Advanced Persistent Threats – A Technical Analysis

Transcript of Advanced Persistent Threats – A Technical Analysis

Page 1:

Advanced Persistent Threats – A Technical Analysis

“Move from Reactive to Proactive”

Lau Boon Peng, CISSP, Sr Channel SE – South Asia Pacific

Copyright (c) 2012, FireEye, Inc. All rights reserved. | CONFIDENTIAL 1

FireEye, Inc.

Page 2:

The New Threat Landscape

• # of threats are up 5X

• Nature of threats changing – From broad to targeted

• Advanced attacks accelerating – High profile victims common (e.g., RSA, Symantec, Google)

[Figure: damage of attacks over 2004–2012, rising from Worms and Viruses (Disruption) and Spyware/Bots to Advanced Persistent Threats, Zero-day Targeted Attacks, Dynamic Trojans and Stealth Bots (Cyber-espionage and Cybercrime)]

“Organizations face an evolving threat scenario that they are ill-prepared to deal with….advanced threats that have bypassed their traditional security protection techniques and reside undetected on their systems.”

Gartner, 2012

Page 3:

Defining Next Generation Threats

The New Threat Landscape: There is a new breed of attacks that are advanced, zero-day, and targeted

• Uses zero-day exploits, commercial quality toolkits, and social engineering

• Utilizes advanced techniques and/or malware

• Often targets IP, credentials

• Spreads laterally throughout network

[Figure: Advanced Targeted Attack (ADVANCED: Stealthy; Unknown and Zero Day; Targeted; Persistent) contrasted with TRADITIONAL (Open; Known and Patchable; Broad; One Time)]

Page 4:

Attacks Increasingly Sophisticated

Dynamic Web Attacks, Malicious Exploits, Spear Phishing Emails

Multi-Vector • Web, email or files

Multi-Stage • Exploit to exfiltration

Page 5:

The Advanced Attack Lifecycle – Multiple Stages

[Figure: attack lifecycle between the Public Internet (compromised Web server or Web 2.0 site, Drop Zones, Command and Control) and the Enterprise, in stages: Initial Request, Infected Content, Callback, Updated Exploits, Further Infection, Attack & Spread]

Page 6:

Typical Enterprise Security Architecture

[Figure: Firewalls/NGFW, IPS, Secure Web Gateways, Anti-Spam Gateways and Desktop AV, with APT marked at each of them]

Page 7:

The Enterprise Security Hole

[Figure: Attack Vector against controls – Web-based Attacks: NGFW, FW, IPS; Spear Phishing Emails; Malicious Files: SWG, AV – each vector ending in a SECURITY HOLE]

Page 8:

Public Spear Phishing Examples

Page 9:

Spear Phishing: The Preferred Intrusion Method

1. Spear phish attack exploits PC – More than 50% use malicious URLs; Attachments: PDF, PPT, XLS and DOC; Targeted mid- & high-level energy execs; Also targeted Vendors (Investment Bankers, Oil & Gas Service companies)

2. Back door opened & lateral spread – ZIP file on Windows 7; Exploit code executed when ZIP opened; Exploit in ZIP; Callbacks related to RSA intrusion; Second phase objects and callbacks linked to initial exploit

3. Data exfiltration commences – Sensitive data, Passwords

[Figure: Spear Phishing Email passes the Anti-Spam Gateway and Desktop antivirus, through the DMZ and Mail Servers, and reaches out to a Callback Server]

Losing the threat arms race
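Step 2 on this slide (callbacks linked to the initial exploit) and criterion 3 on slide 28 (inbound infection tied to outbound callback) describe one correlation; the Python below is an added illustration, not FireEye's code, of how a defender can make that link from mail-gateway and proxy logs by behaviour alone, without domain reputation, which matters because slides 24–26 note that callbacks ride legitimate channels such as free blogs. The log format, hostnames, domains and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import pstdev

# Constructed log lines (not real data): "timestamp host kind detail";
# attach = mail gateway delivered an attachment, web = outbound proxy request.
LOGS = """
2012-03-01T08:55:00 host7 web mail.example.org
2012-03-01T09:00:00 host7 attach quarterly-report.zip
2012-03-01T09:02:10 host7 web updates.blogsite.test
2012-03-01T09:12:10 host7 web updates.blogsite.test
2012-03-01T09:22:10 host7 web updates.blogsite.test
2012-03-01T09:32:10 host7 web updates.blogsite.test
2012-03-01T09:05:00 host9 attach invoice.pdf
2012-03-01T09:30:00 host9 web mail.example.org
2012-03-01T15:00:00 host9 web news.example.net
""".strip().splitlines()

def parse(lines):
    """Sorted (ts, host, kind, detail) tuples from the constructed format."""
    events = []
    for line in lines:
        ts, host, kind, detail = line.split()
        events.append((datetime.fromisoformat(ts), host, kind, detail))
    return sorted(events)

def find_linked_callbacks(lines, window=timedelta(hours=2), min_hits=3, max_jitter=60.0):
    """(host, attachment, domain, interval_s) for each delivery followed within
    `window` by >= min_hits requests from that host to a domain nobody had contacted
    before the delivery, spaced at a near-constant interval (beaconing). No domain
    reputation is used: a free blog works as a callback channel as well as any C2."""
    events = parse(lines)
    findings = []
    for d_ts, d_host, kind, attachment in events:
        if kind != "attach":
            continue
        # Domains anyone in the organisation already talked to before this delivery.
        baseline = {d for ts, _, k, d in events if k == "web" and ts < d_ts}
        after = defaultdict(list)
        for ts, host, k, domain in events:
            if (host == d_host and k == "web" and domain not in baseline
                    and d_ts < ts <= d_ts + window):
                after[domain].append(ts)
        for domain, stamps in after.items():
            if len(stamps) < min_hits:
                continue
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            if pstdev(gaps) <= max_jitter:  # regular spacing = beaconing
                findings.append((d_host, attachment, domain, round(sum(gaps) / len(gaps))))
    return findings
```

On the constructed logs only host7 is flagged: its four evenly spaced requests to a domain first seen right after the ZIP arrived, while host9's single later request to a new domain is not.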

Page 10:

VirusTotal is Helpful for Investigations

Page 11:

RSA Spear Phish (H/T @mikko)

Page 12:

Social Networks are a Data Gold Mine

Page 13:

We Are Only Seeing the Tip of the Iceberg

HEADLINE GRABBING ATTACKS

THOUSANDS MORE BELOW THE SURFACE: APT Attacks, Zero-Day Attacks, Polymorphic Attacks, Targeted Attacks

Page 14:

The Degree of Compromise is Significant

[Figure: Infections/Week at Normalized Bandwidth – Percent of Deployments (0–100%) against incidents/week/Gbps (10 to 100,000, log scale), for 1 Gbps and 5 Gbps]

98.5% of deployments see at least 10 incidents/week/Gbps

Median is about 450 incidents/week/Gbps

20% of deployments have thousands of incidents/week/Gbps

Source: FireEye Advanced Threat Report, Feb. 2012

450 Median Net New Infections Per Week at Only 1 Gbps!

Page 15:

Dynamism of Malware: Binary MD5s

Page 16:

Industries Most Affected by Advanced Threats

Page 17:

APT Threat Actors & Surprising Collusions

Page 18:

Advanced Persistent Threat (APT) Actors

APT Actors (nation state threats)

Crimeware Actors (cyber crime gangs)

Hacktivists (Anonymous, LulzSec)

Page 19:

Advanced Threat Actors & Crimeware Actors

Between APT Actors and Crimeware Actors:

• Sell “used” zero-day exploits that became known too widely

• Sell compromised systems (access & control over)

Page 20:

Case Study: Wermud Trojan

[March 2011] Created and used by APT actors

[15 March 2011] FireEye created callback rules

[April 2011] Wermud passed to crimeware by APT actors

[June 2011] Seen used by FakeAV (crimeware)

Page 21:

Example of Bypassing Traditional Security

Basic Evasion Tactics

Page 22:

Builders Used In Team Attacks. H/T alienvault + threatexpert

Page 23:

Anti-Virus Evasion is Done through Simplicity

Page 24:

Callbacks Done Through Legitimate Channels

Page 25:

Callbacks Done Through Legitimate Channels

Page 26:

Blogs are Free to Set up

Page 27:

The Point?

• Advanced targeted attacks run rampant inside networks, easily infiltrating existing defenses

• Advanced targeted attacks can occur as unique exploits, e.g. Aurora and RSA attacks

• BUT, if you have a fair amount of common malware infections (crimeware), you may never see unique targeted APT attacks

• APT actors may simply leverage existing crimeware backdoors

• Therefore, you still have to respond to the low grade attacks, because they can become high grade for a valuable target

Page 28:

5 Criteria for Advanced Threat Protection

1. Dynamic, signature-less engine to detect & block zero-day and targeted inbound attacks (as used by APT actors, crimeware actors, and Hacktivists)

2. Real-time protection to stop data exfiltration

3. Integrated, cross-protocol Web & Email inbound infection and outbound callback protection

4. Accurate, no tuning, and very low false positive rate

5. Global malware intelligence for sharing threat indicators to block zero-day malware & latest callback channels

Page 29:

Cyber Security = Proactive

Page 30:

FireEye Malware Protection System

Complete Protection Against Advanced Targeted Attacks

• Integrated solution to combat advanced malware across multiple vectors, like Web, Email and File Shares

• Exploit, callback, and payload analysis to address all stages of attack lifecycle

• Malware forensics complements real-time protections with deep malware intelligence

• Systems share real-time malware intelligence locally and globally

[Figure: Web Malware Protection System, Email Malware Protection System, File Malware Protection System]

Page 31:

Thank You

Twitter @fireeye

www.fireeye.com

Contact us online for a complimentary security assessment. You’ll find out if you are infected and what to do about it.

Page 32:

Sign Up for a Free FireEye Security Assessment

http://www.fireeye.com/stopapts