Sophos – Intercept X: the engineer’s view
Machine learning requires amazing people, so let’s meet one…
We know that Intercept X can stop known and unknown threats dead in their tracks, but how was it developed?
We met with Mark Loman, Director of Engineering at Sophos, to find out what went on behind the scenes during the creation of Intercept X.
Hi Mark, tell us about how you contributed to Intercept X…
At the core of Intercept X are the exploit mitigation and anti-ransomware components. I lead the team here in Holland that developed these components.
My specific role involved creating a solution to prevent new exploit and ransomware attack techniques, without requiring signatures. Normally you would need to have signatures or prior knowledge, like a URL or IP address, of an attack in order to block it, but Intercept X doesn’t rely on this information.
What significant changes are you seeing in the threat landscape?
The majority of the exploits currently being used are based on what we call ‘living off the land’ attacks, meaning that hackers try to use functionality that’s already on the victim’s machine, for example using PowerShell or scripting languages, to infect it.
Unlike drive-by exploits, these attacks require interaction with the victim. Users infect their own machines by opening or running scripts sent in emails.
Attackers are using a lot of scripting, which makes detection harder, because scripts are also used in genuine network scenarios where admins perform administrative tasks on your endpoint, such as installing software. Block the scripting outright and you lose all of your legitimate functionality as well, but there’s a fine line between what you do and don’t allow.
This is also where Intercept X shines. Without any configuration it allows normal, day-to-day network operations while still blocking malicious actions.
Why is Intercept X the best solution to tackle those changes?
Intercept X is built to stop hackers in every phase of their attack. For example, in a ransomware attack, cybercriminals might weaponise a document and send it by email to a victim’s device. The document tries to exploit the device, install the malware and then encrypt its data before finally showing a ransom screen.
Those stages together are what we call the ‘cyber threat lifecycle’ or ‘cyber kill chain’. We aim to stop the attack at each phase of its lifecycle, regardless of which techniques are used.
From its initial creation, Intercept X was built to block known and unknown attack techniques and tricks. This meant that in cases like NotPetya, WannaCry or Bad Rabbit that made headlines last year, it was ready for them. Even out of the box, without any updates, the original version that was released in 2016 was well equipped to stop the attacks that happened in 2017.
What are you most proud of in Intercept X?
To be honest, Intercept X was already a kickass product anyway, but one of the new cool features is our Code Cave Mitigation. It detects if malware has been laced into a legitimate file that still functions as it is supposed to, but, for example, has had a backdoor put into it.
Describe Intercept X in one word