Next Generation Threat Protection Randy Lee– Sr. SE Manager Copyright (c) 2012, FireEye, Inc.

Download Report

Transcript Next Generation Threat Protection Randy Lee– Sr. SE Manager Copyright (c) 2012, FireEye, Inc.

Next Generation Threat Protection

Randy Lee – Sr. SE Manager

The Acceleration of Advanced Targeted Attacks

• # of threats are up

• Nature of

threats changing

– From broad, scattershot to advanced, targeted, persistent • Advanced

attacks accelerating

– High profile victims common (e.g., RSA, Symantec, Google) – Numerous APT attacks like Operation Aurora, Shady RAT, GhostNet, Night Dragon, Nitro Disruption Worms Viruses Cybercrime Spyware/ Bots Cyber-espionage and Cybercrime Advanced Persistent Threats Zero-day Targeted Attacks Dynamic Trojans Stealth Bots 2004 2006 2008 2010 2012

“Organizations face an evolving threat scenario that they are ill-prepared to deal with….advanced threats that have bypassed their traditional security protection techniques and reside undetected on their systems.”

High Profile Attacks are Increasingly Common

Coke Gets Hacked And Doesn’t Tell Anyone

By Ben Elgin, Dune Lawrence & Michael Riley - Nov 4, 2012 6:01 PM ET

Hackers had broken into the company’s computer systems and were pilfering sensitive files about its attempted $2.4 billion acquisition of China Huiyuan Juice Group (1886), according to three people familiar with the situation and an internal company document detailing the cyber intrusion. The Huiyuan deal, which collapsed three days later, would have been the largest foreign takeover of a Chinese company at the time.

We are Only Seeing the Tip of the Iceberg

Headline Grabbing Attacks Thousands More Below the Surface

Traditional Defenses Don’t Work

Advanced attacks bypass both signature and heuristics-based technologies in existing IT security defenses Networks Are Being Compromised as APTs Easily Bypass Traditional Signature-Based Defenses Like NGFW, IPS, AV, and Gateways Copyright (c) 2012, FireEye, Inc. All rights reserved. | CONFIDENTIAL 5

Defining Advanced Targeted Attacks

• Utilizes advanced techniques and/or malware – Unknown – Targeted – Polymorphic – Dynamic – Personalized • Uses zero-day exploits, commercial quality toolkits, and social engineering • Often targets IP, credentials and often spreads laterally throughout network • AKA—Advanced Persistent Threat (APT)

The New Threat Landscape

There is a new breed of attacks that are advanced, zero-day, and targeted Stealthy

ADVANCED

Unknown and Zero Day Targeted Persistent Advanced Targeted Attack Open Known and Patchable Broad

TRADITIONAL

Advanced Malware Infection Lifecycle

1 2 3 System gets exploited

 Drive-by attacks in casual browsing  Links in Targeted Emails  Attachments in Targeted Emails

Compromised Web server, or Web 2.0 site Dropper malware installs

 First step to establish control  Calls back out to criminal servers  Found on compromised sites, and Web 2.0, user-created content sites

Perimeter Security

Signature, rule-based

Malicious data theft & long term control established

 Uploads data stolen via keyloggers, Trojans, bots, & file grabbers  One exploit leads to dozens of infections on same system  Criminals have built long-term control mechanisms into system

Other gateway

List-based, signatures

Desktop antivirus

Losing the threat arms race

Callback Server Anti spam Email Servers DMZ

Malware Analysis

• What types of Malware Analysis should you do?

Case Study: Operation Aurora Infection Cycle

1 System gets exploited

 Social engineering  Obfuscated JavaScript code  Exploited IE 6 zero-day vulnerability

2 Web server delivers malware

 Servers mapped by dynamic DNS  XOR encoded malware EXE delivered  No Signatures

3 Malware calls home & long-term control established

 Complete control of infected system  Further payloads downloaded  C&C located in Taiwan  Using outbound port 443 (SSL)

Malicious Web server Callback Server Desktop antivirus

Losing the threat arms race

Captured Aurora on Day Zero Signature-less detection of zero-day attack Malicious binary download posing as JPG Decryption routine for “a.exe” Copyright (c) 2012, FireEye, Inc. All rights reserved. | CONFIDENTIAL 10

Captured Aurora on Day Zero Decryption complete. MD5 of Hydraq.Trojan

Requirements for APT Detection / Protection

1. Dynamic defenses to stop targeted, zero-day attacks 2. Real-time protection to block data exfiltration attempts 3. Accurate, low false positive rates 4. Global intelligence on advanced threats to protect the local network Copyright (c) 2012, FireEye, Inc. All rights reserved. | CONFIDENTIAL 12

Who is Mission Critical Systems?

 Southeast based Information security solutions reseller & integrator in business for over 15 years. Headquarters in South Florida with additional offices in Atlanta and Tampa.

 Network and Data security solutions are our only focus  Representing 20+ best-of-breed security products at either Platinum/Elite or Gold level partner status. Our relationships and status with the manufacturers allow us to leverage significant resources and hold manufacturers accountable.  Sales consultants and engineers maintain manufacturer certifications to ensure we provide accurate information to help customers achieve their security goals and not purchase unnecessary technologies.

 We work on behalf of the customer to design the appropriate solution for their security needs, negotiate the best value, and ensure a successful project roll-out. Copyright (c) 2012, FireEye, Inc. All rights reserved. | CONFIDENTIAL 13

Professional Services



Installation, Configuration and Support Services



Security Assessment and Audits



Vulnerability Scanning / Penetration Testing



Web Application Assessment



Secure Network Design



Telephone Support Contracts



Next Generation Threat Protection Randy Lee– Sr. SE Manager Copyright (c) 2012, FireEye, Inc.

Transcript Next Generation Threat Protection Randy Lee– Sr. SE Manager Copyright (c) 2012, FireEye, Inc.