Published by Phillip Roman, modified over 10 years ago
FireEye Overview
Nathan Labadie, Systems Engineer, US-Central, FireEye
The 1981 book School, Work and Play (World of Tomorrow) features this beautiful two-page spread. Apparently, thanks to computers, there's no crime in the future outside of the computerized variety.
Company Overview
The leader in stopping advanced targeted attacks
* Marquee customers across every industry: top banks, hi-tech, oil and gas, government
* All major Internet search engines, top social networks, and auction sites
* One of the fastest growing enterprise technology companies in the world

FireEye is the leader in stopping advanced targeted attacks that use advanced malware, zero-day exploits, and APT tactics. FireEye's solutions supplement traditional and next-generation firewalls, IPS, antivirus and gateways, which cannot stop advanced threats and so leave security holes in networks. Customers come from every vertical in every industry; named examples include NetApp, Heartland Payment Systems, and UC Berkeley. FireEye offers the industry's only solution that detects and blocks attacks across the Web and email threat vectors as well as malware resident on file shares. It addresses all stages of the attack lifecycle with a signature-less engine that uses stateful attack analysis. Based in Milpitas, California, FireEye is backed by premier financial partners including Sequoia Capital, Norwest Venture Partners, Juniper Networks, and In-Q-Tel, the venture arm of the US Intelligence Community. These organizations have confirmed FireEye is among the fastest growing technology companies in the world.
TRANSITION: Let's take a look at a sample of the customer base.
We Are Only Seeing the Tip of the Iceberg
Headline-grabbing attacks above the surface; thousands more below it: APT attacks, zero-day attacks, polymorphic attacks, targeted attacks.

Beyond the headlines there is a range of attacks that very commonly penetrate defenses. Well-known brands get the publicity, but for every breach we hear about there are thousands below the surface that are never mentioned, because the attacks are sophisticated enough to go unnoticed.
TRANSITION: dive into what an advanced targeted attack really is.
Manufacturing Hit Worst
Don’t Take Usual Vacations (Email Attacks)
Chinese Hacking Methodology
Chinese Hacking Methodology - Translated
Characteristics of Malware
* Stealth level: ranges from high to low
* Target vulnerability: unpatched machines, plug-ins, browsers
* Intended victim(s): specific victims, reached by spear phishing
* Objectives: theft? disruption? fear?
High Profile APT Attacks Are Increasingly Common
You may have seen these headlines, but the key point is that all companies are at risk. Interestingly, many attacks are designed with the express purpose of enabling further attacks on even more valuable targets (the RSA attack led to attacks on Lockheed Martin, L-3, and Northrop Grumman). Net-net: data breaches are increasingly common because of flaws in common applications and plug-ins such as Adobe Reader. Persistent foes show that break-ins like the RSA data breach or the theft of Symantec source code are straightforward against today's traditional defenses.
TRANSITION: Getting beyond the headlines.
Defining Advanced Targeted Attacks
* Utilizes advanced techniques and/or malware: unknown, targeted, polymorphic, dynamic, personalized
* Uses zero-day exploits, commercial-quality toolkits, and social engineering
* Often targets IP and credentials, and often spreads laterally throughout the network
* AKA Advanced Persistent Threat (APT)

The New Threat Landscape: there is a new breed of attacks that are advanced, zero-day, and targeted.
Advanced targeted attack: stealthy; unknown and zero-day; targeted; persistent.
Traditional attack: open; known and patchable; broad; one-time.

Advanced Targeted Attacks is the term we will use to describe the attacks in this market (it is also the term Gartner has just coined and uses). What are advanced targeted attacks? They use advanced malware, zero-day exploits and APT tactics to penetrate networks for the purpose of control, espionage and theft. Advanced malware uses a variety of tactics such as zero-day exploits and dynamism (e.g. fast-flux DNS, polymorphism), and is often targeted and personalized. We are now in the age of the "Cyber Industrial Complex", in which criminals have commercial-quality toolkits to build the cyber weapons (malware) that are so effective at penetrating networks. Many in the IT security industry call these cyber-criminal actors Advanced Persistent Threats.
TRANSITION: Why are advanced targeted attacks so effective?
Traditional Defenses Don't Work
Networks are being compromised as APTs easily bypass traditional signature-based defenses like NGFW, IPS, AV, and gateways. Advanced attacks bypass both signature- and heuristics-based technologies in existing IT security defenses.

As a result, traditional defenses are ineffective against today's advanced targeted attacks. Signatures are a reactive mechanism against known threats: if an attack stays below the radar, the malware is missed entirely and the network remains vulnerable, especially to zero-day, targeted APT malware. No matter how malicious the code is, if signature-based tools haven't seen it before, they let it through. Consider, for example, the lag in signature development caused by the need for vulnerability disclosure and/or for an attack to spread widely enough to catch the attention of researchers.

Advanced attacks also bypass the heuristics-based technologies in existing defenses. Heuristic protection alone has not proven operationally effective: it uses rough algorithms to estimate suspicious behavior and generates many false alerts. While heuristic techniques have merit, the ratio of true positives to false positives (the signal-to-noise ratio) is too low for a cost-effective ROI. The false positives clutter security event logs, and real-time blocking on heuristic alerts is simply not an option. Administrators often "dumb down" the available heuristics to catch only the most obvious suspicious behavior, and multi-stage targeted attacks don't trip this coarse-grained filter.
Typical Enterprise Security Architecture
* Firewalls / NGFW: block IP/port connections and provide application-level control; no visibility into exploits; ineffective vs. advanced targeted attacks
* IPS: attack-signature based detection, shallow application-level analysis, high false positives, no visibility into the advanced attack lifecycle
* Secure Web Gateways: some analysis of script-based malware, AV, IP/URL filtering; ineffective vs. advanced targeted attacks
* Anti-Spam Gateways: rely largely on antivirus, signature-based detection (some behavioral); no true spear phishing protection
* Desktop AV: signature-based detection (some behavioral); ineffective vs. advanced targeted attacks

Traditional defenses lack any true integration and are easily bypassed by attacks that blend threat vectors and unfold over time, in stages. Remember, current defenses are essentially signature-based, so they can't stop what they haven't seen before. Firewalls and next-generation firewalls rely on port, protocol and IP address to enforce connection policies; they have no visibility into exploits. Cyber criminals have figured out how to evade these defenses: using toolkits to build polymorphic threats that change with every use, moving slowly, and exploiting zero-day vulnerabilities, they have broken in through the hole left by traditional and next-generation firewalls, IPS, antivirus and Web gateways.
This new generation of organized cybercrime is persistent, capitalizing on organizational data available on social networking sites to craft very targeted phishing emails and malware aimed at the applications and operating systems (with all their vulnerabilities) typical of particular industries.
Attacks Increasingly Sophisticated
Dynamic Web attacks, multi-vector: delivered via Web or email; blended attacks with emails containing malicious URLs; uses application/OS exploits
Multi-stage: initial exploit stage followed by malware executable download, callbacks and exfiltration; lateral movement to infect other network assets
(Diagram labels: malicious exploits; spear phishing emails)

The main reason advanced attacks are so effective is that they use:
* Multiple threat vectors, like Web or email, to bypass signature-based defenses.
* Multiple stages that take place over time, allowing criminals to penetrate uncoordinated, traditional security that is blind to the attack lifecycle: an initial exploit stage followed by malware binary (executable) download, callbacks and exfiltration.
Traditional protections, like traditional and next-generation firewalls, intrusion prevention systems, antivirus and Web gateways, only scan for the first move, the inbound attack. These systems rely heavily on signatures and known patterns of misbehavior to identify and block threats. This leaves a gaping hole in network defenses, which remain vulnerable to zero-day and targeted APT attacks.
The Attack Lifecycle – Multiple Stages
(Diagram: compromised Web server or Web 2.0 site, callback server, file shares, IPS. Stages: 1 exploitation of system; 2 malware executable download; 3 callbacks and control established; 4 data exfiltration; 5 malware spreads laterally.)

The Advanced Attack Lifecycle:
Stage 1: System exploitation. Attackers start by attempting to exploit your system using "drive-by attacks" during casual browsing. The attack may be delivered via the Web or via email, with the email containing malicious URLs, for example. It is a blended attack across the Web and email threat vectors that sets up the first stage, system exploitation.
Stage 2: Binary payloads are downloaded. With exploitation successful, more malware binaries are downloaded, such as key loggers, Trojan backdoors, password crackers, and file grabbers. Just one exploit translates into dozens of infections on the same system.
Stage 3: Malware calls back and control is established. Once the malware installs, the attackers have taken the first step towards a control point inside your defenses. The malware calls out to criminal servers for further instructions. It can also replicate itself and disguise itself to avoid scans; some will turn off antivirus scanners, reinstall missing components after a cleaning, or lie dormant for days or weeks. Because the callbacks originate from within the trusted network, the malware's communications are allowed straight through the firewall and across all the layers of the network. At this point the criminals have built long-term control mechanisms into the system.
Stage 4: Data exfiltration. Data acquired from infected servers is staged for exfiltration, then exfiltrated over any commonly allowed protocol, such as FTP or HTTP, to an external server controlled by the criminal, say at a hosting provider.
Stage 5: Malware spreads laterally. The criminal works to move beyond the single system and establish long-term control in the network. The advanced malware looks for mapped drives on infected laptops and desktops and then spreads laterally, deeper into network file shares, for example. It conducts reconnaissance, maps out the network infrastructure, determines key assets, and establishes a network foothold on target servers.
FireEye Malware-VM™ Filter
Phase 1: Aggressive capture heuristics. Deploys out-of-band/passive or inline; multi-protocol capture of HTML, files (e.g. PDF) and EXEs; maximizes capture of potential zero-day attacks.
Phase 2: Virtual machine analysis. Confirmation of malicious attacks; removal of false positives.
Phase 3: Block. Blocks callbacks to stop data/asset theft; fast-path real-time blocking in the appliance; XML/SNMP alerts on infections as well as C&C destinations; global loop sharing into MAX Cloud Intelligence.

KEY POINT: More in-depth on the FireEye Malware-VM analysis:
* Proprietary VM technology
* Ability to detect even VM-aware malware
* Runs the full OS and browser software stack
The FireEye Difference
Multi-Vector Protection: protection against Web attacks, email attacks and file-based attacks.
Multi-Stage Protection: inbound zero-day exploit detection, outbound malware callback blocking, malware binary payload analysis, latent malware quarantine.

FireEye offers true multi-vector protection that addresses all stages of the attack lifecycle. Criminals are so effective because they blend tactics and take their time, working in stages to penetrate the network. FireEye has been designed to address both the multi-vector nature of today's advanced targeted attacks and each stage of an advanced attack, to mitigate the threat end to end.
TRANSITION: let's talk a bit more about multi-vector protection.
Multi-Vector Protection
(Diagram: Web MPS, Email MPS and File MPS managed by the CMS; blended Web/email threats, Web threats, email threats, and internal lateral movement of threats.)

Multi-vector protection requires:
* Dealing with Web and email threats.
* Dealing with malware resident in file shares, brought into the network by users (unintentional "malware mules"). The Web and Email MPS protect all the desktops and the File MPS protects all the servers and file shares.
* Integrating protection mechanisms so that a malicious URL can be traced back to the originating spear phishing email.
* Blended protection to stop blended attacks.
TRANSITION: Now let's dive into how FireEye stops attacks across the multiple stages of the attack lifecycle.
Multi-Staged Attack Pieces Connected
(Diagram: point products each see one piece, such as a Web exploit, a callback, a malware executable download or data exfiltration; FireEye connects Web or email exploit, malware executable download, callback, lateral spread and data exfiltration.)

Point products attempt to deal with specific aspects of the attack lifecycle, and poorly at that. For example, callback blocking using URL filters is largely ineffective: criminals use dynamic, one-time URLs, host them on high-reputation domains, and/or use non-HTTP callback channels. FireEye, by contrast, pulls the pieces together in real time using dynamic, signature-less analysis. We connect the dots of an attack to mitigate the impact of APT threat actors. We see the actual exploit and every other stage, and so can connect the dots, while others may only see the binary download or a callback. The exploit phase is key: Spectrum and WildFire have no visibility into it, and a sophisticated attack will mask the binary download, so no solution other than FireEye picks this up. Finally, we also detect malware that has moved laterally in an organization.
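The correlation the last two slides describe, stitching single events into a lifecycle before alerting rather than firing on one event, can be sketched in a few dozen lines. The Python below is an added example written for this page; it is not FireEye code and does not describe how the MPS works internally. It reads constructed proxy/egress log lines, classifies each host's traffic into the lifecycle stages named above (active-content fetch, executable download, regular small callbacks, large outbound transfer to the callback host) and flags a host only when the stages appear in order. The log format, hostnames, size thresholds and the jitter bound used to recognise a timer-driven beacon are all assumptions made for the example.

```python
"""Added example: correlate attack-lifecycle stages per host from proxy logs.

Not FireEye code. Log format, hostnames and thresholds are constructed
assumptions for this illustration; real egress logs and tuning will differ.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed log format: "<iso-timestamp> <src-host> <method> <url> <bytes-out> <content-type>"
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d+) (\S+)$")

# Stage 1 candidate: active content a browser plug-in renders (the exploit carrier)
ACTIVE_CONTENT = {"application/x-shockwave-flash", "application/pdf", "application/java-archive"}
# Stage 2 candidate: executable payload fetched after the exploit
EXECUTABLE = {"application/x-msdownload", "application/x-dosexec"}
BEACON_MAX_BYTES = 4096      # assumption: callbacks carry little data
EXFIL_MIN_BYTES = 1 << 20    # assumption: >= 1 MiB outbound to the C2 host = exfiltration
MAX_JITTER = 0.10            # assumption: pstdev/mean of gaps below this = machine-timed beacon
MIN_BEACONS = 3

# Constructed sample: ws-17 walks the whole lifecycle; ws-04 only downloads an installer.
SAMPLE_LOG = """\
2012-05-01T09:00:01 ws-17 GET http://news.example.net/index.html 412 text/html
2012-05-01T09:00:03 ws-17 GET http://cdn.example.org/ad.swf 389 application/x-shockwave-flash
2012-05-01T09:00:09 ws-17 GET http://203.0.113.45/update.exe 201 application/x-msdownload
2012-05-01T09:05:09 ws-17 POST http://203.0.113.45/gate.php 96 text/plain
2012-05-01T09:10:09 ws-17 POST http://203.0.113.45/gate.php 98 text/plain
2012-05-01T09:15:08 ws-17 POST http://203.0.113.45/gate.php 97 text/plain
2012-05-01T09:20:10 ws-17 POST http://203.0.113.45/gate.php 95 text/plain
2012-05-01T09:31:00 ws-17 POST http://203.0.113.45/up.php 5242880 application/octet-stream
2012-05-01T09:00:02 ws-04 GET http://news.example.net/index.html 412 text/html
2012-05-01T09:07:30 ws-04 GET http://files.example.com/setup.exe 233 application/x-msdownload
2012-05-01T09:12:00 ws-04 POST http://mail.example.com/send 2048 text/html
"""


def parse_log(text):
    """Parse log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, method, url, nbytes, ctype = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "method": method,
                       "url": url, "dest": urlsplit(url).hostname,
                       "bytes": int(nbytes), "ctype": ctype})
    return events


def find_beacons(posts):
    """Return [(dest, first_ts)] for destinations receiving >= MIN_BEACONS small,
    evenly spaced POSTs. Regularity, not the URL, is the signal: one-time URLs
    on a reputable host still call home on a timer."""
    by_dest = defaultdict(list)
    for e in posts:
        if e["bytes"] <= BEACON_MAX_BYTES:
            by_dest[e["dest"]].append(e["ts"])
    found = []
    for dest, stamps in by_dest.items():
        stamps.sort()
        if len(stamps) < MIN_BEACONS:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < MAX_JITTER:
            found.append((dest, stamps[0]))
    return found


def correlate(events):
    """Map host -> {"stages": set, "c2": dest or None, "flagged": bool}.
    A host is flagged only when stages 1, 2 and 3 occur in lifecycle order."""
    per_host = defaultdict(list)
    for e in events:
        per_host[e["host"]].append(e)
    verdicts = {}
    for host, evs in per_host.items():
        stage1 = [e["ts"] for e in evs if e["method"] == "GET" and e["ctype"] in ACTIVE_CONTENT]
        stage2 = [e["ts"] for e in evs if e["method"] == "GET" and e["ctype"] in EXECUTABLE]
        stages, c2 = set(), None
        if stage1:
            stages.add(1)
        if stage2:
            stages.add(2)
        for dest, first_cb in find_beacons([e for e in evs if e["method"] == "POST"]):
            # Ordering check: exploit carrier before payload before first callback.
            if stage1 and stage2 and min(stage1) <= min(stage2) <= first_cb:
                stages.add(3)
                c2 = dest
                if any(e["method"] == "POST" and e["dest"] == dest
                       and e["bytes"] >= EXFIL_MIN_BYTES for e in evs):
                    stages.add(4)
        verdicts[host] = {"stages": stages, "c2": c2, "flagged": {1, 2, 3} <= stages}
    return verdicts


if __name__ == "__main__":
    for host, v in sorted(correlate(parse_log(SAMPLE_LOG)).items()):
        print(host, "FLAGGED" if v["flagged"] else "ok", sorted(v["stages"]), v["c2"])
```

On the constructed sample, ws-17 is flagged with stages 1 to 4 and C2 host 203.0.113.45, while ws-04, which only fetched an installer, is not. A single-event rule on executable downloads would fire on both hosts, and a URL reputation filter would fire on neither (the beacon goes to a bare IP the filter has never seen); the ordering and timing checks are what separate the two.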
Web Malware Protection System
* Inline, real-time, signature-less malware protection at near-zero false positives
* Analyzes all web objects, e.g. web pages, Flash, PDF, Office docs and executables
* Blocks malicious callbacks, terminating data exfiltration across protocols
* Dynamically generates zero-day malware and malicious URL security content and shares it through the Malware Protection Cloud network
* Integration with Email and File MPS and MAS for real-time callback channel blocking
FEATURES: inline blocking both inbound and outbound; advanced content analysis (PDF, JavaScript, URLs); models up to 1 Gbps at microsecond latency

The FireEye Web Malware Protection System:
* It is an inline, next-generation, signature-less malware protection device that analyzes HTTP on the inbound side and multiple protocols on the outbound side to stop advanced attacks.
* It can be deployed in out-of-band monitoring mode. A large fraction of our customers deploy inline, but we recognize this does not fit every customer's incident response procedures.
* If deployed inline, it blocks known and zero-day targeted attacks at near-zero false positives. This buys IT more time to deal with the APT incident.
* FireEye can also block malicious callbacks, terminating data exfiltration across protocols.
The Web MPS dynamically generates zero-day malware and malicious URL security content. This content is shared locally with other MPS appliances via the CMS and shared globally through the Malware Protection Cloud network.
Email Malware Protection System
* Protection against spear phishing and blended attacks
* Analyzes all emails for malicious attachments and URLs
* In-line MTA active security, or SPAN/BCC for monitoring
* Brute-force analysis of all attachments in the VX Engine
* Web MPS integration for malicious URL analysis/blocking
* Web MPS integration for blocking of newly discovered callback channels
FEATURES: supports a large range of file types (PDF, Office formats, ZIP, etc.); attachment analysis; URL analysis; correlation of malicious URLs to emails at the CMS

The FireEye Email Malware Protection System protects against spear phishing and blended attacks. It analyzes all emails for malicious attachments and URLs, and can be deployed in-line as an MTA for active security or via SPAN/BCC for monitoring. KEY: Web MPS integration for malicious URL analysis/blocking. The Web MPS then dynamically generates zero-day malware and malicious URL security content; the correlation of malicious URLs to emails is done at the CMS. This content is shared locally with other MPS appliances via the CMS and globally through the Malware Protection Cloud network.
File Malware Protection System
* Protects file sharing servers from latent malware
* Addresses malware brought into the network via web, email or file sharing, as well as other manual means
* Detects the lateral spread of malware through network file shares
* Continuous and incremental network file share analysis
* Web MPS integration for blocking of newly discovered callback channels
FEATURES: supports a large range of file types (PDF, Office, ZIP, etc.); CIFS support; malicious file quarantine; integration via CMS

The File Malware Protection System protects file shares from resident malware brought into the network by users through Web downloads, cloud storage, and other manual means. This halts the lateral spread of malware through network file shares. The File MPS offers continuous and incremental file share analysis, CIFS support, file quarantine, and CMS integration to share malware intelligence with the local MPS appliances (Web/Email/File).
Multi-Layered Threat Intelligence Sharing
(Diagram: local sharing, cross-enterprise sharing, and global sharing; the Central Management System links Web MPS appliances in seconds; the internal feedback loop; many 3rd-party feeds validated by FireEye technology; cross-enterprise Web MPS deployment.)

Another look at the benefit of joining the FireEye security feedback loop:
* Internal feedback loop: zero-day malware intelligence is inserted into the local appliance's fast path to block subsequent inbound infections from that location as well as callbacks from patient zero. We terminate the attack in real time, preventing the infection from fully succeeding and preventing subsequent infections. Dynamic, real-time exploit, callback and payload analysis stops zero-day attacks.
* Local loop protection: via the CMS, the local MPS appliances (Web/Email/File/MAS) receive that malware intelligence as well, shared in real time across the local deployment.
* Global loop protection: the worldwide cloud efficiently shares auto-generated malware security intelligence. Local FireEye MPS appliances auto-generate advanced malware security intelligence to mitigate zero-days, and this feeds into the global Malware Protection Cloud.
Summary
* The pace of advanced targeted attacks is accelerating, affecting all verticals and all segments
* Traditional defenses (NGFW, IPS, AV, and gateways) no longer stop these attacks
* A real-time, integrated, signature-less solution is required across the Web, email and file attack vectors
* FireEye has engineered the most advanced threat protection to supplement traditional defenses and stop advanced targeted attacks
Complete Protection Against Advanced Targeted Attacks: Malware Protection Cloud, Central Management System, Malware Analysis System, Web Malware Protection System, Email Malware Protection System, File Malware Protection System.

With the pace of advanced targeted attacks accelerating, all verticals and all segments are affected. Because traditional defenses (NGFW, IPS, AV, and gateways) no longer stop these attacks, companies need a real-time, proactive, signature-less solution across the Web, email and file share vectors. FireEye has engineered the most advanced threat protection to supplement traditional defenses and stop advanced targeted attacks.
Enjoy the rest of the show!
Thank You!