1

19 September 2014
IDG Säkerhetsdagen, Göteborg 2014

What is needed before sandboxing, and why?

Nils von Greyerz, System Engineer, Fortinet Sweden
[email protected]

2

Problem #1: The number of threats keeps growing
FortiGuard figures for Q3 2014 (Q3 2013 in parentheses)

Live counters shown on the slide (the values were in the graphic, not in the text):
• Spam e-mails intercepted
• Malware programs neutralized
• Network intrusion attempts resisted
• Attempts to access malicious websites blocked
• Botnet command-and-control attempts thwarted
• Website categorization requests

Research and database figures:
• 5,700 (2,500) application control rules
• 120 TB (70 TB) of threat samples
• 15.9k (12k) intrusion prevention rules
• 250 million rated websites in 78 categories
• 143 zero-days discovered
• 170 (70) intrusion prevention rules
• 8,000 hours of research in labs around the globe
• 800k (150k) new and updated antivirus definitions
• 66M (65M) new and updated antispam rules
• 2.7M (600k) URL ratings for web filtering

3

Problem #2: The number of different systems keeps growing (attack vectors)

Figure on the slide: device types, including external hard drives

4

Problem #3: Many existing services can be used to hide activity

An enormous number of malicious websites and services

5

• June 2013: South Korea DDoS
  » Hacked Korean website (Simdisk)
  » TOR C&C module (Deep Web)
  » Nameserver takedown (DDoS)

6

Problem 4: APT and ATA
What are APTs? ATAs? Defining Advanced Persistent Threats: D.S.I.

DISGUISE
• Advanced threats focus on disguise to slip past security detection
• Response: detect disguise

SURVIVABILITY
• Persistent threats aim to survive on systems as long as possible
• Response: kill the chain, reduce survivability

IMPACT
• Hard drive killers
• Stolen IP, customer data
• Blackmail & ransom
• Critical infrastructure
• Response: break impact

7

What Is REALLY Going On?
THREAT LANDSCAPE TRENDS

8

2013 Threat Landscape Developments

Q1 2013 (IDC): 79M PC shipments, 216.2M smartphones shipped

Mobile:
• February: Claco, Android cross-platform worm
• March: Android.Plankton hits the malware top 10
• July: Android.FakeDefender, first mobile ransomware

Timeline:
• Jan 10: Java remote code execution, MBean exploit zero-day (CVE-2013-0422)
• Jan 29: 7 UPnP vulnerabilities, remote code execution (CVE-2012-5958 to CVE-2012-5965)
• Feb 28: NBC.com hacked, MBean exploit serving the Citadel botnet
• Mar 19: Spamhaus/CloudFlare DDoS, 300 Gbit/s DNS amplification
• Mar 20: South Korea hard-disk wiper, wiped Windows & Linux, 50,000+ systems destroyed
• Jun 25: South Korea DDoS, Simdisk hack, government nameservers
• Nov 07: Fokirtor, advanced Linux backdoor (SSH piggyback)
• Dec 15: Target data breach

9

2014 Threat Landscape Developments

Q2 2014 (IDC): 301.3M smartphones shipped, Android 84.7% market share

Mobile:
• February: drive-by mobile infection (DriveGenie)
• June: Pletor mobile ransomware (document encryption)
• July: Dorkbot/Ngrbot "Kamikaze"

Timeline:
• Feb 13: IoT: The Moon worm, Linksys routers
• Apr 07: Heartbleed, vulnerable OpenSSL
• May 26: Apple iCloud ransomware, $100 / EUR 100 ("Oleg Pliss")
• Jun 10: Evernote hack, 164,644 forum members (compare Mar 2013: Evernote hack, 50M users)
• Jun 23: Havex RAT, OPC server spying
• Aug 05: Cybervor, 1.2B usernames & passwords, 500M e-mail addresses
• Aug 15: Supervalu data breach, 200 stores affected

10

Threat Trends – Exploits

“Old Habits Die Hard”

11

Real-World "Internet of Things" Vulnerabilities

• SCADA/ICS HMI (Human Machine Interface)
• OPC communication (Havex)
• PLC hardware
• "The Moon" worm (Linksys routers)

• This is real: we observe it
• Shodan + vulnerabilities
  » 2012: 10,000 public ICS exposed and vulnerable (Eireann Leverett mapped vulnerabilities to critical systems)
  » 2014: 28,000 NAS drives found
• UPnP, OPC, HNAP ... more problems

12

ADVANCED THREAT PROTECTION & THE FORTIGUARD ADVANTAGE

Stay tuned .. good news follows

13

Fortinet Advantage: Consolidation

Simple & cost-effective: Fortinet security model
Complex & costly: typical ad hoc model

14

Fortinet Advantage: Application Visibility, Manage Threats and Productivity

Application control attributes (table on the slide; the per-row ratings were in the graphic):

Category: Update, Email, IM, Proxy, Network Service, Game, P2P, Video/Audio, Collaboration, Remote Access, Botnet, Social Media, General Internet, Storage Backup, more categories
Technology: Browser-based, Network Protocol, Client-Server, Peer-to-Peer
Popularity: one to five stars (★ to ★★★★★)
Risk: Malware or Botnet, Bandwidth Consuming, None

15

Consolidated Security: The Evolution of the Firewall
Fortinet Delivers Complete Protection

• Firewall
• VPN
• IPS
• Application Control
• AntiMalware
• Data Loss Prevention
• SSL Inspection
• Endpoint Protection / NAC
• Real-Time Threat Updates
• Wireless Controller / Wireless LAN
• Dynamic Routing
• IPv6 & IPv4
• ATP & Sandboxing
• VoIP
• Virtual Appliance / Virtual Domains
• BYOD
• Web Filtering
• WAN Optimization / Traffic Shaping
• High Availability (HA)
• Identity Policies

16

FortiGuard
Research, Updates, Services

FortiGuard Research:
• Rootkits: kernel hooks
• Botnets: dynamic monitoring, spambots, new malware protocols
• Malware: code techniques in PDF/Flash/Doc
• Security: exploits & vulnerabilities, zero-day detection
• Packer research: unpacking, generic detection

FortiGuard Services:
• AV signatures: 4x daily
• IPS signatures: 2x daily
• Antispam / web content filtering: real time
• Sample collection
• Signature creation
• Alerts & escalation

Global Distribution Network:
• Application Control
• Vulnerability Management
• Antispam
• Web Filtering
• Intrusion Prevention
• Antivirus

17

Fortinet Sandboxing Model: ATP (Advanced Threat Protection), Layered Security

Layers in the order traffic meets them, with the sandbox last:
• Firewall
• Application Control
• Web filter
• Botnet & IP reputation
• AntiMalware
• Intrusion Prevention
• Data Leak Prevention
• Sandboxing

Real-time updates through FortiGuard

18

Fortinet in Action: Securing the Clients & Network

Attack chain on the slide:
• "Innocent" video link
  » Redirects to a malicious website
• "Out of date" Flash player message
  » Downloads the malware file
• Error message
  » Malware installs on the system and attempts to propagate

Where each step is stopped:
• Integrated web filtering blocks access to the malicious website
• Network antivirus blocks the download of the virus
• Intrusion prevention blocks the spread of the worm
• Authentication & encryption
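The layered model of the two preceding slides (cheap reputation and signature layers first, sandbox last, each step of the attack chain stopped by the earliest layer that recognises it) as an added Python example. This is illustration code written for this page, not code from the original deck or from any Fortinet product; the domain list, C2 address, malware hash, IPS byte pattern and the sandbox's "behaviour" marker are all constructed sample data, and the events are a made-up replay of the slide's video-link attack chain.

```python
from __future__ import annotations

from dataclasses import dataclass
from hashlib import sha256
from typing import Callable, Optional

# Constructed stand-ins for threat-intelligence feeds (not real FortiGuard data).
MALICIOUS_DOMAINS = {"video-update-cdn.example"}                      # web filter
C2_IPS = {"203.0.113.7"}                                               # botnet / IP reputation
KNOWN_MALWARE = {sha256(b"MZ fake flash installer v1").hexdigest()}   # antivirus hash set
IPS_SIGNATURES = {"worm.smb.propagation": b"PIPE\\srvsvc"}            # crude byte-pattern IPS rule


@dataclass
class Event:
    kind: str            # "url", "file" or "net"
    url: str = ""
    dst_ip: str = ""
    payload: bytes = b""


@dataclass
class Verdict:
    layer: str
    action: str          # "block" or "allow"
    reason: str = ""


def web_filter(ev: Event) -> Optional[Verdict]:
    if ev.kind == "url":
        host = ev.url.split("//", 1)[-1].split("/", 1)[0]
        if host in MALICIOUS_DOMAINS:
            return Verdict("webfilter", "block", f"malicious site {host}")
    return None


def ip_reputation(ev: Event) -> Optional[Verdict]:
    if ev.dst_ip in C2_IPS:
        return Verdict("reputation", "block", f"C2 address {ev.dst_ip}")
    return None


def antivirus(ev: Event) -> Optional[Verdict]:
    if ev.kind == "file" and sha256(ev.payload).hexdigest() in KNOWN_MALWARE:
        return Verdict("antivirus", "block", "known malware hash")
    return None


def ips(ev: Event) -> Optional[Verdict]:
    if ev.kind == "net":
        for name, pattern in IPS_SIGNATURES.items():
            if pattern in ev.payload:
                return Verdict("ips", "block", name)
    return None


def sandbox(ev: Event) -> Verdict:
    # Simulated detonation: a constructed marker stands in for the behaviour a
    # real sandbox would observe while executing the sample.
    if b"CreateRemoteThread" in ev.payload:
        return Verdict("sandbox", "block", "dropper behaviour observed")
    return Verdict("sandbox", "allow", "no suspicious behaviour")


# Cheap, signature- and reputation-based layers, in the order traffic meets them.
LAYERS: list[Callable[[Event], Optional[Verdict]]] = [web_filter, ip_reputation, antivirus, ips]


def inspect(ev: Event, sandbox_cache: dict[str, Verdict]) -> Verdict:
    """First blocking layer wins; only still-unknown files are detonated."""
    for layer in LAYERS:
        verdict = layer(ev)
        if verdict is not None:
            return verdict
    if ev.kind != "file":
        return Verdict("policy", "allow", "no layer objected")
    digest = sha256(ev.payload).hexdigest()
    if digest not in sandbox_cache:          # detonate each unique sample once
        sandbox_cache[digest] = sandbox(ev)
    return sandbox_cache[digest]


# Constructed events replaying the attack chain on the slide.
ATTACK_CHAIN = [
    Event("url", url="http://video-update-cdn.example/watch?v=1"),        # "innocent" video link
    Event("file", payload=b"MZ fake flash installer v1"),                  # "out of date Flash" download
    Event("file", payload=b"MZ repacked CreateRemoteThread"),              # repacked variant, no AV hash
    Event("file", payload=b"MZ repacked CreateRemoteThread"),              # same sample seen again
    Event("net", dst_ip="10.0.0.5", payload=b"SMB PIPE\\srvsvc exploit"),  # worm propagation
    Event("net", dst_ip="203.0.113.7", payload=b"beacon"),                 # C2 check-in
]


def run_chain(events: list[Event] = ATTACK_CHAIN) -> tuple[list[Verdict], int]:
    """Return the verdict per event and how many samples the sandbox had to run."""
    cache: dict[str, Verdict] = {}
    verdicts = [inspect(ev, cache) for ev in events]
    return verdicts, len(cache)


if __name__ == "__main__":
    verdicts, detonations = run_chain()
    for ev, v in zip(ATTACK_CHAIN, verdicts):
        print(f"{ev.kind:4} -> {v.layer:10} {v.action:5} {v.reason}")
    print(f"sandbox detonations: {detonations} of {len(ATTACK_CHAIN)} events")
```

Of the six events only one unique sample ever reaches the sandbox: the web filter, antivirus, IPS and reputation layers each stop the step they recognise, and the verdict cache keeps the repacked variant from being detonated twice. That is the point of the layering on the slide: the sandbox is the expensive last resort, not the first line.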

19

FortiGate Differentiators

One-stop shop
• Everything developed in-house

Hardware acceleration
• Real-time security features
• Custom-built ASICs

Per-box licensing
• No user restrictions
• No IP restrictions
• No additional costs for HA etc.

FortiGuard Services
• Developed, maintained and updated by Fortinet

Same functions in all sizes
• Same FortiOS

Worldwide deployments
• EMEA and US are similar in revenue
• followed by SEA

Third-party certifications

20

THANK YOU