Pune, India, April 20, 2021 (GLOBE NEWSWIRE) -- The global endpoint security market size is expected to grow from USD 13.99 billion in 2021 to reach USD 24.58 billion by 2028, exhibiting a CAGR of 8.3% during the forecast period. The growing implementation of artificial intelligence (AI), the internet of things (IoT), connected devices, and others for the development of endpoint solutions by major IT companies can have an outstanding effect on the market growth, states Fortune Business Insights, in a report, titled “Endpoint Security Market, 2021-2028.” The market size stood at USD 12.93 billion in 2020.

• Sophos Limited Wiki

Sophos is headquartered in Abingdon, United Kingdom and has 28 office locations across 23 countries. See the full list at Craft. Apply online for jobs at Sophos Ltd. Screen readers cannot read the following searchable map. Follow this link to reach our Job Search page to search for available jobs in a more accessible format.

To get to know more about the short-term and long-term impacts of COVID-19 on this market, please visit: https://www.fortunebusinessinsights.com/industry-reports/endpoint-security-market-100614

Driving Factor:

Surging Number of Connected Devices to Spur Demand for Endpoint Security Solutions

The growing number of attacks due to the rising digitalization and connected devices will incite the development of the market. Attackers infiltrate secured enterprise networks through laptops, smartphones, wearable devices. Moreover, the rising adoption of solutions such as the internet of things, industrial control system, and smart sensors to counter cyber-attacks will bode well for the global market. According to a 2017 Global Enterprise Security Survey by Fortinet, more than half of enterprises respondents reported endpoint data breach attacks. Furthermore, the growing number of unknown attacks can create lucrative opportunities for the market. For instance, in 2018 Cisco Systems, Inc. declared to block 20 billion risks per day for its customers. These instant detection and response solutions are boosting the adoption of endpoint security solutions.

The report on endpoint security market incorporates:

• All-inclusive analysis of all the segments
• Key market trends
• Latest industry development
• Future projections
• Leading regions in the market
• COVID-19 impact

Shift towards Work-from-home to Lift Endpoint Security Business During COVID-19

The global pandemic has been encouraging to the IT industry, as many companies shifted to work-from-home, thus spurring opportunities for this market. The changing policies of companies due to high-security risks have resulted in high demand for endpoint security amid coronavirus. According to IDC, 70% of breaches targeted endpoint devices in the year 2020. Similarly, according to a PWC report, cyber-attacks in India doubled in the starting three months of the year 2020. Furthermore, the high number of data breaches in the healthcare industry will aid the expansion of the market during the coronavirus. According to the Fortified report, 47% of data breaches have been reported by the healthcare industry during the first half of 2020.

Get Sample PDF Brochure: https://www.fortunebusinessinsights.com/enquiry/request-sample-pdf/endpoint-security-market-100614

Market Segments:

The Cloud-based Endpoint Solution Segment to Hold the Largest Share

Based on components, the market is categorized as software and services. The software segment is expected to hold the largest share during the forecast period due to rapidly increasing unknown attacks on the enterprises.

By deployment analysis, the endpoint security market is divided into cloud and on-premises. The on-premises segment is likely to hold the lion’s share during the forecast period. The organizations prefer on-premises security solutions. The cloud-based endpoint solution segment is expected to account for the largest share during the forecast period due to its deployment and scalability.

Based on end-users, the market is categorized into commercial and consumer. The commercial segment covers industries such as BFSI, IT and telecommunications, retail, healthcare, government & public sector, transportation, and others. The commercial is predicted to grow rapidly due to the unknown attacks on healthcare and government organizations.

Based on enterprise analysis, the market is sorted into large enterprises and small & medium enterprises. The increasing adoption of BYOD policy and advanced connected technology in large enterprises will boost the segment’s growth.

The industry segment is characterized into BFSI, IT and telecommunications, retail, healthcare, government & public sector, transportation, and others.

Geographically, the market is divided into North America, Asia Pacific, Europe, Latin America, the Middle East, and Africa.

List of companies profiled in Endpoint Security Market report:

• AhnLab, Inc. (Gyeonggi-do, South Korea)
• Alert Logic, Inc. (Texas, United States)
• AO Kaspersky Lab (Moscow, Russia)
• Bitdefender S.R.L. (Bucharest, Romania)
• BlackBerry Limited (Cylance) (Waterloo, Canada)
• Check Point (Tel Aviv-Yafo, Israel)
• Cisco System, Inc. (California, United States)
• Comodo Security Solutions, Inc. (New Jersey, United States)
• CrowdStrike, Inc. (California, United States)
• CurrentWare (New York, United States)
• Cybereason, Inc. (Massachusetts, United States)
• Druva Inc. (California, United States)
• Fidelis Cybersecurity (Maryland, US)
• FireEye, Inc. (California, United States)
• Forcepoint LLC (Texas, United States)
• Fortinet (California, United States)
• F-Secure Corporation (Helsinki Finland)
• GoSecure, Inc. (California, United States)
• Intel Corporation (California, United States)
• Ivanti (Utah, United States)
• LogMeIn, Inc. (Massachusetts, United States)
• Malwarebytes Ltd. (California, United States)
• McAfee, LLC (California, United States)
• New Net Technologies LLC (Florida, United States)
• Palo Alto Network Inc. (California, United States)
• Panda Security (Bilbao, Spain)
• RSA Security LLC (Massachusetts, United States)
• SentinelOne (California, United States)
• Sophos Ltd (Abingdon, United Kingdom)
• Symantec Corporation (California, United States)
• Trend Micro Inc. (Tokyo, Japan)
• VMware, Inc (Carbon Black Inc.) (California, United States)
• Webroot, Inc. (Colorado, United States)

Get your Customized Research Report: https://www.fortunebusinessinsights.com/enquiry/customization/endpoint-security-market-100614

Regional Insights:

Rising Adoption of Connected Devices to Boost Market in North America

The market in North America is expected to hold the largest share during the forecast period. The region earned USD 5.04 billion in terms of revenue in 2020. The growth is attributed to the growing adoption of connected devices and the internet of things across several industries. The presence of numerous security solution providers in the US will enable speedy expansion of the market in North America. Europe is expected to hold the largest share during the forecast period due to the expanding cybersecurity infrastructure.

Germany and the UK are expected to expand the endpoint security market share in Europe. The German organizations have increased their IT budget to deal with cyber-attacks. Likewise, the UK government has rolled out end-user device guidance for the organizations offering deployment of external devices. Asia Pacific is expected to experience a rapid growth rate during the forecast period due to the increasing IT spending across various industries. The implementation of AI, internet of things, connected devices, and cloud services by industries will boost this industry in the region.

Quick Buy – Endpoint Security Market Research Report: https://www.fortunebusinessinsights.com/checkout-page/100614

Detailed Table of Content:

• Introduction
  • Definition, By Segment
  • Research Methodology/Approach
  • Data Sources
• Executive Summary
• Market Dynamics
  • Macro and Micro Economic Indicators
  • Drivers, Restraints, Opportunities and Trends
  • Impact of COVID-19
    • Short-term Impact
    • Long-term Impact
• Competition Landscape
  • Business Strategies Adopted by Key Players
  • Consolidated SWOT Analysis of Key Players
  • Porter’s Five Force Analysis
  • Global Market Share Analysis and Matrix, 2021
• Key Market Insights and Analysis, By Segments
• Companies Profiled
  • Overview
    • Key Management
    • Headquarters etc
  • Offerings/Business Segments
  • Key Details
    • Employee Size
    • Past and Current Revenue
    • Geographical Share
    • Business Segment Share
  • Recent Developments
• Annexure/Appendix
  • Global Endpoint Security Market Size Estimates and Forecasts (Quantitative Data), By Segments, 2016-2027
    • By Component (Value)
      • Software
      • Services
    • By Deployment (Value)
      • Cloud
      • On-Premises
    • By End-user (Value)
      • Commercial
      • Consumer
    • By Enterprise Size (Value)
      • Large Enterprises
      • Small & Medium Enterprises
    • By Industry (Value)
      • BFSI
      • IT and Telecommunications,
      • Retail,
      • Healthcare
      • Government & Public Sector
      • Transportation
      • Others
    • By Region (Value)
      • North America
      • Europe
      • Asia Pacific
      • Middle East & Africa
      • Latin America

Key Development:

January 2019: Sophos Ltd. acquired an endpoint security platform provider DarkBytes. DarkBytes offers unified platform and enterprise endpoint solutions. Sophos Ltd. aims to gain the expertise of the company and provide endpoint, firewall, mobile devices security services.

Speak to Analyst: https://www.fortunebusinessinsights.com/enquiry/speak-to-analyst/endpoint-security-market-100614

Have a Look at Related Research Insights:

Smart Parcel Locker Market Size, Share & COVID-19 Impact Analysis, By Type (Modular Parcel Locker, Cooling Lockers for Fresh Food, Postal Lockers, and Laundry Lockers), By Deployment (Indoor and Outdoor), By Application (Commercial Buildings, Condos and Apartments, Retail BOPIS, Universities & Colleges, and Others), and Regional Forecast, 2020-2027

Customer Experience Management Market Size, Share & COVID-19 Impact Analysis, By Component (Solution, Services), By Deployment (Cloud, On-Premise), By Organization Size (SMEs, Large Enterprises), By Touchpoint (Call Center, Website, Mobile Applications, Email, Social Media, and Others), By End-User (BFSI, Rental and Consumer Goods, IT and Telecom, Healthcare, Automotive, Media and Entertainment, Government), and Regional Forecast, 2020-2027

Encryption Software Market Size, Share & Covid-19 Impact Analysis, By Component (Software, Services), By Application (Disk Encryption, Database Encryption, Cloud Encryption), By Enterprise Size (Large Enterprises, SMEs), By Deployment Model (On-Premises, Cloud), By Industry Vertical (IT and Telecommunications, Banking, Finance, Security and Insurance (BFSI), Healthcare and Life Sciences, Manufacturing, Retail), and Regional Forecast, 2020-2027

Memoir 44 2020. Business Intelligence Market Size, Share & COVID-19 Impact Analysis, By Component (Solution, and Services), By Deployment (Cloud, and On-Premise) By Enterprise Size (Large Enterprises, Small and Medium-Sized Enterprises (SMEs)), By Application (Supply Chain Analytic Applications, CRM Analytic Applications, Financial Performance), By End-User (IT and Telecommunications, BFSI, Healthcare), and Regional Forecast, 2020-2027

Referral Marketing Software Market Size, Share & COVID-19 Impact Analysis, By Deployment (Cloud and On-Premises), By Enterprise Size (Small & Medium Enterprises, and Large Enterprises), By End-user (BFSI, Retail, E-Commerce, Education, Hospitality, And Others), and Regional Forecast, 2020-2027

About Us:

Fortune Business Insights™ delivers accurate data and innovative corporate analysis, helping organizations of all sizes make appropriate decisions. We tailor novel solutions for our clients, assisting them to address various challenges distinct to their businesses. We aim to empower them with holistic market intelligence, providing a granular overview of the market they are operating in.

Contact Us:

Fortune Business Insights™ Pvt. Ltd.

308, Supreme Headquarters,

Survey No. 36, Baner,

Pune-Bangalore Highway,

Pune - 411045, Maharashtra, India.

Phone:

US: +1 424 253 0390

UK : +44 2071 939123

APAC : +91 744 740 1245

Email: sales@fortunebusinessinsights.com

LinkedIn: https://www.linkedin.com/company/fortune-business-insights

Facebook: https://www.facebook.com/FortuneBusinessInsightsPvtLtd

Twitter: https://twitter.com/FBInsightPvtLtd

Read Press Release: https://www.fortunebusinessinsights.com/press-release/endpoint-security-market-9228

Transport Layer Security has been one of the greatest contributors to the privacy and security of Internet communications over the past decade. The TLS cryptographic protocol is used to secure an ever-increasing portion of the Internet’s web, messaging and application data traffic. The secure HTTP (HTTPS) web protocol, StartTLS email protocol, Tor anonymizing network, and virtual private networks such as those based on the OpenVPN protocol all leverage TLS to encrypt and encapsulate their contents—protecting them from being observed or modified in transit.

Over the past decade, and particularly in the wake of revelations about mass Internet surveillance, the use of TLS has grown to cover a majority of Internet communications. According to browser data from Google, the use of HTTPS has grown from just over 40 percent of all web page visits in 2014 to 98 percent in March of 2021.

It should come as no surprise, then, that malware operators have also been adopting TLS for essentially the same reasons: to prevent defenders from detecting and stopping deployment of malware and theft of data. We’ve seen dramatic growth over the past year in malware using TLS to conceal its communications. In 2020, 23 percent of malware we detected communicating with a remote system over the Internet were using TLS; today, it is nearly 46 percent.

There’s also a significant fraction of TLS communications that use an Internet Protocol port other than 443—such as malware using a Tor or SOCKS proxy over a non-standard port number. We queried against certificate transparency logs with the host names associated with malware Internet communications on ports other than 443, 80, and 8080, and found that 49 percent of the hosts had TLS certificates associated with them that were issued by a Certificate Authority (CA). A small fraction of the others manually checked used self-signed certificates.

But a large portion of the growth in overall TLS use by malware can be linked in part to the increased use of legitimate web and cloud services protected by TLS—such as Discord, Pastebin, Github and Google’s cloud services—as repositories for malware components, as destinations for stolen data, and even to send commands to botnets and other malware. It is also linked to the increased use of Tor and other TLS-based network proxies to encapsulate malicious communications between malware and the actors deploying them.

Google’s cloud services were the destination for nine percent of malware TLS requests, with India’s BSNL close behind. During the month of March 2021, we saw a rise in the use of Cloudflare-hosted malware—largely because of a spike in the use of Discord’s content delivery network, which is based on Cloudflare, which by itself accounted for 4 percent of the detected TLS malware that month. We reported over 9,700 malware related links to Discord; many were Discord-specific, targeting the theft of user credentials, while others were delivery packages for other information stealers and trojans.

In aggregate, nearly half of all malware TLS communications went to servers in the United States and India.

We’ve seen an increase in the use of TLS use in ransomware attacks over the past year, especially in manually-deployed ransomware—in part because of attackers’ use of modular offensive tools that leverage HTTPS. But the vast majority of what we detect day-to-day in malicious TLS traffic is from initial-compromise malware: loaders, droppers and document-based installers reaching back to secured web pages to retrieve their installation packages.

To gain insight into how usage of TLS in malware has changed, we took a deep dive into our detection telemetry to both measure how much TLS is used by malware, identify the most common malware that leverage TLS, and how those malware make use of TLS-encrypted communications. Based on our detection telemetry, we found that while TLS still makes up an average of just over two percent of the overall traffic Sophos classifies as “malware callhome” over a three-month period, 56 percent of the unique C2 servers (identified by DNS host names) that communicated with malware used HTTPS and TLS. And of that, nearly a quarter is with infrastructure residing in Google’s cloud environment.

Surprise packages

Malware communications typically fall into three categories: downloading additional malware, exfiltration of stolen data, and retrieval or sending of instructions to trigger specific functions (command and control). All these types of communications can take advantage of TLS encryption to evade detection by defenders. But the majority of TLS traffic we found tied to malware was of the first kind: droppers, loaders and other malware downloading additional malware to the system they infected, using TLS to evade basic payload inspection.

It doesn’t take much sophistication to leverage TLS in a malware dropper, because TLS-enabled infrastructure to deliver malware or code snippets is freely available. Frequently, droppers and loaders use legitimate websites and cloud services with built-in TLS support to further disguise the traffic. For example, this traffic from a Bladabindi RAT dropper shows it attempting to retrieve its payload from a Pastebin page. (The page no longer exists.)

We’ve seen numerous cases of malware behaving this way in our research. The PowerShell-based dropper for LockBit ransomware was observed retrieving additional script from a Google Docs spreadsheet via TLS, as well as from another website. And a dropper for AgentTesla (discussed later in this report) also has been observed accessing Pastebin over TLS to retrieve chunks of code. While Google and Pastebin often quickly shut down malware-hosting documents and sites on its platform, many of these C2 sources are abandoned after a single spam campaign, and the attackers simply create new ones for their next attack.

Sometimes malware uses multiple services this way in a single attack. For example, one of the numerous malware droppers we found in Discord’s content delivery network dropped another stage also hosted on Discord, which in turn attempted to load an executable directly from GitHub. (The GitHub code had already been removed as malicious; we disclosed the initial stages of the malware attack to Discord, along with numerous other malware, who removed them.)

Malware download traffic actually makes up the majority of the TLS-based C2 traffic we observed. In February 2021, for instance, droppers made up over 90 percent of the TLS C2 traffic—a figure that closely matches the static C2 detection telemetry data associated with similar malware month-to-month from January through March of 2021.

Covert channels

Malware operators can use TLS to obfuscate command and control traffic. By sending HTTPS requests or connecting over a TLS-based proxy service, the malware can create a reverse shell, allowing commands to be passed to the malware, or for the malware to retrieve blocks of script or required keys needed for specific functions. Command and control servers can be a remote dedicated web server, or they can be based on one or more documents in legitimate cloud services. For example, the Lampion Portuguese banking trojan used a Google Docs text document as the source for a key required to unlock some of its code—and deleting the document acted as a kill-switch. By leveraging Google Docs, the actors behind Lampion were able to conceal controlling communications to the malware and evade reputation-based detection by using a trusted host.

The same sort of connection can be used by malware to exfiltrate sensitive information—transmitting user credentials, passwords, cookies, and other collected data back to the malware’s operator. To conceal data theft , malware can encapsulate it in a TLS-based HTTPS POST, or export it via a TLS connection to a cloud service API, such as Telegram or Discord “bot” APIs.

SystemBC

One example of how attackers use TLS maliciously is SystemBC, a multifaceted malicious communications tool used in a number of recent ransomware attacks. The first samples of SystemBC, spotted over a year ago, acted primarily as a network proxy, creating what amounted to a virtual private network connection for attackers based on SOCKS5 remote proxy connection encrypted with TLS—providing concealed communications for other malware. But the malware has continued to evolve, and more recent samples of SystemBC are more full-featured remote access trojans (RATs) that provide a persistent backdoor for attackers once deployed. The most recent version of SystemBC can issue Windows commands, as well as deliver and run scripts, malicious executables, and dynamic link libraries (DLLs)—in addition to its role as a network proxy.

SystemBC is not entirely stealthy, however. There’s a lot of non-TLS, non-Tor traffic generated by SystemBC—symptomatic of the incremental addition of features seen in many long-lived malware. The sample we recently analyzed has a TCP “heartbeat” that connects over port 49630 to a host hard-coded into the SystemBC RAT itself.

The first TLS connection is an HTTPS request to a proxy for IPify, an API that can be used to obtain the public IP address of the infected system. But this request is sent not on port 443, the standard HTTPS port—instead, it’s sent on port 49271. This non-standard port usage is the beginning of a pattern.

SystemBC then attempts to obtain data about the current Tor network consensus, connecting to hard-coded IP addresses with an HTTP GET request, but via ports 49272 and 49273. SystemBC uses the connections to download information about the current Tor network configuration.

Web scraping with Apify Apify offers several different ways to scrape. You can start from scratch with your own solution, build upon existing tools, use ready-made tools, or get a solution created for you. Scraping with Web Scraper Learn how to scrape a website using Apify's Web Scraper. Build an actor's page function, extract information from a web page and download your data. This scraping tutorial will go into the nitty gritty details of extracting data from using Web Scraper. Web Scraper is an actor developed specifically for scraping. It presents nice UI and doesn't force you to write much code yourself. If you remember our old Crawler platform, Web Scraper will feel very familiar. You can start using it immediately if you go to its page on in our library and press Try for free. Web Scraper is a generic easy-to-use actor for crawling arbitrary web pages and extracting structured data from them using a few lines of JavaScript code. The actor loads web pages in the Chromium browser and renders dynamic content. Web Scraper can either be configured and run manually in a user interface, or programmatically using the API. Apify can automate anything you can do manually in a web browser, and run it at scale. We're your one-stop shop for web scraping, data extraction, and web RPA.

Next, SystemBC establishes a TLS connection to a Tor gateway picked from the Tor network data. Again, it uses another non-standard port: 49274. And it builds the Tor circuit to the destination of its Tor tunnel using directory data collected via port 49275 via another HTTP request. There, the progression of sequential ports ends, and in the sample we analyzed it tries to fetch another malware executable via an open HTTP request over the standard port.

The file retrieved by this sample, henos.exe, is another backdoor that connects over TLS on the standard port (443) to a website that returns links to Telegram channels—a sign that the actor behind this SystemBC instance is evolving tactics. SystemBC is likely to continue to evolve as well, as its developers address the mixed use of HTTP and TLS and the somewhat predictable non-standard ports that allow SystemBC to be easily fingerprinted.

AgentTesla

Like SystemBC, AgentTesla—an information stealer that can also function in some cases as a RAT—has evolved over its long history. Active for more than seven years, AgentTesla has recently been updated with an option to use the Tor anonymizing network to conceal traffic with TLS.

We’ve also seen TLS used in one of AgentTesla’s most recent downloaders, as the developers have used legitimate web services to store chunks of malware encoded in base64 format on Pastebin and a lookalike service called Hastebin. The first stage downloader further tries to evade detection by patching Windows’ Anti-Malware Software Interface (AMSI) to prevent in-memory scanning of the downloaded code chunks as they’re joined and decoded.

The Tor addition to AgentTesla itself can be used to conceal communications over HTTP. There is also another optional C2 protocols in AgentTesla that that could be TLS protected—the Telegram Bot API, which uses an HTTPS server for receiving messages. However, the AgentTesla developer didn’t implement HTTPS communications in the malware (at least for now)—it fails to execute a TLS handshake. Telegram accepts unencrypted HTTP messages sent to its bot API.

Dridex

Dridex is yet another long-lived malware family that has seen substantial recent evolution. Primarily a banking Trojan, Dridex was first spotted in 2011, but it has evolved substantially. It can load new functionality through downloaded modules, in a fashion similar to the Trickbot Trojan. Dridex modules may be downloaded together in an initial compromise of the affected system, or retrieved later by the main loader module. Each module is responsible for performing specific functions: stealing credentials, exfiltrating browser cookie data or security certificates, logging keystrokes, or taking screenshots.

Dridex’s loader has been updated to conceal communications, encapsulating them with TLS. It uses HTTPS on port 443 both to download additional modules from and exfiltrate collected data to the C2 server. Exfiltrated data can additionally be encrypted with RC4 to further conceal and secure it. Dridex also has a resilient infrastructure of command and control (C2) servers, allowing installed malware to fail over to a backup if its original C2 server goes down.

These updates have made Dridex a continuing threat, and Dridex loaders are among the most common families of malware detected using TLS—overshadowed only by the next group of threats in our TLS rogues’ gallery: off-the-shelf “offensive security” tools repurposed by cybercriminals.

Metasploit and Cobalt Strike

Offensive security tools have long been used by malicious actors as well as security professionals. These commercial and open-source tools, including the modular Cobalt Strike and Metasploit toolkits, were built for penetration testing and “red team” security evaluations—but they’ve been embraced by ransomware groups for their flexibility.

Over the last year, we’ve seen a surge in the use of tools derived from offensive security platforms in manually-deployed ransomware attacks, used by attackers to execute scripts, gather information about other systems on the network, extract additional credentials, and spread ransomware and other malware.

Taken together, Cobalt Strike beacons and Metasploit “Meterpreter” derivatives made up over 1 percent of all detected malware using TLS—a significant number in comparison to other major malware families.

And all the rest

Potentially unwanted applications (PUAs), particularly on the macOS platform, also leverage TLS, often through browser extensions that connect surreptitiously to C2 servers to exfiltrate information and inject content into other web pages. We’ve seen the Bundlore use TLS to conceal malicious scripts and inject advertisements and other content into web pages, undetected. Overall, we found over 89 percent of macOS threats with C2 communications used TLS to call home or retrieve additional harmful code.

There are many other privacy and security threats lurking in TLS traffic beyond malware and PUAs. Phishing campaigns increasingly rely on websites with TLS certificates—either registered to a deceptive domain name or provided by a cloud service provider. Google Forms phishing attacks may seem easy to spot, but users trained to “look for the lock” alongside web addresses in their browser may casually type in their personally identifying data and credentials.

Traffic analysis

All of this adds up to a more than 100 percent increase in TLS-based malware communications since 2020. And that’s a conservative estimate, as it’s based solely on what we could identify through telemetry analysis and host data.

As we’ve noted, some use TLS over non-standard IP ports, making a completely accurate assessment of TLS usage impossible without deeper packet analysis of their communications. So the statistics sited in this report do not reflect the full range of TLS-based malicious communications—and organizations should not rely on the port numbers related to communications alone to identify potential malicious traffic. TLS can be implemented over any assignable IP port, and after the initial handshake it looks like any other TCP application traffic.

Even so, the most concerning trend we’ve noted is the use of commercial cloud and web services as part of malware deployment, command and control. Malware authors’ abuse of legitimate communication platforms gives them the benefit of encrypted communications provided by Google Docs, Discord, Telegram, Pastebin and others—and, in some cases, they also benefit from the “safe” reputation of those platforms.

We also see the use of off-the-shelf offensive security tools and other ready-made tools and application programming interfaces that make using TLS-based communications more accessible continuing to grow. The same services and technologies that have made obtaining TLS certificates and configuring HTTPS websites vastly simpler for small organizations and individuals have also made it easier for malicious actors to blend in with legitimate Internet traffic, and have dramatically reduced the work needed to frequently shift or replicate C2 infrastructure.

All of these factors make defending against malware attacks that much more difficult. Without a defense in depth, organizations may be increasingly less likely to detect threats on the wire before they have been deployed by attackers.

Sophos Limited Wiki

SophosLabs would like to acknowledge Suriya Natarajan, Anand Aijan, Michael Wood, Sivagnanam Gn, Markel Picado and Andrew Brandt for their contributions to this report.