
Next Generation Threat Protection




1 Next Generation Threat Protection
Charles Wilkerson, Sr. Security Engineer

2 Introduction
"While traditional antivirus [vendors] may be able to spot and deflect many kinds of attacks, they're not well-equipped to handle targeted attacks. But there are technologies able to detect such attacks, if not entirely prevent them, Pescatore said, from the likes of vendors such as FireEye, not McAfee or Kaspersky." "About every five years, we get in a phase when attacks get ahead of defenses, and we're in one now," said Pescatore. Source: CIO Magazine, Aug. 23rd

3 The New Breed of Cyber Attacks
[Chart: damage of attacks over 2005, 2007, 2009, 2011, 2013, from viruses and worms (disruption) through spyware/bots and cybercrime to today's cyber-espionage: advanced persistent threats, zero-day targeted attacks, dynamic trojans, stealth bots]
Nature of threats changing: today's attacks are sophisticated and successful.
STAT: The pace of attacks is way up: 10x from 2007 and 5x from 2009 (both according to Intel's threat data reports). And the nature of these attacks has changed from broad, scattershot attacks to very targeted attacks with persistent adversaries (oftentimes nation-states). GARTNER is re-affirming the fact that today's new breed of cyber attacks has evolved to a point that has bypassed the capabilities of traditional tools. (TRANSITION: Let's take a look at some of these high-profile victims.)
"Organizations face an evolving threat scenario that they are ill-prepared to deal with... threats that have bypassed their traditional security protection techniques and reside undetected on their systems." Gartner, 2012

4 High Profile Attacks are Increasingly Common
Ever since the Operation Aurora attack 5 years ago, the game has changed – state agencies, hacktivists and organized crime (frequently collaborating on attacks) have upped the ante. Daily headlines now show that zero-day attacks have become the norm. Traditional security methods such as firewalls, IPS, host antivirus and Web filtering are in place at most organizations, yet these threats continue to penetrate them. Data breaches are increasingly common due to flaws in common applications and plug-ins like Adobe Reader and Java, and to browser exploits. Persistent threats are commercial-grade and virtual-machine aware. In November of 2012, VMware realized that their source code had been leaked for over 7 years! It's no wonder that the 'add-on generic sandboxes' recently adopted by vendors are ineffective, since most use VMware ESX-based inspection. Attacking at will, attackers are now commonly breaching organizations that are large, small, local, global, public and private.

5 Numbers Show a Harsh Reality
[Slide statistics: 2/3 of U.S. firms report that they have been the victim of cyber attacks; every second, 14 adults become a victim of cyber crime; 40% of all IT executives expect a major cybersecurity incident; number of cyber attacks since 2006: 6.5x; unique malware since 2009: 115% CAGR; the figures 95 and 9,000+ are shown against the captions "malicious websites identified per day" and "new vulnerabilities discovered each week"]
Beyond the headlines, there are a range of attacks that very commonly penetrate defenses. Well-known brands get the publicity, but for every one we hear about there are thousands that are not mentioned, below the surface. This is due to the sophistication of attacks.

6 New Threat Landscape: What's Changed?
Dynamic, polymorphic malware; coordinated persistent threat actors; multi-vector attacks; multi-staged attacks
Malware became known to many computer users through widespread infections caused by Melissa (in 1999) and LoveLetter (in 2000). Both were email-based, and LoveLetter spread via an infected attachment. When the attachment was opened, the malware overwrote a variety of different types of files on the user's PC and emailed itself to others in the user's address book. LoveLetter quickly became the most costly incident of its kind to that point in time. Despite the damage that Melissa and LoveLetter caused, it could be argued that they had three positive effects: they caused computer malware to come under increasing scrutiny; they increased social awareness about computer malware (through peer pressure from many upset message recipients); and they underscored the importance of backups (because LoveLetter overwrote files which were lost if backups were not available). As more software developers create less vulnerable solutions, malicious outsiders need to develop more sophisticated programs capable of detecting and exploiting weaknesses. This has led to the evolution of socially engineered attacks that lure users with infected advertisements, attachments and the like, Dark Reading reported. "I think some people get lulled into a false sense of security by having antivirus software," McKenney said. "The truth is hackers can get around antivirus software pretty easily if you don't have all your programs updated with the latest security patches. It's like building a fence and leaving your gate wide open."
The Definition of APT: "Advanced" means it gets through your existing defenses. "Persistent" means it succeeds in hiding from your existing level of detection. "Threat" means it causes you harm.
We think the targeted aspect is more important to focus on and, for the purposes of this research, will use the term "advanced targeted threat." The reality is that the most important issues are the vulnerabilities.
Contextual analysis of the overall attack is critical to understand that an attack has commenced, that the attack is active, and what is transpiring (data theft, lateral spread in the network, deep system compromise, etc.). FireEye uses multi-flow analysis to understand the full context of an APT attack. Stateful attack analysis enables customers to address each stage of an attack and mitigate damages. Point products see only a single attack flow, thereby missing the full attack view and lifecycle, but the APT attack continues by using other vectors or re-visiting an attack stage.

7 Advanced Targeted Attacks Defined
The New Threat Landscape: there is a new breed of attacks that are advanced, zero-day, and targeted.
TRADITIONAL vs ADVANCED: open vs stealthy; known and patchable vs unknown and zero-day; broad vs targeted; one time vs persistent.
IPS and AV signatures bypassed by: dynamic zero-day malware; targeted attacks; polymorphic malware.
URL filtering & reputation bypassed by: dynamic, disposable, malicious domains; framed and deeply embedded content; compromised legitimate Web sites.
Heuristics, correlation, & basic emulation techniques bypassed by: targeted attacks; zero-day vulnerability attacks.
Advanced Targeted Attack: Cyber criminals have figured out how to evade detection by traditional defenses, using toolkits to design polymorphic threats that change with every use, move slowly, and exploit zero-day vulnerabilities – holes left open by traditional and next-generation firewalls, IPS, anti-virus and Web gateways. This new generation of organized cybercrime is persistent, capitalizing on organizational data available on social networking sites to create very targeted 'phishing' emails and malware aimed at the types of applications and operating systems (with all their vulnerabilities) typical in particular industries. Advanced targeted attacks use advanced malware, zero-day and APT tactics to penetrate networks for the purpose of control, espionage and theft. Advanced malware uses a variety of tactics like zero-day exploits and dynamism (e.g. fast-flux DNS, polymorphism), and is often targeted / personalized. We are now in the age of the "Cyber Industrial Complex" in which criminals have commercial-quality toolkits to build the cyber weapons (malware) so effective at penetrating networks. Many in the IT security industry call these cyber criminal actors Advanced Persistent Threats. TRANSITION: Why are advanced targeted attacks so effective?

8 Commercial Tool Kits
Cybercriminals are always looking for easier ways to accomplish their goal of making money. One of the tools that has been most successful for them over the past few years has been web exploit toolkits. These toolkits consist of a number of exploits, a control panel to configure various aspects of the kit (what exploits to use, IP addresses to blacklist, how to view statistics, etc.), and also configuration for the backend database where all the information is stored. Installation guidance via text file is often included, and many kits utilize web-based install processes. Kits can cost anywhere from free to thousands of dollars.

9 The Attack Life Cycle – Multiple Stages
[Diagram: compromised Web server or Web 2.0 site, callback server, IPS, file shares 1 and 2; numbered stages: 1 exploitation of system, 2 malware executable download, 3 callbacks and control established, 4 data exfiltration, 5 malware spreads laterally]
The Cyber Attack Lifecycle:
Stage 1: System exploitation. They start out initially by attempting to exploit your system using "drive-by attacks" in casual browsing. The attack may be delivered via the Web or email, with the email containing malicious URLs, for example. It's a blended attack across Web and email threat vectors to set up the first stage, system exploitation.
Stage 2: Binary payloads are downloaded. With exploitation successful, more malware binaries are downloaded, such as key loggers, Trojan backdoors, password crackers, and file grabbers. Just one exploit translates into dozens of infections on the same system.
Stage 3: Malware calls back and control is established. Once the malware installs, they have cracked the first step to establishing a control point from within your defenses. The malware, once in place, calls out to criminal servers for further instructions. It can also replicate itself and disguise itself to avoid scans. Some will turn off antivirus scanners, reinstall missing components after a cleaning, or lie dormant for days or weeks. By using callbacks from within the trusted network, malware communications are allowed right through the firewall. It will go through all the different layers of the network. At this point, the criminals have built long-term control mechanisms into the system.
Stage 4: Data exfiltration. Next, data acquired from infected servers is staged for exfiltration. The data is exfiltrated over any commonly allowed protocol, like FTP or HTTP, to an external server controlled by the criminal, say at a hosting provider.
Stage 5: Malware spreads laterally. The criminal works to move beyond the single system and establish long-term control in the network. The advanced malware looks for mapped drives on infected laptops and desktops, and then it will spread laterally deeper into network file shares, for example. It will conduct reconnaissance and map out network infrastructure, determine key assets, and establish a network foothold on target servers.

10 Traditional Defenses Don’t Work
The new breed of attacks evades signature-based defenses.
[Diagram: THREAT passing firewalls/NGFW, IPS, secure Web gateways, anti-spam gateways and desktop AV]
And what do they all have in common? The attacks are targeted, persistent and unknown, enabling them to evade traditional signature-based defenses. Traditional or next-generation firewalls, IPS, gateways or AV: it doesn't matter. They are all completely defenseless in the face of these new attacks. As a result, traditional defenses are ineffective against today's advanced targeted attacks. Signatures represent a reactive mechanism against known threats. However, if attacks remain below the radar, the malware is completely missed, and the network remains vulnerable, especially to zero-day, targeted APT malware. No matter how malicious the code is, if signature-based tools haven't seen it before, they let it through. For example, consider the time lag in signature development due to the need for vulnerability disclosure and/or the mass spread of an attack to catch the attention of researchers. Advanced attacks bypass heuristics-based technologies in existing IT security defenses as well. Heuristic-based protection alone has not proven to be operationally effective: it uses rough algorithms to estimate suspicious behavior, generating lots of false alerts. While these heuristic techniques have merit, the true-positive to false-positive ratio (a.k.a. signal-to-noise ratio) is too low for a cost-effective ROI. The false positives clutter up security event logs, and real-time blocking based on these heuristic alerts is simply not an option. Administrators often "dumb down" available heuristics to catch only the most obvious suspicious behavior. Multi-stage targeted attacks don't trip this coarse-grained filter.

11 A New Model is Required
Legacy Pattern-Matching Detection Model (MATCH): signature-based; reactive; only known threats; false positives.
New Virtual Execution Model: signature-less; dynamic, real-time; known/unknown threats; minimal false positives.
A typical attack follows a cycle of a) exploit, b) callback, c) malware download, and d) data exfiltration. Exploit detection is critical to catching the next generation threats since the following phases can be hidden or obfuscated. File-level analysis focuses on the downloaded files and hence may miss the exploit phase of detection, thereby resulting in false negatives. The FireEye MVX technology monitors the attack lifecycle through the various stages and has the ability to catch exploits even when the ensuing file download occurs over encrypted channels.
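The point of multi-flow analysis, here and in the attack lifecycle on slide 9, is that the exploit, download, callback and exfiltration are separate flows that a point product sees one at a time, while the compromise is only visible when they are stitched together per host. As an added example that is not part of the original presentation or any FireEye product, the Python below correlates constructed alerts from hypothetical sensors (ids, proxy, fw) by source host, checks that the stages were first seen in lifecycle order, and flags callback series whose timing is nearly periodic (beaconing). The log format, sensor names, addresses and domain are assumptions made up for this example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Lifecycle stages in the order the slide describes them.
STAGES = ["exploit", "download", "callback", "exfiltration"]

# Constructed sample alerts (assumed format; hosts, IPs and domain are made up).
SAMPLE_ALERTS = """\
2013-01-07T10:01:03Z ids   src=10.0.0.21 dst=203.0.113.5  stage=exploit      sig=IE8_HEAPSPRAY_JS
2013-01-07T10:01:09Z proxy src=10.0.0.21 dst=203.0.113.5  stage=download     uri=/img/update.tmp
2013-01-07T10:02:30Z proxy src=10.0.0.21 dst=198.51.100.9 stage=callback     host=provide.example.invalid
2013-01-07T10:07:31Z proxy src=10.0.0.21 dst=198.51.100.9 stage=callback     host=provide.example.invalid
2013-01-07T10:12:29Z proxy src=10.0.0.21 dst=198.51.100.9 stage=callback     host=provide.example.invalid
2013-01-07T10:40:00Z fw    src=10.0.0.21 dst=198.51.100.9 stage=exfiltration bytes_out=48211233
2013-01-07T10:03:00Z proxy src=10.0.0.45 dst=203.0.113.5  stage=download     uri=/img/update.tmp
2013-01-07T11:00:00Z ids   src=10.0.0.77 dst=203.0.113.8  stage=exploit      sig=PDF_JS_SUSPECT
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<sensor>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+stage=(?P<stage>\S+)"
)


def parse_alert(line: str):
    """Parse one alert line of the assumed format; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["ts"] = datetime.strptime(alert["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return alert


def is_beaconing(times, min_count: int = 3, max_jitter: float = 0.2) -> bool:
    """True when at least min_count callbacks have near-constant gaps
    (every gap within max_jitter of the mean gap)."""
    if len(times) < min_count:
        return False
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return False
    return max(abs(g - mean) for g in gaps) / mean <= max_jitter


def correlate(alert_text: str) -> dict:
    """Group alerts by source host and summarise which lifecycle stages were seen,
    whether their first occurrences follow lifecycle order, and whether the
    callbacks look like beaconing."""
    per_host = defaultdict(lambda: defaultdict(list))
    for line in alert_text.splitlines():
        alert = parse_alert(line)
        if alert and alert["stage"] in STAGES:
            per_host[alert["src"]][alert["stage"]].append(alert["ts"])
    report = {}
    for host, stages in per_host.items():
        seen = [s for s in STAGES if s in stages]
        firsts = [min(stages[s]) for s in seen]
        report[host] = {
            "stages": seen,
            "in_order": all(a <= b for a, b in zip(firsts, firsts[1:])),
            "beaconing": is_beaconing(stages.get("callback", [])),
        }
    return report


def verdict(host_report: dict) -> str:
    """Turn the per-host summary into a triage label."""
    n = len(host_report["stages"])
    if n >= 3 and host_report["in_order"]:
        return "multi-stage compromise"
    if n == 2 or host_report["beaconing"]:
        return "suspicious, needs validation"
    return "single-flow alert"


if __name__ == "__main__":
    for host, summary in correlate(SAMPLE_ALERTS).items():
        print(host, summary["stages"], "beaconing" if summary["beaconing"] else "", "->", verdict(summary))
```

The single-flow hosts (10.0.0.45 saw only a download, 10.0.0.77 only an exploit attempt) are exactly the alerts a point product would raise on their own; the correlation is what separates them from 10.0.0.21, where all four stages occur in order and the callbacks recur every five minutes.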

12 Malware Analysis
What types of Malware Analysis should you do?
Malware Analysis: Static Analysis (signature, heuristics); Dynamic Analysis (discrete object analysis, contextual analysis)
Malware analysis is the art of dissecting malware to understand how it works, how to identify it, and how to defeat or eliminate it. And you don't need to be an uber-hacker to perform malware analysis. Most often, when performing malware analysis, you'll have only the malware executable, which won't be human-readable. In order to make sense of it, you'll use a variety of tools and tricks, each revealing a small amount of information. You'll need to use a variety of tools in order to see the full picture. There are two fundamental approaches to malware analysis: static and dynamic. Static analysis involves examining the malware without running it. Dynamic analysis involves running the malware. Both techniques are further categorized as basic or advanced.
Basic Static Analysis: Basic static analysis consists of examining the executable file without viewing the actual instructions. Basic static analysis can confirm whether a file is malicious, provide information about its functionality, and sometimes provide information that will allow you to produce simple network signatures. Basic static analysis is straightforward and can be quick, but it's largely ineffective against sophisticated malware, and it can miss important behaviors.
Basic Dynamic Analysis: Basic dynamic analysis techniques involve running the malware and observing its behavior on the system in order to remove the infection, produce effective signatures, or both. However, before you can run malware safely, you must set up an environment that will allow you to study the running malware without risk of damage to your system or network.
Like basic static analysis techniques, basic dynamic analysis techniques can be used by most people without deep programming knowledge, but they won’t be effective with all malware and can miss important functionality.
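Basic static analysis as described above (examine the file without running it: hash it, confirm the file type from its headers, pull printable strings and any network indicators that could seed a simple signature) is shown below as an added Python example that is not from the original presentation. The sample is a constructed PE-like byte blob, not a real executable, and the list of imports treated as suspicious is an assumption for the example.

```python
import hashlib
import re
import struct

# Assumed watch-list of APIs commonly seen in injectors/downloaders (example only).
SUSPICIOUS_IMPORTS = {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx",
                      "URLDownloadToFileA", "WinExec"}
URL_RE = re.compile(r"https?://[\w.\-]+(?:/[\w.\-/?=&]*)?")


def build_sample() -> bytes:
    """Constructed PE-like blob: DOS header with e_lfanew, PE signature, machine
    field and a few embedded strings. It is not a real or runnable executable."""
    blob = bytearray(b"MZ" + b"\x00" * 58)             # 60 bytes; e_lfanew sits at 0x3c
    blob += struct.pack("<I", 0x40)                    # e_lfanew: PE header at 0x40
    blob += b"PE\x00\x00" + struct.pack("<H", 0x14C)   # signature + IMAGE_FILE_MACHINE_I386
    blob += b"\x00" * 18                               # remainder of IMAGE_FILE_HEADER
    blob += b"kernel32.dll\x00CreateRemoteThread\x00WriteProcessMemory\x00"
    blob += b"http://callback.example.invalid/check.php\x00"   # constructed indicator
    blob += b"\x83\x91\x07\x11ab\x00"                  # binary filler, below string length
    return bytes(blob)


def file_hashes(data: bytes) -> dict:
    """Hashes are the first thing shared with other tools and threat feeds."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def pe_info(data: bytes) -> dict:
    """Confirm file type from headers alone: 'MZ' at 0, e_lfanew at 0x3c and
    'PE\\0\\0' at that offset, then read the machine field."""
    info = {"is_pe": False, "e_lfanew": None, "machine": None}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    info["e_lfanew"] = e_lfanew
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return info
    info["is_pe"] = True
    info["machine"] = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    return info


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Printable ASCII runs of at least min_len bytes, like the strings utility."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def network_indicators(strings) -> list:
    """URLs embedded in the binary: candidates for a simple network signature."""
    return [m.group() for s in strings for m in URL_RE.finditer(s)]


def triage(data: bytes) -> dict:
    strings = extract_strings(data)
    return {
        "hashes": file_hashes(data),
        "pe": pe_info(data),
        "suspicious_imports": sorted(SUSPICIOUS_IMPORTS.intersection(strings)),
        "network": network_indicators(strings),
    }


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(key, value)
```

This is the level of result basic static analysis gives: enough to confirm the file is a PE, share its hashes and block the embedded callback URL, but nothing about what the code does once it runs, which is where the paragraph above points to dynamic analysis.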

13 Building Blocks of the FireEye Platform
[Diagram: Multi-Vector Virtual Execution engine; Dynamic Threat Intelligence (ENTERPRISE); Dynamic Threat Intelligence (CLOUD); Technology Interoperability]
The FireEye threat protection platform defeats today's cyber attacks that aggressively evade signature-based defenses and compromise the majority of today's networks. The unique FireEye platform is based on:
1. The FireEye Multi-Vector Virtual Execution™ (MVX) engine, which detects today's new breed of cyber attacks
2. The FireEye Dynamic Threat Intelligence™ Cloud, which shares anonymized threat intelligence from MVX analysis
3. Security interoperability with a broad ecosystem of partners using standards-based malware metadata and FireEye APIs

14 Multi-Flow Virtual Execution (MVX)
[Diagram: aggressive capture of suspicious traffic; purpose-built virtual execution; contextual detonation of malware in a virtual victim; visibility & forensics of the full attack lifecycle; block inbound attack and outbound callbacks to C2; zero-day DTI profile shared across the FireEye installation; Dynamic Threat Intelligence uploaded to the FireEye Cloud; crowd-sourced DTI for scalable, global protection; hourly content updates]
(Recommended to have an SE cover this slide)
Traditional security such as firewalls, IPS, host AV, proxies and email gateways use signatures, lists and rules, which require some prior knowledge of the threat.
Phase 1: The FireEye WebMPS appliance will also be able to identify known targeted and opportunistic attacks if they match our Attack Profiles. Attack Profiles may match inbound exploits or outbound C&C communication. However, unknown, zero-day, targeted attacks won't be detected this way since they are highly custom. Aggressive Capture is used for identifying suspicious traffic. Because no action is taken in Phase 1, you don't experience the high false positive rates of IPS, while uncovering the false negatives that traditional security is missing. The suspicious captures are moved to Phase 2.
Phase 2: The captures of your real user traffic, from your real network, are REPLAYED IN VIRTUAL EXECUTION. Unlike generic sandboxes, FireEye uses a purpose-built hypervisor built to evade AV-aware malware, and built for speed: up to 32 virtual victims, a 300 microsecond VM instantiation rate, and more. Your PCs' user-agent data is profiled to match our preloaded guest images, providing detection and context. REPLAY IN VIRTUAL EXECUTION provides visibility into the entire attack lifecycle. This automated validation phase ensures near-zero false positive rates, and uncovers what other security layers are missing. This side-by-side analysis of the "Patient Zero" machine's traffic doesn't cause latency, but does create an Attack Profile from the combined static and dynamic analysis.
Phase 3: This Dynamic Threat Intelligence is updated in the local appliance, as well as EVERY OTHER FireEye appliance in your local network. This stops the attack in its tracks: no additional hosts can be exploited by the inbound attack. WebMPS will also block all C&C communication from the "Patient Zero" machine, while allowing legitimate requests to continue. The DTI is then uploaded to the FireEye Cloud, where it is crowd-sourced with the entire FireEye community's DTI. TRANSITION: (MOVE TO NEXT SLIDE)
Blocks inbound exploit attempts. Blocks outbound C&C callbacks.

15 Advanced Malware Protection Architecture
Real-time Web, email, & file security to stop advanced targeted attacks. Centralized management and reporting. Augments the zero-day gaps traditional security misses. FireEye Platform shares DTI with 3rd party products. Automation ensures higher detection accuracy & low TCO. Dynamic Threat Intelligence provides unique, zero-day intelligence.
[Diagram: Dynamic Threat Intelligence; firewall; anti-spam; IPS; CMS; Web MPS; Email MPS; File MPS; MAS; LAN; mail servers; file shares 1 and 2]
Typically during a POC, and in production, FireEye appliances deploy as follows:
Web – Typically the WebMPS appliance deploys on your "Core" network (not "Access" or "Distribution" networks), inside the firewall, in front of your corporate users. That typically means desktops, but may also include servers, etc. depending on your network. We can deploy both inline ("L2 Bridge") and off a SPAN/tap port; the latter is how we typically run POCs.
Email – Typically Email MPS is deployed to filter inbound mail, AFTER the spam/hygiene layer and BEFORE your MTAs (Exchange, etc.). Email MPS is your "Last Line of Defense".
CMS – Valuable in centralizing alerts, correlating the entire blended attack lifecycle, content updates and centralizing patch management.
Malware Analysis System (MAS) – MAS is used by customers who want additional forensics on attacks forwarded by WebMPS. It allows for customization of guest images, time, "Live" mode and unattended mode. Unattended mode is also used by those responsible for reimaging infected machines: MAS ensures that backed-up files are clean before restoring them to reimaged desktops.
FileMPS – Can run different types of scan jobs through network-based scans of CIFS file shares. If you require a "FireEye Only" solution for validation and remediation in addition to detection, FileMPS can be used to scan suspected machines, identify the main malware binaries, and remediate them through quarantine, with quarantine management in the FileMPS UI.

16 FireEye Platform – Extending DTI Closer to the Breach
[Diagram: FireEye Platform at the center; network monitoring; endpoint; SIA partner members]
FIREEYE PLATFORM: As touched on before, FireEye typically sits at the center of our customers' security architecture. Their FireEye appliances uncover the time-sensitive, highly valuable zero-day, targeted threat, and then feed that information to your other systems. With over 25 Technology Alliance Partners and rapidly growing, the FireEye Platform allows local integration with your existing security investment. A few example use cases:
AV – FireEye MPS identifies a targeted attack and creates zero-day malware signatures as part of the local Attack Profile. This DTI is shared with your local McAfee, Symantec, or other antivirus server. These zero-day signatures supplement the known signatures your AV company provides. This allows (ideally) automated validation and remediation using tools you're already familiar with, requiring little to no learning curve. Note: may require professional services.
NAC – FireEye MPS can identify an infected host, either by dynamically identifying the inbound exploit or the C&C communication, and feed the infected host's IP address to a NAC product, or to a switch directly. This allows the infected machine to be moved off the access VLAN to an isolation VLAN where it can neither exfiltrate sensitive data nor spread laterally.
Gateway – FireEye MPS can identify the C&C architecture and feed proxies and firewalls the destination IP addresses to ensure the infected host doesn't communicate out, as well as protection for the broader network.
Data – FireEye MPS can identify an infected host and send the infected host's IP to Imperva SecureSphere. Imperva would ensure that the data policy changes, so the user who normally has access to sensitive data no longer does from an infected host.
SIEM – FireEye integrates with all the major security information and event management products: ArcSight/HP, Q1Labs/IBM, LogRhythm, Splunk, RSA natively, as well as others through JSON, Syslog or XML based integration.
Consultancies – FireEye MPS products are used by many consultancies such as Dell SecureWorks and many others.

17 Council on Foreign Relations (CFR) Attack
Zero-day attack: targets IE 8.0 browsers with OS language English, Chinese, Japanese, Korean, or Russian; delivered only once per user
Infection vector: drive-by downloads targeting visitors to
Exploits vulnerability in Internet Explorer 8.0
CFR influential in US foreign policy decisions; accessed by high ranking government officials, including former presidents, secretaries of state, ambassadors, and leaders of industry
Perpetrated by nation state actors; goal seems to be to gather business and/or military intelligence
On December 27, we received reports that the Council on Foreign Relations (CFR) website was compromised and hosting malicious content on or around 2:00 PM EST on Wednesday, December 26. Through our Malware Protection Cloud, we can confirm that the website was compromised at that time, but we can also confirm that the CFR website was also hosting the malicious content as early as Friday, December 21, right before a major U.S. holiday. We can also confirm that the malicious content hosted on the website does appear to use Adobe Flash to generate a heap spray attack against Internet Explorer version 8.0 (fully patched), which was the source of the zero-day vulnerability. We have chosen not to release the technical details of this exploit, as Microsoft is still investigating the vulnerability at this time. In the meantime, the initial JavaScript hosting the exploit has some interesting features. To start, it appears the JavaScript only served the exploit to browsers whose operating system language was either English (U.S.), Chinese (China), Chinese (Taiwan), Japanese, Korean, or Russian:

18 Multi-Flow Analysis of Council on Foreign Relations Attack
[Diagram: client PC over HTTP to the compromised domain; JavaScript in the compromised page checks browser version, country, first visit; exploit for IE8; exploit file XOR (0x83); backdoor; C&C callback to C&C server (dynamic DNS: provide.yourtrap.com); lateral spread]
[Timeline, Dec to Jan 7: FireEye DTI recorded malicious content; first instance of attack reported; Microsoft advisory published; Microsoft MSHTML workaround; open window of attack; Jan 7: Microsoft security bulletin released]
Custom tools. Exploit detection is critical: the following phases of the attack can be hidden or obfuscated.
Council on Foreign Relations: independent, nonpartisan membership organization, think tank, and publisher; influential in US foreign policy decisions; preeminent personalities and corporations as members; develops foreign policy leaders; accessed by lawmakers, govt. officials.
1 – User visits compromised or tainted website
2 – JavaScript in page checks infection criteria
3 – Exploit code downloaded after checks
4 – Backdoor downloaded with exploit
5 – Backdoor decoded on client machine
6 – Infected client connects with C&C server
7 – Infected client infects other devices on network

19 Operation Beebus Attack
APT campaign targeting the aerospace and defense industry in waves; no pattern to the attack: multiple weaponized emails some days, a single targeted email on others
Infection vector: email and drive-by downloads; exploits common vulnerabilities in PDF and DOC; familiar document names used in the attack
Encrypted communications with the C&C server; backdoor contains modules to download and execute additional payloads and updates
Potentially the same nation state actors that breached RSA: same server domain seen in callbacks; known to be behind information stealing from at least 70 organizations
FireEye discovered an APT campaign consistently targeting companies in the aerospace and defense industries. The campaign has been in effect for some time now. Infection Vector: We have seen this campaign use both email and drive-by downloads as a means of infecting end users. The threat actor has consistently used attachment names of documents/white papers released by well-known companies. The malicious attachment exploits some common vulnerabilities in PDF and DOC files. The malware uses a well-documented vulnerability in the Windows OS known as DLL search order hijacking. There is an order in which executables load DLLs on the Windows operating system. This particular malware takes advantage of this vulnerability and drops a DLL called ntshrui.DLL in the C:\Windows directory. The first place from where the executable looks to load the DLL is its own directory. By dropping the ntshrui.DLL in the directory C:\Windows, the malware achieves persistence. The malware communicates with a remote command and control (CnC) server. The GET request in Figure 4 is the initial request that the compromised machine makes to "check in" with the CnC server. It encodes the information it collects with base64 and then sends it to the remote CnC server as seen in Figure 4. It is interesting to note that the base64 data is subjected to some substitutions before it is sent out, preventing run-of-the-mill inspection on the wire. It replaces the '/' (forward slash) and '+' (plus) characters, which are part of the base64 character set, with '_' (underscore) and '-' (hyphen) respectively. The code that performs this operation is shown in Figure 5.
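The check-in described above uses base64 with '/' and '+' swapped for '_' and '-', which is why a decoder expecting the standard alphabet fails on the wire. The Python below, an added example that is not the presentation's or FireEye's code, reverses that substitution, restores the stripped padding, and pulls the decoded check-in out of a constructed GET request. The request path, parameter name and check-in contents are assumptions for the example (the real request in Figure 4 is not on the page); the trailing three payload bytes are chosen so that standard base64 would have emitted '+' and '/'.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Constructed check-in payload (assumption for the example, not Beebus data).
# The 36-byte prefix is a multiple of 3 so the last group b"\xfb\xff\xbf"
# encodes on its own to "+/+/" in standard base64.
SAMPLE_RAW = b"host=WKS-0042|user=jdoe|ver=1.0|key=" + b"\xfb\xff\xbf"

# What a substituted token looks like: base64 alphabet with '-' and '_', no '='.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{16,}$")


def encode_variant_b64(raw: bytes) -> str:
    """The variant the slide describes: standard base64 with padding stripped,
    '/' replaced by '_' and '+' by '-'. Used here only to build test traffic."""
    std = base64.b64encode(raw).decode("ascii").rstrip("=")
    return std.replace("/", "_").replace("+", "-")


def decode_variant_b64(token: str) -> bytes:
    """Reverse the substitution, restore padding to a multiple of 4, decode strictly."""
    std = token.replace("_", "/").replace("-", "+")
    std += "=" * (-len(std) % 4)
    return base64.b64decode(std, validate=True)


def extract_checkin(request_line: str) -> dict:
    """For an HTTP request line like 'GET /x?s=TOKEN HTTP/1.1', return
    {param: decoded bytes} for every query value that decodes as a variant token."""
    parts = request_line.split()
    if len(parts) < 2 or parts[0] != "GET":
        return {}
    query = urlsplit(parts[1]).query
    found = {}
    for name, values in parse_qs(query).items():
        for value in values:
            if not TOKEN_RE.match(value):
                continue
            try:
                found[name] = decode_variant_b64(value)
            except ValueError:      # binascii.Error is a ValueError: not base64 after all
                continue
    return found


# Constructed request line carrying the sample check-in (path and parameter assumed).
SAMPLE_REQUEST = f"GET /index.php?s={encode_variant_b64(SAMPLE_RAW)} HTTP/1.1"


if __name__ == "__main__":
    print(SAMPLE_REQUEST)
    print(extract_checkin(SAMPLE_REQUEST))
```

The substitution has a practical side effect beyond evading a plain base64 matcher: a '+' in a query string is decoded as a space by URL parsers (as parse_qs does above), so the '-'/'_' form also survives the HTTP round trip intact. The same alphabet is what RFC 4648 calls URL-safe base64, so base64.urlsafe_b64decode would also work once padding is restored; the explicit replace calls are kept here to show the mapping the slide describes.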

20 Multi-Vector Analysis of Operation Beebus Attack
Key Attack Characteristics: nation state driven attack using multiple vectors & files in campaigns spread over 2 years; exploits known vulnerabilities in several Adobe products such as Reader and Flash Player; targeted attacks, each campaign trying to compromise a few specific individuals; encrypted callback communications to hide exfiltrated data.
[Timeline of attack – multiple vectors, multiple campaigns: Apr 2011 update.exe; Sept 2011 UNKNOWN; Dec 2011 RHT_SalaryGuide_2012.pdf; Feb 2012, Mar 2012, Apr 2012, May 2012, Jul 2012, Aug 2012, Sept 2012, Nov 2012, Jan 2013 (lure and dropper names in slide order): install_flash_player.tmp2, Conflict-Minerals-Overview-for-KPMG.doc, dodd-frank-conflict-minerals.doc, update.exe, Boeing_Current_Market_Outlook_…pdf, Understand your blood test report.pdf, RHT_SalaryGuide_2012.pdf, sensor environments.doc, FY2013_Budget_Request.doc, Dept of Defense FY12 …Boeing.pdf, April is the Cruelest Month.pdf, National Human Rights…China.pdf, Security Predictions…2013.pdf, rundll32.exe, UNKNOWN, сообщить.doc, install_flash_player.ex, Global_A&D_outlook_2012.pdf]
[Diagram: weaponized email (RHT_SalaryGuide_2012.pdf) over SMTP / HTTP to the defense industry, UAV/UAS manufacturers and the aerospace industry; backdoor; C&C server: worldnews.alldownloads.ftpserver.biz]
Encrypted callback:
1 – Email/Web with weaponized malware
2 – Backdoor DLL dropped
3 – Encrypted callback over HTTP to C&C

21 APT Protection Requirements
Multi-vector protection (web, email, file, mobile)
Address all stages of advanced attacks (inbound attacks, outbound callbacks, malware executable downloads)
Understand the full context of an attack using multi-flow analysis
Share threat data in real time locally and globally (Dynamic Threat Intelligence)

22 Summary
Today's new breed of attacks are more advanced and sophisticated; affects all verticals and segments; traditional defenses can't stop these attacks; a real-time, integrated, signature-less solution is required across Web, email and file attack vectors; an integrated, cross-enterprise platform to stop today's new breed of cyber attacks.
[Diagram: Complete Protection Against Today's New Breed of Cyber Attacks: Dynamic Threat Intelligence Cloud; Central Management System; Malware Analysis System; Web Malware Protection System; Email Malware Protection System; File Malware Protection System]
With the pace of today's new breed of cyber attacks accelerating, all verticals and all segments are affected. Because traditional defenses (NGFW, IPS, AV, and gateways) no longer stop these attacks, companies need a real-time, proactive, signature-less solution across Web, email and file shares. FireEye has engineered the most advanced threat protection to supplement traditional defenses and stop today's new breed of cyber attacks.

23 GuidePoint Security - Uniquely Positioned
Boutique Shops: highly-technical consultants; security R&D
Consulting Firms: professional consultants; broad client experience
System Integrators: comprehensive solutions; extensive program knowledge; partnering/teaming; Small Business (BPA/IDIQ)
Value-Added Resellers: vendor agnostic; experienced engineers

24 Technology Integration Services
Architecture and Design: Security Architecture Review; Target Architecture Design; Technology Implementation Architecture
Technology Implementation: Rack and Stack; Configuration and Hardening; Functionality, Regression and Performance Testing; Technology Support
Optimization: Security Technology Review; Consolidation Assessment; Technology Optimization

25 Information Assurance Services
Security Program Strategy: Security Program Review / Implementation; Cloud Migration Strategy; Trusted Advisory Services; Incident Response / Forensics; Security Policy & Standards
Security Assessments: Application Penetration Testing; Perimeter Security Assessment; Cloud Security Assessments; Security Code Reviews; Social Engineering
Compliance Services: PCI DSS Compliance Program Management; PCI DSS QSA Assessment Services; HIPAA / HITECH Compliance; ISO Compliance
Third Party Management: Third Party Management Program Design; Third Party Assessments

26 Thank You

