Fortinet sandboxing

Transcript of Fortinet sandboxing

3/13/22

April 15, 2023

FortiSandbox: Sandboxing Modern Threats

FortiGuard Services – What is FortiGuard? Advanced Defense

• FORTIGUARD ANTIVIRUS SERVICE
• FORTIGUARD ANTISPAM SECURITY SERVICE
• FORTIGUARD WEB SECURITY SERVICE
• FORTIGUARD DATABASE SECURITY SERVICE
• FORTIGUARD IP REPUTATION SERVICE
• FORTIGUARD VULNERABILITY MANAGEMENT SERVICE
• FORTIGUARD WEB FILTERING SERVICE
• FORTIGUARD INTRUSION PREVENTION SERVICE
• FORTIGUARD APPLICATION CONTROL SERVICE

Sandbox 101 – The Sandbox: What do we mean?

Sandbox has many meanings…

• Container to hold sand to improve rail adhesion
• Shallow playground construction to hold sand
• Virtual container in which untrusted programs can be safely run
• Soviet anti-ship missile (SS-N-12 Sandbox)

Sandbox 101 – What is Sandboxing? Virtual analysis – nothing new

VIRTUAL END-USER ENVIRONMENT

• Code is executed in a contained, virtual environment
• Goal is to replicate typical workstations
• Output is analyzed to determine characteristics
• Some characteristics are malicious:
  • Known virus downloads
  • Registry modifications
  • Outbound connection to malicious IPs
  • Infection of processes

(Diagram: unsafe actions and escape attempts are blocked; communication leaving the sandbox is inspected through a controlled channel)

Sandbox 101 – Why Sandbox? Modern threats (APT / ATAs) are tough to detect

BEHAVIOR BASED DETECTION vs. SIGNATURE

• Signature based detection can’t catch everything
• Run time analysis can catch things static (signature) inspection may not
• Inspection is run post-execution, so all aspects are examined

BUT WAIT, THERE’S MORE …

• Malware often downloads more malware
• Sandboxing catches this and inspects the lifecycle

Advanced Persistent Threats – Something Different? Disguise, Survive, Impact

DISGUISE
• Advanced threats focus on disguise to slip past security detection

SURVIVABILITY
• Persistent threats aim to survive on systems as long as possible

IMPACT
• Threat to hard drive data
• Stolen IP, customer data
• Blackmail & ransom
• Critical infrastructure

(Diagram: Detect Disguise, Kill the Chain; Reduce Survivability, Break Impact)

Advanced Persistent Threats – So what do they do? Disguise, Survive, Impact

ADVANCED
• AV evasion
  • Crypters
• IPS/App evasion
  • Obfuscation
  • Custom protocol
  • Piggybacking
• Dynamic decryption
  • Code decrypted at runtime

PERSISTENT
• Rootkits
  • Hide threats at O/S layer
• Bootkits
  • Invoke at startup
• Process killers

THREATS
• Keyloggers
  • Steal data
• Ransomware
  • Encrypt data and hold for ransom
• HD wipers

Sandbox 101 – Why Sandbox? It completes the puzzle

VISIBILITY & REPORTS – FOR THE SOC
• New viral families may not have existing signatures
• Shows potentially unwanted activity on a system
• Output and characteristics gathered
  • Useful for reports
  • Correlate connected components

INCIDENT RESPONSE
• Infection is likely underway: how to deal with it?

Sandbox 101 – The Sandbox Challenge: Bring Your Own Sandbox … evasion techniques that are used widely

Sandbox Evasion Techniques
• VM detection
• Time bombs
• Debug loops
• Event triggers
  • Mouse clicks
  • System reboots

Common Sandbox Problems
• Fixed operating systems
  • Only a few to pick from, and it’s slow
• Fixed software versions
  • Adobe Reader, Java
  • Attacks very specific to certain versions
  • e.g. some require the newest version of Java
• Malware won’t execute in the sandbox
  • Will execute once passed through

FortiSandbox – Introducing FortiSandbox: Complements existing Fortinet technology

FortiGuard Labs – On Top of It
• Discover latest evasion techniques
• Intelligent Evasion Inspection
  • e.g. VM detection code
• Quickly address any new measures
  • via AV Engine
  • and FortiSandbox
• All in house!

The Only All-In-One Sandbox
• World class Fortinet Antivirus
  • Scan & Sandbox (EXE, PDF, JS)
• Integrated web filtering
  • Scan connected domains
• Drill down reports: PCAP & behavior
• Unified sandbox
  • Local scan to detect sandbox evasion
  • Fall back to full sandbox
• Local file upload supported

FortiSandbox – FSA 3000D: All In One Sandbox

FortiSandbox – Best of Breed: Patent pending CPRL, industry leading AV all in one!

(Chart: detection rates – STREAM 98.6% effective; PROXY 99.82% effective; PROXY 99.81% effective; STREAM 28.18% effective; WILDLIST 573 / 18,165)

The Fortinet Advantage – Security & Performance

Multi-tiered file processing optimizes resource usage, which improves security, capacity and performance.

Tiers: Virtual OS Sandbox; Real Time Sandbox; AV Engine

• OS independent
• Not subject to VM evasion techniques
• Lightweight
• Industry validated, with a superior RAP score (ability to detect variants, proactive detection)
• Updated in real time

The Fortinet Advantage – Deployment

Flexible Deployment Options
• Offers the most suitable implementation depending on requirements and infrastructure
• Protects the investment by allowing different deployment modes as requirements change

Standalone Mode – ideal for scalable requirements
Integrated Mode – ideal for a centralized gateway with inline protection
Distributed Mode – ideal for protection in a distributed environment

(Diagram: Branch Offices (Distributed Enterprise), Data Center, Headquarters (Enterprise Core))

The Fortinet Advantage – ROI

Competitors’ Solution
• Multiple appliances are required, one for each application (web, mail, file)
• Poor ROI, high TCO
• Adds more management burden

Fortinet Solution
• Central file scanning from various applications and sources (file, mail, web, instant messenger), including mobile devices
• Simplifies threat management, provides faster ROI

FortiSandbox – Solving the Sandbox Problem: Look first for what we know, then inspect suspicious

Deep AV Scan & RTS
• 96% RAP before sandbox
• No need to sandbox if caught

Cloud Check
• Real time check on latest malware rating

Full Sandbox
• Catch anything not caught by signature detection

Forensics
• Behavior report
• Downloaded & dropped files recursively scanned
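The tiered flow on this slide (known-malware filter first, behavior analysis only for what remains, dropped files scanned recursively) together with the malicious characteristics listed under "What is Sandboxing?" (registry modification, outbound connection to a malicious IP, process infection), as an added illustrative Python example. This is not FortiSandbox code; the known-hash set, IP reputation list, registry patterns and sample events are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for the signature DB and IP reputation feed.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed-known-sample").hexdigest()}
MALICIOUS_IPS = {"198.51.100.7"}  # documentation range, constructed
# Registry locations commonly used for persistence (Run / RunOnce keys).
PERSISTENCE_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce")


@dataclass
class Sample:
    """A submitted file plus the behavior report the sandbox produced."""
    content: bytes
    events: list = field(default_factory=list)   # (kind, detail) tuples
    dropped: list = field(default_factory=list)  # files it downloaded/dropped


def known_malware(sample: Sample) -> bool:
    """Tier 1: hash lookup, no sandboxing required if it hits."""
    return hashlib.sha256(sample.content).hexdigest() in KNOWN_BAD_SHA256


def behaviour_indicators(sample: Sample) -> list:
    """Tier 2: map behavior-report events to the malicious characteristics."""
    hits = []
    for kind, detail in sample.events:
        if kind == "registry" and any(k in detail for k in PERSISTENCE_KEYS):
            hits.append("persistence:" + detail)
        elif kind == "connect" and detail in MALICIOUS_IPS:
            hits.append("c2:" + detail)
        elif kind == "inject":
            hits.append("process-infection:" + detail)
    return hits


def verdict(sample: Sample, depth: int = 0, max_depth: int = 3):
    """Return (verdict, reasons, tier); tier 'av' means sandboxing was skipped.
    Dropped files are scanned recursively, bounded by max_depth."""
    if known_malware(sample):
        return "malicious", ["known-hash"], "av"
    reasons = behaviour_indicators(sample)
    if depth < max_depth:
        for child in sample.dropped:
            child_verdict, child_reasons, _ = verdict(child, depth + 1, max_depth)
            if child_verdict == "malicious":
                reasons += ["dropped:" + r for r in child_reasons]
    return ("malicious" if reasons else "clean"), reasons, "sandbox"
```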

FortiCloud Sandbox – Where’s Your Data?

Flow: FortiOS AV Engine provides local sandbox → still suspicious samples sent for cloud sandbox analysis → results are correlated across all FortiGuard services → updates pushed out by FortiGuard Network

FortiSandbox – Where’s Your Data?

Flow: files processed through FortiGate → sent to FortiSandbox for AV & sandbox → files collected, scanned → results sent to FortiGuard for updates → updates pushed out by FortiGuard Network (to FortiGates, FortiSandbox)

FortiSandbox – FortiGuard Learning: Signatures created to update global devices

Global Intelligence Network
• Where is your data?
  • FortiSandbox is local (cloud optional)
  • FortiGuard Cloud is external
• Global sandbox updates
  • AV, WCF and Botnet DBs updated
  • System Utilities (Behavior Engine)
  • Rating Engine
  • Traffic Sniffer

FortiGuard: The Sandbox Fit

KNOW – Filter known malware (no sandboxing required)
SUSPECT – Detect sandbox-evading malware (real time sandbox)
LEARN – Full sandbox, incident response
SHARE – Update devices, refactor (incident response), raise awareness

FortiGuard – Premier Services: Incident Response Service – How Does it Work?

1) LOGIN & SUBMIT
• http://premier.fortiguard.com
• Communicate message
• Attach binary / PCAP sample

2) UPDATE & MITIGATE
• View and correspond
• Get signature updates
  • Manual, FDN

3) ANALYZE & RESPOND
• Threat remediation
• Understand nature of threat
• Take action

Timeline:
• 0 hours: suspicious activity, incident reported (zero day attack)
• 4 hours: malware spread mitigated; AV signatures, brief analysis
• 8 hours: feedback & follow up
• 12 hours: IPS signatures; exploit spread mitigated; feedback & follow up
• 48 hours: full analysis

Practical Sandbox Applications – Case Studies: Sandbox Visibility

Low volume, targeted threat cases
• Generally harder to get samples

• Operation Aurora – December 2009
• RSA SecurID – March 2011
• South Korea Wiper – March 2013
• Flame – May 2012

(Diagram labels: Victim; Targeted Industrial Plants, Low Volume; Crime Services; QA (AV scanning undetected); Zero Day IPS Vulnerability; FortiSandbox detects vs. Crime Services and QA)

Examples (screenshot slides)

• FortiSandbox – FortiGate Integration
• FortiSandbox – FortiGate Integration: Mail Server Setup – Fully Automated Reports
• FortiSandbox – Dashboard View
• FortiSandbox – What’s On Your Network?
• FortiSandbox – FortiGuard Updates: Antivirus, System Utilities and Rating Updates
• FortiSandbox – On Demand Manual Scan: System & Malware Logging Support
• FortiSandbox – Virtual Environments: Virtual Environment Pool & Status
• FortiSandbox – Logging: System & Malware Logging Support
• FortiSandbox – Drill Down Report
• FortiSandbox – Drill Down Report, PDFs