New research on ransomware by Sophos reveals that the average total cost of an attack is US$ 133,000 (£94,000), including ransom, downtime, manpower, device cost, network cost, and lost opportunities - but for the top five percent most impacted organisations, costs were US$1.3 million to US$6.6 million (£900,000 to £4.7 million).
More than half of all organisations surveyed were hit by ransomware last year and on average they were struck twice. The research also showed that more than 50 percent of organisations do not have anti-exploit technology, which Sophos says means they are easy prey for data breaches and complex threats like WannaCry.
The findings were announced to coincide with this month's release of Intercept X 2.0, which is designed by Sophos to use machine learning to help detect ransomware and exploits more effectively.
Dan Schiappa, SVP and general manager of products, Sophos, told SC Media UK in a recent interview, “It's a pretty big fundamental leap forward,” explaining improvements in the offering, saying “We've improved detection for blocking ransomware; previously we used encryption, now we are using compression techniques which are predictive so we don't need past information. As a result it doesn't have to learn simply by looking at previous ransomware and exploits - it can look for and identify the techniques scammers use.”
Sophos comes across 390,000 new malware programs every day - which is more than 16,000 per hour. The data collected via Sophos Sandstorm or Intercept X is transferred to Sophos Labs where it is used to help collect data and train its machine-learning model. Malicious URLs or spam also provide learning material, and in addition to malware, good files are needed to prevent the detection of false positives.
Traditionally monitoring scans files to see what's in them, but increasingly attackers deliver malware without files, so the new approach is to look for techniques used. Intercept X 2.0 now has an inventory of 27 techniques which it looks for as ways that may be used to exploit any vulnerability - heat sprays, stack pivots, etc and it knows if there is an exploit taking place. Usually only one or two new techniques are developed a year, explained Schiappa, however he adds that with machine learning also potentially used by the attackers, we can expect to see more.
Referring to the NSA exploit Eternal Blue, stolen from the NSA and released by Shadow Brokers, and subsequently used in WannaCry, Schiappa described it as very difficult to block, the sort of exploit that you might see once every 15 years. Sophos has built for the APC protocol used there, and it has triggered already with Schiappa saying he believes it is the only company able to detect that exploit API.
Another attack approach identified is code caves, where the malicious exploit is hidden inside conventional code, but the new system looks inside to see how it is executed and triggered.
For credential theft, the need is to get to elevation of access or additional resources, using say Mimikatz for a credential cache dump until they find the right privileges, and Intercept X 2.0 is reported to have improved around that.
“The big new thing is deep learning neural network machine learning,” says Schiappa, adding, “There's a lot of machine learning but not its not neural. It's often simply a decision tree - a cyber 20 questions, and not at all sophisticated; them comes an ‘over-fit' on variance data which is Bayesian-based - which is a bit more sophisticated. It extracts a characteristic of of a file, looks at the calls it makes etc, and the more you pull out and measure the more accurate your results. But there is a limit on the features that can be provided, and a need for deep knowledge, so it requires iterative training and hands on management, using tens of millions of sets to train on.”
In contrast Schiappa says that a neural grid learns on its own using hundreds of millions of data sets, and learns what to extract on its own, providing more accuracy on detection and false positives - claiming 150 to 400 percent gains on detecting new malwares (or 40 to 50 percent gains on traditional machine learning).
Schiappa also says that performance is thanks to having, “the best data science team in industry, from the cyber-genome team, coupled with Sophos Labs where we get 300,000 new pieces each day. Well curated and well labelled, global, 24 hours, and it's been around 30 years.”
He explained that when Sophos detects ransomware it does a forensic analysis before cleaning it. In its own survey of 2,700 IT professionals, 54 percent had had a ransomware event, and been hit twice because they didn't clean it properly, though 70 percent said they thought they had deployed the most recent product.
Schiappa said there is a need for a fundamental shift to vendor innovation as attackers will use our tools against us. “There are 27 different techniques we block. Sometimes there are four or five techniques used in an attack as the attackers know some will get blocked. The bad news for industry is that most software vendors have a handful of techniques, whereas hackers using more than a handful, and go down through them to get through so you need depth of protection.”
The commercialisation and capitalisation of hacking was also remarked upon, about how cyber-crime is now a huge criminal enterprise, well funded, employing intelligent people, using sophisticated tools - high end commercial grade products that are well thought through - such as Showbar which even collects money on your behalf.
On the defence side, Schiappa says that if you don't have predictiveness you are in trouble, or don't have breadth, in trouble - so Sophos' focus is on having the most breadth of coverage, and that it recognised the need for defenders to out innovate the innovators on the criminal side, saying, “ We have to be on this path, asking what's coming next?” He adds that use of 30,000 channel partners allows the company to “touch every corner of globe, act as and expert partner to get get pricing down. (so that the solution is) Not just for major enterprises - the focus area is the mid-market - 100 to 5,000 employee range, and many below.”
A parting shot was to ask when AI might overtake human cognitive ability, with some predictions suggesting 2029. Schiappa responds, “At some point it will happen, but I wouldn't predict when.”