2. solutions for demanding business
FireEye – Advanced Threat Protection
Dane Hinić
Senior Consultant
dane.hinic@asseco-see.rs
3. Traditional Security Solutions
IPS: attack-signature-based detection, shallow application analysis, high false positives, no visibility into the advanced attack lifecycle.
Secure Web Gateways: some analysis of script-based malware, AV, IP/URL filtering; ineffective against advanced targeted attacks.
Desktop AV: signature-based detection (some behavioral); ineffective against advanced targeted attacks.
Anti-Spam Gateways: rely largely on antivirus, signature-based detection (some behavioral); no true spear-phishing protection.
Firewalls/NGFW: block IP/port connections, application-level control, no visibility.
Despite all this technology, 95% of organizations are compromised.
4. Multi-Staged Cyber Attack
Exploit detection is critical: all subsequent stages can be hidden or obfuscated.
[Diagram: exploit server, callback server, firewall, IPS and two file shares, with the five stages numbered along the attack path]
1. Exploitation of System
2. Malware Executable Download
3. Callbacks and Control Established
4. Lateral Spread
5. Data Exfiltration
5. What Is an Exploit?
Compromised webpage with exploit object:
1. Exploit object rendered by vulnerable software
2. Exploit injects code into running program memory
3. Control transfers to exploit code
Exploit object can be in ANY web page.
An exploit is NOT the same as the malware executable file!
6-9. Structure of a Multi-Flow APT Attack
[Diagram built up over four slides: Exploit Server, Callback Server, Encrypted Malware and Command and Control Server, each reaching the endpoint over a separate flow]
1. Embedded exploit alters endpoint (Exploit Server)
2. Callback (Callback Server)
3. Encrypted malware downloads (Encrypted Malware)
4. Callback and data exfiltration (Command and Control Server)
10. FireEye's Technology: State of the Art Detection
DETONATE, ANALYZE, CORRELATE (500,000 objects/hour)
Object sources: Network, Email, Mobile, Files
Analysis scope: within VMs, across VMs, cross-enterprise
Attack stages tracked: Exploit, Callback, Malware Download, Lateral Transfer, Exfiltration
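The multi-flow structure on slides 6-10 is what a correlating detector has to reconstruct: each flow (exploit, callback, encrypted download, command-and-control with exfiltration) looks unremarkable on its own, and the deck's point that exploit detection is critical shows up as the chain having to start at the exploit stage. The Python below is an added example written for this page, not FireEye code; it correlates per-host stage events in time order using a constructed sample event list and an assumed one-hour window between consecutive stages, and reports a callback seen without a preceding exploit separately rather than dropping it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Stages of the multi-flow attack in the order the deck presents them.
STAGES = ("exploit", "callback", "malware_download", "c2_exfiltration")

# Constructed sample events (timestamp, host, stage, detail); not real data.
# Individually each is a low-confidence single-flow observation.
SAMPLE_EVENTS = [
    ("2014-03-03T09:01:05", "10.0.0.21", "exploit", "exploit object rendered by browser plug-in"),
    ("2014-03-03T09:01:09", "10.0.0.21", "callback", "beacon to callback server"),
    ("2014-03-03T09:01:40", "10.0.0.21", "malware_download", "encrypted payload, 412 KB"),
    ("2014-03-03T09:30:12", "10.0.0.21", "c2_exfiltration", "periodic POSTs, 2 MB outbound"),
    ("2014-03-03T10:15:00", "10.0.0.42", "callback", "beacon, no preceding exploit seen"),
    ("2014-03-03T11:02:00", "10.0.0.7", "exploit", "malformed document rendered"),
    ("2014-03-04T11:05:00", "10.0.0.7", "callback", "beacon a full day later"),
]


def correlate(events, window=timedelta(hours=1)):
    """Group events per host and walk them in time order, extending a chain
    only when the next event is the next expected stage and arrives within
    `window` (an assumed value) of the previous chained event. Anything that
    does not fit the chain is recorded as an orphan stage."""
    by_host = defaultdict(list)
    for ts, host, stage, detail in events:
        by_host[host].append((datetime.fromisoformat(ts), stage, detail))
    results = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e[0])
        chain, orphans = [], []
        for ts, stage, detail in evs:
            nxt = len(chain)
            in_order = nxt < len(STAGES) and stage == STAGES[nxt]
            in_time = not chain or ts - chain[-1][0] <= window
            if in_order and in_time:
                chain.append((ts, stage, detail))
            else:
                orphans.append((ts, stage, detail))
        results[host] = {
            "chain": [s for _, s, _ in chain],
            "orphans": [s for _, s, _ in orphans],
        }
    return results


VERDICTS = {1: "exploit-attempted", 2: "compromised",
            3: "malware-installed", 4: "exfiltrating"}


def verdict(host_result):
    """Severity from chain depth. A stage seen without the exploit that must
    precede it is flagged rather than ignored: the exploit may have been
    missed, and later stages are the ones an attacker can obfuscate."""
    depth = len(host_result["chain"])
    if depth == 0:
        return "isolated-stage" if host_result["orphans"] else "clean"
    return VERDICTS[depth]


if __name__ == "__main__":
    for host, res in correlate(SAMPLE_EVENTS).items():
        print(f"{host:10} {verdict(res):18} chain={res['chain']} orphans={res['orphans']}")
```

With the sample data, 10.0.0.21 produces the full four-stage chain, 10.0.0.7 keeps only the exploit because its callback falls outside the window, and 10.0.0.42 is reported as an isolated stage because no exploit was ever seen for it.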
11. Who detected the attack first? (Detections by month)
[Bar chart: months 07/13 to 12/13, y-axis 0 to 30000 detections; series "FireEye found first" versus "Detected by vendor in VirusTotal"]
12. Industry: Government (Federal)
Top APT / Business Impact
Backdoor.APT.Houdini (25%): Loss of sensitive information. Houdini is believed to be the developer's name of a VBS-based RAT known to target the international energy industry and take part in spammed email campaigns.
Top Crimeware / Business Impact
Malware.Archive (68%): Malware is discovered inside an archive file (ZIP, RAR).
Malware.Binary (52%): Loss of sensitive financial information, e.g. credit card, banking login.
FireEye PoV: Customers 31, Compromised 100%, Had APT 39%
[Chart: Max and Average per week for Web Exploit, Malware Download, Unique Malware, Unique Callback, Impacted Hosts; extracted values with bar labels lost: 0.39, 2.63, 11058.1, 11046.3, 303.06, 4939, 164.75, 13.95, 350.44, 352.55]
13. Industry: High-Tech
Top APT / Business Impact
Backdoor.APT.Gh0stRAT (40%), Backdoor.APT.DarkComet (40%): Remote Access Tools (RAT) that lead to loss of intellectual property, trade secrets, and sensitive internal communication.
Top Crimeware / Business Impact
Malware.Binary (67%): Never-seen-before malware. Signature-based protection is defenseless.
Exploit.Kit.Neutrino (67%): Infection with several types of malware that steal credentials or restrict access to the computer and demand ransom.
FireEye PoV: Customers 18, Compromised 100%, Had APT 28%
[Chart: Max and Average per week for Web Exploit, Malware Download, Unique Malware, Unique Callback, Impacted Hosts; extracted values with bar labels lost: 1.46, 8.66, 41486.9, 43022.5, 86.92, 3011.14, 198.9, 12.9, 2708.9, 2629.8]
14. Industry: Financial
Top APT / Business Impact
Backdoor.APT.Houdini (29%): Loss of sensitive information. Houdini is believed to be the developer's name of a VBS-based RAT known to target the international energy industry and take part in spammed email campaigns.
Top Crimeware / Business Impact
Exploit.Browser (66%): An attempt to compromise the endpoint by exploiting a vulnerability in the Web browser. If successful, the attacker can install and execute malicious software without the end user's consent.
Exploit.Kit.Neutrino (54%): Infection with several types of malware that steal credentials or restrict access to the computer and demand ransom.
FireEye PoV: Customers 71, Compromised 99%, Had APT 10%
[Chart: Max and Average per week for Web Exploit, Malware Download, Unique Malware, Unique Callback, Impacted Hosts; extracted values with bar labels lost: 0.78, 5.68, 1602.83, 1405.78, 174.1, 3183.1, 90.48, 6.26, 24.21, 34.85]
15. Industry: Services / Consulting / VAR
Top APT / Business Impact
Backdoor.APT.XtremeRAT (50%): Being victim of common RAT capabilities including key logging, screen capturing, video capturing, file transfers, system administration, password theft, and traffic relaying.
Top Crimeware / Business Impact
Exploit.Browser (53%): An attempt to compromise the endpoint by exploiting a vulnerability in the Web browser. If successful, the attacker can install and execute malicious software without the end user's consent.
Malware.Archive (53%): Malware is discovered inside an archive file (ZIP, RAR).
FireEye PoV: Customers 19, Compromised 100%, Had APT 11%
[Chart: Max and Average per week for Web Exploit, Malware Download, Unique Malware, Unique Callback, Impacted Hosts; extracted values with bar labels lost: 1.75, 20.77, 83.06, 52.15, 151.15, 187.85, 18.05, 12.23, 5.57, 13.34]
16. FireEye Product Portfolio
[Diagram: existing controls (SEG, IPS, SWG, MDM, host anti-virus) alongside the MVX-based FireEye platforms]
MVX
Threat Analytics Platform
Dynamic Threat Intelligence
Network Threat Prevention
Content Threat Prevention
Mobile Threat Prevention
Endpoint Threat Prevention
Email Threat Prevention
Note:
Threats at the perimeter: Network Threat Prevention Platform.
Data center: Content Threat Prevention Platform for latent malware.
Obviously many people are now bringing in mobile devices; with Mobile Threat Prevention, we are able to leverage MVX to analyze the new class of threats, threats via mobile apps, e.g. apps stealing contacts, which provides the attacker with email information (and legally valid sources) for the next stage of the attack.
On the endpoint, Mandiant brings us the MSO product, which will be rebranded into the FireEye platform as the Endpoint Threat Prevention Platform.
Finally, we have the Email Threat Prevention Platform for the spear-phishing attacks that attackers use to penetrate organizations.
The Threat Analytics Platform is a new product for analyzing advanced threats using a combination of event logs and security device logs with homegrown threat intelligence from FireEye.