Posted on 01-Aug-2020

Page 1

Copyright © 2016, FireEye, Inc. All rights reserved. CONFIDENTIAL

RANSOMWARE, CRYPTOLOCKER AND OTHER NEXT-GENERATION CYBER ATTACKS: HOW TO DEFEND YOURSELF?

STEFANO LAMONATO

SR. SALES ENGINEER – FIREEYE

[email protected]

NETMIND | www.netmind.com

[email protected]

Page 2

“…SECURITY BREACHES ARE INEVITABLE.”

- K. Mandia

Source: http://fas.org/irp/congress/2011_hr/100411mandia.pdf

Despite our hopes, eliminating the risk of a security breach entirely and guaranteeing 100% security is neither possible nor realistic...

...but the right strategies make it possible to mitigate or eliminate their consequences.

Page 3

WHAT TO PROTECT AGAINST?

Malware Attacker

Source: http://www.securityweek.com/breaches-are-more-malware

Page 4

TRADITIONAL SOLUTIONS ARE FAILING

Page 5

SIGNATURES: ONLY KNOW ATTACKS AFTER LONG DELAYS

New threat discovered → Vendor identifies signature → Signature published by vendor → Vendor product updates → Vendor product identifies threat

Page 6

SIGNATURE FAILURE EXAMPLE: CRYPTOLOCKER & CO.

1. Infection – email with a weaponized file, or a URL for drive-by infection
2. C&C (optional) – domain-generated callback
3. Key generation (optional) – an asymmetric key is created
4. Data encryption – local files and possibly shared drives, strong encryption
5. Ask for ransom – countdown / Tor / Bitcoin

Stages in the figure: Email → C&C → Key generation → Resources encryption → Ransom payment
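Added example (my own code, not from the FireEye deck): a behavioural detector for stage 4 above, the encryption of local files and shared drives, which shows up on a host as one process changing the extension of many files across several directories within seconds. The tab-separated event format, the thresholds and every sample path are assumptions constructed for this example.

```python
# Added example (not FireEye code): flag a process that changes the extension of many
# files in several directories within a short window. Event format and samples are constructed.
import ntpath
from collections import defaultdict

# Constructed rename events: epoch_seconds<TAB>pid<TAB>old_path<TAB>new_path
SAMPLE_LOG = """\
1700000000\t880\tC:\\Users\\mrossi\\Documents\\~WRD0001.tmp\tC:\\Users\\mrossi\\Documents\\offerta.docx
1700000001\t4711\tC:\\Users\\mrossi\\Documents\\offerta.docx\tC:\\Users\\mrossi\\Documents\\offerta.docx.encrypted
1700000001\t4711\tC:\\Users\\mrossi\\Documents\\budget.xlsx\tC:\\Users\\mrossi\\Documents\\budget.xlsx.encrypted
1700000002\t4711\tC:\\Users\\mrossi\\Desktop\\note.txt\tC:\\Users\\mrossi\\Desktop\\note.txt.encrypted
1700000002\t4711\t\\\\fileserver\\share\\q1\\report.pdf\t\\\\fileserver\\share\\q1\\report.pdf.encrypted
1700000003\t4711\t\\\\fileserver\\share\\q1\\contratto.docx\t\\\\fileserver\\share\\q1\\contratto.docx.encrypted
1700000010\t2200\tC:\\Temp\\export\\a.tmp\tC:\\Temp\\export\\a.png
1700000010\t2200\tC:\\Temp\\export\\b.tmp\tC:\\Temp\\export\\b.png
1700000011\t2200\tC:\\Temp\\export\\c.tmp\tC:\\Temp\\export\\c.png
"""

WINDOW_SECONDS = 60  # sliding window length (assumed threshold)
MIN_RENAMES = 3      # extension changes needed inside one window (assumed threshold)
MIN_DIRS = 2         # distinct directories needed: a converter tool works in one dir

def parse_event(line):
    ts, pid, old, new = line.rstrip("\n").split("\t")  # ts<TAB>pid<TAB>old<TAB>new
    return int(ts), int(pid), old, new

def extension_changed(old, new):
    """True when the rename gives the file another extension (.docx -> .encrypted)."""
    return ntpath.splitext(old)[1].lower() != ntpath.splitext(new)[1].lower()

def detect_encryption_bursts(log, window=WINDOW_SECONDS, min_renames=MIN_RENAMES, min_dirs=MIN_DIRS):
    """Return {pid: (renames, directories)} for each process that changed the
    extension of >= min_renames files in >= min_dirs directories within window s."""
    per_pid = defaultdict(list)  # pid -> [(ts, directory of the renamed file)]
    for line in log.strip().splitlines():
        ts, pid, old, new = parse_event(line)
        if extension_changed(old, new):
            per_pid[pid].append((ts, ntpath.dirname(old).lower()))
    alerts = {}
    for pid, events in per_pid.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # slide the window over time-ordered events
            while events[end][0] - events[start][0] > window:
                start += 1
            dirs = {d for _, d in events[start:end + 1]}
            if end - start + 1 >= min_renames and len(dirs) >= min_dirs:
                alerts[pid] = (end - start + 1, len(dirs))  # keep the widest burst
    return alerts
```

A tool converting many files inside one directory (pid 2200 in the sample) stays below the directory threshold, while the burst across Documents, Desktop and the file share (pid 4711) is flagged.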

Page 7

IN EMEA Ransomware is exploding!

[Chart: monthly trend, January 2015 to December 2015, 0% to 30% scale; series: Ransomware, Malware using Office macro]

Page 8

And in Italy even more!!!

Page 9

THE FIREEYE ADVANTAGE

INTELLIGENCE
‣ Discovered 22 of the last 40 zero-days
‣ Live intel from incident response
‣ Millions of network & endpoint sensors
‣ Hundreds of intel and malware experts
‣ Hundreds of threat actor profiles

TECHNOLOGY
‣ Identifies known, unknown and non-malware based threats
‣ Integrated to protect across major attack vectors
‣ Patented virtual machine technology

EXPERTISE
‣ Go-to responders for security incidents
‣ Hundreds of consultants and analysts
‣ Unmatched experience with advanced attackers

Page 10

FIREEYE TECHNOLOGY

MVX SIGNATURE-LESS ENGINE

Page 11

PURPOSE-BUILT FOR SECURITY

HARDENED HYPERVISOR

SIGNATURE-LESS

EXPLOIT BASED DETECTION, NOT JUST FILE

FINDS KNOWN AND UNKNOWN THREATS

MULTI-VECTOR

PERFORMANCE

EFFICACY

DETECTION AND PREVENTION – TECHNOLOGY

Page 12

TECHNOLOGY INSIDE: MVX

FireEye Hardened Hypervisor

Hardware

Custom hypervisor with built-in countermeasures

Designed for threat analysis

1. FireEye Hardened Hypervisor

Page 13

TECHNOLOGY INSIDE: MVX

FireEye Hardened Hypervisor

Hardware

1. FireEye Hardened Hypervisor

Multiple operating systems

Multiple service packs

Multiple applications

Multiple application versions

Cross-Matrix Virtual Execution

2. Massive cross matrix of virtual executions

Page 14

TECHNOLOGY INSIDE: MVX

>2000 simultaneous executions

Multi-flow analysis

FireEye Hardened Hypervisor

Cross-Matrix Virtual Execution

Hardware

Control Plane

> 2000 Execution Environments

1. FireEye Hardened Hypervisor
2. Massive cross matrix of virtual execution
3. Threat Protection at Scale

Page 15

WITHIN VMs

ACROSS VMs

CROSS ENTERPRISE

DETONATE

CORRELATE

2 MILLION OBJECTS PER HOUR

ANALYZE

DETECTION AND PREVENTION – TECHNOLOGY

Page 16

REAL-TIME

INFORMATION SHARING

RISK AND CONTEXT

TO PRIORITIZE RESPONSE

TACTICAL AND STRATEGIC INTELLIGENCE WITH ATTRIBUTION

THAT IS APPLICABLE AND ACTIONABLE TO YOUR ORGANIZATION

DYNAMIC THREAT INTELLIGENCE

A GLOBAL DEFENSE COMMUNITY

Page 17

ONE VIEW ONE PLATFORM

INTELLIGENCE
‣ Dynamic threat intelligence
‣ Advanced threat intelligence
‣ Advanced threat intelligence+
‣ iSIGHT Partners

CLOUD
‣ Threat analytics platform
‣ Email threat protection

ENDPOINT
‣ Endpoint
‣ Mobile

NETWORK
‣ Network
‣ Network SSL Intercept
‣ Email
‣ Content
‣ Malware analysis
‣ Enterprise forensics

SERVICES
‣ Security program assessment
‣ Response readiness assessment
‣ ICS gap assessment
‣ Red Teaming
‣ Vulnerability assessment
‣ Cyber Defense Center development
‣ Compromise assessment
‣ Incident response retainer

ORCHESTRATION
‣ INVOTAS

Page 18

SOLUTIONS FOR COMPANIES OF ALL SIZES

Product matrix by size of organization (LARGE / MEDIUM / SMALL):

NETWORK: NX10000, NX7400, NX4400, NX2400, NX1400, NX900
EMAIL: EX8400, EX5400, Email Threat Prevention Cloud
CONTENT: FX8400, FX5400
ENDPOINT: HX4000X
MOBILE: Mobile Threat Prevention
NETWORK FORENSICS: 20X0ESS / 1000EXT:10-20G, PX200XESS / PX1000EXT:4G, PX1000ESS
ENDPOINT FORENSICS: Mandiant Intelligent Response
ANALYTICS TECHNOLOGIES: Threat Analytics Platform
INTELLIGENCE: DTI, ATI, ATI+

Page 19

Email Still Top Vector for Security Breaches

• Spear phishing is the preferred vehicle for launching cyber attacks
• Social engineering with email messages is highly effective
• Email attachments and links remain the #1 vectors
• Email is the front door in blended, persistent attacks

Page 20

Effective Detection and Blocking of Spear Phishing Emails

• Executes email attachment(s) in a virtual machine (MVX) to detect hidden malware
• 30+ file types supported
• Detects and blocks malicious URLs by leveraging FireEye Threat Intelligence and data from the entire FireEye ecosystem

Page 21

Introducing FireEye Email Threat Prevention

Email Threat Prevention (EX Series)
• On-premise
• Option to add on Cloud AV/AS protection
• CAPEX consumption model

Email Threat Prevention Cloud (ETP Cloud)
• Cloud-based
• Comprehensive email security: AV/AS + Advanced Threat Protection
• OPEX consumption model

Both run the MVX engine.

Page 22

Email Security (EX)

Protection against spear phishing and blended attacks

Analyzes all emails for malicious attachments and URLs

In-line MTA for blocking or SPAN / BCC for monitoring

Brute-force analysis of all email attachments in MVX Engine

NX integration for malicious URL analysis / blocking

NX integration for blocking of newly discovered callback channels

HX (Endpoint Threat Prevention) integration for validation of compromised endpoints

Page 23

EX Deployment

Page 24

EX Series Sizing

Platform     Segment      Interfaces       Storage            Power   Emails/Day (Clear Text)   Emails/Day (TLS)
3400         Mid Market   1000Base-T (2)   SAS (2) – RAID 1   Dual    150k                      100k
5400         Enterprise   1000Base-T (2)   SAS (2) – RAID 1   Dual    400k                      270k
8400, 8420   Large Ent    1000Base-T (2)   SAS (2) – RAID 1   Dual    750k                      500k

The slide also lists a 1000Base-SX (2) interface option without tying it to a specific platform.

Page 25

ETP Cloud Offerings

• ETP Cloud (MVX): ETP without Antivirus/Antispam
• ETP Cloud (MVX + AV/AS): ETP with Antivirus/Antispam

Page 26

Inline Email Flow

1. Incoming email from the Internet reaches ETP Cloud
2. ETP Cloud analyzes the email, quarantines malicious emails, and alerts the admin
3. Safe emails are forwarded to the customer MTA for end-user delivery
4. The admin can manage alerts and release emails via the ETP Cloud web portal
5. Requires pointing the MX record to ETP Cloud

Diagram: Internet → ETP Cloud (MVX, Quarantine) → SMTP with TLS → Customer MTA

Page 27

ETP Cloud vs EX

EX only
• CM integration
• CAPEX

Both
• MVX engine analysis
• Active protection (inline) mode or monitor (BCC) mode
• Email quarantine with optional end user notification
• NX correlation
• DTI intel sharing

ETP Cloud only
• No on-premise hardware
• Antivirus/antispam analysis
• OPEX

Diagram: Dynamic Threat Intelligence shared with both; threat correlation between NX and ETP Cloud / EX

Page 28

The Malware Detection Test

Page 29

How Does it Work?

Page 30

Where does the Malware come from?

Real Malware will be used during the Malware Detection Test.

The files used are recent samples collected from FireEye appliances & Mandiant incident response engagements.

During the test, the 9 samples below will be used:

3x Unknown to VirusTotal

3x Known to VirusTotal with 1-5 vendors

3x Known to VirusTotal with more than 5 vendors

http://en.wikipedia.org/wiki/VirusTotal

https://www.virustotal.com/

Page 31

The Result

The report will contain:

List of all Malware used during the test

A detection chart comparing findings on customers side and the FireEye Lab

Real-life Malware detection timeline based on VirusTotal.com

Recommendations, e.g.:

- Deploy FireEye EX/NX/CM, along with FAAS

- Compromise Assessment, Incident Response Retainer, etc.

Page 32

FireEye Ransomware Response Strategies Whitepaper

http://bit.ly/FEYERansomware
