Intercept X Early Access Program: Sophos Tester Overview
The Intercept X Early Access Program includes the Sophos Tester, a tool presented by Karl Ackerman, Principal Product Manager in the Endpoint Security Group, in July 2017. The tool demonstrates attack techniques without harming the PC it runs on: it performs the techniques but delivers no malware, contacts no command-and-control server, and encrypts no documents. Run alongside Intercept X, it produces detection events that are visible in Sophos Central. The Sophos Tester runs on Windows only, does not validate every exploit mitigation in Intercept X, and is not removed by Sophos Clean when a detection occurs.
Presentation Transcript
Intercept X Early Access Program: Sophos Tester. Karl Ackerman, Principal Product Manager, Endpoint Security Group. July 2017
Agenda: Overview FAQ; Tests described; Platform Results
Overview FAQ
What is Sophos Tester?
o A demonstration of attack techniques, from exploits and ransomware to atom bombing
Is this safe to use?
o Sophos Tester will not harm your PC
- It performs the techniques for multiple attack methods but does not deliver malware, communicate with command and control servers, or encrypt your documents
- NOTE: running the tool with Intercept X will create detection events, and they will show in Sophos Central, so if that console is monitored by another team, they may wonder what the heck you are doing.
Can I run Sophos Tester on a machine with a competitor's AV?
o The tool is not intended for competitive comparisons; it was built to confirm the detection methods available in Intercept X
o Some AV vendors block the tool as malicious or unknown; others may also block some of the techniques of the attack
What platforms does the tool run on?
o Sophos Tester was built for Windows 7 32-bit and should run on Windows XP, 7, 8 and 10 on 32- and 64-bit systems
o Some issues are known on OSs other than Windows 7 32-bit, with tests failing to run correctly
Overview FAQ (continued)
Does the test tool have a test for ALL the mitigations in Intercept X?
o No, this tool does not validate all exploit methods, just the most common ones
Why don't I see any tests for Disk-Wiping, Credential Theft or Process Protection?
o For these tests the test tool needs to be run as administrator
o Right-click on Sophos Tester.exe and select Run as Administrator
When run with Intercept X, do detections generate events in the console?
o Yes, when run with Intercept X, the admin console will show the detection events, and a Root Cause Analysis may also be generated
Will Sophos Clean remove the test tool on detection?
o No, Sophos Clean will allow Sophos Tester to remain after detections
o Ransomware detections by Intercept X will identify the target application and block similar attacks until a reboot or until sufficient time has elapsed for Intercept X to unblock the application.
Attack Targets
Target
o We look for common infection vectors (applications) used by malware on the machine and display these as target applications
- Using a target application will launch that application to perform the attack technique
o Dummy (Default)
- This is the Sophos Tester executable itself and can be used to demonstrate attacks
o Note: some attacks on a protected system will identify the Sophos Tester or target application and lock its use for a period of time
- A good way to avoid having to reboot is to try each ransomware test with a different target application
Category | Attack Techniques | Notes
Code exploits | Attacks that take advantage of vulnerabilities in the software being used |
Memory exploits | Attacks that manipulate process and system memory to execute their code |
Logic Flaws | Preventing malicious behaviors even when the application is allowed to perform them |
Safe Browsing | Detect man-in-the-browser activity that presents one view to the user and another to the site |
Ransomware | Malicious rapid file encryption | Often the target application is then blocked from similar activity; reboot to clear this state on Intercept X protected devices. See Settings for additional configurations
Disk-wiping | Attacks on the master boot record |
Credential Theft | Attacks that steal authentication credentials |
Process Protection | Newer exploits using Asynchronous Procedure Calls (WannaCry, EternalBlue, DoublePulsar) | Run Sophos Tester as Administrator
Platform tests (Target: Dummy-Default)
Category | Attack | Intercept X Policy Control | Win 7 32-bit (No AV) | Win 7 32-bit (Intercept X EAP) | Win 8 64-bit (No AV)
Code Exploit | StackPivot1 | Exploit | Success | Blocked | Success
Code Exploit | StackPivot2 | Exploit | Success | Blocked | Success
Code Exploit | VirtualProtect ROP | Exploit | Success | Blocked | Success
Code Exploit | VirtualProtect ROP via legit call | Exploit | Success | Succeeded (Test passed, legitimate) | Success
Code Exploit | NtProtectVirtualMemory ROP | Exploit | Success | Blocked | Success
Code Exploit | WinExec ROP | Exploit | Success | Blocked | Success
Code Exploit | IAF VirtualProtect via legit call | Exploit | Success | Blocked | Success
Memory Exploit | Nop Sled Heap Spray | | Success | Blocked | Success
Memory Exploit | Polymorphic Nop Sled Heap Spray | | Success | Blocked | Success
Memory Exploit | Data Execution Prevention | | Success | Blocked | Success
Logic Flaws | Create, Execute | | Success | Blocked | Success
Logic Flaws | Create, Execute elevated | | Success | Blocked (Note MS warnings) | Success
Logic Flaws | Create, Rename, Execute | | Success | Blocked | Success
Logic Flaws | Create, Execute via WMI | | Success | Blocked | Success
Safe Browsing | WinINet hijack | Must run with a target browser | Success | (Detected) | Success
Ransomware | CryptoLocker | Crypto Guard | Success | Blocked (1) | Success
Ransomware | CTB-Locker | Crypto Guard | Success | Blocked (1) | Success
Ransomware | TorrentLocker | Crypto Guard | Success | Blocked (1) | Success
Ransomware | CryptoWall 3 | Crypto Guard | Success | Blocked (1) | Success
Ransomware | Locky | Crypto Guard | Success | Blocked (1) | Success
Ransomware | HydraCrypt | Crypto Guard | Success | Blocked (1) | Success
Ransomware | Cerber 3 | Crypto Guard | Success | Blocked (1) | Success
Ransomware | Dharma | Crypto Guard | Success | Blocked (1) | Success
Ransomware | Dharma Alternative | Crypto Guard | Success | Blocked (1) | Success
Ransomware | CryptoShield | Crypto Guard | Success | Blocked (1) | Success
Disk-wiping | Master Boot Record | Disk and Boot Protection | Success | Blocked | Success
Credential Theft | Read LSASS memory | Member of EAP protected devices | Success | Blocked (2) | Blocked (3)
Credential Theft | Open SAM registry | Member of EAP protected devices | Success | Blocked | Success
Process Protection | APC Exploit (Atom Bombing) | Member of EAP protected devices | Success | Blocked | Success
Process Protection | APC Exploit (Start shellcode) | Member of EAP protected devices | Success | Blocked | Success
(1) After an attack the target application (Sophos Tester) is temporarily blocked from similar activity; a reboot may be required.
(2) This attack is shown as unsuccessful in the Sophos Tester, but no notification is presented to the user; we'll fix it.
(3) Windows 8 64-bit protected the LSASS memory from non-authorized processes.
Known Issues: we have had some reported issues with Sophos Tester not executing the tests correctly on some x64 devices; we are investigating.
Support on Servers and Mac: with the exception of Crypto Guard, support is not yet available for Windows Servers or Mac OS.
Supported Operating Systems: supported on Windows XP and above; NOT available for Mac OS.
Notifications on the desktop
Detections from Sophos Tester will generate notifications on the device
o A Clean scan will be run, and the Sophos Tester will remain on the device
Events will be registered in Sophos Central, and in a few minutes a Root Cause Analysis report will be available for review
When running ransomware tests, the target application is identified and Intercept X will block the detected behavior from that application until a reboot
Notifications in Sophos Central
A Sophos Tester test results in a notification to the end user and in Sophos Central
Sophos Central Root Cause Analysis
Root Cause Analysis reports should be generated for most detection events