Solutions for Demanding Business

Zlatibor asseco-fire eye


Page 1: Zlatibor   asseco-fire eye


Page 2:

FireEye – Advanced Threat Protection

Dane Hinić

Senior [email protected]

Page 3:

Traditional Security Solutions

IPS: attack-signature based detection, shallow application analysis, high false positives, no visibility into the advanced attack lifecycle

Secure Web Gateways: some analysis of script-based malware, AV, IP/URL filtering; ineffective vs. advanced targeted attacks

Desktop AV: signature-based detection (some behavioral); ineffective vs. advanced targeted attacks

Anti-Spam Gateways: relies largely on antivirus, signature-based detection (some behavioral); no true spear phishing protection

Firewalls/NGFW: block IP/port connections, application-level control, no visibility

Despite all this technology, 95% of organizations are compromised

Page 4:

Multi-Staged Cyber Attack

Exploit detection is critical: all subsequent stages can be hidden or obfuscated

[Diagram: Exploit Server, Callback Server, File Share 1, File Share 2, Firewall, IPS; numbered arrows 1–5 correspond to the stages below]

1. Exploitation of System

2. Malware Executable Download

3. Callbacks and Control Established

4. Lateral Spread

5. Data Exfiltration

Page 5:

What Is An Exploit?

[Diagram: compromised webpage with exploit object; endpoint marked "HACKED"]

1. Exploit object rendered by vulnerable software

2. Exploit injects code into running program memory

3. Control transfers to exploit code

Exploit object can be in ANY web page

An exploit is NOT the same as the malware executable file!

Page 6:

Structure of a Multi-Flow APT Attack

[Diagram: Exploit Server; embedded exploit alters endpoint]

Page 7:

Structure of a Multi-Flow APT Attack

[Diagram: Exploit Server, Callback Server; embedded exploit alters endpoint; 1. Callback]

Page 8:

Structure of a Multi-Flow APT Attack

[Diagram: Exploit Server, Callback Server, Encrypted Malware; embedded exploit alters endpoint; 1. Callback; 2. Encrypted malware downloads]

Page 9:

Structure of a Multi-Flow APT Attack

[Diagram: Exploit Server, Callback Server, Encrypted Malware, Command and Control Server; embedded exploit alters endpoint; 1. Callback; 2. Encrypted malware downloads; 3. Callback and data exfiltration]

Page 10:

FireEye’s Technology: State of the Art Detection

[Diagram: DETONATE → ANALYZE → CORRELATE (500,000 objects/hour); analysis within VMs, across VMs, and cross-enterprise; inputs: Network, Email, Mobile, Files; detected stages: Exploit, Callback, Malware Download, Lateral Transfer, Exfiltration]

Page 11:

Who detected the attack first? (Detections by month)

[Chart: monthly detection counts for 07/13 through 12/13, y-axis 0–30000; series: "FireEye found first" vs. "Detected by vendor in VirusTotal"]

Page 12:

Industry: Government (Federal)

Top APT Business Impact

Backdoor.APT.Houdini (25%): Loss of sensitive information. Houdini is believed to be the developer’s name of a VBS-based RAT known to target the international energy industry and to take part in spammed email campaigns.

Top Crimeware Business Impact

Malware.Archive (68%): Malware discovered inside an archive file (ZIP, RAR)

Malware.Binary (52%): Loss of sensitive financial information, e.g. credit card, banking login

FireEye PoV Customers: 31; Compromised: 100%; Had APT: 39%

[Chart: Max and Average (Per Week) for Web Exploit, Malware Download, Unique Malware, Unique Callback, Impacted Hosts; extracted values: 0.39, 2.63, 11058.1, 11046.3, 303.06, 4939, 164.75, 13.95, 350.44, 352.55]

Page 13:

Industry: High-Tech

Top APT Business Impact

Backdoor.APT.Gh0stRAT (40%): Remote Access Tools (RATs) that lead to loss of intellectual property, trade secrets, and sensitive internal communication.

Backdoor.APT.DarkComet (40%)

Top Crimeware Business Impact

Malware.Binary (67%): Never-seen-before malware; signature-based protection is defenseless against it.

Exploit.Kit.Neutrino (67%): Infection with several types of malware that steal credentials or restrict access to the computer and demand ransom.

FireEye PoV Customers: 18; Compromised: 100%; Had APT: 28%

[Chart: Max and Average (Per Week) for Web Exploit, Malware Download, Unique Malware, Unique Callback, Impacted Hosts; extracted values: 1.46, 8.66, 41486.9, 43022.5, 86.92, 3011.14, 198.9, 12.9, 2708.9, 2629.8]

Page 14:

Industry: Financial

Top APT Business Impact

Backdoor.APT.Houdini (29%): Loss of sensitive information. Houdini is believed to be the developer’s name of a VBS-based RAT known to target the international energy industry and to take part in spammed email campaigns.

Top Crimeware Business Impact

Exploit.Browser (66%): An attempt to compromise the endpoint by exploiting a vulnerability in the web browser. If successful, the attacker can install and execute malicious software without the end user’s consent.

Exploit.Kit.Neutrino (54%): Infection with several types of malware that steal credentials or restrict access to the computer and demand ransom.

FireEye PoV Customers: 71; Compromised: 99%; Had APT: 10%

[Chart: Max and Average (Per Week) for Web Exploit, Malware Download, Unique Malware, Unique Callback, Impacted Hosts; extracted values: 0.78, 5.68, 1602.83, 1405.78, 174.1, 3183.1, 90.48, 6.26, 24.21, 34.85]

Page 15:

Industry: Services / Consulting / VAR

Top APT Business Impact

Backdoor.APT.XtremeRAT (50%): Being the victim of common RAT capabilities including key logging, screen capturing, video capturing, file transfers, system administration, password theft, and traffic relaying.

Top Crimeware Business Impact

Exploit.Browser (53%): An attempt to compromise the endpoint by exploiting a vulnerability in the web browser. If successful, the attacker can install and execute malicious software without the end user’s consent.

Malware.Archive (53%): Malware discovered inside an archive file (ZIP, RAR)

FireEye PoV Customers: 19; Compromised: 100%; Had APT: 11%

[Chart: Max and Average (Per Week) for Web Exploit, Malware Download, Unique Malware, Unique Callback, Impacted Hosts; extracted values: 1.75, 20.77, 83.06, 52.15, 151.15, 187.85, 18.05, 12.23, 5.57, 13.34]

Page 16:

FireEye Product Portfolio

[Diagram: FireEye products (MVX, Threat Analytics Platform, Dynamic Threat Intelligence, Network Threat Prevention, Email Threat Prevention, Mobile Threat Prevention, Content Threat Prevention, Endpoint Threat Prevention) positioned alongside existing controls (SEG, IPS, SWG, MDM, Host Anti-virus)]

Page 17:

Dane Hinić, [email protected]