
Stopping Next-Gen Threats

Stopping Next-Gen Threats. Dan Walters – Sr. Systems Engineer Mgr. "We're moving towards a world where every attack is effectively zero-day… having a signatured piece of malware, that shouldn't be the foundation on which any security model works." - Chris Young, GVP Cisco Security





Presentation Transcript


  1. Stopping Next-Gen Threats Dan Walters – Sr. Systems Engineer Mgr.

  2. "We're moving towards a world where every attack is effectively zero-day… having a signatured piece of malware, that shouldn't be the foundation on which any security model works." - Chris Young, GVP Cisco Security Tech Week Europe, September 28th 2012

  3. High Profile APT Attacks Are Increasingly Common

  4. The Attack Lifecycle – Multiple Stages
     [Diagram: compromised Web server or Web 2.0 site, callback server, file shares, IPS, DMZ]
     1 Exploitation of system
     2 Malware binary download
     3 Callbacks and control established

  5. Crimeware == for the $

  6. Advanced Persistent Threat == Human

  7. This is Alex == FireEye Research

  8. The Usual Suspects

  9. Organized…Persistent…

  10. Reconnaissance made easy…

  11. The Exploit

  12. LaserMotive

  13. CEOs are targeted

  14. Could you stop this?

  15. The Callback

  16. Hidden in plain view…

  17. Blog Post?

  18. RSS Feed?

  19. We’re Only Human

  20. HR make for easy targets

  21. Just doing my job…

  22. NATO is a frequent spearphish target

  23. Global Unrest

  24. Whose Oil is it?

  25. The curious case of Trojan.Bisonal
     • Targets 100% Japanese organizations
     • Delivered via weaponized doc/xls files
     • Embeds the target name into the command and control traffic

  26. Custom “Flag” and c2 domain

     GET /j/news.asp?id=* HTTP/1.1
     User-Agent: flag:khi host:Business IP:10.0.0.43 OS:XPSP3 vm:�� proxy:��
     Host: online.cleansite.us
     Cache-Control: no-cache

     GET /a.asp?id=* HTTP/1.1
     Accept: */*
     Accept-Encoding: gzip, deflate
     User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
     Host: khi.acmetoy.com
     Connection: Keep-Alive

  27. Other “Flag”s seen
     • flag:410maff <-- ministry of agriculture, forestry, and fisheries
     • flag:1223
     • Flag:712mhi <-- mitsubishi heavy industries
     • Flag:727x
     • Flag:8080
     • Flag:84d
     • flag:boat
     • Flag:d2
     • Flag:dick
     • flag:jsexe
     • flag:jyt
     • Flag:m615
     • flag:toray
     • Flag:MARK 1
     • flag:nec01 <-- nec corporation
     • Flag:qqq
     • flag:nids <-- national institute for defense studies (nids.go.jp)
     • flag:nsc516 <-- nippon steel corp
     • flag:ihi <-- ihi corp
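As an added detection example (not from the deck, and not FireEye's product code): a small Python scanner over constructed HTTP requests modelled on slides 26 and 27. It assumes the beacon User-Agent reads "flag:<tag> host:<name> IP:<addr> OS:<ver> …" and that the same tag reappears as the leftmost label of the C2 hostname (khi.acmetoy.com); the third, benign request is also constructed.

```python
import re
from typing import Optional

# Constructed samples modelled on the two beacons shown on slides 26-27 (hosts, IP and the
# "khi" flag are the page's own values); the third request is an assumed benign control.
SAMPLE_REQUESTS = [
    "GET /j/news.asp?id=* HTTP/1.1\r\n"
    "User-Agent: flag:khi host:Business IP:10.0.0.43 OS:XPSP3 vm:?? proxy:??\r\n"
    "Host: online.cleansite.us\r\nCache-Control: no-cache\r\n\r\n",
    "GET /a.asp?id=* HTTP/1.1\r\nAccept: */*\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)\r\n"
    "Host: khi.acmetoy.com\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n"
    "Host: www.example.com\r\n\r\n",
]

# Bisonal packs victim context into User-Agent as "flag:<tag> host:<name> IP:<addr> OS:<ver> ...".
# Case-insensitive because slide 27 lists both "flag:" and "Flag:" variants.
FLAG_UA = re.compile(r"^flag:(?P<flag>\S+)\s+host:", re.IGNORECASE)


def parse_headers(raw: str) -> dict:
    """Split a raw HTTP request into a dict of lowercase header names, plus the request line."""
    head = raw.partition("\r\n\r\n")[0].split("\r\n")
    headers = {"_request": head[0]}
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def bisonal_flag(raw: str) -> Optional[str]:
    """Return the victim tag if the User-Agent has the Bisonal beacon shape, else None."""
    m = FLAG_UA.match(parse_headers(raw).get("user-agent", ""))
    return m.group("flag").lower() if m else None


def scan(requests) -> list:
    """Two-pass detection: collect tags from beacon-shaped User-Agents, then also catch
    requests with a normal User-Agent whose Host's leftmost label is a known tag
    (the second beacon on slide 26 hides the tag in the C2 domain: khi.acmetoy.com)."""
    parsed = [parse_headers(r) for r in requests]
    flags = {f for f in (bisonal_flag(r) for r in requests) if f}
    hits = []
    for raw, h in zip(requests, parsed):
        host = h.get("host", "").lower()
        if bisonal_flag(raw) or host.split(".")[0] in flags:
            hits.append((host, h["_request"]))
    return hits
```

The host-label pass only fires after a beacon-shaped User-Agent has been seen on the same wire, which keeps it from flagging ordinary subdomains.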

  28. China is not the only threat

  29. Multi-Protocol, Real-Time VX Engine
     PHASE 1: Multi-Protocol Object Capture
       • WEB MPS: Aggressive Capture, Web Object Filter
       • E-MAIL MPS: Email Attachments, URL Analysis
     PHASE 2: Virtual Execution Environments (map to target OS and applications)
       • DYNAMIC, REAL-TIME ANALYSIS: Exploit detection, Malware binary analysis, Cross-matrix of OS/apps
       • Originating URL, Subsequent URLs, OS modification report, C&C protocol descriptors

  30. Thank You! FireEye - Modern Malware Protection System
