Copyright (c) 2012, FireEye, Inc. All rights reserved. | CONFIDENTIAL

Page 1: Next Generation Threat Protection

Randy Lee – Sr. SE Manager

Page 2: The Acceleration of Advanced Targeted Attacks

• # of threats are up 5X
• Nature of threats changing
  – From broad, scattershot to advanced, targeted, persistent
• Advanced attacks accelerating
  – High profile victims common (e.g., RSA, Symantec, Google)
  – Numerous APT attacks like Operation Aurora, Shady RAT, GhostNet, Night Dragon, Nitro

“Organizations face an evolving threat scenario that they are ill-prepared to deal with… advanced threats that have bypassed their traditional security protection techniques and reside undetected on their systems.”

Gartner, 2012

[Figure: Damage of Attacks over time, 2004 to 2012. Disruption era: Worms, Viruses. Cybercrime era: Spyware/Bots, Stealth Bots. Cyber-espionage and Cybercrime era: Zero-day Targeted Attacks, Dynamic Trojans, Advanced Persistent Threats]

Page 3: High Profile Attacks are Increasingly Common

Coke Gets Hacked And Doesn’t Tell Anyone

By Ben Elgin, Dune Lawrence & Michael Riley - Nov 4, 2012 6:01 PM ET

Hackers had broken into the company’s computer systems and were pilfering sensitive files about its attempted $2.4 billion acquisition of China Huiyuan Juice Group (1886), according to three people familiar with the situation and an internal company document detailing the cyber intrusion. The Huiyuan deal, which collapsed three days later, would have been the largest foreign takeover of a Chinese company at the time.

Page 4: We are Only Seeing the Tip of the Iceberg

Headline Grabbing Attacks

Thousands More Below the Surface:
• APT Attacks
• Zero-Day Attacks
• Polymorphic Attacks
• Targeted Attacks

Page 5: Traditional Defenses Don’t Work

Advanced attacks bypass both signature and heuristics-based technologies in existing IT security defenses.

Networks Are Being Compromised as APTs Easily Bypass Traditional Signature-Based Defenses Like NGFW, IPS, AV, and Gateways

Page 6: Defining Advanced Targeted Attacks

• Utilizes advanced techniques and/or malware
  – Unknown
  – Targeted
  – Polymorphic
  – Dynamic
  – Personalized
• Uses zero-day exploits, commercial quality toolkits, and social engineering
• Often targets IP and credentials, and often spreads laterally throughout the network
• AKA—Advanced Persistent Threat (APT)

[Figure: Advanced Targeted Attack vs. Traditional attack. Advanced: Stealthy, Unknown and Zero Day, Targeted, Persistent. Traditional: Open, Known and Patchable, Broad, One Time]

The New Threat Landscape: There is a new breed of attacks that are advanced, zero-day, and targeted.

Page 7: Advanced Malware Infection Lifecycle

[Figure: infection path from a compromised Web server or Web 2.0 site, through Perimeter Security (signature, rule-based), Other gateway (list-based, signatures), Anti-spam, DMZ and Email Servers, to the desktop (Desktop antivirus: losing the threat arms race), and out to a Callback Server]

1. System gets exploited
   – Drive-by attacks in casual browsing
   – Links in Targeted Emails
   – Attachments in Targeted Emails

2. Dropper malware installs
   – First step to establish control
   – Calls back out to criminal servers
   – Found on compromised sites, and Web 2.0, user-created content sites

3. Malicious data theft & long-term control established
   – Uploads data stolen via keyloggers, Trojans, bots, & file grabbers
   – One exploit leads to dozens of infections on same system
   – Criminals have built long-term control mechanisms into system

Page 8: Malware Analysis

• What types of Malware Analysis should you do?

Malware Analysis
– Static Analysis: Signature, Heuristics
– Dynamic Analysis: Discrete Object analysis, Contextual Analysis

Page 9: Case Study: Operation Aurora Infection Cycle

[Figure: Malicious Web server, victim desktop (Desktop antivirus: losing the threat arms race), Callback Server]

1. System gets exploited
   – Social engineering
   – Obfuscated JavaScript code
   – Exploited IE 6 zero-day vulnerability

2. Web server delivers malware
   – Servers mapped by dynamic DNS
   – XOR encoded malware EXE delivered
   – No Signatures

3. Malware calls home & long-term control established
   – Complete control of infected system
   – Further payloads downloaded
   – C&C located in Taiwan
   – Using outbound port 443 (SSL)

Page 10: Captured Aurora on Day Zero

Signature-less detection of zero-day attack

[Screenshots: Decryption routine for “a.exe”; Malicious binary download posing as JPG]

Page 11: Captured Aurora on Day Zero (continued)

[Screenshots: Decryption complete, MD5 of Hydraq.Trojan; Hydraq callback captured]
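The two detection signals the Aurora slides rely on, a download labelled as a JPG that is not one and an XOR-encoded EXE behind it, can be checked without any signature. The following is an added example, not FireEye's code or the deck's: it assumes a single-byte XOR key (the slides only say "XOR encoded"), and the sample body is constructed from a fake PE header with a made-up key, not the real Aurora payload.

```python
import struct

JPEG_MAGIC = b"\xff\xd8\xff"  # JPEG start-of-image marker


def build_fake_pe() -> bytes:
    """Constructed sample: a 64-byte DOS header whose e_lfanew points at a bare
    PE signature. It is not a real executable and cannot run."""
    dos = bytearray(b"MZ" + b"\x00" * 58)  # e_magic plus padding up to offset 0x3C
    dos += struct.pack("<I", 0x40)         # e_lfanew: PE header at offset 0x40
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def claimed_type_matches(content_type: str, body: bytes) -> bool:
    """A response labelled image/jpeg must start with the JPEG SOI marker."""
    if content_type.lower().startswith("image/jpeg"):
        return body.startswith(JPEG_MAGIC)
    return True  # other content types are not checked in this example


def find_xor_pe(body: bytes):
    """Return the single-byte XOR key under which body decodes to a PE image
    ('MZ' at offset 0, 'PE\\0\\0' at e_lfanew), or None. Key 0 means plain PE."""
    if len(body) < 64:
        return None
    for key in range(256):
        if body[0] ^ key != 0x4D or body[1] ^ key != 0x5A:  # 'M', 'Z'
            continue
        e_lfanew = struct.unpack_from("<I", xor_bytes(body[:64], key), 0x3C)[0]
        if e_lfanew + 4 <= len(body) and xor_bytes(body[e_lfanew:e_lfanew + 4], key) == b"PE\x00\x00":
            return key
    return None


def triage_download(content_type: str, body: bytes) -> list:
    """Findings for one HTTP response body, as a detection rule would report them."""
    findings = []
    if not claimed_type_matches(content_type, body):
        findings.append("content-type mismatch")
    key = find_xor_pe(body)
    if key is not None:
        findings.append("plain PE" if key == 0 else f"xor-encoded PE (key 0x{key:02x})")
    return findings


if __name__ == "__main__":
    sample = xor_bytes(build_fake_pe(), 0x5A)  # constructed: fake PE XORed with a made-up key
    print(triage_download("image/jpeg", sample))
```

Checking both the DOS stub and the PE signature under the same key keeps false positives low: a random body that happens to decode to "MZ" at offset 0 is not reported unless e_lfanew also lands on "PE\0\0".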

Page 12: Requirements for APT Detection / Protection

1. Dynamic defenses to stop targeted, zero-day attacks
2. Real-time protection to block data exfiltration attempts
3. Accurate, low false positive rates
4. Global intelligence on advanced threats to protect the local network

Page 13: Who is Mission Critical Systems?

Southeast based Information security solutions reseller & integrator in business for over 15 years. Headquarters in South Florida with additional offices in Atlanta and Tampa.

Network and Data security solutions are our only focus.

Representing 20+ best-of-breed security products at either Platinum/Elite or Gold level partner status. Our relationships and status with the manufacturers allow us to leverage significant resources and hold manufacturers accountable.

Sales consultants and engineers maintain manufacturer certifications to ensure we provide accurate information to help customers achieve their security goals and not purchase unnecessary technologies.

We work on behalf of the customer to design the appropriate solution for their security needs, negotiate the best value, and ensure a successful project roll-out.

Page 14: Professional Services

Installation, Configuration and Support Services
• Security Assessment and Audits
• Vulnerability Scanning / Penetration Testing
• Web Application Assessment
• Secure Network Design
• Telephone Support Contracts
• Training

Page 15: Thank You