
Next Generation Threat Protection

Next Generation Threat Protection. Charles Wilkerson, Sr. Security Engineer Charles.wilkerson@fireeye.com. Introduction.


Presentation Transcript


  1. Next Generation Threat Protection Charles Wilkerson, Sr. Security Engineer Charles.wilkerson@fireeye.com

  2. Introduction "While traditional antivirus [vendors] may be able to spot and deflect many kinds of attacks, they're not well-equipped to handle targeted attacks. But there are technologies able to detect such attacks, if not entirely prevent them," Pescatore said, from the likes of vendors such as FireEye, not McAfee or Kaspersky. "About every five years, we get in a phase when attacks get ahead of defenses, and we're in one now," said Pescatore. Source: CIO Magazine, Aug. 23, 2011 - http://www.cio.in/news/security-firms-knock-heads-over-shady-rat-hacks-163462011

  3. The New Breed of Cyber Attacks
     • Nature of threats changing
     • Today’s attacks sophisticated and successful
     (Chart: damage of attacks by year, 2005–2013; threat labels: Viruses, Worms, Spyware/Bots, Stealth Bots, Dynamic Trojans, Zero-Day Targeted Attacks, Advanced Persistent Threats; categories: Disruption, Cybercrime, Cyber-Espionage and Cybercrime)
     “Organizations face an evolving threat scenario that they are ill-prepared to deal with… threats that have bypassed their traditional security protection techniques and reside undetected on their systems.” Gartner, 2012

  4. High Profile Attacks are Increasingly Common

  5. Numbers Show a Harsh Reality
     • 2/3 of U.S. firms report that they have been the victim of cyber attacks
     • Every second, 14 adults become a victim of cyber crime
     • 6.5x: number of cyber attacks since 2006
     • 40% of all IT executives expect a major cybersecurity incident
     • 115% CAGR: unique malware since 2009
     • 9,000+ malicious websites identified per day
     • 95 new vulnerabilities discovered each week

  6. What’s Changed? Dynamic, Polymorphic Malware Coordinated Persistent Threat Actors NEW THREAT LANDSCAPE Multi-Vector Attacks Multi-Staged Attacks

  7. Advanced Targeted Attacks Defined
     The New Threat Landscape: there is a new breed of attacks that are advanced, zero-day, and targeted.
     • IPS and AV Signatures bypassed by: dynamic zero-day malware; targeted attacks; polymorphic malware
     • URL Filtering & Reputation bypassed by: dynamic, disposable, malicious domains; framed and deep-embedded content; compromised legitimate Web sites
     • Heuristics, Correlation, & Basic Emulation techniques bypassed by: targeted attacks; zero-day vulnerability attacks
     (Diagram: TRADITIONAL → ADVANCED; Advanced Targeted Attack)

  8. Commercial Tool Kits

  9. The Attack Life Cycle – Multiple Stages
     1 – Exploitation of system
     2 – Malware executable download
     3 – Callbacks and control established
     4 – Data exfiltration
     5 – Malware spreads laterally
     (Diagram: compromised Web server or Web 2.0 site, callback server, IPS, File Share 1, File Share 2)

  10. Traditional Defenses Don’t Work The new breed of attacks evade signature-based defenses: Firewalls/NGFW, Anti-Spam Gateways, IPS, Secure Web Gateways, Desktop AV (diagram: THREAT passing through each layer)

  11. A New Model is Required
     Legacy Pattern-Matching Detection Model (MATCH against stored signatures):
     • Signature-Based • Reactive • Only known threats • False positives
     New Virtual Execution Model:
     • Signature-less • Dynamic, real-time • Known/unknown threats • Minimal false positives

  12. Malware Analysis • What types of Malware Analysis should you do?

  13. Building Blocks of the FireEye Platform: Dynamic Threat Intelligence (CLOUD); Multi-Vector Virtual Execution engine; Dynamic Threat Intelligence (ENTERPRISE); Technology Interoperability

  14. Multi-Flow Virtual Execution (MVX) and Dynamic Threat Intelligence
     MVX:
     • Aggressive Capture of Suspicious Traffic
     • Purpose-built Virtual Execution
     • Contextual Detonation of Malware in Virtual Victim
     • Visibility & Forensics of Full Attack LifeCycle
     • Block Inbound Attack, Outbound Callbacks to C2
     Dynamic Threat Intelligence:
     • Crowd-Sourced DTI for Scalable, Global Protection
     • Hourly Content Updates
     • Dynamic Threat Intelligence Uploaded to FireEye Cloud
     • Zero-Day DTI Profile Shared across FireEye Installation
     • Blocks Inbound Exploit Attempts
     • Blocks Outbound C&C Callbacks

  15. Advanced Malware Protection Architecture
     • Real-time Web, Email, & File Security to stop Advanced Targeted Attacks
     • Centralized Management, Reporting
     • Augments Zero-Day gaps traditional security misses
     • FireEye Platform shares DTI with 3rd party products
     • Automation ensures higher detection accuracy & low TCO
     • Dynamic Threat Intelligence provides unique, zero-day intelligence
     (Diagram: Dynamic Threat Intelligence; Firewall, CMS, Anti-Spam, IPS, Web MPS, Email MPS, File MPS, MAS; File Share 1, File Share 2, LAN, Mail Servers)

  16. FireEye Platform – Extending DTI Closer to the Breach SIA Partner Member Network Monitoring Endpoint

  17. Council of Foreign Relations (CFR) Attack
     • Zero-day attack
     • Targets IE 8.0 browsers with OS language English, Chinese, Japanese, Korean, or Russian
     • Delivered only once per user
     • Infection vector: Drive-by downloads targeting visitors to www.cfr.org
     • Exploits vulnerability in Internet Explorer 8.0
     • CFR influential in US foreign policy decisions
     • Accessed by high ranking government officials, including former presidents, secretaries of state, ambassadors, and leaders of industry
     • Perpetrated by nation state actors
     • Goal seems to be to gather business and/or military intelligence

  18. Multi-Flow Analysis of Council of Foreign Relations Attack
     http://www.cfr.org
     • Independent, nonpartisan membership organization, think tank, and publisher
     • Influential in US foreign policy decisions
     • Preeminent personalities and corporations as members
     • Develops foreign policy leaders
     • Accessed by lawmakers, govt. officials
     Timeline labels: First instance of attack reported; FireEye DTI recorded malicious content; Microsoft advisory published; Microsoft MSHTML workaround; Microsoft security bulletin released; Open window of attack
     Attack flow (HTTP; compromised domain → Client PC; custom tools):
     1 – User visits compromised or tainted website
     2 – JavaScript in compromised page checks infection criteria (browser version, country, first visit)
     3 – Exploit code downloaded after checks (exploit file: exploit for IE8)
     4 – Backdoor downloaded with exploit
     5 – Backdoor decoded on client machine (XOR 0x83)
     6 – Infected client connects with C&C server (C&C Server: Dynamic DNS provide.yourtrap.com)
     7 – Infected client infects other devices on network (lateral spread)
     Exploit detection is critical: the following phases of the attack can be hidden or obfuscated.
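Step 5 above (backdoor decoded on the client, XOR 0x83) is why slide 11 says pattern matching misses this stage: an executable XORed with a single byte carries no "MZ" or "PE" signature on the wire. The following is an added analyst-side example, not code from the FireEye deck or any FireEye product: it recovers a single-byte XOR key from a captured blob by brute force with a PE-structure check, and shows the cheap byte-frequency heuristic that usually gives the same answer. The payload is a constructed PE-shaped header built inside the block, not a real sample.

```python
# Added example (not from the FireEye deck): recovering a single-byte-XOR-encoded
# Windows executable, the encoding step 5 of the CFR slide describes (XOR 0x83).
# The "sample" is a constructed, minimal PE-shaped header, not real malware.
from collections import Counter

E_LFANEW_OFFSET = 0x3C  # DOS header field holding the offset of the "PE\0\0" signature


def build_constructed_pe_stub() -> bytes:
    """Build a PE-shaped byte string (constructed for the demo): DOS header,
    DOS stub text, then the PE signature at the offset e_lfanew points to."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)             # 0x40-byte DOS header
    header[E_LFANEW_OFFSET:E_LFANEW_OFFSET + 4] = (0x80).to_bytes(4, "little")
    header += b"This program cannot be run in DOS mode.\r\n$"
    header += b"\x00" * (0x80 - len(header))                # pad up to e_lfanew
    header += b"PE\x00\x00" + b"\x00" * 60                  # signature + zeroed header tail
    return bytes(header)


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def looks_like_pe(blob: bytes) -> bool:
    """Structural check: 'MZ' at offset 0 and 'PE\\0\\0' where e_lfanew points."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[E_LFANEW_OFFSET:E_LFANEW_OFFSET + 4], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_xor_key(encoded: bytes):
    """Try all 256 single-byte keys; accept the one that yields a valid PE shape.
    Returns None when no key produces a PE header."""
    for key in range(256):
        if looks_like_pe(xor_bytes(encoded, key)):
            return key
    return None


def frequency_key_guess(encoded: bytes) -> int:
    """Triage heuristic: PE files are dominated by 0x00 padding, so the most
    frequent encoded byte is almost always 0x00 ^ key == key."""
    return Counter(encoded).most_common(1)[0][0]


if __name__ == "__main__":
    sample = build_constructed_pe_stub()
    on_the_wire = xor_bytes(sample, 0x83)   # what a network sensor would see
    print("MZ visible on the wire:", on_the_wire[:2] == b"MZ")
    print("frequency guess: 0x%02x" % frequency_key_guess(on_the_wire))
    print("brute-force key:  0x%02x" % recover_xor_key(on_the_wire))
```

The brute force is exhaustive and cheap (256 candidate keys against a structural check), so it is the reliable path; the frequency guess is what to reach for first when triaging many captured objects, with the structural check confirming it.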

  19. Operation Beebus Attack
     • APT campaign targeting aerospace and defense industry in waves
     • No pattern to attack
     • Multiple weaponized emails some days; single targeted email on others
     • Infection vector: Email and drive-by downloads
     • Exploits common vulnerabilities in PDF and DOC
     • Familiar document names used in attack
     • Encrypted communications with C&C server
     • Backdoor contains modules to download and execute additional payloads and updates
     • Potentially same nation state actors that breached RSA
     • Same server domain seen in callbacks
     • Known to be behind information stealing from at least 70 organizations

  20. Multi-Vector Analysis of Operation Beebus Attack
     Key Attack Characteristics
     • Nation state driven attack using multiple vectors & files in campaigns spread over 2 years
     • Exploits known vulnerabilities in several Adobe products such as Reader and Flash Player
     • Targeted attacks - each campaign tried to compromise a few specific individuals
     • Encrypted callback communications to hide exfiltrated data
     Timeline of attack – multiple vectors, multiple campaigns (Apr 2011, Sept 2011, Dec 2011, Feb 2012, Mar 2012, Apr 2012, May 2012, Jul 2012, Aug 2012, Sept 2012, Nov 2012, Jan 2013; multi-vectored attack)
     • Targets named: Defense Industry, UAV/UAS Manufacturers, Aerospace Industry, UNKNOWN
     • Weaponized documents (SMTP / HTTP), e.g. Weaponized Email (RHT_SalaryGuide_2012.pdf): RHT_SalaryGuide_2012.pdf, Conflict-Minerals-Overview-for-KPMG.doc, dodd-frank-conflict-minerals.doc, Boeing_Current_Market_Outlook_…pdf, Understand your blood test report.pdf, sensor environments.doc, FY2013_Budget_Request.doc, Dept of Defense FY12 …Boeing.pdf, April is the Cruelest Month.pdf, National Human Rights…China.pdf, Security Predictions…2013.pdf, сообщить.doc, Global_A&D_outlook_2012.pdf
     • Executables named on the timeline (backdoor): update.exe, install_flash_player.tmp2, install_flash_player.ex, rundll32.exe
     • C&C Server: worldnews.alldownloads.ftpserver.biz (encrypted callback)
     1 – Email/Web with weaponized malware
     2 – Backdoor DLL dropped
     3 – Encrypted callback over HTTP to C&C
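Both case studies end the same way: an infected client calls back over HTTP to a C&C host (Dynamic DNS provide.yourtrap.com on slide 18, worldnews.alldownloads.ftpserver.biz here), and slide 21 asks for callbacks to be addressed as a stage in their own right. The block below is an added detection example, not code from the FireEye deck or any FireEye product. It runs over a few constructed proxy log lines, flags hosts that match the two C&C names the deck gives, flags hosts under a small dynamic-DNS parent list (an assumption for the demo, derived from those two names), and flags a source/host pair whose requests recur at a near-constant interval, the beaconing pattern an encrypted callback still exposes in its timing.

```python
# Added example (not from the FireEye deck): flagging C&C callbacks in proxy logs.
# Indicator hostnames come from the deck's slides 18 and 20; the dynamic-DNS parent
# list and every log line below are constructed for the demo.
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

KNOWN_C2 = {"provide.yourtrap.com", "worldnews.alldownloads.ftpserver.biz"}
# Assumption: parents of the two deck domains, standing in for a real DDNS provider list.
DDNS_PARENTS = ("yourtrap.com", "ftpserver.biz")

# Constructed log format: "<date> <time> <client-ip> <method> <url>"
LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (\S+) (\S+)$")

SAMPLE_LOG = """\
2013-01-08 09:00:00 10.1.2.3 GET http://www.cfr.org/index.html
2013-01-08 09:00:01 10.1.2.3 GET http://provide.yourtrap.com/update.php
2013-01-08 09:03:12 10.1.2.7 GET http://www.example.com/news
2013-01-08 09:05:01 10.1.2.3 POST http://provide.yourtrap.com/update.php
2013-01-08 09:10:01 10.1.2.3 POST http://provide.yourtrap.com/update.php
2013-01-08 09:11:40 10.1.2.9 GET http://cdn.yourtrap.com/a.gif
2013-01-08 09:15:01 10.1.2.3 POST http://provide.yourtrap.com/update.php
not a log line
"""


def parse_line(line: str):
    """Return (timestamp, source ip, method, hostname) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    host = (urlparse(m.group(4)).hostname or "").lower()
    return ts, m.group(2), m.group(3), host


def matches_indicator(host: str):
    """Exact C&C match first, then suffix match on dynamic-DNS parents."""
    if host in KNOWN_C2:
        return "known_c2"
    if any(host == p or host.endswith("." + p) for p in DDNS_PARENTS):
        return "ddns_suffix"
    return None


def find_beacons(events, min_hits: int = 4, jitter_seconds: int = 30):
    """Flag (src, host) pairs with >= min_hits requests whose inter-request gaps
    all fall within jitter_seconds of each other. Returns (src, host, mean gap)."""
    by_pair = defaultdict(list)
    for ts, src, _method, host in events:
        by_pair[(src, host)].append(ts)
    beacons = []
    for (src, host), stamps in sorted(by_pair.items()):
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= jitter_seconds:
            beacons.append((src, host, round(sum(gaps) / len(gaps))))
    return beacons


def analyze(log_text: str) -> dict:
    """Run indicator and beacon checks over a log; returns sorted, de-duplicated hits."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    hits = {(src, host, matches_indicator(host))
            for _ts, src, _m, host in events if matches_indicator(host)}
    return {"indicator_hits": sorted(hits), "beacons": find_beacons(events)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for src, host, reason in result["indicator_hits"]:
        print(f"indicator {reason}: {src} -> {host}")
    for src, host, period in result["beacons"]:
        print(f"beacon: {src} -> {host} every ~{period}s")
```

The beacon check is deliberately independent of the indicator lists: it catches the callback rhythm on a host nobody has published yet, which is the situation the deck's "known/unknown threats" contrast describes. Tune `min_hits` and `jitter_seconds` to the traffic; legitimate update checks also beacon, so the output is a triage queue, not a verdict.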

  21. APT Protection Requirements
     • Multi-Vector protection (web, email, file, mobile)
     • Address all stages of advanced attacks (inbound attacks, outbound callbacks, malware executable downloads)
     • Understand the full context of an attack using multi-flow analysis
     • Share threat data in real time locally and globally (Dynamic Threat Intelligence)

  22. Summary
     • Today’s new breed of attacks is more advanced and sophisticated
     • Affects all verticals and segments
     • Traditional defenses can’t stop these attacks
     • Real-time, integrated signature-less solution is required across Web, email and file attack vectors
     • Integrated, cross-enterprise platform to stop today’s new breed of cyber attacks
     Complete Protection Against Today’s New Breed of Cyber Attacks: Dynamic Threat Intelligence Cloud; Central Management System; Malware Analysis System; Web Malware Protection System; Email Malware Protection System; File Malware Protection System

  23. GuidePoint Security - Uniquely Positioned
     Boutique Shops • Highly-technical consultants • Security R&D
     Consulting Firms • Professional consultants • Broad client experience
     System Integrators • Comprehensive solutions • Extensive program knowledge • Partnering/teaming • Small Business (BPA/IDIQ)
     Value-Added Resellers • Vendor agnostic • Experienced engineers

  24. Technology Integration Services
     Architecture and Design • Security Architecture Review • Target Architecture Design • Technology Implementation Architecture
     Technology Implementation • Rack and Stack • Configuration and Hardening • Functionality, Regression and Performance Testing • Technology Support
     Optimization • Security Technology Review • Consolidation Assessment • Technology Optimization

  25. Information Assurance Services
     Security Program Strategy • Security Program Review / Implementation • Cloud Migration Strategy • Trusted Advisory Services • Incident Response / Forensics • Security Policy & Standards
     Security Assessments • Application Penetration Testing • Perimeter Security Assessment • Cloud Security Assessments • Security Code Reviews • Social Engineering
     Compliance Services • PCI DSS Compliance Program Management • PCI DSS QSA Assessment Services • HIPAA / HITECH Compliance • ISO 27002 Compliance
     Third Party Management • Third Party Management Program Design • Third Party Assessments

  26. Thank You
