TRANSCRIPT

Page 1

EMAIL THREAT PREVENTION (ETP)
EMAIL DETONATION ENGINE WITH ANTIVIRUS AND ANTISPAM CAPABILITIES
ETP SUPPORTS O365 AND GMAIL
TECHNICAL OVERVIEW

Copyright © FireEye, Inc. All rights reserved.

Page 2

WHY FIREEYE

• FireEye founded by Ashar Aziz, 2004
• Mandiant founded by Kevin Mandia, 2004
• iSight Partners founded by John Watters, 2006
• Went public, 2013
• Issued the APT1 Report, 2013
• Acquired Mandiant, December 2013
• Awarded SAFETY Act Certification by the Department of Homeland Security (1st cyber security company)
• 3,700 customers
• 67 countries
• 675 of the Fortune Global 2000
• $1B+ cash on balance sheet

Page 3

Effective Detection and Blocking of Spear Phishing Emails

• Executes email attachment(s) in a virtual machine (MVX) to detect hidden malware
• 30+ file types supported
• Detects and blocks malicious URLs by leveraging FireEye Threat Intelligence and data from the entire FireEye ecosystem

Page 4

MVX: MULTI-VECTOR AND MULTI-FLOW THREAT DETECTION AND PREVENTION ENGINE

• Low false positives
• High accuracy (low false negatives)
• 28 of 53 zero-days discovered by FireEye with this technology
• Deployed inline to immediately block threats
• Detonation in multiple Windows and OS X environments
• Flows or files are tested against multiple versions of the same application
• Purpose-built, security-hardened hypervisor
• Multi-flow, multi-vector
• Scalable, extensible

Page 5

Actionable Context with Advanced Threat Intelligence (ATI)

• Risk Level
• Attribution
• Mitigation
• Kill Chain

Page 6

Broader Protection with Dynamic URL Analysis

1. EX extracts the URL from the email
2. EX analyzes the URL to determine whether it points to a file
3. EX retrieves the file and performs dynamic analysis in MVX
4. If the file is malicious, the email is quarantined

The diagram's example: a link http://example.com/clickme in the email that leads to http://example.com/afile.pdf on the Internet.
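Added example, not FireEye code: the four steps above reduced to their non-proprietary core. It parses a constructed message, pulls URLs from both the text and HTML parts, and decides which ones point at a file worth fetching and detonating, using the path extension as a cheap first signal and the server's Content-Type as the decisive one. The message, the extension list and the Content-Type table (a stand-in for the HEAD request a real implementation would issue) are assumptions.

```python
"""Added example, not FireEye code: extract URLs from a message and pick the
ones that point at a file worth fetching and detonating. The message, the
extension list and the Content-Type table are constructed assumptions."""
import email
import re
from email import policy
from urllib.parse import urlsplit

# Constructed sample message: a text part and an HTML part with the same link.
RAW_MESSAGE = b"""From: sender@example.com
To: victim@example.org
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Please review http://example.com/afile.pdf and http://example.com/clickme
--b1
Content-Type: text/html; charset=utf-8

<html><body><a href="http://example.com/clickme">Click me</a>
<a href="https://example.com/docs/report.docx?dl=1">Report</a></body></html>
--b1--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
# Assumed list of extensions the sandbox treats as detonable attachments.
FILE_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".exe", ".zip", ".7z", ".js"}
# Constructed stand-in for the Content-Type a HEAD request (redirects followed)
# would return; a real implementation performs the request.
HEAD_CONTENT_TYPE = {
    "http://example.com/clickme": "text/html; charset=utf-8",
    "http://example.com/afile.pdf": "application/pdf",
    "https://example.com/docs/report.docx?dl=1": "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
}


def extract_urls(raw):
    """Unique URLs from every text/plain and text/html part, in first-seen order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        body = part.get_content()
        urls = HREF_RE.findall(body) if ctype == "text/html" else []
        urls += URL_RE.findall(body)          # bare URLs in either part type
        for u in urls:
            u = u.rstrip(".,;)")              # trailing punctuation is not part of the link
            if u not in found:
                found.append(u)
    return found


def points_to_file(url, content_type=None):
    """Cheap signal first (path extension), then the server's own answer
    (anything that is not text/* is treated as a download)."""
    path = urlsplit(url).path.lower()
    if any(path.endswith(ext) for ext in FILE_EXTENSIONS):
        return True
    return bool(content_type) and not content_type.startswith("text/")


def select_for_detonation(raw, head_lookup):
    """URLs whose target is a file: these are retrieved and run in the sandbox."""
    return [u for u in extract_urls(raw) if points_to_file(u, head_lookup.get(u))]


if __name__ == "__main__":
    for u in select_for_detonation(RAW_MESSAGE, HEAD_CONTENT_TYPE):
        print("detonate:", u)
```

The extension check alone is not enough: a link with no extension (the clickme URL) can still serve a PDF, so the decisive test is what the server actually returns, and the fetch must follow redirects the way a victim's browser would.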

Page 7

Deeper Protection with FireEye Advanced URL Defense (FAUDE)

1. EX checks FireEye Threat Intelligence (DTI) to see whether a suspicious URL is already known to be malicious
2. Unknown URLs are submitted to Deep URL Analysis (MVX)
3. The URL is rewritten and the email delivered to prevent delays (inline deployments only); in the diagram http://example.com/clickme becomes https://protect.fireeye.com/url?abc
4. On link click, the end user is redirected to the Malicious URL Lookup Server
5. Based on the result of the lookup, URL access is either allowed, warned or blocked

Note: Advanced URL Defense requires a two-way threat intel subscription
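Added example, not FireEye code, of steps 3 to 5: links are rewritten at delivery to point at a lookup server, and the verdict is decided when the user clicks. The protect host, signing key and verdict tables are assumptions. The check a practitioner wants here is the signature: the rewritten link carries an HMAC over the original URL, so the lookup server only ever redirects to URLs it signed itself and cannot be turned into an open redirector by anyone who learns the rewrite format.

```python
"""Added example, not FireEye code: steps 3 to 5 of the slide. Links are
rewritten at delivery to point at a lookup server; the verdict is decided when
the user clicks. Protect host, secret and verdict tables are assumptions."""
import base64
import binascii
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlsplit

PROTECT_HOST = "https://protect.example.net/url"      # assumed rewrite endpoint
SECRET = b"per-tenant-key-kept-out-of-source"         # assumed signing key
HREF_RE = re.compile(r"""(href\s*=\s*["'])([^"']+)(["'])""", re.IGNORECASE)


def _sign(url_bytes):
    return hmac.new(SECRET, url_bytes, hashlib.sha256).digest()[:16]


def _b64(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(url):
    """base64url(url).base64url(HMAC): opaque to the recipient, verifiable by the server."""
    raw = url.encode()
    return _b64(raw) + "." + _b64(_sign(raw))


def parse_token(token):
    """Original URL, or None if the token was forged or tampered with."""
    try:
        u, sig = token.split(".", 1)
        raw, tag = _unb64(u), _unb64(sig)
    except (ValueError, binascii.Error):
        return None
    return raw.decode() if hmac.compare_digest(tag, _sign(raw)) else None


def rewrite_html(html):
    """Point every http(s) href at the lookup server, carrying the signed token."""
    def repl(m):
        target = m.group(2)
        if not target.lower().startswith(("http://", "https://")):
            return m.group(0)                 # leave mailto:, tel:, anchors alone
        return m.group(1) + PROTECT_HOST + "?t=" + make_token(target) + m.group(3)
    return HREF_RE.sub(repl, html)


# Constructed verdict sources: what intel knew at delivery plus what deep
# analysis concluded afterwards. Unknown stays unknown until analysed.
KNOWN_MALICIOUS = {"http://example.com/clickme"}
KNOWN_BENIGN = {"https://www.example.org/"}


def click(rewritten_url):
    """Lookup-server decision at click time: ('allow'|'warn'|'block', original)."""
    qs = parse_qs(urlsplit(rewritten_url).query)
    original = parse_token(qs.get("t", [""])[0])
    if original is None:
        return ("block", None)               # never redirect to an unsigned URL
    if original in KNOWN_MALICIOUS:
        return ("block", original)
    if original in KNOWN_BENIGN:
        return ("allow", original)
    return ("warn", original)                # unknown: interstitial, not a silent hop
```

Because the verdict is looked up at click time rather than fixed at delivery, a URL that was unknown when the mail arrived and was later found malicious by deep analysis is still blocked when the user eventually clicks it.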

Page 8

Reduced Evasion with Password Protected File Analysis

• Protects against the common evasion technique of password-protecting PDF and MS Office files in email attachments
• Identifies potential password candidates within the email body
• Determines the password based on the PDF and the password candidates
• Supports detection of English, Asian and Cyrillic passwords
• Supports the ability to decrypt password-protected .7z archive files and base64-encoded files
• Allows customers to add/remove custom password candidates
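Added example, not FireEye code: harvest password candidates from the message body (Latin, Cyrillic and CJK tokens, with administrator-supplied candidates first) and try them in rank order against the attachment. The standard library cannot open 7z or encrypted PDF, so the attachment here is a constructed PBKDF2/HMAC-sealed container standing in for the real archive; the label words, the ranking heuristics and the custom list are assumptions.

```python
"""Added example, not FireEye code: harvest password candidates from the
message body and try them against a password-protected attachment. Stdlib
cannot open 7z or encrypted PDF, so the attachment is a constructed
PBKDF2/HMAC-sealed container standing in for the real archive."""
import hashlib
import hmac
import os
import re
import unicodedata

# Assumed label words that commonly precede a password in the body.
LABELS = ("password", "pass", "pwd", "пароль", "密码", "パスワード")
TOKEN_RE = re.compile(r"[\w!@#$%^&*\-+=.]{3,40}")


def password_candidates(body, custom=()):
    """Rank: customer-supplied candidates, then tokens following a label word,
    then any other token containing a digit or symbol."""
    body = unicodedata.normalize("NFKC", body)   # fold full-width punctuation etc.
    ranked, seen = [], set()

    def add(tok):
        if tok and tok not in seen:
            seen.add(tok)
            ranked.append(tok)

    for tok in custom:
        add(tok)
    tokens = TOKEN_RE.findall(body)
    for i, tok in enumerate(tokens):
        if tok.lower().rstrip("=") in LABELS and i + 1 < len(tokens):
            add(tokens[i + 1].strip(".,;:\"'"))
    for tok in tokens:
        if re.search(r"[\d!@#$%^&*\-+=]", tok) and tok.lower() not in LABELS:
            add(tok.strip(".,;:\"'"))
    return ranked


def seal(data, password):
    """Constructed stand-in for an encrypted archive: PBKDF2-derived keys, a
    keystream XOR, and an HMAC tag that a wrong password fails to verify."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20000, dklen=64)
    stream = hashlib.shake_256(key[:32] + salt).digest(len(data))
    ct = bytes(a ^ b for a, b in zip(data, stream))
    tag = hmac.new(key[32:], ct, hashlib.sha256).digest()
    return salt + tag + ct


def open_sealed(blob, password):
    """Plaintext, or None when the password does not verify."""
    salt, tag, ct = blob[:16], blob[16:48], blob[48:]
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20000, dklen=64)
    if not hmac.compare_digest(tag, hmac.new(key[32:], ct, hashlib.sha256).digest()):
        return None
    stream = hashlib.shake_256(key[:32] + salt).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


def crack_attachment(blob, body, custom=()):
    """Try each candidate in rank order; return (password, plaintext) or None."""
    for cand in password_candidates(body, custom):
        pt = open_sealed(blob, cand)
        if pt is not None:
            return cand, pt
    return None
```

For a real PDF, Office or 7z file the same loop applies with the archive library's open call in place of open_sealed; the candidate list is what matters, since an attacker who states the password in the body is handing the sandbox the key.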

Page 9

Defend Individual Logins with Credential Harvesting Protection

• Utilizes URL analysis, message content analysis, image recognition and HTML emulation to detect and stop sophisticated credential-phishing attacks

Scenario shown: the initial URL is not malicious; the form's 'POST' action is malicious; user credentials are compromised.
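Added example, not FireEye code, for the scenario above: the landing page itself is clean, so the check has to look at where the page's form sends what it collects. It parses constructed HTML, finds forms with a password field, and flags any whose submit target leaves the page's own registrable domain or drops to plain HTTP. The page URL, HTML and the two-label domain rule are assumptions (a production implementation would use the Public Suffix List).

```python
"""Added example, not FireEye code: the landing page may be clean, so inspect
the form it submits. Flag forms that collect a password and POST it outside
the page's own registrable domain or over plain HTTP. HTML is constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect (action, method, input fields) for every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "",
                         "method": (a.get("method") or "get").lower(),
                         "fields": []}
        elif tag == "input" and self._cur is not None:
            self._cur["fields"].append(((a.get("type") or "text").lower(), a.get("name") or ""))

    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append(self._cur)
            self._cur = None


def registrable(host):
    """Crude eTLD+1 (last two labels); assumption standing in for the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def analyze_page(page_url, html):
    """Findings for every password-collecting form whose target is suspicious."""
    p = FormCollector()
    p.feed(html)
    p.close()
    if p._cur is not None:                   # unclosed <form>: still a form
        p.forms.append(p._cur)
    page_host = urlsplit(page_url).hostname or ""
    findings = []
    for f in p.forms:
        if not any(t == "password" for t, _ in f["fields"]):
            continue
        target = urljoin(page_url, f["action"] or page_url)   # empty action posts to self
        t = urlsplit(target)
        reasons = []
        if registrable(t.hostname or "") != registrable(page_host):
            reasons.append("cross-domain post to " + (t.hostname or "?"))
        if t.scheme != "https":
            reasons.append("credentials posted without TLS")
        if reasons:
            findings.append({"action": target, "method": f["method"], "reasons": reasons})
    return findings
```

Static parsing catches the common kit; forms built or retargeted by JavaScript at submit time are why the slide lists HTML emulation alongside it.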

Page 10

Reduce Spoofing with Detection of "Like but not Equal" Domains

• Inside an email there are links that are not malicious in themselves but can be phishing attacks, where the domain name has been altered to look like a well-known domain
• Implemented for both sender domains and URLs
• Example: weIIsfargo.com vs wellsfargo.com (the two characters after "we" are capital i's, not lowercase L's)
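Added example, not FireEye code: one way to implement the check for both sender domains and link hosts. It folds each domain to a "skeleton" (punycode decoded, NFKC-normalized, visually confusable characters mapped to a canonical letter) and compares that against the skeletons of a protected brand list. The brand list and the confusable table (a small subset of the Unicode confusables data) are assumptions; the example goes beyond the slide's capital-i case to cover digit and Cyrillic substitutions as well.

```python
"""Added example, not FireEye code: flag sender and link domains that are
"like but not equal" to a protected brand via confusable-character folding.
Brand list and confusable table are assumptions (subset of Unicode data)."""
import unicodedata
from urllib.parse import urlsplit

BRANDS = {"wellsfargo.com", "paypal.com", "microsoft.com"}     # assumed protected list

CONFUSABLES = {
    "I": "l", "1": "l", "|": "l", "0": "o", "5": "s",              # Latin/digit look-alikes
    "vv": "w", "rn": "m", "cl": "d",                                 # two-letter sequences
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "у": "y", "х": "x", "і": "i",  # Cyrillic
}
# Longer sequences first so "rn" is folded before the single letters are considered.
FOLD_ORDER = sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0]))


def skeleton(domain):
    """Canonical form: punycode decoded, NFKC, confusables folded, lowercased."""
    try:
        domain = domain.encode("ascii").decode("idna")
    except UnicodeError:
        pass                                  # already Unicode, or not valid punycode
    d = unicodedata.normalize("NFKC", domain)
    for _ in range(2):                        # second pass catches sequences exposed by lowercasing
        for src, dst in FOLD_ORDER:
            d = d.replace(src, dst)
        d = d.lower()
    return d


BRAND_SKELETONS = {skeleton(b): b for b in BRANDS}


def registrable(domain):
    """Crude eTLD+1 (last two labels); case is kept because capital I matters here."""
    return ".".join(domain.strip(".").split(".")[-2:])


def lookalike(domain):
    """The brand being impersonated, or None for an exact brand or an unrelated domain."""
    reg = registrable(domain)
    if reg.lower() in BRANDS:
        return None
    return BRAND_SKELETONS.get(skeleton(reg))


def check_message(sender, urls):
    """Findings as (where, domain, impersonated brand) for the sender and every link."""
    findings = []
    sender_domain = sender.rsplit("@", 1)[-1]
    brand = lookalike(sender_domain)
    if brand:
        findings.append(("sender", sender_domain, brand))
    for u in urls:
        host = urlsplit(u).netloc.rsplit("@", 1)[-1].split(":")[0]   # keep case; .hostname lowercases
        brand = lookalike(host)
        if brand:
            findings.append(("url", host, brand))
    return findings
```

The skeleton comparison deliberately treats the brand itself the same way as the suspect, so a brand whose own name contains a foldable sequence still matches only itself; the false-positive risk is legitimate third-party domains that fold onto a brand, which is why matches should score rather than block outright.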

Page 11

Stop Evasion with Multi Stage Detection

ETP extends interactions with multi-stage malware to better identify malicious behavior:
• Serves honey objects for first-stage downloaders
• Renders honey binaries and checks for callback detection

1. File is opened
2. Macro runs and requests a file over http://, which requests an additional file, and then another
3. Requested file executes and infects the local system

Page 12

Advanced Email Protection from the Cloud

Detection and Prevention
• Delivers the same comprehensive detection capabilities as FireEye EX appliances, but hosted in the cloud
• Analyzes both attachments and URLs
• Correlates threat intelligence from the NX platform with URLs in email
• Integrated Advanced Threat Intelligence (ATI)
• Anti-virus and anti-spam (AV/AS) option

Easy to Manage and Operate
• No equipment to install or maintain
• Works with both on-premise and cloud-based MTAs
• Customer management portal
• Real-time alert notifications
• Summary and detailed alerts with forensic information
• SOC 2 Type II data centers in North America and Europe; Asia 2017

Page 13

Real-Time Intelligence Sharing

Leveraging intelligence from NX to detect and stop spear-phishing emails:
• On-premise NX appliances notify ETP of malicious URLs
• NX to ETP communication is password-protected XML over HTTPS
• ETP correlates and marks previously seen emails containing the malicious URL as malicious

1. Spear phishing email with a malicious, never-before-seen URL
2. User unknowingly visits the malicious URL
3. NX determines the URL is malicious
4. NX securely notifies ETP of the malicious URL
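Added example, not FireEye code: the receiving side of step 4. It accepts a notification, checks the shared secret in constant time, normalizes the reported URL, and retroactively flags every already-delivered message that carried it. The XML layout and the secret attribute are assumptions, not the NX to ETP wire format; the message store is constructed. The transport is assumed to be TLS, which is what makes a static secret in the payload tolerable at all.

```python
"""Added example, not FireEye code: consume a malicious-URL notification and
retroactively flag already-delivered messages that carried the same URL.
XML layout and secret field are assumptions; the message store is constructed."""
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

SHARED_SECRET = "assumed-shared-secret"       # assumed; delivered over HTTPS only

# Constructed store: message id -> URLs recorded when the message was delivered.
MESSAGE_STORE = {
    "msg-001": ["http://example.com/clickme", "https://www.example.org/"],
    "msg-002": ["HTTP://EXAMPLE.COM/clickme#top"],
    "msg-003": ["https://www.example.org/"],
}


def canon(url):
    """Normalize scheme and host case, default the path, drop the fragment, so
    the same link written two ways correlates."""
    p = urlsplit(url.strip())
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


def parse_notification(xml_text):
    """List of canonical URLs in the notification, or None if the secret is wrong.
    For untrusted XML in production use defusedxml rather than ElementTree."""
    root = ET.fromstring(xml_text)
    supplied = (root.get("secret") or "").encode()
    if not hmac.compare_digest(supplied, SHARED_SECRET.encode()):
        return None
    return [canon(u.text) for u in root.iter("url") if u.text]


def correlate(xml_text, store):
    """Ids of previously seen messages that contain any reported URL; None if rejected."""
    urls = parse_notification(xml_text)
    if urls is None:
        return None
    bad = set(urls)
    return sorted(mid for mid, seen in store.items() if any(canon(u) in bad for u in seen))


NOTIFICATION = '<alert secret="assumed-shared-secret"><url>http://example.com/clickme</url></alert>'
```

The correlation step is what turns one user's visit into protection for everyone else who received the same campaign, so the store must index URLs at delivery time, not only at the moment a verdict arrives.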

Page 14

Integration with Cloud Email Services

ETP integrates seamlessly with other cloud email services such as Microsoft Exchange Online (O365) and Gmail.

Page 15

BCC Email Flow

1. Incoming email from the Internet reaches the customer MTA (with AV/AS)
2. The customer MTA, configured with a BCC transport rule, also forwards a copy of the email to ETP for analysis (SMTP with TLS)
3. Admin receives alerts through email and can manage alerts via the ETP web portal
4. The customer MTA delivers the email to end users

Page 16

Inline Email Flow

1. Incoming email from the Internet reaches the ETP Cloud (requires pointing the MX record to ETP)
2. ETP analyzes the email, quarantines malicious emails and alerts the admin
3. Safe emails are forwarded to the customer MTA for end-user delivery (SMTP with TLS)
4. Admin can manage alerts and release emails via the ETP portal

Page 17

Inline Deployment Options

• MX record points to the ETP Cloud: ETP delivers to the cloud/on-premise email services, which deliver to the end user
• With third-party AV/AS: a cloud AV/AS service is chained with ETP in front of the cloud/on-premise email services
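Added example, not FireEye code: two sanity checks for the inline options above. Pointing MX at the filter is only half of an inline deployment; the downstream MTA must refuse SMTP from anyone except the filter's egress ranges, otherwise an attacker who resolves the customer's real mail host connects to it directly and the sandbox never sees the message. (The BCC flow on page 15 has the opposite property: it can alert but never block.) All host names, MX records and address ranges are constructed.

```python
"""Added example, not FireEye code: sanity checks for an inline deployment.
All host names, MX records and address ranges are constructed assumptions."""
import ipaddress

FILTER_MX_HOSTS = {"mx1.etp.example.net.", "mx2.etp.example.net."}   # assumed filter MX targets
FILTER_EGRESS = [ipaddress.ip_network(n)                               # assumed filter source ranges
                 for n in ("198.51.100.0/24", "2001:db8:f00d::/48")]


def check_mx(mx_records):
    """mx_records: list of (preference, host). Every record must point at the
    filter; a lower-priority record for the customer's own MTA is the classic bypass."""
    problems = []
    for pref, host in mx_records:
        if host.lower() not in FILTER_MX_HOSTS:
            problems.append(f"MX {pref} {host} bypasses the filter")
    return problems


def check_mta_acl(allowed_sources):
    """allowed_sources: CIDRs the customer MTA accepts port-25 connections from.
    Anything not contained in the filter's egress ranges is a direct-delivery hole."""
    problems = []
    for src in map(ipaddress.ip_network, allowed_sources):
        if not any(src.version == e.version and src.subnet_of(e) for e in FILTER_EGRESS):
            problems.append(f"MTA accepts SMTP from {src}, which is not filter egress")
    return problems


def audit(mx_records, allowed_sources):
    """Combined findings; an empty list means the inline path cannot be skipped."""
    return check_mx(mx_records) + check_mta_acl(allowed_sources)


if __name__ == "__main__":
    for p in audit([(10, "mx1.etp.example.net."), (50, "mail.customer.example.")], ["0.0.0.0/0"]):
        print(p)
```

In practice the MX list comes from `dig MX` against the public resolver and the ACL from the MTA or the cloud tenant's inbound connector configuration; the filter vendor publishes the egress ranges to lock to.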

Page 18

FireEye Email Security Benefits

• Flexible deployment models
• Real-time, automated protection from spear-phishing and other socially-engineered attacks to minimize impostor 'calls to action'
• Industry-leading detection of and protection from advanced threats to safeguard business assets
• Comprehensive, contextual threat intelligence to maximize the effectiveness of scarce security practitioners
• Protection from hard-to-detect multi-vector, multi-flow attacks

Page 19

Email Cloud Infrastructure

Availability
• Warm standby failover across multiple data centers (2x Gov Cloud; 2x NA; 2016: 2x EMEA; 2017: 2x APJ) with validated Disaster Recovery process
• No loss of email, marginal delay in quarantine access
• High Availability components in each DC; resilience during software upgrades or software component failures
• 2n + 2 power redundancy
• Elastic MTA redundancy

Connectivity
• Redundant ISP circuits
• Multi-gigabit links
• Current utilization levels well below 30%

Security
• Public internet access protected with Web Firewall, IPS, Firewall
• Logical and physical access governed by SOC 2 Type II (report separately available with NDA)
• GovCloud FedRAMP certification 1H17
• Periodic security audits and penetration testing
• Only quarantined emails/attachments are stored, with logical separation between customer data

Management
• 24x7 follow-the-sun support
• Automated configuration framework to ensure code and configuration consistency and facilitate horizontal scaling
• Staged rollout to ensure quality and stability
• Centralized logging support via SIEM notification forwarder (logstash)

Page 20

Copyright © 2016, FireEye, Inc. All rights reserved. CONFIDENTIAL

Cloud Infrastructure Certifications

SOC 2
• Report on controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy
• Intended to meet the needs of a broad range of users
• Reports use the AICPA Guide and are intended for use by stakeholders of the service organization who have a thorough understanding of the service organization and its internal controls. These reports can form an important part of stakeholders':
  • Oversight of the organization
  • Vendor management program
  • Internal corporate governance and risk management processes
  • Regulatory oversight
• Type 2: report on management's description of a service organization's system and the suitability of the design and operating effectiveness of controls

Page 21

THANK YOU