
Copyright (c) 2011, FireEye, Inc. All rights reserved. | CONFIDENTIAL 1 Next Generation Threat Protection Charles Wilkerson, Sr. Security Engineer


Slide 2: Introduction

"While traditional antivirus [vendors] may be able to spot and deflect many kinds of attacks, they're not well-equipped to handle targeted attacks. But there are technologies able to detect such attacks, if not entirely prevent them, Pescatore said, from the likes of vendors such as FireEye, not McAfee or Kaspersky."

"About every five years, we get in a phase when attacks get ahead of defenses, and we're in one now," said Pescatore.

Source: CIO Magazine, Aug. 23rd

Slide 3: The New Breed of Cyber Attacks

- The nature of threats is changing; today's attacks are sophisticated and successful.
- "Organizations face an evolving threat scenario that they are ill-prepared to deal with….threats that have bypassed their traditional security protection techniques and reside undetected on their systems." (Gartner)

[Chart: damage of attacks over time, from worms and viruses (disruption), through spyware and bots (cybercrime), to advanced persistent threats, zero-day targeted attacks, dynamic trojans and stealth bots (cyber-espionage and cybercrime)]

Slide 4: High Profile Attacks are Increasingly Common

[Image-only slide]

Slide 5: Numbers Show a Harsh Reality

- 2/3 of U.S. firms report that they have been the victim of cyber attacks
- 40% of all IT executives expect a major cybersecurity incident
- 115% CAGR in unique malware since
- ,000+ malicious websites identified per day
- Every second, 14 adults become victims of cyber crime
- 6.5x the number of cyber attacks since
- new vulnerabilities discovered each week

Slide 6: What's Changed?

The new threat landscape:
- Dynamic, polymorphic malware
- Coordinated, persistent threat actors
- Multi-vector attacks
- Multi-staged attacks

Slide 7: The New Threat Landscape

Advanced targeted attacks defined:

  Advanced targeted attack   | Traditional attack
  ---------------------------|---------------------
  Stealthy                   | Open
  Unknown and zero-day       | Known and patchable
  Targeted                   | Broad
  Persistent                 | One time

There is a new breed of attacks that are advanced, zero-day, and targeted.

IPS and AV signatures are bypassed by:
- Dynamic zero-day malware
- Targeted attacks
- Polymorphic malware

URL filtering and reputation are bypassed by:
- Dynamic, disposable, malicious domains
- Framed and deeply embedded content
- Compromised legitimate Web sites

Heuristics, correlation, and basic emulation techniques are bypassed by:
- Targeted attacks
- Zero-day vulnerability attacks

Slide 8: Commercial Tool Kits

[Image-only slide]

Slide 9: The Attack Life Cycle: Multiple Stages

1. Exploitation of the system (the victim is drawn to a compromised Web server or Web 2.0 site)
2. Malware executable download
3. Callbacks and control established with the callback server
4. Malware spreads laterally (File Share 1, File Share 2)
5. Data exfiltration

[Diagram: an IPS sits in line on the network path between the client and the Internet]

Slide 10: Traditional Defenses Don't Work

The new breed of attacks evades signature-based defenses:
- Firewalls / NGFW
- Secure Web gateways
- IPS
- Anti-spam gateways
- Desktop AV

Slide 11: A New Model is Required

  Legacy pattern-matching detection model | New virtual execution model
  ----------------------------------------|----------------------------
  Signature-based                         | Signature-less
  Reactive                                | Dynamic, real-time
  Only known threats                      | Known and unknown threats
  False positives                         | Minimal false positives

Slide 12: Malware Analysis

What types of malware analysis should you do?
- Static analysis: signatures, heuristics
- Dynamic analysis: discrete object analysis, contextual analysis

Slide 13: Building Blocks of the FireEye Platform

- Multi-Vector Virtual Execution engine
- Dynamic Threat Intelligence (enterprise)
- Dynamic Threat Intelligence (cloud)
- Technology interoperability

Slide 14: Multi-Flow Virtual Execution (MVX)

- Blocks inbound exploit attempts
- Blocks outbound C&C callbacks
- Dynamic Threat Intelligence uploaded to the FireEye cloud; zero-day DTI profile shared across the FireEye installation; hourly content updates
- Aggressive capture of suspicious traffic
- Purpose-built virtual execution: contextual detonation of malware in a virtual victim
- Visibility and forensics of the full attack life cycle
- Block inbound attacks and outbound callbacks to C2
- Crowd-sourced DTI for scalable, global protection

Slide 15: Advanced Malware Protection Architecture

[Diagram: anti-spam gateway, mail servers, File Share 1 and 2, LAN, IPS, firewall, Web MPS, Email MPS, File MPS, CMS, MAS, and Dynamic Threat Intelligence]

- Real-time Web, email, and file security to stop advanced targeted attacks
- Centralized management and reporting
- Augments the zero-day gaps that traditional security misses
- The FireEye platform shares DTI with 3rd-party products
- Automation ensures higher detection accuracy and low TCO
- Dynamic Threat Intelligence provides unique, zero-day intelligence

Slide 16: FireEye Platform: Extending DTI Closer to the Breach

[Diagram: SIA partner members in network monitoring and endpoint]

Slide 17: Council of Foreign Relations (CFR) Attack

Zero-day attack:
- Targets IE 8.0 browsers with OS language English, Chinese, Japanese, Korean, or Russian
- Delivered only once per user

Infection vector: drive-by downloads targeting visitors to the CFR site; exploits a vulnerability in Internet Explorer 8.0.

CFR is influential in US foreign policy decisions:
- Accessed by high-ranking government officials, including former presidents, secretaries of state, ambassadors, and leaders of industry

Perpetrated by nation-state actors:
- The goal seems to be to gather business and/or military intelligence

Slide 18: Multi-Flow Analysis of Council of Foreign Relations Attack

CFR is an independent, nonpartisan membership organization, think tank, and publisher: influential in US foreign policy decisions, with preeminent personalities and corporations as members; develops foreign policy leaders; accessed by lawmakers and government officials.

Attack flow (client PC, compromised domain, exploit file, backdoor, C&C server):
1. User visits the compromised or tainted website over HTTP
2. JavaScript in the compromised page checks the infection criteria (browser version, country, first visit)
3. Exploit code for IE8 is downloaded after the checks pass
4. Backdoor is downloaded with the exploit, XOR-encoded with key 0x83
5. Backdoor is decoded on the client machine
6. Infected client connects to the C&C server (dynamic DNS: provide.yourtrap.com) using custom tools
7. Infected client infects other devices on the network (lateral spread)

Timeline:
- Dec: FireEye DTI recorded malicious content
- Dec: First instance of the attack reported
- Dec: Microsoft advisory published
- Dec: Microsoft MSHTML workaround
- Jan: Microsoft security bulletin released
The interval from the first recorded content to the security bulletin is the open window of attack.

Exploit detection is critical: the following phases of the attack can be hidden or obfuscated.
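The slide's point that later phases are obfuscated is why an analyst pulling the backdoor out of the captured HTTP flow (step 4) has to undo the encoding before any static or signature check can see it. The script below is an added example written for this page; it is not FireEye code and not the real CFR backdoor. The only attack-specific value taken from the slide is the XOR key 0x83; the payload bytes are constructed stand-ins so the script runs offline, and the two recovery methods (known 'MZ' header, then byte-frequency fallback) are general single-byte XOR techniques rather than anything the deck describes.

```python
"""Single-byte XOR payload recovery for a dropped backdoor like the CFR case.

Added example for this page, not FireEye code. The key 0x83 is from the slide;
FAKE_BACKDOOR below is a constructed stand-in, not the real payload.
"""
from collections import Counter
from typing import Optional

CFR_XOR_KEY = 0x83  # stated on the slide; everything else here is illustrative


def xor_decode(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key. XOR is its own inverse, so this
    both encodes and decodes."""
    return bytes(b ^ key for b in data)


def recover_key_by_header(blob: bytes, expected_prefix: bytes = b"MZ") -> Optional[int]:
    """Known-plaintext recovery: a dropped Windows executable starts with 'MZ',
    so try all 256 keys and keep the one that yields that prefix.
    Returns None when no key works (e.g. header stripped or not a PE)."""
    if len(blob) < len(expected_prefix):
        return None
    for key in range(256):
        if xor_decode(blob[: len(expected_prefix)], key) == expected_prefix:
            return key
    return None


def guess_key_by_frequency(blob: bytes) -> int:
    """Frequency heuristic: PE images are dominated by 0x00 padding and
    0x00 ^ key == key, so the most common byte of the encoded blob is
    usually the key. Works even when the 'MZ' header has been cut off."""
    return Counter(blob).most_common(1)[0][0]


def analyze_blob(blob: bytes) -> dict:
    """Recover the key (header method first, frequency fallback), decode the
    blob, and report whether the result looks like a PE file."""
    key = recover_key_by_header(blob)
    method = "known-header"
    if key is None:
        key = guess_key_by_frequency(blob)
        method = "frequency"
    decoded = xor_decode(blob, key)
    return {
        "key": key,
        "method": method,
        "looks_like_pe": decoded.startswith(b"MZ"),
        "decoded": decoded,
    }


# Constructed stand-in for the dropped backdoor: DOS header bytes, zero
# padding and the familiar stub string. Not the real CFR payload.
FAKE_BACKDOOR = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    + b"\x00" * 16
    + b"This program cannot be run in DOS mode."
)
# What a capture of the step-4 download would carry on the wire.
ENCODED_BLOB = xor_decode(FAKE_BACKDOOR, CFR_XOR_KEY)

if __name__ == "__main__":
    result = analyze_blob(ENCODED_BLOB)
    print(f"key=0x{result['key']:02x} via {result['method']}, pe={result['looks_like_pe']}")
    # With the header stripped, the frequency heuristic still finds the key.
    headless = analyze_blob(ENCODED_BLOB[2:])
    print(f"headless: key=0x{headless['key']:02x} via {headless['method']}")
```

The header method is exact but fails the moment the dropper trims or rewrites the first bytes; the frequency method survives that but can mis-guess on small or unusually dense blobs, so the script prefers the exact check and falls back only when it fails.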

Slide 19: Operation Beebus Attack

APT campaign targeting the aerospace and defense industry in waves:
- No pattern to the attacks
- Multiple weaponized emails on some days; a single targeted email on others

- Infection vector: email and drive-by downloads
- Exploits common vulnerabilities in PDF and DOC files
- Familiar document names used in the attack
- Encrypted communications with the C&C server
- Backdoor contains modules to download and execute additional payloads and updates

Potentially the same nation-state actors that breached RSA:
- Same server domain seen in callbacks
- Known to be behind information stealing from at least 70 organizations

Slide 20: Multi-Vector Analysis of Operation Beebus Attack

Timeline of attack (multiple vectors, multiple campaigns): Apr 2011, Sept 2011, Dec 2011, Feb 2012, Mar 2012, Apr 2012, May 2012, Jul 2012, Aug 2012, Sept 2012, Nov 2012, Jan 2013.

Lure files and droppers seen across the campaigns (the slide pairs each with a date that did not survive transcription):
- update.exe
- UNKNOWN
- RHT_SalaryGuide_2012.pdf
- install_flash_player.tmp2
- Conflict-Minerals-Overview-for-KPMG.doc
- dodd-frank-conflict-minerals.doc
- Boeing_Current_Market_Outlook_…pdf
- Understand your blood test report.pdf
- sensor environments.doc
- FY2013_Budget_Request.doc
- Dept of Defense FY12 …Boeing.pdf
- April is the Cruelest Month.pdf
- National Human Rights…China.pdf
- Security Predictions…2013.pdf
- rundll32.exe
- сообщить.doc
- install_flash_player.ex
- Global_A&D_outlook_2012.pdf

Targets: defense industry, UAV/UAS manufacturers, aerospace industry.

Attack flow (example weaponized email: RHT_SalaryGuide_2012.pdf):
1. Email/Web delivery (SMTP / HTTP) with weaponized malware
2. Backdoor DLL dropped
3. Encrypted callback over HTTP to the C&C server (worldnews.alldownloads.ftpserver.biz)

Key attack characteristics:
1. Nation-state-driven attack using multiple vectors and files in campaigns spread over 2 years
2. Exploits known vulnerabilities in several Adobe products such as Reader and Flash Player
3. Targeted attacks: each campaign tried to compromise a few specific individuals
4. Encrypted callback communications to hide exfiltrated data

Slide 21: APT Protection Requirements

1. Multi-vector protection (Web, email, file, mobile)
2. Address all stages of advanced attacks (inbound attacks, outbound callbacks, malware executable downloads)
3. Understand the full context of an attack using multi-flow analysis
4. Share threat data in real time, locally and globally (Dynamic Threat Intelligence)

Slide 22: Summary

- Today's new breed of attacks is more advanced and sophisticated
- Affects all verticals and segments
- Traditional defenses can't stop these attacks
- A real-time, integrated, signature-less solution is required across the Web, email and file attack vectors
- An integrated, cross-enterprise platform to stop today's new breed of cyber attacks

Complete protection against today's new breed of cyber attacks: Web Malware Protection System, Email Malware Protection System, File Malware Protection System.

Slide 23: GuidePoint Security: Uniquely Positioned

- Boutique shops: highly technical consultants; security R&D
- Consulting firms: professional consultants; broad client experience
- System integrators: comprehensive solutions; extensive program knowledge; partnering/teaming; small business (BPA/IDIQ)
- Value-added resellers: vendor agnostic; experienced engineers

Slide 24: Technology Integration Services

- Architecture and design: security architecture review; target architecture design; technology implementation architecture
- Technology implementation: rack and stack; configuration and hardening; functionality, regression and performance testing; technology support
- Optimization: security technology review; consolidation assessment; technology optimization

Slide 25: Information Assurance Services

- Security program strategy: security program review / implementation; cloud migration strategy; trusted advisory services; incident response / forensics; security policy and standards
- Security assessments: application penetration testing; perimeter security assessment; cloud security assessments; security code reviews; social engineering
- Compliance services: PCI DSS compliance program management; PCI DSS QSA assessment services; HIPAA / HITECH compliance; ISO compliance
- Third-party management: third-party management program design; third-party assessments

Slide 26: Thank You

