TRANSCRIPT
FortiGuard: AI, Emerging Trends
Derek Manky
Chief of Security Insights & Global Threat Alliances
FortiGuard Labs
Service areas: Network, Multi-Cloud, Partner API, Email, Unified Access, IoT-Endpoint, Web Apps, Advanced Threat Protection, Management-Analytics.
FortiGuard Labs delivers services and intelligence that protect and defend against the evolving threat landscape.
FORTIGUARD – GLOBAL THREAT RESPONSE
Diagram: Primary FDN, Secondary FDN and the Vancouver DC on one side; the products FortiGate, FortiMail, FortiClient and FortiManager on the other; services shown: Antivirus, Anti-spam, Web Filtering, Intrusion Prevention, Anti-Botnet.
FortiGuard Threat Intelligence Partnerships
• Industry – Collaboration & Innovation
• Enterprise – Threat Research
• Law Enforcement & Government – Attribution
• CERT – Disruption
Threat Type   Total in South Korea (million)   Total in APAC (million)   Percentage
Virus         0.1                              5,017                     2%
IPS           2113                             58,786                    3.6%
App           25255                            431908                    5.8%
Botnet        2                                263                       1%
Endpoint      0.007                            0.213                     3.2%
Volume of detection events, South Korea vs APAC (Q4 2018)
Threat landscape comparison South Korea vs APAC
• In APAC the manufacturing, technology and education sectors are the most affected by viruses
• In South Korea the technology sector is the most affected by viruses, but the MSP sector is most hit by intrusions
• Botnet activity is spread across all sectors almost equally
Variety of threats affecting South Korea (chart; categories: Botnet, IDSS, IPS, Virus; vertical axis 0 to 250)
Top intrusion activity in South Korea (chart; horizontal axis: percentage, 0 to 60)
• TCP.Split.Handshake
• MS.IIS.WebDAV.PROPFIND.ScStoragePathFromUrl.Buffer.Overflow
• D-Link.DSL-2750B.CLI.OS.Command.Injection
• Apache.Struts.2.Jakarta.Multipart.Parser.Code.Execution
• Generic.JavaScript.Cryptocurrency.Mining.Script
• Oracle.WebLogic.Server.wls-wsat.Component.Code.Injection
• MS.Windows.HTTP.sys.Request.Handling.Remote.Code.Execution
• ZmEu.Vulnerability.Scanner
• Netcore.Netis.Devices.Hardcoded.Password.Security.Bypass
• Jenkins.CI.Server.XStream.Remote.Code.Execution
• Zyxel.Router.nslookup.Command.Injection
• Masscan.Scanner
• JAWS.DVR.CCTV.Shell.Unauthenticated.Command.Execution
• NETGEAR.DGN1000.CGI.Unauthenticated.Remote.Code.Execution
• Zivif.PR115-204-P-RS.Web.Cameras.Credentials.Disclosure
• Multiple.CCTV.DVR.Vendors.Remote.Code.Execution
• SonicWall.GMS.XMLRPC.set_time_zone.Remote.Code.Execution
• HTTP.URI.SQL.Injection
The majority are IoT-related attacks and server attacks.
COMPOUNDED CYBERCRIME
Diagram of the cybercrime ecosystem:
• Crimeware producers: source code from junior developers (copy & paste) and senior developers; exploits, packers, special platforms, mobile
• Crime services enablers: quality assurance, crypters / packers, scanners, hosting, infections / drop zones, management, botnet rentals, installs / spam / SEO / DDoS, money mules, accounts receivable, consulting
• Affiliates and criminal organizations: sales, licensing, maintenance, partnerships; affiliate programs (FakeAV / ransomware / botnets)
• Victims: bank accounts, credentials & data, digital real estate
EVOLVING ATTACK CAPABILITIES / THREAT LANDSCAPE
The Accelerated Attack Chain
Automation & swarm decrease TTB (Time to Breach)
1. PLANNING
   • Research target
   • Build or acquire tools
   • Test tools + detection
2. BREAK-IN
   • Deliver remote exploits and malware
   • Establish backdoors for commands
3. EXPAND
   • Move laterally to increase system access
   • Stronger foothold
4. GATHER
   • Identify and collect sensitive data
   • Staging server
5. EXFILTRATION
   • Data exfiltration through command and control services to external network
SURVIVE… Or PROFIT?
Autosploit – Building Swarms
• Shodan is a search engine that indexes open ports and services
• The attacker queries Shodan
• The attacker uses a list of known exploits to attack known IoT and other systems based on the indexed results returned by Shodan
• Attackers then attack IoT or vulnerable systems directly, bypassing perimeter security features and gaining a foothold in internal networks
Ant Colony Optimization: a form of swarm intelligence
Examples: shortest path between nest and food; the Traveling Salesman Problem
Nodes lay synthetic pheromones along the edges of their paths
History
• 1959: Stigmergy theory invented, describing nest-building behavior in termites
• 1989: Ant Colony Optimization algorithm is born
• Food behavior model implemented
• 1994: British Telecommunications Plc publishes first application of ACO to telecommunication networks
Applications include emergency vehicle response systems, planning & logistics, microchip manufacturing
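An added worked example (not from the presentation) of the mechanism the slide describes: ants build tours, lay synthetic pheromone on the edges they used in proportion to tour quality, and trails evaporate, so the colony converges on a short Traveling Salesman tour. The six-city instance, the parameter values and the brute-force check are constructed here.

```python
import math
import random
from itertools import permutations

# Constructed six-city instance (x, y). The points are in convex position, so
# the optimal tour is the polygon boundary: a useful check on the colony.
CITIES = [(0, 0), (2, 0), (3, 1.5), (2, 3), (0, 3), (-1, 1.5)]
DIST = [[math.dist(a, b) for b in CITIES] for a in CITIES]

def tour_length(tour, dist):
    """Length of the closed tour (the last city returns to the first)."""
    return sum(dist[tour[i]][tour[(i + 1) % len(tour)]] for i in range(len(tour)))

def build_tour(dist, pheromone, alpha, beta, rng):
    """One ant walks the graph; the next unvisited city is drawn with probability
    proportional to pheromone^alpha * (1/distance)^beta (trail strength x nearness)."""
    n = len(dist)
    tour = [rng.randrange(n)]
    unvisited = set(range(n)) - {tour[0]}
    while unvisited:
        cur, cands = tour[-1], sorted(unvisited)
        weights = [pheromone[cur][c] ** alpha / dist[cur][c] ** beta for c in cands]
        nxt = rng.choices(cands, weights=weights)[0]
        tour.append(nxt)
        unvisited.remove(nxt)
    return tour

def ant_colony_tsp(dist, n_ants=10, n_iter=40, alpha=1.0, beta=2.0, rho=0.5, seed=7):
    """Ant Colony Optimization for the TSP; returns (best_tour, best_length)."""
    rng, n = random.Random(seed), len(dist)
    pheromone = [[1.0] * n for _ in range(n)]  # every edge starts with an equal trail
    best_tour, best_len = None, math.inf
    for _ in range(n_iter):
        tours = [build_tour(dist, pheromone, alpha, beta, rng) for _ in range(n_ants)]
        # Evaporation: all trails fade, so edges no ant reinforces are forgotten.
        pheromone = [[p * (1 - rho) for p in row] for row in pheromone]
        # Deposit: each ant lays pheromone on its tour's edges, more for shorter tours.
        for tour in tours:
            length = tour_length(tour, dist)
            if length < best_len:
                best_tour, best_len = tour, length
            for i in range(n):
                a, b = tour[i], tour[(i + 1) % n]
                pheromone[a][b] += 1.0 / length
                pheromone[b][a] += 1.0 / length
    return best_tour, best_len

def brute_force_length(dist):
    """Exact optimum by enumeration (fine for six cities), used to check the colony."""
    return min(tour_length((0,) + p, dist) for p in permutations(range(1, len(dist))))
```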
Software Examples: Swarm Robotics
Self-Organizing Systems Research Group
• Kilobots: headless swarm, no leaders
• Follow a solutions-based approach
• Work by communication through peer nodes
Botnet Building Blocks
Typical botnet components: attacker (botmaster, herder), C&C server, zombies, victim / target, communications channels
Diagram: Attacker → Control Server → Botnet Attack Nodes → Victim (initiate attack; attack traffic)
Blackhat Swarms – Removing the C2
Next Generation Botnet 3.0: Swarm
What if botnets could utilize swarm intelligence? A largely accelerated attack chain, the human out of the loop, and a strengthened blackhat hive.
Diagram: Botnet Attack Nodes → Victim (attack traffic); the control server is gone
Satori botnet example: if a camera is hacked or under stress, the swarm skips that system when better targets are found (pheromones)
Hide and Seek
Message formats: 'e' + IP:PORT; 's' + path; 'm<data' Y<data>'
1) Seed the swarm (Autosploit)
2) Target is identified by swarm
3) Target is swarmed, penetrated
4) File information leaked through swarm (IP, etc)
Intent Based Solutions: Swarm Networks
Mar 2018: Canonical ES exploits Q*Bert
• Intent-based AI: get more points
• The Q*Bert designer never observed this before
• Swarm attacks will follow this path
FORTIGUARD ARTIFICIAL INTELLIGENCE
System Training
Diagram: training files feed FortiGuard AI, which builds the features repository.
1. We start with FortiGuard AI and an empty feature repository
2. A training set of files is input, consisting of clean and malicious files. Files are labeled for initial training
3. FortiGuard AI logic determines commonality of files and builds the feature set
4. Features are modified as the system learns (weighting values, next phase)
System Testing
Diagram: testing files are input to FortiGuard AI, which consults the features repository and outputs MALICIOUS or CLEAN; the results are examined.
1. Test samples are selected and input to the system
2. Using the feature repository, samples are analyzed
3. As this occurs, existing features may get modified or others added
4. The system determines clean or malicious output
5. Output is compared to expected results. If not accurate, reset to a known point and retrain
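An added illustration (not FortiGuard's code) of the train, test and reset-to-known-point loop the two slides describe, using a toy byte-3-gram feature repository with per-feature (malicious, clean) counts as the weighting; the sample files, the voting rule and the 0.75 accuracy gate are constructed assumptions.

```python
import copy
# Constructed sample "files": short byte strings standing in for real binaries.
TRAIN = [(b"hello world text", "clean"), (b"plain readme file", "clean"),
         (b"xorloop shellcode", "malicious"), (b"dropper shellcode", "malicious")]
TEST = [(b"plain text", "clean"), (b"readme file", "clean"),
        (b"packed shellcode", "malicious"), (b"shellcode xorloop", "malicious")]
# A mislabeled batch: clean files tagged malicious, repeated so it dominates.
POISONED = [(b"plain text", "malicious"), (b"readme file", "malicious")] * 5

def extract_features(data, n=3):
    """Byte 3-grams stand in for the 'commonality' features the slides describe."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}

def train(repo, samples):
    """Steps 2-4: fold labeled samples into the repository as (malicious, clean) counts."""
    for data, label in samples:
        for f in extract_features(data):
            mal, clean = repo.get(f, (0, 0))
            repo[f] = (mal + (label == "malicious"), clean + (label == "clean"))

def classify(repo, data):
    """Each known feature votes with its (mal - clean) / (mal + clean) ratio."""
    score = 0.0
    for f in extract_features(data):
        mal, clean = repo.get(f, (0, 0))
        if mal + clean:
            score += (mal - clean) / (mal + clean)
    return "malicious" if score > 0 else "clean"

def accuracy(repo, samples):
    """Step 5: fraction of test samples whose output matches the expected label."""
    return sum(classify(repo, d) == lbl for d, lbl in samples) / len(samples)

def training_cycle(repo, train_samples, test_samples, min_accuracy=0.75):
    """Train on a batch and test; on a regression, reset the repository to the
    checkpoint taken before the batch (the 'known point') so it is never degraded."""
    checkpoint = copy.deepcopy(repo)
    train(repo, train_samples)
    acc = accuracy(repo, test_samples)
    if acc < min_accuracy:
        repo.clear()
        repo.update(checkpoint)
    return acc, acc >= min_accuracy

def run_demo():
    repo = {}
    acc1, ok1 = training_cycle(repo, TRAIN, TEST)        # good batch: accepted
    known_point = copy.deepcopy(repo)
    acc2, ok2 = training_cycle(repo, POISONED, TEST)     # bad batch: rolled back
    return acc1, ok1, acc2, ok2, repo == known_point
```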
FortiGuard AI in Operation
Diagram: raw samples are input and classified as MALICIOUS or CLEAN.
Feature set improvements: quantity and quality of features; stabilized number; weighting confidence; continued accuracy to a high degree of confidence.
Protect. Disrupt. Elevate.
For more information on becoming a CTA member, reach out to: [email protected]
Who We Are
ABOUT CTA
Our members include some of the leading cybersecurity providers from around the world, representing many different approaches and points of view.
Member categories: Charter Members, Affiliate Members, Contributing Members
Board of Directors - Founding Members
Mark McLaughlin, Greg Clark, Ken Xie, Chris Young, Martin Roesch, Gil Shwed
Michael J. Daniel – CEO & President
Protect End-Users
ABOUT CTA
Global Impact
CTA is the industry's first formally organized group of cybersecurity practitioners that work together in good faith to share threat information and improve global defenses against advanced cyber adversaries, ultimately protecting customers in real time.
CTA SHARED PLATFORM
Disrupt Malicious Actors
ABOUT CTA
Sharing information to enable more rapid deployment of protections
CTA enables members to share sensitive information on malicious activity, allowing members to bring together analytic insights on the activity, protect their customers as quickly as possible, and systematically disrupt adversary activity.
VPNFilter: CTA IN ACTION
• Cisco shared malware samples and analytic findings
• CTA members used this information to develop protections
• CTA members published their own findings and analysis, amplifying Cisco's messaging
• Members continue to collaborate through CTA, providing a forum for sharing new insights
CTA Joint Analysis – The Illicit Cryptocurrency Mining Threat
CTA members worked together to highlight the new and growing threat from illicit cryptocurrency mining, using correlated, shared threat intelligence and a collaborative analytic process.
Cryptocurrency malware detections by CTA members jumped 459 percent between 2017 and 2018, indicating an enormous expansion of this threat to customers around the world.
THANK YOU!