Copyright (c) 2012, FireEye, Inc. All rights reserved. | CONFIDENTIAL 1 Next Generation Threat Protection Randy Lee– Sr. SE Manager

Upload: stanley-blankenship

Post on 17-Dec-2015


TRANSCRIPT

Page 1

Next Generation Threat Protection

Randy Lee – Sr. SE Manager

Page 2

The Acceleration of Advanced Targeted Attacks

• # of threats are up 5X

• Nature of threats changing

  – From broad, scattershot to advanced, targeted, persistent

• Advanced attacks accelerating

  – High profile victims common (e.g., RSA, Symantec, Google)

  – Numerous APT attacks like Operation Aurora, Shady RAT, GhostNet, Night Dragon, Nitro

“Organizations face an evolving threat scenario that they are ill-prepared to deal with… advanced threats that have bypassed their traditional security protection techniques and reside undetected on their systems.”

Gartner, 2012

[Figure: timeline of attack evolution, x-axis 2004 to 2012, y-axis “Damage of Attacks”. Threat types by era: Viruses, Worms (Disruption); Spyware/Bots, Stealth Bots (Cybercrime); Dynamic Trojans, Targeted Attacks, Zero-day, Advanced Persistent Threats (Cyber-espionage and Cybercrime).]

Page 3

High Profile Attacks are Increasingly Common

Coke Gets Hacked And Doesn’t Tell Anyone

By Ben Elgin, Dune Lawrence & Michael Riley - Nov 4, 2012 6:01 PM ET

Hackers had broken into the company’s computer systems and were pilfering sensitive files about its attempted $2.4 billion acquisition of China Huiyuan Juice Group (1886), according to three people familiar with the situation and an internal company document detailing the cyber intrusion. The Huiyuan deal, which collapsed three days later, would have been the largest foreign takeover of a Chinese company at the time.

Page 4

We are Only Seeing the Tip of the Iceberg

Headline Grabbing Attacks

Thousands More Below the Surface

• APT Attacks

• Zero-Day Attacks

• Polymorphic Attacks

• Targeted Attacks

Page 5

Traditional Defenses Don’t Work

Advanced attacks bypass both signature and heuristics-based technologies in existing IT security defenses

Networks Are Being Compromised as APTs Easily Bypass Traditional Signature-Based Defenses Like NGFW, IPS, AV, and Gateways

Page 6


Defining Advanced Targeted Attacks

• Utilizes advanced techniques and/or malware

  – Unknown

  – Targeted

  – Polymorphic

  – Dynamic

  – Personalized

• Uses zero-day exploits, commercial quality toolkits, and social engineering

• Often targets IP and credentials, and often spreads laterally throughout the network

• AKA Advanced Persistent Threat (APT)

[Slide graphic: Advanced Targeted Attack vs. Traditional]

  ADVANCED: Stealthy; Unknown and Zero Day; Targeted; Persistent

  TRADITIONAL: Open; Known and Patchable; Broad; One Time

The New Threat Landscape

There is a new breed of attacks that are advanced, zero-day, and targeted

Page 7

Advanced Malware Infection Lifecycle

1. System gets exploited

  – Drive-by attacks in casual browsing

  – Links in targeted emails

  – Attachments in targeted emails

2. Dropper malware installs

  – First step to establish control

  – Calls back out to criminal servers

  – Found on compromised sites, and Web 2.0, user-created content sites

3. Malicious data theft & long-term control established

  – Uploads data stolen via keyloggers, Trojans, bots, & file grabbers

  – One exploit leads to dozens of infections on the same system

  – Criminals have built long-term control mechanisms into the system

[Diagram labels: Compromised Web server, or Web 2.0 site; Callback Server; Perimeter Security (signature, rule-based); Other gateway (list-based, signatures); Desktop antivirus (losing the threat arms race); Anti-spam; DMZ; Email Servers.]

Page 8

Malware Analysis

• What types of Malware Analysis should you do?

[Diagram: Malware Analysis taxonomy]

  Static Analysis: Signature; Heuristics

  Dynamic Analysis: Discrete Object analysis; Contextual Analysis

Page 9

Case Study: Operation Aurora Infection Cycle

1. System gets exploited

  – Social engineering

  – Obfuscated JavaScript code

  – Exploited IE 6 zero-day vulnerability

2. Web server delivers malware

  – Servers mapped by dynamic DNS

  – XOR encoded malware EXE delivered

  – No signatures

3. Malware calls home & long-term control established

  – Complete control of infected system

  – Further payloads downloaded

  – C&C located in Taiwan

  – Using outbound port 443 (SSL)

[Diagram labels: Desktop antivirus (losing the threat arms race); Malicious Web server; Callback Server.]

Page 10

Captured Aurora on Day Zero

Signature-less detection of zero-day attack

[Screenshots: decryption routine for “a.exe”; malicious binary download posing as JPG]
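A defender-side check in the spirit of the Aurora capture above, added here as an example and not FireEye's code: it flags a download served as image/jpeg that lacks a JPEG header and, by trying the 256 single-byte XOR keys, reveals a hidden PE header. The single-byte XOR scheme is an assumption (the deck only says the EXE was XOR encoded), and the sample PE blob is constructed inline.

```python
"""Flag a download labelled image/jpeg that is really an XOR-encoded PE executable.
Added example, not FireEye's code: the deck says Aurora's EXE was XOR encoded and
posed as a JPG; the single-byte key and the sample blob are constructed here."""
from typing import Optional

JPEG_MAGIC = b"\xff\xd8\xff"
MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\x00\x00"

def looks_like_jpeg(data: bytes) -> bool:
    return data.startswith(JPEG_MAGIC)

def is_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or not data.startswith(MZ_MAGIC):
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == PE_MAGIC

def xor_single_byte(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def find_xor_key(data: bytes) -> Optional[int]:
    """Try all 256 single-byte keys; return the one that reveals a PE, else None."""
    for key in range(256):
        if is_pe(xor_single_byte(data, key)):
            return key
    return None

def classify_download(content_type: str, data: bytes) -> str:
    """'clean' (real JPEG), 'hidden_pe:<key>' (XOR-encoded PE), 'mismatch' or 'unknown'."""
    ctype = content_type.lower()
    if ctype == "image/jpeg" and looks_like_jpeg(data):
        return "clean"
    key = find_xor_key(data)
    if key is not None:
        return f"hidden_pe:{key:#04x}"
    return "mismatch" if ctype.startswith("image/") else "unknown"

def build_sample_pe() -> bytes:
    """Constructed header-only PE blob for the demo; it is not executable code."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40-byte DOS header
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")    # e_lfanew -> PE signature
    return bytes(hdr) + PE_MAGIC + b"\x00" * 20

if __name__ == "__main__":
    disguised = xor_single_byte(build_sample_pe(), 0x55)
    print(classify_download("image/jpeg", disguised))            # hidden_pe:0x55
    print(classify_download("image/jpeg", JPEG_MAGIC + b"\x00"))  # clean
```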

Page 11

Captured Aurora on Day Zero

[Screenshots: decryption complete, MD5 of Hydraq.Trojan; Hydraq callback captured]

Page 12

Requirements for APT Detection / Protection

1. Dynamic defenses to stop targeted, zero-day attacks

2. Real-time protection to block data exfiltration attempts

3. Accurate, low false positive rates

4. Global intelligence on advanced threats to protect the local network

Page 13

Who is Iron Bow Technologies

CORPORATE

• Over $825M in Revenue

• HQ in Chantilly, VA

• National Sales and Engineering Presence

• ISO 9001:2008 Certified for the Chantilly, VA, Largo, MD, and Kent, WA locations

PEOPLE

• 350+ Employees

• More than 85% of Services Delivery Personnel Possess Government Clearances

• PMP and ITIL Professionals

• Skilled Pre-sales and Post-sales Engineers with Top-tier Certifications

TECHNOLOGY MARKETS

• Commercial

• Department of Defense

• Federal Civilian

• Intelligence

• Strategic Manufacturer Partnerships

• Practice Disciplines: Cloud Computing; Collaboration; Data Center; Information Security; Secure Mobility; Network Infrastructure

Page 14

Past Performance

Customer/Project | Iron Bow Technologies Activities

Activities:

– Delivered a multi-vendor solution supporting the Army Top Layer Architecture (TLA). Solution provides IPS, firewall, web content filtering, and real-time forensic monitoring capabilities in a single integrated architecture.

– Architected and deployed a multi-factor authentication pilot to support worldwide access to critical business applications and information. The pilot involved critical integration points to core network services and expert knowledge transfer to enable local customer resources to expand the program after the pilot, saving thousands in future services.

– Developed a solution to secure more than 2,000 mobile computing devices. Solution provided local device security hardening and centralized management across multiple computing tablet devices.

– Designed a solution to address web content filtering, application whitelisting, antivirus, and end-point security throughout the 128-site enterprise. The solution included centralized management of the entire security platform from a single console.

Customers/Projects: Black Entertainment Television; Booz Allen Hamilton; U.S. Army NETCOM; Job Corps

Page 15

Thank You