Malware Pandemic?
Sometimes getting a shot only treats the symptoms and not the cause…
Tim Davidson
System Engineer
Copyright © 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL
Agenda
Changing Threat Landscape
Why Traditional Defenses Fail?
Introducing the FireEye Platform
FireEye Advantage
Changing Threat Landscape
Changing Threat Landscape – Advanced Persistent Threats (APTs)
The New Threat Landscape: there is a new breed of attacks that are advanced, zero-day, and targeted.

LEGACY                   MODERN
Open                     Stealthy
Known and patchable      Unknown and zero day
Broad                    Targeted
One time                 Persistent
Individuals              Well-funded syndicates

Advanced
• Leverages spectrum of exploits
• Well-known and zero-day vulnerabilities
• Multi-pronged

Persistent
• Goal oriented rather than opportunistic
• Targeted attacks
• Well-planned – low and slow

Threats
• Organized, well-funded adversaries
• Nation-states, cyber-espionage groups
• Stealthy and camouflaged attacks
High Profile Targeted Attacks
• 3 minutes: on average, malware activities take place once every 3 minutes
• 184 countries, 41%: over the past year, FireEye captured callbacks to 184 countries, a 41% rise
• 46%: Asia (China, Korea, India, Japan, Hong Kong) accounts for 24% of callbacks; Eastern Europe (Russia, Poland, Romania, Ukraine, Kazakhstan, Latvia) accounts for 22%
• Technology companies experienced the highest rate of callback activity
• 89% of callback activities linked with APT tools made in China or Chinese hacker groups
Source: FireEye Advanced Threat Report, March 2013
Significant Compromise Still Exists!
[Chart: percent of deployments (y axis, 0% to 100%) versus infections/week at a normalized bandwidth of 1 Gbps (x axis, log scale from 10 to 100,000)]
• 98.5% of deployments see at least 10 incidents*/week/Gbps
• Average is about 221 incidents*/week
• 20% of deployments have thousands of incidents*/week
221 Average Net New Incidents Per Week at Only 1 Gbps!
* An incident is beyond inbound malware – it includes an exploit and callback
Source: FireEye Advanced Threat Report, March 2013
Why Traditional Defenses Fail
What’s causing the compromise?
NEW THREAT LANDSCAPE
• Coordinated Persistent Threat Actors
• Dynamic, Polymorphic Malware
• Multi-Vector Attacks
• Multi-Staged Attacks
The Attack Life Cycle – Multiple Stages
[Diagram: a compromised web server or Web 2.0 site delivers the exploit past the IPS to an internal host; the host then downloads the malware executable, calls back to the Callback Server, exfiltrates data, and spreads to File Share 1 and File Share 2]
1 – Exploitation of system
2 – Malware executable download
3 – Callbacks and control established
4 – Data exfiltration
5 – Malware spreads laterally
Exploit detection is critical: all subsequent stages can be hidden or obfuscated
Traditional Defenses Don’t Work
The new breed of attacks evade signature-based defenses:
• Anti-Spam Gateways
• IPS
• Firewalls/NGFW
• Secure Web Gateways
• Desktop AV
The Enterprise Security Hole
[Diagram: attack vectors on the left (Web-Based Attacks, Spear Phishing Emails, Malicious Files) pass the existing controls on the right (NGFW, FW, IPS, SWG, AV); the gap between them is labelled SECURITY HOLE]
A New Model is Required
Legacy Pattern-Matching Detection Model (MATCH against a byte pattern)
• Signature-based
• Reactive
• Only known threats
• Many false negatives
New Virtual Execution Model
• Signature-less
• Dynamic, real-time
• Known/unknown threats
• Minimal false positives
Introducing the FireEye Platform
FireEye Platform: Next Generation Threat Protection
• Dynamic Threat Intelligence (CLOUD)
• Multi-Vector Virtual Execution engine
• Dynamic Threat Intelligence (ENTERPRISE)
• Technology Interoperability: Ecosystem Partners
FireEye Platform: Multi-Vector Virtual Execution (MVX)
[Diagram: inbound SMTP passes through the Email MPS and outbound HTTP through the Web MPS; both run MVX and share verdicts through the CMS; the Callback Server sits on the Internet side]
Multi-vector blended attack
1 – Email with weaponized pdf
2 – Executed in MVX (Email MPS) – phish suspected
3 – Web MPS notified via CMS
4 – Callback over HTTP to C&C server
5 – Callback detected by Web MPS and blocked
6 – End user defended from multi-vector attack
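The six steps above describe one vector (e-mail sandboxing) producing an indicator that another vector (outbound web) enforces. The following added example, which is not FireEye code and uses no product API, shows that hand-off in plain Python: a constructed sandbox verdict lists the URLs an attachment contacted while executing, a shared indicator store (standing in for the CMS role on the slide) extracts and normalizes the callback hosts, and a check over constructed outbound HTTP flows blocks matches, including subdomains and raw-IP callbacks that skip DNS. The verdict record, flow records, hash and hostnames are all constructed for illustration.

```python
"""Multi-vector indicator sharing: an e-mail sandbox verdict becomes a block
rule on outbound web traffic.

Added example, not FireEye code. The verdict record, the indicator store
(the CMS role on the slide) and the flow records are constructed for
illustration; no real product API is used.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


def normalize_host(host):
    """Lower-case, strip whitespace and a trailing dot; '' if host is missing."""
    if not host:
        return ""
    return host.strip().rstrip(".").lower()


@dataclass
class SandboxVerdict:
    """Constructed result of detonating one e-mail attachment (Email MPS role)."""
    attachment_sha256: str
    malicious: bool
    contacted_urls: list   # URLs the sample reached for while executing


@dataclass
class IndicatorStore:
    """Callback hosts learned from any vector, consumable by any other (CMS role)."""
    callback_hosts: set = field(default_factory=set)
    learned_from: dict = field(default_factory=dict)   # host -> attachment hash

    def learn(self, verdict):
        """Extract callback hosts from a malicious verdict; return the number of new hosts."""
        if not verdict.malicious:
            return 0
        added = 0
        for url in verdict.contacted_urls:
            host = normalize_host(urlsplit(url).hostname)   # drops scheme, port, path
            if host and host not in self.callback_hosts:
                self.callback_hosts.add(host)
                self.learned_from[host] = verdict.attachment_sha256
                added += 1
        return added

    def matching_rule(self, host):
        """Return the learned host covering `host` (exact or as a parent domain), else None."""
        host = normalize_host(host)
        for h in self.callback_hosts:
            if host == h or host.endswith("." + h):
                return h
        return None


@dataclass(frozen=True)
class HttpFlow:
    """One outbound HTTP request as seen on the web vector (Web MPS role)."""
    src_ip: str
    host: str      # Host header; may be a raw IP for callbacks that skip DNS
    path: str


def enforce_outbound(flows, store):
    """Split flows into (blocked, allowed). Each blocked entry is
    (flow, matched rule, hash of the attachment that produced the rule)."""
    blocked, allowed = [], []
    for f in flows:
        rule = store.matching_rule(f.host)
        if rule is None:
            allowed.append(f)
        else:
            blocked.append((f, rule, store.learned_from[rule]))
    return blocked, allowed


# Constructed sample: the e-mail sandbox ran the weaponized PDF and saw it
# fetch a second stage and check in with a command-and-control host.
SAMPLE_VERDICT = SandboxVerdict(
    attachment_sha256="0" * 64,   # placeholder hash, constructed
    malicious=True,
    contacted_urls=[
        "http://Update.Bad.Example:8080/gate.php",   # case and port differ from the flow below
        "http://update.bad.example/gate.php?id=1",   # same host, must not be learned twice
        "http://203.0.113.10/",                      # raw IP (documentation range), constructed
    ],
)

# Constructed outbound HTTP flows later seen on the web vector.
SAMPLE_FLOWS = [
    HttpFlow("10.0.0.5", "update.bad.example", "/gate.php"),     # the callback itself
    HttpFlow("10.0.0.5", "cdn.update.bad.example.", "/x.bin"),  # subdomain, trailing dot
    HttpFlow("10.0.0.5", "203.0.113.10", "/"),                  # raw-IP callback
    HttpFlow("10.0.0.7", "www.example.com", "/"),               # benign
    HttpFlow("10.0.0.7", "bad.example", "/"),                   # parent domain is NOT covered
]


def demo():
    """Learn from the e-mail verdict, then enforce on the web flows."""
    store = IndicatorStore()
    new_hosts = store.learn(SAMPLE_VERDICT)
    blocked, allowed = enforce_outbound(SAMPLE_FLOWS, store)
    return {"new_hosts": new_hosts, "blocked": blocked, "allowed": allowed}


if __name__ == "__main__":
    result = demo()
    print("learned", result["new_hosts"], "callback hosts")
    for flow, rule, sha in result["blocked"]:
        print("BLOCK", flow.src_ip, "->", flow.host, "rule:", rule, "from attachment", sha[:8])
    for flow in result["allowed"]:
        print("ALLOW", flow.src_ip, "->", flow.host)
```

The subdomain rule is deliberate: an indicator learned as update.bad.example should also stop cdn.update.bad.example, but it does not block the parent bad.example, because widening a rule upward from one observed callback host is a policy decision, not something the sandbox evidence supports.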
FireEye Platform: Multi-Flow Virtual Execution
[Diagram: the Infection Server delivers the exploit; malware executable downloads follow; callbacks go to the Callback Server; data exfiltration follows]
• File-oriented sandboxing can be easily evaded by malware
• A file-based approach does not virtually execute the flows around the file
• It does not capture and analyze flows across multiple vectors
• FireEye uses multi-vector, multi-flow analysis to understand the full context of today’s cyber attacks
• Stateful attack analysis shows the entire attack life cycle
• This enables FireEye to disrupt each stage and neutralize the attack
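The point made by this slide and by the attack life cycle slide is that the stages only make sense together: the dropped executable may look like any installer on its own, and a single-file sandbox never sees the exploit that preceded it or the callback that follows. The added example below, which is not FireEye code, keeps per-host state across constructed flow records and raises an incident only when an exploit verdict, an executable download and a periodic outbound callback chain on the same host within a time window. The exploit verdict is carried as a label on the web-object record (a real sensor would get it from virtually executing the object), and the beacon thresholds and time window are assumptions chosen for the sample data. Deleting the exploit record from the sample makes the chain fail to close, which is the file-only blind spot the slide describes.

```python
"""Stateful multi-flow correlation of the attack life cycle: exploit delivery,
executable download and callback are chained per internal host instead of
judging each file on its own.

Added example, not FireEye code. Flow records, stage rules, beacon thresholds
and the time window are constructed simplifications; a real sensor would take
the exploit verdict from virtual execution of the web object, not from a label.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: float     # seconds since capture start (constructed)
    src: str      # internal host
    dst: str      # remote host
    kind: str     # "web_object" | "download" | "http_out"
    detail: str   # web_object: sandbox verdict; download: file name; http_out: URL path


EXECUTABLE_EXT = (".exe", ".dll", ".scr")
BEACON_MIN_HITS = 4     # connections needed before a (src, dst) pair can be called periodic
BEACON_MAX_CV = 0.25    # max coefficient of variation of the inter-arrival gaps (assumed)
CHAIN_WINDOW = 3600.0   # seconds allowed from exploit to first callback (assumed)


def find_beacons(flows):
    """Return {(src, dst): first_ts} for outbound HTTP pairs whose timing is periodic."""
    by_pair = defaultdict(list)
    for f in flows:
        if f.kind == "http_out":
            by_pair[(f.src, f.dst)].append(f.ts)
    beacons = {}
    for pair, times in by_pair.items():
        times.sort()
        if len(times) < BEACON_MIN_HITS:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        m = mean(gaps)
        # low relative jitter between connections = machine-driven check-in
        if m > 0 and pstdev(gaps) / m <= BEACON_MAX_CV:
            beacons[pair] = times[0]
    return beacons


def correlate(flows):
    """Walk flows in time order with per-host stage state; emit an incident only
    when exploit -> executable download -> callback chain within CHAIN_WINDOW."""
    flows = sorted(flows, key=lambda f: f.ts)
    beacons = find_beacons(flows)
    state = defaultdict(dict)   # src -> {"exploit": Flow, "download": Flow}
    incidents = []
    for f in flows:
        s = state[f.src]
        if f.kind == "web_object" and f.detail == "exploit":
            s.clear()                     # a new exploit starts a new chain
            s["exploit"] = f
        elif f.kind == "download" and f.detail.lower().endswith(EXECUTABLE_EXT):
            # an executable with no preceding exploit on this host is not chained
            if "exploit" in s and f.ts - s["exploit"].ts <= CHAIN_WINDOW:
                s["download"] = f
        elif f.kind == "http_out" and beacons.get((f.src, f.dst)) == f.ts:
            # first hit of a periodic pair: callback and control established
            if "download" in s and f.ts - s["exploit"].ts <= CHAIN_WINDOW:
                incidents.append({
                    "host": f.src,
                    "exploit_source": s["exploit"].dst,
                    "dropped_file": s["download"].detail,
                    "callback_server": f.dst,
                    "stages": (s["exploit"].ts, s["download"].ts, f.ts),
                })
                s.clear()
    return incidents


# Constructed sample traffic. 10.0.0.5 is the victim; 10.0.0.7 only downloads an
# installer and browses irregularly; 10.0.0.9 is hit by an exploit that goes nowhere.
SAMPLE_FLOWS = [
    Flow(0.0,    "10.0.0.5", "news.example",    "web_object", "exploit"),
    Flow(12.0,   "10.0.0.5", "cdn.bad.example", "download",   "update.exe"),
    Flow(300.0,  "10.0.0.5", "cb.bad.example",  "http_out",   "/gate.php"),
    Flow(600.0,  "10.0.0.5", "cb.bad.example",  "http_out",   "/gate.php"),
    Flow(901.0,  "10.0.0.5", "cb.bad.example",  "http_out",   "/gate.php"),
    Flow(1199.0, "10.0.0.5", "cb.bad.example",  "http_out",   "/gate.php"),
    Flow(1500.0, "10.0.0.5", "cb.bad.example",  "http_out",   "/gate.php"),
    Flow(50.0,   "10.0.0.7", "vendor.example",  "download",   "setup.exe"),
    Flow(10.0,   "10.0.0.7", "www.example.com", "http_out",   "/"),
    Flow(95.0,   "10.0.0.7", "www.example.com", "http_out",   "/news"),
    Flow(400.0,  "10.0.0.7", "www.example.com", "http_out",   "/"),
    Flow(405.0,  "10.0.0.7", "www.example.com", "http_out",   "/img"),
    Flow(900.0,  "10.0.0.7", "www.example.com", "http_out",   "/"),
    Flow(100.0,  "10.0.0.9", "news.example",    "web_object", "exploit"),
]


if __name__ == "__main__":
    for inc in correlate(SAMPLE_FLOWS):
        print(inc)
```

Note what a file-only view has to work with here: "update.exe" and "setup.exe" are indistinguishable records. The chain is what separates them, and it is the exploit stage that opens the chain, which is why the slide calls exploit detection critical.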
FireEye Platform: Dynamic Threat Intelligence
[Diagram: Enterprise 1, Enterprise 2 and Enterprise 3 each run DTI Enterprise; anonymized malware metadata flows between each DTI Enterprise and the DTI Cloud, which also exchanges with Ecosystem Partners]
FireEye Advantage
FireEye Platform Advantage
[Diagram: MVX engines within a Single Enterprise share through a Local Loop; Dynamic Threat Intelligence (DTI) links enterprises Cross Enterprise into a Threat Protection Fabric]
1. Thousands of Permutations (files, OS, browser, apps)
2. Multi-flow analysis
3. Multi-vector analysis
4. Correlation of information
5. Cloud Sharing
6. Time to protection
Sandbox Approach (Cloud)
Sandbox in the cloud:
• Privacy violation
• Compliance and regulation violation
• Latency issues
1. Thousands of Permutations (files, OS, browser, apps): file-oriented sandbox – evasion
2. Multi-flow analysis: single file
3. Multi-vector analysis: single vector
4. Correlation of information: partial
5. Cloud Sharing
6. Time to protection: hours or days
Sandbox Approach (On-Premises)
Sandbox (On-Premises):
• Malware can easily circumvent generic sandbox
• File-based sandbox misses the exploit detection phase
• No flow causes lack of stateful malware analysis
1. Thousands of Permutations (files, OS, browser, apps): file-oriented sandbox
2. Multi-flow analysis: single file
3. Multi-vector analysis: single vector
4. Correlation of information: hashes – limited value
5. Cloud Sharing
6. Time to protection: non-realtime
Key Takeaways
Changing Threat Landscape
• Advanced Persistent Threats
Traditional Defenses Fall Short
• File-oriented sandboxing does not detect exploits
• Exploit Detection is Critical
FireEye Platform
• MVX architecture
• DTI Cloud
• DTI Enterprise
Thank You