Next Generation Threat Protection
Randy Lee – Sr. SE Manager
Copyright (c) 2012, FireEye, Inc. All rights reserved. | CONFIDENTIAL 1
The Acceleration of Advanced Targeted Attacks
• # of threats are up 5X
• Nature of threats changing
– From broad, scattershot to advanced, targeted, persistent
• Advanced attacks accelerating
– High-profile victims common (e.g., RSA, Symantec, Google)
– Numerous APT attacks like Operation Aurora, Shady RAT, GhostNet, Night Dragon, Nitro
[Timeline chart, 2004 to 2012: Disruption (Worms, Viruses); Cybercrime (Spyware/Bots); Cyber-espionage and Cybercrime (Advanced Persistent Threats, Zero-day Targeted Attacks, Dynamic Trojans, Stealth Bots)]
“Organizations face an evolving threat scenario that they are ill-prepared to deal with… advanced threats that have bypassed their traditional security protection techniques and reside undetected on their systems.”
Gartner, 2012
High Profile Attacks are Increasingly Common
Coke Gets Hacked And Doesn’t Tell Anyone
By Ben Elgin, Dune Lawrence & Michael Riley - Nov 4, 2012 6:01 PM ET
Hackers had broken into the company’s computer systems and were pilfering sensitive files about its attempted $2.4 billion acquisition of China Huiyuan Juice Group (1886), according to three people familiar with the situation and an internal company document detailing the cyber intrusion. The Huiyuan deal, which collapsed three days later, would have been the largest foreign takeover of a Chinese company at the time.
We are Only Seeing the Tip of the Iceberg
Headline-grabbing attacks (above the surface)
Thousands more below the surface: APT attacks, zero-day attacks, polymorphic attacks, targeted attacks
Traditional Defenses Don’t Work
Advanced attacks bypass both signature- and heuristics-based technologies in existing IT security defenses.
Networks are being compromised as APTs easily bypass traditional signature-based defenses like NGFW, IPS, AV, and gateways.
Defining Advanced Targeted Attacks
• Utilizes advanced techniques and/or malware
– Unknown
– Targeted
– Polymorphic
– Dynamic
– Personalized
• Uses zero-day exploits, commercial-quality toolkits, and social engineering
• Often targets IP and credentials, and often spreads laterally throughout the network
• AKA Advanced Persistent Threat (APT)
The New Threat Landscape
There is a new breed of attacks that are advanced, zero-day, and targeted.
[Chart contrasting the two classes of attack]
ADVANCED (Advanced Targeted Attack): Stealthy, Unknown and Zero Day, Targeted, Persistent
TRADITIONAL: Open, Known and Patchable, Broad, One Time
Advanced Malware Infection Lifecycle
1. System gets exploited
– Drive-by attacks in casual browsing
– Links in targeted emails
– Attachments in targeted emails
– Compromised Web server, or Web 2.0 site
2. Dropper malware installs
– First step to establish control
– Calls back out to criminal servers
– Found on compromised sites, and Web 2.0, user-created content sites
3. Malicious data theft & long-term control established
– Uploads data stolen via keyloggers, Trojans, bots, & file grabbers
– One exploit leads to dozens of infections on the same system
– Criminals have built long-term control mechanisms into the system
[Diagram: Perimeter security (signature, rule-based), Other gateway (list-based, signatures), Anti-spam / Email servers in the DMZ, and Desktop antivirus are all shown as "losing the threat arms race"; the Callback Server sits outside the perimeter]
Malware Analysis
• What types of Malware Analysis should you do?
[Taxonomy diagram]
• Static Analysis
– Signature
– Heuristics
• Dynamic Analysis
– Discrete Object analysis
– Contextual Analysis
Case Study: Operation Aurora Infection Cycle
1. System gets exploited
– Social engineering
– Obfuscated JavaScript code
– Exploited IE 6 zero-day vulnerability
2. Web server delivers malware
– Servers mapped by dynamic DNS
– XOR-encoded malware EXE delivered
– No signatures
3. Malware calls home & long-term control established
– Complete control of infected system
– Further payloads downloaded
– C&C located in Taiwan
– Using outbound port 443 (SSL)
[Diagram: Malicious Web server, Callback Server, Desktop antivirus ("losing the threat arms race")]
Captured Aurora on Day Zero
[Screenshots]
– Signature-less detection of zero-day attack
– Malicious binary download posing as JPG
– Decryption routine for “a.exe”
– Decryption complete. MD5 of Hydraq.Trojan
– Hydraq callback captured
Requirements for APT Detection / Protection
1. Dynamic defenses to stop targeted, zero-day attacks
2. Real-time protection to block data exfiltration attempts
3. Accurate, low false positive rates
4. Global intelligence on advanced threats to protect the local network
Who is Mission Critical Systems?
Southeast-based information security solutions reseller & integrator, in business for over 15 years. Headquarters in South Florida with additional offices in Atlanta and Tampa.
Network and data security solutions are our only focus. We represent 20+ best-of-breed security products at either Platinum/Elite or Gold level partner status. Our relationships and status with the manufacturers allow us to leverage significant resources and hold manufacturers accountable. Sales consultants and engineers maintain manufacturer certifications to ensure we provide accurate information to help customers achieve their security goals and not purchase unnecessary technologies.
We work on behalf of the customer to design the appropriate solution for their security needs, negotiate the best value, and ensure a successful project roll-out.
Professional Services
Installation, Configuration and Support Services
Security Assessment and Audits
Vulnerability Scanning / Penetration Testing
Web Application Assessment
Secure Network Design
Telephone Support Contracts
Training
Thank You