Malware Pandemic? Sometimes getting a shot only treats the symptoms and not the cause…


Page 1:

Copyright © 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 1

Tim Davidson, System Engineer

Malware Pandemic? Sometimes getting a shot only treats the symptoms and not the cause…

Page 2:

Agenda

Changing Threat Landscape

Why Traditional Defenses Fail?

Introducing the FireEye Platform

FireEye Advantage

Page 3:

Changing Threat Landscape

Page 4:

Changing Threat Landscape – Advanced Persistent Threats (APTs)

Advanced
• Leverages a spectrum of exploits
• Well-known and zero-day vulnerabilities
• Multi-pronged

Persistent
• Goal oriented rather than opportunistic
• Targeted attacks
• Well-planned – low and slow

Threats
• Organized, well-funded adversaries
• Nation-states, cyber-espionage groups
• Stealthy and camouflaged attacks

Modern vs. legacy threats:

MODERN (Advanced Persistent Threats) | LEGACY
Stealthy | Open
Unknown and Zero Day | Known and Patchable
Targeted | Broad
Persistent | One Time
Well-funded syndicates | Individuals

The New Threat Landscape: there is a new breed of attacks that are advanced, zero-day, and targeted.

Page 5:

High Profile Targeted Attacks

• 3 minutes: On average, malware activities take place once every 3 minutes
• 184 countries, 41%: Over the past year, FireEye captured callbacks to 184 countries, a 41% rise
• 46%: Asia (China, Korea, India, Japan, Hong Kong) accounts for 24% of callbacks; Eastern Europe (Russia, Poland, Romania, Ukraine, Kazakhstan, Latvia) accounts for 22%
• Technology companies: Technology companies experienced the highest rate of callback activity
• 89%: 89% of callback activities are linked with APT tools made in China or by Chinese hacker groups

Source: FireEye Advanced Threat Report, March 2013

Page 6:

Significant Compromise Still Exists!

[Chart: Percent of Deployments (0% to 100%) against Infections/Week at Normalized Bandwidth (10 to 100,000, logarithmic scale)]

• 98.5% of deployments see at least 10 incidents*/week/Gbps
• Average is about 221 incidents*/week
• 20% of deployments have thousands of incidents*/week

221 Average Net New Incidents Per Week at Only 1 Gbps!

Source: FireEye Advanced Threat Report, March 2013

* An incident is beyond inbound malware – it includes an exploit and callback

Page 7:

Why Traditional Defenses Fail

Page 8:

What’s causing the compromise?

NEW THREAT LANDSCAPE
• Dynamic, Polymorphic Malware
• Coordinated Persistent Threat Actors
• Multi-Vector Attacks
• Multi-Staged Attacks

Page 9:

The Attack Life Cycle – Multiple Stages

1. Exploitation of system
2. Malware executable download
3. Callbacks and control established
4. Malware spreads laterally
5. Data exfiltration

[Diagram: a compromised web server or Web 2.0 site, an IPS, a callback server, and File Share 1 and File Share 2, with stages 1 to 5 marked along the attack path]

Exploit detection is critical: all subsequent stages can be hidden or obfuscated.

Page 10:

Traditional Defenses Don’t Work

• Firewalls/NGFW
• Secure Web Gateways
• IPS
• Anti-Spam Gateways
• Desktop AV

The new breed of attacks evade signature-based defenses

Page 11:

The Enterprise Security Hole

[Diagram: the attack vectors Web-Based Attacks, Malicious Files and Spear Phishing Emails set against the defenses NGFW, FW, IPS, SWG and AV, with a SECURITY HOLE between the two]

Page 12:

A New Model is Required

Legacy Pattern-Matching Detection Model
• Signature-Based
• Reactive
• Only known threats
• Many false negatives

New Virtual Execution Model
• Signature-less
• Dynamic, real-time
• Known/unknown threats
• Minimal false positives

[Figure: a long binary stream in which the signature pattern 100100111001010101010110 is matched]

Page 13:

Introducing the FireEye Platform

Page 14:

FireEye Platform: Next Generation Threat Protection

• Multi-Vector Virtual Execution engine
• Dynamic Threat Intelligence (ENTERPRISE)
• Dynamic Threat Intelligence (CLOUD)
• Technology Interoperability
• Ecosystem Partners

Page 15:

FireEye Platform: Multi-Vector Virtual Execution (MVX)

1 – Email with weaponized PDF
2 – Executed in MVX (Email MPS) – phish suspected
3 – Web MPS notified via CMS
4 – Callback over HTTP to C&C server
5 – Callback detected by Web MPS and blocked
6 – End user defended from multi-vector attack

[Diagram: multi-vector blended attack; inbound SMTP to the Email MPS, CMS, Web MPS, outbound HTTP to the callback server, and MVX, with steps 1 to 6 marked]

Page 16:

FireEye Platform: Multi-Flow Virtual Execution

• File-oriented sandboxing can be easily evaded by malware
• File-based approaches lack virtual execution of flows
• They also lack capture and analysis of flows across multiple vectors
• FireEye uses multi-vector, multi-flow analysis to understand the full context of today’s cyber attacks
• Stateful attack analysis shows the entire attack life cycle
• This enables FireEye to disrupt each stage and neutralize the attack

[Diagram: flows across the attack life cycle: Exploit, Downloads, Malware Executable, Callbacks, Data Exfiltration, with an Infection Server and a Callback Server]
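As an added example (not FireEye's code or the MVX engine), the stateful multi-stage correlation that Page 9 and Page 16 describe, run over constructed flow records: stages are chained per host in the deck's life-cycle order, and a chain counts as an incident only when it is anchored by a detected exploit and reaches a callback, matching the incident footnote on Page 6. Host addresses, stage names and the 900-second window are assumptions.

```python
"""Stateful multi-flow correlation over the attack life cycle (added example)."""
from collections import defaultdict

# Life-cycle order from the deck: exploit, download, callback, lateral, exfiltration
STAGES = ["exploit", "download", "callback", "lateral", "exfiltration"]
RANK = {s: i for i, s in enumerate(STAGES)}

# Constructed sample flow records, not real sensor output:
# (seconds since capture start, host, stage, detail)
SAMPLE_FLOWS = [
    (0,   "10.0.0.5", "exploit",  "browser exploit served by compromised web server"),
    (3,   "10.0.0.5", "download", "GET /update.exe"),
    (40,  "10.0.0.5", "callback", "HTTP POST to callback server"),
    (120, "10.0.0.5", "lateral",  "SMB write to file share 1"),
    (15,  "10.0.0.9", "download", "GET /tool.exe"),          # no exploit observed
    (600, "10.0.0.9", "callback", "HTTP POST to callback server"),
    (5,   "10.0.0.7", "exploit",  "weaponized PDF opened"),  # chain stops here
]


def correlate(flows, window=900):
    """Chain stages per host within `window` seconds of that host's first event.

    Returns {host: {"stages": [...], "anchored": bool}}; "anchored" is True only
    when a detected exploit opens the chain, the condition the deck calls critical
    because every later stage may be hidden or obfuscated."""
    per_host = defaultdict(list)
    for sec, host, stage, detail in sorted(flows):
        if stage in RANK:
            per_host[host].append((sec, stage, detail))
    result = {}
    for host, events in per_host.items():
        start, chain = events[0][0], []
        for sec, stage, _detail in events:
            if sec - start > window:
                break  # outside the stateful window for this host
            # Advance only forward along the life cycle; repeats and out-of-order
            # events are kept out of the chain rather than breaking it.
            if not chain or RANK[stage] > RANK[chain[-1]]:
                chain.append(stage)
        result[host] = {"stages": chain, "anchored": chain[0] == "exploit"}
    return result


def incidents(flows):
    """Hosts whose exploit-anchored chain reached a callback: the deck's incident
    definition (beyond inbound malware, an exploit plus a callback)."""
    return sorted(host for host, rec in correlate(flows).items()
                  if rec["anchored"] and "callback" in rec["stages"])
```

A lone executable download (host 10.0.0.9) is retained as context but never becomes an incident, which is the single-file sandbox gap the deck contrasts with flow-based analysis.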

Page 17:

FireEye Platform: Dynamic Threat Intelligence

[Diagram: the DTI Cloud exchanging Anonymized Malware Metadata with DTI Enterprise deployments at Enterprise 1, Enterprise 2 and Enterprise 3, each connected to Ecosystem Partners]

Page 18:

FireEye Advantage

Page 19:

FireEye Platform Advantage
1. Thousands of Permutations (files, OS, browser, apps)
2. Multi-flow analysis
3. Multi-vector analysis
4. Correlation of information
5. Cloud Sharing
6. Time to protection

[Diagram: MVX and Dynamic Threat Intelligence (DTI) forming a Threat Protection Fabric, with a Local Loop within a Single Enterprise and sharing Cross Enterprise]

Page 20:

Sandbox Approach (Cloud), rated against the six criteria above: Single file; File-oriented sandbox - evasion; Single vector; partial; hours or days

Sandbox in the cloud
• Privacy violation
• Compliance and regulation violation
• Latency issues

Page 21:

Sandbox Approach (On-Premises), rated against the six criteria above: Single file; File-oriented sandbox; Single vector; Hashes: limited value; Non-realtime

Sandbox (On-Premises)
• Malware can easily circumvent a generic sandbox
• File-based sandbox misses the exploit detection phase
• No flow causes lack of stateful malware analysis

Page 22:

Key Takeaways

Page 23:

Thank You