FireEye Webinar 11. November 2015 - Home | AVANTEC Documents


Upload: voque

Post on 15-May-2018


TRANSCRIPT


FireEye Webinar 11. November 2015

Copyright © 2015, FireEye, Inc. All rights reserved. CONFIDENTIAL

Why Technology Alone is not Enough

Thomas Cueni, Senior Systems Engineer


How has the Threat Landscape Changed?

PROFESSIONAL ATTACKERS

DETERMINED

ORGANIZED

WELL FUNDED

SOPHISTICATED TOOLS

MULTI-FLOW EXPLOITS

SANDBOX DETECTION

OBFUSCATION / HIDING

80%: Observed malware that shows up only once

68%: Observed malware that appears in only one organization

* Source: FireEye DTI

PERSISTENT TACTICS

TARGETED

INNOVATIVE

CUSTOMIZED


Threat Actors – The Traditional View

Crimeware Actors (Cyber crime gangs)

Hacktivists (Anonymous, LulzSec)

APT Actors (Nation-State threats)


The Reality - A Rainbow of Threat Actors

Hacktivists (Anonymous)

APT Actors (Nation-State threats)

Crimeware Actors (Cyber crime gangs)


M-Trends 2015

Detecting the compromise

- 31% internally notified

- 69% externally notified

Evidence of Compromise to Discovery

- 205 days average/median

- 2,982 days longest seen by Mandiant

APT tactics

- 78% were IT or Security related

When do they attack

- 72% sent on weekdays


Cybercrime Campaigns

Takeaway: Cybercrime Campaigns are well prepared and executed


APT Targeted Verticals

Takeaway: Energy, Aerospace, Government and Financial Services are most targeted


Attack Lifecycle

EVIDENCE OF COMPROMISE

- UNAUTHORIZED USE OF VALID ACCOUNTS

- KNOWN & UNKNOWN MALWARE

- COMMAND & CONTROL ACTIVITY

- SUSPICIOUS NETWORK TRAFFIC

- FILES ACCESSED BY ATTACKERS

- VALID PROGRAMS USED FOR EVIL PURPOSES

- TRACE EVIDENCE & PARTIAL FILES

In the last three years, only 54% of compromised hosts had malware artifacts. FireEye observed more counter-forensic techniques in 2014 than the previous ten years combined. Group overlap is also rapidly expanding in many areas.

Lifecycle stages:

- INITIAL COMPROMISE

- ESTABLISH FOOTHOLD

- ESCALATE PRIVILEGES

- INTERNAL RECON

- COMPLETE MISSION

- MOVE LATERALLY

- MAINTAIN PRESENCE


FireEye Adaptive Defense: Close the Gaps

TECHNOLOGY

- IDENTIFIES KNOWN, UNKNOWN, AND NON MALWARE BASED THREATS

- INTEGRATED TO PROTECT ACROSS ALL MAJOR ATTACK VECTORS

- PATENTED VIRTUAL MACHINE TECHNOLOGY

EXPERTISE

- “GO-TO” RESPONDERS FOR SECURITY INCIDENTS

- HUNDREDS OF CONSULTANTS AND ANALYSTS

- UNMATCHED EXPERIENCE WITH ADVANCED ATTACKERS

INTELLIGENCE

- 50 BILLION+ OBJECTS ANALYZED PER DAY

- FRONT LINE INTEL FROM HUNDREDS OF INCIDENTS

- MILLIONS OF NETWORK & ENDPOINT SENSORS

- HUNDREDS OF INTEL AND MALWARE EXPERTS

- HUNDREDS OF THREAT ACTOR PROFILES

- DISCOVERED 19 OF THE LAST 36 ZERO-DAYS


Focus on Threats: APT17 & BLACKCOFFEE

TACTICAL INTELLIGENCE: MACHINE-TO-MACHINE INTELLIGENCE TO DETECT AND PREVENT THE KNOWN AND UNKNOWN ATTACKS

CONTEXTUAL INTELLIGENCE: ALERT CONTEXT TO IDENTIFY RISK LEVEL, ATTACKER INSIGHTS, AND IOCS TO INFORM ALERT RESPONSE

STRATEGIC INTELLIGENCE: ATTACK CONTEXT TO BUILD THREAT ACTOR AND INDUSTRY INSIGHTS TO PROACTIVELY STAY AHEAD OF THE ATTACKER


APT17 – BLACKCOFFEE Malware

1. Encodes C&C IP addresses on forums; BLACKCOFFEE malware host infection

2. BLACKCOFFEE pulls encoded C&C IP addresses; appears as standard TechNet network traffic; update IP addresses without updating host malware

3. Standard C&C traffic: upload, download, rename, move, or delete files; generate new backdoor commands

4. Collaborated with Microsoft to remediate threat; sinkhole to enrich threat intelligence


ba86c0c1d9a08284c61c4251762ad0df

!?


What can VirusTotal tell me?


TACTICAL INTELLIGENCE

CONTEXTUAL INTELLIGENCE

STRATEGIC INTELLIGENCE

APT17 – BLACKCOFFEE Malware

Hashes:

- C016af303b5729e57d0e6563b3c51be4

- Da88e711e4ffc7c617986fc585bce305

- 5f2fcba8bd42712d9975da208a1cc0ca

- ba86c0c1d9a08284c61c4251762ad0df

Network indicators:

- 110.45.151.43

- Translate[.]wordraference[.]com

This is a proxy-aware backdoor capable of uploading and downloading files, creating a reverse shell, enumerating and interacting with files and processes, and expanding its functionality by adding new commands. This backdoor communicates over HTTP using a binary protocol that is crafted to look like Portable Network Graphics (PNG) files.
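The slide above says the backdoor's HTTP traffic is shaped to look like PNG files. A defender's counter-check is to ask whether bytes served as `image/png` actually parse as a PNG: correct signature, IHDR as the first chunk, a CRC that verifies on every chunk, IEND as the last chunk, and nothing appended after it. The following is an added example written for this page; it is not FireEye code and does not describe how BLACKCOFFEE's protocol is framed. The three sample bodies (a genuine 1x1 image built inline, a made-up signature-plus-framed-message blob, and a real image with bytes appended) are constructed here for illustration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_structure_findings(data: bytes) -> list[str]:
    """Return structural problems found in `data`; an empty list means the bytes
    form a well-formed PNG (signature, IHDR first, CRC-valid chunks, IEND last,
    no trailing bytes)."""
    if not data.startswith(PNG_SIGNATURE):
        return ["missing PNG signature"]
    findings: list[str] = []
    pos = len(PNG_SIGNATURE)
    first_chunk = True
    saw_iend = False
    while pos + 8 <= len(data):
        # Every chunk: 4-byte big-endian length, 4-byte type, data, 4-byte CRC.
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_raw = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc_raw) < 4:
            findings.append(f"truncated chunk {ctype!r}")
            break
        # Chunk type codes are four ASCII letters in a real PNG.
        if not all(65 <= b <= 90 or 97 <= b <= 122 for b in ctype):
            findings.append(f"non-alphabetic chunk type {ctype!r}")
        if first_chunk and ctype != b"IHDR":
            findings.append("first chunk is not IHDR")
        if ctype == b"IHDR" and length != 13:
            findings.append(f"IHDR length {length}, expected 13")
        first_chunk = False
        # CRC covers the type code and the chunk data, not the length field.
        expected_crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        if struct.unpack(">I", crc_raw)[0] != expected_crc:
            findings.append(f"CRC mismatch in chunk {ctype!r}")
        pos += 12 + length
        if ctype == b"IEND":
            saw_iend = True
            break
    if not saw_iend:
        findings.append("no IEND chunk")
    elif pos != len(data):
        findings.append(f"{len(data) - pos} trailing bytes after IEND")
    return findings


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Encode one PNG chunk with a correct CRC."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_minimal_png() -> bytes:
    """A genuine 1x1 8-bit RGB PNG, built here so the example runs offline."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, depth, colour type, ...
    scanline = b"\x00" + b"\x00\x00\x00"  # filter type 0 plus one black pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanline)) + _chunk(b"IEND", b""))


# Constructed sample bodies, imagined as responses served with Content-Type: image/png.
SAMPLES = {
    "real_png": make_minimal_png(),
    # PNG signature followed by a made-up framed message (constructed, not a real protocol).
    "disguised_binary": PNG_SIGNATURE + b"\x00\x00\x00\x10CMD1" + b"A" * 16 + b"\xde\xad\xbe\xef",
    # A valid image with extra bytes appended after IEND.
    "png_with_appendix": make_minimal_png() + b"\x01\x02\x03\x04\x05",
}


def triage(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Run the structural check over every sample; an empty list means it parses as a PNG."""
    return {name: png_structure_findings(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, findings in triage(SAMPLES).items():
        print(name, "->", findings or "structurally valid PNG")
```

A check of this kind belongs at an egress proxy or in network forensics as an enrichment, not as a verdict: a body that fails to parse as a PNG despite its declared type is worth an analyst's look alongside the destination and host context, while real images occasionally carry benign trailing bytes.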

APT17, also known as DeputyDog, is a China-based threat group that FireEye Intelligence has observed conducting network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations.


APPLIED THREAT INTELLIGENCE

Detection / Prevention (Tactical)

Investigation (Contextual)

Response (Strategic)

APPLY

NETWORK EMAIL CONTENT

MOBILE ENDPOINT ANALYTICS

FORENSICS FIREEYE AS A SERVICE

SERVICES


The Numbers Game – Why Context Matters

37% of organizations have over 10,000 security events per month

64% of the alerts were redundant and 52% of alerts were false positives

40% of companies manually review each alert


New Security Paradigm

Ability to Operate Through Compromise

Holistic Visibility (Network & Endpoint)

Actionable Threat Intelligence

Shift to Threat Centric Security

Threat Intelligence

Incident Response

Security Monitoring

Organizations Must Seek to Eliminate or Reduce the Consequences and Impact of Security Breaches


How can FireEye Help You?


HX Triage Viewer with Alert Timeline

Shows timeline of alert

Simplifies investigation

Filters results based on selection

Red dot shows indicator triggers

Full triage download for deeper investigation


Enterprise Search and Live Response

ON PREMISE ENDPOINTS / REMOTE ENDPOINTS

Enterprise Search (Investigate): A quick broad investigation for simple indicators

- Cookies

- File Data

- Network Communication

- Basic Indicators of Compromise

Live Response (Deep Look):

- DVR Cache

- Service Listing

- Port Listing

- User Accounts

- Scheduled Tasks

- Process Listing

- System Information

- Disk/Volume Listing

- Browser URL

- File Download

- DNS Routing

- Driver Modules Listing

- Drivers in Memory

- Rootkit Hook Detection

- Process Listing from Memory

- Event Log History

- Registry Hive Listing

- File Listing from Raw Disk

Scalable, Flexible, Simple to Use, and Fast
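The slide describes enterprise search as a quick, broad sweep of endpoints for simple indicators. The example below is added here to show what such a sweep does in code; it is not FireEye HX code and uses no HX API. It takes the indicators exactly as they appear on the earlier BLACKCOFFEE slide (including the defanged `[.]` domain), normalises them, classifies each one (the 32-hex-character values are treated as MD5 hashes, which is an assumption from their length), and matches them against per-host artifacts. The host records and the hostnames `WS-0042` and `WS-0107` are constructed for the example; `192.0.2.10` is a documentation-range address.

```python
import ipaddress
import re

# Indicators as displayed on the slide (defanged domain included).
SLIDE_INDICATORS = [
    "C016af303b5729e57d0e6563b3c51be4",
    "Da88e711e4ffc7c617986fc585bce305",
    "5f2fcba8bd42712d9975da208a1cc0ca",
    "ba86c0c1d9a08284c61c4251762ad0df",
    "110.45.151.43",
    "Translate[.]wordraference[.]com",
]


def refang(indicator: str) -> str:
    """Undo common defanging and normalise case so the value can be compared to host data."""
    return indicator.strip().replace("[.]", ".").replace("(.)", ".").lower()


def indicator_kind(value: str) -> str:
    """Classify a refanged indicator. 32 hex chars are treated as MD5 (an assumption)."""
    if re.fullmatch(r"[0-9a-f]{32}", value):
        return "md5"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", value):
        return "domain"
    return "unknown"


# Which artifact list and field each indicator kind is compared against.
ARTIFACT_FOR_KIND = {
    "md5": ("processes", "md5"),
    "ip": ("connections", "remote_ip"),
    "domain": ("dns_cache", "name"),
}

# Constructed endpoint artifacts, shaped like a minimal triage collection.
HOSTS = {
    "WS-0042": {
        "processes": [
            {"name": "explorer.exe", "md5": "0" * 32},
            {"name": "svchost.exe", "md5": "ba86c0c1d9a08284c61c4251762ad0df"},
        ],
        "dns_cache": [{"name": "translate.wordraference.com"}, {"name": "www.example.com"}],
        "connections": [{"remote_ip": "110.45.151.43", "remote_port": 80}],
    },
    "WS-0107": {
        "processes": [{"name": "explorer.exe", "md5": "0" * 32}],
        "dns_cache": [{"name": "www.example.com"}],
        "connections": [{"remote_ip": "192.0.2.10", "remote_port": 443}],
    },
}


def sweep(hosts: dict, indicators: list[str]) -> list[dict]:
    """Match every indicator against the matching artifact type on every host."""
    hits = []
    for raw in indicators:
        value = refang(raw)
        kind = indicator_kind(value)
        if kind not in ARTIFACT_FOR_KIND:
            continue  # unknown indicator shapes are skipped, not guessed at
        artifact, field = ARTIFACT_FOR_KIND[kind]
        for host, data in hosts.items():
            for entry in data.get(artifact, []):
                if entry.get(field, "").lower() == value:
                    hits.append({"host": host, "artifact": artifact, "kind": kind, "value": value})
    return sorted(hits, key=lambda h: (h["host"], h["artifact"]))


if __name__ == "__main__":
    for hit in sweep(HOSTS, SLIDE_INDICATORS):
        print(f'{hit["host"]}: {hit["kind"]} indicator {hit["value"]} seen in {hit["artifact"]}')
```

The output of a sweep like this is a shortlist of hosts for the deeper "Live Response" collection the slide lists next, not a conclusion: a DNS-cache hit alone says the name was resolved, and only the process and disk artifacts show whether the sample ran.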


Where are you on the Maturity Curve?

Maturity levels (vertical axis):

- Predictive

- Proactive

- Managed

- Controlled

- Reactive

Horizontal axis: Time / Effort

Capabilities along the curve:

- GOVERNANCE & COMMUNICATION

- AGILE

- AV

- FW

- PROXY

- H/N IPS

- THREAT & VULN MGT

- SIGNATURE-LESS TOOLS

- SIEM

- ACTIONABLE THREAT INTEL

- HOST FORENSICS

- INTEL SHARING

- NETWORK FORENSICS

- CAMPAIGN TRACKING

- TREND & SECURITY ANALYTICS

- Etc…

Axis labels (rotated in the original figure): FOUNDATIONAL CONTROLS, TOOLING, CAPABILITIES


QUESTIONS?

Thomas Cueni

thomas.cueni@fireeye.com