The AI-driven SOC
Join Josh Saxe’s keynote session at the Sophos Cybersecurity Summit on December 1st, 2021
Publications Our peer-reviewed research
Using Undocumented Hardware Performance Counters to Detect Spectre-Style Attacks
In this paper, we’ll first introduce our version of Spectre variant 4 with evasive changes that can bypass any detections using conventional cache miss, branch miss, and branch misprediction counters. We’ll then show how our model using select undocumented counters is able to detect this new edited variant, and how it is also able to detect a novel Spectre implementation submitted to Virus Total.
SOREL-20M: A Large Scale Benchmark Dataset for Malicious PE Detection
CatBERT: Context-Aware Tiny BERT for Detecting Targeted Social Engineering Emails
Targeted phishing emails are a major cyber threat on the Internet today and are insufficiently addressed by current defenses. In this paper, we leverage industrial-scale datasets from Sophos cloud email security service, which defends tens of millions of customer mailboxes, to propose a novel Transformer-based architecture for detecting targeted phishing emails. Our model leverages both natural language and email header inputs, is more computationally efficient than competing transformer approaches, and we show that it is less prone to adversarial attacks which deliberately replace keywords with typos or synonyms.
IPs that are malicious together, stay together
While the threat landscape is extremely sophisticated and diverse, almost all threats involve communication with the internet at some stage of their attack. This communication could include attackers transmitting malicious payloads for initial access, ransomware communicating with command and control to exchange encryption keys, or espionage tools exfiltrating sensitive information to sharing sites.
Catastrophic Forgetting Explained
Keeping malware detections up to date is a never-ending journey and one that is made harder for defenders since the latest-and-greatest malware is rarely completely “new.” Instead, it is more likely to be a combination of “something old, something borrowed, and something new.” Take document malware for example, it spent years in dormancy then resurfaced in 2014 when Dridex used documents to deploy its payload, and it still remains on the SophosLabs team’s “Most Wanted” list, as referenced in Sophos’ 2021 Threat Report.
Sharing Threat Intelligence Gives Defenders an Edge
Cybersecurity is a fiercely competitive industry. It is unique in the information technology space in that we don’t just face competition from other vendors, we also have human adversaries, and they are the real competition. While our products and services must compete in the market against those from other vendors, it must never happen at the expense of our ability to protect our customers.