State of Cyber Security - Dave DeWalt, Chairman & CEO - FireEye, Inc

Dawning of Cyber Wars in the 21st Century, Shaka-Con, June 2014 (40 slides)

Upload: shakacon

Post on 18-Nov-2014


DESCRIPTION

Despite substantial investments in traditional security technologies, the vast majority of advanced attacks go undetected and proliferate undefended. Determined attackers pick their targets for a reason and architect their attacks to easily bypass traditional security technology and defense models. In this presentation Mr. DeWalt will share FireEye’s latest observations from the front lines of the cyber battlefield on how threat actors are exploiting the security gap. Specific topics will include:

• Who is the adversary and what are they after?
• How do attackers circumvent traditional security technologies?
• What are the latest tools, techniques and procedures attackers are using?
• What are the best sources of threat intelligence?
• What can security teams do to better defend themselves?

TRANSCRIPT

Page 1: State of Cyber Security - Dave DeWalt, Chairman & CEO - FireEye, Inc

Dawning of Cyber Wars in the 21st Century

Shaka-Con, June 2014

Page 2: State of Cyber Security - Dave DeWalt, Chairman & CEO - FireEye, Inc

State of Cyber Security

Topics:
• The Offense
• The Defense
• The Outcome

Page 3: State of Cyber Security - Dave DeWalt, Chairman & CEO - FireEye, Inc

A phantom view of one of the miniature forts, thousands of which are being erected to form the most impregnable defensive systems ever known.

Sources: IDC Worldwide Network Security 2011–2015 Forecast and 2010 Vendor Shares, November 2011 and IDC Worldwide Web Security 2011–2015 Forecast and 2010 Vendor Shares, November 2011

Page 4: State of Cyber Security - Dave DeWalt, Chairman & CEO - FireEye, Inc


Page 5: State of Cyber Security - Dave DeWalt, Chairman & CEO - FireEye, Inc

Section of French Maginot Line

Page 6: State of Cyber Security - Dave DeWalt, Chairman & CEO - FireEye, Inc

Traditional Defense Against New Offensive Technologies

(Map labels: Ardennes Forest, France, Germany)

Page 7: State of Cyber Security - Dave DeWalt, Chairman & CEO - FireEye, Inc


Page 8: State of Cyber Security - Dave DeWalt, Chairman & CEO - FireEye, Inc

Corporate IT Maginot Line

Chinese 3PLA and Russian RBN easily evade Defense in Depth security strategies!

Page 9: State of Cyber Security - Dave DeWalt, Chairman & CEO - FireEye, Inc

“Defense-in-Depth” is Failing

Layers shown: Firewalls/NGFW, Secure Web Gateways, IPS, Email Gateways, Desktop AV

The New Breed of Attacks Evade Signature/Sandbox Defenses

>95% of organizations compromised*

Page 10: State of Cyber Security - Dave DeWalt, Chairman & CEO - FireEye, Inc

Legacy Security Model: Pattern-Matching Model of Detection
• Low Detection Rates
• Only Known Attacks
• Slow Signature Turns
• High False Positives
• Poor Performance

Copyright © 2014, FireEye, Inc. All rights reserved.

SECURITY Needs to Be

Page 11: State of Cyber Security - Dave DeWalt, Chairman & CEO - FireEye, Inc

The High Cost of Being Unprepared

243 Days: median # of days attackers are present on a victim network before detection (timeline: Initial Breach, 3 Months, 6 Months, 9 Months; Threat Undetected, Remediation)

of Companies Learned They Were Breached from an External Entity

of Victims Had Up-To-Date Anti-Virus Signatures

Source: M-Trends Report

Page 12: State of Cyber Security - Dave DeWalt, Chairman & CEO - FireEye, Inc

Maginot Line Proof - By The Numbers

1,217 Customers, 1,614 Appliances, 67 Countries, Last 100 Days!

Page 13: State of Cyber Security - Dave DeWalt, Chairman & CEO - FireEye, Inc

Over 20 Verticals Were Covered

• Government 16%
• Energy 6%
• Financial 18%
• Retail 5%
• High-Tech 7%
• Chemical & Manufacturing 7%
• Consulting 7%
• Healthcare 4%
• Others (12+) 30%

Page 14: State of Cyber Security - Dave DeWalt, Chairman & CEO - FireEye, Inc

124,289 Unique Malware Seen During PoV

75% of all the unique malware detected was seen ONCE

18% Detected by Top 5 AVs

Page 15: State of Cyber Security - Dave DeWalt, Chairman & CEO - FireEye, Inc

Maginot Line in the Real World!

• 97% Organizations Breached
• 1/4 Experienced an APT Event
• 3/4 Hosted active CnC sessions
• 1.59 Average # attacks per week after breach

Control             Successful Attacks   Breach Rate
All                 214                  99%
Firewalls           119                  99%
Web Proxy           137                  99%
Network A/V         74                   100%
Endpoint A/V        175                  99%
Other anti-malware  33                   97%

Page 16: State of Cyber Security - Dave DeWalt, Chairman & CEO - FireEye, Inc

“The Greatest Transfer of Wealth in History!” - Gen. Keith Alexander

Maginot Line in the Real World!

Page 17: State of Cyber Security - Dave DeWalt, Chairman & CEO - FireEye, Inc

What is Causing the Situation?

The Perfect Platform of Evil: Mobile, Social, Big Data, Cloud

• New Domain
• New Innovation
• Anonymity
• Lack of Governance
• Increased Nationalism

Page 18: State of Cyber Security - Dave DeWalt, Chairman & CEO - FireEye, Inc

• Cyber Espionage Expands Globally
• Cyber Sabotage Increases Regionally & Globally
• Cyber Crime Continues to Shift to Equity Markets
• Risk of Cyber Accidents Increasing

Page 19: State of Cyber Security - Dave DeWalt, Chairman & CEO - FireEye, Inc

Evolution of Malware (timeline chart, 1980s to 2010s, offense above the axis and defense below)

Offense: Spam, Spyware, Worms, Bots, Trojans, Rootkits, Phishing, Zero-days, APTs; milestone events Melissa, CodeRed

Defense: Birth of Anti-Virus, Anti-spam, Anti-spyware, Anti-malware, Grey-listing, Reputation Analysis, URL Filtering, Data Loss Filtering, HIPS, Whitelisting, VM Analysis

Page 20: State of Cyber Security - Dave DeWalt, Chairman & CEO - FireEye, Inc

The Offense Uses Visible Net to Start Attack and DarkNet to Stage Attacks

Diagram labels: Databases, Password Protected Websites, Federal, state and local public records, Intranets, Message boards, Website Archives, Forums, Classifieds, Online Library catalogues

Page 21: State of Cyber Security - Dave DeWalt, Chairman & CEO - FireEye, Inc

The Offensive Models

• High Tech Companies with Critical Assets
• Coordinated Persistent Threat Actors
• Multi-Vector Attacks
• Multi-Staged Attacks
• Dynamic, Polymorphic Malware
• 1000’s of Targeted APT Victims
• Source Code Leverage
• Vulnerability
• Digital Trust Certificates

Page 22: State of Cyber Security - Dave DeWalt, Chairman & CEO - FireEye, Inc

Attack Models on This Fabric

Siloed controls: SEG, IPS, Firewall, SWG, Host Anti-virus, MDM

Attack vectors: Zero-day attacks, Mobile Threats, Drive-by Downloads, Lateral Spread, Spear Phishing

Advanced Threats Attack From All Directions, Taking Advantage of the Security Silo Effect


Page 23: State of Cyber Security - Dave DeWalt, Chairman & CEO - FireEye, Inc

Multiple Stages Used by the Attackers

1. Exploitation of system (Spearphish)
2. Malware executable download
3. Callbacks and control established
4. Malware spreads laterally
5. Encrypted data exfiltration

Diagram elements: Compromised Web server or Email, User 1, Cloud Callback Servers, IPS, File Share 1, File Share 2
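The five stages above, seen from the defender's side, as an added example that is not part of the deck: a small Python correlator that maps constructed endpoint and network events onto the slide's stage numbers, lists the hosts that reached the callback stage, and measures dwell time against the 243-day median the deck cites. The event names, host names and log format are assumptions made for this example.

```python
from datetime import datetime

# Stage numbers exactly as enumerated on the slide. The event names are labels
# constructed for this example, not any product's telemetry schema.
STAGE_OF_EVENT = {
    "phish_attachment_opened": 1,  # 1: exploitation of system (spearphish)
    "executable_downloaded": 2,    # 2: malware executable download
    "beacon_to_external_host": 3,  # 3: callbacks and control established
    "admin_share_logon": 4,        # 4: malware spreads laterally
    "large_tls_upload": 5,         # 5: encrypted data exfiltration
}
MEDIAN_DWELL_DAYS = 243  # M-Trends figure quoted earlier in the deck

def parse_line(line):
    """Constructed log format: '<ISO timestamp> <host> <event_name>'."""
    ts, host, name = line.split()
    return datetime.fromisoformat(ts), host, name

def correlate(lines):
    """Map each event to its stage; return {host: (first_seen, set_of_stages)}."""
    hosts = {}
    for ts, host, name in map(parse_line, lines):
        stage = STAGE_OF_EVENT.get(name)
        if stage is None:
            continue  # benign or unmapped telemetry is ignored
        first, stages = hosts.get(host, (ts, set()))
        hosts[host] = (min(first, ts), stages | {stage})
    return hosts

def hosts_with_c2(hosts):
    """Hosts at stage 3 or later: the active CnC sessions the deck reports in 3/4 of breached orgs."""
    return sorted(h for h, (_, stages) in hosts.items() if max(stages) >= 3)

def dwell_days(hosts, detected_on):
    """Days from the earliest staged event to detection, flagged when at or past the 243-day median."""
    first = min(seen for seen, _ in hosts.values()).date()
    days = (datetime.fromisoformat(detected_on).date() - first).days
    return days, days >= MEDIAN_DWELL_DAYS

# Constructed sample telemetry following the slide's path (User 1 -> File Share 2).
SAMPLE_LOG = [
    "2014-03-01T09:12:00 user1-pc phish_attachment_opened",
    "2014-03-01T09:12:40 user1-pc executable_downloaded",
    "2014-03-01T09:15:05 user1-pc beacon_to_external_host",
    "2014-03-02T22:41:00 user1-pc print_job_submitted",
    "2014-03-04T03:10:00 user1-pc admin_share_logon",
    "2014-10-29T01:00:00 fileshare2 large_tls_upload",
]
```

Running `correlate(SAMPLE_LOG)` shows user1-pc progressing through stages 1 to 4 and fileshare2 at stage 5; detection on 2014-10-30 gives a dwell time of exactly the 243-day median.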

Page 24: State of Cyber Security - Dave DeWalt, Chairman & CEO - FireEye, Inc

APT Encyclopedia: Global Cyber Threat Map

204 Countries Involved

67% Known “Good” CnC’s

Page 25: State of Cyber Security - Dave DeWalt, Chairman & CEO - FireEye, Inc

APT Campaigns by Sector (top 10 per sector, in rank order)

HIGH-TECH: Gh0stRat, SpyNet, Rdpdoor, Kaba, LV, XtremeRAT, Wycores, PoisonIvy, Beebus, C13

DEFENSE: Beebus, Gh0stRat, Mongall, Zegost, Leouncia, Protux, HeartBeat, Kaba, 9002, Cookies

TELECOM: Gh0stRat, LV, Nflog, Protux, Taidoor, Digital, SpyNet, PoisonIvy, DNSWatch, 9002

GOVERNMENT: LV, Gh0stRat, Digital, Pandey, XtremeRAT, Note, Mongall, IndexASP, SpyNet, 9002

ENERGY: LV, Gh0stRat, XtremeRAT, SpyNet, Comfoo, Kaba, Dreamy, Net16, Mongall, RandomSite

Page 26: State of Cyber Security - Dave DeWalt, Chairman & CEO - FireEye, Inc

APT Example - Operation BeeBus

Offense: China (Linked to Comment Crew/APT1)

Target: Critical Infrastructure: Aerospace and Defense Industrial Base (DIB)

Tools, Techniques and Procedures:
• Spear phishing with weaponized attachments that evade traditional security capabilities
• One module collects system information
• Another module downloads payloads and updates
• The malware establishes communication with a command-and-control server, encrypts and sends its information, and then waits for instructions from the server

Motive: Technical specs for military technology

Page 27: State of Cyber Security - Dave DeWalt, Chairman & CEO - FireEye, Inc

The Big Four Cyber Super Powers

• Characterized by a higher level of sophistication, and highly effective at evading detection; focused on high-value financial assets to enhance economic interests. Multiple groups operating throughout former Soviet
• Waging high-frequency, brute-force attacks against a range of targets; focused on intellectual property to enhance economic interests. 20+ different groups, from APT1 to APT18.
• Leverage sophisticated tactics for deceiving users so they unwittingly enable a compromise; focused on cyber sabotage. Largely in Syria, Iran and the GCC.
• Complex, sophisticated, and rigorously engineered cyber attack campaigns; focused on global intelligence & monitoring.

Page 28: State of Cyber Security - Dave DeWalt, Chairman & CEO - FireEye, Inc

Chinese Attack Playbook

Strategy: Overwhelm cyber defenses with quantity and quality.

Sophistication: Not always the most advanced or creative, but in many circumstances it is effective.

Investment Level: China employs brute-force attacks that are often the most inexpensive way to accomplish its objectives. But skill sets vary by group considerably.

Page 29: State of Cyber Security - Dave DeWalt, Chairman & CEO - FireEye, Inc

China’s Cyber Intentions

“Keep a low profile to hide our capability and win time.” - China’s top cyber expert

Page 30: State of Cyber Security - Dave DeWalt, Chairman & CEO - FireEye, Inc

Some Recent Chinese Activity

• Operation Aurora
• Night Dragon
• Clandestine Fox

Page 31: State of Cyber Security - Dave DeWalt, Chairman & CEO - FireEye, Inc

Indicted PLA Hackers: Wang Dong, Wen Xinyu, Sun Kailiang, Gu Chunhui, Huang Zhenyu

Page 32: State of Cyber Security - Dave DeWalt, Chairman & CEO - FireEye, Inc

Russian Attack Playbook

Strategy:
• Emphasize stealth and evasion.
• Run many botnets.
• Financial crime more of a focus than espionage.

Sophistication: Many of the most complex and advanced cyber attacks originate in Russia.

Investment Level: High level of activity from Russian Business Network (RBN), suspected overlap with government.

Page 33: State of Cyber Security - Dave DeWalt, Chairman & CEO - FireEye, Inc

The Botnet Kings

Pushdo
• Peak spam volume 46.5%
• 1.5 – 2 million infected machines

Grum
• Spam levels 18% at takedown and peaked at 26%
• Infected machines 560,000 – 840,000

MegaD
• Responsible for 32% of spam worldwide
• Botnet suspected size of 500,000

Page 34: State of Cyber Security - Dave DeWalt, Chairman & CEO - FireEye, Inc

From Russia, With Love

Pushdo bot herder sent an email to FireEye after we took down his botnet.

Page 35: State of Cyber Security - Dave DeWalt, Chairman & CEO - FireEye, Inc

Middle East Attack Playbook

Strategy: Rely on cyber tactics that emphasize novelty, creativity and deception.

Sophistication: Not very sophisticated, but leverage imaginative approaches to compensate for low-tech approach.

Investment Level: Low, with strong emphasis on volunteers.

Page 36: State of Cyber Security - Dave DeWalt, Chairman & CEO - FireEye, Inc


Page 37: State of Cyber Security - Dave DeWalt, Chairman & CEO - FireEye, Inc

Some Recent Middle Eastern Activity

• Saudi Aramco: malware attack with 30,000 PCs corrupted
• Operation MoleRat: malware attack using the Poison Ivy RAT, focusing on Middle Eastern targets

Page 38: State of Cyber Security - Dave DeWalt, Chairman & CEO - FireEye, Inc

Netting Out the Threats!

New Threat Landscape: Multi-Vector Attacks, Multi-Staged Attacks, Coordinated Persistent Threat Actors, Dynamic, Polymorphic Malware

Page 39: State of Cyber Security - Dave DeWalt, Chairman & CEO - FireEye, Inc

Security Reimagined: Rise of the Virtual Machines

(Timeline chart) 1990s: PATTERN MATCHING, Endpoint AV. 2010s: Rise of APTs, VM-BASED Threat Detection across Web, Email, File, Cloud, Mobile, Endpoint. Future: VM-BASED across Network, Cloud, Endpoint.


Page 40: State of Cyber Security - Dave DeWalt, Chairman & CEO - FireEye, Inc


THANK YOU!