Slide 2
FortiGuard Services
FORTIGUARD ANTIVIRUS SERVICE
FORTIGUARD ANTISPAM SECURITY SERVICE
FORTIGUARD WEB SECURITY SERVICE
FORTIGUARD DATABASE SECURITY SERVICE
FORTIGUARD IP REPUTATION SERVICE
FORTIGUARD VULNERABILITY MANAGEMENT SERVICE
FORTIGUARD WEB FILTERING SERVICE
FORTIGUARD INTRUSION PREVENTION SERVICE
FORTIGUARD APPLICATION CONTROL SERVICE
What is FortiGuard? Advanced Defense
Slide 3
Sandbox 101
Sandbox has many meanings…
• Container to hold sand to improve rail adhesion
• Shallow playground construction to hold sand
• Virtual container in which untrusted programs can be safely run
• Soviet Anti-Ship Missile (SS-N-12)
SS-N-12 Sandbox
The Sandbox
What do we mean?
Slide 4
Sandbox 101
VIRTUAL END-USER ENVIRONMENT
• Code is executed in a contained, virtual environment
• Goal is to replicate typical workstations
• Output is analyzed to determine characteristics
• Some characteristics are malicious
• Known virus downloads
• Registry modifications
• Outbound connection to malicious IPs
• Infection of processes
Unsafe action, escape attempt
Controlled communication inspection
X
What is Sandboxing?
Virtual analysis – nothing new
Slide 5
Sandbox 101
BEHAVIOR BASED DETECTION vs. SIGNATURE
• Signature based detection can’t catch everything
• Run time analysis can catch things static (signature) inspection may not
• Inspection runs post-execution, so all aspects are examined
BUT WAIT, THERE’S MORE …
• Malware often downloads more malware
• Sandboxing catches this and inspects the lifecycle
Why Sandbox?
Modern threats (APT / ATAs) are tough to detect
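The behaviour-based scoring described on slides 4 and 5, as an added example that is not Fortinet's code: a constructed "pid kind detail" sandbox trace is scored against rules for the characteristics listed (Run-key persistence, outbound connection to a listed IP, a dropped file with a known-bad hash, process injection). The IP, hash and trace lines are constructed placeholders.

```python
import re

# Constructed reputation data (placeholders, not real indicators).
MALICIOUS_IPS = {"203.0.113.7"}          # TEST-NET-3 address standing in for a bad IP
KNOWN_BAD_SHA256 = {"aa" * 32}           # placeholder hash of a "known virus"

# Each rule: (event kind, predicate on the event detail, weight, finding label).
RULES = [
    ("registry", lambda d: "\\CurrentVersion\\Run" in d, 3, "persistence via Run key"),
    ("connect", lambda d: d.split(":")[0] in MALICIOUS_IPS, 4, "outbound to malicious IP"),
    ("drop", lambda d: d.split()[-1] in KNOWN_BAD_SHA256, 5, "dropped known virus"),
    ("inject", lambda d: True, 4, "code injected into another process"),
]

# Constructed trace format: "<pid> <kind> <detail>", one event per line.
LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<kind>\w+)\s+(?P<detail>.+)$")

def parse_trace(text):
    """Yield (pid, kind, detail) for every well-formed trace line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["pid"], m["kind"], m["detail"]

def score_trace(text):
    """Return (score, findings): each matched rule adds its weight."""
    score, findings = 0, []
    for pid, kind, detail in parse_trace(text):
        for rule_kind, matches, weight, label in RULES:
            if kind == rule_kind and matches(detail):
                score += weight
                findings.append(f"pid {pid}: {label}")
    return score, findings

def verdict(text, threshold=5):
    """One high-weight finding or several weak ones cross the threshold."""
    return "malicious" if score_trace(text)[0] >= threshold else "clean"

SAMPLE_TRACE = "\n".join([
    "1204 file C:\\Users\\bob\\Downloads\\invoice.exe opened",
    "1204 registry HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd = C:\\Users\\bob\\AppData\\upd.exe",
    "1204 connect 203.0.113.7:443",
    "1204 drop C:\\Users\\bob\\AppData\\upd.exe sha256 " + "aa" * 32,
    "1204 inject target_pid=880 explorer.exe WriteProcessMemory",
])

if __name__ == "__main__":
    total, hits = score_trace(SAMPLE_TRACE)
    print(verdict(SAMPLE_TRACE), total, *hits, sep="\n")
```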
Slide 6
Advanced Persistent Threats
DISGUISE
• Advanced threats focus on disguise to slip past security detection
SURVIVABILITY
• Persistent threats aim to survive on systems as long as possible
IMPACT
• Threat to hard drive data
• Stolen IP, customer data
• Blackmail & Ransom
• Critical infrastructure
Detect Disguise, Kill the Chain
Reduce Survivability, Break Impact
Something Different?
Disguise, Survive, Impact
Slide 7
Advanced Persistent Threats
ADVANCED
• AV evasion
• Crypters
• IPS/App evasion
• Obfuscation
• Custom protocol
• Piggybacking
• Dynamic Decryption
• Code decrypted at runtime
PERSISTENT
• Rootkits
• Hide threats at O/S layer
• Bootkits
• Invoke at startup
• Process killers
THREATS
• Keyloggers
• Steal data
• Ransomware
• Encrypt data and hold for ransom
• HD Wipers
So what do they do?
Disguise, Survive, Impact
Slide 8
Sandbox 101
VISIBILITY & REPORTS – FOR THE SOC
• New viral families may not have existing signatures
• Shows potentially unwanted activity on a system
• Output and characteristics gathered
• Useful for reports
• Correlate connected components
INCIDENT RESPONSE
• Infection is likely underway, how to deal with it?
Why Sandbox?
It completes the puzzle
Slide 9
Sandbox 101
Sandbox Evasion Techniques
• VM detection
• Time bombs
• Debug loops
• Event triggers
• Mouse clicks
• System reboots
Common Sandbox Problems
• Fixed operating systems
• Only a few to pick from, and it’s slow
• Fixed software versions
• Adobe Reader, Java
• Attacks very specific to certain versions
• e.g. some require the newest version of Java
• Malware won’t execute in the sandbox
• Will execute once passed through
The Sandbox Challenge
Bring Your Own Sandbox … Evasion Techniques that are used widely
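The evasion techniques on this slide, seen from the analysis side, as an added example that is not Fortinet's code: a constructed "Api(args)" call trace is checked for a debugger probe, queries for VM artifacts, a long sleep (time bomb) and repeated cursor polling (waiting for a mouse click), so that a sample which probes its environment and then exits quietly is escalated rather than rated clean. The API names, thresholds and trace lines are assumptions for this example.

```python
import re

# Constructed indicators for the evasion classes on the slide (not a product ruleset).
VM_ARTIFACTS = re.compile(r"vmware|vbox|virtualbox|qemu|vmmouse|vmtools", re.I)
ARTIFACT_APIS = {"RegOpenKeyEx", "RegQueryValueEx", "CreateFile", "GetFileAttributes"}
DEBUG_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess"}
SLEEP_LIMIT_MS = 60_000    # total sleep above this looks like a time bomb
CURSOR_POLL_LIMIT = 20     # this many cursor polls looks like waiting for a mouse click

# Constructed trace format: one "Api(args)" call per line.
CALL_RE = re.compile(r"^(?P<api>\w+)\((?P<args>.*)\)$")

def parse_calls(text):
    for line in text.splitlines():
        m = CALL_RE.match(line.strip())
        if m:
            yield m["api"], m["args"]

def find_evasion(text):
    """Return the sorted list of evasion classes seen in the trace."""
    found, sleep_ms, polls = set(), 0, 0
    for api, args in parse_calls(text):
        if api == "Sleep":
            sleep_ms += int(args) if args.isdigit() else 0
        elif api in DEBUG_APIS:
            found.add("debugger check")
        elif api == "GetCursorPos":
            polls += 1
        elif api in ARTIFACT_APIS and VM_ARTIFACTS.search(args):
            found.add("vm detection")
    if sleep_ms > SLEEP_LIMIT_MS:
        found.add("time bomb")
    if polls >= CURSOR_POLL_LIMIT:
        found.add("event trigger (mouse)")
    return sorted(found)

def triage(text):
    """Recommend the next tier: no evasion seen means the short-run verdict stands."""
    evasion = find_evasion(text)
    if not evasion:
        return "accept verdict"
    return "escalate to full sandbox (longer run, simulated user input): " + ", ".join(evasion)

SAMPLE_TRACE = "\n".join(
    ["IsDebuggerPresent()",
     "RegOpenKeyEx(HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools)",
     "GetFileAttributes(C:\\Windows\\System32\\drivers\\vmmouse.sys)",
     "Sleep(300000)"] + ["GetCursorPos(&pt)"] * 25 + ["ExitProcess(0)"])

if __name__ == "__main__":
    print(triage(SAMPLE_TRACE))
```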
Slide 10
FortiSandbox
FortiGuard Labs - On Top of It
• Discover latest evasion techniques
• Intelligent Evasion Inspection
• e.g. VM detection code
• Quickly address any new measures
• via AV Engine
• And FortiSandbox
• All in house!
The Only All-In-One Sandbox
• World Class Fortinet Antivirus
• Scan & Sandbox (EXE, PDF, JS)
• Integrated Web Filtering
• Scan connected domains
• Drill Down Reports: PCAP & Behavior
• Unified Sandbox
• Local scan to detect sandbox evasion
• Fall back to full sandbox
• Local file upload supported
Introducing FortiSandbox
Complements existing Fortinet technology
Slide 12
FortiSandbox
FortiSandbox – Best of Breed
Patent pending CPRL, industry leading AV all in one!
[Chart: effectiveness by scanning mode – STREAM 98.6% effective; PROXY 99.82% effective; PROXY 99.81% effective; STREAM 28.18% effective; WILDLIST 573 / 18,165]
Slide 13
The Fortinet Advantage – Security & Performance
Multi-tiered file processing optimizes resource usage, improving security, capacity and performance
Virtual OS Sandbox
Real Time Sandbox
AV Engine
• OS independent
• Not subject to VM evasion techniques
• Lightweight
• Industry-validated, with a superior RAP score (ability to detect variants, proactive detection)
• Updated in real time
Slide 14
The Fortinet Advantage - Deployment
Flexible Deployment Options
• Offers the most suitable implementation depending on requirements and infrastructure
• Protects the investment by allowing different deployment modes as requirements change
Branch Offices (Distributed Enterprise)
Data Center
Headquarters (Enterprise Core)
Standalone Mode – Ideal for scalable requirements
Integrated Mode – Ideal for a centralized gateway with inline protection
Distributed Mode – Ideal for protection in a distributed environment
Slide 15
The Fortinet Advantage - ROI
WEB MAIL FILE
Competitors' Solution
• Multiple appliances are required, one for each application
• Poor ROI, high TCO
• Adds more management burden
Fortinet Solution
• Central file scanning from various applications and sources, including mobile devices
• Simplifies threat management, provides faster ROI
FILE MAIL WEB Instant Messenger
Slide 16
Deep AV Scan & RTS
• 96% RAP before Sandbox
• No need to sandbox if caught
FortiSandbox
Solving the Sandbox Problem
Look first for what we know, then inspect suspicious
Cloud Check
Real time check on latest malware rating
Full Sandbox
Catch anything not caught by signature detection
Forensics
Behavior Report
Downloaded & Dropped Files Recursively Scanned
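The tiered flow of this slide and slide 13 ("look first for what we know, then inspect suspicious", dropped files scanned recursively), as an added example that is not Fortinet's code: a known verdict short-circuits everything, a cheap local check (a PE-header-plus-entropy heuristic standing in for the real-time sandbox) decides what goes to the full sandbox, and every file the full sandbox reports as dropped re-enters at tier 1, with a visited set and depth limit so a sample that re-drops its own dropper cannot loop. The sample corpus, hashes and full-sandbox results are constructed stand-ins.

```python
import hashlib
import math
from collections import Counter
# Constructed sample corpus (name -> bytes); placeholders, not real malware.
SAMPLES = {
    "invoice.exe": b"MZ" + bytes(range(256)) * 4,          # packed-looking: suspicious
    "upd.exe":     b"MZ" + bytes(range(0, 256, 2)) * 3,    # dropped by invoice.exe
    "loader.bin":  b"\x00\x01" * 50,                       # dropped by upd.exe, known bad
    "note.txt":    b"just a note, nothing else here",      # dropped by invoice.exe, benign
    "readme.txt":  b"hello world " * 20,                   # known good
}
# Constructed full-sandbox behaviour: sample -> (verdict, files it drops).
FULL_SANDBOX = {
    "invoice.exe": ("malicious", ["upd.exe", "note.txt"]),
    "upd.exe":     ("malicious", ["loader.bin", "invoice.exe"]),  # cycle on purpose
}
KNOWN_BAD = {hashlib.sha256(SAMPLES["loader.bin"]).hexdigest()}   # stand-in AV signature
KNOWN_GOOD = {hashlib.sha256(SAMPLES["readme.txt"]).hexdigest()}  # stand-in clean rating
def entropy(data):
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())
def tier1_signature(h):
    """Known verdict: no sandboxing required."""
    return "malicious" if h in KNOWN_BAD else "clean" if h in KNOWN_GOOD else None
def tier2_realtime(data):
    """Cheap OS-independent check (stand-in for RTS): PE header plus high entropy."""
    return "suspicious" if data[:2] == b"MZ" and entropy(data) > 6.0 else "clean"
def triage(name, results=None, depth=0, max_depth=3):
    """Return {name: (deciding tier, verdict)} for the sample and all it drops."""
    results = {} if results is None else results
    if name in results or depth > max_depth:       # dedupe and bound the recursion
        return results
    data = SAMPLES[name]
    verdict = tier1_signature(hashlib.sha256(data).hexdigest())
    if verdict:
        results[name] = ("signature", verdict)
        return results
    if tier2_realtime(data) == "clean":
        results[name] = ("realtime", "clean")
        return results
    verdict, dropped = FULL_SANDBOX.get(name, ("clean", []))
    results[name] = ("full-sandbox", verdict)
    for child in dropped:                          # dropped files go back through tier 1
        triage(child, results, depth + 1, max_depth)
    return results
```

Calling `triage("invoice.exe")` returns four entries: the two full-sandbox verdicts, `loader.bin` caught by signature without sandboxing, and `note.txt` cleared by the cheap check.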
Slide 17
FortiCloud Sandbox
Where’s Your Data?
1) FortiOS AV Engine provides local sandbox
2) Still suspicious samples sent for cloud sandbox analysis
3) Results are correlated across all FortiGuard Services
4) Updates pushed out by FortiGuard Network
Slide 18
FortiSandbox
Where’s Your Data?
1) Files processed through FortiGate
2) Sent to FortiSandbox for AV & Sandbox
3) Files collected, scanned
4) Results sent to FortiGuard for updates
5) Updates pushed out by FortiGuard Network (to FortiGates, FortiSandbox)
Slide 19
FortiSandbox
FortiGuard Learning
Signatures created to update global devices
Global Intelligence Network
• Where is your Data?
• FortiSandbox is local (cloud optional)
• FortiGuard Cloud is external
• Global Sandbox Updates
AV, WCF and Botnet DBs updated
System Utilities (Behavior Engine)
Rating Engine
Traffic Sniffer
Slide 20
KNOW
Filter known Malware (No Sandboxing Required)
Detect Sandbox Evading Malware (Real Time Sandbox)
Full Sandbox
Incident Response
Update Devices
Refactor (Incident Response)
Raise Awareness
SUSPECT
LEARN
SHARE
FortiGuard: The Sandbox Fit
Slide 21
Incident Response Service
How Does it Work?
1) LOGIN & SUBMIT
• http://premier.fortiguard.com
• Communicate message
• Attach binary / PCAP sample
2) UPDATE & MITIGATE
• View and correspond
• Get signature updates
• Manual, FDN
3) ANALYZE & RESPOND
• Threat remediation
• Understand nature of threat
• Take action
Timeline:
0 Hours: Suspicious Activity, Incident Reported, Zero Day Attack
4 Hours: Malware Spread Mitigated, AV Signatures, Brief Analysis
8 Hours: Feedback & Follow up
12 Hours: IPS Signatures, Exploit Spread Mitigated, Feedback & Follow up
48 Hours: Full Analysis
FortiGuard – Premier Services
Slide 22
Practical Sandbox Applications
Case Studies: Sandbox Visibility
Low Volume, Targeted Threat Cases
• Generally harder to get samples
Targeted Industrial Plants / Low Volume / Victim / Crime Services / QA (AV Scanning Undetected) / Zero Day IPS Vulnerability
• Operation Aurora, December 2009
• RSA SecurID, March 2011
• South Korea Wiper, March 2013
• Flame, May 2012
FortiSandbox Detects vs. Crime Services and QA