fortinet sandboxing
FortiGuard Services
FORTIGUARD ANTIVIRUS SERVICE
FORTIGUARD ANTISPAM SECURITY SERVICE
FORTIGUARD WEB SECURITY SERVICE
FORTIGUARD DATABASE SECURITY SERVICE
FORTIGUARD IP REPUTATION SERVICE
FORTIGUARD VULNERABILITY MANAGEMENT SERVICE
FORTIGUARD WEB FILTERING SERVICE
FORTIGUARD INTRUSION PREVENTION SERVICE
FORTIGUARD APPLICATION CONTROL SERVICE
What is FortiGuard? Advanced Defense
Sandbox 101
Sandbox has many meanings…
• Container to hold sand to improve rail adhesion
• Shallow playground construction to hold sand
• Virtual container in which untrusted programs can be safely run
• Soviet Anti-Ship Missile (SS-N-12 Sandbox)
The Sandbox: What do we mean?
Sandbox 101
VIRTUAL END-USER ENVIRONMENT
• Code is executed in a contained, virtual environment
• Goal is to replicate typical workstations
• Output is analyzed to determine characteristics
• Some characteristics are malicious
  • Known virus downloads
  • Registry modifications
  • Outbound connection to malicious IPs
  • Infection of processes
(Diagram labels: unsafe action, escape attempt [X]; controlled communication inspection)
What is Sandboxing? Virtual analysis – nothing new
Sandbox 101
BEHAVIOR BASED DETECTION vs. SIGNATURE
• Signature based detection can’t catch everything
• Run time analysis can catch things static (signature) inspection may not
• Inspection is run post-execution, so all aspects are examined
BUT WAIT, THERE’S MORE …
• Malware often downloads more malware
• Sandboxing catches this and inspects the lifecycle
Why Sandbox? Modern threats (APT / ATAs) are tough to detect
Advanced Persistent Threats
DISGUISE
• Advanced threats focus on disguise to slip past security detection
SURVIVABILITY
• Persistent threats aim to survive on systems as long as possible
IMPACT
• Threat to Hard drive data
• Stolen IP, customer data
• Blackmail & Ransom
• Critical infrastructure
(Diagram labels: Detect Disguise, Kill the Chain; Reduce Survivability, Break Impact)
Something Different? Disguise, Survive, Impact
Advanced Persistent Threats
ADVANCED
• AV evasion
  • Crypters
• IPS/App evasion
  • Obfuscation
  • Custom protocol
  • Piggybacking
• Dynamic Decryption
  • Code decrypted at runtime
PERSISTENT
• Rootkits
  • Hide threats at O/S layer
• Bootkits
  • Invoke at startup
• Process killers
THREATS
• Keyloggers
  • Steal data
• Ransomware
  • Encrypt data and hold for ransom
• HD Wipers
So what do they do? Disguise, Survive, Impact
Sandbox 101
VISIBILITY & REPORTS – FOR THE SOC
• New viral families may not have existing signatures
• Shows potentially unwanted activity on a system
• Output and characteristics gathered
  • Useful for reports
  • Correlate connected components
INCIDENT RESPONSE
• Infection is likely underway, how to deal with it?
Why Sandbox? It completes the puzzle
Sandbox 101
Sandbox Evasion Techniques
• VM detection
• Time bombs
• Debug loops
• Event triggers
  • Mouse clicks
  • System reboots
Common Sandbox Problems
• Fixed operating systems
  • Only a few to pick from, and it’s slow
• Fixed software versions
  • Adobe Reader, Java
  • Attacks very specific to certain versions
  • e.g. some require the newest version of Java
• Malware won’t execute in Sandbox
  • Will execute once passed through
The Sandbox Challenge: Bring Your Own Sandbox … evasion techniques that are used widely
FortiSandbox
FortiGuard Labs - On Top of It
• Discover latest evasion techniques
• Intelligent Evasion Inspection
  • e.g. VM detection code
• Quickly address any new measures
  • via AV Engine
  • and FortiSandbox
• All in house!
The Only All-In-One Sandbox
• World Class Fortinet Antivirus
  • Scan & Sandbox (EXE, PDF, JS)
• Integrated Webfiltering
  • Scan connected domains
• Drill Down Reports: PCAP & Behavior
• Unified Sandbox
  • Local scan to detect sandbox evasion
  • Fall back to full sandbox
• Local file upload supported
Introducing FortiSandbox: Complements existing Fortinet technology
FortiSandbox
FortiSandbox – Best of Breed: Patent pending CPRL, industry leading AV all in one!
(Chart: detection rates – STREAM 98.6% Effective; PROXY 99.82% Effective; PROXY 99.81% Effective; STREAM 28.18% Effective; WILDLIST 573 / 18,165)
The Fortinet Advantage – Security & Performance
Multi-tiered file processing optimizes resource usage, which improves security, capacity and performance
(Tiers: Virtual OS Sandbox; Real Time Sandbox; AV Engine)
• OS independent
• Not subjected to VM evasion techniques
• Lightweight
• Industry validated with superior RAP score (ability to detect variants, proactive detection)
• Real time updated
(Diagram: Branch Offices (Distributed Enterprise); Data Center; Headquarters (Enterprise Core))
The Fortinet Advantage - Deployment
Flexible Deployment Options
• Offers the most suitable implementation depending on requirements and infrastructure
• Protects the investment by allowing different deployment modes as requirements change
Standalone Mode – Ideal for scalable requirements
Integrated Mode – Ideal for centralized gateway with inline protection
Distributed Mode – Ideal for protection in distributed environment
The Fortinet Advantage - ROI
(Diagram: file sources – Web, Mail, File, Instant Messenger)
Competitors’ Solution
• Multiple appliances are required, one for each application
• Poor ROI, high TCO
• Adds more management burden
Fortinet Solution
• Central file scanning from various applications and sources, including mobile devices
• Simplifies threat management, provides faster ROI
Deep AV Scan & RTS
• 96% RAP before Sandbox
• No need to Sandbox if caught
FortiSandbox
Solving the Sandbox Problem: Look first for what we know, then inspect the suspicious
Cloud Check
• Real time check on latest malware rating
Full Sandbox
• Catch anything not caught by signature detection
Forensics
• Behavior Report
• Downloaded & Dropped Files Recursively Scanned
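The tiered flow on this slide (signatures first, then a rating check, full sandbox last, with dropped files scanned recursively) and the malicious behaviour characteristics listed under "Virtual End-User Environment" earlier, as an added example that is not Fortinet's code: a toy triage pipeline over a constructed sample chain. The hash sets, the reputation table, the IP address, the event names, weights and the score threshold are all assumptions made for the example, not FortiGuard data.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for the three tiers' knowledge (not real signatures or indicators).
KNOWN_BAD_HASHES = {hashlib.sha256(b"known dropper body").hexdigest()}  # tier 1: local AV signatures
CLOUD_RATINGS = {hashlib.sha256(b"seen elsewhere").hexdigest(): "malicious"}  # tier 2: hash reputation
MALICIOUS_IPS = {"203.0.113.7"}  # TEST-NET-3 documentation address, constructed
# Weights for the behaviour characteristics the slide lists; a contact with a known-bad IP scores 5.
WEIGHTS = {"registry_autorun": 3, "process_injection": 4, "file_download": 1}

@dataclass
class Sample:
    name: str
    content: bytes
    behaviour: list = field(default_factory=list)  # (event, detail) pairs a sandbox run records
    dropped: list = field(default_factory=list)    # files the sample downloaded or wrote

def score_behaviour(events):
    score = 0
    for event, detail in events:
        if event == "net_connect":
            score += 5 if detail in MALICIOUS_IPS else 0
        else:
            score += WEIGHTS.get(event, 0)
    return score

def analyze(sample, report=None):
    """Look first for what is known, sandbox only what remains, recurse into dropped files."""
    report = {} if report is None else report
    digest = hashlib.sha256(sample.content).hexdigest()
    if digest in KNOWN_BAD_HASHES:                # tier 1: cheapest, no sandboxing required
        report[sample.name] = ("malicious", "av-signature")
        return report
    if CLOUD_RATINGS.get(digest) == "malicious":  # tier 2: real-time rating of the hash
        report[sample.name] = ("malicious", "cloud-rating")
        return report
    score = score_behaviour(sample.behaviour)     # tier 3: full behavioural analysis
    verdict = "malicious" if score >= 5 else "suspicious" if score > 0 else "clean"
    report[sample.name] = (verdict, f"sandbox-score={score}")
    for child in sample.dropped:                  # downloaded & dropped files scanned recursively
        analyze(child, report)
    return report

def demo():
    # Constructed chain: a loader seen only at run time drops a payload the signature tier knows.
    payload = Sample("payload.exe", b"known dropper body")
    loader = Sample("invoice.js", b"stage one loader", dropped=[payload],
                    behaviour=[("registry_autorun", "HKCU Run key"),
                               ("net_connect", "203.0.113.7"), ("file_download", "payload.exe")])
    return analyze(loader)
```

The loader itself is convicted by its run-time behaviour, while the payload it drops is caught by the cheap signature tier without ever entering the sandbox.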
FortiCloud Sandbox
Where’s Your Data?
1 FortiOS AV Engine provides local sandbox
2 Still suspicious samples sent for cloud sandbox analysis
3 Results are correlated across all FortiGuard Services
4 Updates pushed out by FortiGuard Network
FortiSandbox
Where’s Your Data?
1 Files processed through FortiGate
2 Sent to FortiSandbox for AV & Sandbox
3 Files collected, scanned
4 Results sent to FortiGuard for updates
5 Updates pushed out by FortiGuard Network (to FortiGates, FortiSandbox)
FortiSandbox
FortiGuard Learning: Signatures created to update global devices
Global Intelligence Network
• Where is your Data?
  • FortiSandbox is local (cloud optional)
  • FortiGuard Cloud is external
• Global Sandbox Updates
  • AV, WCF and Botnet DBs updated
(Components: System Utilities (Behavior Engine); Rating Engine; Traffic Sniffer)
KNOW: Filter known malware (no sandboxing required)
SUSPECT: Detect sandbox-evading malware (Real Time Sandbox)
LEARN: Full sandbox, incident response
SHARE: Update devices, refactor (incident response), raise awareness
FortiGuard: The Sandbox Fit
Incident Response Service: How Does it Work?
1) LOGIN & SUBMIT
• http://premier.fortiguard.com
• Communicate message
• Attach binary / PCAP sample
2) UPDATE & MITIGATE
• View and correspond
• Get signature updates
  • Manual, FDN
3) ANALYZE & RESPOND
• Threat remediation
• Understand nature of threat
• Take action
FortiGuard – Premier Services timeline:
Suspicious activity
0 Hours: Incident reported; zero day attack
4 Hours: Malware spread mitigated; AV signatures, brief analysis
8 Hours: Feedback & follow up
12 Hours: IPS signatures; exploit spread mitigated; feedback & follow up
48 Hours: Full analysis
Practical Sandbox Applications
Case Studies: Sandbox Visibility
Low Volume, Targeted Threat Cases
• Generally harder to get samples
(Timeline: Operation Aurora, December 2009; RSA SecurID, March 2011 (Victim); Flame, May 2012; South Korea Wiper, March 2013)
(Labels: Targeted Industrial Plants, Low Volume; Crime Services, QA (AV Scanning Undetected), Zero Day IPS Vulnerability)
FortiSandbox Detects vs. Crime Services and QA