TRANSCRIPT
Copyright (c) 2012, FireEye, Inc. All rights reserved. | CONFIDENTIAL 1
Next Generation Threat Protection
Randy Lee, Sr. SE Manager
The Acceleration of Advanced Targeted Attacks
• Number of threats is up 5X
• Nature of threats changing
  – From broad, scattershot to advanced, targeted, persistent
• Advanced attacks accelerating
  – High profile victims common (e.g., RSA, Symantec, Google)
  – Numerous APT attacks like Operation Aurora, Shady RAT, GhostNet, Night Dragon, Nitro
“Organizations face an evolving threat scenario that they are ill-prepared to deal with... advanced threats that have bypassed their traditional security protection techniques and reside undetected on their systems.” – Gartner, 2012
[Chart: damage of attacks versus time, 2004 to 2012. Viruses and worms (disruption); spyware/bots and stealth bots (cybercrime); dynamic Trojans, zero-day targeted attacks and advanced persistent threats (cyber-espionage and cybercrime)]
High Profile Attacks are Increasingly Common
Coke Gets Hacked And Doesn’t Tell Anyone
By Ben Elgin, Dune Lawrence & Michael Riley - Nov 4, 2012 6:01 PM ET
Hackers had broken into the company’s computer systems and were pilfering sensitive files about its attempted $2.4 billion acquisition of China Huiyuan Juice Group (1886), according to three people familiar with the situation and an internal company document detailing the cyber intrusion. The Huiyuan deal, which collapsed three days later, would have been the largest foreign takeover of a Chinese company at the time.
We are Only Seeing the Tip of the Iceberg
Headline Grabbing Attacks
Thousands More Below the Surface: APT attacks, zero-day attacks, polymorphic attacks, targeted attacks
Traditional Defenses Don’t Work
Advanced attacks bypass both signature and heuristics-based technologies in existing IT security defenses
Networks are being compromised as APTs easily bypass traditional signature-based defenses like NGFW, IPS, AV, and gateways
Defining Advanced Targeted Attacks
• Utilizes advanced techniques and/or malware
  – Unknown
  – Targeted
  – Polymorphic
  – Dynamic
  – Personalized
• Uses zero-day exploits, commercial quality toolkits, and social engineering
• Often targets intellectual property and credentials, and often spreads laterally throughout the network
• AKA Advanced Persistent Threat (APT)

Traditional attack: open; known and patchable; broad; one time
Advanced targeted attack: stealthy; unknown and zero-day; targeted; persistent

The New Threat Landscape: there is a new breed of attacks that are advanced, zero-day, and targeted
Advanced Malware Infection Lifecycle
[Diagram: desktop antivirus (losing the threat arms race), perimeter security (signature, rule-based), anti-spam and other gateways (list-based, signatures), DMZ and email servers on the inside; compromised Web server or Web 2.0 site and callback server on the outside]
1. System gets exploited
   – Drive-by attacks in casual browsing
   – Links in targeted emails
   – Attachments in targeted emails
2. Dropper malware installs
   – First step to establish control
   – Calls back out to criminal servers
   – Found on compromised sites and Web 2.0, user-created content sites
3. Malicious data theft and long-term control established
   – Uploads data stolen via keyloggers, Trojans, bots, and file grabbers
   – One exploit leads to dozens of infections on the same system
   – Criminals have built long-term control mechanisms into the system
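Steps 2 and 3 of the lifecycle above both hinge on the dropper calling back out to criminal servers. As an added example (written for this page, not FireEye's detection logic), the Python below flags outbound connections that look like callbacks on three counts: traffic to port 443 whose first bytes are not a TLS ClientHello, destinations under dynamic-DNS suffixes, and fixed-interval beaconing from one host to one destination. The connection records, the dynamic-DNS suffix list and the thresholds are constructed for the demo.

```python
"""Added example for this page (not FireEye's product logic): flag dropper
callbacks in outbound connection records. Records, dynamic-DNS suffix list
and thresholds are constructed for the demo."""
from collections import defaultdict
from statistics import mean, pstdev

# Assumed suffix list; a real deployment would use a maintained feed.
DYNDNS_SUFFIXES = (".no-ip.org", ".dyndns.org", ".3322.org")


def is_tls_client_hello(first_bytes: bytes) -> bool:
    """Real HTTPS opens with a TLS record: type 0x16 (handshake), version 0x03 0x0X,
    2-byte length, then handshake type 0x01 (ClientHello)."""
    return (len(first_bytes) >= 6
            and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x03
            and first_bytes[5] == 0x01)


def reasons_for(rec: dict) -> list:
    """Per-connection indicators: a 443 flow that is not TLS, or a dynamic-DNS host."""
    reasons = []
    if rec["dst_port"] == 443 and not is_tls_client_hello(rec["first_bytes"]):
        reasons.append("non-TLS traffic on 443")
    if rec["dst_host"].lower().endswith(DYNDNS_SUFFIXES):
        reasons.append("dynamic-DNS host")
    return reasons


def beaconing_pairs(records, min_count=4, max_jitter=0.1):
    """(src, dst_host) pairs whose connection intervals are nearly constant."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst_host"])].append(r["ts"])
    beacons = set()
    for pair, times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.add(pair)
    return beacons


def flag_callbacks(records) -> dict:
    """Map each suspicious (src, dst_host) pair to the set of reasons it was flagged."""
    beacons = beaconing_pairs(records)
    alerts = {}
    for r in records:
        pair = (r["src"], r["dst_host"])
        reasons = reasons_for(r)
        if pair in beacons:
            reasons.append("regular beacon interval")
        if reasons:
            alerts.setdefault(pair, set()).update(reasons)
    return alerts


# Constructed records: one host beacons every 300 s to a dynamic-DNS name on 443
# with a non-TLS first packet; another host does ordinary HTTPS at irregular times.
TLS_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"
DEMO_RECORDS = [
    {"src": "10.0.0.5", "dst_host": "update.no-ip.org", "dst_port": 443,
     "ts": 1000 + 300 * i, "first_bytes": b"\x00\x00\x00\x1c\x01\x02\x03\x04"}
    for i in range(5)
] + [
    {"src": "10.0.0.7", "dst_host": "www.example.com", "dst_port": 443,
     "ts": ts, "first_bytes": TLS_HELLO}
    for ts in (1010, 1130, 1900, 2600, 2610)
]

if __name__ == "__main__":
    for pair, reasons in flag_callbacks(DEMO_RECORDS).items():
        print(pair, sorted(reasons))
```

Each indicator on its own is noisy (some legitimate software beacons, and not all port 443 traffic is TLS), so the verdict keeps the full reason set per pair rather than a single boolean; an analyst would tune `min_count` and `max_jitter` against their own traffic before alerting on beaconing alone.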
Malware Analysis
• What types of Malware Analysis should you do?
  – Static Analysis: signatures, heuristics
  – Dynamic Analysis: discrete object analysis, contextual analysis
Case Study: Operation Aurora Infection Cycle
[Diagram: desktop antivirus (losing the threat arms race), malicious Web server, callback server]
1. System gets exploited
   – Social engineering
   – Obfuscated JavaScript code
   – Exploited IE 6 zero-day vulnerability
2. Web server delivers malware
   – Servers mapped by dynamic DNS
   – XOR encoded malware EXE delivered
   – No signatures
3. Malware calls home and long-term control established
   – Complete control of infected system
   – Further payloads downloaded
   – C&C located in Taiwan
   – Using outbound port 443 (SSL)
Captured Aurora on Day Zero
Signature-less detection of zero-day attack
[Screenshot: decryption routine for “a.exe”; malicious binary download posing as JPG]
Captured Aurora on Day Zero
Decryption complete. MD5 of Hydraq.Trojan
Hydraq callback captured
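The Aurora slides above describe an XOR-encoded EXE delivered under a JPG name that the appliance decrypted to recover the Hydraq binary. As an added example (not FireEye's code and not the real Aurora sample or key), the Python below performs the same two checks statically: confirm that a file claiming to be a JPEG actually starts with the JPEG Start-Of-Image marker, and if it does not, try every single-byte XOR key looking for a DOS/PE header whose e_lfanew field points at a valid "PE\0\0" signature. The payload, the key 0x5A and the filename a.jpg are constructed for the demo.

```python
"""Added example for this page (not FireEye's code, not the real Aurora sample):
detect an XOR-encoded Windows executable delivered under an image filename.
The payload, the key 0x5A and the filename are constructed for the demo."""
import struct

JPEG_SOI = b"\xff\xd8\xff"   # every JPEG starts with the Start-Of-Image marker


def looks_like_jpeg(data: bytes) -> bool:
    return data[:3] == JPEG_SOI


def is_pe_image(data: bytes) -> bool:
    """DOS 'MZ' stub whose e_lfanew (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_xor_key(data: bytes):
    """Brute-force all 256 single-byte keys; return the one that reveals a PE, else None."""
    for key in range(256):
        if is_pe_image(xor_bytes(data, key)):
            return key
    return None


def classify_download(filename: str, data: bytes) -> dict:
    """Declared type vs. actual content vs. hidden PE, as one verdict record."""
    claims_image = filename.lower().endswith((".jpg", ".jpeg"))
    verdict = {
        "filename": filename,
        "claims_image": claims_image,
        "is_jpeg": looks_like_jpeg(data),
        "plain_pe": is_pe_image(data),
        "xor_key": None,
    }
    if not verdict["is_jpeg"] and not verdict["plain_pe"]:
        verdict["xor_key"] = find_xor_key(data)
    verdict["suspicious"] = ((claims_image and not verdict["is_jpeg"])
                             or verdict["plain_pe"]
                             or verdict["xor_key"] is not None)
    return verdict


def build_fake_pe() -> bytes:
    """Constructed stand-in for an EXE: 'MZ' stub, e_lfanew = 0x80, 'PE\\0\\0' at 0x80."""
    image = bytearray(b"MZ" + b"\x00" * 0x3A)        # DOS header up to e_lfanew
    image += struct.pack("<I", 0x80)                   # e_lfanew
    image += b"\x00" * (0x80 - len(image))             # DOS stub padding
    image += b"PE\x00\x00" + b"\x00" * 0x60            # NT signature + placeholder headers
    return bytes(image)


DEMO_KEY = 0x5A                                        # constructed; not Aurora's key
DEMO_DOWNLOAD = xor_bytes(build_fake_pe(), DEMO_KEY)   # what the "a.jpg" download would carry

if __name__ == "__main__":
    print(classify_download("a.jpg", DEMO_DOWNLOAD))
```

The e_lfanew check matters: a lone "MZ" after XOR can appear by chance across 256 candidate keys, whereas a consistent pointer to "PE\0\0" almost never does. This is a heuristic in the static-analysis sense used earlier on the page; a multi-byte or rolling key would defeat the brute force and would need the dynamic (sandbox) approach the Aurora slides describe.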
Requirements for APT Detection / Protection
1. Dynamic defenses to stop targeted, zero-day attacks
2. Real-time protection to block data exfiltration attempts
3. Accurate, low false positive rates
4. Global intelligence on advanced threats to protect the local network
Who is Mission Critical Systems? A Southeast-based information security solutions reseller and integrator, in business for over 15 years. Headquarters in South Florida with additional offices in Atlanta and Tampa.
Network and data security solutions are our only focus.
Representing 20+ best-of-breed security products at either Platinum/Elite or Gold level partner status. Our relationships and status with the manufacturers allow us to leverage significant resources and hold manufacturers accountable.
Sales consultants and engineers maintain manufacturer certifications to ensure we provide accurate information that helps customers achieve their security goals without purchasing unnecessary technologies.
We work on behalf of the customer to design the appropriate solution for their security needs, negotiate the best value, and ensure a successful project roll-out.
Professional Services
• Installation, Configuration and Support Services
• Security Assessment and Audits
• Vulnerability Scanning / Penetration Testing
• Web Application Assessment
• Secure Network Design
• Telephone Support Contracts
• Training
Thank You