Solutions for Demanding Business
FireEye – Advanced Threat Protection
Dane Hinić
Senior [email protected]
Traditional Security Solutions
- IPS: Attack-signature based detection, shallow application analysis, high false positives, no visibility into the advanced attack lifecycle
- Secure Web Gateways: Some analysis of script-based malware, AV, IP/URL filtering; ineffective vs. advanced targeted attacks
- Desktop AV: Signature-based detection (some behavioral); ineffective vs. advanced targeted attacks
- Anti-Spam Gateways: Relies largely on antivirus, signature-based detection (some behavioral); no true spear phishing protection
- Firewalls/NGFW: Block IP/port connections, application-level control, no visibility
Despite all this technology, 95% of organizations are compromised.
Multi-Staged Cyber Attack
Exploit Detection is Critical: All Subsequent Stages can be Hidden or Obfuscated
Diagram: Exploit Server, Callback Server, File Share 1, File Share 2, IPS and Firewall, annotated with the numbered stages below
1. Exploitation of System
2. Malware Executable Download
3. Callbacks and Control Established
4. Lateral Spread
5. Data Exfiltration
What Is An Exploit?
Compromised webpage with exploit object
1. Exploit object rendered by vulnerable software
2. Exploit injects code into running program memory
3. Control transfers to exploit code
Exploit object can be in ANY web page
An exploit is NOT the same as the malware executable file!
Structure of a Multi-Flow APT Attack
Diagram: Exploit Server, Callback Server, Encrypted Malware, Command and Control Server
Embedded Exploit Alters Endpoint
1. Callback
2. Encrypted malware downloads
3. Callback and data exfiltration
FireEye’s Technology: State of the Art Detection
Diagram: DETONATE, ANALYZE and CORRELATE (500,000 objects/hour)
- Scope labels: Within VMs, Across VMs, Cross-enterprise
- Input labels: Network, Mobile, Files
- Stage labels: Exploit, Callback, Malware Download, Lateral Transfer, Exfiltration
Who detected the attack first? (Detections by month)
Chart: detections per month from 07/13 to 12/13, comparing "FireEye found first" with "Detected by vendor in VirusTotal"
Industry: Government (Federal)
Top APT Business Impact
- Backdoor.APT.Houdini (25%): Loss of sensitive information. Houdini is believed to be the name of the developer of a VBS-based RAT known to target the international energy industry and to take part in spammed email campaigns.
Top Crimeware Business Impact
- Malware.Archive (68%): Malware discovered inside an archive file (ZIP, RAR).
- Malware.Binary (52%): Loss of sensitive financial information, e.g. credit card and banking login details.
FireEye PoV Customers: 31; Compromised: 100%; Had APT: 39%
Chart: Max and Average (per week) of Web Exploit, Malware Download, Unique Malware, Unique Callback and Impacted Hosts
Industry: High-Tech
Top APT Business Impact
- Backdoor.APT.Gh0stRAT (40%): Remote Access Tools (RATs) that lead to loss of intellectual property, trade secrets, and sensitive internal communication.
- Backdoor.APT.DarkComet (40%)
Top Crimeware Business Impact
- Malware.Binary (67%): Never-seen-before malware; signature-based protection is defenseless.
- Exploit.Kit.Neutrino (67%): Infection with several types of malware that steal credentials or restrict access to the computer and demand a ransom.
FireEye PoV Customers: 18; Compromised: 100%; Had APT: 28%
Chart: Max and Average (per week) of Web Exploit, Malware Download, Unique Malware, Unique Callback and Impacted Hosts
Industry: Financial
Top APT Business Impact
- Backdoor.APT.Houdini (29%): Loss of sensitive information. Houdini is believed to be the name of the developer of a VBS-based RAT known to target the international energy industry and to take part in spammed email campaigns.
Top Crimeware Business Impact
- Exploit.Browser (66%): An attempt to compromise the endpoint by exploiting a vulnerability in the web browser. If successful, the attacker can install and execute malicious software without the end user's consent.
- Exploit.Kit.Neutrino (54%): Infection with several types of malware that steal credentials or restrict access to the computer and demand a ransom.
FireEye PoV Customers: 71; Compromised: 99%; Had APT: 10%
Chart: Max and Average (per week) of Web Exploit, Malware Download, Unique Malware, Unique Callback and Impacted Hosts
Industry: Services / Consulting / VAR
Top APT Business Impact
- Backdoor.APT.XtremeRAT (50%): Exposure to common RAT capabilities, including key logging, screen capturing, video capturing, file transfers, system administration, password theft, and traffic relaying.
Top Crimeware Business Impact
- Exploit.Browser (53%): An attempt to compromise the endpoint by exploiting a vulnerability in the web browser. If successful, the attacker can install and execute malicious software without the end user's consent.
- Malware.Archive (53%): Malware discovered inside an archive file (ZIP, RAR).
FireEye PoV Customers: 19; Compromised: 100%; Had APT: 11%
Chart: Max and Average (per week) of Web Exploit, Malware Download, Unique Malware, Unique Callback and Impacted Hosts
FireEye Product Portfolio
Diagram: FireEye components (MVX, Threat Analytics Platform, Dynamic Threat Intelligence, Network Threat Prevention, Content Threat Prevention, Mobile Threat Prevention, Endpoint Threat Prevention, Email Threat Prevention) shown alongside SEG, IPS, SWG, MDM and host anti-virus
Dane Hinić, [email protected]