230 likes | 462 Views
Malware Pandemic? Sometimes getting a shot only treats the symptoms and not the cause…. Tim Davidson System Engineer. Agenda. Changing Threat Landscape. Changing Threat Landscape – Advanced Persistent Threats (APTs). The New Threat Landscape
E N D
Malware Pandemic? Sometimes getting a shot only treats the symptoms and not the cause… Tim Davidson System Engineer
Changing Threat Landscape – Advanced Persistent Threats (APTs) The New Threat Landscape There is a new breed of attacks that are advanced, zero-day, and targeted MODERN Advanced Persistent Threats LEGACY
High Profile Targeted Attacks • 3 minutes • On average, malware activities take place once every 3 minutes • 184 countries, 41% • Over the past year, FireEye captured callbacks to 184 countries, a 41% rise • 46% • Asia (China, Korea, India, Japan, Hong Kong) accounts for 24% callbacks • Eastern Europe (Russia, Poland, Romania, Ukraine, Kazakhstan, Latvia) accounts for 22% • Technology companies • Technology companies experienced highest rate of callback activity • 89% • 89% of callback activities linked with APT tools made in China or Chinese hacker groups Source: FireEye Advanced Threat Report, March 2013
Significant Compromise Still Exists! Percent ofDeployments Infections/Weeks at Normalized Bandwidth 100% 90% 80% 70% 60% 50% 40% 30% 20% 10% 0% 98.5% of deployments see at least 10 incidents*/week/Gbps Average is about 221 incidents*/week 1 Gbps 20% of deployments havethousands of incidents*/week Source: FireEye Advanced Threat Report, March, 2013 221 Average Net New Incidents Per Week at Only 1 Gbps! 10 100 1,000 10,000 100,000 * An incident is beyond inbound malware – it includes an exploit and callback
What’s causing the compromise? Dynamic, Polymorphic Malware Coordinated Persistent Threat Actors NEW THREAT LANDSCAPE Multi-Vector Attacks Multi-Staged Attacks
The Attack Life Cycle – Multiple Stages Compromised Web server, or Web 2.0 site 1 Callback Server Exploitation of system 1 4 Malware executable download 2 Exploit detection is critical All subsequent stages can be hidden or obfuscated Callbacks and control established 3 File Share 2 IPS 5 Data exfiltration 4 File Share 1 2 3 Malware spreads laterally 5
Traditional Defenses Don’t Work The new breed of attacks evade signature-based defenses Firewalls/NGFW Anti-SpamGateways IPS Secure WebGateways Desktop AV
The Enterprise Security Hole Attack Vector NGFW FW Web-Based Attacks IPS SECURITYHOLE Spear Phishing Emails Malicious Files SWG AV
A New Model is Required • Signature-Based • Reactive • Only known threats • Many false negatives Legacy Pattern-Matching Detection Model New Virtual Execution Model MATCH MATCH 101011010101101000101110001101010101011001101111100101011001001001001000 100100111001010101010110 100100111001010101010110 100100111001010101010110 110100101101011010101000 • Signature-less • Dynamic, real-time • Known/unknown threats • Minimal false positives
FireEye Platform: Next Generation Threat Protection Dynamic Threat Intelligence (CLOUD) Multi-Vector Virtual Execution engine Dynamic Threat Intelligence (ENTERPRISE) Technology Interoperability Ecosystem Partners
FireEye Platform: Multi-Vector Virtual Execution (MVX) Email MPS 4 2 1 3 6 5 CMS MVX SMTP Inbound Outbound HTTP Callback Server 1 – Email with weaponized pdf 2 – Executed in MVX (Email MPS) – phish suspected 3 – Web MPS notified via CMS 4 – Callback over HTTP to C&C server 5 – Callback detected by Web MPS and blocked 6 – End user defended from multi-vector attack Web MPS Multi-vector blended attack
FireEye Platform: Multi-Flow Virtual Execution • File-oriented sandboxing can be easily evadedby malware • Lack of virtually executing flows vs. file-based approach • Lack of capturing and analyzing flows across multiple vectors • FireEye uses multi-vector, multi-flow analysis to understand the full context of today’s cyber attacks • Stateful attack analysis shows the entire attack life cycle • Enables FireEye to disrupt each stage and neutralize attack Infection Server Callback Server Malware Executable DataExfiltration Exploit Callbacks Downloads
FireEye Platform: Dynamic Threat Intelligence Anonymized Malware Metadata Anonymized Malware Metadata DTI Cloud Ecosystem Partners Ecosystem Partners Ecosystem Partners Enterprise 1 Enterprise 3 Enterprise 2 DTI Enterprise DTI Enterprise DTI Enterprise
FireEye Platform Advantage 1. Thousands of Permutations(files, OS, browser, apps) 2. Multi-flow analysis 3. Multi-vector analysis 4. Correlation of information 5. Cloud Sharing 6. Time to protection Local Loop MVX MVX Dynamic Threat Intelligence (DTI) Threat Protection Fabric Single Enterprise Cross Enterprise
Sandbox Approach (Cloud) File-oriented sandbox - evasion 1. Thousands of Permutations(files, OS, browser, apps) 2. Multi-flow analysis 3. Multi-vector analysis 4. Correlation of information 5. Cloud Sharing 6. Time to protection Single file • Sandbox in the cloud • Privacy violation • Compliance and regulation violation • Latency issues Single vector partial hours or days
Sandbox Approach (On-Premises) File-oriented sandbox 1. Thousands of Permutations(files, OS, browser, apps) 2. Multi-flow analysis 3. Multi-vector analysis 4. Correlation of information 5. Cloud Sharing 6. Time to protection • Sandbox (On-Premises) • Malware can easily circumvent generic sandbox • File-based sandbox misses the exploit detection phase • No flow causes lack of stateful malware analysis Single file Single vector Hashes: limited value Non-realtime