Slide 1
FireEye Architecture & Technology
Full Spectrum Kill-chain Visibility
Joshua Senzer, CISSP
DataConnectors, June 2014
Security Re-Imagined.
Slide 2 (Agenda)
THREAT LANDSCAPE DEEP DIVE
A LOOK INSIDE THE FIREEYE TECHNOLOGY
THE FIREEYE PLATFORM
FIREEYE PLATFORM: A CASE STUDY
Slide 3
Current State of Cyber Security: the New Threat Landscape
– Multi-vector attacks
– Multi-staged attacks
– Coordinated, persistent threat actors
– Dynamic, polymorphic malware
Slide 4
The High Cost of Being Unprepared
(Timeline from initial breach, through the period the threat goes undetected, to remediation, marked at 3, 6 and 9 months.)
– 229 days: median number of days attackers are present on a victim network before detection.
– Percentage of companies that learned they were breached from an external entity (value not captured in the extracted text).
– Percentage of victims that had up-to-date anti-virus signatures (value not captured in the extracted text).
Source: M-Trends Report
Slide 5
The High Cost of Being Unprepared (continued)
Same timeline as the previous slide, with one figure added:
– 32 days: average time to resolve an attack.
Source: M-Trends Report, Ponemon
Slide 7
Multi-Staged Cyber Attack
Exploit detection is critical: all subsequent stages can be hidden or obfuscated.
(Diagram: exploit server and callback server on the Internet side of the firewall and IPS; File Share 1 and File Share 2 on the internal network.)
1. Exploitation of system
2. Malware executable download
3. Callbacks and control established
4. Lateral spread
5. Data exfiltration
Slide 8
What Is An Exploit?
A compromised web page carries an exploit object; the exploit object can be in ANY web page.
1. Exploit object rendered by vulnerable software
2. Exploit injects code into running program memory
3. Control transfers to exploit code
An exploit is NOT the same as the malware executable file!
Slide 9
Structure of a Multi-Flow APT Attack
(Diagram: exploit server, encrypted-malware server and command and control server, each reached by the endpoint in a separate flow.)
1. Embedded exploit alters the endpoint
2. Callback
3. Encrypted malware downloads
4. Callback and data exfiltration
Slide 11
Multi-Flow Structure of APT Attacks
(e.g. Operation Aurora, Operation Beebus, CFR…)
1. Exploit in a compromised web page injects code into the web browser (the embedded exploit alters the endpoint)
2. Exploit code calls back and downloads encrypted malware (encrypted by the attacker, not SSL: the transfer itself is plain HTTP)
3. Exploit code decrypts the malware
4. Target endpoint connects to the command and control server: callback and data exfiltration
Slide 12
Multi-Vector Structure of APT Attack
Weaponized Email with Zero-Day Exploit (e.g. RSA)
(Diagram: weaponized email “2011 Recruitment Plan.xls”, callback server, backdoor, C&C server.)
1. Email with weaponized document, opened by user, causing exploit
2. Client endpoint calls back to infection server
3. Backdoor DLL dropped
4. Encrypted callback over HTTP to command and control server
Slide 13
Traditional “Defense in Depth” is failing
Layers typically in place: firewalls/NGFW, secure web gateways, IPS, anti-spam gateways, desktop AV.
The new breed of attacks evades signature-based defenses.
Slide 14
Accelerating the Detection to Forensics Workflow
1. Real-time detection: signature-less, virtual machine-based approach to identify the attack lifecycle
2. Validation & containment: on- and off-premise endpoint validation and containment
3. Forensics, connecting the dots across time: kill chain reconstruction to determine the scope and impact of a threat
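The multi-flow chain of slide 11 and the kill-chain reconstruction of slide 14, as an added example that is not FireEye's code or the MVX logic: a Python script that correlates, per client host and in time order, an exploit page, an encrypted payload fetched over plain HTTP, and a periodic callback, and only reports a chain when all stages are present. The indicator strings, the entropy and jitter thresholds, and the hosts and URLs are assumptions; the flow records are constructed inline.

```python
import hashlib
import math
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Flow:
    ts: float          # seconds since capture start
    src: str           # client (potential victim) address
    dst: str           # server name or address
    url: str
    content_type: str  # Content-Type as declared by the server
    body: bytes        # response body (request body for callback flows)

# Cheap, signature-less markers of an exploit object in a page (illustrative only).
EXPLOIT_INDICATORS = (b"unescape(", b"%u9090", b"fromCharCode(", b'width="0" height="0"')

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text scores about 4-5, encrypted or compressed data close to 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_exploit_page(f: Flow) -> bool:
    """Stage 1: HTML or script carrying at least two independent exploit markers."""
    if not (f.content_type.startswith("text/html") or "javascript" in f.content_type):
        return False
    return sum(1 for marker in EXPLOIT_INDICATORS if marker in f.body) >= 2

def is_encrypted_download(f: Flow, min_len: int = 1024, threshold: float = 7.5) -> bool:
    """Stage 2: attacker-encrypted payload over plain HTTP (not SSL), so its entropy is measurable on the wire."""
    if not f.url.startswith("http://") or len(f.body) < min_len:
        return False
    if f.content_type.startswith(("image/", "video/", "audio/", "application/zip", "application/pdf")):
        return False  # dense by nature; would need a second signal before it counts
    return shannon_entropy(f.body) >= threshold

def beacon_start(series: List[Flow], max_jitter: float = 0.2, min_beacons: int = 3) -> Optional[float]:
    """Stages 3/4: first timestamp of a periodic series of small flows to one server, else None."""
    ts = sorted(f.ts for f in series)
    if len(ts) < min_beacons:
        return None
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(intervals)  # regularity = stdev/mean of the intervals; beacons jitter little
    return ts[0] if avg > 0 and pstdev(intervals) / avg <= max_jitter else None

def reconstruct(flows: List[Flow], window: float = 600.0) -> Dict[str, List[Tuple[str, float, str]]]:
    """Per client: exploit -> encrypted download -> callback, each within `window` seconds of the last."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    chains = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        exploit = next((f for f in fl if is_exploit_page(f)), None)
        if exploit is None:
            continue  # a beacon or payload with no exploit before it is not reported
        download = next((f for f in fl if exploit.ts < f.ts <= exploit.ts + window
                         and is_encrypted_download(f)), None)
        if download is None:
            continue
        chain = [("exploit", exploit.ts, exploit.dst), ("encrypted_download", download.ts, download.dst)]
        by_dst: Dict[str, List[Flow]] = defaultdict(list)  # small flows after the download, per server
        for f in fl:
            if f.ts > download.ts and len(f.body) < 512:
                by_dst[f.dst].append(f)
        for dst, series in by_dst.items():
            start = beacon_start(series)
            if start is not None and start <= download.ts + window:
                chain.append(("callback", start, dst))
                break
        chains[src] = chain
    return chains

def _dense_bytes(n: int) -> bytes:
    """Deterministic high-entropy stand-in for an encrypted payload (constructed, not real malware)."""
    return b"".join(hashlib.sha256(bytes([i])).digest() for i in range(n // 32 + 1))[:n]

def sample_flows() -> List[Flow]:
    """Constructed capture: the victim walks the whole chain; the bystander fetches an image and
    polls an update server just as periodically, but with no exploit or payload before it."""
    victim, bystander = "10.0.0.5", "10.0.0.9"
    exploit_html = (b"<html><body>news</body><script>var s=unescape('%u9090%u9090%u4141');"
                    b"var b=String.fromCharCode(0x41);</script></html>")
    flows = [
        Flow(0.0, victim, "news.example", "http://news.example/index.html", "text/html", exploit_html),
        Flow(3.0, victim, "cdn-updates.example", "http://cdn-updates.example/x.bin",
             "application/octet-stream", _dense_bytes(2048)),
        Flow(205.0, bystander, "img.example", "http://img.example/logo.png", "image/png", _dense_bytes(2048)),
    ]
    for k in range(4):
        flows.append(Flow(60.0 + 60 * k, victim, "203.0.113.7", "http://203.0.113.7/gate.php",
                          "application/x-www-form-urlencoded", b"id=1"))
        flows.append(Flow(300.0 + 60 * k, bystander, "updates.example", "http://updates.example/check",
                          "text/plain", b"ok"))
    return flows
```

`reconstruct(sample_flows())` returns one chain, for 10.0.0.5: exploit at 0 s from news.example, encrypted download at 3 s from cdn-updates.example, callback starting at 60 s to 203.0.113.7. The bystander's update polling is exactly as periodic but is never reported, because no exploit or payload preceded it; that is the false-positive reduction the multi-flow view buys. The entropy check only works because the payload travels over plain HTTP: inside SSL the same download would be invisible to this kind of wire-side analysis.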
Slide 15
Purpose-Built for Security
Hardened hypervisor: multi-flow, multi-vector, scalable, extensible.
Finds known and unknown cyber-attacks in real time across all attack vectors.
Slide 16
FireEye Technology: Scaling the MVX
(Chart: real-world line rate in objects per hour, axis 0 to 400,000.)
HTML and JavaScript form 95% of the objects to be scanned on the wire; APT web attacks are nearly invisible needles in a haystack of network traffic.
Phase 1 – Intelligent capture at line rate (1M+ objects/hour).
Phase 2 – MVX core (detonation): multi-flow virtual analysis.
Goal of the two-phase design: reduce false positives and reduce false negatives.
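The two-phase pipeline on this slide, as an added example (not FireEye's implementation): a Python prefilter that does the line-rate work of phase 1 with cheap static checks (magic bytes, Content-Type mismatch, PDF active content, script obfuscation markers, hidden iframes) and hands only the highest-scoring objects to the detonation stage under a fixed budget. The rules, weights, budget and the captured objects are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass(frozen=True)
class WireObject:
    url: str
    declared_type: str  # Content-Type as sent by the server
    body: bytes

# Leading-byte signatures for object types worth a closer look (standard magic values).
MAGIC = ((b"MZ", "pe"), (b"\x7fELF", "elf"), (b"%PDF", "pdf"), (b"\xd0\xcf\x11\xe0", "ole"), (b"PK\x03\x04", "zip"))
SCRIPT_MARKERS = (b"unescape(", b"fromCharCode(", b"eval(", b"%u", b"\\x")
HIDDEN_IFRAME = re.compile(rb'<iframe[^>]*(?:width|height)\s*=\s*"?0"?', re.I)

def sniff(o: WireObject) -> str:
    """Cheap type detection: leading bytes first, then the declared Content-Type."""
    for magic, kind in MAGIC:
        if o.body.startswith(magic):
            return kind
    if "javascript" in o.declared_type:
        return "js"
    return "html" if o.declared_type.startswith("text/html") else "other"

# (reason, weight, predicate over the object and its sniffed kind): all static, nothing is executed.
RULES: List[Tuple[str, int, Callable[[WireObject, str], bool]]] = [
    ("executable on the wire", 80, lambda o, k: k in ("pe", "elf")),
    ("binary body under a text Content-Type", 40,
     lambda o, k: k in ("pe", "elf", "pdf", "ole", "zip") and o.declared_type.startswith("text/")),
    ("PDF with active content", 60,
     lambda o, k: k == "pdf" and any(t in o.body for t in (b"/JavaScript", b"/OpenAction", b"/Launch"))),
    ("OLE/Office container", 30, lambda o, k: k == "ole"),
    ("obfuscated script", 50, lambda o, k: k in ("html", "js") and sum(m in o.body for m in SCRIPT_MARKERS) >= 2),
    ("hidden iframe", 30, lambda o, k: k == "html" and HIDDEN_IFRAME.search(o.body) is not None),
]

def triage(o: WireObject) -> Tuple[int, List[str]]:
    """Phase 1 score for one object: sum of the matching rule weights, plus the reasons."""
    kind = sniff(o)
    hits = [(w, reason) for reason, w, pred in RULES if pred(o, kind)]
    return sum(w for w, _ in hits), [reason for _, reason in hits]

def select_for_detonation(objs: List[WireObject], budget: int) -> Tuple[List[str], List[str], List[str]]:
    """Split one capture interval into (detonate now, queued, dropped) URLs; `budget` is the
    number of detonations the virtual-execution core can take in that interval."""
    scored = [(triage(o)[0], o.url) for o in objs]
    ranked = sorted([t for t in scored if t[0] > 0], key=lambda t: -t[0])  # stable: ties keep wire order
    return ([u for _, u in ranked[:budget]], [u for _, u in ranked[budget:]],
            [u for s, u in scored if s == 0])

def sample_objects() -> List[WireObject]:
    """Constructed capture: mostly ordinary HTML/JS/CSS/image traffic plus three objects an attacker
    would put on the wire (exploit-kit landing page, disguised PE, PDF with JavaScript)."""
    benign_html = b"<html><head><title>Home</title></head><body><p>Welcome</p></body></html>"
    return [
        WireObject("http://site.example/", "text/html", benign_html),
        WireObject("http://site.example/app.js", "application/javascript", b"function f(a){return a+1;}"),
        WireObject("http://site.example/style.css", "text/css", b"body{margin:0}"),
        WireObject("http://site.example/logo.png", "image/png", b"\x89PNG\r\n\x1a\n" + bytes(64)),
        WireObject("http://site.example/news.html", "text/html", benign_html),
        WireObject("http://ads.example/land.html", "text/html",
                   b'<html><iframe src="x" width="0" height="0"></iframe><script>'
                   b"eval(unescape('%u9090%u9090'));</script></html>"),
        WireObject("http://cdn.example/update.txt", "text/plain", b"MZ\x90\x00" + bytes(512)),
        WireObject("http://docs.example/invoice.pdf", "application/pdf", b"%PDF-1.5 /OpenAction << /S /JavaScript >>"),
    ]
```

With `select_for_detonation(sample_objects(), budget=2)`, five of the eight objects are dropped at line rate, the disguised PE (score 120) and the landing page (80) are detonated in this interval, and the PDF (60) is queued. The mismatch rule is the one to keep even when the others are tuned away: a server that labels an `MZ` body `text/plain` is lying, and that costs nothing to check on every object.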
Slide 17
FireEye Technology: Inside the MVX
1. FireEye hardened hypervisor, running directly on the hardware: a custom hypervisor with built-in countermeasures, designed for threat analysis.
Slide 18
FireEye Technology: Inside the MVX (continued)
1. FireEye hardened hypervisor on the hardware
2. Cross-matrix virtual execution: a massive cross matrix of virtual executions across multiple operating systems, multiple service packs, multiple applications and multiple application versions.
Slide 20
Client-side vs. Server-side Attacks
FireEye’s web detection is great, BUT there are a number of threats that the FireEye solution does not address well:
– Unauthorized access
– Data resource theft
– Malformed packets
– SQL injection
– Packet flooding
– Cross-site scripting
– DDoS
Slide 21
FireEye IPS
• Improve correlation between known and unknown threats to increase threat protection and reduce costs
• Consolidated threat defense: integrate threat prevention for known and unknown threats, leveraging the MVX engine to provide timely and accurate notifications
• Threat validation: validate attacks using the MVX engine so time and resource investments are not spent on filtering down the noise
• Actionable insights: correlate known and unknown threats and derive richer threat intelligence to speed up incident response
• It allows NX to compete in both the APT and IPS market segments
• It supports custom Snort IPS rules, which are widely used in the market for compliance
• It provides both client-side and server-side IPS protection for known attacks
• It provides the CVE ID for known attacks that have been detected by MVX
Slide 22
The Objective: “Continuous Threat Protection”
Costs of a breach: theft of assets & IP, cost of response, disruption to business, reputation risk.
Prevent & investigate in real time: minimize time to detect and time to fix.
nPulse: full real-time enterprise forensics.
Slide 24
FireEye and Mandiant Services Portfolio
– Security consulting services: proactive threat and vulnerability assessments; incident response; strategic consulting and security program assessments
– Subscription services and product support: FireEye Managed Defense; product support services
Slide 25
Reference Architecture and Strategic Integrations
(Diagram: Mandiant and cloud offerings surrounded by mobility, instrumentation, endpoint, mitigation and analysis/SIEM integrations. Functions shown: virtual machine detonation, forensic analysis, real-time alerts, callback detection, exploit detection, remediate threats.)
FireEye Technology Alliances:
– INSTRUMENTATION PARTNERS: ease of implementation and high availability for Layers 1-3
– ENDPOINT PARTNERS: verification and remediation of threats through incident response processes
– ANALYSIS / SIEM PARTNERS: data correlation analytics, policy and compliance management
– MITIGATION PARTNERS: augmenting and enhancing FireEye remediation capabilities, real-time policy creation and blocking across the architecture
– MOBILITY PARTNERS: mitigating against mobile-based threats for BYOD environments with MDMs
– ACCELERATION PARTNERS: top partners in the Fuel Technology Program
“FireEye technology partnerships are great. They fill in the gaps other vendors can’t match. FireEye, with its partners, offers a formidable defense.” – OTR Global Report 2013
For Partner & Field Confidential Only
Slide 26
FireEye Platform: Products & Services Portfolio
Products:
– Network (NX) – IPS
– Email (EX)
– Content (FX)
– Endpoint (HX)
– Central Manager (CM)
– Mobile (MTP)
– Cloud Email (ETP)
– Forensics (AX)
– Threat Analytics Platform (TAP)
– Network Forensics (CPX)
Advanced Services:
– Mandiant incident response, vulnerability assessment and penetration testing
– Strategic services: response readiness and security program assessment
– Product deployment and integration
Managed Defense services portfolio: continuous protection, continuous monitoring
Support Services:
– Platinum (24x7, global)
– Platinum Priority Plus (DSE)
– Gov’t support (citizens)
– Gov’t classified – planned (clearances, secured facility; start in the U.S. and expand internationally)
Here’s what we’ve seen in our experiences at FireEye/Mandiant.
Attackers have literally months of unfettered access. And when they have access for so long, they penetrate deep, and it takes months to clean up the mess.
All environments we analyzed had traditional security tools, e.g. old-school IDS and AV, designed into their architectures to safeguard them. But they weren’t protecting against this new breed of cyber threats.
More alarming: 63% of the organizations were told they were breached by someone outside, someone walking up to their door and saying, “Hey, you dropped your wallet outside… is this yours?”
And these were serious organizations, your everyday brands, that had invested heavily in security.
How’s that possible?
And what do they all have in common? The attacks are targeted, persistent and unknown, enabling them to evade traditional signature-based defenses. Traditional or next generation firewalls, IPS, gateways or AV. It doesn’t matter. They are all completely defenseless in the face of these new attacks.
One security platform with precise alert capabilities and detailed forensic data on the full scope of an attack.
We see two key goals:
Minimize time to detect and time to fix/remediate the threats/impact in our environment
Let’s just take a look at the Target breach: it cost $400M just to replace the credit cards, not to mention the impact to the brand, organizational disruption, and legal ramifications.
The ideal situation would be to stop this right at the outset and prevent any impact to the organization and its customers, providing Continuous Threat Protection.
FireEye has identified four steps to achieving “Continuous Threat Protection”.. These include
detecting the threats (in real time)
containing the impact of the threats within an organization by understanding what the malware might be going after
resolving the impacted systems (identifying, quarantining, and cleaning up the machines)
and where appropriate preventing any impact from these threats (especially when deployed inline)
Note:
Threats @ perimeter – Network Threat Prevention Platform
Data Center – Content Threat Prevention Platform for latent malware
Obviously many people are now bringing in mobile devices. With Mobile Threat Prevention, we are able to leverage MVX to analyze the new class of threats that arrive via mobile apps, e.g. apps that steal contacts, which provides the attacker with email addresses (from legitimate sources) for the next stage of the attack.
On the endpoint, Mandiant brings us the MSO product, which will be rebranded into the FireEye platform as the Endpoint Threat Prevention Platform
Finally, we have the Email threat Prevention Platform for the spearphishing attacks that attackers use to penetrate organizations.
The Threat Analytics Platform is a new product for analyzing advanced threats using a combination of event logs and security device logs with homegrown threat intelligence from FireEye.
While products help defend you against threats and attacks in progress right here and now, knowing your attackers, their motives, and the security posture of your infrastructure will take your organizational security health to a higher level, much as health assessments and exercise complement medication and take human health a level higher.
In addition to managed defense, FireEye offers services to help you assess your security with constant evolution of services and business models, update and test your incident response plan, review current processes, capabilities and technology against leading practices as well as train your CERT teams.
Additionally, if you are short on staff or talent, count on assistance to complement your staff, or leverage external services to help manage your security. All these services are offered directly by FireEye, and some can also be offered in conjunction with one of the FireEye partners (depending on their level).