Slide 1: FireEye Architecture & Technology
Full Spectrum Kill-chain Visibility
Joshua Senzer, CISSP
DataConnectors, June 2014
Security Re-Imagined.
Slide 2: Outline
- Threat Landscape Deep Dive
- A Look Inside the FireEye Technology
- The FireEye Platform
- FireEye Platform: A Case Study
Slide 3: Current State of Cyber Security
New threat landscape:
- Multi-vector attacks
- Multi-staged attacks
- Coordinated, persistent threat actors
- Dynamic, polymorphic malware
Slide 4: The High Cost of Being Unprepared
Timeline (3 months, 6 months, 9 months): initial breach, threat undetected, remediation.
229 days: median number of days attackers are present on a victim network before detection.
(value not captured) of companies learned they were breached from an external entity.
(value not captured) of victims had up-to-date anti-virus signatures.
Source: M-Trends Report
Slide 5: The High Cost of Being Unprepared (continued)
Same timeline as slide 4 (initial breach, threat undetected, remediation), adding:
32 days: average time to resolve an attack.
Source: M-Trends Report, Ponemon
Slide 6: Zero Day Scorecard (chart only)
Slide 7: Multi-Staged Cyber Attack
Exploit detection is critical: all subsequent stages can be hidden or obfuscated.
Diagram components: exploit server, callback server, file share 1, file share 2, with a firewall and IPS in the path.
1. Exploitation of system
2. Malware executable download
3. Callbacks and control established
4. Lateral spread
5. Data exfiltration
Slide 8: What Is An Exploit?
Compromised webpage with exploit object:
1. Exploit object rendered by vulnerable software
2. Exploit injects code into running program memory
3. Control transfers to exploit code
Exploit object can be in ANY web page.
An exploit is NOT the same as the malware executable file!
Slides 9 and 10: Structure of a Multi-Flow APT Attack
Diagram components: exploit server, encrypted malware server, callback / command and control server.
1. Embedded exploit alters endpoint
2. Callback
3. Encrypted malware downloads
4. Callback and data exfiltration
Slide 11: Multi-Flow Structure of APT Attacks
(e.g. Operation Aurora, Operation Beebus, CFR…)
1. Exploit in compromised web page injects code in the web browser
2. Exploit code downloads encrypted malware (not SSL!)
3. Exploit code decrypts malware
4. Target endpoint connects to C&C server (callback and data exfiltration)
Diagram components as on slides 9 and 10: exploit in compromised web page, encrypted malware, command and control server.
Slide 12: Multi-Vector Structure of APT Attack
Weaponized email with zero-day exploit (e.g. RSA)
1. Email with weaponized document (2011 Recruitment Plan.xls), opened by user, causing exploit
2. Client endpoint calls back to infection server
3. Backdoor DLL dropped
4. Encrypted callback over HTTP to command and control server
Diagram components: weaponized email, callback server, backdoor, C&C server.
Slide 13: Traditional “Defense in Depth” is failing
Layers shown: firewalls / NGFW, secure web gateways, IPS, anti-spam gateways, desktop AV.
The new breed of attacks evades signature-based defenses.
Slide 14: Accelerating the Detection to Forensics Workflow
1. Real-time detection: signature-less, virtual machine-based approach to identify the attack lifecycle
2. Validation & containment: on- and off-premise endpoint validation and containment
3. Forensics, connecting the dots across time: kill chain reconstruction to determine the scope and impact of a threat
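As an added example (not from the slides and not FireEye code), the following Python reconstructs the multi-flow chain of slides 11 and 14 per host from separate events: an exploit alert, an encrypted payload fetched over plaintext HTTP (recognised by byte entropy, since it is "not SSL"), and a regularly spaced callback. The event shape, thresholds and sample capture are constructed assumptions; the correlation generalises to any number of hosts.

```python
"""Kill-chain reconstruction over per-host network events (added example).
The Event shape, thresholds and sample data are constructed for this example;
they are not FireEye's MVX, NX or any other product's data model.
"""
import math
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Event:
    ts: float          # seconds since start of capture
    host: str          # internal endpoint
    dst: str           # remote server
    kind: str          # "exploit_alert" (from a sensor), "http" (plaintext), "tls"
    body: bytes = b""  # response body for "http" events, empty otherwise


# Assumed thresholds (not from the slides): tune them to the environment.
ENTROPY_THRESHOLD = 7.0  # bits/byte; HTML and JavaScript sit well below this
MIN_BODY = 512           # ignore tiny bodies whose entropy estimate is noisy
WINDOW = 600.0           # the whole chain must complete within 10 minutes
MIN_BEACONS = 3          # connections needed before a destination counts as a callback
JITTER = 0.25            # allowed deviation of beacon gaps from their mean


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted or compressed data, 4-5 for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_encrypted_over_plaintext_http(ev: Event) -> bool:
    """Stage 2 of slide 11: ciphertext fetched over plain HTTP rather than SSL/TLS."""
    return (ev.kind == "http" and len(ev.body) >= MIN_BODY
            and shannon_entropy(ev.body) >= ENTROPY_THRESHOLD)


def find_beacon(events: List[Event], after: float) -> Optional[str]:
    """Stage 4: repeated connections to one destination at a near-constant interval."""
    by_dst: Dict[str, List[float]] = defaultdict(list)
    for ev in events:
        if ev.ts > after and ev.kind in ("http", "tls"):
            by_dst[ev.dst].append(ev.ts)
    for dst, times in by_dst.items():
        if len(times) < MIN_BEACONS:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and max(abs(g - mean) for g in gaps) <= JITTER * mean:
            return dst
    return None


def reconstruct(events: List[Event]) -> Dict[str, Dict[str, str]]:
    """Return {host: chain} for each host where exploit, encrypted download and
    callback occur in that order inside WINDOW; a single stage alone never matches."""
    per_host: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        per_host[ev.host].append(ev)
    chains: Dict[str, Dict[str, str]] = {}
    for host, evs in per_host.items():
        evs.sort(key=lambda e: e.ts)
        exploit = next((e for e in evs if e.kind == "exploit_alert"), None)
        if exploit is None:
            continue
        in_window = [e for e in evs if 0 <= e.ts - exploit.ts <= WINDOW]
        download = next((e for e in in_window if e.ts > exploit.ts
                         and is_encrypted_over_plaintext_http(e)), None)
        if download is None:
            continue
        c2 = find_beacon(in_window, download.ts)
        if c2 is not None:
            chains[host] = {"exploit_server": exploit.dst,
                            "payload_server": download.dst,
                            "c2_server": c2}
    return chains


# Constructed sample capture: ws-01 follows the multi-flow pattern; ws-02 only
# shows plaintext browsing and a regular update check (no exploit alert).
PLAINTEXT = b"<html><script>var i = 0; i = i + 1;</script></html>" * 20
CIPHERTEXT = bytes(range(256)) * 4  # uniformly distributed bytes: entropy exactly 8.0

SAMPLE_EVENTS = [
    Event(10.0, "ws-01", "news.example", "exploit_alert"),
    Event(15.0, "ws-01", "cdn-files.example", "http", CIPHERTEXT),
    Event(60.0, "ws-01", "update.c2.example", "tls"),
    Event(120.0, "ws-01", "update.c2.example", "tls"),
    Event(181.0, "ws-01", "update.c2.example", "tls"),
    Event(240.0, "ws-01", "update.c2.example", "tls"),
    Event(12.0, "ws-02", "news.example", "http", PLAINTEXT),
    Event(30.0, "ws-02", "sw-updates.example", "tls"),
    Event(90.0, "ws-02", "sw-updates.example", "tls"),
    Event(150.0, "ws-02", "sw-updates.example", "tls"),
]
```

Running `reconstruct(SAMPLE_EVENTS)` flags only ws-01; ws-02's regular update beacons are not reported because no exploit and no encrypted plaintext-HTTP download precede them, which is the multi-flow point of the slides.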
Slide 15: Purpose-Built for Security
Hardened hypervisor; multi-flow; multi-vector; scalable; extensible; security.
Finds known and unknown cyber-attacks in real time across all attack vectors.
Slide 16: FireEye Technology: Scaling the MVX
Chart: real-world line rate (objects/hour), axis 0 to 400,000; MVX line rate 1M+ objects/hour.
HTML and JavaScript form 95% of objects to be scanned on the wire.
APT web attacks are nearly invisible needles in a haystack of network traffic.
Phase 1: intelligent capture. Phase 2: MVX core (detonation), multi-flow virtual analysis. Goals: reduce false positives, reduce false negatives.
Slides 17 to 19: FireEye Technology: Inside the MVX
1. FireEye Hardened Hypervisor (running on the hardware): custom hypervisor with built-in countermeasures, designed for threat analysis.
2. Cross-Matrix Virtual Execution: massive cross matrix of virtual executions across multiple operating systems, service packs, applications and application versions (v1, v2, v3, ...).
3. Threat protection at scale: a control plane managing >2000 simultaneous execution environments, with multi-flow analysis.
Slide 20: FireEye’s Web detection is great, BUT …
There are a number of threats that the FireEye solution does not address well (client-side vs. server-side attacks):
– Unauthorized access
– Data resource theft
– Malformed packets
– SQL injection
– Packet flooding
– Cross-site scripting
– DDoS
Slide 21: FireEye IPS
• Improve correlation between known and unknown threats to increase threat protection and reduce costs
• Consolidated threat defense: integrate threat prevention for known and unknown threats, leveraging the MVX engine to provide timely and accurate notifications
• Allows NX to compete in both APT and IPS market segments
• Threat validation: validate attacks using the MVX engine so time and resource investments are not spent on filtering down the noise
• Supports custom IPS Snort rules that are widely used in the market for compliance
• Actionable insights: correlate known and unknown threats and derive richer threat intelligence to speed up incident response
• Provides both client and server IPS protection for known attacks
• Provides the CVE ID for known attacks that have been detected by MVX
Slide 22: The Objective: “Continuous Threat Protection”
Real time. Prevent & investigate: time to detect, time to fix.
Impact of a breach: theft of assets & IP, cost of response, disruption to business, reputation risk.
nPulse: full real-time enterprise forensics.
Slide 23: FireEye Product Portfolio: Powered by MVX
Traditional product categories shown alongside: SEG, IPS, SWG, MDM, host anti-virus.
MVX-powered products: Network Threat Prevention, Email Threat Prevention, Content Threat Prevention, Endpoint Threat Prevention, Mobile Threat Prevention, Dynamic Threat Intelligence, Threat Analytics Platform.
Slide 24: FireEye and Mandiant Services Portfolio
Security consulting services: proactive threat and vulnerability assessments; incident response; strategic consulting and security program assessments.
Subscription services and product support: FireEye Managed Defense; product support services.
Slide 25: Reference Architecture and Strategic Integrations (FireEye Technology Alliances)
Mandiant and cloud offerings. Capabilities in the reference architecture: virtual machine detonation, forensic analysis, real-time alerts, callback detection, exploit detection, remediate threats.
Partner categories (mobility, instrumentation, endpoint, mitigation, analysis/SIEM):
- Instrumentation partners: ease of implementation and high availability for Layers 1-3
- Endpoint partners: verification and remediation of threats through incident response processes
- Analysis / SIEM partners: data correlation analytics, policy and compliance management
- Mitigation partners: augmenting and enhancing FireEye remediation capabilities, real-time policy creation and blocking across the architecture
- Mobility partners: mitigating mobile-based threats for BYOD environments with MDMs
- Acceleration partners: top partners in the Fuel Technology Program
“FireEye technology partnerships are great. They fill in the gaps other vendors can’t match. FireEye, with its partners, offers a formidable defense.” – OTR Global Report 2013
For Partner & Field Confidential Only
Slide 26: FireEye Platform: Products & Services Portfolio
Products: Network (NX) - IPS; Email (EX); Content (FX); Endpoint (HX); Central Manager (CM); Mobile (MTP); Cloud Email (ETP); Forensics (AX); Threat Analytics Platform (TAP); Network Forensics (CPX).
Advanced services: Mandiant incident response, vulnerability assessment and penetration testing; strategic services: response readiness and security program assessment; product deployment and integration.
Managed Defense: continuous protection; continuous monitoring.
Support services: Platinum (24x7, global); Platinum Priority Plus (DSE); Gov’t Support (Citizens); Gov’t Classified – planned (clearances, secured facility; start in U.S. and expand internationally).
Slide 27: Security Reimagined.
Thank You

Mais conteúdo relacionado

Semelhante a FireEye Report.ppt

Attacking backup softwares
Attacking backup softwaresAttacking backup softwares
Attacking backup softwaresNibin Varghese
 
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...James Anderson
 
Best Practices for Scoping Infections and Disrupting Breaches
Best Practices for Scoping Infections and Disrupting BreachesBest Practices for Scoping Infections and Disrupting Breaches
Best Practices for Scoping Infections and Disrupting BreachesSplunk
 
Infosec 2014: Risk Analytics: Using Your Data to Solve Security Challenges
Infosec 2014: Risk Analytics: Using Your Data to Solve Security ChallengesInfosec 2014: Risk Analytics: Using Your Data to Solve Security Challenges
Infosec 2014: Risk Analytics: Using Your Data to Solve Security ChallengesSkybox Security
 
Steve Porter : cloud Computing Security
Steve Porter : cloud Computing SecuritySteve Porter : cloud Computing Security
Steve Porter : cloud Computing SecurityGurbir Singh
 
How to protect my cloud workload from Ransomware?
How to protect my cloud workload from Ransomware?How to protect my cloud workload from Ransomware?
How to protect my cloud workload from Ransomware?Raphael Bottino
 
How to Audit
How to AuditHow to Audit
How to Auditayousif
 
Trend Micro Keynote: Nightingale Floors: Mitigating Cyber Attacks in 2015
Trend Micro Keynote: Nightingale Floors: Mitigating Cyber Attacks in 2015Trend Micro Keynote: Nightingale Floors: Mitigating Cyber Attacks in 2015
Trend Micro Keynote: Nightingale Floors: Mitigating Cyber Attacks in 2015Ingram Micro Cloud
 
Cisco Connect 2018 Malaysia - Cybersecurity strategy-an integrated approach
Cisco Connect 2018 Malaysia - Cybersecurity strategy-an integrated approachCisco Connect 2018 Malaysia - Cybersecurity strategy-an integrated approach
Cisco Connect 2018 Malaysia - Cybersecurity strategy-an integrated approachNetworkCollaborators
 
Advanced Threat Defense Intel Security
Advanced Threat Defense  Intel SecurityAdvanced Threat Defense  Intel Security
Advanced Threat Defense Intel Securityxband
 
Next Generation Firewall and IPS
Next Generation Firewall and IPSNext Generation Firewall and IPS
Next Generation Firewall and IPSData#3 Limited
 
Introduction to PolySwarm
Introduction to PolySwarmIntroduction to PolySwarm
Introduction to PolySwarmPolySwarm
 
Introduction to PolySwarm
Introduction to PolySwarmIntroduction to PolySwarm
Introduction to PolySwarmBlakeReyes
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the CloudAlert Logic
 

Semelhante a FireEye Report.ppt (20)

FireEye Engineering
FireEye Engineering FireEye Engineering
FireEye Engineering
 
Attacking backup softwares
Attacking backup softwaresAttacking backup softwares
Attacking backup softwares
 
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...
 
Best Practices for Scoping Infections and Disrupting Breaches
Best Practices for Scoping Infections and Disrupting BreachesBest Practices for Scoping Infections and Disrupting Breaches
Best Practices for Scoping Infections and Disrupting Breaches
 
Infosec 2014: Risk Analytics: Using Your Data to Solve Security Challenges
Infosec 2014: Risk Analytics: Using Your Data to Solve Security ChallengesInfosec 2014: Risk Analytics: Using Your Data to Solve Security Challenges
Infosec 2014: Risk Analytics: Using Your Data to Solve Security Challenges
 
Steve Porter : cloud Computing Security
Steve Porter : cloud Computing SecuritySteve Porter : cloud Computing Security
Steve Porter : cloud Computing Security
 
Cloud security live hack - final meetup
Cloud security   live hack - final meetupCloud security   live hack - final meetup
Cloud security live hack - final meetup
 
How to protect my cloud workload from Ransomware?
How to protect my cloud workload from Ransomware?How to protect my cloud workload from Ransomware?
How to protect my cloud workload from Ransomware?
 
How to Audit
How to AuditHow to Audit
How to Audit
 
Trend Micro Keynote: Nightingale Floors: Mitigating Cyber Attacks in 2015
Trend Micro Keynote: Nightingale Floors: Mitigating Cyber Attacks in 2015Trend Micro Keynote: Nightingale Floors: Mitigating Cyber Attacks in 2015
Trend Micro Keynote: Nightingale Floors: Mitigating Cyber Attacks in 2015
 
Cisco Connect 2018 Malaysia - Cybersecurity strategy-an integrated approach
Cisco Connect 2018 Malaysia - Cybersecurity strategy-an integrated approachCisco Connect 2018 Malaysia - Cybersecurity strategy-an integrated approach
Cisco Connect 2018 Malaysia - Cybersecurity strategy-an integrated approach
 
FireEye Solutions
FireEye SolutionsFireEye Solutions
FireEye Solutions
 
NetWitness
NetWitnessNetWitness
NetWitness
 
Advanced Threat Defense Intel Security
Advanced Threat Defense  Intel SecurityAdvanced Threat Defense  Intel Security
Advanced Threat Defense Intel Security
 
Next Generation Firewall and IPS
Next Generation Firewall and IPSNext Generation Firewall and IPS
Next Generation Firewall and IPS
 
Introduction to PolySwarm
Introduction to PolySwarmIntroduction to PolySwarm
Introduction to PolySwarm
 
Introduction to PolySwarm
Introduction to PolySwarmIntroduction to PolySwarm
Introduction to PolySwarm
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 
R20BM564_NAWARAJSUNARPPT.pptx
R20BM564_NAWARAJSUNARPPT.pptxR20BM564_NAWARAJSUNARPPT.pptx
R20BM564_NAWARAJSUNARPPT.pptx
 
R20BM564.pptx
R20BM564.pptxR20BM564.pptx
R20BM564.pptx
 

Último

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 

Último (20)

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 

FireEye Report.ppt

  • 1. 1 FireEye Architecture & Technology Full Spectrum Kill-chain Visibility Joshua Senzer, CISSP DataConnectors June 2014 Re-Imagined. Security.
  • 2. 2 THREAT LANDSCAPE DEEP DIVE A LOOK INSIDE THE FIREEYE TECHNOLOGY THE FIREEYE PLATFORM FIREEYE PLATFORM: A CASE STUDY
  • 3. 3 Current State of Cyber Security NEW THREAT LANDSCAPE Multi-Vector Attacks Multi-Staged Attacks Coordinated Persistent Threat Actors Dynamic, Polymorphic Malware
  • 4. 4 The High Cost of Being Unprepared 3 Months 6 Months 9 Months 229 Days Median # of days attackers are present on a victim network before detection. Initial Breach of Companies Learned They Were Breached from an External Entity of Victims Had Up-To-Date Anti-Virus Signatures THREAT UNDETECTED REMEDIATION Source: M-Trends Report
  • 5. 5 The High Cost of Being Unprepared 3 Months 6 Months 9 Months Initial Breach of Companies Learned They Were Breached from an External Entity of Victims Had Up-To-Date Anti-Virus Signatures THREAT UNDETECTED REMEDIATION Source: M-Trends Report, Ponemon 32 Days Average Time to Resolve an Attack
  • 7. 7 Multi-Staged Cyber Attack Exploit Detection is Critical All Subsequent Stages can be Hidden or Obfuscated Callback Server IPS File Share 2 File Share 1 Exploit Server 1. Exploitation of System 2. Malware Executable Download 3. Callbacks and Control Established 4. Lateral Spread 5. Data Exfiltration Firewall
  • 8. 8 What Is An Exploit? Compromised webpage with exploit object 1. Exploit object rendered by vulnerable software 2. Exploit injects code into running program memory 3. Control transfers to exploit code Exploit object can be in ANY web page An exploit is NOT the same as the malware executable file!
  • 9. 9 Structure of a Multi-Flow APT Attack Callback Server Exploit Server Encrypted Malware Command and Control Server Embedded Exploit Alters Endpoint 1 Callback 2 Encrypted malware downloads 3 Callback and data exfiltration 4
  • 10. 10 Structure of a Multi-Flow APT Attack Callback Server Exploit Server Encrypted Malware Command and Control Server Embedded Exploit Alters Endpoint 1 Callback 2 Encrypted malware downloads 3 Callback and data exfiltration 4
  • 11. 11 Multi-Flow Structure of APT Attacks (e.g. Operation Aurora, Operation Beebus, CFR…) Exploit injects code in Web browser 1 Exploit code downloads encrypted malware (not SSL!) 2 Exploit code decrypts malware 3 Target end point connects to C&C server 4 Callback Exploit in compromised Web page Encrypted Malware Command and Control Server Embedded Exploit Alters Endpoint Callback Encrypted malware downloads Callback and data exfiltration 1 2 3 4
  • 12. 12 Multi-Vector Structure of APT Attack Weaponized Email with Zero-Day Exploit (e.g. RSA) Email with weaponized document, opened by user, causing exploit 1 Client endpoint calls back to infection server 2 Backdoor DLL dropped 3 Encrypted callback over HTTP to command and control server 4 Callback Server Weaponized Email (2011 Recruitment Plan.xls) Backdoor C&C Server 1 2 3 4
  • 13. 13 Traditional “Defense in Depth” is failing Firewalls/ NGFW Secure Web Gateways IPS Anti-Spam Gateways Desktop AV The New Breed of Attacks Evade Signature-Based Defenses
  • 14. 14 Kill chain reconstruction to determine the scope and impact of a threat On and off-premiseendpoint validationand containment Accelerating the Detection to Forensics Workflow Signature-less virtual machine-basedapproach to identifythe attack lifecycle Real-time Detection Validation & Containment Forensics: Connecting the dot across time 2 3 1
  • 15. 15 Purpose-Built for Security Hardened Hypervisor Multi-flow Multi-vector Scalable Extensible Security Finds known/ unknown cyber-attacks in real time across all attack vectors
  • 16. 16 FireEye Technology: Scaling the MVX 0 100000 200000 300000 400000 Real world line rate (objects/hour) HTML and JavaScript form 95% of objects to be scanned on the wire MVX Line Rate Intelligent Capture MVX Core (Detonation) Reduce False Positives Reduce False Negatives Phase 1 Phase 2 1M+ objects/hour Multi-flow virtual analysis APT web attacks are nearly invisible needles in haystack of network traffic
  • 17. 17 FireEye Technology: Inside the MVX FireEye Hardened Hypervisor Hardware Custom hypervisor with built-in countermeasures Designed for threat analysis FireEye Hardened Hypervisor 1
  • 18. 18 FireEye Technology: Inside the MVX Multiple operating systems Multiple service packs Multiple applications Multiple application versions FireEye Hardened Hypervisor Cross-Matrix Virtual Execution Hardware FireEye Hardened Hypervisor 1 Massive cross matrix of virtual executions 2
  • 19. 19 FireEye Technology: Inside the MVX >2000 simultaneous executions Multi-flow analysis FireEye Hardened Hypervisor Cross-Matrix Virtual Execution v1 v2 v3 v1 v2 v3 Hardware Control Plane > 2000 Execution Environments FireEye Hardened Hypervisor 1 Massive cross matrix of virtual execution 2 Threat Protection at Scale 3
  • 20. 20 FireEye’s Web detection is great, BUT ….. There are a number of threats that FireEye solution does not address well: – Unauthorized access – Data Resource Theft – Malformed Packets – SQL Injection – Packet Flooding – Cross-Site Scripting – DDOS Client-side vs. Server-side Attacks
  • 21. 21 • Improve Correlation Between Known and Unknown Threats to Increase Threat Protection and Reduce Costs • Consolidated threat defense—integrate threat prevention for known and unknown threats, leveraging the MVX engine to provide timely and accurate notifications • It allows NX to compete in both APT and IPS market segments • Threat validation—validate attacks using the MVX engine so time and resource investments are not spent on filtering down the noise • It supports custom IPS Snort rules that are widely used in the market for compliance • Actionable insights—correlate known and unknown threats and derive richer threat intelligence to speed up incident response • It provides both client and server IPS protection for known attacks • It provides the CVE ID for known attacks that has been detected by MVX FireEye IPS
  • 22. 22 REAL TIME The Objective: “Continuous Threat Protection” THEFT OF ASSETS & IP COST OF RESPONSE DISRUPTION TO BUSINESS REPUTATION RISK Prevent & Investigate Time to Detect Time to Fix nPulse Full Real-time Enterprise Forensics
  • 23. 23 FireEye Product Portfolio: Powered by MVX SEG IPS SWG IPS MDM Host Anti-virus Host Anti-virus MVX Threat Analytics Platform Mobile Threat Prevention Email Threat Prevention Dynamic Threat Intelligence Network Threat Prevention Content Threat Prevention Mobile Threat Prevention Endpoint Threat Prevention Email Threat Prevention
  • 24. 24 FireEye and Mandiant Services Portfolio Security Consulting Services Subscription Services and Product Support FireEye Managed Defense Product Support Services Proactive Threat and Vulnerability Assessments Incident Response Strategic Consulting and Security Program Assessments
  • 25. 25 Mandiant and Cloud offerings MOBILITY INSTRUMENTATION ENDPOINT MITIGATION ANALYSIS/SIEM Reference Architecture and Strategic Integrations Virtual Machine Detonation Forensic Analysis Real Time Alerts Call Back Detection Exploit Detection Remediate Threats FireEye Technology Alliances INSTRUMENTATION PARTNERS Ease of implementation and high availability for Layers 1-3 ENDPOINT PARTNERS Verification and remediation of threats through incident response processes ANALYSIS / SIEM PARTNERS Data correlation analytics, policy and compliance management MITIGATION PARTNERS Augmenting and enhancing FireEye remediation capabilities, real time policy creation and blocking across the architecture MOBILITY PARTNERS Mitigating against mobile based threats for BYOD environments with MDMs ACCELERATION PARTNERS Top partners in the Fuel Technology Program “FireEye technology partnerships are great. They fill in the gaps other vendors can’t match. FireEye, with its partners, offers a formidable defense.” – OTR Global Report 2013 For Partner & Field Confidential Only
  • 26. FireEye Platform: Products & Services Portfolio
    • Products: Network (NX) - IPS; Email (EX); Content (FX); Endpoint (HX); Central Manager (CM); Mobile (MTP); Cloud Email (ETP); Forensics (AX); Threat Analytics Platform (TAP); Network Forensics (CPX)
    • Managed Defense Services Portfolio: Continuous Protection; Continuous Monitoring
    • Advanced Services: Mandiant Incident Response, Vulnerability Assessment and Penetration Testing; Strategic Services: Response Readiness and Security Program Assessment; Product Deployment and Integration
    • Support Services: Platinum (24x7, Global); Platinum Priority Plus (DSE); Gov't Support (Citizens); Gov't Classified, planned (clearances, secured facility; start in U.S. and expand internationally)

Editor's Notes

  1. Here’s what we’ve seen in our experiences at FireEye/Mandiant. Attackers have literally months of unfettered access.. And when they have access for so long, they penetrate deep and it take months to cleanup the mess All environments we analyzed had traditional security tools, e.g. old school IDS, AV, designed into their architectures to safe-guard! But they weren’t protecting against this new breed of cyber threats. More alarming… 63% of the organizations were told they were breached by someone outside – someone walking up to their door and saying, “Hey, you dropped you wallet outside… is this yours?” And these were serious organizations, your everyday brands… that had invested heavily in security. How’s that possible?
  2. Here’s what we’ve seen in our experiences at FireEye/Mandiant. Attackers have literally months of unfettered access.. And when they have access for so long, they penetrate deep and it take months to cleanup the mess All environments we analyzed had traditional security tools, e.g. old school IDS, AV, designed into their architectures to safe-guard! But they weren’t protecting against this new breed of cyber threats. More alarming… 63% of the organizations were told they were breached by someone outside – someone walking up to their door and saying, “Hey, you dropped you wallet outside… is this yours?” And these were serious organizations, your everyday brands… that had invested heavily in security. How’s that possible?
  3. And what do they all have in common? The attacks are targeted, persistent and unknown, enabling them to evade traditional signature-based defenses. Traditional or next generation firewalls, IPS, gateways or AV. It doesn’t matter. They are all completely defenseless in the face of these new attacks.
  4. One security platform with precise alert capabilities and detailed forensic data on the full scope of an attack.
  5. We see two key goals: minimize time to detect and time to fix/remediate the threats/impact in our environment. Let's just take a look at the Target breach: it cost $400M just to replace the credit cards, not to mention the impact to the brand, organizational disruption, and legal ramifications. The ideal situation would be to stop this right at the outset and prevent any impact to the organization and its customers, providing Continuous Threat Protection. FireEye has identified four steps to achieving "Continuous Threat Protection". These include: detecting the threats (in real time); containing the impact of the threats within an organization by understanding what the malware might be going after; resolving the impacted systems (identifying, quarantining, and cleaning up the machines); and, where appropriate, preventing any impact from these threats (especially when deployed inline).
  6. Note: threats at the perimeter: Network Threat Prevention Platform; data center: Content Threat Prevention Platform for latent malware. Obviously many people are now bringing in mobile devices... with Mobile Threat Prevention, we are able to leverage MVX to now analyze the new class of threats: threats via mobile apps. E.g. apps stealing contacts via mobile apps, which provides the attacker the email information (and legally valid sources) for the next stage of attack. On the endpoint, Mandiant brings us the MSO product, which will be rebranded into the FireEye platform as the Endpoint Threat Prevention Platform. Finally, we have the Email Threat Prevention Platform for the spearphishing attacks that attackers use to penetrate organizations. The Threat Analytics Platform is a new product for analyzing advanced threats using a combination of event logs and security device logs with homegrown threat intelligence from FireEye.
  7. While products help defend you against threats and attacks in progress right here and now, knowing your attackers, their motives, and your infrastructural security structure will take your organizational security health to a higher level, much like health assessments and exercise complement medication for human health, taking it a level higher. In addition to managed defense, FireEye offers services to help you assess your security with constant evolution of services and business models, update and test your incident response plan, review current processes, capabilities and technology against leading practices, as well as train your CERT teams. Additionally, if you are short on staff or talent, count on assistance to complement your staff or leverage external services to help manage your security. All these services are offered directly by FireEye and some can also be offered in conjunction with one of the FireEye partners (depending on their level).