FireEye Webinar, 11 November 2015
Copyright © 2015, FireEye, Inc. All rights reserved. CONFIDENTIAL
Why Technology Alone is not Enough
Thomas Cueni, Senior Systems Engineer
How has the Threat Landscape Changed?
- Professional attackers: determined, organized, well funded
- Sophisticated tools: multi-flow exploits, sandbox detection, obfuscation / hiding
- Persistent tactics: targeted, innovative, customized
80% of observed malware shows up only once; 68% of observed malware appears in only one organization (* Source: FireEye DTI)
Threat Actors – The Traditional View
- Crimeware Actors (Cyber crime gangs)
- Hacktivists (Anonymous, LulzSec)
- APT Actors (Nation-State threats)
The Reality - A Rainbow of Threat Actors
- Hacktivists (Anonymous)
- APT Actors (Nation-State threats)
- Crimeware Actors (Cyber crime gangs)
M-Trends 2015
Detecting the compromise
- 31% internally notified
- 69% externally notified
Evidence of Compromise to Discovery
- 205 days average/median
- 2,982 days longest seen by Mandiant
APT tactics
- 78% were IT or Security related
When do they attack
- 72% sent on weekdays
Cybercrime Campaigns
Takeaway: Cybercrime Campaigns are well prepared and executed
APT Targeted Verticals
Takeaway: Energy, Aerospace, Government and Financial Services are most targeted
Attack Lifecycle
1. Initial Compromise
2. Establish Foothold
3. Escalate Privileges
4. Internal Recon
5. Move Laterally
6. Maintain Presence
7. Complete Mission
Evidence of Compromise:
- Unauthorized use of valid accounts
- Known & unknown malware
- Command & control activity
- Suspicious network traffic
- Files accessed by attackers
- Valid programs used for evil purposes
- Trace evidence & partial files
In the last three years, only 54% of compromised hosts had malware artifacts. FireEye observed more counter-forensic techniques in 2014 than the previous ten years combined. Group overlap is also rapidly expanding in many areas.
FireEye Adaptive Defense: Close the Gaps
Technology
- Identifies known, unknown, and non-malware based threats
- Integrated to protect across all major attack vectors
- Patented virtual machine technology
Expertise
- "Go-to" responders for security incidents
- Hundreds of consultants and analysts
- Unmatched experience with advanced attackers
Intelligence
- 50 billion+ objects analyzed per day
- Front line intel from hundreds of incidents
- Millions of network & endpoint sensors
- Hundreds of intel and malware experts
- Hundreds of threat actor profiles
- Discovered 19 of the last 36 zero-days
Focus on Threats: APT17 & BLACKCOFFEE
- Tactical intelligence: machine-to-machine intelligence to detect and prevent the known and unknown attacks
- Contextual intelligence: alert context to identify risk level, attacker insights, and IOCs to inform alert response
- Strategic intelligence: attack context to build threat actor and industry insights to proactively stay ahead of the attacker
APT17 – BLACKCOFFEE Malware
1. APT17 encodes C&C IP addresses in posts on public forums; BLACKCOFFEE malware infects the host.
2. BLACKCOFFEE pulls the encoded C&C IP addresses from the forum. The traffic appears as standard TechNet network traffic, and the attacker can update the IP addresses without updating the malware on the host.
3. Standard C&C traffic follows: upload, download, rename, move, or delete files; generate new backdoor commands.
4. FireEye collaborated with Microsoft to remediate the threat and used a sinkhole to enrich threat intelligence.
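One way a defender can hunt for the dead-drop pattern described on this slide (a host fetches a public forum page, then makes its first-ever connection to a raw IP address shortly afterwards) is to correlate the two events in proxy logs. This is an added example, not FireEye code; the log format, the sample lines and the 10-minute window are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log: "<timestamp> <client> <destination> <method> <path>".
# The field order is a hypothetical format assumed for this example.
SAMPLE_LOG = """\
2015-11-11T09:00:01 ws17 social.technet.microsoft.com GET /Forums/en-US/thread/1
2015-11-11T09:00:04 ws17 203.0.113.7 CONNECT -
2015-11-11T09:05:00 ws17 203.0.113.7 CONNECT -
2015-11-11T09:30:00 ws42 198.51.100.9 CONNECT -
2015-11-11T09:10:00 ws23 social.technet.microsoft.com GET /Forums/en-US/thread/2
2015-11-11T11:00:00 ws23 198.51.100.9 CONNECT -
"""

# Public sites an actor could use as a dead drop; TechNet is the one named on the slide.
DEAD_DROP_HOSTS = {"social.technet.microsoft.com"}
WINDOW = timedelta(minutes=10)  # assumed: how soon after the fetch the first contact must follow

def parse(log_text):
    """Parse log lines into (time, client, dest, method, path) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        ts, client, dest, method, path = line.split(maxsplit=4)
        events.append((datetime.fromisoformat(ts), client, dest, method, path))
    return sorted(events)

def is_ip(dest):
    """True when the destination is a literal IP address rather than a hostname."""
    try:
        ipaddress.ip_address(dest)
        return True
    except ValueError:
        return False

def find_dead_drop_followups(log_text, window=WINDOW):
    """Return (client, ip, time) for each first-ever contact to a raw IP that
    follows a dead-drop fetch by the same client within `window`."""
    last_fetch = {}            # client -> time of its most recent dead-drop fetch
    seen = defaultdict(set)    # client -> IPs it has contacted earlier in the log
    alerts = []
    for ts, client, dest, method, path in parse(log_text):
        if dest in DEAD_DROP_HOSTS:
            last_fetch[client] = ts
            continue
        if not is_ip(dest):
            continue
        first_contact = dest not in seen[client]
        seen[client].add(dest)
        fetched_at = last_fetch.get(client)
        if first_contact and fetched_at is not None and ts - fetched_at <= window:
            alerts.append((client, dest, ts))
    return alerts

if __name__ == "__main__":
    for client, ip, ts in find_dead_drop_followups(SAMPLE_LOG):
        print(f"{ts.isoformat()} {client}: first contact to {ip} right after a dead-drop fetch")
```

In the constructed sample only ws17 is flagged: ws23 waits too long after its fetch, and ws42 never fetched a dead-drop page, which keeps repeated or unrelated connections out of the alert list.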
ba86c0c1d9a08284c61c4251762ad0df
!?
What can VirusTotal tell me?
APT17 – BLACKCOFFEE Malware
Tactical intelligence (indicators):
- C016af303b5729e57d0e6563b3c51be4
- Da88e711e4ffc7c617986fc585bce305
- 5f2fcba8bd42712d9975da208a1cc0ca
- ba86c0c1d9a08284c61c4251762ad0df
- 110.45.151.43
- Translate[.]wordraference[.]com
Contextual intelligence: This is a proxy-aware backdoor capable of uploading and downloading files, creating a reverse shell, enumerating and interacting with files and processes, and expanding its functionality by adding new commands. This backdoor communicates over HTTP using a binary protocol that is crafted to look like Portable Network Graphics (PNG) files.
Strategic intelligence: APT17, also known as DeputyDog, is a China-based threat group that FireEye Intelligence has observed conducting network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations.
Applied Threat Intelligence
- Detection / Prevention (Tactical)
- Investigation (Contextual)
- Response (Strategic)
Apply across: Network, Email, Content, Mobile, Endpoint, Analytics, Forensics, FireEye as a Service, Services
The Numbers Game – Why Context Matters
37% of organizations have more than 10,000 security events per month
64% of the alerts were redundant and 52% of the alerts were false positives
40% of companies manually review each alert
New Security Paradigm
- Ability to Operate Through Compromise
- Holistic Visibility (Network & Endpoint)
- Actionable Threat Intelligence
- Shift to Threat Centric Security
[Figure: Threat Intelligence, Incident Response, Security Monitoring]
Organizations Must Seek to Eliminate or Reduce the Consequences and Impact of Security Breaches
How can FireEye Help You?
HX Triage Viewer with Alert Timeline
Shows timeline of alert
Simplifies investigation
Filters results based on selection
Red dot shows indicator triggers
Full triage download for deeper investigation
Enterprise Search and Live Response
On premise endpoints and remote endpoints
Enterprise Search: a quick, broad investigation for simple indicators
- Cookies
- File Data
- Network Communication
- Basic Indicators of Compromise
Live Response: deep look, investigate
- DVR Cache
- Service Listing
- Port Listing
- User Accounts
- Scheduled Tasks
- Process Listing
- System Information
- Disk/Volume Listing
- Browser URL
- File Download
- DNS Routing
- Driver Modules Listing
- Drivers in Memory
- Rootkit Hook Detection
- Process Listing from Memory
- Event Log History
- Registry Hive Listing
- File Listing from Raw Disk
Scalable, Flexible, Simple to Use, and Fast
Where are you on the Maturity Curve?
Maturity levels along the time / effort axis: Reactive, Controlled, Managed, Proactive, Predictive
Axis labels: Foundational Controls, Tooling, Capabilities
Items plotted: Governance & Communication, Agile, AV, FW, Proxy, H/N IPS, Threat & Vuln Mgt, Signature-less Tools, SIEM, Actionable Threat Intel, Host Forensics, Intel Sharing, Network Forensics, Campaign Tracking, Trend & Security Analytics, etc.
QUESTIONS?
Thomas Cueni