FireEye Security-Update 28. August 2014

IT IS TIME TO REIMAGINE SECURITY
Thomas Cueni, Senior Systems Engineer
The High Cost of Being Unprepared
[Timeline figure: Initial Breach → Threat Undetected → Remediation, with axis ticks at 3, 6 and 9 months]
• 229 Days (threat undetected between initial breach and remediation)
• of Companies Learned They Were Breached from an External Entity
• of Victims Had Up-To-Date Anti-Virus Signatures
Source: M-Trends Report
Advanced Threat Analysis 2013
A Typical Story
• Proof of concept at a large Swiss customer
• >30,000 users, 60 days
• FireEye deployed alongside the existing "best of breed" defenses: Firewalls/NGFW, IPS, Secure Web Gateways, Anti-Spam Gateways
Proof of Concept Results
• Houdini / H-worm APT activity detected
– Remote access tool, giving total control over compromised machines
– Callbacks from multiple hosts
• >130 hosts associated with malicious behaviour
• 33 binary email attachments undetected
– 6 not detected by any AV vendor
– 2/3 detected by less than half of AV vendors
• 25 different malicious families
– Backdoors, infostealers, trojans, drive-by downloads, malware archives, etc.
Houdini
• Full access to compromised machine:
– Files, processes, passwords, command shell
– Lateral spread possible via Windows mechanisms
Real-Time Detection
Current State of Cyber Security
NEW THREAT LANDSCAPE:
• Coordinated persistent threat actors
• Dynamic, polymorphic malware
• Multi-vector attacks
• Multi-staged attacks
What Is An Exploit?
A compromised web page carries an exploit object; the exploit object can be in ANY web page.
1. Exploit object rendered by vulnerable software
2. Exploit injects code into running program memory
3. Control transfers to exploit code
An exploit is NOT the same as the malware executable file!
Structure of a Multi-Flow APT Attack
1. Exploit Server: an embedded exploit alters the endpoint
2. Callback Server: the compromised endpoint calls back
3. Encrypted malware server: encrypted malware downloads
4. Command and Control Server: callback and data exfiltration
Each stage is a separate network flow, so the attack as a whole is only visible when the flows are correlated rather than inspected one object at a time.
Multi-Vector Structure of an APT Attack
Weaponized email with zero-day exploit (e.g. RSA: "2011 Recruitment Plan.xls")
1. Email with weaponized document, opened by user, causing exploit
2. Client endpoint calls back to infection (callback) server
3. Backdoor DLL dropped
4. Encrypted callback over HTTP to command and control (C&C) server
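The four-stage sequence above (and the same stages on the multi-flow slides) is what a multi-flow correlator has to reassemble from events that each look unremarkable on their own. The following Python script is an added illustration, not FireEye code: it parses a constructed sensor log (made-up host names, documentation-range IP addresses, invented file names and URLs), groups events per endpoint, matches them in time order against the four stages within a configurable window, and grades each host by how much of the chain is present. The log format, stage names and verdict labels are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# The four stages of the multi-flow attack, in the order the slides show them.
STAGES = ["exploit", "callback", "malware_download", "c2_exfiltration"]

# Constructed sensor log (not real data): host names, documentation-range IPs
# (TEST-NET-1/2/3), file names and URLs are all made up for this example.
SAMPLE_LOG = """\
2014-08-28T09:01:05 host=ws-042 stage=exploit peer=203.0.113.10 detail=weaponized.xls rendered by spreadsheet application
2014-08-28T09:01:09 host=ws-042 stage=callback peer=198.51.100.7 detail=HTTP GET /c/?id=ws-042
2014-08-28T09:01:40 host=ws-042 stage=malware_download peer=198.51.100.7 detail=encrypted blob 214 KB
2014-08-28T09:03:12 host=ws-042 stage=c2_exfiltration peer=192.0.2.55 detail=encrypted HTTP POST 1.8 MB
2014-08-28T10:15:00 host=ws-017 stage=callback peer=198.51.100.7 detail=HTTP GET /c/?id=ws-017
2014-08-28T11:00:00 host=ws-099 stage=malware_download peer=203.0.113.44 detail=blob 90 KB
2014-08-28T14:20:30 host=ws-058 stage=exploit peer=203.0.113.10 detail=weaponized.xls rendered by spreadsheet application
2014-08-28T14:20:36 host=ws-058 stage=callback peer=198.51.100.7 detail=HTTP GET /c/?id=ws-058
2014-08-29T11:30:00 host=ws-099 stage=exploit peer=203.0.113.44 detail=drive-by landing page
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"^(\S+) host=(\S+) stage=(\S+) peer=(\S+) detail=(.*)$")


@dataclass
class FlowEvent:
    ts: datetime
    host: str
    stage: str
    peer: str
    detail: str


def parse_log(text: str) -> List[FlowEvent]:
    """Parse the constructed log format; malformed or unknown-stage lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(3) not in STAGES:
            continue
        ts, host, stage, peer, detail = m.groups()
        events.append(FlowEvent(datetime.fromisoformat(ts), host, stage, peer, detail))
    return events


def best_chain(events: List[FlowEvent], window: timedelta) -> List[FlowEvent]:
    """Greedily match one host's events, in time order, against STAGES.

    An event extends the current chain only if its stage comes after the last
    matched stage (out-of-order or repeated stages do not count) and it falls
    within `window` of the chain's first event; older chains are closed and
    the longest chain seen is returned.
    """
    best: List[FlowEvent] = []
    chain: List[FlowEvent] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if chain and ev.ts - chain[0].ts > window:
            if len(chain) > len(best):
                best = chain
            chain = []
        last = STAGES.index(chain[-1].stage) if chain else -1
        if STAGES.index(ev.stage) > last:
            chain.append(ev)
    return chain if len(chain) >= len(best) else best


def verdict(chain: List[FlowEvent]) -> str:
    """Grade a host by how much of the kill chain was observed."""
    if len(chain) == len(STAGES):
        return "confirmed"      # every stage seen, in order
    if len(chain) >= 2:
        return "suspicious"     # partial chain: worth an endpoint check
    if len(chain) == 1:
        return "isolated"       # a single flow, all a per-object scanner would see
    return "none"


def reconstruct_chains(events: List[FlowEvent],
                       window: timedelta = timedelta(hours=24)) -> Dict[str, dict]:
    """Group events per endpoint and reconstruct the most complete chain for each."""
    by_host: Dict[str, List[FlowEvent]] = {}
    for ev in events:
        by_host.setdefault(ev.host, []).append(ev)
    report = {}
    for host, evs in sorted(by_host.items()):
        chain = best_chain(evs, window)
        report[host] = {
            "verdict": verdict(chain),
            "stages": [e.stage for e in chain],
            "peers": sorted({e.peer for e in chain}),
            "first_seen": chain[0].ts.isoformat() if chain else None,
        }
    return report


if __name__ == "__main__":
    for host, r in reconstruct_chains(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: {r['verdict']:<10} {' -> '.join(r['stages'])}")
```

Run as a script it prints one line per host: ws-042 comes out as a confirmed four-stage chain, ws-058 as a suspicious exploit-plus-callback pair, and ws-017 and ws-099 as isolated single flows (ws-099's download precedes its exploit by a day, so the two are not joined). The window and the greedy matching are deliberately simple; a production correlator would also weight the peers shared across hosts, as ws-042, ws-017 and ws-058 all reach the same callback address.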
Traditional "Defense in Depth" is failing
The new breed of attacks evades signature-based defenses: Firewalls/NGFW, IPS, Secure Web Gateways, Anti-Spam Gateways, Desktop AV
Purpose-Built for Security
• Hardened Hypervisor
• Multi-flow
• Multi-vector
• Scalable
• Extensible
• Security
FireEye's Technology: State of the Art Detection
ANALYZE · DETONATE · CORRELATE (1M+ objects/hour)
• Analyze: Network, Email, Mobile, Files
• Detonate: Exploit, Malware Download, Callback, Lateral Transfer, Exfiltration
• Correlate: Within VMs, Across VMs, Cross-enterprise
FireEye Technology: Inside the MVX
1. FireEye Hardened Hypervisor: custom hypervisor with built-in countermeasures, designed for threat analysis, running directly on the hardware
2. Cross-Matrix Virtual Execution: massive cross matrix of virtual executions across multiple operating systems, service packs, applications and application versions
3. Threat Protection at Scale: >2000 simultaneous executions (>2000 execution environments, e.g. application versions v1, v2, v3), multi-flow analysis, managed by a control plane
[Diagram layers, bottom to top: Hardware → FireEye Hardened Hypervisor → Cross-Matrix Virtual Execution with Control Plane]
FireEye Technology: Scaling the MVX
[Chart: real-world line rate through the MVX in objects/hour, axis 0 to 400,000, Phase 1 and Phase 2]
Pipeline: Line Rate → Intelligent Capture (reduce false negatives) → MVX Core / Detonation (reduce false positives), 1M+ objects/hour
• HTML and JavaScript form 95% of objects to be scanned on the wire
• Multi-flow virtual analysis
• APT web attacks are nearly invisible needles in a haystack of network traffic
FireEye Product Portfolio: Powered by MVX
• MVX-powered products: NX (network), EX (Email Threat Prevention), FX (files), HX (host), MTP (Mobile Threat Prevention)
• Surrounding components: Threat Analytics Platform, Dynamic Threat Intelligence
• Traditional controls shown alongside: IPS, SWG, SEG, host anti-virus, MDM

Validation & Containment
Example: Council on Foreign Relations Attack
[Diagram: lateral spread infecting more machines]
About CFR:
• Independent, nonpartisan organization, think tank, and publisher
• Influential among US policy makers
• Members include preeminent personalities and corporations
FireEye HX Platform: Workflow
1. FireEye network platforms (MVX) monitor flows for events
2. FireEye network platforms alert FireEye HX on an event, together with an OS change report
3. FireEye HX validates endpoints for compromise: reach endpoints anywhere (home office, airplane, hotel, coffee shop, corporate headquarters), understand what happened to define next steps, detect events in the past. Agent Anywhere™ automatically investigates endpoints no matter where they are.
4. Contain & Isolate: deny attackers access to compromised devices with a single mouse click while still allowing remote investigation
Forensics
„Kill chain reconstruction to determine the scope and impact of a breach.“
• What happened? Lateral movement?
• Who and how many affected?
• What data was stolen? What is the damage?
nPulse Enterprise Forensics Features
• Continuous, lossless packet capture at up to 20 Gbps and 1 Petabyte of storage
• Ultrafast search and retrieval of connections and packets
• RESTful web API and drill-down web GUI for search, inspection, and retrieval of packets, connections, and sessions
• Session decoder for web, email, FTP, DNS, chat, SSL, and file extraction
• Industry-standard storage and export in PCAP, NetFlow v9 and IPFIX formats
Layer 1-4 Analysis
• Packets: Wireshark-based analysis
• Connections: Connection Flow View, IP, Port, Protocol
Layer 7 Analysis
• Sessions: Mail, web, DNS, chat, file extraction
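The connection view of the Layer 1-4 slide (IP, port, protocol per connection) and the session view of the Layer 7 slide can both be illustrated on a handful of packets. The Python below is an added example, not nPulse or FireEye code, and runs on constructed packet summaries (documentation-range addresses, invented payloads): it aggregates packets into bidirectional connections keyed by a direction-independent 5-tuple, records the initiator as the client, and then runs a minimal HTTP/1.x session decoder over the reassembled client and server payloads. The packet tuple layout is an assumption for this example, and the decoder covers only HTTP; mail, DNS, chat and file extraction are out of scope here.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed packet summaries: (time_s, src, sport, dst, dport, proto, frame_bytes, payload).
# Addresses come from the IPv4 documentation ranges; payloads are invented for this example.
HTTP_REQUEST = (b"GET /c/?id=ws-042 HTTP/1.1\r\nHost: update.example\r\n"
                b"User-Agent: Mozilla/4.0\r\n\r\n")
HTTP_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
PACKETS = [
    (1.000, "192.0.2.10", 51234, "198.51.100.7", 80, "tcp", 74, b""),      # SYN
    (1.020, "198.51.100.7", 80, "192.0.2.10", 51234, "tcp", 74, b""),      # SYN/ACK
    (1.021, "192.0.2.10", 51234, "198.51.100.7", 80, "tcp", 66, b""),      # ACK
    (1.030, "192.0.2.10", 51234, "198.51.100.7", 80, "tcp", 190, HTTP_REQUEST),
    (1.080, "198.51.100.7", 80, "192.0.2.10", 51234, "tcp", 1514, HTTP_RESPONSE + b"\x8a" * 1400),
    (1.081, "198.51.100.7", 80, "192.0.2.10", 51234, "tcp", 1514, b"\x8a" * 1460),
    (2.500, "192.0.2.10", 40001, "192.0.2.53", 53, "udp", 73, b"<dns query bytes>"),
    (2.510, "192.0.2.53", 53, "192.0.2.10", 40001, "udp", 89, b"<dns response bytes>"),
]


@dataclass
class Connection:
    proto: str
    client: Tuple[str, int]   # initiator: the side that sent the first packet seen
    server: Tuple[str, int]
    first_ts: float
    last_ts: float
    pkts_out: int = 0         # client -> server
    pkts_in: int = 0          # server -> client
    bytes_out: int = 0
    bytes_in: int = 0
    client_payload: bytes = b""
    server_payload: bytes = b""


def conn_key(src: str, sport: int, dst: str, dport: int, proto: str) -> tuple:
    """Direction-independent 5-tuple so both halves of a conversation share one key."""
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)


def build_connections(packets) -> Dict[tuple, Connection]:
    """Layer 1-4 view: aggregate packets into bidirectional connections."""
    conns: Dict[tuple, Connection] = {}
    for ts, src, sport, dst, dport, proto, length, payload in sorted(packets, key=lambda p: p[0]):
        key = conn_key(src, sport, dst, dport, proto)
        c = conns.get(key)
        if c is None:
            c = Connection(proto, (src, sport), (dst, dport), ts, ts)
            conns[key] = c
        c.last_ts = max(c.last_ts, ts)
        if (src, sport) == c.client:
            c.pkts_out += 1
            c.bytes_out += length
            c.client_payload += payload
        else:
            c.pkts_in += 1
            c.bytes_in += length
            c.server_payload += payload
    return conns


def flow_view(conns: Dict[tuple, Connection]) -> List[str]:
    """One line per connection: protocol, endpoints, packets and bytes per direction, duration."""
    return [f"{c.proto} {c.client[0]}:{c.client[1]} -> {c.server[0]}:{c.server[1]} "
            f"pkts {c.pkts_out}/{c.pkts_in} bytes {c.bytes_out}/{c.bytes_in} "
            f"dur {c.last_ts - c.first_ts:.3f}s" for c in conns.values()]


def _headers(block: bytes) -> Dict[str, str]:
    """Header lines after the first line of an HTTP header block, keys lower-cased."""
    hdrs = {}
    for line in block.split(b"\r\n")[1:]:
        if b":" in line:
            k, v = line.split(b":", 1)
            hdrs[k.strip().lower().decode("ascii", "replace")] = v.strip().decode("ascii", "replace")
    return hdrs


def decode_http(conn: Connection) -> Optional[dict]:
    """Layer 7 view for HTTP/1.x only: request line and Host from the client side,
    status and Content-Type from the server side. Returns None for non-HTTP traffic."""
    req_block = conn.client_payload.split(b"\r\n\r\n", 1)[0]
    parts = req_block.split(b"\r\n")[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    session = {"method": parts[0].decode("ascii", "replace"),
               "path": parts[1].decode("ascii", "replace"),
               "host": _headers(req_block).get("host"),
               "status": None, "content_type": None}
    resp_block = conn.server_payload.split(b"\r\n\r\n", 1)[0]
    status_line = resp_block.split(b"\r\n")[0].split(b" ")
    if status_line[0].startswith(b"HTTP/") and len(status_line) > 1 and status_line[1].isdigit():
        session["status"] = int(status_line[1])
        session["content_type"] = _headers(resp_block).get("content-type")
    return session


if __name__ == "__main__":
    connections = build_connections(PACKETS)
    print("\n".join(flow_view(connections)))
    print([decode_http(c) for c in connections.values()])
```

The flow view is the per-connection summary an analyst pivots on (which client talked to which server, over which protocol, how much went each way); the HTTP decode is what lets the same connection be read as "GET to update.example answered with an octet-stream", the level at which a callback or an encrypted download stands out. Real captures need TCP reassembly with sequence numbers rather than simple payload concatenation.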
Why Trust FireEye?
• 11 of 13 zero days from 2013 discovered by FireEye
• First to detect malware over 80% of the time (compared to traditional AV engines)
Who Are We?
• Founded 2004, based in California
• 2000+ employees
• Global presence
• The leader in stopping advanced targeted attacks