit Intelligence in TEHTRIS cloud Threats Local egambit agent Data from the Ground Checks / Analysis / Answers Appliance Local egambit Intelligence Defensive Cyberarsenal

8 AMTSO Compliant Certification oamtso is the Anti-Malware Testing Standards Organization oegambit with tested against unknown malwares Detection rate of egambit Artificial Intelligence Engine 2016 è 95.5% 2017 è 98.1% (tested in April 2017 in Beijing) owe got certified by SKD-LABS Company Certification recognized by Microsoft (MVI Program) and by Google (VirusTotal) owe got awarded as the best real time threat analysis solution worldwide for 2016 TEHTRIS 8

9 egambit: Awarded recognized product and services 2017 Cybersecurity Award: best Cybersecurity Solution worldwide in the category Real-time Threat Analysis by a leading independent testing facility 2016 egambit selected as a cybersecurity solution for the French public sector through the central public purchasing office (UGAP) 2016 "Starcheck Certification for egambit Artificial Intelligence, recognized by the security industry, Microsoft (Microsoft Virus Initiative), AMTSO (Anti- Malware Testing Standards Organization) and Google (VirusTotal) 2015 "Label France Cybersecurity": Guarantee that the certified products and services are made in France and possess clear and well-defined functionalities, with a high level of quality 2016 Most innovating solution, trophy won in the "Security" category during the "IT Innovation Forum" organized in Paris by the CRIP (Club of directors for Infrastructure and Production) sponsored by the Secretary of State in charge of the digital TEHTRIS 9

10 About the WannaCrypt Ransomware This malware got multiple names such as Wcry, WanaCry, WanaCrypt, Wanna Decryptor Multiple virus strains were observed (with or without the famous kill switch ) TEHTRIS 10

11 About the Ransomware Dropper oaccording to our security experts at TEHTRIS, the malware WannaCrypt was poorly written, as the attackers decided to work with a mass market feeling Indeed, as explained by our stealth pentesters at TEHTRIS, it would have been more efficient for the attackers if they had built a file-less attack thanks to the EternalBlue exploit Hopefully, the attack was not that dangerous despite what was said in some newspapers. A far more horrible attack could have exist, destroying tons of computers worldwide (especially when exploits are known for months) oanyway, this is extremely interesting because egambit is able to analyze and to fight against unknown programs when they appear on an infrastructure TEHTRIS 11

12 Automatic Fight against unknown threats othe full egambit arsenal is able to automatically work against unknown threats oquick scenario example regarding a new threat (Ransomware, APT ) An egambit Endpoint Security agent detects an unknown programs (unknown worldwide) This program is analyzed and sent back to the nearest available connected appliance for further analysis The egambit Forensics portal with its API is used by multiple robots to cut and analyze potential weapons Analyzed with Internal Antivirus engines à Might remain an unknown threat (signatures cannot always work with new stuff) Requests into worldwide databases like VirusTotal à Unknown threat until someone would submit it egambit Internal Sandboxes à DETECTION + Interesting IOC è egambit Endpoint Security agent will know it in minutes egambit Artificial Intelligence à DETECTION è Detection rate = 98.1% even with unknown Windows malwares oconclusion: egambit can automatically detect & fight new threats like WannaCrypt Survival time is less than few minutes for the malware worldwide TEHTRIS 12

13 Network Analysis through egambit Forensics oegambit robots are able to automatically analyze new threats like humans would do, thanks to our powerful egambit Forensics portal. This allows egambit end-users to have a 24/7 protection with humans + robots & artificial intelligence oexample: with the WannaCry Ransomware, here are the evidences of network traffic found TEHTRIS 13

14 DNS Request osecurity experts quickly found out that the binary code in order to connect to a specific web site ewrwergwea.com othis HTTP ping-like mechanism was a kind of kill-switch already included in the malware (!?) What would happen if this domain name was not created quickly enough? The attack slowed down when this domain was registered by a security expert Nevertheless, new versions came out without the kill switch option TEHTRIS 14

15 Network Behavior Analysis recorded automatically and available in egambit Forensic portal TEHTRIS 15

16 Behavior analysis thanks to egambit honeytoken files oegambit use honey token files such as fake Office Documents Each time a program will try to attack these files, it will trigger an alert oransomwares are easily detected with this method This Ransomware added new file extensions to multiple modified files (WNCRY, WNCRYT) The Recycle Bin was also removed Shadow Copies were potentially deleted And egambit detected many weird related executions (see next slide) on these fake Microsoft binaries TEHTRIS 16

17 Behavior Analysis through executed commands available in egambit Forensic portal oexecution of multiple commands easily found by the egambit Sandboxing system (not stealth) Beyond the fact that TOR was detected, new startups keys were detected in the Registry TEHTRIS 17

18 The dropper tried to create a non stealth Windows service looking like MS stuff TEHTRIS 18

19 egambit Forensics versus WannaCrypt 1 0 oour egambit Forensics portal and its related API, were able to detect WannaCrypt and to share the related IOC to all our robots worldwide in few minutes, without human interaction othe powerful Sandboxing system was able to automatically identify these threats TEHTRIS 19

20 egambit A.I. versus WannaCrypt Detection Rate = 100% 1 0 obeyond previous egambit sensors, our Artificial Intelligence engine had to work on the malware othe programs used by the WannaCrypt Ransomware (dropper, etc) were fully detected by the egambit Artificial Intelligence engine with a strong confidence Recently, an independent testing company in China (SKD-Labs) credited egambit Artificial Intelligence engine with 98.1% of detection. This engine has no signature (deep learning & neural networks) TEHTRIS 20

21 egambit Endpoint Security agent versus WannaCrypt 1 0 ofighting against the ransomware with the egambit Endpoint Security agent worked better than traditional security, though we remain humble as new threats could try to be more stealth Once the programs were identified automatically thanks to our robots and artificial intelligence engines worldwide, then the threats could be detected and neutralized directly Customers just need to apply for a good neutralization inside egambit TEHTRIS 21

22 Interesting related Hashes (IOC) 00fdb4c1c49aef198f37b8061eb585b8f9a4d5e6c fe2f6a0a25b7 043e0d0d8b8cda56851f5b853f244f677bd1fd50f869075ef7ba f70c2 09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa 201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c c89b2c9 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea b1022c 2584e e45ec3c17767c fc6291c091097ea8b22c8a502c41dd 2ca2d550e603d74dedda b38da3630cb014e3d00b c5f00d cb6706f9d51167fb0f14cd3f8fcfb f62b10a15f7d9a6c8d982 4a468603fdcb7a2eb cf9ef37aade532a ecd705a74794b79 4b76e54de f97430b26624c44694fbde3289ed81a160e0754ab9f56f32 5ad4efd90dcde01d26cc6f32f7ce3ce0b4d4951d4b94a19aa097341aff2acaec 5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff c0b9 7108d6793a003695ee cfb17af305fa82ff6c16b7a5db45f15e5c9e12d 76a3666ce bb69ee7af3f2845d23f40ba48ace7987f79b06312bbdf 7c465ea7bcccf4f94147add808f be11c0ba4823f16e8c19e0090f0ff 7e369022da b3efe6c57f824f05cf43cbd66b4a24367a19488d2939e4 9b60c622546dc45cca64df935b71c26dcf4886d6fa811944dbc4e23db aee20f9188a5c c6b0e6623ec90d5cd3fdec4e e c b9c5d e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25 be22645c61949ad6a077373a7d6cd85e3fae f161adc4c99d5a8e6844 c365ddaa345cfcaff3d a484cff d68e4a52130b8bb7badaf9 ca29de1dc c93e54b09f557fe14e40083c df5bd91f52ba469c8 dff26a9a44baa3ce109b8df41ae0a301d9e4a28ad7bd7721bbb7ccd137bfd696 ed01ebfbc9eb5bbea545af4d01bf5f c6e5babe8e080e41aa f7c7b5e4b051ea5bd f40af13bed224c4b0fd60b890b6784df5bd63494 f8812f1deb8001f3b7672b6fc85640ecb123bc2304b563728e6235ccbe782d85 fc626fe1e0f4d77b34851a8c60cdd da3b9325bfe288ac8342f6c710a TEHTRIS 22

23 Conclusions TEHTRIS 23

24 Final words onothing will replace a good patch management policy, and this terrible incident worldwide reminds all of us, that nobody shall wait for attacks We will all remain humble regarding the IT Security threats that can happen, especially because of the related proliferation of advanced weapons like the exploits used by WannaCrypt (~Nation State sponsored) oon top of the basic Windows security principles, we strongly recommend to deploy advanced Endpoint Security agents with enhanced features (like egambit for example) Help your antivirus against unknown threats (Sandbox, Artificial Intelligence ) Follow local system activity (Spawn tree protections, persistent threats tracking, real time process tracking ) Analyze your Windows system logs (SIEM features, even on Workstations) Audit your Windows Security (check CVE issues and improve patch management ) ofor now, we recorded 0 compromising worldwide, by the WannaCrypt threat, for all the Windows protected by the egambit Endpoint Security agent with the neutralization activated TEHTRIS 24

25 egambit Endpoint Security agent [advanced HIPS / EDR] otwo complementary levels of work Live Intrusion Detection alerts (monitoring) Retaliation and interaction against threats (mitigation) omultiple skills and features added to your security Follow the activity in your Windows boxes Improve your security and check compliance issues Detect unusual and unwanted programs Follow weird behaviors and anomalies Detect hidden software, insiders threats Retrieve APT, lateral movements, malwares Increase SOC/CSIRT capacities and speed Ease Forensics and Incident Management Add SIEM features against the logs of your workstations and laptops Launch audits against your endpoints with thousands of security checks

26 Example of features (samples) Standard Security (classical Antivirus) Advanced Security (standard Endpoint) Enhanced Security (egambit Endpoint) GUI System Tray Security Policies Cleaning Features Antivirus features Threats Intelligence Database Heuristic Protections Real Time Process Tracking Memory Analysis? Persistant Threats Tracking USB Security Live Office Protection Spawn Tree Protections Sandboxing Full Powershell Protection Security Audits of Endpoints SIEM (logs from stations) Ransomware Tracking TEHTRIS 26 Artificial Intelligence

27 Compatibility matrix oegambit Endpoint Security agent was successfully running on this list of environments so far Windows XP Windows 2003 Windows 2008 Windows 2012 Windows 2016 Windows 7 Windows 8 Windows 10 othe deployment is pretty easy as it contains hardened auto-configuration protocol and features Just launch the MSI on your Windows, and the cyber protection against malwares and intruders will works automatically. Moreover this is fully managed by TEHTRIS as a Managed Security Service Provider.

28 egambit Endpoint Security agent oall in one solution (EDR + SIEM + Audits +...) Easy to deploy à MSI file Managed à SaaS: fully managed by TEHTRIS Detection à detect known/unknow threats Protection à automatic neutralization of main threats Response à manual cleaning for specific threats (crisis) SIEM : Security monitoring à SIEM for workstations! Audits : Security assessment à System & Applications audit! High-tech solutions à Artificial Intelligence...

29 Reclaim your Cybersecurity Let s adopt egambit J