Transcript Document
Slide 1: Malware Pandemic? Sometimes getting a shot only treats the symptoms and not the cause…
Tim Davidson, System Engineer
Copyright © 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL

Slide 2: Agenda
• Changing Threat Landscape
• Why Traditional Defenses Fail?
• Introducing the FireEye Platform
• FireEye Advantage

Slide 3: Changing Threat Landscape (section title)

Slide 4: Changing Threat Landscape – Advanced Persistent Threats (APTs)
The New Threat Landscape: there is a new breed of attacks that are advanced, zero-day, and targeted.

LEGACY vs. MODERN:
• Open → Stealthy
• Known and Patchable → Unknown and Zero Day
• Broad → Targeted
• One Time → Persistent
• Individuals → Well-funded syndicates

Advanced
• Leverages spectrum of exploits
• Well-known and zero-day vulnerabilities
• Multi-pronged

Persistent
• Goal oriented rather than opportunistic
• Targeted attacks
• Well-planned – low and slow

Threats
• Organized, well-funded adversaries
• Nation-states, cyber-espionage groups
• Stealthy and camouflaged attacks

Slide 5: High Profile Targeted Attacks
• 3 minutes – On average, malware activities take place once every 3 minutes
• 184 countries, 41% – Over the past year, FireEye captured callbacks to 184 countries, a 41% rise
• 46% – Asia (China, Korea, India, Japan, Hong Kong) accounts for 24% of callbacks; Eastern Europe (Russia, Poland, Romania, Ukraine, Kazakhstan, Latvia) accounts for 22%
• Technology companies – Technology companies experienced the highest rate of callback activity
• 89% – 89% of callback activities are linked with APT tools made in China or by Chinese hacker groups
Source: FireEye Advanced Threat Report, March 2013

Slide 6: Significant Compromise Still Exists!
[Chart: Percent of Deployments (0%–100%) vs. Infections/Week at Normalized Bandwidth (1 Gbps), x-axis 10 to 100,000 on a log scale.]
• 98.5% of deployments see at least 10 incidents*/week/Gbps
• Average is about 221 incidents*/week
• 20% of deployments have thousands of incidents*/week
221 Average Net New Incidents Per Week at Only 1 Gbps!
* An incident is beyond inbound malware – it includes an exploit and callback
Source: FireEye Advanced Threat Report, March 2013

Slide 7: Why Traditional Defenses Fail (section title)

Slide 8: What’s causing the compromise?
NEW THREAT LANDSCAPE:
• Coordinated Persistent Threat Actors
• Dynamic, Polymorphic Malware
• Multi-Vector Attacks
• Multi-Staged Attacks

Slide 9: The Attack Life Cycle – Multiple Stages
[Diagram: Compromised Web server or Web 2.0 site, Callback Server, IPS, File Share 1, File Share 2.]
1. Exploitation of system
2. Malware executable download
3. Callbacks and control established
4. Data exfiltration
5. Malware spreads laterally
• Exploit detection is critical
• All subsequent stages can be hidden or obfuscated

Slide 10: Traditional Defenses Don’t Work
The new breed of attacks evades signature-based defenses:
• Anti-Spam Gateways
• IPS
• Firewalls / NGFW
• Secure Web Gateways
• Desktop AV

Slide 11: The Enterprise Security Hole
Attack vectors: Web-Based Attacks, Spear Phishing Emails, Malicious Files
Existing controls: NGFW, FW, IPS, SWG, AV
Between the attack vectors and these controls sits the SECURITY HOLE.

Slide 12: A New Model is Required
Legacy Pattern-Matching Detection Model (MATCH against byte patterns such as
101011010101101000101110
001101010101011001101111
100101011001001001001000
100100111001010101010110
110100101101011010101000):
• Signature-Based
• Reactive
• Only known threats
• Many false negatives

New Virtual Execution Model:
• Signature-less
• Dynamic, real-time
• Known/unknown threats
• Minimal false positives

Slide 13: Introducing the FireEye Platform (section title)

Slide 14: FireEye Platform: Next Generation Threat Protection
• Dynamic Threat Intelligence (CLOUD)
• Multi-Vector Virtual Execution engine
• Dynamic Threat Intelligence (ENTERPRISE)
• Technology Interoperability
• Ecosystem Partners

Slide 15: FireEye Platform: Multi-Vector Virtual Execution (MVX)
Multi-vector blended attack, involving Email MPS, Web MPS, CMS, MVX and a Callback Server:
1. Email with weaponized PDF (inbound over SMTP)
2. Executed in MVX (Email MPS) – phish suspected
3. Web MPS notified via CMS
4. Callback over HTTP to C&C server
5. Callback detected by Web MPS and blocked
6. End user defended from multi-vector attack (outbound HTTP)

Slide 16: FireEye Platform: Multi-Flow Virtual Execution
[Diagram: Infection Server (exploit), Malware Executable Downloads, Callback Server (callbacks), Data Exfiltration.]
• File-oriented sandboxing can be easily evaded by malware
• Lack of virtually executing flows vs. file-based approach
• Lack of capturing and analyzing flows across multiple vectors
• FireEye uses multi-vector, multi-flow analysis to understand the full context of today’s cyber attacks
• Stateful attack analysis shows the entire attack life cycle
• Enables FireEye to disrupt each stage and neutralize the attack

Slide 17: FireEye Platform: Dynamic Threat Intelligence
[Diagram: DTI Enterprise instances at Enterprise 1, Enterprise 2 and Enterprise 3 exchange Anonymized Malware Metadata with the DTI Cloud, which also connects Ecosystem Partners.]

Slide 18: FireEye Advantage (section title)

Slide 19: FireEye Platform Advantage
Single Enterprise Threat Protection Fabric (Local Loop, MVX) and Cross Enterprise (Dynamic Threat Intelligence, DTI):
1. Thousands of Permutations (files, OS, browser, apps)
2. Multi-flow analysis
3. Multi-vector analysis
4. Correlation of information
5. Cloud Sharing
6. Time to protection

Slide 20: Sandbox Approach (Cloud)
File-oriented sandbox – evasion. Sandbox in the cloud:
• Privacy violation
• Compliance and regulation violation
• Latency issues
Measured against the six criteria (thousands of permutations; multi-flow analysis; multi-vector analysis; correlation of information; cloud sharing; time to protection), the cloud sandbox offers: single file; single vector; partial correlation of information; time to protection of hours or days.

Slide 21: Sandbox Approach (On-Premises)
File-oriented sandbox. Sandbox (On-Premises):
• Malware can easily circumvent a generic sandbox
• File-based sandbox misses the exploit detection phase
• No flow causes lack of stateful malware analysis
Measured against the same six criteria, the on-premises sandbox offers: single file; single vector; hashes (limited value) for correlation and sharing; non-realtime time to protection.

Slide 22: Key Takeaways
Changing Threat Landscape
• Advanced Persistent Threats
Traditional Defenses Fall Short
• File-oriented sandboxing does not detect exploits
• Exploit Detection is Critical
FireEye Platform
• MVX architecture
• DTI Cloud
• DTI Enterprise

Slide 23: Thank You
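The multi-stage attack life cycle (slide 9) and the stateful, multi-flow correlation the deck contrasts with file-oriented sandboxing (slides 16 and 21, and the key takeaways) can be shown concretely in Python. The code below is an added illustration written for this page; it is not FireEye code and does not describe how the MVX engine is implemented. The flow records, the per-flow `verdict` labels, the `10.0.` internal address range and the incident rule (an exploit followed by a callback on the same host, following the footnote on slide 6) are all constructed assumptions.

```python
"""Stateful multi-flow correlation of the attack life cycle (added example)."""
from collections import defaultdict
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0."   # assumption: the monitored enterprise network
LIFE_CYCLE = ["exploit", "download", "callback", "exfiltration", "lateral"]  # slide 9


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds since capture start
    src: str
    dst: str
    proto: str       # "http", "smtp", "smb", ...
    verdict: str     # constructed per-flow analysis result (see stage_of)


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def victim_of(flow: Flow):
    """The internal host a flow touches (destination first), or None."""
    if is_internal(flow.dst):
        return flow.dst
    if is_internal(flow.src):
        return flow.src
    return None


def stage_of(flow: Flow):
    """Map one flow, using its direction and verdict, onto a life-cycle stage."""
    inbound = is_internal(flow.dst) and not is_internal(flow.src)
    outbound = is_internal(flow.src) and not is_internal(flow.dst)
    internal = is_internal(flow.src) and is_internal(flow.dst)
    if inbound and flow.verdict == "exploit":      # web content that exploited the browser
        return "exploit"
    if inbound and flow.verdict == "executable":   # a binary arriving on the host
        return "download"
    if outbound and flow.verdict == "beacon":      # periodic contact with an external server
        return "callback"
    if outbound and flow.verdict == "upload":      # bulk data leaving the host
        return "exfiltration"
    if internal and flow.verdict == "copy":        # executable copied to another host (file share)
        return "lateral"
    return None


def correlate(flows):
    """Group stage-bearing flows by victim host, in time order: the stateful view."""
    chains = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        stage, host = stage_of(f), victim_of(f)
        if stage and host:
            chains[host].append(stage)
    return dict(chains)


def incidents(chains):
    """Hosts whose chain shows an exploit followed later by a callback (slide 6 footnote)."""
    return {host: stages for host, stages in chains.items()
            if "exploit" in stages and "callback" in stages
            and stages.index("callback") > stages.index("exploit")}


def file_only_view(flows):
    """What a file-oriented sandbox gets to inspect: only flows carrying a file object."""
    return [f for f in flows if f.verdict == "executable"]


# Constructed sample capture: one drive-by infection and one legitimate software download.
SAMPLE_FLOWS = [
    Flow(0,   "203.0.113.10", "10.0.0.5",     "http", "exploit"),     # compromised web site
    Flow(5,   "203.0.113.10", "10.0.0.5",     "http", "executable"),  # malware download
    Flow(30,  "10.0.0.8",     "198.51.100.9", "http", "benign"),
    Flow(40,  "203.0.113.20", "10.0.0.8",     "http", "executable"),  # legitimate installer
    Flow(60,  "10.0.0.5",     "198.51.100.7", "http", "beacon"),      # callback to C&C
    Flow(600, "10.0.0.5",     "198.51.100.7", "http", "upload"),      # exfiltration
    Flow(900, "10.0.0.5",     "10.0.0.9",     "smb",  "copy"),        # spreads to file share
]

if __name__ == "__main__":
    chains = correlate(SAMPLE_FLOWS)
    for host, stages in chains.items():
        print(host, "->", " > ".join(stages))
    print("incidents:", sorted(incidents(chains)))
    print("file-only view sees", len(file_only_view(SAMPLE_FLOWS)), "executables, no exploit or callback")
```

The file-only view returns the same verdict ("executable") for the victim and for the host that fetched a legitimate installer, so on its own it cannot separate them and never sees the exploit or callback stages at all. The per-host chain built by `correlate` does, and `incidents` flags only the host whose chain contains an exploit followed by a callback, which is the stateful, whole-life-cycle picture the deck argues for.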