© Copyright Fortinet Inc. All rights reserved.
Advanced Threat Protection Webinar 24 May 2016 | Fortinet Italy
Agenda
• What is Sandbox?
• FortiSandbox Cloud Options
• FortiSandbox On-premise
• FortiSandbox On-premise File Submission
• Sniffer Mode
• FortiSandbox On-Premise Device Mode
• FortiSandbox On-premise FortiClient Integration
• HA & Sizing Details
1. What is Sandbox?
What is Sandboxing? Virtual analysis – nothing new
Sandbox: virtual end-user environment
• Code is executed in a contained, virtual environment
• Goal is to replicate typical workstations
• Output is analyzed to determine characteristics
• Some characteristics are malicious:
  • Known virus downloads
  • Registry modifications
  • Outbound connection to malicious IPs
  • Infection of processes
[Figure: sandbox VM with controlled communication inspection; labels "Unsafe action, escape attempt" and "Controlled communication inspection"]
Why does a customer look for ATP?
• Lateral Movement
• Categorization Not Enough
• AntiSpam Ineffective Against Phishing
Breaking the Kill Chain of Advanced Attacks
[Figure: the stages of the kill chain (Spam, Malicious Link, Exploit, Malware, Bot Commands & Stolen Data, with a Malicious Web Site and a C2 Server as the attacker's infrastructure) set against the protection layers Antispam, Web Filtering, Antivirus, Intrusion Prevention, App Control and IP Reputation]
[Figure, second slide: the same chain with Sandbox added as a further layer; label "Access Confirmed"]
Lateral Movement - Two Approaches
• ISFW in Transparent Mode (Pro-active)
• FortiClient (Reactive)
Spear Phishing Prevention - Two Approaches
• Transparent VDOM on ISFW
• FortiMail in Gateway Mode
[Figure label: Ineffective against encrypted attacks]
Advanced Threat Protection Framework
• Access Control: Stateful Firewall, Vulnerability Management, 2-Factor Authentication
• Threat Prevention: IPS/Application Control, AntiMalware, Email/Web Filtering, Anti-bot
• Threat Detection: "Sandboxing", Network Behavior Analysis, Botnet Reporting, Client Reputation
• Incident Response: Professional Services, Device Quarantine, FortiGuard Updates
• Continuous Monitoring: Reporting, FortiGuard Research, SIEM/Log Mgt/Intelligence, Service Partners
ATP Framework in Action
[Figure: FortiGate, FortiWeb, FortiMail and FortiClient submit unknown URLs and files to FortiSandbox; a Web Server and a Mail Server sit behind FortiWeb and FortiMail, the Internet outside; result: extended and fast protection]
FortiSandbox - key components
• Multi-tiered file processing optimizes resources to improve security, capacity and performance
AV Engine
• Applies top-rated (95%+ Reactive And Proactive) engine
• Serves as an efficient pre-filter
Cloud Query
• Checks FortiSandbox community intelligence
• FortiGuard verified
Code Emulation
• Quickly simulates intended activity
• OS independent and immune to evasion/obfuscation
Full Virtual Sandbox
• Examines real-time, full lifecycle activity
• Provides rich threat information
Call Back Detection
• Identifies the ultimate aim, call back and exfiltration
• FortiGuard verified
Products
2. FortiSandbox Cloud
FortiOS 5.4
• FortiCloud
• Register your device
• New tab of FortiSandbox
• Tune AV Profile on FortiGate
• Select AV Profile in Policy
FortiSandbox Cloud for FortiMail & FortiWeb
• FortiMail Sandbox: select Sandbox in AV Profile
• FortiWeb Sandbox Cloud configuration: select Sandbox Cloud in File Upload Policy
3. FortiSandbox On-premise
• Status Page
• FortiGuard Updates
• Pre-requisite
• It appears in Scan Profile
FSA SimNet - Open or Closed Environment?
Should you risk degrading your IP reputation by letting sandbox VMs go out through your Internet access?
» Sandbox VM execution is short
» Your reputation is at risk every day (i.e. from an infected computer in your network)
» Use a dedicated Internet access for FortiSandbox outgoing traffic
[Figure: INTERNET and the FortiSandbox interfaces port1, port2, port3]
Why Internet Access is Important for Detection?
Detonating a downloader sample in a sandbox VM with the netsim feature enabled (rating engine features applied at execution time):
1. DNS Query: A FQDN? → URL Rating: FQDN
2. DNS Response: A 192.168.250.1 (answered by netsim) → IP Reputation: 192.168.250.1
3. HTTP Request: GET URL → URL Rating: URL
4. HTTP Response: dummy.exe → AV Inspection: dummy.exe
Detonating a downloader sample in a sandbox VM without netsim:
1. DNS Query: A FQDN? → URL Rating: FQDN
2. DNS Response: A a.b.c.d → IP Reputation: a.b.c.d
3. HTTP Request: GET URL → URL Rating: URL
4. HTTP Response → AV Inspection
5. Callback connection: C2 → IP Reputation: C2
SimNet disabled vs SimNet enabled
Network Action      | Rating Feature | Sample
DNS Request         | URL Rating     | FQDN
DNS Response        | IP Reputation  | a.b.c.d
HTTP Request        | URL Rating     | URL
HTTP Response       | AV Inspection  | content
Callback connection | IP Reputation  | C2
(The slide marks each row in two further columns, SimNet Disabled and SimNet Enabled.)
36
simnet disabled vs simnet enabled
Sample
Network Action Rating Feature
SimNet
Disabled
SimNet
Enabled
DNS Request URL Rating
FQDN
DNS Response IP Reputation
a.b.c.d
HTTP Request URL Rating
URL
HTTP Response AV Inspection
content
Callback connection IP Reputation
C2
• For Networks Using Proxy
• Alert Email Setting
• Scheduled Reports on Mail
• SNMP Settings
3.a. Advanced Setup, On-Premise Mode
• Configuring VMs
• Maximum Number of VMs
• Scan Profile
• Configuring a VM to Scan File Type
• Flexibility to add User-Defined File Types
• What if we don't have Windows XP?
New Virtual Machines Support
• Android, Windows 8.1 and 10
• Not integrated by default
• SKUs to come for ordering
New design is based on input source and file type (new source and type)
[Figure: input sources Device/Sniffer, On-Demand/REST API, Network Share adapter and URL; file types EXE, DOC and *.* (Device and Sniffer) routed to Android, Windows 8 and Windows 10 VMs]
Blacklist & Whitelist
4. File On-Demand
On-Demand: Manual Input Method
The administrator uses the web-based Manager to upload files or URLs for inspection.
The combination of inspection methods can be customized:
» AV
» Cloud File Query
» VM Sandboxing
Tracking of the inspection through the On-Demand page
• How to check
• Flexibility to choose Scan Engine
4.a. URL Submission
5. Sniffer Mode
Sniffer Input Method
Monitor the network traffic through two possible connection methods:
» Mirroring/monitoring or SPAN ports (switch with mirroring/monitoring/SPAN capabilities)
» TAP device
6. Device Mode
Devices Input Method
FortiGate, FortiMail or FortiWeb devices connect to FortiSandbox over 514/tcp, SSL encrypted:
- File submission
- Get statistics back
An in-memory hash table prevents the same file from being accepted several times. It is cleared every week or each time there is a DB update.
[Figure: Fortinet Appliance ↔ FortiSandbox]
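The dedup behaviour described for Device Mode (a hash of each accepted file kept in memory, flushed weekly and on every DB update) is small enough to show end to end. The following is an added illustration written for this page, not FortiSandbox's own code; the class name, the SHA-256 key and the use of a caller-supplied clock are assumptions made so the logic can be exercised offline.

```python
import hashlib
import time

WEEK_SECONDS = 7 * 24 * 3600


class SubmissionDedup:
    """In-memory table of file hashes already accepted from devices.

    Hypothetical implementation of the slide's description: a file whose
    hash is already present is refused, the whole table is flushed once a
    week, and a signature DB update flushes it as well so that files seen
    before are analysed again with the new signatures.
    """

    def __init__(self, now=None):
        self._seen = {}                                   # sha256 hex -> first-seen time
        self._last_clear = time.time() if now is None else now

    @staticmethod
    def digest(data: bytes) -> str:
        # Key on content, so the same file under a different name is still a duplicate
        return hashlib.sha256(data).hexdigest()

    def clear(self, now: float) -> None:
        self._seen.clear()
        self._last_clear = now

    def on_db_update(self, now: float) -> None:
        # A DB update invalidates earlier verdicts, so re-accept everything
        self.clear(now)

    def _maybe_expire(self, now: float) -> None:
        if now - self._last_clear >= WEEK_SECONDS:
            self.clear(now)

    def accept(self, data: bytes, now: float) -> bool:
        """Return True if this submission should go on to analysis."""
        self._maybe_expire(now)
        key = self.digest(data)
        if key in self._seen:
            return False
        self._seen[key] = now
        return True


def demo() -> list:
    """Walk through the three cases with constructed sample bytes."""
    t0 = 1_000_000.0
    table = SubmissionDedup(now=t0)
    sample = b"MZ\x90\x00 constructed sample, not a real binary"
    results = [
        table.accept(sample, t0),                         # first time: accepted
        table.accept(sample, t0 + 60),                    # resubmitted: refused
    ]
    table.on_db_update(t0 + 120)
    results.append(table.accept(sample, t0 + 120))        # after DB update: accepted again
    results.append(table.accept(sample, t0 + 120 + WEEK_SECONDS))  # weekly flush: accepted again
    return results


if __name__ == "__main__":
    print(demo())
```

The point worth keeping in mind when sizing: between flushes, a device resubmitting a file gets no second VM run, so the weekly and DB-update clears are what bound how stale a cached decision can be.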
• Registering FortiGate on FortiSandbox for File Submission
• Device should appear in FortiSandbox
• Device Authorization
• Configure AV Profile with FortiSandbox
• Tune WCF Profile to use FortiSandbox
• Policy
• FortiView
6.a Device Mode - FortiWeb
If FGT is integrated with FSA, why do I need to integrate FWeb with FSA?
Encrypted Traffic
[Figure: HTTPS traffic reaches FGT as an encrypted file; FWeb, which terminates the HTTPS session, passes the decrypted file to FSA]
FSA Integration
» Configure FSA: authorise and test connectivity, set up admin mail
FortiWeb Configuration
» Configure File Upload Restriction Policy
6.c Device Mode - FortiMail
Threat Vectors
Which threat vector is the most popular for Targeted Attacks?
a) Web browsing
b) Email
c) Software: bugs, backdoors, exploits
d) USB
Percentage of attacks involving that vector?
Attacker's easiest choice for Targeted Attacks: "more than 90% of Targeted Attacks involve email"
• Integrate with FortiSandbox
• Enable Sandbox in AV-Profile
• Select AV-Profile in Recipient Policy
7. FortiClient Integration
Part of the Fortinet ATP Framework
Prevent known malware
» Everything that can enforce a security policy
Detect unknown malware
» FortiSandbox & everything that is behavior based
Mitigation
» FortiGuard teams and automation
[Figure labels: "Creating a fix & update prevention", "High risk items", "Provide ratings & results"]
FortiSandbox Integration: Extending the ATP Framework up to the Endpoint
• File submission of supported file types
• Every input source supported
» Internet, removable media and network drive
• Malware Package support from FortiSandbox
• Prevent the user from accessing the file until a verdict is received
1. Submit and hold the files
2. Receive verdicts
3. Retrieve Malware Packages
FortiSandbox Integration: Execution or Access Hold during the Inspection
[Figure: steps numbered 1 to 4]
• Create a Profile with FortiSandbox IP
• Register FortiClient on FGT
• Test FCT-FSA Communication
Check FCT is registered on FSA & FGT
» On the FGT check the FortiClient Monitor
» On the FSA, under Scan Input > FCT, check that the client has been registered
Process Next Level
[Figure: input methods (Sniffer, Devices, On-demand, Network Share, URL Detection) feed the Controller (Local DB, Control, File Filter); analysis engines: Static Scan Engine, AV-Scan Engine, Cloud-Query Engine, VM-Scan Engine, Rating Engine]
FortiGuard Threat Research & Response
FortiGuard Lab / FortiGuard Services:
• FortiGuard Web Filtering Service
• FortiGuard Anti-spam Security Service
• FortiGuard Intrusion Prevention Service
• FortiGuard Application Control Service
• FortiGuard Database Security Service
• FortiGuard Antivirus Service
• FortiGuard Web Security Service
• FortiGuard IP Reputation Service
• FortiGuard Vulnerability Management Service
• Anti-botnet
[Figure: FortiGuard services feeding the FortiSandbox analysis engines: File Filter, Static Scan Engine, AV-Scan Engine, Cloud-Query Engine, VM-Scan Engine, Rating Engine]
The Fortinet ATP Solution: FortiGate, FortiMail, FortiWeb, FortiClient, FortiSandbox
Sizing & Clustering
FortiSandbox Scaling
[Figure: a supported file type enters the File Filter; the FortiSandbox pre-filters (Static Scan Engine, AV-Scan Engine, Cloud-Query Engine) take 15 - 20 seconds and return either Clean File or New / Known Malware; files that remain unknown go to the VM-Scan Engine for up to + 2 ½ minutes, after which the Rating Engine returns Clean File or Unknown Malware]
Most file types are scanned by Static Scan; EXE/DLL, .bat/.vbs/.ps1/.com, PDF, Office files, Flash files, URLs from device, .jar, Office with embedded binary and Android all go into VMs.
File Sizing Summary
This means (worst case scenario):
» Maximum of 3 minutes per file, so 60 minutes / 3 =
» Maximum of 20 files an hour per Virtual Machine (if not caught by the pre-filters)
FortiSandbox Platforms
» FortiSandbox-1000D (8 concurrent VMs * 20) = 160 files per hour
» FortiSandbox-3000D (28 concurrent VMs * 20) = 560 files per hour
» FortiSandbox-Base-Virtual Appliance (4 VMs * 20) = 80 files per hour
» FortiSandbox-Maximum-Virtual Appliance (52 VMs * 20) = 1,040 files per hour
Clustering Allows Up to 100 Members
» In any platform combination (Initial Master / Primary Backup have to be the same)
» All cluster platforms share the file load / distribution
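The sizing arithmetic above (3 minutes per VM run, so 20 files per hour per VM, platform capacity = concurrent VMs × 20, cluster capacity = the sum of its members, at most 100 members) is worth carrying through as a small calculator, because the interesting question for a practitioner is the reverse one: how many VMs, and how many appliances, a given submission rate needs. The code below is an added example written for this page, not a Fortinet tool; the VM counts are the ones quoted on the slide, and the `prefilter_hit_rate` parameter is an assumption of this example (the slide gives no pre-filter rate), with 0.0 being the worst case the slide describes.

```python
import math

# Figures quoted on the "File Sizing Summary" slide
MAX_VM_MINUTES_PER_FILE = 3
FILES_PER_VM_PER_HOUR = 60 // MAX_VM_MINUTES_PER_FILE   # 20 files/hour/VM, worst case
MAX_CLUSTER_MEMBERS = 100

# Concurrent VM counts per platform, as listed on the slide
PLATFORM_VMS = {
    "FortiSandbox-1000D": 8,
    "FortiSandbox-3000D": 28,
    "FortiSandbox-Base-Virtual Appliance": 4,
    "FortiSandbox-Maximum-Virtual Appliance": 52,
}


def platform_capacity(platform: str) -> int:
    """Worst-case files/hour a single appliance can detonate in VMs."""
    return PLATFORM_VMS[platform] * FILES_PER_VM_PER_HOUR


def cluster_capacity(members: list) -> int:
    """Worst-case files/hour of a cluster; members share the file load."""
    if len(members) > MAX_CLUSTER_MEMBERS:
        raise ValueError("a cluster allows up to %d members" % MAX_CLUSTER_MEMBERS)
    return sum(platform_capacity(m) for m in members)


def vms_needed(files_per_hour: float, prefilter_hit_rate: float) -> int:
    """Concurrent VMs required for a given submission rate.

    prefilter_hit_rate (assumed parameter, 0..1) is the fraction of files the
    static/AV/cloud pre-filters settle without a VM run. Only the remainder
    has to be detonated, 20 per VM per hour in the worst case.
    """
    if not 0.0 <= prefilter_hit_rate <= 1.0:
        raise ValueError("prefilter_hit_rate must be between 0 and 1")
    to_vm = files_per_hour * (1.0 - prefilter_hit_rate)
    return math.ceil(to_vm / FILES_PER_VM_PER_HOUR)


def members_needed(platform: str, files_per_hour: float,
                   prefilter_hit_rate: float = 0.0) -> int:
    """Number of identical appliances of `platform` a cluster needs."""
    vms = vms_needed(files_per_hour, prefilter_hit_rate)
    members = max(1, math.ceil(vms / PLATFORM_VMS[platform]))
    if members > MAX_CLUSTER_MEMBERS:
        raise ValueError("%d members exceed the cluster limit of %d"
                         % (members, MAX_CLUSTER_MEMBERS))
    return members


if __name__ == "__main__":
    for name in PLATFORM_VMS:
        print("%-40s %5d files/hour" % (name, platform_capacity(name)))
    print("1,000 files/hour with no pre-filter hits:",
          members_needed("FortiSandbox-1000D", 1000), "x FortiSandbox-1000D")
```

Measuring the real pre-filter hit rate from the appliance's own statistics before sizing is the step that turns this from a worst-case bound into a usable number; with the rate left at 0.0 the calculator simply reproduces the slide's figures.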
Clustering and Load Balancing
• Master and Primary Slave have to be the same appliance (can be any model)
• Regular Slaves can be any appliance
• Up to 100 nodes in a cluster
[Figure: Master and Primary Slave, with three Regular Slaves]
Thank You!