Less Secure Than You Think - Flame


  • 7/31/2019 Less Secure Than You Think - Flame


Advanced targeted attacks are growing in intensity and sophistication. Despite this reality, many organizations are far from adequately protected.

EXECUTIVE SUMMARY

This white paper examines the changing threat landscape, how the nature of security threats has evolved, and the potential financial impact across vertical markets and organizations of all sizes. This paper will explain why advanced targeted attacks have been extremely effective at breaking through traditional network security and enabling the massive data breaches and intellectual property thefts that are keeping CISOs awake at night.

The $20 Billion IT Security Hole

It's time for a security wake-up call. When it comes to advanced targeted attacks, is your organization really as protected as you want to believe? The short answer is: probably not. Advanced targeted attacks are more sophisticated and professional than ever before, and the pace of these threats continues to accelerate. Using highly insidious techniques, cybercriminals have become extremely effective at breaking through traditional security defenses to enable massive data breaches, stealing intellectual property (IP) and enterprise credentials.

In recent years, high-level hacking schemes and cyber terrorism operations such as GhostNet, Night Dragon, and Nitro have targeted global corporations and governments to steal sensitive data, cause financial loss, and damage corporate reputations. And it's a global phenomenon: computer spyware was said to become a weapon in the Syrian conflict in early 2012, with the government using malware that spies on opposition activists and infects their computers with viruses.

The nature of threats is changing from broad and scattershot to advanced, targeted, and persistent. Like the Operation Aurora attack on Google, or the breaches on RSA, World Bank, and Global Payment Systems that targeted IP, advanced persistent threats (APTs) use multiple stages and avenues to penetrate the network and access valuable data.

WHITE PAPER

Less Secure Than You Think

Custom Solutions Group


Malware can hide or cloak itself using techniques such as polymorphism or obfuscation. It targets unknown vulnerabilities via so-called zero-day attacks. Advanced targeted attacks also incorporate decades-old but highly damaging methods such as spear phishing, where victims' personal data obtained from public social networking profiles is used to fool them into revealing sensitive information and network access credentials.

Despite an estimated $20 billion invested annually in IT security globally, according to Gartner research, a gaping security hole still exists. Case in point: Respondents to CSO magazine's 2012 Global State of Information Security Survey indicate that the threat of APTs drives their organization's security spending, but only 16 percent say their company has a security policy that addresses APTs.

APTs have become a tremendous financial liability impacting the shareholder bottom line. The problem is so serious that the U.S. Securities and Exchange Commission has issued guidance on public disclosure about cyber incidents.

The level of compromise is significant. For instance, over 95 percent of deployments see at least 10 incidents per week per Gbps, with the median about 450 incidents per week per Gbps. This is according to statistics collected from the FireEye customer base where other security devices have been deployed. The consistency in infection rate has proven the point that existing security devices are unable to thwart these advanced threats. These traditional security mechanisms can no longer keep up with the highly dynamic, multi-stage attacks that have become common today with advanced targeted attacks.

"The statistics should be a wake-up call to enterprises," says Ashar Aziz, founder, CEO, and CTO, FireEye Inc., Milpitas, Calif. "They need to closely examine their current IT defense perimeter and see if advanced malware is entering their networks unimpeded, and [then] determine if they need to add an extra layer of defense to cover this harmful and costly security gap."

Coping with APTs is a CISO's nightmare. For example, 71 percent of surveyed IT security professionals believe the changing/evolving nature of threats is a major challenge or challenge, according to a 2011 Forrester Research report. [Source: Forrsights: The Evolution Of IT Security, 2010 To 2011, Forrester Research Inc., February 15, 2011, Jonathan Penn and Heidi Shey.]

Security Preparedness

Typically, organizations employ a multilayered security strategy with a variety of network-based and host-level controls. This results in a false sense of security. For instance, more than 46 percent of respondents say they rely on a multilayered security program and do not believe they are currently compromised in any way, according to the IANS Data Compromise Awareness Study, February 2012. Yet FireEye research shows more than 95 percent of organizations have advanced malware infections in their Web, email, and file sharing infrastructures.

Advanced malware and targeted attacks easily evade traditional defenses such as firewalls, intrusion prevention systems (IPS), anti-virus software, and Web/email gateways. These four technologies function as the main pillars of most organizations' security framework. But alone or even as combined solutions, they cannot effectively combat advanced targeted attacks. Let's examine why.

Firewalls, which shield systems and services that should not be generally accessible, are completely blind in terms of preventing targeted and zero-day malware attacks. Both the initial attacks and subsequent malware that compromise computer systems use communication protocols that must be allowed to pass through the firewall. Next-generation firewalls (NGFW) add layers of policy rules based on users and applications, and consolidate traditional protections such as anti-virus and IPS; however, they do not add dynamic protection that can detect and block fast-changing, next-generation threats or behavior.

Intrusion prevention systems were built to detect and analyze network services-based attacks on the OS and server applications, rather than the client-side application attacks that dominate the current landscape. They use signatures, packet inspection, DNS analysis, and heuristics, but do not detect anything unusual in a zero-day exploit, especially if the malicious code is heavily disguised or delivered in stages.

Anti-virus software relies on the large databases of known threats maintained by software vendors. If the signature of a threat is identified on a system file, that file can then be quarantined or removed. But since vendors don't know about threats in advance, it's difficult to prevent them; nor can they keep pace with the volume of vulnerabilities in the various browser plug-ins. In the case of email spam filtering, where spoofed phishing sites use dynamic domains and URLs, blacklisting lags behind criminal activities. It often requires more than two days to shut down the average phishing site.

Web gateways use lists of known bad URLs, preventing the transmissions of Web data and websites identified as malicious. They do not protect against unknown future threats. Web filters will let a website pass with a clean reputation if the malware and vulnerability that it exploits are unknown.


Conventional network defenses are still essential, but they do not protect against advanced malware, zero-day, and targeted APT attacks because they are built on two fundamental protection technologies: lists and signatures. They only scan for the first move or the inbound attack and rely on signatures and known patterns of misbehavior to identify and block threats.

However, the most severe and successful attacks are those that exploit unknown vulnerabilities. If attacks remain below the radar, the malware is completely missed, and the network remains vulnerable to treacherous APT polymorphic code attacks that counterbalance traditional defense systems. Traditional tools may allow entry to even the most malicious code if they haven't seen it before.

Heuristics-based filtering techniques, essentially educated guesses based on behaviors or statistical correlations, also fall short. An aggressive heuristics detection policy may generate a huge number of false positives; less aggressive heuristics detection may decrease false alarms but adds the increased risk of missing malware incidents.

Deploy Dynamic Defenses to Stop Targeted, Zero-Day Attacks

"Organizations worldwide will need to augment their defenses to address the dynamic nature of today's malware that is extremely successful at penetrating today's networks," says Aziz of FireEye. Advanced threats use a multi-stage infection cycle to maximize their chances to evade detection and successfully steal confidential information, particularly user credentials and intellectual property data.

Organizations cannot afford the potential financial, operational, and reputation risks APTs pose. Defending corporate networks from the malware used in advanced targeted attacks requires comprehensive coverage to protect against multi-vector, multi-staged attacks. Consider two examples:

GOVERNMENT AGENCY. A U.S. national laboratory, which handles a huge portfolio of national security and sensitive data, must be able to continually enhance the effectiveness of protection against escalating global cyber threats such as advanced malware, zero-day, and targeted APT attacks. By deploying the FireEye Malware Protection System (MPS), this national agency was able to do just that and stay ahead of advanced malware. The benefits: A dramatic increase in speed of threat detection, notification, and resolution, and increased productivity without additional network or security management overhead.

The New Threat Paradigm: Multi-Vector, Multi-Stage Attacks

Advanced targeted attacks are complex, hitting across multiple threat vectors to maximize the chances of breaking through network defenses. Multi-vector attacks are typically delivered via the Web or email. They leverage application or operating system vulnerabilities, exploiting the inability of conventional network-protection mechanisms to provide a unified defense. As soon as one vulnerability is detected, Web-based attacks quickly shift to another.

The five stages of the attack lifecycle are as follows:

STAGE 1: SYSTEM EXPLOITATION. The attack attempts to set up the first stage, and exploits the system using drive-by attacks in casual browsing. It is often a blended attack delivered across the Web or email threat vectors, with the email containing malicious URLs, a PDF or office document.

STAGE 2: MALWARE EXECUTABLES ARE DOWNLOADED AND LONG-TERM CONTROL ESTABLISHED. A single exploit translates into dozens of infections on the same system. With exploitation successful, more malware binaries (key loggers, Trojan backdoors, password crackers, and file grabbers) are then downloaded. This means that criminals have now built long-term control mechanisms into the system.

STAGE 3: MALWARE CALLS BACK. As soon as the malware installs, attackers have cracked the first step to establishing a control point from within organizational defenses. Once in place, the malware calls back to criminal servers for further instructions. The malware can also replicate and disguise itself to avoid scans, turn off anti-virus scanners, reinstall missing components after a cleaning, or lie dormant for days or weeks. By using callbacks from within the trusted network, malware communications are allowed through the firewall and will penetrate all the different layers of the network.

STAGE 4: DATA EXFILTRATION. Data acquired from infected servers is exfiltrated via encrypted files over a commonly allowed protocol, such as FTP or HTTP, to an external compromised server controlled by the criminal.

STAGE 5: MALWARE SPREADS LATERALLY. The criminal works to move beyond the single system and establish long-term control within the network. The advanced malware looks for mapped drives on infected laptops and desktops, and can then spread laterally and deeper into network file shares. The malware will conduct reconnaissance: It will map out the network infrastructure, determine key assets, and establish a network foothold on target servers.
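The callback stage is the one a defender can look for in egress logs, because a scheduled beacon recurs at a steady interval while user browsing does not. The following Python sketch is an added example, not code from the paper or from FireEye: it flags low-jitter periodic connections in constructed proxy log lines (host names, timestamps and thresholds are all made up), and its two tuning knobs show the false-positive trade-off the heuristics paragraph above describes.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not from the paper): "timestamp src_host dst_host bytes".
# ws17 reaches update.example-cdn.test every ~5 minutes; its other traffic is irregular.
SAMPLE_LOG = """\
2012-03-01T10:00:00 ws17 update.example-cdn.test 512
2012-03-01T10:00:03 ws17 news.example.test 20480
2012-03-01T10:05:00 ws17 update.example-cdn.test 511
2012-03-01T10:10:01 ws17 update.example-cdn.test 514
2012-03-01T10:12:40 ws17 mail.example.test 8192
2012-03-01T10:15:00 ws17 update.example-cdn.test 510
2012-03-01T10:20:00 ws17 update.example-cdn.test 513
2012-03-01T10:25:01 ws17 update.example-cdn.test 512
2012-03-01T10:31:17 ws17 news.example.test 30210
2012-03-01T10:44:09 ws17 news.example.test 15000
"""

def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    by_pair = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, _size = line.split()
        by_pair[(src, dst)].append(datetime.fromisoformat(ts))
    return by_pair

def interval_stats(times):
    """Mean gap between connections (seconds) and its coefficient of variation."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.stdev(gaps) / mean if len(gaps) > 1 else float("inf")
    return mean, cv

def find_beacons(text, min_connections=4, max_cv=0.1):
    """Return (src, dst) pairs whose connections recur at a steady interval.

    min_connections and max_cv are the heuristic knobs: loosening them (the
    aggressive policy) catches more callbacks but also flags regular legitimate
    traffic such as software update checks; tightening them risks missing beacons.
    """
    flagged = {}
    for pair, times in parse_log(text).items():
        if len(times) < min_connections:
            continue
        mean, cv = interval_stats(times)
        if cv <= max_cv:
            flagged[pair] = {"connections": len(times), "period_s": round(mean), "cv": round(cv, 3)}
    return flagged
```

With the defaults only the five-minute beacon is reported; lowering min_connections to 3 and raising max_cv to 0.6 also reports the three irregular news.example.test visits, the false positive the paper warns about.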


The FireEye Approach

FireEye is the leader in stopping advanced targeted attacks that use advanced malware, zero-day exploits, and advanced persistent threat (APT) tactics. The FireEye solutions supplement traditional and next generation firewalls, IPS, anti-virus, and gateways, which cannot stop advanced threats, leaving security holes in networks.

The FireEye Malware Protection System (MPS) is the only complete solution to stop advanced targeted attacks across all threat vectors. With Web and email security to stop malware-in-motion and file security to stop malware-at-rest, the FireEye MPS offers a context-aware security solution to stop advanced attacks, mitigating the threat of APTs and enabling rapid incident response.

Each of FireEye's products features a Virtual Execution (VX) engine that provides state-of-the-art, signature-less analysis using the most sophisticated virtual machines to provide a 360-degree view of each advanced attack stage, from the initial exploit and malware callback to data exfiltration. This completely integrated and proven solution is why companies around the globe choose FireEye to protect their networks against advanced targeted attacks.


PROFESSIONAL SERVICES. A large New York-based law firm must protect the interests of its financial service and multinational corporate clients. To prevent potential leaks of highly sensitive data, the firm needed a next-generation solution that would elevate its security infrastructure beyond levels provided by traditional signature-based technologies and firewall products. The solution: The FireEye Web MPS appliance, which has provided sophisticated, real-time malware protection capabilities.

Another example is Heartland Payment Systems, one of the largest payment processors in the United States. For Heartland, protection of customer data is business critical. The company learned from experience that network infiltrators had been conducting malicious activity for a while before its well-publicized breach was discovered.

"The biggest problem we face is not knowing what we don't know," says CSO John South. "We were looking for mechanisms that would find the advanced types of threats that are out there today."

FireEye has also helped Equifax, a U.S.-based consumer credit-reporting agency, find new security threats other vendors could not. Tony Spinelli, SVP and CSO of Equifax, says, "We have this category that Equifax calls unhandled malware, [with] which traditional security approaches haven't been very helpful. Putting in FireEye has really helped us detect this unhandled malware, then gives us the capability to take action to stay secure."

He continues, "The zero-day and targeted attacks that evade some of the simpler defenses are where you are going to need a next-generation product like FireEye. We looked at two or three other vendors in this space, but when we put FireEye up against the other two vendors, by far, FireEye detected and kept us secure from these issues."

A shift in the protection paradigm is a business imperative. Instead of reactive solutions that rely on known vulnerabilities, organizations require dynamic defense systems that can accurately analyze network traffic to counter advanced threats in real time. Protection must also function across many protocols and throughout the protocol stack, including the network layer, operating systems, applications, browsers, and plug-ins such as Flash.


For more information, please visit www.fireeye.com