FireEye Architecture & Technology
Full Spectrum Kill-chain Visibility
Joshua Senzer, CISSP
DataConnectors, June 2014
Re-Imagined. Security.

Transcript of the slide deck (27 slides).

Page 1: FireEye Architecture & Technology: Full Spectrum Kill-chain Visibility (title slide)

Page 2: AGENDA

THREAT LANDSCAPE DEEP DIVE

A LOOK INSIDE THE FIREEYE TECHNOLOGY

THE FIREEYE PLATFORM

FIREEYE PLATFORM: A CASE STUDY

Page 3: Current State of Cyber Security

NEW THREAT LANDSCAPE

• Multi-Vector Attacks
• Multi-Staged Attacks
• Coordinated Persistent Threat Actors
• Dynamic, Polymorphic Malware

Page 4: The High Cost of Being Unprepared

[Timeline graphic: Initial Breach, then 3 Months / 6 Months / 9 Months with the threat undetected, then Remediation]

• 229 Days: median number of days attackers are present on a victim network before detection
• 63% of companies learned they were breached from an external entity
• 100% of victims had up-to-date anti-virus signatures

Source: M-Trends Report

Page 5: The High Cost of Being Unprepared (continued; same timeline and statistics as page 4)

• 32 Days: average time to resolve an attack

Source: M-Trends Report, Ponemon

Page 6: Zero Day Scorecard

Page 7: Multi-Staged Cyber Attack

Exploit detection is critical: all subsequent stages can be hidden or obfuscated.

[Diagram: Exploit Server and Callback Server on the Internet side of the Firewall and IPS; the victim host, File Share 1 and File Share 2 on the inside; stages 1-5 marked on the flows]

1. Exploitation of System
2. Malware Executable Download
3. Callbacks and Control Established
4. Lateral Spread
5. Data Exfiltration

Page 8: What Is An Exploit?

Compromised webpage with exploit object:

1. Exploit object rendered by vulnerable software
2. Exploit injects code into running program memory
3. Control transfers to exploit code

Exploit object can be in ANY web page.

An exploit is NOT the same as the malware executable file!

Pages 9-10: Structure of a Multi-Flow APT Attack

[Two build-up slides of the diagram shown in full on page 11: Exploit Server, Callback Server, Encrypted Malware, Command and Control Server; flows labelled "Embedded Exploit Alters Endpoint", "Callback", "Encrypted malware downloads", "Callback and data exfiltration"]

Page 11: Multi-Flow Structure of APT Attacks (e.g. Operation Aurora, Operation Beebus, CFR…)

1. Exploit injects code in Web browser
2. Exploit code downloads encrypted malware (not SSL!)
3. Exploit code decrypts malware
4. Target end point connects to C&C server

[Diagram: Exploit in compromised Web page, Callback server, Encrypted Malware, Command and Control Server; flows labelled "Embedded Exploit Alters Endpoint", "Callback", "Encrypted malware downloads", "Callback and data exfiltration"]
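The four flows on pages 7 and 11 only become one incident when they are linked per victim host across time. The following is an added example, not FireEye code and not the MVX multi-flow engine: a small Python correlator over constructed HTTP flow records. The record fields, the entropy and content-type heuristics, the beacon-regularity test and the time window are assumptions made for this example, and the stage-1 check is a crude keyword stand-in for the verdict a detonation engine would supply.

```python
"""Multi-flow kill-chain reconstruction. Added example, not FireEye code: the flow
fields, thresholds and sample traffic are constructed; the stage-1 check is a crude
keyword stand-in for the exploit verdict a detonation engine would supply."""
import math
import random
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass
class Flow:
    ts: float           # seconds since capture start
    client: str         # inside host
    server: str         # HTTP Host header of the outside peer
    port: int           # 80 = cleartext HTTP, the case on the slide ("not SSL!")
    method: str
    uri: str
    content_type: str   # declared type of body
    body: bytes         # response body for GET, request body for POST

# Declared type -> magic it should start with (small subset, assumed).
MAGIC = {"image/gif": b"GIF8", "image/png": b"\x89PNG", "image/jpeg": b"\xff\xd8",
         "application/pdf": b"%PDF", "application/zip": b"PK"}
EXPLOIT_MARKERS = (b"unescape(", b"%u0c0c", b"String.fromCharCode(")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8 for encrypted/random bytes, ~4-5 for HTML or script."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def looks_exploit(f: Flow) -> bool:
    """Stage 1 stand-in: script content carrying heap-spray style markers."""
    return (f.method == "GET" and f.content_type.startswith(("text/html", "application/javascript"))
            and any(m in f.body for m in EXPLOIT_MARKERS))

def looks_encrypted_download(f: Flow) -> bool:
    """Stage 2: cleartext HTTP body of near-random bytes whose declared type does not
    match its magic (e.g. 'image/gif' not starting with GIF8) or claims to be text."""
    if f.port != 80 or f.method != "GET" or len(f.body) < 256:
        return False
    magic = MAGIC.get(f.content_type)
    mismatch = (magic is not None and not f.body.startswith(magic)) or f.content_type.startswith("text/")
    return mismatch and shannon_entropy(f.body) > 7.5

def beacon_series(flows, min_hits=3, max_jitter=0.25):
    """Stage 3: small requests from one client to one server+URI at a near-constant
    interval. Returns {(client, server): timestamp of the first beacon}."""
    by_key = defaultdict(list)
    for f in flows:
        if len(f.body) < 512:
            by_key[(f.client, f.server, f.uri)].append(f.ts)
    found = {}
    for (client, server, _uri), ts in by_key.items():
        ts.sort()
        if len(ts) < min_hits:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and max(abs(g - mean) for g in gaps) / mean <= max_jitter:
            found[(client, server)] = ts[0]
    return found

def reconstruct(flows, window=3600.0, exfil_bytes=100_000):
    """Chain stages 1-4 per client; every later stage must follow the exploit within `window` s."""
    flows = sorted(flows, key=lambda f: f.ts)
    beacons = beacon_series(flows)
    chains = []
    for client in sorted({f.client for f in flows}):
        mine = [f for f in flows if f.client == client]
        exploit = next((f for f in mine if looks_exploit(f)), None)
        if exploit is None:
            continue
        later = [f for f in mine if exploit.ts < f.ts <= exploit.ts + window]
        chain = {"client": client, "exploit": (exploit.ts, exploit.server)}
        dl = next((f for f in later if looks_encrypted_download(f)), None)
        if dl is not None:
            chain["encrypted_download"] = (dl.ts, dl.server)
            c2 = [(t0, s) for (c, s), t0 in beacons.items() if c == client and t0 > dl.ts]
            if c2:
                t0, server = min(c2)
                chain["callback"] = (t0, server)
                exfil = [f for f in later if f.server == server and f.method == "POST"
                         and len(f.body) >= exfil_bytes]
                if exfil:
                    chain["exfiltration"] = (exfil[0].ts, server, len(exfil[0].body))
        chains.append(chain)
    return chains

# Constructed sample capture: one infected client (10.0.0.5), one clean one (10.0.0.9).
_rng = random.Random(7)
_blob = bytes(_rng.getrandbits(8) for _ in range(4096))   # stands in for a custom-encrypted EXE
SAMPLE_FLOWS = [
    Flow(0.0, "10.0.0.5", "news.example", 80, "GET", "/", "text/html",
         b'<html><script>var s=unescape("%u0c0c%u0c0c");while(s.length<0x40000)s+=s;</script>'),
    Flow(5.0, "10.0.0.5", "cdn-static.example", 80, "GET", "/logo.gif", "image/gif", _blob),
    Flow(900.0, "10.0.0.5", "c2.example", 80, "POST", "/upload", "application/octet-stream", b"Z" * 150_000),
    Flow(0.0, "10.0.0.9", "news.example", 80, "GET", "/", "text/html", b"<html><body>Headlines</body></html>"),
    Flow(3.0, "10.0.0.9", "cdn-static.example", 80, "GET", "/real.png", "image/png", b"\x89PNG\r\n\x1a\n" + _blob),
] + [Flow(60.0 * i, "10.0.0.5", "c2.example", 80, "POST", "/update",
          "application/x-www-form-urlencoded", b"id=4f2a&st=1") for i in range(1, 5)]
```

reconstruct(SAMPLE_FLOWS) returns one chain for 10.0.0.5 carrying all four stages; the clean host 10.0.0.9, whose PNG really starts with the PNG magic, produces nothing. The stage-2 test is what the slide's "not SSL!" remark points at: the malware is custom-encrypted but travels over cleartext HTTP, so its bytes look random while its declared type does not match them, and that mismatch is visible on the wire.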

Page 12: Multi-Vector Structure of APT Attack: Weaponized Email with Zero-Day Exploit (e.g. RSA)

1. Email with weaponized document, opened by user, causing exploit
2. Client endpoint calls back to infection server
3. Backdoor DLL dropped
4. Encrypted callback over HTTP to command and control server

[Diagram: Weaponized Email ("2011 Recruitment Plan.xls"), Callback Server, Backdoor, C&C Server]

Page 13: Traditional “Defense in Depth” is failing

• Firewalls/NGFW
• Secure Web Gateways
• IPS
• Anti-Spam Gateways
• Desktop AV

The New Breed of Attacks Evade Signature-Based Defenses

Page 14: Accelerating the Detection to Forensics Workflow

1. Real-time Detection: signature-less virtual machine-based approach to identify the attack lifecycle
2. Validation & Containment: on and off-premise endpoint validation and containment
3. Forensics, connecting the dots across time: kill chain reconstruction to determine the scope and impact of a threat

Page 15: Virtual Machine-Based Model of Detection

Purpose-Built for Security:
• Hardened Hypervisor
• Multi-flow
• Multi-vector
• Scalable
• Extensible

Security Reimagined: finds known/unknown cyber-attacks in real time across all attack vectors

Page 16: FireEye Technology: Scaling the MVX

[Bar chart, "Real world line rate (objects/hour)", y-axis 0 to 400,000, one bar each for HTML, JavaScript, Flash, Office and ZIP, EXE and DLL, PDF]

HTML and JavaScript form 95% of objects to be scanned on the wire.

APT web attacks are nearly invisible needles in a haystack of network traffic.

• Phase 1: MVX Line Rate Intelligent Capture (1M+ objects/hour)
• Phase 2: MVX Core (Detonation), multi-flow virtual analysis
• Together: reduce false positives, reduce false negatives
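Phase 1 above is a triage problem: nearly everything on the wire is HTML or JavaScript, and only a small fraction deserves a virtual-machine run. As an added example that is not FireEye's MVX or its capture logic, the Python below scores each captured object with cheap static features and returns the subset to hand to detonation together with the funnel statistics. The feature set, the weights, the threshold and the five sample objects are assumptions made for illustration.

```python
"""Phase-1 triage in front of a detonation engine. Added example, not FireEye's MVX:
the feature set, weights, threshold and the sample objects are all assumptions made
for illustration. Goal: spend cheap static checks on every web object so that only a
small fraction of the HTML/JavaScript stream is handed to a virtual-machine run."""
import math
import random
import re
from collections import Counter

# Cheap features that separate packed/obfuscated exploit-kit pages from ordinary web content.
SUSPICIOUS_CALLS = re.compile(rb"(eval|unescape|String\.fromCharCode|Function|ActiveXObject|document\.write)\s*\(")
ESCAPES = re.compile(rb"%u[0-9a-fA-F]{4}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")
LONG_TOKEN = re.compile(rb"[A-Za-z0-9+/=]{200,}")          # packed / base64-like blobs
PLUGIN_OBJECT = re.compile(rb"<(object|embed|applet)\b[^>]*\.(swf|pdf|jar|class)\b", re.I)

def entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def features(obj: bytes) -> dict:
    """Static features, all linear in the object size so they can run at line rate."""
    n = max(len(obj), 1)
    return {
        "calls": len(SUSPICIOUS_CALLS.findall(obj)),
        "escapes_per_kb": len(ESCAPES.findall(obj)) * 1000 / n,
        "long_tokens": len(LONG_TOKEN.findall(obj)),
        "plugin_object": PLUGIN_OBJECT.search(obj) is not None,
        "entropy": entropy(obj),
    }

def score(fv: dict) -> float:
    """Weighted sum; the weights are assumptions, tune them against your own false-positive budget."""
    s = 2.0 * min(fv["calls"], 3)                   # eval/unescape chains
    s += 3.0 if fv["escapes_per_kb"] > 20 else 0.0  # %uXXXX heap-spray / shellcode strings
    s += 2.0 * min(fv["long_tokens"], 2)            # packed payload blobs
    s += 4.0 if fv["plugin_object"] else 0.0        # plugin content is rare and exploit-prone: always detonate
    s += 1.5 if fv["entropy"] > 5.5 else 0.0        # packed script is denser than prose
    return s

def triage(objects: dict, threshold: float = 4.0):
    """Return (ids to detonate, funnel stats). `objects` maps an object id to its raw bytes."""
    picked = [oid for oid, blob in objects.items() if score(features(blob)) >= threshold]
    seen = len(objects)
    stats = {"seen": seen, "detonate": len(picked),
             "reduction_pct": round(100.0 * (1 - len(picked) / seen), 1) if seen else 0.0}
    return picked, stats

# Constructed sample objects (not real captures).
_spray = (b'<script>var s=unescape("' + b"%u0c0c" * 64 + b'");while(s.length<0x40000)s+=s;'
          b'var p=unescape("%uc931%ue983%ud9ee");eval(String.fromCharCode(100,111,99));</script>')
_rng = random.Random(3)
SAMPLE_OBJECTS = {
    "benign-html": b'<html><head><title>News</title></head><body><p>Hello world</p>'
                   b'<script src="/app.js"></script></body></html>',
    "benign-minified-js": b'!function(e){var t=document.getElementById("a");t.innerHTML=e}("ok");',
    "obfuscated-js": _spray,
    "flash-object-page": b'<html><body><object type="application/x-shockwave-flash" data="movie.swf" '
                         b'width="1" height="1"></object></body></html>',
    "binary-image": bytes(_rng.getrandbits(8) for _ in range(2048)),
}
```

On the constructed sample, triage(SAMPLE_OBJECTS) keeps the heap-spray script and the page embedding a Flash object and drops the three benign objects, a 60% reduction before anything is executed. The scoring is deliberately biased toward false positives: the cost of a wrongly detonated object is CPU time in phase 2, while the cost of a skipped exploit is the whole chain on page 7.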

Page 17: FireEye Technology: Inside the MVX

1. FireEye Hardened Hypervisor, running on the hardware: custom hypervisor with built-in countermeasures, designed for threat analysis

Page 18: FireEye Technology: Inside the MVX (continued)

2. Massive cross matrix of virtual executions (Cross-Matrix Virtual Execution on the hardened hypervisor): multiple operating systems, multiple service packs, multiple applications, multiple application versions

Page 19: FireEye Technology: Inside the MVX (continued)

3. Threat protection at scale: a control plane over >2000 simultaneous execution environments (application versions v1, v2, v3 ...), with multi-flow analysis

Page 20: Client-side vs. Server-side Attacks

FireEye’s Web detection is great, BUT ... there are a number of threats that the FireEye solution does not address well:

– Unauthorized access
– Data Resource Theft
– Malformed Packets
– SQL Injection
– Packet Flooding
– Cross-Site Scripting
– DDOS

Page 21: FireEye IPS

• Improve correlation between known and unknown threats to increase threat protection and reduce costs
• Consolidated threat defense: integrate threat prevention for known and unknown threats, leveraging the MVX engine to provide timely and accurate notifications
• Threat validation: validate attacks using the MVX engine so time and resource investments are not spent on filtering down the noise
• Actionable insights: correlate known and unknown threats and derive richer threat intelligence to speed up incident response

• It allows NX to compete in both the APT and IPS market segments
• It supports custom IPS Snort rules, which are widely used in the market for compliance
• It provides both client- and server-side IPS protection for known attacks
• It provides the CVE ID for known attacks that have been detected by MVX
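Custom Snort rules give the IPS its "known attack" side, and the same rule syntax shows why page 13 says signature-based defenses miss the new breed of attacks. As an added example, not FireEye's IPS engine and not taken from any published ruleset, the Python below parses a small subset of the Snort rule language and runs two constructed rules over constructed payloads, including a trivially obfuscated variant of the heap-spray page that the content signature no longer matches. Supported syntax, rule text, sids and payloads are all assumptions made for the example.

```python
"""Matcher for a small subset of Snort rule syntax. Added example, not FireEye's IPS
engine or any published ruleset: the rules and the packet payloads below are
constructed. Supported: 'alert <proto> <src> <sport> -> <dst> <dport> (...)' with
msg, content (several; '|..|' hex segments; optional nocase), sid and rev options."""
import re
from dataclasses import dataclass, field

HEADER = re.compile(r"^(?P<action>alert|drop|pass)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
                    r"\s*->\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$", re.S)

@dataclass
class Rule:
    action: str
    proto: str
    sport: str
    dport: str
    msg: str = ""
    sid: int = 0
    rev: int = 1
    contents: list = field(default_factory=list)   # [(pattern bytes, nocase bool), ...]

def unescape_content(s: str) -> bytes:
    """Snort content: ASCII text with |hh hh| hex segments, e.g. 'Host:|20|x|0d 0a|'."""
    parts = s.split("|")
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode() for i, p in enumerate(parts))

def parse_rule(text: str) -> Rule:
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("unsupported rule header: %r" % text[:40])
    rule = Rule(m["action"], m["proto"], m["sport"], m["dport"])
    # Options are ';'-separated key:value pairs; assumes no ';' inside quoted values.
    for opt in (o.strip() for o in m["opts"].split(";")):
        if not opt:
            continue
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "msg":
            rule.msg = val
        elif key == "content":
            rule.contents.append((unescape_content(val), False))
        elif key == "nocase" and rule.contents:        # modifier applies to the preceding content
            pat, _ = rule.contents[-1]
            rule.contents[-1] = (pat, True)
        elif key == "sid":
            rule.sid = int(val)
        elif key == "rev":
            rule.rev = int(val)
    return rule

def _port_ok(spec: str, port: int) -> bool:
    return spec == "any" or spec == str(port)

def matches(rule: Rule, sport: int, dport: int, payload: bytes) -> bool:
    """All content patterns must occur somewhere in the payload (no distance/within here)."""
    if not (_port_ok(rule.sport, sport) and _port_ok(rule.dport, dport)):
        return False
    lowered = payload.lower()
    return all((lowered.find(pat.lower()) if nocase else payload.find(pat)) >= 0
               for pat, nocase in rule.contents)

def scan(rules, events: dict) -> dict:
    """events: name -> (sport, dport, payload). Returns name -> [sid, ...] of firing rules."""
    return {name: [r.sid for r in rules if matches(r, sp, dp, pl)]
            for name, (sp, dp, pl) in events.items()}

# Constructed rules in the local sid range, and constructed payloads.
RULES = [parse_rule(t) for t in (
    'alert tcp any 80 -> any any (msg:"LOCAL heap-spray NOP sled in HTTP response"; '
    'content:"unescape("; nocase; content:"%u0c0c%u0c0c"; sid:1000001; rev:1;)',
    'alert tcp any any -> any 80 (msg:"LOCAL beacon POST to known callback host"; '
    'content:"POST /update"; content:"|0d 0a|Host: c2.example"; sid:1000002; rev:1;)',
)]
EVENTS = {
    "spray":         (80, 51000, b'<script>var s=unescape("%u0c0c%u0c0c");while(s.length<0x40000)s+=s;</script>'),
    "spray_upper":   (80, 51001, b'<script>var s=UNESCAPE("%u0c0c%u0c0c");</script>'),
    "spray_evasion": (80, 51002, b'<script>var u=window["unesc"+"ape"];var s=u("%u0c0c"+"%u0c0c");</script>'),
    "beacon":        (51003, 80, b"POST /update HTTP/1.1\r\nHost: c2.example\r\nContent-Length: 4\r\n\r\nid=1"),
    "benign":        (80, 51004, b"<html><body>Welcome</body></html>"),
}
```

scan(RULES, EVENTS) fires sid 1000001 on the plain and upper-case spray pages (the nocase modifier) and sid 1000002 on the beacon POST, but nothing on the string-concatenated variant: identical behaviour once the browser runs it, a different byte sequence on the wire. That gap between bytes and behaviour is what the MVX verdict is meant to close, and the CVE ID the IPS attaches to a known hit is what makes the verdict actionable.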

Page 22: The Objective: “Continuous Threat Protection”

[Graphic: REALTIME; Time to Detect, Time to Fix; Prevent & Investigate. Costs that grow with delay: Theft of Assets & IP, Cost of Response, Disruption to Business, Reputation Risk]

nPulse: Full Real-time Enterprise Forensics

Page 23: FireEye Product Portfolio: Powered by MVX

[Diagram: MVX at the core, with Dynamic Threat Intelligence and the Threat Analytics Platform; products Network Threat Prevention, Email Threat Prevention, Content Threat Prevention, Endpoint Threat Prevention, Mobile Threat Prevention; legacy controls shown alongside: SEG, IPS, SWG, MDM, Host Anti-virus]

Page 24: FireEye and Mandiant Services Portfolio

Security Consulting Services:
• Proactive Threat and Vulnerability Assessments
• Incident Response
• Strategic Consulting and Security Program Assessments

Subscription Services and Product Support:
• FireEye Managed Defense
• Product Support Services

Page 25: Mandiant and Cloud offerings: Reference Architecture and Strategic Integrations

[Diagram: MVX functions (Virtual Machine Detonation, Forensic Analysis, Real Time Alerts, Call Back Detection, Exploit Detection, Remediate Threats) surrounded by partner categories Mobility, Instrumentation, Endpoint, Mitigation, Analysis/SIEM]

FireEye Technology Alliances
• Instrumentation partners: ease of implementation and high availability for Layers 1-3
• Endpoint partners: verification and remediation of threats through incident response processes
• Analysis / SIEM partners: data correlation analytics, policy and compliance management
• Mitigation partners: augmenting and enhancing FireEye remediation capabilities, real time policy creation and blocking across the architecture
• Mobility partners: mitigating against mobile based threats for BYOD environments with MDMs
• Acceleration partners: top partners in the Fuel Technology Program

“FireEye technology partnerships are great. They fill in the gaps other vendors can’t match. FireEye, with its partners, offers a formidable defense.” – OTR Global Report 2013

For Partner & Field Confidential Only

Page 26: FireEye Platform: Products & Services Portfolio

Services:
• Mandiant Incident Response, Vulnerability Assessment and Penetration Testing
• Strategic Services: Response Readiness and Security Program Assessment
• Product Deployment and Integration
• Advanced Services
• Managed Defense: Continuous Protection, Continuous Monitoring

Managed Defense Services Portfolio / Support Services:
• Platinum (24x7, Global)
• Platinum Priority Plus (DSE)
• Gov’t. Support (Citizens)
• Gov’t Classified – Planned (Clearances, Secured Facility; start in U.S. and expand internationally)

Products:
• Network (NX) - IPS
• Email (EX)
• Content (FX)
• Endpoint (HX)
• Central Manager (CM)
• Mobile (MTP)
• Cloud Email (ETP)
• Forensics (AX)
• Threat Analytics Platform (TAP)
• Network Forensics (CPX)

Page 27: Thank You

Security Reimagined