Copyright (c) 2011, FireEye, Inc. All rights reserved. | CONFIDENTIAL 1
Stopping targeted cyber attacks
March 18th, 2013
Modern Malware Protection Solutions
Ray Kafity
Senior Director
FireEye Middle East, Turkey and Africa
The New Breed of Cyber Attacks
• Nature of threats changing
• Today’s attacks sophisticated and successful
“Organizations face an evolving threat scenario that they are ill-prepared to deal with….threats that have bypassed their traditional security protection techniques and reside undetected on their systems.” Gartner, 2012
[Timeline chart, 2005 to 2013, vertical axis “Damage of Attacks”: Viruses, Worms, Spyware/Bots, Stealth Bots, Dynamic Trojans, Zero-Day Targeted Attacks, Advanced Persistent Threats; eras labelled Disruption, Cybercrime, Cyber-Espionage and Cybercrime]
High Profile Attacks Are Increasingly Common
Numbers Show a Harsh Reality
• 2/3 of U.S. firms report that they have been the victim of cybersecurity
• 40% of all IT executives expect a major cybersecurity incident
• 115% CAGR unique malware since 2009
• 9,000+ malicious websites identified per day
• Every second 14 adults become a victim of cyber crime
• 6.5x Number of cyber attacks since 2006
• 95 new vulnerabilities discovered each week
What’s Changed?
NEW THREAT LANDSCAPE
• Dynamic, Polymorphic Malware
• Coordinated Persistent Threat Actors
• Multi-Vector Attacks
• Multi-Staged Attacks
Targeting an Organization’s Valuable Assets
[Diagram: targets (CFO, Director of Engineering, Government Employee); attack vectors (Web-Based Attack, Spear Phishing, File-Based Attack); assets at risk (Intellectual Property, Financial Information, National Security Information)]
Threat Actors
• APT Actors
• Crimeware Actors
• Hacktivists (Anonymous, LulzSec)
APT Actors & Crimeware Actors
An unholy alliance?
[Diagram: exchange between APT Actors and Crimeware Actors, with the arrows labelled “Sell compromised systems to” and “Sell ‘burned’ 0-day exploits to”]
The Point?
• If you have a fair amount of common malware infections (crimeware), you may never see unique APT attacks
• APT actors may simply leverage your existing crimeware backdoors
• Therefore, you still have to respond to the low grade attacks, because they can become high grade for a valuable target
400 Incidents Per Week Per Gbps
The Attack Life Cycle – Multiple Stages
1 Exploitation of system
2 Malware executable download
3 Callbacks and control established
4 Malware spreads laterally
5 Data exfiltration
[Diagram: compromised Web server or Web 2.0 site, callback server, IPS at the perimeter, File Share 1 and File Share 2 inside the network, with the numbered stages marked along the attack path]
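The five stages on this slide map directly onto a host-level correlation rule a SOC can run over its own sensor events: a single stage (one download, one large upload) is everyday noise, while one host advancing through several stages in order is the multi-stage pattern the slide describes. This is an added example in Python, not FireEye code; the event names, the "timestamp host event" log format and the sample lines are all constructed for illustration.

```python
"""Correlate constructed host events into the five attack-lifecycle stages
from the slide (exploit, payload download, callback, lateral movement,
exfiltration). Added example, not FireEye code; event format is invented."""
from collections import defaultdict

# Stage number for each detector event; the event names are hypothetical.
STAGE_OF_EVENT = {
    "exploit_detected": 1,          # e.g. browser/plugin exploit on a web visit
    "executable_download": 2,       # binary fetched right after the exploit
    "callback_beacon": 3,           # periodic outbound connection to a C2 host
    "smb_admin_share_write": 4,     # lateral movement to file shares
    "large_outbound_transfer": 5,   # data exfiltration
}

def parse_line(line):
    """Parse one constructed 'ts host event' log line into a tuple."""
    ts, host, event = line.split(maxsplit=2)
    return int(ts), host, event.strip()

def correlate(lines, min_stages=3):
    """Return {host: ascending stage list} for every host that reached at
    least min_stages distinct stages in order. Progression through stages,
    not any single event, is what separates an intrusion from noise."""
    seen = defaultdict(list)
    for ts, host, event in (parse_line(l) for l in lines if l.strip()):
        stage = STAGE_OF_EVENT.get(event)
        if stage is None:
            continue
        # Count a stage only if it advances past the highest stage this host
        # already reached, so out-of-order noise (a big upload with no prior
        # exploit or callback) does not build up a false chain.
        if not seen[host] or stage > seen[host][-1]:
            seen[host].append(stage)
    return {h: s for h, s in seen.items() if len(s) >= min_stages}

SAMPLE = """\
1000 ws-17 exploit_detected
1003 ws-17 executable_download
1010 ws-42 large_outbound_transfer
1060 ws-17 callback_beacon
1120 ws-17 smb_admin_share_write
1400 ws-17 large_outbound_transfer
1500 ws-42 executable_download
""".splitlines()

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE).items():
        print(host, "reached stages", stages)
```

On the sample, ws-17 is reported with all five stages while ws-42 (one upload, then an unrelated download) is not, because its events never form an ascending chain.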
Traditional Defenses Don’t Work
• Firewalls/NGFW
• Secure Web Gateways
• IPS
• Anti-Spam Gateways
• Desktop AV
The new breed of attacks evades signature-based defenses
The Enterprise Security Hole
[Diagram: attack vectors (Web-Based Attacks, Malicious Files, Spear Phishing Emails) against the layered defenses NGFW, FW, IPS, SWG and AV, with the gap between them labelled SECURITY HOLE]
A New Model is Required
Legacy Pattern-Matching Detection Model
• Signature-Based
• Reactive
• Only known threats
• False positives
New Virtual Execution Model
• Signature-less
• Dynamic, real-time
• Known/unknown threats
• Minimal false positives
[Diagram: rows of binary strings with a highlighted pattern labelled MATCH, illustrating signature matching]
Attacks Increasingly Sophisticated
Dynamic Web Attacks, Malicious Exploits, Spear Phishing Emails
Multi-Vector
• Delivered via Web or email
• Blended attacks with email containing malicious URLs
• Uses application/OS exploits
Multi-Stage
• Initial exploit stage followed by malware executable download, callbacks, and exfiltration
• Lateral movement to infect other network assets