Page 1
Advanced Persistent Threats – A Technical Analysis
“Move from Reactive to Proactive”
Lau Boon Peng, CISSP
Sr Channel SE – South Asia Pacific
FireEye, Inc.
Copyright (c) 2012, FireEye, Inc. All rights reserved. | CONFIDENTIAL
Page 2
The New Threat Landscape
• # of threats are up 5X
• Nature of threats changing – from broad to targeted
• Advanced attacks accelerating – high profile victims common (e.g., RSA, Symantec, Google)
[Chart: Damage of Attacks, 2004–2012 – from Worms, Viruses and Spyware/Bots (Disruption) to Zero-day, Targeted Attacks, Dynamic Trojans, Stealth Bots and Advanced Persistent Threats (Cyber-espionage and Cybercrime)]
“Organizations face an evolving threat scenario that they are ill-prepared to deal with….advanced threats that have bypassed their traditional security protection techniques and reside undetected on their systems.”
Gartner, 2012
Page 3
Defining Next Generation Threats
There is a new breed of attacks that are advanced, zero-day, and targeted
• Uses zero-day exploits, commercial quality toolkits, and social engineering
• Utilizes advanced techniques and/or malware
• Often targets IP, credentials
• Spreads laterally throughout network
[Diagram: Advanced Targeted Attack – Stealthy, Unknown and Zero Day, Targeted, Persistent; Traditional – Open, Known and Patchable, Broad, One Time]
Page 4
Attacks Increasingly Sophisticated
• Multi-Vector: Web, email or files (Dynamic Web Attacks, Spear Phishing Emails, Malicious Exploits)
• Multi-Stage: Exploit to exfiltration
Page 5
The Advanced Attack Lifecycle – Multiple Stages
[Diagram: Public Internet (Drop Zones, Command and Control) and the Enterprise. Stages: 1 Initial Request to a compromised web server or Web 2.0 site; 2 Infected Content; 3 Callback; 4 Updated Exploits; 5 Further Infection – Attack & Spread]
Page 6
Typical Enterprise Security Architecture
[Diagram: Firewalls/NGFW, IPS, Secure Web Gateways, Anti-Spam Gateways, Desktop AV – with APT passing through every layer]
Page 7
The Enterprise Security Hole
[Diagram: attack vectors (Web-based Attacks, Spear Phishing Emails, Malicious Files) against existing controls (NGFW, FW, IPS, SWG, AV) – each vector passes through a security hole the controls leave open]
Page 8
Public Spear Phishing Examples
Page 9
Spear Phishing: The Preferred Intrusion Method
1. Spear phish attack exploits PC – more than 50% use malicious URLs; attachments: PDF, PPT, XLS and DOC; targeted mid- & high-level energy execs; also targeted vendors (investment bankers, oil & gas service companies)
2. Back door opened & lateral spread – ZIP file on Windows 7; exploit code executed when ZIP opened; exploit in ZIP
3. Second phase objects and callbacks linked to initial exploit – callbacks related to RSA intrusion
4. Data exfiltration commences – sensitive data, passwords
[Diagram: Callback Server on the Internet; Anti-Spam Gateway, DMZ and Mail Servers inside the enterprise; Desktop antivirus – losing the threat arms race]
Page 10
VirusTotal is Helpful for Investigations
Page 11
RSA Spear Phish (H/T @mikko)
Page 12
Social Networks are a Data Gold Mine
Page 13
We Are Only Seeing the Tip of the Iceberg
Headline grabbing attacks
Thousands more below the surface: APT Attacks, Zero-Day Attacks, Polymorphic Attacks, Targeted Attacks
Page 14
The Degree of Compromise is Significant
[Chart: Percent of Deployments (0–100%) against Infections/Week at Normalized Bandwidth (10 to 100,000; 1 Gbps and 5 Gbps series)]
• 98.5% of deployments see at least 10 incidents/week/Gbps
• Median is about 450 incidents/week/Gbps
• 20% of deployments have thousands of incidents/week/Gbps
450 Median Net New Infections Per Week at Only 1 Gbps!
Source: FireEye Advanced Threat Report, Feb. 2012
Page 15
Dynamism of Malware: Binary MD5s
Page 16
Industries Most Affected by Advanced Threats
Page 17
APT Threat Actors & Surprising Collusions
Page 18
Advanced Persistent Threat (APT) Actors
• APT Actors (nation state threats)
• Crimeware Actors (cyber crime gangs)
• Hacktivists (Anonymous, LulzSec)
Page 19
Advanced Threat Actors & Crimeware Actors
• APT Actors → Crimeware Actors: sell “used” zero-day exploits that became known too widely
• Crimeware Actors → APT Actors: sell compromised systems (access & control over)
Page 20
Case Study: Wermud Trojan
• [March 2011] Created and used by APT
• [15 March 2011] FireEye created callback rules
• [April 2011] Wermud passed to crimeware by APT actors
• [June 2011] Seen used by FakeAV (crimeware)
Page 21
Example of Bypassing Traditional Security
Basic Evasion Tactics
Page 22
Builders Used In Team Attacks. H/T alienvault + threatexpert
Page 23
Anti-Virus Evasion is Done through Simplicity
Page 24
Callbacks Done Through Legitimate Channels
Page 25
Callbacks Done Through Legitimate Channels
Page 26
Blogs are Free to Set up
Page 27
The Point?
• Advanced targeted attacks run rampant inside networks, easily infiltrating existing defenses
• Advanced targeted attacks can occur as unique exploits, e.g. Aurora and RSA attacks
• BUT, if you have a fair amount of common malware infections (crimeware), you may never see unique targeted APT attacks
• APT actors may simply leverage existing crimeware backdoors
• Therefore, you still have to respond to the low grade attacks, because they can become high grade for a valuable target
Page 28
5 Criteria for Advanced Threat Protection
1. Dynamic, signature-less engine to detect & block zero-day and targeted inbound attacks (as used by APT actors, crimeware actors, and Hacktivists)
2. Real-time protection to stop data exfiltration
3. Integrated, cross-protocol Web & Email inbound infection and outbound callback protection
4. Accurate, no tuning, and very low false positive rate
5. Global malware intelligence for sharing threat indicators to block zero-day malware & latest callback channels
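The multi-stage lifecycle on pages 5 and 9 (inbound infected content, then an outbound callback from the same host) is what criterion 3 asks a defense to tie together. The following Python example is added here and is not FireEye's code: it correlates a constructed mail-gateway log with a constructed proxy log and flags hosts that contact a domain outside an allowlist within an hour of receiving an attachment. The log formats, host names, domains, allowlist and time window are all assumptions.

```python
"""Correlate inbound email attachments with later outbound callbacks.

Constructed example for the multi-stage lifecycle described in the deck:
an attachment arrives by email (inbound infection), then the receiving
host opens a connection to a domain the site does not recognise (callback).
Log formats, hosts, domains and the time window are invented for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed anti-spam gateway log: time, recipient host, attachment name
MAIL_LOG = """\
2012-03-01T09:00:10 host=ws-042 attach=quarterly_plan.zip
2012-03-01T09:05:30 host=ws-017 attach=invoice.pdf
2012-03-01T11:30:00 host=ws-099 attach=agenda.doc
"""

# Constructed web proxy log: time, source host, destination domain
PROXY_LOG = """\
2012-03-01T09:02:45 host=ws-042 dst=www.example-corp.test
2012-03-01T09:12:03 host=ws-042 dst=free-blog-4411.test
2012-03-01T09:40:00 host=ws-017 dst=www.example-corp.test
2012-03-02T08:00:00 host=ws-099 dst=news.test
"""

KNOWN_GOOD = {"www.example-corp.test", "news.test"}  # constructed allowlist
WINDOW = timedelta(hours=1)  # callback must follow delivery within this window

def parse(log):
    """Turn 'time k=v k=v' lines into (datetime, {k: v}) tuples."""
    rows = []
    for line in log.splitlines():
        ts, *fields = line.split()
        rows.append((datetime.fromisoformat(ts), dict(f.split("=", 1) for f in fields)))
    return rows

def find_callback_chains(mail_log, proxy_log, known_good=KNOWN_GOOD, window=WINDOW):
    """Return (host, attachment, dst) for every host that received an attachment
    and, within `window`, contacted a domain outside the allowlist."""
    deliveries = defaultdict(list)
    for ts, row in parse(mail_log):
        deliveries[row["host"]].append((ts, row["attach"]))
    hits = []
    for ts, row in parse(proxy_log):
        if row["dst"] in known_good:
            continue  # traffic to an allowlisted domain is not a callback candidate
        for d_ts, attach in deliveries.get(row["host"], []):
            if d_ts <= ts <= d_ts + window:
                hits.append((row["host"], attach, row["dst"]))
    return hits

if __name__ == "__main__":
    for host, attach, dst in find_callback_chains(MAIL_LOG, PROXY_LOG):
        print(f"{host}: attachment {attach!r} followed by callback to {dst}")
```

Only ws-042 is flagged: it received an attachment and then, within the window, reached a domain not on the allowlist, while the other hosts only contacted allowlisted destinations.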
Page 29
Cyber Security = Proactive
Page 30
FireEye Malware Protection System
Complete Protection Against Advanced Targeted Attacks
• Integrated solution to combat advanced malware across multiple vectors, like Web, Email and File Shares
• Exploit, callback, and payload analysis to address all stages of attack lifecycle
• Malware forensics complements real-time protections with deep malware intelligence
• Systems share real-time malware intelligence locally and globally
[Diagram: Web Malware Protection System, Email Malware Protection System, File Malware Protection System]
Page 31
Thank You
Twitter @fireeye
www.fireeye.com
Contact us online for a complimentary security assessment. You’ll find out if you are infected and what to do about it.
Page 32
Sign Up for a Free FireEye Security Assessment
http://www.fireeye.com/stopapts