Copyright © 2016, FireEye, Inc. All rights reserved. CONFIDENTIAL
RANSOMWARE, CRYPTOLOCKER AND OTHER NEXT-GENERATION CYBER ATTACKS: HOW TO DEFEND AGAINST THEM?
STEFANO LAMONATO
SR. SALES ENGINEER – FIREEYE
NETMIND | www.netmind.com
“…SECURITY BREACHES ARE INEVITABLE.”
- K. Mandia
Source: http://fas.org/irp/congress/2011_hr/100411mandia.pdf
Despite our hopes, eliminating the risk of a security breach entirely and guaranteeing 100% security is neither possible nor realistic
…But the right strategies make it possible to mitigate or eliminate their consequences.
WHAT TO PROTECT FROM?
Malware Attacker
Source: http://www.securityweek.com/breaches-are-more-malware
TRADITIONAL SOLUTIONS ARE FAILING
SIGNATURES: ONLY KNOW ATTACKS AFTER LONG DELAYS
New Threat Discovery → Vendor Identifies Signature → Signature Published by Vendor → Vendor Product Updates → Vendor Product Identifies Threat
SIGNATURE FAILURE EXAMPLE: CRYPTOLOCKER & CO.
1. Infection – email with weaponized file or URL for drive-by infection
2. C&C (optional) – domain generated callback
3. Key generation (optional) – an asymmetric key is created
4. Data encryption – local files and possibly shared drives, strong
5. Ask for ransom – Countdown / Tor / BitCoin
(Diagram labels: Email, C&C, Key generation, Resources encryption, Ransom payment)
IN EMEA ransomware is exploding!
(Chart: monthly trend, January 2015 – December 2015, y-axis 0% to 30%; series: Ransomware, Malware using Office macro)
And in Italy even more!!!
THE FIREEYE ADVANTAGE
INTELLIGENCE
‣ Discovered 22 of the last 40 zero-days
‣ Live intel from incident response
‣ Millions of network & endpoint sensors
‣ Hundreds of intel and malware experts
‣ Hundreds of threat actor profiles
TECHNOLOGY
‣ Identifies known, unknown and non-malware based threats
‣ Integrated to protect across major attack vectors
‣ Patented virtual machine technology
EXPERTISE
‣ Go-to responders for security incidents
‣ Hundreds of consultants and analysts
‣ Unmatched experience with advanced attackers
FIREEYE TECHNOLOGY
MVX SIGNATURE-LESS ENGINE
PURPOSE-BUILT FOR SECURITY
HARDENED HYPERVISOR
SIGNATURE-LESS
EXPLOIT BASED DETECTION, NOT JUST FILE
FINDS KNOWN AND UNKNOWN THREATS
MULTI-VECTOR
PERFORMANCE
EFFICACY
DETECTION AND PREVENTION – TECHNOLOGY
TECHNOLOGY INSIDE: MVX
1. FireEye Hardened Hypervisor (running on hardware): custom hypervisor with built-in countermeasures, designed for threat analysis
2. Cross-Matrix Virtual Execution: massive cross matrix of virtual executions across multiple operating systems, multiple service packs, multiple applications and multiple application versions
3. Threat Protection at Scale: control plane with > 2000 execution environments, > 2000 simultaneous executions, multi-flow analysis
DETECTION AND PREVENTION – TECHNOLOGY
DETONATE / CORRELATE / ANALYZE
WITHIN VMs / ACROSS VMs / CROSS ENTERPRISE
2 MILLION OBJECTS PER HOUR
DYNAMIC THREAT INTELLIGENCE: A GLOBAL DEFENSE COMMUNITY
‣ Real-time information sharing
‣ Risk and context to prioritize response
‣ Tactical and strategic intelligence with attribution that is applicable and actionable to your organization
ONE VIEW, ONE PLATFORM
INTELLIGENCE
‣ Dynamic threat intelligence
‣ Advanced threat intelligence
‣ Advanced threat intelligence+
‣ iSIGHT Partners
CLOUD
‣ Threat analytics platform
‣ Email threat protection
ENDPOINT
‣ Endpoint
‣ Mobile
NETWORK
‣ Network
‣ Network SSL Intercept
‣ Content
‣ Malware analysis
‣ Enterprise forensics
SERVICES
‣ Security program assessment
‣ Response readiness assessment
‣ ICS gap assessment
‣ Red Teaming
‣ Vulnerability assessment
‣ Cyber Defense Center development
‣ Compromise assessment
‣ Incident response retainer
ORCHESTRATION
‣ INVOTAS
SOLUTIONS FOR COMPANIES OF ALL SIZES
(Matrix by size of organization: large / medium / small)
NETWORK: NX10000, NX7400, NX4400, NX2400, NX1400, NX900
EMAIL: EX8400, EX5400, Email Threat Prevention Cloud
CONTENT: FX8400, FX5400
ENDPOINT: HX4000X
MOBILE: Mobile Threat Prevention
NETWORK FORENSICS: 20X0ESS / 1000EXT: 10-20G; PX200XESS / PX1000EXT: 4G; PX1000ESS
ENDPOINT FORENSICS: Mandiant Intelligent Response
ANALYTICS TECHNOLOGIES: Threat Analytics Platform
INTELLIGENCE: DTI, ATI, ATI+
Email Still Top Vector for Security Breaches
Spear phishing is the preferred vehicle for launching cyber attacks
Social engineering with email messages is highly effective
Email attachments and links remain the #1 vectors
Email is the front door in blended, persistent attacks
Effective Detection and Blocking of Spear Phishing Emails (MVX)
• Executes email attachment(s) in a virtual machine to detect hidden malware
• 30+ file types supported
• Detects and blocks malicious URLs by leveraging FireEye Threat Intelligence and data from the entire FireEye ecosystem
Introducing FireEye Email Threat Prevention
Email Threat Prevention (EX Series), MVX:
• On-Premise
• Option to add on Cloud AV/AS Protection
• CAPEX Consumption Model
Email Threat Prevention Cloud (ETP Cloud), MVX:
• Cloud-Based
• Comprehensive Email Security
• AV/AS + Advanced Threat Protection
• OPEX Consumption Model
Email Security (EX)
Protection against spear phishing and blended attacks
Analyzes all emails for malicious attachments and URLs
In-line MTA for blocking or SPAN / BCC for monitoring
Brute-force analysis of all email attachments in MVX Engine
NX integration for malicious URL analysis / blocking
NX integration for blocking of newly discovered callback channels
HX (Endpoint Threat Prevention) integration for validation of compromised endpoints
EX Deployment
EX Series Sizing
Platform   | Market           | Storage          | Power
3400       | Mid Market       | SAS (2) – RAID 1 | Dual
5400       | Enterprise       | SAS (2) – RAID 1 | Dual
8400, 8420 | Large Enterprise | SAS (2) – RAID 1 | Dual
Interfaces as listed on the slide: 1000Base-SX (2), 1000Base-T (2), 1000Base-T (2), 1000Base-T (2)

Platform | Emails/Day (Clear Text) | Emails/Day (TLS)
3400     | 150k                    | 100k
5400     | 400k                    | 270k
8400     | 750k                    | 500k
ETP Cloud Offerings
• ETP without Antivirus/Antispam: ETP Cloud with MVX
• ETP with Antivirus/Antispam: ETP Cloud with MVX + AV/AS
Inline Email Flow (requires pointing the MX record to ETP Cloud)
• Incoming email from the Internet reaches ETP Cloud (SMTP with TLS)
• ETP Cloud (MVX) analyzes the email, quarantines malicious emails, and alerts the admin
• Safe emails are forwarded to the customer MTA for end-user delivery
• The admin can manage alerts / release emails via the ETP Cloud web portal
(Diagram labels: MVX, ETP Cloud, SMTP with TLS, Customer MTA, Quarantine)
ETP Cloud vs EX
(Diagram: Dynamic Threat Intelligence; threat correlation between ETP Cloud, NX and EX)
• CM integration
• CAPEX
• MVX engine analysis
• Active protection (inline) mode or monitor (BCC) mode
• Email quarantine with optional end user notification
• NX correlation
• DTI intel sharing
• No on-premise hardware
• Antivirus/antispam analysis
• OPEX
Legend: Both | ETP Cloud | EX
The Malware Detection Test
How Does it Work?
Where does the Malware come from?
Real malware will be used during the Malware Detection Test.
The files used are recent samples collected from FireEye appliances & Mandiant incident response engagements.
During the test, the 9 samples below will be used:
3x Unknown to VirusTotal
3x Known to VirusTotal with 1-5 vendors
3x Known to VirusTotal with more than 5 vendors
http://en.wikipedia.org/wiki/VirusTotal
https://www.virustotal.com/
The Result
The report will contain:
List of all malware used during the test
A detection chart comparing findings on the customer's side and in the FireEye Lab
Real-life malware detection timeline based on VirusTotal.com
Recommendations, e.g.
- Deploy FireEye EX/NX/CM, along with FAAS
- Compromise Assessment, Incident Response Retainer, etc.
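As an added illustration (not part of the deck and not FireEye tooling) of the buckets and the detection timeline the test report describes, the snippet below groups constructed VirusTotal-style records into the deck's three categories (unknown / 1-5 vendors / more than 5 vendors) and computes how many days after first submission each sample was first flagged. Sample names, vendor names and dates are all constructed placeholders.

```python
"""Constructed example: bucket samples the way the Malware Detection Test does
and derive a detection timeline (days from first submission to first vendor
detection). All records below are made up; no real hashes or vendors."""
from datetime import date

# Constructed VirusTotal-style records: first_seen plus, per vendor, the date
# on which that vendor first flagged the sample (absent = never detected).
SAMPLES = {
    "sample-A (placeholder hash)": {
        "first_seen": date(2015, 11, 2),
        "detections": {},                       # unknown to VirusTotal
    },
    "sample-B (placeholder hash)": {
        "first_seen": date(2015, 11, 5),
        "detections": {"vendor1": date(2015, 11, 9),
                       "vendor2": date(2015, 11, 12)},
    },
    "sample-C (placeholder hash)": {
        "first_seen": date(2015, 10, 20),
        # seven vendors, one more each day from 21 Oct
        "detections": {f"vendor{i}": date(2015, 10, 20 + i) for i in range(1, 8)},
    },
}

def bucket(n_vendors):
    """Map a vendor count to the deck's three test categories."""
    if n_vendors == 0:
        return "unknown"
    if n_vendors <= 5:
        return "known (1-5 vendors)"
    return "known (>5 vendors)"

def detection_timeline(record, as_of):
    """Vendors that had flagged the sample by `as_of`, plus the signature lag:
    days between first submission and the earliest vendor detection."""
    dates = sorted(d for d in record["detections"].values() if d <= as_of)
    n = len(dates)
    lag = (dates[0] - record["first_seen"]).days if dates else None
    return {"vendors": n, "bucket": bucket(n), "days_to_first_detection": lag}

def build_report(samples, as_of):
    """One timeline row per sample, evaluated as of a given date."""
    return {name: detection_timeline(rec, as_of) for name, rec in samples.items()}

if __name__ == "__main__":
    for name, row in build_report(SAMPLES, date(2015, 12, 1)).items():
        print(name, row)
```

Evaluating the same records at different `as_of` dates shows how a sample moves between buckets as vendors add signatures, which is the lag the deck's "signatures" slide argues against relying on.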
FireEye Ransomware Response Strategies Whitepaper
http://bit.ly/FEYERansomware