2The 1981 book School, Work and Play (World of Tomorrow) features this beautiful two-page spread. Apparently, thanks to computers, there's no crime in the future outside of the computerized variety.
3Company Overview The leader in stopping advanced targeted attacks Marquee customers across every industryTop banks, hi-tech, oil and gas, governmentAll major Internet search engines, top social networks, and auction sitesOne of the fastest growing enterprise technology companies in the worldFireEye is the leader in stopping advanced targeted attacks that use advanced malware, zero-day exploits, and APT tactics.FireEye’s solutions supplement traditional and next-generation firewalls, IPS, antivirus and gateways, which cannot stop advanced threats, leaving security holes in networks.Customers across every vertical in every industry. Named examples include NetApp, Heartland Payment Systems, and UC Berkeley.FireEye offers the industry’s only solution that detects and blocks attacks across Web and threat vectors as well as malware resident on file shares. It addresses all stages of an attack lifecycle with a signature-less engine utilizing stateful attack analysis. Based in Milpitas, California, FireEye is backed by premier financial partners including Sequoia Capital, Norwest Venture Partners, Juniper Networks, and In-Q-Tel, the venture arm of the Intelligence Community.These organizations have confirmed FireEye is among the fastest growing technology companies in the world.TRANSITION: Let’s take a look at a sample of the customer base.
4We Are Only Seeing the Tip of the Iceberg HEADLINE GRABBING ATTACKSTHOUSANDS MORE BELOW THE SURFACEAPT AttacksZero-Day AttacksPolymorphic AttacksTargeted AttacksBeyond the headlines, there are a range of attacks that very commonly penetrate defenses.Well-known brands get the publicity, but for every one we hear about there are thousands that are not mentioned below the surface.This is due to the sophistication of attacks.(Transition to diving into what an Advanced Targeted Attack really is about.)
10Characteristics of Malware Stealth LevelRanges from High to LowTarget VulnerabilityUnpatched machines, plug-ins, browsersIntended victim(s)Specific victims - using SpearphishingObjectivesTheft? Disruption? Fear?
11High Profile APT Attacks Are Increasingly Common You may have seen these headlines, but one key point is that all companies are at risk.Interestingly, many attacks are actually designed with the express purpose to enable further attacks on even more valuable targets. (RSA attack led to attacks on Lockheed, L3, and Northrup.)Net-net: Data breaches are increasingly common due to flaws in common applications/plug-ins like Adobe Reader. Persistent foes show that break-ins like the RSA data breach or theft of Symantec source code are straightforward given today’s traditional defenses.TRANSITION: Getting beyond the headlines
12Defining Advanced Targeted Attacks Utilizes advanced techniques and/or malwareUnknownTargetedPolymorphicDynamicPersonalizedUses zero-day exploits, commercial quality toolkits, and social engineeringOften targets IP, credentials and often spreads laterally throughout networkAKA—Advanced Persistent Threat (APT)The New Threat LandscapeThere is a new breed of attacks that are advanced, zero-day, and targetedADVANCEDStealthyUnknown and Zero DayTargetedPersistentAdvanced Targeted AttackAdvanced Targeted Attacks is the term we will use to describe the attacks in this market (it is also what Gartner has just coined and uses). What are advanced targeted attacks? They use advanced malware, zero-day and APT tactics to penetrate networks for the purpose of control, espionage and theft.Advanced Malware uses a variety of tactics like zero-day exploits, dynamism (e.g. fast flux DNS, polymorphism), and is often targeted / personalized.We are now in the age of the “Cyber Industrial Complex” in which criminals have commercial qualify toolkits to build the cyber weapons (malware) so effective at penetrating networks.Many in the IT security industry call these cyber criminal actors – Advanced, Persistent ThreatsTRANSITION: Why are advanced targeted attacks so effective?OpenKnown and PatchableBroadOne TimeTRADITIONAL
13Traditional Defenses Don’t Work Networks Are Being Compromised as APTs Easily Bypass Traditional Signature-Based Defenses Like NGFW, IPS, AV, and GatewaysAdvanced attacks bypass both signature and heuristics-based technologies in existing IT security defensesAs a result, traditional defenses are ineffective against today’s advanced targeted attacks.Signatures represent a reactive mechanism against known threats. However, if attacks remain below the radar, the malware is completely missed, and the network remains vulnerable especially to zero-day, targeted APT malware. No matter how malicious the code is, if signature-based tools haven't seen it before, they let it through. For example, consider the time lag in signature development due to the need for vulnerability disclosure and/or the mass spread of an attack to catch the attention of researchers.Also, advanced attacks bypass heuristics-based technologies in existing IT security defenses as well. Heuristic-based protection alone has not proven to be operationally effective. They use rough algorithms to estimate suspicious behavior generating lots of false alerts. While these heuristic techniques have merit, the true positive to false positive ratio (a.k.a. Signal-to-Noise ratio) is too low for a cost-effective ROI. The false positives clutter up security event logs and real-time blocking based on these heuristic alerts is simply not an option. Administrators often "dumb down" available heuristics to catch only the most obvious suspicious behavior. Multi-stage targeted attacks don't trip this coarse-grained filter.
14Typical Enterprise Security Architecture Firewalls/ NGFWIPSSecure Web GatewaysAnti-Spam GatewaysDesktop AVBlock IP/port connections, application-level control, no visibility into exploits and ineffective vs. advanced targeted attacksAttack-signature based detection, shallow application analysis, high-false positives, no visibility into advanced attack lifecycleSome analysis of script-based malware, AV, IP/URL filtering; ineffective vs. advanced targeted attacksRelies largely on antivirus, signature-based detection (some behavioral); no true spear phishing protectionSignature-based detection (some behavioral); ineffective vs. advanced targeted attacksTraditional defenses lack any true integration and are easily bypassed by blending threat vectors and taking place over time, in stages. Remember, all current defenses are signature-based so they can’t stop what they haven’t seen before.Firewalls/Next-gen firewall – rely on port/protocol/IP addresses to enforce connection policies. They have no visibility into exploits and are ineffective vs. advanced targeted attacks.IPS - Attack-signature based detection, shallow application-level analysis, high-false positives, no visibility into advanced attack lifecycleSWG - Some analysis of script-based malware, AV, IP/URL filtering; ineffective vs. advanced targeted attacksAnti-Spam - Relies largely on antivirus, signature-based detection (some behavioral); no true spear phishing protectionDesktop Antivirus - Signature-based detection (some behavioral); ineffective vs. advanced targeted attacksCyber criminals have figured out how to evade detection by traditional defenses. Using toolkits to design polymorphic threats that change with every use, move slowly, and exploit zero-day vulnerabilities, the criminals have broken in through the hole left by traditional and next-generation firewalls, IPS, antivirus and Web gateways. This new generation of organized cybercrime is persistent, capitalizing on organizational data available on social networking sites to create very targeted 'phishing' s and malware targeted at the types of applications and operating systems (with all their vulnerabilities) typical in particular industries.
15Attacks Increasingly Sophisticated Dynamic Web AttacksMulti-VectorDelivered via Web orBlended attacks with containing malicious URLsUses application/OS exploitsMulti-StageInitial exploit stage followed by malware executable download, callbacks and exfiltrationLateral movement to infect other network assetsThe main reason advanced attacks are so effective is that they use:* Multiple threat vectors like Web or to bypass signature-based defenses.* Multiple stages that take place over time, allowing criminals to penetrate uncoordinated, traditional security that is blind to the attack lifecycle.Initial exploit stage followed by malware binary (executable) download, callbacks and exfiltrationTraditional protections, like traditional and next-generation firewalls, intrusion prevention systems, antivirus and Web gateways, only scan for the first move, the inbound attack. These systems rely heavily on signatures and known patterns of misbehavior to identify and block threats. This leaves a gaping hole in network defenses that remain vulnerable to zero-day and targeted APT attacks.Malicious ExploitsSpear Phishing s
16The Attack Lifecycle – Multiple Stages CompromisedWeb server, orWeb 2.0 site1Callback Server1Exploitation of system42Malware executable download3Callbacks and control establishedFile Share 2IPS54Data exfiltrationThe Advanced Attack Lifecycle:Stage 1: System exploitationThey start out initially by attempting to exploit your system using “drive-by attacks” in casual browsing. The attack may be delivered via the Web or , with the containing malicious URLs, for example. It’s a blended attack across Web and threat vectors to setup the first stage, system exploitation.Stage 2: Binary payloads are downloadedWith exploitation successful, more malware binaries are downloaded, such as key loggers, Trojan backdoors, password crackers, and file grabbers.Just one exploit translates into dozens of infections on the same system. Stage 3: Malware calls backs and control establishedOnce the malware installs, they have cracked the first step to establishing a control point from within your defenses. The malware, once in place, calls out to criminal servers for further instructions. It can also replicate itself and disguise itself to avoid scans. Some will turn off antivirus scanners, reinstall missing components after a cleaning, or lie dormant for days or weeks. By using callbacks from within the trusted network, malware communications are allowed right through the firewall. It will go through all the different layers of the network.At this point, the criminals have built long-term control mechanisms into the system.Stage 4: Data exfiltrationNext, data acquired from infected servers is staged for exfiltration. The data is exfiltrated over any commonly allowed protocol, like ftp or HTTP, to an external server controlled by the criminal, say at a hosting provider.Stage 5: Malware spreads laterallyThe criminal works to move beyond the single system and establish long-term control in the network. The advanced malware looks for mapped drives on infected laptops and desktops, and then it will spread laterally deeper into network file shares, for example. It will conduct reconnaissance and map out network infrastructure, determine key assets, and establish a network foothold on target servers.File Share 1235Malware spreads laterally
17FireEye Malware-VM™ Filter Global loop sharing into MAX Cloud IntelligencePhase 3XML/SNMP alerts on infections as well as C&C destinationsFast Path Real-time Blocking in AppliancePhase 1: Aggressive capture heuristicsDeploys out-of-band/passive or inlineMulti-protocol capture of HTML, files (e.g. PDF), & EXEsMaximizes capture of potential zero-day attacksPhase 2: Virtual machine analysisConfirmation of malicious attacksRemoval of false positivesPhase 3: Block Call BackStop data/asset theftKEY POINT:More in-depth with the FireEye Malware VM analysis* Proprietary VM technology* Ability to detect even VM aware malware* Runs the full OS and browser software stack
18The FireEye Difference Multi-Vector ProtectionProtection against Web attacksProtection against attacksProtection against file-based attacksMulti-Stage ProtectionInbound zero-day exploit detectionOutbound malware callback blockingMalware binary payload analysisLatent malware quarantineMulti-VectorMulti-StageFireEye offers true multi-vector protection addressing all stages of the attack lifecycle.Criminals are so effective because they blend tactics and take their time working in stages to penetrate the network.FireEye has been designed to address both the multi-vector nature of today’s advanced targeted attacks and address each stage of an advanced attack to completely mitigate against the threat of an advanced targeted attack.TRANSITION: let’s talk a bit more about multi-vector protection.
19Multi-Vector Protection Blended Web/ ThreatsMPSWeb MPSFile MPSCMSWeb ThreatsThreatsMulti-vector protection requires :* Dealing with Web and threats* Dealing with malware resident in file shares brought into the network by users (aka unintentional “Malware Mules”). The Web and MPS protect all the desktops and the File MPS protects all the servers and file shares.* Integrating protection mechanisms so that a malicious URL can be traced back to the originating Spear Phishing .* Blended protection to stop blended attacks.TRANSITION: Now, let’s dive into how FireEye stops across the multiple stages of an attack lifecycleInternal Lateral Movement of Threats
20Multi-Staged Attack Pieces Connected Point ProductsCALLBACKWEB EXPLOITWEB OR EXPLOITMALWARE EXECUTABLEDOWNLOADDATA EXFILTRATIONCALLBACKLATERALMOVEMENTMALWARE EXECUTABLEDOWNLOADLATERALSPREADDATA EXFILTRATIONPoint products attempt to deal with specific aspects of the attack lifecycle and poorly at that. E.g. callback blocking using URL filters is largely ineffective. Criminals use dynamic, one-time URLs, host them on high-reputation domains, and/or use non-HTTP callback channels.However, FireEye pulls the pieces together in real-time using dynamic, signature-less analysis. We connect the dots of an attack to mitigate the impact of APT threat actors. We see the actual exploit AND every other stage to connect the dots while others may only see the binary download or a callback. The exploit phase is very key. Spectrum or Wildfire have no visibility into the exploit phase. A sophisticated attack will mask the binary download. Therefore, any other solution other than FireEye does not pick this up.Finally, we also detect malware that has moved laterally in an organization.
22Email Malware Protection System Protection against spear phishing and blended attacksAnalyzes all s for malicious attachments and URLsIn-line MTA active security or SPAN/BCC for monitoringBrute-force analysis of all attachments in VX EngineWeb MPS integration for malicious URL analysis/blockingWeb MPS integration for blocking of newly discovered callback channelsFEATURESSupports large range of file types (PDF, Office formats, ZIP, etc.)Attachment analysisURL analysisCorrelation of malicious URLs to s at the CMSThe FireEye Malware Protection SystemIt protects against spear phishing and blended attacksIt analyzes all s for malicious attachments and URLsIt can be deployed in in-line MTA active security or SPAN/BCC for monitoringKEY: Web MPS integration for malicious URL analysis/blockingThen, the Web MPS dynamically generates zero-day malware and malicious URL security contentThe correlation of malicious URLs to s is done at the CMSThis content is shared locally to other MPS’ via the CMS and shared globally through Malware Protection Cloud network
23File Malware Protection System Protects file sharing servers from latent malwareAddresses malware brought into the network via web or or file sharing as well as other manual meansDetects the lateral spread of malware through network file sharesContinuous and incremental network file share analysisWeb MPS integration for blocking of newly discovered callback channelsFEATURESSupports large range of file types (PDF, Office, ZIP, etc.)CIFS supportMalicious file quarantineIntegration via CMSThe File Malware Protection System protects file shares from resident malware brought into the network by users through Web downloads, cloud storage, and other manualmeans.This halts the lateral spread of malware through network file sharesThe File MPS offers continuous and incremental file share analysis, CIFS support, as well as file quarantine and CMS integration to share malware intelligence with local MPS appliances (Web/ /File).
24Multi-Layered Threat Intelligence Sharing Local SharingCross-Enterprise SharingGlobal SharingCentral Management SystemWeb MPSSecondsInternal Feedback LoopMany 3rd party Feeds Validated by FireEye TechnologyAnother look at the benefit of joining the FireEye security feedback loop.* Internal feedback loop – Zero-day malware intelligence is inserted into the local appliances fast path to block subsequent inbound infections from that location as well as callbacks from the patient zero callback. We terminate the attack in real-time, preventing the infection from fully succeeding as well as subsequent infections. Dynamic, real-time exploit, callback, and payload analysis to stop zero-day attacks.Local loop protection – Via the CMS, local MPS appliances (Web/ /File/MAS) receive that malware intel as well. Shared in real-time to local deployment via CMSGlobal loop protection – This worldwide cloud efficiently shares auto-generated malware security intelligence. Local FireEye MPS’s auto-generate advanced malware security intelligence to mitigate zero-days and this feeds into the global Malware Protection CloudCross-Enterprise Web MPS Deployment
25SummaryPace of advanced targeted attacks is accelerating, affecting all verticals and all segmentsTraditional defenses (NGFW, IPS, AV, and gateways) no longer stop these attacksReal-time, integrated signature-less solution is required across Web, and file attack vectorsFireEye has engineered the most advanced threat protection to supplement traditional defenses and stop advanced targeted attacksComplete Protection Against Advanced Targeted AttacksMalware Protection CloudCentral Management SystemMalware Analysis SystemWeb Malware Protection SystemMalware Protection SystemFileMalware Protection SystemWit the pace of advanced targeted attacks accelerating, all verticals and all segments are affected.Because traditional defenses (NGFW, IPS, AV, and gateways) no longer stop these attacks, companies need a real-time, proactive signature-less solution is required across Web, and file sharesFireEye has engineered the most advanced threat protection to supplement traditional defenses and stop advanced targeted attacks.