1 / 23

Tim Davidson System Engineer

Malware Pandemic? Sometimes getting a shot only treats the symptoms and not the cause…. Tim Davidson System Engineer. Agenda. Changing Threat Landscape. Changing Threat Landscape – Advanced Persistent Threats (APTs). The New Threat Landscape

nike
Download Presentation

Tim Davidson System Engineer

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Malware Pandemic? Sometimes getting a shot only treats the symptoms and not the cause… Tim Davidson System Engineer

  2. Agenda

  3. Changing Threat Landscape

  4. Changing Threat Landscape – Advanced Persistent Threats (APTs) The New Threat Landscape There is a new breed of attacks that are advanced, zero-day, and targeted MODERN Advanced Persistent Threats LEGACY

  5. High Profile Targeted Attacks • 3 minutes • On average, malware activities take place once every 3 minutes • 184 countries, 41% • Over the past year, FireEye captured callbacks to 184 countries, a 41% rise • 46% • Asia (China, Korea, India, Japan, Hong Kong) accounts for 24% callbacks • Eastern Europe (Russia, Poland, Romania, Ukraine, Kazakhstan, Latvia) accounts for 22% • Technology companies • Technology companies experienced highest rate of callback activity • 89% • 89% of callback activities linked with APT tools made in China or Chinese hacker groups Source: FireEye Advanced Threat Report, March 2013

  6. Significant Compromise Still Exists! Percent ofDeployments Infections/Weeks at Normalized Bandwidth 100% 90% 80% 70% 60% 50% 40% 30% 20% 10% 0% 98.5% of deployments see at least 10 incidents*/week/Gbps Average is about 221 incidents*/week 1 Gbps 20% of deployments havethousands of incidents*/week Source: FireEye Advanced Threat Report, March, 2013 221 Average Net New Incidents Per Week at Only 1 Gbps! 10 100 1,000 10,000 100,000 * An incident is beyond inbound malware – it includes an exploit and callback

  7. Why Traditional Defenses Fail

  8. What’s causing the compromise? Dynamic, Polymorphic Malware Coordinated Persistent Threat Actors NEW THREAT LANDSCAPE Multi-Vector Attacks Multi-Staged Attacks

  9. The Attack Life Cycle – Multiple Stages Compromised Web server, or Web 2.0 site 1 Callback Server Exploitation of system 1 4 Malware executable download 2 Exploit detection is critical All subsequent stages can be hidden or obfuscated Callbacks and control established 3 File Share 2 IPS 5 Data exfiltration 4 File Share 1 2 3 Malware spreads laterally 5

  10. Traditional Defenses Don’t Work The new breed of attacks evade signature-based defenses Firewalls/NGFW Anti-SpamGateways IPS Secure WebGateways Desktop AV

  11. The Enterprise Security Hole Attack Vector NGFW FW Web-Based Attacks IPS SECURITYHOLE Spear Phishing Emails Malicious Files SWG AV

  12. A New Model is Required • Signature-Based • Reactive • Only known threats • Many false negatives Legacy Pattern-Matching Detection Model New Virtual Execution Model MATCH MATCH 101011010101101000101110001101010101011001101111100101011001001001001000 100100111001010101010110 100100111001010101010110 100100111001010101010110 110100101101011010101000 • Signature-less • Dynamic, real-time • Known/unknown threats • Minimal false positives

  13. Introducing the FireEye Platform

  14. FireEye Platform: Next Generation Threat Protection Dynamic Threat Intelligence (CLOUD) Multi-Vector Virtual Execution engine Dynamic Threat Intelligence (ENTERPRISE) Technology Interoperability Ecosystem Partners

  15. FireEye Platform: Multi-Vector Virtual Execution (MVX) Email MPS 4 2 1 3 6 5 CMS MVX SMTP Inbound Outbound HTTP Callback Server 1 – Email with weaponized pdf 2 – Executed in MVX (Email MPS) – phish suspected 3 – Web MPS notified via CMS 4 – Callback over HTTP to C&C server 5 – Callback detected by Web MPS and blocked 6 – End user defended from multi-vector attack Web MPS Multi-vector blended attack

  16. FireEye Platform: Multi-Flow Virtual Execution • File-oriented sandboxing can be easily evadedby malware • Lack of virtually executing flows vs. file-based approach • Lack of capturing and analyzing flows across multiple vectors • FireEye uses multi-vector, multi-flow analysis to understand the full context of today’s cyber attacks • Stateful attack analysis shows the entire attack life cycle • Enables FireEye to disrupt each stage and neutralize attack Infection Server Callback Server Malware Executable DataExfiltration Exploit Callbacks Downloads

  17. FireEye Platform: Dynamic Threat Intelligence Anonymized Malware Metadata Anonymized Malware Metadata DTI Cloud Ecosystem Partners Ecosystem Partners Ecosystem Partners Enterprise 1 Enterprise 3 Enterprise 2 DTI Enterprise DTI Enterprise DTI Enterprise

  18. FireEye Advantage

  19. FireEye Platform Advantage 1. Thousands of Permutations(files, OS, browser, apps) 2. Multi-flow analysis 3. Multi-vector analysis 4. Correlation of information 5. Cloud Sharing 6. Time to protection Local Loop MVX MVX Dynamic Threat Intelligence (DTI) Threat Protection Fabric Single Enterprise Cross Enterprise

  20. Sandbox Approach (Cloud) File-oriented sandbox - evasion 1. Thousands of Permutations(files, OS, browser, apps) 2. Multi-flow analysis 3. Multi-vector analysis 4. Correlation of information 5. Cloud Sharing 6. Time to protection Single file • Sandbox in the cloud • Privacy violation • Compliance and regulation violation • Latency issues Single vector partial hours or days

  21. Sandbox Approach (On-Premises) File-oriented sandbox 1. Thousands of Permutations(files, OS, browser, apps) 2. Multi-flow analysis 3. Multi-vector analysis 4. Correlation of information 5. Cloud Sharing 6. Time to protection • Sandbox (On-Premises) • Malware can easily circumvent generic sandbox • File-based sandbox misses the exploit detection phase • No flow causes lack of stateful malware analysis Single file Single vector Hashes: limited value Non-realtime

  22. Key Takeaways

  23. Thank You

More Related