Advanced Persistent Threats – A Technical Analysis
“Move from Reactive to Proactive”
Lau Boon Peng, CISSP, Sr Channel SE – South Asia Pacific
Copyright (c) 2012, FireEye, Inc. All rights reserved. | CONFIDENTIAL 1
FireEye, Inc.
The New Threat Landscape
• # of threats are up 5X
• Nature of threats changing – From broad to targeted
• Advanced attacks accelerating – High profile victims common (e.g., RSA, Symantec, Google)
[Chart: damage of attacks vs. time, 2004 to 2012. Labels: Viruses, Worms, Disruption, Spyware/Bots, Cybercrime, Stealth Bots, Dynamic Trojans, Cyber-espionage and Cybercrime, Zero-day Targeted Attacks, Advanced Persistent Threats]
“Organizations face an evolving threat scenario that they are ill-prepared to deal with….advanced threats that have bypassed their traditional security protection techniques and reside undetected on their systems.”
Gartner, 2012
Defining Next Generation Threats
There is a new breed of attacks that are advanced, zero-day, and targeted.
• Uses zero-day exploits, commercial quality toolkits, and social engineering
• Utilizes advanced techniques and/or malware
• Often targets IP, credentials
• Spreads laterally throughout network
[Diagram: Advanced Targeted Attack – Stealthy, Unknown and Zero Day, Targeted, Persistent; Traditional – Open, Known and Patchable, Broad, One Time]
Attacks Increasingly Sophisticated
• Dynamic Web Attacks
• Malicious Exploits
• Spear Phishing Emails
Multi-Vector: Web, email or files
Multi-Stage: Exploit to exfiltration
The Advanced Attack Lifecycle – Multiple Stages
[Diagram: Public Internet (compromised Web server or Web 2.0 site), Drop Zones, Command and Control, and the Enterprise]
1. Initial Request
2. Infected Content
3. Call Back
4. Updated Exploits
5. Further Infection (Attack & Spread)
Typical Enterprise Security Architecture
• Firewalls/NGFW
• IPS
• Secure Web Gateways
• Anti-Spam Gateways
• Desktop AV
[Diagram: APT traffic passing each of these controls]
The Enterprise Security Hole
[Diagram: attack vectors vs. controls in place (NGFW, FW, IPS, SWG, AV); each vector passes through the layers and lands in the “Security Hole”]
Attack Vector:
• Web-based Attacks
• Spear Phishing Emails
• Malicious Files
Public Spear Phishing Examples
Spear Phishing: The Preferred Intrusion Method
[Diagram: Anti-Spam Gateway, Desktop antivirus, DMZ, Mail Servers, Callback Server]
1. Spear phish attack exploits PC
   • More than 50% use malicious URLs
   • Attachments: PDF, PPT, XLS and DOC
   • Targeted mid- & high-level energy execs
   • Also targeted vendors (Investment Bankers, Oil & Gas Service companies)
2. Back door opened & lateral spread
   • ZIP file on Windows 7; exploit code executed when ZIP opened
   • Exploit in ZIP; callbacks related to RSA intrusion
   • Second phase objects and callbacks linked to initial exploit
3. Data exfiltration commences
   • Sensitive data, passwords
Losing the threat arms race
VirusTotal is Helpful for Investigations
RSA Spear Phish (H/T @mikko)
Social Networks are a Data Gold Mine
We Are Only Seeing the Tip of the Iceberg
Headline grabbing attacks
Thousands more below the surface: APT Attacks, Zero-Day Attacks, Polymorphic Attacks, Targeted Attacks
The Degree of Compromise is Significant
[Chart: percent of deployments vs. infections/week at normalized bandwidth (1 Gbps and 5 Gbps); x-axis 10 to 100,000 incidents/week/Gbps]
• 98.5% of deployments see at least 10 incidents/week/Gbps
• Median is about 450 incidents/week/Gbps
• 20% of deployments have thousands of incidents/week/Gbps
Source: FireEye Advanced Threat Report, Feb. 2012
450 Median Net New Infections Per Week at Only 1 Gbps!
Dynamism of Malware: Binary MD5s
Industries Most Affected by Advanced Threats
APT Threat Actors & Surprising Collusions
Advanced Persistent Threat (APT) Actors
• APT Actors (nation state threats)
• Crimeware Actors (cyber crime gangs)
• Hacktivists (Anonymous, LulzSec)
Advanced Threat Actors & Crimeware Actors
[Diagram: APT Actors and Crimeware Actors trading with each other]
• Sell “used” zero-day exploits that became known too widely
• Sell compromised systems (access & control over)
Case Study: Wermud Trojan
• [March 2011] Created and used by APT actors
• [15 March 2011] FireEye created callback rules
• [April 2011] Wermud passed to crimeware by APT actors
• [June 2011] Seen used by FakeAV (crimeware)
Example of Bypassing Traditional Security
Basic Evasion Tactics
Builders Used In Team Attacks. H/T alienvault + threatexpert
Anti-Virus Evasion is Done through Simplicity
Callbacks Done Through Legitimate Channels
Blogs are Free to Set up
The Point?
• Advanced targeted attacks run rampant inside networks, easily infiltrating existing defenses
• Advanced targeted attacks can occur as unique exploits, e.g. Aurora and RSA attacks
• BUT, if you have a fair amount of common malware infections (crimeware), you may never see unique targeted APT attacks
• APT actors may simply leverage existing crimeware backdoors
• Therefore, you still have to respond to the low grade attacks, because they can become high grade for a valuable target
5 Criteria for Advanced Threat Protection
1. Dynamic, signature-less engine to detect & block zero-day and targeted inbound attacks (as used by APT actors, crimeware actors, and Hacktivists)
2. Real-time protection to stop data exfiltration
3. Integrated, cross-protocol Web & Email inbound infection and outbound callback protection
4. Accurate, no tuning, and very low false positive rate
5. Global malware intelligence for sharing threat indicators to block zero-day malware & latest callback channels
Cyber Security = Proactive
FireEye Malware Protection System
Complete Protection Against Advanced Targeted Attacks
• Integrated solution to combat advanced malware across multiple vectors, like Web, Email and File Shares
• Exploit, callback, and payload analysis to address all stages of attack lifecycle
• Malware forensics complements real-time protections with deep malware intelligence
• Systems share real-time malware intelligence locally and globally
[Diagram: Web Malware Protection System, Email Malware Protection System, File Malware Protection System]
Thank You
Twitter @fireeye
www.fireeye.com
Contact us online for a complimentary security assessment. You’ll find out if you are infected and what to do about it.
Sign Up for a Free FireEye Security Assessment
http://www.fireeye.com/stopapts