FortiGuard: AI, Emerging Trends

Derek Manky, Chief of Security Insights & Global Threat Alliances
Posted on 22-Apr-2022

Page 1: FortiGuard: AI, Emerging Trends

FortiGuard: AI, Emerging Trends

Derek Manky

Chief of Security Insights & Global Threat Alliances

Page 2: FortiGuard: AI, Emerging Trends

FortiGuard Labs

Network, Multi-Cloud, Partner API, Email, Unified Access, IoT-Endpoint, Web Apps, Advanced Threat Protection, Management-Analytics

FortiGuard Labs delivers services and intelligence that protects and defends against the evolving threat landscape

Page 3: FortiGuard: AI, Emerging Trends


FORTIGUARD – GLOBAL THREAT RESPONSE

Page 4: FortiGuard: AI, Emerging Trends

Primary FDN / Secondary FDN / Vancouver DC

FortiGate, FortiMail, FortiClient, FortiManager

Antivirus, Anti-spam, Web Filtering, Intrusion Prevention, Anti-Botnet

Page 5: FortiGuard: AI, Emerging Trends


FortiGuard Threat Intelligence Partnerships

Industry – Collaboration & Innovation

Enterprise – Threat Research

Page 6: FortiGuard: AI, Emerging Trends


FortiGuard Threat Intelligence Partnerships

Law Enforcement & Government – Attribution

CERT – Disruption

Page 7: FortiGuard: AI, Emerging Trends


Volume of detection events, South Korea vs APAC (Q4 2018)

Threat Type   Total in South Korea (million)   Total in APAC (million)   Percentage
Virus         0.1                              5,017                     2%
IPS           2,113                            58,786                    3.6%
App           25,255                           431,908                   5.8%
Botnet        2                                263                       1%
Endpoint      0.007                            0.213                     3.2%

Page 8: FortiGuard: AI, Emerging Trends


Threat landscape comparison, South Korea vs APAC

• In APAC the manufacturing, technology and education sectors are the most affected by viruses
• In South Korea the technology sector is the most affected by viruses, but the MSP sector is most hit by intrusions
• Botnet activity is spread across all sectors almost equally

Page 9: FortiGuard: AI, Emerging Trends


[Chart: Variety of threats affecting South Korea (y-axis 0 to 250); series: Botnet, IDSS, IPS, Virus]

Page 10: FortiGuard: AI, Emerging Trends


Top intrusion activity in South Korea (percentage of detections, chart axis 0 to 60)

• TCP.Split.Handshake
• MS.IIS.WebDAV.PROPFIND.ScStoragePathFromUrl.Buffer.Overflow
• D-Link.DSL-2750B.CLI.OS.Command.Injection
• Apache.Struts.2.Jakarta.Multipart.Parser.Code.Execution
• Generic.JavaScript.Cryptocurrency.Mining.Script
• Oracle.WebLogic.Server.wls-wsat.Component.Code.Injection
• MS.Windows.HTTP.sys.Request.Handling.Remote.Code.Execution
• ZmEu.Vulnerability.Scanner
• Netcore.Netis.Devices.Hardcoded.Password.Security.Bypass
• Jenkins.CI.Server.XStream.Remote.Code.Execution
• Zyxel.Router.nslookup.Command.Injection
• Masscan.Scanner
• JAWS.DVR.CCTV.Shell.Unauthenticated.Command.Execution
• NETGEAR.DGN1000.CGI.Unauthenticated.Remote.Code.Execution
• Zivif.PR115-204-P-RS.Web.Cameras.Credentials.Disclosure
• Multiple.CCTV.DVR.Vendors.Remote.Code.Execution
• SonicWall.GMS.XMLRPC.set_time_zone.Remote.Code.Execution
• HTTP.URI.SQL.Injection

The majority are IoT-related attacks and server attacks

Page 11: FortiGuard: AI, Emerging Trends


COMPOUNDED CYBERCRIME

CRIMEWARE PRODUCERS
• Source code
• Junior developers: copy & paste
• Senior developers: exploits, packers, special platforms, mobile

CRIME SERVICES ENABLERS
• Quality assurance, crypters / packers, scanners
• Hosting, infections / drop zones, management
• Botnet rentals, installs / spam / SEO / DDoS
• Money mules, accounts receivable, consulting
• Affiliates, criminal organizations, sales, licensing, maintenance, partnerships
• Affiliate programs: FakeAV / ransomware / botnets

VICTIMS
• Bank accounts
• Credentials & data
• Digital real estate

EVOLVING ATTACK CAPABILITIES / THREAT LANDSCAPE

Page 12: FortiGuard: AI, Emerging Trends


The Accelerated Attack Chain

Automation & Swarm Decrease TTB (Time to Breach)

1. PLANNING
• Research target
• Build or acquire tools
• Test tools + detection

2. BREAK-IN
• Deliver remote exploits and malware
• Establish backdoors for commands

3. EXPAND
• Move laterally to increase system access
• Stronger foothold

4. GATHER
• Identify and collect sensitive data
• Staging server

5. EXFILTRATION
• Data exfiltration through command and control services to external network

SURVIVE… Or PROFIT?


Page 13: FortiGuard: AI, Emerging Trends


Autosploit – Building Swarms

• Shodan is a search engine that indexes open ports and services
• Attacker queries Shodan
• Attacker uses a list of known exploits to attack known IoT and other systems based on indexed queries given by Shodan
• Attackers then attack IoT or vulnerable systems directly, bypassing perimeter security features and gaining a foothold into internal networks

Page 14: FortiGuard: AI, Emerging Trends


Page 15: FortiGuard: AI, Emerging Trends


Ant Colony Optimization: Form of Swarm Intelligence

Shortest Path Between Nest and Food / Traveling Salesman Problem

Nodes lay synthetic pheromones along edges of their paths

History
• 1959: Stigmergy theory invented, behavior of nest building in termites
• 1989: Ant Colony Optimization algorithm is born
• Food behavior model implemented
• 1994: British Telecommunications Plc publishes first application of ACO to telecommunication networks

Applications include emergency vehicle response systems, planning & logistics, microchip manufacturing

Page 16: FortiGuard: AI, Emerging Trends


Software Examples: Swarm Robotics

Self Organizing Systems Research Group

Kilobots:
• Headless swarm, no leaders
• Follow a solutions-based approach
• Work by communication through peer nodes

Page 17: FortiGuard: AI, Emerging Trends


Botnet Building Blocks

Typical Botnet Components: Attacker (botmaster, herder), C&C Server, Zombies, Victim / target, Communications channels

Attacker → Control Server → Botnet Attack Nodes → Victim (Initiate Attack → Attack Traffic)

Page 18: FortiGuard: AI, Emerging Trends


Blackhat Swarms – Removing the C2

Next Generation Botnet 3.0: Swarm

What if botnets could utilize swarm intelligence? Largely accelerated attack chain; human out of the loop; strengthened blackhat hive

Botnet Attack Nodes → Victim (Attack Traffic)

Satori Botnet example: if a camera is hacked or under stress, it skips the system if better targets are found (pheromones)

Page 19: FortiGuard: AI, Emerging Trends


Hide and Seek

1) Seed the swarm (Autosploit)
2) Target is identified by swarm
3) Target is swarmed, penetrated
4) File information leaked through swarm (IP, etc.)

Message fragments: 'e' + IP:PORT; 's' + path; ‘m<data’ Y<data>’

Page 20: FortiGuard: AI, Emerging Trends


Intent Based Solutions: Swarm Networks

Mar 2018: Canonical ES Exploits Q*Bert

• Intent Based AI: Get More Points
• Q*Bert Designer Never Observed This Before
• Swarm Attacks Will Follow This Path

Page 21: FortiGuard: AI, Emerging Trends


FORTIGUARD ARTIFICIAL INTELLIGENCE

Page 22: FortiGuard: AI, Emerging Trends


System Training

FEATURES REPOSITORY / TRAINING FILES

1. We start with FortiGuard AI and an empty feature repository
2. A training set of files is input, consisting of clean and malicious files. Files are labeled for initial training
3. FortiGuard AI logic determines commonality of files and builds the feature set
4. Features are modified as the system learns (weighting values, next phase)

FortiGuard AI

Page 23: FortiGuard: AI, Emerging Trends


System Testing

TESTING FILES / FEATURES REPOSITORY / OUTPUT: MALICIOUS or CLEAN / RESULTS EXAMINED

1. Test samples are selected and input to the system
2. Using the feature repository, samples are analyzed
3. As this occurs, existing features may get modified or others added
4. The system determines clean or malicious output
5. Output is compared to expected results. If not accurate, reset to known point and retrain

FortiGuard AI

Page 24: FortiGuard: AI, Emerging Trends


FortiGuard AI in Operation

INPUT: RAW SAMPLES → OUTPUT: MALICIOUS / CLEAN

Feature Set Improvements

FEATURES
• Quantity: stabilized number
• Quality: weighting confidence
• Continued accuracy to a high degree of confidence

Page 25: FortiGuard: AI, Emerging Trends


Protect. Disrupt. Elevate.

For more information on becoming a CTA member, reach out to: [email protected]

Page 26: FortiGuard: AI, Emerging Trends


Who We Are

ABOUT CTA

Our members include some of the leading cybersecurity providers from around the world, representing many different approaches and points of view.


Charter Members

Affiliate Members

Contributing Members

Page 27: FortiGuard: AI, Emerging Trends


Board of Directors – Founding Members

Mark McLaughlin, Greg Clark, Ken Xie, Chris Young, Martin Roesch, Gil Shwed

Michael J. Daniel – CEO & President

Page 28: FortiGuard: AI, Emerging Trends


Protect End-Users

ABOUT CTA

Global Impact

CTA is the industry’s first formally organized group of cybersecurity practitioners that work together in good faith to share threat information and improve global defenses against advanced cyber adversaries; ultimately, protecting customers in real-time.

CTA SHARED PLATFORM

Page 29: FortiGuard: AI, Emerging Trends


Disrupt Malicious Actors


Sharing information to enable more rapid deployment of protections

CTA enables members to share sensitive information on malicious activity, allowing members to bring together analytic insights on the activity, protect their customers as quickly as possible, and systematically disrupt adversary activity.

ABOUT CTA

VPNFilter : CTA IN ACTION

Cisco shared malware samples and analytic findings

CTA members used this information to develop protections

CTA members published their own findings and analysis, amplifying Cisco’s messaging

Members continue to collaborate through CTA, providing a forum for sharing new insights

Page 30: FortiGuard: AI, Emerging Trends

CTA Joint Analysis – The Illicit Cryptocurrency Mining Threat

CTA members worked together to highlight the new and growing threat from illicit cryptocurrency mining, using correlated, shared threat intelligence and a collaborative analytic process

Cryptocurrency malware detections by CTA members jumped 459 percent between 2017 and 2018, indicating an enormous expansion of this threat to customers around the world

Page 31: FortiGuard: AI, Emerging Trends
Page 32: FortiGuard: AI, Emerging Trends

THANK YOU !