Presentation on theme: "Next Generation Threat Protection"— Presentation transcript:
1 Next Generation Threat Protection Charles Wilkerson, Sr. Security Engineer
2 Introduction
"While traditional antivirus [vendors] may be able to spot and deflect many kinds of attacks, they're not well-equipped to handle targeted attacks. But there are technologies able to detect such attacks, if not entirely prevent them, Pescatore said, from the likes of vendors such as FireEye, not McAfee or Kaspersky."
"About every five years, we get in a phase when attacks get ahead of defenses, and we're in one now," said Pescatore.
Source: CIO Magazine, Aug. 23rd
3 The New Breed of Cyber Attacks
Nature of threats changing
Today's attacks sophisticated and successful: cyber-espionage and cybercrime, Advanced Persistent Threats, zero-day, targeted attacks, dynamic Trojans, stealth bots
[Chart: damage of attacks by type (viruses, worms, disruption, spyware/bots, cybercrime) on a 2005 to 2013 timeline; values not recoverable from the transcript]
STAT: The pace of attacks is way up: 10x from 2007 and 5x from 2009 (both according to Intel's threat data reports). And the nature of these attacks has changed from broad, scattershot attacks to very targeted attacks by persistent adversaries (often nation-states).
Gartner is reaffirming that today's new breed of cyber attacks has evolved to a point that bypasses the capabilities of traditional tools.
(TRANSITION: Let's take a look at some of these high-profile victims.)
"Organizations face an evolving threat scenario that they are ill-prepared to deal with....threats that have bypassed their traditional security protection techniques and reside undetected on their systems." Gartner, 2012
4 High Profile Attacks are Increasingly Common
Ever since the Operation Aurora attack 5 years ago, the game has changed: state agencies, hacktivists and organized crime (frequently collaborating on attacks) have upped the ante. Daily headlines now show that zero-day attacks have become the norm. Traditional security methods such as firewalls, IPS, host antivirus and web filtering are in place at most organizations, yet these threats continue to penetrate them. Data breaches are increasingly common due to flaws in common applications and plug-ins like Adobe Reader and Java, and to browser exploits. Persistent threats are commercial-grade and virtual-machine aware. In November 2012, VMware acknowledged that its source code had been leaked, code that had been out of its control for over 7 years. It is no wonder that the "add-on generic sandboxes" vendors have bolted on recently are ineffective, since most use VMware ESX-based inspection that VM-aware malware can recognize. Attacking at will, attackers are now commonly breaching organizations that are large, small, local, global, public and private.
5 Numbers Show a Harsh Reality
2/3 of U.S. firms report that they have been the victim of cyber attacks
Every second, 14 adults become a victim of cyber crime
40% of all IT executives expect a major cybersecurity incident
6.5x: number of cyber attacks since 2006
959,000+ (label lost in transcription)
115% CAGR in unique malware since 2009
Further slide statistics whose values did not survive transcription: malicious websites identified per day; new vulnerabilities discovered each week
Beyond the headlines, there is a range of attacks that very commonly penetrate defenses. Well-known brands get the publicity, but for every one we hear about there are thousands that are not mentioned, below the surface. This is due to the sophistication of attacks.
6 NEW THREAT LANDSCAPE: What's Changed?
Dynamic, polymorphic malware
Coordinated, persistent threat actors
Malware became known to many computer users through widespread infections caused by Melissa (in 1999) and LoveLetter (in 2000). Both were email-based, and LoveLetter spread via an infected email attachment. When the attachment was opened, the malware overwrote a variety of different types of files on the user's PC and emailed itself to others in the user's address book. LoveLetter quickly became the most costly incident of its kind to that point in time. Despite the damage that Melissa and LoveLetter caused, it could be argued that they had three positive effects: they caused computer malware to come under increasing scrutiny; they increased social awareness about computer malware (through peer pressure from many upset message recipients); and they underscored the importance of backups (because LoveLetter overwrote files which were lost if backups were not available).
As more software developers create less vulnerable solutions, malicious outsiders need to develop more sophisticated programs capable of detecting and exploiting weaknesses. This has led to the evolution of socially engineered attacks that lure users with infected advertisements, attachments and the like, Dark Reading reported. "I think some people get lulled into a false sense of security by having antivirus software," McKenney said. "The truth is hackers can get around antivirus software pretty easily if you don't have all your programs updated with the latest security patches. It's like building a fence and leaving your gate wide open."
The definition of APT: "Advanced" means it gets through your existing defenses. "Persistent" means it succeeds in hiding from your existing level of detection. "Threat" means it causes you harm.
"We think the targeted aspect is more important to focus on and, for the purposes of this research, will use the term 'advanced targeted threat.'" The reality is that the most important issues are the vulnerabilities.
Contextual analysis of the overall attack is critical to understand that an attack has commenced, that the attack is active, and what is transpiring (data theft, lateral spread in the network, deep system compromise, etc.).
FireEye uses multi-flow analysis to understand the full context of an APT attack. Stateful attack analysis enables customers to address each stage of an attack and mitigate damages. Point products see only a single attack flow, thereby missing the full attack view and lifecycle, while the APT attack continues by using other vectors or revisiting an attack stage.
Multi-Vector Attacks / Multi-Staged Attacks
7 Advanced Targeted Attacks Defined
The New Threat Landscape: there is a new breed of attacks that are advanced, zero-day, and targeted.
ADVANCED: stealthy; unknown and zero-day; targeted; persistent
TRADITIONAL: open; known and patchable; broad; one-time
IPS and AV signatures bypassed by: dynamic zero-day malware; targeted attacks; polymorphic malware
URL filtering and reputation bypassed by: dynamic, disposable, malicious domains; framed and deeply embedded content; compromised legitimate web sites
Heuristics, correlation and basic emulation techniques bypassed by: targeted attacks; zero-day vulnerability attacks
Advanced Targeted Attack: cyber criminals have figured out how to evade detection by traditional defenses, using toolkits to design polymorphic threats that change with every use, move slowly, and exploit zero-day vulnerabilities, the holes left open by traditional and next-generation firewalls, IPS, anti-virus and web gateways. This new generation of organized cybercrime is persistent, capitalizing on organizational data available on social networking sites to create very targeted 'phishing' emails and malware aimed at the types of applications and operating systems (with all their vulnerabilities) typical in particular industries.
Advanced targeted attacks use advanced malware, zero-day and APT tactics to penetrate networks for the purpose of control, espionage and theft. Advanced malware uses a variety of tactics like zero-day exploits and dynamism (e.g. fast-flux DNS, polymorphism), and is often targeted / personalized.
We are now in the age of the "Cyber Industrial Complex," in which criminals have commercial-quality toolkits to build the cyber weapons (malware) that are so effective at penetrating networks. Many in the IT security industry call these cyber criminal actors Advanced Persistent Threats.
TRANSITION: Why are advanced targeted attacks so effective?
8 Commercial Tool Kits
Cybercriminals are always looking for easier ways to accomplish their goal of making money. One of the tools that has been most successful for them over the past few years is the web exploit toolkit. These toolkits consist of a number of exploits, a control panel to configure various aspects of the kit (which exploits to use, which IP addresses to blacklist, how to view statistics, etc.) and configuration for the backend database where all the information is stored. Installation guidance via text file is often included, and many kits use web-based install processes. Kits cost anywhere from free to thousands of dollars.
9 The Attack Life Cycle – Multiple Stages
[Diagram: compromised web server or Web 2.0 site, callback server, IPS, and two file shares, with the numbered stages 1 exploitation of system, 2 malware executable download, 3 callbacks and control established, 4 data exfiltration, 5 malware spreads laterally]
The Cyber Attack Lifecycle:
Stage 1: System exploitation. They start out by attempting to exploit your system using "drive-by attacks" during casual browsing. The attack may be delivered via the Web or email, with the email containing malicious URLs, for example. It's a blended attack across Web and email threat vectors to set up the first stage, system exploitation.
Stage 2: Binary payloads are downloaded. With exploitation successful, more malware binaries are downloaded, such as key loggers, Trojan backdoors, password crackers, and file grabbers. Just one exploit translates into dozens of infections on the same system.
Stage 3: Malware calls back and control is established. Once the malware installs, the attackers have completed the first step to establishing a control point from within your defenses. The malware, once in place, calls out to criminal servers for further instructions. It can also replicate itself and disguise itself to avoid scans. Some will turn off antivirus scanners, reinstall missing components after a cleaning, or lie dormant for days or weeks. Because the callbacks originate from within the trusted network, malware communications are allowed right through the firewall, across all the layers of the network. At this point, the criminals have built long-term control mechanisms into the system.
Stage 4: Data exfiltration. Next, data acquired from infected servers is staged for exfiltration. The data is exfiltrated over any commonly allowed protocol, like FTP or HTTP, to an external server controlled by the criminal, say at a hosting provider.
Stage 5: Malware spreads laterally. The criminal works to move beyond the single system and establish long-term control in the network. The advanced malware looks for mapped drives on infected laptops and desktops, and then spreads laterally deeper into network file shares, for example. It conducts reconnaissance, maps out network infrastructure, determines key assets, and establishes a network foothold on target servers.
10 Traditional Defenses Don't Work
The new breed of attacks evades signature-based defenses: firewalls/NGFW, IPS, anti-spam gateways, secure web gateways, desktop AV.
And what do they all have in common? The attacks are targeted, persistent and unknown, enabling them to evade traditional signature-based defenses. Traditional or next generation firewalls, IPS, gateways or AV, it doesn't matter: they are all defenseless in the face of these new attacks. As a result, traditional defenses are ineffective against today's advanced targeted attacks.
Signatures represent a reactive mechanism against known threats. If attacks remain below the radar, the malware is completely missed, and the network remains vulnerable, especially to zero-day, targeted APT malware. No matter how malicious the code is, if signature-based tools haven't seen it before, they let it through. Consider, for example, the time lag in signature development: a vulnerability must be disclosed, or an attack must spread widely enough, to catch the attention of researchers before a signature exists.
Advanced attacks bypass heuristics-based technologies in existing IT security defenses as well. Heuristic-based protection alone has not proven to be operationally effective. Heuristics use rough algorithms to estimate suspicious behavior and generate lots of false alerts. While these techniques have merit, the true-positive to false-positive ratio (a.k.a. signal-to-noise ratio) is too low for a cost-effective ROI. The false positives clutter up security event logs, and real-time blocking based on heuristic alerts is simply not an option. Administrators often "dumb down" available heuristics to catch only the most obvious suspicious behavior, and multi-stage targeted attacks don't trip this coarse-grained filter.
11 A New Model is Required
Legacy pattern-matching detection model: signature-based; reactive; only known threats; false positives
New virtual execution model: signature-less; dynamic, real-time; known and unknown threats; minimal false positives
A typical attack follows a cycle of a) exploit, b) callback, c) malware download, and d) data exfiltration. Exploit detection is critical to catching next generation threats, since the following phases can be hidden or obfuscated. File-level analysis focuses on the downloaded files and hence may miss the exploit phase, resulting in false negatives. The FireEye MVX technology monitors the attack lifecycle through its various stages and can catch exploits even when the ensuing file download occurs over encrypted channels.
12 Malware Analysis
What types of malware analysis should you do?
Malware analysis splits into static analysis (signatures, heuristics) and dynamic analysis (discrete object analysis, contextual analysis).
Malware analysis is the art of dissecting malware to understand how it works, how to identify it, and how to defeat or eliminate it. And you don't need to be an uber-hacker to perform malware analysis.
Most often, when performing malware analysis, you'll have only the malware executable, which won't be human-readable. In order to make sense of it, you'll use a variety of tools and tricks, each revealing a small amount of information. You'll need to use a variety of tools in order to see the full picture.
There are two fundamental approaches to malware analysis: static and dynamic. Static analysis involves examining the malware without running it. Dynamic analysis involves running the malware. Both techniques are further categorized as basic or advanced.
Basic static analysis: examining the executable file without viewing the actual instructions. Basic static analysis can confirm whether a file is malicious, provide information about its functionality (file hashes, imported functions, embedded strings such as URLs and registry keys), and sometimes provide information that will allow you to produce simple network signatures. It is straightforward and can be quick, but it's largely ineffective against sophisticated malware (packed or obfuscated samples in particular), and it can miss important behaviors.
Basic dynamic analysis: running the malware and observing its behavior on the system in order to remove the infection, produce effective signatures, or both. However, before you can run malware safely, you must set up an environment that will allow you to study the running malware without risk of damage to your system or network (an isolated VM with no route to production, and, since the threats described earlier are VM-aware, the expectation that some samples will refuse to run there). Like basic static analysis techniques, basic dynamic analysis techniques can be used by most people without deep programming knowledge, but they won't be effective with all malware and can miss important functionality.
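Basic static analysis as described above, carried out in code. This is an added example and is not part of the presentation or of FireEye's tooling: a Python triage script that pulls file hashes, a PE signature check, embedded ASCII and UTF-16LE strings, and byte entropy out of a binary without executing it. The bytes in SAMPLE are constructed inline to resemble a minimal PE image containing a hypothetical C&C URL, two API names and a Run-key string; the suspicious-API list and the 7.0 entropy threshold are assumptions of this example, not FireEye values.

```python
"""Basic static triage of an unknown executable without running it.

Added example, not code from the presentation or from FireEye. The bytes in
SAMPLE are constructed here to resemble a tiny PE image; the URL, registry
key and API list are hypothetical.
"""
import hashlib
import math
import re
import struct

# Constructed sample: a DOS "MZ" stub whose e_lfanew field (offset 0x3c) points
# at a "PE\0\0" signature, followed by strings an analyst would pull out.
_sample = bytearray(b"MZ" + b"\x00" * 0x3a)             # 0x3c bytes of DOS header
_sample += struct.pack("<I", 0x40)                       # e_lfanew -> 0x40
_sample += b"PE\x00\x00" + b"\x00" * 12                  # NT signature + filler
_sample += b"http://c2.example.invalid/checkin.php\x00"  # hypothetical C&C URL
_sample += b"WinExec\x00GetProcAddress\x00"              # imported API names
_sample += "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le") + b"\x00\x00"
SAMPLE = bytes(_sample)

# APIs whose presence in the strings is worth a second look (assumed list).
SUSPICIOUS_APIS = {"WinExec", "CreateRemoteThread", "VirtualAllocEx",
                   "WriteProcessMemory", "URLDownloadToFileA", "InternetOpenUrlA"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
REG_RE = re.compile(r"(?:HKLM|HKCU|SOFTWARE|SYSTEM)\\[^\s\"']+", re.IGNORECASE)


def file_hashes(data: bytes) -> dict:
    """Hashes are the first thing to look up in threat-intel feeds."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


def is_pe(data: bytes) -> bool:
    """True if the DOS header's e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Printable ASCII runs plus UTF-16LE runs (Windows binaries use both)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


def shannon_entropy(data: bytes) -> float:
    """0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(data: bytes) -> dict:
    """One pass of basic static analysis: what can be learned without running it."""
    strings = extract_strings(data)
    entropy = shannon_entropy(data)
    return {
        "hashes": file_hashes(data),
        "is_pe": is_pe(data),
        "entropy": round(entropy, 3),
        # Rule of thumb (assumption): whole-file entropy above ~7 bits/byte
        # suggests packing or encryption, i.e. static strings will be sparse.
        "packed_or_encrypted": entropy > 7.0,
        "urls": [u for s in strings for u in URL_RE.findall(s)],
        "registry_keys": [k for s in strings for k in REG_RE.findall(s)],
        "suspicious_apis": sorted(SUSPICIOUS_APIS.intersection(strings)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The "packed_or_encrypted" flag is where basic static analysis usually stops being useful: a high-entropy sample yields few strings and no imports worth reading, and the next step is dynamic analysis in an isolated environment.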
13 Building Blocks of the FireEye Platform
[Diagram: Multi-Vector Virtual Execution engine at the center, Dynamic Threat Intelligence (Cloud) and Dynamic Threat Intelligence (Enterprise), and Technology Interoperability]
The FireEye threat protection platform defeats today's cyber attacks that aggressively evade signature-based defenses and compromise the majority of today's networks. The FireEye platform is based on:
1. The FireEye Multi-Vector Virtual Execution™ (MVX) engine, which detects today's new breed of cyber attacks
2. The FireEye Dynamic Threat Intelligence™ Cloud, which shares anonymized threat intelligence from MVX analysis
3. Security interoperability with a broad ecosystem of partners using standards-based malware metadata and FireEye APIs
14 Multi-Vector Virtual Execution (MVX)
[Diagram: aggressive capture of suspicious traffic; purpose-built virtual execution; contextual detonation of malware in a virtual victim; visibility and forensics of the full attack lifecycle; block inbound attack and outbound callbacks to C2; zero-day DTI profile shared across the FireEye installation and uploaded to the FireEye Cloud; crowd-sourced DTI for scalable, global protection; hourly content updates]
(Recommended to have SE cover this slide)
Traditional security such as firewalls, IPS, host AV, proxies and email gateways uses signatures, lists and rules, which require prior knowledge of the attack.
Phase 1: The FireEye Web MPS appliance will also identify known targeted and opportunistic attacks if they match our Attack Profiles. Attack Profiles may match inbound exploits or outbound C&C communication. However, unknown, zero-day, targeted attacks won't be detected this way, since they are highly custom. Aggressive capture is used for identifying suspicious traffic. Because no blocking action is taken in Phase 1, you don't experience the high false-positive rates of IPS, while uncovering the false negatives that traditional security is missing. The suspicious captures are moved to Phase 2.
Phase 2: The captures of your real user traffic, from your real network, are replayed in virtual execution. Unlike generic sandboxes, FireEye uses a purpose-built hypervisor designed so that VM-aware malware cannot recognize the analysis environment, and built for speed: up to 32 virtual victims, a 300 microsecond VM instantiation rate, and more. Your PCs' user-agent data is profiled to match our preloaded guest images, providing detection and context. Replay in virtual execution provides visibility into the entire attack lifecycle. This automated validation phase ensures near-zero false-positive rates and uncovers what other security layers are missing. This side-by-side analysis of "Patient Zero" machine traffic doesn't add latency, but does create an Attack Profile from the combined static and dynamic analysis.
Phase 3: This Dynamic Threat Intelligence is updated in the local appliance, as well as in every other FireEye appliance in your local network. This stops the attack in its tracks: no additional hosts can be exploited by the inbound attack. Web MPS will also block all C&C communication from the "Patient Zero" machine, while allowing legitimate requests to continue. The DTI is then uploaded to the FireEye Cloud, where it is crowd-sourced with the entire FireEye community's DTI.
Blocks inbound exploit attempts. Blocks outbound C&C callbacks.
TRANSITION: (MOVE TO NEXT SLIDE)
15 Advanced Malware Protection Architecture
Real-time Web, email and file security to stop advanced targeted attacks
Centralized management and reporting
Augments the zero-day gaps traditional security misses
FireEye Platform shares DTI with 3rd-party products
Automation ensures higher detection accuracy and low TCO
Dynamic Threat Intelligence provides unique, zero-day intelligence
[Diagram: firewall, anti-spam, IPS, Web MPS, Email MPS, File MPS, CMS and MAS, with Dynamic Threat Intelligence, LAN, mail servers and two file shares]
Typically during a POC, and in production, FireEye appliances deploy:
Web – Typically the Web MPS appliance deploys on your "Core" network (not "Access" or "Distribution" networks), inside the firewall, in front of your corporate users. That typically means desktops, but may also include servers, etc. depending on your network. We can deploy both inline ("L2 Bridge") and off a SPAN/tap port; the latter is how we typically run POCs.
Email – Typically Email MPS is deployed to filter inbound mail, after the spam/hygiene layer and before your MTAs (Exchange, etc.). Email MPS is your "last line of defense".
CMS – Valuable for centralizing alerts, correlating the entire blended attack lifecycle, content updates and centralizing patch management.
Malware Analysis System (MAS) – MAS is used by customers who want additional forensics on attacks forwarded by Web MPS. It allows for customization of guest images, time, "Live" mode and unattended mode. Unattended mode is also used by those responsible for reimaging infected machines: MAS ensures that backed-up files are clean before they are restored to reimaged desktops.
File MPS – Can run different types of scan jobs through network-based scans of CIFS file shares. If you require a "FireEye only" solution for validation and remediation in addition to detection, File MPS can be used to scan suspected machines, identify the main malware binaries, and remediate them through quarantine, with quarantine management in the File MPS UI.
16 FireEye Platform – Extending DTI Closer to the Breach
[Diagram: FireEye platform at the center, with network monitoring, endpoint and SIA partner member integrations]
FIREEYE PLATFORM: As touched on before, FireEye typically sits at the center of our customer's security architecture. Their FireEye appliances uncover the time-sensitive, highly valuable zero-day, targeted threat, and then feed that information to your other systems. With over 25 Technology Alliance Partners and rapidly growing, the FireEye Platform allows local integration with your existing security investment.
A few example use cases:
AV – FireEye MPS identifies a targeted attack and creates zero-day malware signatures as part of the local Attack Profile. This DTI is shared with your local McAfee, Symantec, or other antivirus server. These zero-day signatures supplement the known signatures your AV company provides. This allows (ideally) automated validation and remediation using tools you're already familiar with, requiring little to no learning curve. Note: may require professional services.
NAC – FireEye MPS can identify an infected host, either by dynamically identifying the inbound exploit or the C&C communication, and feed the infected host's IP address to a NAC product or directly to a switch. This allows the infected machine to be moved off the access VLAN to an isolation VLAN where it can neither exfiltrate sensitive data nor spread laterally.
Gateway – FireEye MPS can identify the C&C architecture and feed proxies and firewalls the destination IP addresses, to ensure the infected host doesn't communicate out and to protect the broader network.
Data – FireEye MPS can identify an infected host and send the infected host's IP to Imperva SecureSphere. Imperva then changes the data policy so that a user who normally has access to sensitive data no longer does from an infected host.
SIEM – FireEye integrates natively with all the major security information and event management products (ArcSight/HP, Q1Labs/IBM, LogRhythm, Splunk, RSA), as well as others through JSON-, syslog- or XML-based integration.
Consultancies – FireEye MPS products are used by many consultancies such as Dell/SecureWorks and many others.
19 Operation Beebus Attack
APT campaign targeting the aerospace and defense industry in waves
No pattern to attack: multiple weaponized emails on some days, a single targeted email on others
Infection vector: email and drive-by downloads
Exploits common vulnerabilities in PDF and DOC
Familiar document names used in attack
Encrypted communications with C&C server
Backdoor contains modules to download and execute additional payloads and updates
Potentially the same nation-state actors that breached RSA: same server domain seen in callbacks; known to be behind information stealing from at least 70 organizations
FireEye discovered an APT campaign consistently targeting companies in the aerospace and defense industries. The campaign has been in effect for some time now.
Infection vector: We have seen this campaign use both email and drive-by downloads as a means of infecting end users. The threat actor has consistently used attachment names of documents/white papers released by well-known companies. The malicious attachments exploit some common vulnerabilities in PDF and DOC files.
Persistence: The malware uses a well-documented weakness in the Windows OS known as DLL search order hijacking. When an executable loads a DLL by bare name, Windows searches a fixed sequence of directories, and the first place it looks is the executable's own directory. This malware drops a DLL called ntshrui.dll into C:\Windows, so a system executable that lives there (the legitimate ntshrui.dll is in C:\Windows\System32) picks up the dropped copy first. Every launch of that executable then loads the backdoor, which is how the malware achieves persistence. (DLLs listed under KnownDLLs are mapped straight from System32 and are immune to this, which is why attackers choose a name that is not on that list.)
Command and control: The malware communicates with a remote command and control (CnC) server. The GET request in Figure 4 is the initial request that the compromised machine makes to "check in" with the CnC server. It encodes the information it collects with base64 (an encoding, not encryption, so it hides nothing from an analyst who recognizes it) and sends it to the remote CnC server, as seen in Figure 4. It is interesting to note that the base64 data is subjected to some substitutions before it is sent out, preventing run-of-the-mill base64 inspection on the wire: it replaces the '/' (forward slash) and '+' (plus) characters, which are part of the standard base64 character set, with '_' (underscore) and '-' (hyphen) respectively. The code that performs this operation is shown in Figure 5.
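The substitution described above, worked through as an added example that is not FireEye's code and not the malware's: an encoder that reproduces the transform, a decoder that reverses it, and a request inspector showing why a detection rule written for the standard base64 alphabet misses the token while a rule written for the substituted alphabet catches it. The beacon contents, the request path and parameter name, and the host name are constructed for this example; only the two character substitutions come from the analysis.

```python
"""Encoder/decoder for the Beebus check-in transform (base64 with '/'->'_'
and '+'->'-') and a request inspector that recognises it on the wire.

Added example, not FireEye's code and not the malware's. The beacon
contents, the request format and the host name are constructed for this
example; only the character substitution comes from the analysis above.
"""
import base64
import re

# Constructed beacon. The trailing "???" is chosen so that standard base64 of
# the whole thing ends in "Pz8/", i.e. it contains a '/' the malware rewrites.
BEACON = b"WKSTN-07|jdoe|6.1|???"

STD_B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")      # what a naive base64 rule looks for
URLSAFE_B64 = re.compile(r"^[A-Za-z0-9_-]+={0,2}$")  # the substituted alphabet


def malware_encode(plaintext: bytes) -> str:
    """Reproduce the observed transform: base64, then swap '/'->'_' and '+'->'-'."""
    std = base64.b64encode(plaintext).decode("ascii")
    return std.replace("/", "_").replace("+", "-")


def analyst_decode(token: str) -> bytes:
    """Undo the substitution and decode, restoring '=' padding if it was stripped."""
    std = token.replace("_", "/").replace("-", "+")
    std += "=" * (-len(std) % 4)
    return base64.b64decode(std, validate=True)


def check_in_request(beacon: bytes, host: str = "worldnews.example.invalid") -> str:
    """Build a check-in GET of the shape described above (path and parameter name assumed)."""
    return (f"GET /index.php?id={malware_encode(beacon)} HTTP/1.1\r\n"
            f"Host: {host}\r\n\r\n")


def inspect_request(request: str) -> dict:
    """Pull the query token out of a request and report which rule would match it."""
    token_match = re.search(r"[?&]id=([^ &]+)", request)
    host_match = re.search(r"Host: ([^\r\n]+)", request)
    token = token_match.group(1) if token_match else ""
    decoded = None
    if URLSAFE_B64.match(token):
        try:
            decoded = analyst_decode(token)
        except ValueError:          # binascii.Error is a ValueError
            decoded = None
    return {
        "host": host_match.group(1) if host_match else None,
        "token": token,
        "looks_std_b64": bool(STD_B64.match(token)),
        "looks_urlsafe_b64": bool(URLSAFE_B64.match(token)),
        "decoded": decoded,
    }


if __name__ == "__main__":
    req = check_in_request(BEACON)
    print(req)
    print(inspect_request(req))
```

The substituted alphabet is exactly RFC 4648's URL-safe base64, so Python's base64.urlsafe_b64decode gives the same result as analyst_decode once padding is restored; the point for detection is that the two extra characters must be in the rule's alphabet, and that padding may be absent.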
20 Multi-Vector Analysis of Operation Beebus Attack
Multi-vectored attack
Key attack characteristics: nation-state driven attack using multiple vectors and files in campaigns spread over 2 years; exploits known vulnerabilities in several Adobe products such as Reader and Flash Player; targeted attacks, each campaign trying to compromise a few specific individuals; encrypted callback communications to hide exfiltrated data
[Timeline of attack, Apr 2011 to Jan 2013, multiple vectors and campaigns against the defense industry, UAV/UAS manufacturers and the aerospace industry, delivered by SMTP / HTTP. Lure file names recovered from the slide: update.exe, UNKNOWN, RHT_SalaryGuide_2012.pdf, install_flash_player.tmp, Conflict-Minerals-Overview-for-KPMG.doc, dodd-frank-conflict-minerals.doc, Boeing_Current_Market_Outlook_…pdf, Understand your blood test report.pdf, sensor environments.doc, FY2013_Budget_Request.doc, Dept of Defense FY12 …Boeing.pdf, April is the Cruelest Month.pdf, National Human Rights…China.pdf, Security Predictions…2013.pdf, rundll32.exe, сообщить.doc, install_flash_player.ex, Global_A&D_outlook_2012.pdf. C&C server: worldnews.alldownloads.ftpserver.biz]
1 – Email/Web with weaponized malware (e.g. RHT_SalaryGuide_2012.pdf)
2 – Backdoor DLL dropped
3 – Encrypted callback over HTTP to C&C
The infection vector and the DLL search order hijacking used for persistence are as described on the previous slide.
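The DLL search order hijacking described for Operation Beebus (slide 19 and the diagram above), modelled as an added example that is not FireEye's code: a small resolver that applies the default Windows search order to a file-system snapshot and reports which file the loader would pick for a DLL requested by name, plus a check that flags DLLs resolving somewhere other than System32. The DISK snapshot, the KnownDLLs subset and the list of DLLs the executable loads are constructed for this example; a real check would walk the disk or a forensic image and read import tables instead.

```python
"""Which file does the Windows loader pick for a DLL requested by name?
A model of the default search order, used to check for the ntshrui.dll
planting described for Operation Beebus.

Added example, not FireEye's code. The DISK snapshot and the list of DLLs
the executable loads are constructed for the example; a real check would
walk the file system (or a forensic image) and read import tables instead.
"""
import ntpath

# Subset of HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
# (assumed for the example). KnownDLLs are mapped from System32 without any
# search, so planting a copy of them elsewhere achieves nothing; ntshrui.dll
# is not on the list, which is why it works as a hijack target.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}

# Constructed snapshot of the relevant files on an infected host.
DISK = {
    "C:\\Windows\\explorer.exe",
    "C:\\Windows\\System32\\ntshrui.dll",    # legitimate copy
    "C:\\Windows\\ntshrui.dll",              # dropped by the backdoor
    "C:\\Windows\\System32\\kernel32.dll",
    "C:\\Windows\\kernel32.dll",             # same trick, defeated by KnownDLLs
}
EXPLORER_LOADS = ["kernel32.dll", "ntshrui.dll"]   # assumed subset of what it loads


def search_order(exe_path, windows_dir, cwd, path_dirs):
    """Default order with SafeDllSearchMode enabled (the default since XP SP2)."""
    return [
        ntpath.dirname(exe_path),               # 1. application directory
        ntpath.join(windows_dir, "System32"),   # 2. system directory
        ntpath.join(windows_dir, "System"),     # 3. 16-bit system directory
        windows_dir,                            # 4. Windows directory
        cwd,                                    # 5. current directory
        *path_dirs,                             # 6. PATH entries
    ]


def resolve_dll(dll, exe_path, files, windows_dir="C:\\Windows",
                cwd="C:\\Users\\jdoe", path_dirs=(), known_dlls=KNOWN_DLLS):
    """Path the loader would use when exe_path loads `dll` by bare name, or None."""
    present = {f.lower() for f in files}
    if dll.lower() in known_dlls:
        return ntpath.join(windows_dir, "System32", dll)
    for directory in search_order(exe_path, windows_dir, cwd, path_dirs):
        candidate = ntpath.join(directory, dll)
        if candidate.lower() in present:
            return candidate
    return None


def hijack_candidates(exe_path, dll_names, files, windows_dir="C:\\Windows", **kw):
    """DLLs that would load from somewhere other than System32.

    Appropriate for executables under the Windows tree whose DLLs all live in
    System32; an application with its own private DLLs needs an allow-list."""
    findings = []
    for dll in dll_names:
        chosen = resolve_dll(dll, exe_path, files, windows_dir=windows_dir, **kw)
        expected = ntpath.join(windows_dir, "System32", dll)
        if chosen is not None and chosen.lower() != expected.lower():
            findings.append((dll, chosen))
    return findings


if __name__ == "__main__":
    for dll, path in hijack_candidates("C:\\Windows\\explorer.exe", EXPLORER_LOADS, DISK):
        print(f"{dll} would load from {path} instead of System32")
```

Two caveats carry over to a real hunt: DLL names are case-insensitive on Windows (hence the lower-casing), and an executable that calls LoadLibrary with a full path is not subject to the search at all, so only by-name loads are candidates.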
21 APT Protection Requirements
Multi-vector protection (web, email, file, mobile)
Address all stages of advanced attacks (inbound attacks, outbound callbacks, malware executable downloads)
Understand the full context of an attack using multi-flow analysis
Share threat data in real time locally and globally (Dynamic Threat Intelligence)
22 Summary
Today's new breed of attacks is more advanced and sophisticated
Affects all verticals and segments
Traditional defenses can't stop these attacks
A real-time, integrated, signature-less solution is required across the Web, email and file attack vectors
An integrated, cross-enterprise platform to stop today's new breed of cyber attacks
[Diagram: Complete Protection Against Today's New Breed of Cyber Attacks: Dynamic Threat Intelligence Cloud, Central Management System, Malware Analysis System, Web Malware Protection System, Email Malware Protection System, File Malware Protection System]
With the pace of today's new breed of cyber attacks accelerating, all verticals and all segments are affected. Because traditional defenses (NGFW, IPS, AV, and gateways) no longer stop these attacks, companies need a real-time, proactive, signature-less solution across Web, email and file shares. FireEye has engineered the most advanced threat protection to supplement traditional defenses and stop today's new breed of cyber attacks.