© Copyright Fortinet Inc. All rights reserved.
Advanced Threat Protection with FortiSandbox
Hillel Kobrovski
Founder & CTO at Sec4Biz LTD
Cyber & Network Security Solutions Architect
Fortinet Senior Trainer since 2007
972-54-7700919
Sandbox: Why Is It Important?
“New Studies Reveal Companies are Attacked an Average of 17,000 Times a Year.”
“Companies like J.P. Morgan Plan to Double Spending on Cyber security…”
“Cybercrime Will Remain a Growth Industry for the Foreseeable Future.”
“The Reality of the Internet of Things is the Creation of More Vulnerabilities.”
“43% of firms in the United States have experienced a data breach in the past year.”
Companies should be concerned
FACT: Prevention techniques sometimes fail, so detection and response tools, processes, and teams must be added.
GOAL: Reduce time to find/detect incidents. Reduce time to investigate incidents. Reduce time to remediate incidents.
229 days: average time attackers were on a network before detection
67%: victims who were notified by an external entity
Malware? Goodware? I-don't-know-ware? The Continuum
(Figure: a scale from Known Good to Known Bad, with the security technology that handles each region)
Continuum, left to right: Known Good | Probably Good | Might be Good | Completely Unknown | Somewhat Suspicious | Very Suspicious | Known Bad
Security technologies on the Known Good side: whitelists; reputation (file, IP, app, email); digitally signed files
Security technologies on the Known Bad side: blacklists; signatures; heuristics; reputation (file, IP, app, email); generic signatures
The middle of the scale (unknown code) is where sandboxing applies
Enter Sandboxing
(Figure: the attack chain against the existing per-stage controls, with the sandbox spanning the whole chain)
Attack chain: Spam → Malicious Email → Malicious Link → Malicious Web Site → Exploit → Malware → Bot Commands & Stolen Data → Command & Control Center
Existing controls, one per stage: Anti-spam, Web Filtering, Intrusion Prevention, Antivirus, App Control / IP Reputation
Sandbox: shown alongside all stages, for the objects the per-stage controls cannot classify
FortiSandbox – 5 Steps to Better Performance
1. AV Prefilter: apply the top-rated anti-malware engine
2. Cloud File Query: check community intelligence and file reputation
3. Code Emulation: quickly simulate the intended activity (Fortinet patented CPRL); OS independent and hard to evade, with a high catch rate
4. Full Virtual Sandbox: examine real-time, full-lifecycle activity in the sandbox to get the threat to expose itself
5. Call Back Detection: identify the ultimate aim, call back and exfiltration
Result: mitigate with analytics and FortiGuard updates
3 Types of AV Signatures
Worm checksum
» A hash value (a number derived from the file's contents) that uniquely identifies a specific piece of malware.
» The detection name usually carries a "!tr" or "!worm" suffix.
Script and macro checksums
» Used to detect scripts and macros that do not change from one generation to the next.
CPRL (Compact Pattern Recognition Language)
» With CPRL, the analyst can match bytes at different locations of a file.
» Can be used to provide generic detection for a group of malware with certain commonalities.
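As an added worked example (not Fortinet's code, and not how CPRL itself is implemented), the Python below models the three signature types on this slide together with the allowlist and blocklist ends of the continuum: a whole-file hash catches only the exact captured sample, a normalised script hash survives re-commenting and re-indenting of a macro, and a byte pattern with bounded gaps catches a NOP-padded variant that the hash misses. Anything matching nothing falls through as "unknown", the population the sandbox exists for. Every sample, hash, regex and detection name (for example W32/Demo.Gen!tr) is constructed for the demo.

```python
"""Added example (not Fortinet's code): a toy model of the three signature
types on this slide, walked in the order of the detection continuum:

  1. checksum        exact hash of a known sample (blocklist) or of a
                     known-good file (allowlist)
  2. script/macro    hash of a script with comments and whitespace stripped
  3. CPRL-style      a byte pattern with gaps, matched at several locations,
                     so one signature covers a family of variants

Whatever matches nothing is "unknown" and is what the sandbox is for.
Every sample, hash and pattern below is constructed for the demo."""
import hashlib
import re


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- constructed sample "binaries" -----------------------------------------
HEADER = b"MZ\x90\x00"            # stand-in for a PE header
LOOP = b"\x31\xc0\x40\x75\xfb"    # xor eax,eax / inc eax / jnz: a decoder loop
C2 = b"c2.example.test\x00"       # embedded call-back host name

MALWARE_V1 = HEADER + LOOP + C2
# polymorphic variant: NOP padding shifts every later byte and changes the
# whole-file hash, but the functional bytes are untouched
MALWARE_V2 = HEADER + b"\x90" * 7 + LOOP + C2
GOOD_TOOL = HEADER + b"\x55\x89\xe5\xc3" + b"hello world\x00"
NEVER_SEEN = HEADER + b"\x33\xc9\x41\x75\xfb" + b"update.internal\x00"

ALLOWLIST = {sha256(GOOD_TOOL)}    # e.g. vendor-signed, known-good files
BLOCKLIST = {sha256(MALWARE_V1)}   # exact checksum of one captured sample

# CPRL-style generic signature: header, up to 32 filler bytes, the loop,
# then the C2 string anywhere later.  One rule covers V1, V2 and any
# future re-padded build.  The name mimics Fortinet's "!tr" suffix.
GENERIC = {
    "W32/Demo.Gen!tr": re.compile(
        rb"\AMZ.{2}\x90{0,32}" + re.escape(LOOP) + rb".*?" + re.escape(C2),
        re.DOTALL,
    ),
}


def classify(data: bytes):
    """Cheapest check first; fall through to 'unknown' for the sandbox."""
    h = sha256(data)
    if h in ALLOWLIST:
        return "known_good", "hash allowlist"
    if h in BLOCKLIST:
        return "known_bad", "hash blocklist"
    for name, rx in GENERIC.items():
        if rx.search(data):
            return "known_bad", name
    return "unknown", "no static match; submit to sandbox"


# --- script / macro checksum ------------------------------------------------
def script_checksum(script: str) -> str:
    """Hash a script after dropping VBA-style ' comments and all whitespace,
    so re-commenting or re-indenting a macro does not change the hash.
    (Naive on purpose: an apostrophe inside a string literal is cut too.)"""
    body = "".join(line.split("'", 1)[0] for line in script.splitlines())
    body = re.sub(r"\s+", "", body)
    return hashlib.sha256(body.encode()).hexdigest()


MACRO_A = 'Sub AutoOpen()\n  Shell "cmd /c whoami"\nEnd Sub\n'
MACRO_B = "Sub AutoOpen() ' rebuilt\n    Shell \"cmd /c whoami\"   ' same\nEnd Sub\n"
MACRO_BLOCKLIST = {script_checksum(MACRO_A)}


def classify_script(script: str):
    if script_checksum(script) in MACRO_BLOCKLIST:
        return "known_bad", "script checksum"
    return "unknown", "no static match; submit to sandbox"


if __name__ == "__main__":
    for label, sample in [("good tool", GOOD_TOOL), ("malware v1", MALWARE_V1),
                          ("malware v2", MALWARE_V2), ("never seen", NEVER_SEEN)]:
        print(f"{label:11s} {classify(sample)}")
    print("macro B    ", classify_script(MACRO_B))
```

The order of checks in classify is the point: an exact hash is cheapest and fires only on the one sample it was built from, the generic pattern costs a regex scan but absorbs the padded variant, and only NEVER_SEEN is left for the expensive emulation and sandbox stages.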
CPRL Before Sandboxing
Compact Pattern Recognition Language (CPRL)
Fortinet-unique (patented) way to identify an attack or evasion.
Emulates the code to understand what it is attempting to do.
Explores the different code paths for attack vectors.
Not as CPU-intensive as spinning up a virtual OS, so it is used as a first pass.
Typically catches 60% or more of malware.
If malware is found, no further inspection is needed.
Uncovered attacks or evasion techniques are reported back to FortiGuard to further enhance the ecosystem.
CPRL – Manual Steps
Static Analysis
• Make sense of machine code
• Utilize reverse engineering tools
Replication
• Compare variations
• Spot patterns in functionality and behavior
• Not just one sequence of bytes
Detection
• Create CPRL code to match those patterns
• Test against known variations, and against new variations
CPRL Strength – Doing More with Less!
Introduction to Polymorphism
• Malware that constantly changes or "morphs", making it difficult to detect with anti-malware programs
• The appearance of the code varies with each "mutation", but the essential function usually remains the same
(Figure: the same file under different encryption, giving different bytes on disk with the same behaviour)
Polymorphic Techniques - Examples
Padding with NOPs
Packed with no Pattern
Non-Polymorphic
Introduction to Packers
• Wrappers used to compress or encrypt software files
• Can be used for legitimate purposes
• Often used by malware to disguise its contents to circumvent detection and analysis
(Figure: packers arranged by level of difficulty)
Simple encodings: ROT, Base64, XOR
Named packers: UPX, ASPACK, FSG, Themida
Native or known unpacking capabilities, handled by the generic unpacker: PETITE, FSG, UPACK, MEW, PECompact, ASProtect, PecBundle, PEncrypt, ACProtect, ZIP
No native unpacking capabilities (custom packers): handed to the real-time sandbox
Packer Anatomy – Computer Code – Version 2
(Figure: three views of the same program; the bit strings in the original are illustrative)
Normal file: Headers, Code, Data
Pack → Packed/Encrypted file: Headers, a decryption routine (unpacking engine) in the code section, and the packed program stored as encrypted data
Run → Unpacked in memory: the encrypted code stored in the data section is decrypted and moved into code at run time, in memory
CPRL emulates this run step to see the decrypted code
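As an added worked example (not Fortinet's code), the Python below builds the three views of the "Packer Anatomy" figure with a toy XOR packer: the program is stored as encrypted data behind a small unpacking stub, a static byte signature that fires on the plain program finds nothing in the packed file, and the signature fires again only after the stub's work is replayed, which is what code emulation or the sandbox does before rescanning. The stub format (the XORP marker and its header), the key, the payload bytes and the signature string are all constructed for the demo; the truncated-blob case shows what an engine should do when it recognises a stub but cannot finish unpacking.

```python
"""Added example (not Fortinet's code): a toy packer that does what the
"Packer Anatomy" figure shows.  The program is stored as XOR-encrypted data
behind a small unpacking stub; at run time the stub decrypts it back into
memory.  A static byte signature that fires on the plain program finds
nothing in the packed file and only fires again once the stub's work has
been replayed, which is what code emulation (or the sandbox) does.
The stub format, key and payload bytes are all constructed for the demo."""
import struct

STUB_MAGIC = b"XORP"                  # constructed marker for the unpack stub
PAYLOAD_SIG = b"c2.example.test\x00"  # CPRL-style pattern for the payload

MALICIOUS = "malicious: payload signature"
PACKED = "suspicious: known packer stub, payload not visible"
CLEAN = "no static match"


def xor(data: bytes, key: bytes) -> bytes:
    # a 0x00 key byte would leave that position in clear; keys are non-zero
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack(program: bytes, key: bytes) -> bytes:
    """Packed layout: magic | key_len (u8) | key | blob_len (u32 LE) | xor(program).
    The 'unpacking engine' is implied by the magic; the real code is just data."""
    if not key or len(key) > 255 or 0 in key:
        raise ValueError("key must be 1..255 non-zero bytes")
    return (STUB_MAGIC + bytes([len(key)]) + key
            + struct.pack("<I", len(program)) + xor(program, key))


def emulate_unpack(packed: bytes) -> bytes:
    """Replay the stub: parse its header and XOR the blob back into 'memory'."""
    if not packed.startswith(STUB_MAGIC):
        raise ValueError("not our stub")
    klen = packed[len(STUB_MAGIC)]
    pos = len(STUB_MAGIC) + 1
    key = packed[pos:pos + klen]
    pos += klen
    (blen,) = struct.unpack_from("<I", packed, pos)
    pos += 4
    blob = packed[pos:pos + blen]
    if len(blob) != blen:
        raise ValueError("truncated blob")   # malformed or evasive sample
    return xor(blob, key)


def static_scan(data: bytes) -> str:
    """What a plain signature engine sees: the bytes on disk only."""
    if PAYLOAD_SIG in data:
        return MALICIOUS
    if data.startswith(STUB_MAGIC):
        return PACKED
    return CLEAN


def scan_with_emulation(data: bytes) -> str:
    """Prefilter, then unpack a known stub and rescan the decrypted image."""
    verdict = static_scan(data)
    if verdict == PACKED:
        try:
            verdict = static_scan(emulate_unpack(data))
        except ValueError:
            return "unknown: stub recognised but unpack failed; send to sandbox"
    return verdict


PROGRAM = b"MZ\x90\x00\x31\xc0\x40\x75\xfb" + PAYLOAD_SIG   # constructed sample
KEY = b"\x5a\xa5\x3c"

if __name__ == "__main__":
    packed = pack(PROGRAM, KEY)
    print("plain   :", static_scan(PROGRAM))
    print("packed  :", static_scan(packed))
    print("emulated:", scan_with_emulation(packed))
```

Real packers differ from this only in degree: UPX-style stubs have a known layout and can be undone statically (the generic unpacker on the previous slide), while a custom stub has no parser, so the only way to see the decrypted image is to run the stub, which is the hand-off to code emulation and the full sandbox.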
Top Rated Anti-Malware
Independent third-party tested and validated!
VB100 Reactive: AV with all updates
VB100 Proactive: AV without updates
Fortinet anti-malware results
» 96% reactive
» 86% proactive
Top Rated Sandbox
Independent third-party tested and validated!
Top-rated breach detection (NSS Labs Recommended)
Preloaded with Microsoft Windows XP and 7, 32- and 64-bit, plus IE and Office
Genuine Microsoft licenses for Windows, IE and Office
FortiSandbox Platform Options
Model               | Form factor                                | VMs
FortiSandbox Cloud  | Cloud service integrated with FortiGate    | NA
FortiSandbox VM     | Virtual appliance                          | 2+
FortiSandbox 1000D  | Physical appliance                         | 8
FortiSandbox 3000D  | Physical appliance                         | 28
FortiSandbox Details
(Figure: Network Traffic → Objects for Inspection → FortiSandbox → Updated Protection)
1. Protocol support
• FortiGate integrated: HTTP, SMTP, POP3, IMAP, MAPI, FTP, SMB, IM and SSL-encrypted equivalents
• Stand-alone: HTTP, FTP, POP3, IMAP, SMTP, SMB
• FortiMail integrated: SMTP
2. File type support
• AV prefilter: all
• Full sandbox: as follows
  • Archived: .tar, .gz, .tar.g, .tgz, .zip, .bz2, .tar.bz2, .bz, .tar.Z, .cab, .rar, .arj
  • Executable: .exe, .dll, PDF, Windows Office, JavaScript
  • Media: .avi, .mpeg, .mp3, .mp4
3. Operating environment
• Code emulation: OS-independent
• Sandbox: Windows XP, 7, IE, Office
FortiSandbox 2.0 – Detecting More Attacks
Now includes full sandboxing with licenses for Windows, MS Office, IE
Now follows URLs to scan objects
Now inspects network file share locations
Now exports to 3rd-party scan tools
Integrated with FortiGate
» Provides SSL inspection
» Fewer sandboxes needed: one sandbox supports multiple FortiGates (ingress/egress points)
» FortiSandbox Cloud service integrated with FortiGate offers a quarantine feature
(Figure: network traffic → FortiGate → FortiSandbox; FortiMail → FortiSandbox)
New in FortiSandbox 2.1 – Detecting Even More Attacks
HA clustering
VM build customization (Win8.1/Win2008/Win2010)
SHA1 support, and hash whitelisting
RADIUS authentication
Enhanced search capabilities
Remove all files after scan (HIPAA)
License expiration information
Integrated with FortiGate (5.4): active hash block list
Integrated with FortiMail: active block list including URI scanning
Integration with FortiClient (5.4)
Stop Malicious Emails: FortiSandbox, FortiGate, FortiMail
(Figure: Internet → FortiGate → FortiMail → mail servers, with FortiSandbox inspecting objects from both and feeding results back)
Full NGFW inspection is performed on the FortiGate; at-risk objects are sent to FortiSandbox.
Reputation, behavior and other analysis is performed by FortiMail; at-risk messages are held for additional FortiSandbox analysis.
Clean emails are delivered to the mail servers. Outgoing email is also inspected.
FortiSandbox prefilters, executes and analyzes, and feeds back to FortiMail and FortiGuard.
FortiMail for Email Inspection
» Blocks known threats
» Holds high-risk messages for a sandbox rating
» Simplified deployment: one sandbox supports multiple FortiMail units
FortiSandbox for Payload Analysis
» Detects unknown threats
» Provides threat intelligence for mitigation
» Ultimately results in updated FortiGuard Security Services
Flexible Appliance Deployment Modes
• Offers the most suitable implementation depending on requirements and infrastructure
• Protects the investment by allowing the deployment mode to change as requirements change
• Full automatic mitigation and blocking with the addition of FortiMail (with FortiSandbox appliances) and FortiGate (with FortiSandbox Cloud)
Standalone Mode – ideal for scalable requirements (Data Center)
Integrated Mode – ideal for a centralized gateway with inline protection (Headquarters / Enterprise Core)
Distributed Mode – ideal for protection in a distributed environment (Branch Offices / Distributed Enterprise)
Stand-Alone vs. Integrated
Stand-Alone
  Pros: specialized coverage; more robust feature set; vendor independent
  Cons: more boxes to buy and manage; separate monitoring system
Integrated
  Pros: fewer boxes; extends current security; existing/known vendor
  Cons: may offer a reduced feature set; fewer vendor options
Clustering and Load Balancing
(Figure: one Master, one Primary Slave, and several Regular Slaves)
Master and Primary Slave must be the same appliance model (any model can be used)
Regular Slaves can be any appliance
Up to 100 nodes in a cluster
Demo Configuration Screen Shots
FGT: FortiSandbox configuration
FGT: AV Profile FortiSandbox enable
FML: FortiSandbox configuration
FML: AV Profile FortiSandbox enable
FGT: FortiSandbox configuration (screenshot)
FGT: AV Profile FortiSandbox enable (screenshot)
FML: FortiSandbox configuration (screenshot)
FML: AV Profile FortiSandbox enable (screenshot)
Demo Screen Shots
Email message sent with clean file attached
FML: Message paused, Attachment sent to FSA
FSA: Attachment sandboxed
FML: FSA clean verdict
FML: FSA clean verdict, message delivered
FML: FSA malicious verdict
FML: Virus message quarantined
Email message sent with clean file attached
The message may be sent from any external user to a FortiSandbox-protected email domain.
FML: Message paused, attachment sent to FSA
The message is held on the FortiMail while the FortiSandbox processes the attachment.
FSA: Attachment sandboxed
If the file is clean, it is released.
FML: FSA clean verdict, message delivered
Messages with clean attachments are delivered.
FSA: Virus attachment sandboxed
If the file is malicious, it is quarantined.
FML: Virus message quarantined
The message is quarantined on the FortiMail.
FortiClient ATP Integration
FortiClient and FortiSandbox integration
File submission, with the option to hold the file until the result is received
Receives the dynamic threat DB
FortiGate v5.4 ATP/Sandbox Integration
FortiGate and FortiSandbox integration
Applicable to FortiSandbox appliance and VM
DON’T GO UNPROTECTED