SESSION ID: SPO3-R11
Protecting You Better with Advanced Research

Robert Lipovsky, Senior Malware Researcher, ESET
Juraj Janosik, Head of AI/ML team, ESET

300,000+ unique malware samples daily

Malware researcher

What my friends think I do. What my mom thinks I do. What users think I do. What Finance thinks I do. What I think I do. What I really do.

Fighting cybercrime: ESET works with cybercrime-fighting units.
25,000+ infected servers; 35m+ spam messages per day.

Internet of Things: targets. Smart Home in the Lab.

Malware attack firsts…

- 1986: Brain, 1st PC virus
- 1989: AIDS trojan, 1st ransomware
- 2006: Storm, 1st major botnet
- 2010: 1st cyberweapon
- 2015: BlackEnergy, 1st power grid cyberattack
- 2018: Lojax, 1st UEFI rootkit in the wild

UEFI Scanner

Do you trust your providers…? … for example ISPs?

BlackEnergy (credit: Andy Greenberg, Wired)

Industroyer

BlackEnergy → TeleBots → GreyEnergy

- 2015: GreyEnergy targets a Polish energy company
- DEC 2015: BlackEnergy attack causing a blackout in Ukraine
- DEC 2016: Industroyer attack causing a blackout in Ukraine
- DEC 2016: Attacks on the financial sector
- 2016: GreyEnergy deploys a predecessor of (Not)Petya
- JUN 2017: (Not)Petya attack via the M.E.Doc backdoor
- APRIL 2018: Exaramel backdoor discovered in the wild
- 2017 – 2018: Most recent GreyEnergy activity recorded in Ukraine

Pety…ent Zero

NotPetya losses reported by individual companies: $129m, $300m, $870m, $400m

$10 BILLION total estimated damage from NotPetya
Source: U.S. White House as quoted by Wired

EternalBlue detection: Network Attack Protection

Ransomware families: Petya, Chimera, PadCrypt, TeslaCrypt, GandCrab, Crysis, NanoLocker, ZeroLock, Rokku, DMALocker, CryptoWall, KeRanger, Tox, TorrentLocker, WannaCryptor, Mischa, CryptVault, CryptoJoker, 7ev3n, CTBLocker, Locky, SynoLocker, NotPetya, HydraCrypt, RotoCrypt, Ransom32, CryptoLocker, Cerber

Juraj Janosik, Head of ESET AI/ML team

DNA detection model

Endpoint DNA detections (chart): 7.7 million detected attacks, of which 3 million were covered by a single DNA detection.

Artificial Intelligence vs. Machine Learning

Machine Learning evolution at ESET:
- 1998: Neural Networks in product
- 2005: DNA Detections
- 2006: Expert System for Automated Mass Processing
- 2012: Automated Threat Mapping (Online Learning)
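The endpoint figure above (one DNA detection covering 3 million of 7.7 million attacks) is about generic detections that match traits shared across a malware family instead of one file's hash. The Python below is an added illustration of that idea written for this page; it is not ESET's DNA Detections implementation, whose features and rules the slides do not describe. The "genes", the rule, the sample bytes and every name in it are constructed for the example.

```python
import hashlib
import math
import re


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extract_genes(sample: bytes) -> set:
    """Hypothetical coarse traits ("genes") pulled from raw sample bytes.
    Illustrative only; not ESET's feature set."""
    genes = set()
    lowered = sample.lower()
    if b"vssadmin" in lowered and b"delete shadows" in lowered:
        genes.add("shadow-copy-deletion")
    if b"cryptencrypt" in lowered or b"cryptgenkey" in lowered:
        genes.add("win-crypto-api")
    if re.search(rb"your files (have been|are) encrypted", lowered):
        genes.add("ransom-note")
    if b".onion" in lowered:
        genes.add("tor-contact")
    if shannon_entropy(sample) > 7.0:
        genes.add("high-entropy-payload")
    return genes


# One generic rule (hypothetical name): all required genes plus at least one
# of the optional ones. It never looks at a hash, so it covers every variant
# that keeps the behaviour, whatever its packing or padding.
RANSOM_GENERIC_RULE = {
    "name": "Ransom.Generic.Illustrative",
    "required": {"shadow-copy-deletion", "ransom-note"},
    "any_of": {"win-crypto-api", "high-entropy-payload", "tor-contact"},
}


def rule_matches(rule: dict, genes: set) -> bool:
    return rule["required"] <= genes and bool(rule["any_of"] & genes)


def filler(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for a
    packed or encrypted payload; a different seed gives a different file."""
    out = bytearray()
    block = seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:length])


def build_variant(seed: bytes, note: bytes, cmd: bytes) -> bytes:
    # Constructed sample: strings a ransomware binary might carry, around filler.
    return (filler(seed, 1024) + cmd + b"\x00" + b"CryptEncrypt\x00"
            + note + b"\x00" + filler(seed + b"x", 1024))


# Three constructed "variants" of one family: same behaviour, different bytes.
VARIANTS = {
    "variant1": build_variant(b"a", b"YOUR FILES HAVE BEEN ENCRYPTED! pay via tor: xyz.onion",
                              b"vssadmin.exe delete shadows /all /quiet"),
    "variant2": build_variant(b"b", b"Your files are encrypted. Contact us",
                              b"cmd /c vssadmin delete shadows /all"),
    "variant3": build_variant(b"c", b"ALL YOUR FILES ARE ENCRYPTED",
                              b"VSSADMIN Delete Shadows /All /Quiet"),
}
# Constructed benign sample: uses the crypto API but has no ransomware traits.
BENIGN = (b"MZ" + b"\x00" * 64
          + b"CryptEncrypt\x00CryptGenKey\x00Saving backup archive...\x00"
          + b"\x00" * 512)


def sha256_hex(sample: bytes) -> str:
    return hashlib.sha256(sample).hexdigest()


def hash_signature_coverage(samples: dict, known_hash: str) -> int:
    """How many samples one exact-hash signature catches."""
    return sum(1 for s in samples.values() if sha256_hex(s) == known_hash)


def generic_coverage(samples: dict, rule: dict) -> int:
    """How many samples one generic (gene-based) rule catches."""
    return sum(1 for s in samples.values() if rule_matches(rule, extract_genes(s)))


if __name__ == "__main__":
    first_hash = sha256_hex(VARIANTS["variant1"])
    print("hash signature covers:", hash_signature_coverage(VARIANTS, first_hash), "of", len(VARIANTS))
    print("generic rule covers:  ", generic_coverage(VARIANTS, RANSOM_GENERIC_RULE), "of", len(VARIANTS))
    print("benign matches rule:  ", rule_matches(RANSOM_GENERIC_RULE, extract_genes(BENIGN)))
```

The trade-off the vendor charts later in the deck measure is visible here: the looser the gene set, the more variants a rule covers and the more benign files it risks matching, which is why the rule requires the behavioural genes and only treats entropy or crypto-API use as supporting evidence.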

Adversarial example (source: OpenAI): „panda“, 57.7% confidence, plus a small crafted perturbation = „gibbon“, 99.3% confidence.

Old ML model vs. new malware samples

200+ ransomware samples (NotPetya, BadRabbit, Crysis, WannaCryptor): detection ratio 99.7%

“Public” ESET ML model from October 2018 vs. VirusTotal samples from December 2018
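The panda/gibbon slide above shows an adversarial example: a perturbation too small to matter to a human flips a classifier's output, with high confidence. The block below is an added example for this page, not from the presentation or from OpenAI, that reproduces the mechanism (the fast gradient sign method) against a constructed logistic-regression "malware classifier". The weights, the sample and the step sizes are made-up assumptions chosen so that the numbers work out; no real model is involved.

```python
import math

# Constructed toy classifier: logistic regression over 8 features, class 1 =
# "malicious". The weights are made up for this illustration, not learned from
# any data and not ESET's model.
WEIGHTS = [0.9, -0.6, 0.4, 0.7, -0.3, 0.5, -0.8, 0.2]
BIAS = -0.1
MALICIOUS = 1

# Constructed input that the model scores as malicious (p is about 0.70).
SAMPLE = [0.5, 0.2, 0.5, 0.5, 0.2, 0.5, 0.2, 0.2]


def sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-z))


def predict(x) -> float:
    """P(malicious | x) for the linear model."""
    return sigmoid(BIAS + sum(w * xi for w, xi in zip(WEIGHTS, x)))


def label(x) -> str:
    return "malicious" if predict(x) >= 0.5 else "benign"


def input_gradient(x, y):
    """d(cross-entropy)/dx for a logistic model is (p - y) * w."""
    p = predict(x)
    return [(p - y) * w for w in WEIGHTS]


def sign(v: float) -> int:
    return (v > 0) - (v < 0)


def fgsm(x, y, eps):
    """Fast Gradient Sign Method: x_adv = x + eps * sign(dL/dx).
    Every feature moves by exactly eps, so the L-infinity distance is eps,
    and each moves in the direction that raises the loss for true label y."""
    return [xi + eps * sign(g) for xi, g in zip(x, input_gradient(x, y))]


def uniform_shift(x, eps):
    """Same L-infinity budget spent without using the gradient (for contrast)."""
    return [xi + eps for xi in x]


def linf(a, b) -> float:
    return max(abs(ai - bi) for ai, bi in zip(a, b))


def smallest_flipping_eps(x, y, step=0.01, limit=1.0):
    """Grid-search the smallest eps at which FGSM changes the model's label."""
    original = label(x)
    k = 1
    while k * step <= limit:
        eps = k * step
        if label(fgsm(x, y, eps)) != original:
            return eps
        k += 1
    return None


if __name__ == "__main__":
    adv = fgsm(SAMPLE, MALICIOUS, 0.2)
    print(f"original: p={predict(SAMPLE):.3f} -> {label(SAMPLE)}")
    print(f"FGSM eps=0.2: p={predict(adv):.3f} -> {label(adv)}, Linf={linf(SAMPLE, adv):.2f}")
    print(f"uniform +0.2: -> {label(uniform_shift(SAMPLE, 0.2))}")
    print("smallest flipping eps:", smallest_flipping_eps(SAMPLE, MALICIOUS))
```

The same budget spent blindly (`uniform_shift`) leaves the verdict unchanged; only the gradient-aligned perturbation flips it. For a linear model the logit moves by exactly eps times the sum of the absolute weights, which is why a model with large weights is easy to push across the boundary with a tiny per-feature change, the effect the panda/gibbon image illustrates.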

Detection ratio (ESET ML model from October 2018 vs. VirusTotal samples from December 2018), seven vendors (Vendor A to Vendor G); values shown on the chart, highest to lowest: 99.65%, 91.69%, 87.92%, 79.55%, 78.78%, 53.02%, 13.97%

False positives, same seven vendors; values shown on the chart, highest to lowest: 25.65%, 7.43%, 3.17%, 2.52%, 2.42%, 2.11%, 0.10%

Big Data + Machine Learning + Human Expertise

ESET protection layers:
- UEFI Scanner
- Dynamic Threat Defense
- Exploit Blocker
- Network Attack Protection
- Botnet Protection
- Ransomware Shield
- Reputation & Cache
- Advanced Memory Scanner
- In-Product Sandbox
- Script Scanner (AMSI)
- DNA Detections