Slide 1: FireEye Architecture & Technology
Full Spectrum Kill-chain Visibility
Joshua Senzer, CISSP
DataConnectors, June 2014
Security. Re-Imagined.
Slide 2: Agenda
• Threat landscape deep dive
• A look inside the FireEye technology
• The FireEye platform
• FireEye platform: a case study
Slide 3: Current State of Cyber Security
New threat landscape:
• Multi-vector attacks
• Multi-staged attacks
• Coordinated persistent threat actors
• Dynamic, polymorphic malware
Slide 4: The High Cost of Being Unprepared
(Timeline figure: initial breach, threat undetected, remediation; marked at 3, 6 and 9 months)
• 229 days: median number of days attackers are present on a victim network before detection.
• 63% of companies learned they were breached from an external entity.
• 100% of victims had up-to-date anti-virus signatures.
Source: M-Trends Report
Slide 5: The High Cost of Being Unprepared (continued; same timeline and statistics as slide 4)
• 32 days: average time to resolve an attack.
Source: M-Trends Report, Ponemon
Slide 6: Zero Day Scorecard
Slide 7: Multi-Staged Cyber Attack
Exploit detection is critical: all subsequent stages can be hidden or obfuscated.
1. Exploitation of system
2. Malware executable download
3. Callbacks and control established
4. Lateral spread
5. Data exfiltration
(Diagram: exploit server, callback server, firewall, IPS, file share 1 and file share 2, with the five stages numbered across them)
Slide 8: What Is An Exploit?
Compromised web page with exploit object:
1. Exploit object rendered by vulnerable software
2. Exploit injects code into running program memory
3. Control transfers to exploit code
Exploit object can be in ANY web page.
An exploit is NOT the same as the malware executable file!
(Diagram: compromised web page labelled HACKED)
Slides 9–10: Structure of a Multi-Flow APT Attack
(Diagram, built up over two slides: exploit server, callback server, encrypted malware, command and control server)
1. Embedded exploit alters endpoint
2. Callback
3. Encrypted malware downloads
4. Callback and data exfiltration
Slide 11: Multi-Flow Structure of APT Attacks (e.g. Operation Aurora, Operation Beebus, CFR…)
1. Exploit injects code in web browser
2. Exploit code downloads encrypted malware (not SSL!)
3. Exploit code decrypts malware
4. Target endpoint connects to C&C server
(Diagram: exploit in compromised web page, callback, encrypted malware, command and control server; flows labelled embedded exploit alters endpoint, callback, encrypted malware downloads, callback and data exfiltration)
Slide 12: Multi-Vector Structure of APT Attack: Weaponized Email with Zero-Day Exploit (e.g. RSA)
1. Email with weaponized document, opened by user, causing exploit
2. Client endpoint calls back to infection server
3. Backdoor DLL dropped
4. Encrypted callback over HTTP to command and control server
(Diagram: weaponized email “2011 Recruitment Plan.xls”, callback server, backdoor, C&C server)
Slide 13: Traditional “Defense in Depth” is failing
• Firewalls / NGFW
• Secure web gateways
• IPS
• Anti-spam gateways
• Desktop AV
The new breed of attacks evades signature-based defenses.
Slide 14: Accelerating the Detection to Forensics Workflow
1. Real-time detection: signature-less, virtual machine-based approach to identify the attack lifecycle
2. Validation & containment: on- and off-premise endpoint validation and containment
3. Forensics, connecting the dots across time: kill chain reconstruction to determine the scope and impact of a threat
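As an added example (not from the presentation and not FireEye's code), here is the kill-chain reconstruction of slide 14 applied to the multi-flow structure of slide 11: per host, it looks for an exploit verdict on a web object, a plaintext-HTTP download whose body is high-entropy (encrypted, but not TLS), and a regular-interval callback to one external host. The event field names, thresholds and all hosts, URLs and addresses are constructed assumptions.

```python
# Added example, not FireEye code: correlates the multi-flow stages of slide 11 per host.
# Stage 3 (decryption) happens in endpoint memory and leaves no flow, so it is not modelled.
from collections import defaultdict
from math import log2

def entropy(data: bytes) -> float:
    # Shannon entropy in bits per byte; encrypted or packed payloads approach 8.0
    return -sum(c / n * log2(c / n) for c in (data.count(b) for b in set(data))) if (n := len(data)) else 0.0

def is_beacon(times, min_hits=4, jitter=0.2) -> bool:
    # callbacks to one host at a near-constant interval (each gap within jitter of the mean)
    if len(times) < min_hits:
        return False
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean = sum(gaps) / len(gaps)
    return mean > 0 and all(abs(g - mean) <= jitter * mean for g in gaps)

def reconstruct(events, window=3600):
    # returns {host: [(stage, ts, detail), ...]} only for hosts that show all three observable stages
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)
    chains = {}
    for host, evs in by_host.items():
        stages, t0, callbacks = [], None, defaultdict(list)
        for e in evs:
            if e["kind"] == "web_object" and e["verdict"] == "malicious":
                t0 = e["ts"]
                stages.append(("1 exploit", e["ts"], e["url"]))
            elif t0 is None or e["ts"] - t0 > window:
                continue  # only flows within the window after the exploit count
            elif e["kind"] == "http_get" and not e["tls"] and entropy(e["body"]) > 7.0:
                stages.append(("2 encrypted download", e["ts"], e["url"]))
            elif e["kind"] == "conn":
                callbacks[e["dst"]].append(e["ts"])
        for dst, ts in callbacks.items():
            if is_beacon(ts):
                stages.append(("4 callback", ts[0], dst))
        if {s[0][0] for s in stages} >= {"1", "2", "4"}:
            chains[host] = stages
    return chains

# constructed sample: ws-17 completes the chain; ws-22 only fetched a plain HTML page afterwards
EVENTS = [
    {"ts": 0, "host": "ws-17", "kind": "web_object", "verdict": "malicious", "url": "http://news.example/ad.js"},
    {"ts": 5, "host": "ws-17", "kind": "http_get", "tls": False, "url": "http://cdn.example/x.gif", "body": bytes(range(256)) * 4},
    *({"ts": t, "host": "ws-17", "kind": "conn", "dst": "203.0.113.9"} for t in (60, 121, 180, 242)),
    {"ts": 0, "host": "ws-22", "kind": "web_object", "verdict": "malicious", "url": "http://news.example/ad.js"},
    {"ts": 9, "host": "ws-22", "kind": "http_get", "tls": False, "url": "http://news.example/", "body": b"<html>" * 40},
]
```

`reconstruct(EVENTS)` reports only ws-17, with the exploit, the encrypted download and the beacon to 203.0.113.9 in order; a single malicious verdict with no follow-on flows, as on ws-22, is left for validation rather than reported as a completed chain.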
Slide 15: Virtual Machine-Based Model of Detection
Purpose-built for security:
• Hardened hypervisor
• Multi-flow
• Multi-vector
• Scalable
• Extensible
Security Reimagined: finds known and unknown cyber-attacks in real time across all attack vectors.
Slide 16: FireEye Technology: Scaling the MVX
(Chart: real-world line rate in objects/hour, 0 to 400,000, for HTML, JavaScript, Flash, Office and ZIP, EXE and DLL, and PDF objects)
HTML and JavaScript form 95% of objects to be scanned on the wire.
Phase 1: line rate intelligent capture (1M+ objects/hour).
Phase 2: MVX core (detonation), multi-flow virtual analysis.
Goals: reduce false positives, reduce false negatives.
APT web attacks are nearly invisible needles in a haystack of network traffic.
Slide 17: FireEye Technology: Inside the MVX
1. FireEye Hardened Hypervisor: custom hypervisor with built-in countermeasures, designed for threat analysis.
(Diagram layers: hardware, FireEye Hardened Hypervisor)
Slide 18: FireEye Technology: Inside the MVX
2. Massive cross matrix of virtual executions (Cross-Matrix Virtual Execution): multiple operating systems, multiple service packs, multiple applications, multiple application versions.
(Diagram layers: hardware, FireEye Hardened Hypervisor, Cross-Matrix Virtual Execution)
Slide 19: FireEye Technology: Inside the MVX
3. Threat protection at scale: more than 2000 simultaneous execution environments, multi-flow analysis, control plane.
(Diagram layers: hardware, FireEye Hardened Hypervisor, Cross-Matrix Virtual Execution with environments v1, v2, v3, control plane)
Slide 20: Client-side vs. Server-side Attacks
FireEye’s web detection is great, BUT … there are a number of threats that the FireEye solution does not address well:
– Unauthorized access
– Data resource theft
– Malformed packets
– SQL injection
– Packet flooding
– Cross-site scripting
– DDoS
Slide 21: FireEye IPS
Improve correlation between known and unknown threats to increase threat protection and reduce costs.
• Consolidated threat defense: integrate threat prevention for known and unknown threats, leveraging the MVX engine to provide timely and accurate notifications
• Threat validation: validate attacks using the MVX engine so time and resource investments are not spent on filtering down the noise
• Actionable insights: correlate known and unknown threats and derive richer threat intelligence to speed up incident response
• It allows NX to compete in both APT and IPS market segments
• It supports custom IPS Snort rules that are widely used in the market for compliance
• It provides both client and server IPS protection for known attacks
• It provides the CVE ID for known attacks that have been detected by MVX
Slide 22: The Objective: “Continuous Threat Protection”
(Diagram: real-time prevent & investigate, shortening time to detect and time to fix)
Theft of assets & IP, cost of response, disruption to business, reputation risk.
nPulse: full real-time enterprise forensics.
Slide 23: FireEye Product Portfolio: Powered by MVX
(Diagram: legacy controls SEG, IPS, SWG, MDM and host anti-virus mapped onto the MVX-powered products below)
• Network Threat Prevention
• Email Threat Prevention
• Content Threat Prevention
• Mobile Threat Prevention
• Endpoint Threat Prevention
• Threat Analytics Platform
• Dynamic Threat Intelligence
Slide 24: FireEye and Mandiant Services Portfolio
• Security Consulting Services: proactive threat and vulnerability assessments; incident response; strategic consulting and security program assessments
• Subscription Services and Product Support: FireEye Managed Defense; product support services
Slide 25: Reference Architecture and Strategic Integrations
Mandiant and Cloud offerings
(Diagram: FireEye core capabilities, virtual machine detonation, forensic analysis, real-time alerts, callback detection, exploit detection and remediate threats, surrounded by partner categories: instrumentation, endpoint, analysis/SIEM, mitigation, mobility)
FireEye Technology Alliances:
• Instrumentation partners: ease of implementation and high availability for layers 1-3
• Endpoint partners: verification and remediation of threats through incident response processes
• Analysis / SIEM partners: data correlation analytics, policy and compliance management
• Mitigation partners: augmenting and enhancing FireEye remediation capabilities, real-time policy creation and blocking across the architecture
• Mobility partners: mitigating against mobile-based threats for BYOD environments with MDMs
• Acceleration partners: top partners in the Fuel Technology Program
“FireEye technology partnerships are great. They fill in the gaps other vendors can’t match. FireEye, with its partners, offers a formidable defense.” – OTR Global Report 2013
For Partner & Field Confidential Only
Slide 26: FireEye Platform: Products & Services Portfolio
Products: Network (NX) - IPS, Email (EX), Content (FX), Endpoint (HX), Central Manager (CM), Mobile (MTP), Cloud Email (ETP), Forensics (AX), Threat Analytics Platform (TAP), Network Forensics (CPX)
Support Services: Platinum (24x7, Global); Platinum Priority Plus (DSE); Gov’t Support (Citizens); Gov’t Classified – Planned (Clearances, Secured Facility; start in U.S. and expand internationally)
Managed Defense Services Portfolio: Managed Defense, Continuous Protection, Continuous Monitoring
Advanced Services: Mandiant Incident Response, Vulnerability Assessment and Penetration Testing; Strategic Services: Response Readiness and Security Program Assessment; Product Deployment and Integration
Slide 27: Thank You
Security Reimagined