
Page 1: Stopping targeted cyber attacks March 18th, 2013 Security Workshop/0011___Ray... · Exploitation of system1 3 Callbacks and control established 2 Malware executable download Compromised1

Copyright (c) 2011, FireEye, Inc. All rights reserved. | CONFIDENTIAL 1

Stopping targeted cyber attacks

March 18th, 2013

Modern Malware Protection Solutions

Ray Kafity

Senior Director

FireEye Middle East, Turkey and Africa

Page 2

The New Breed of Cyber Attacks

• Nature of threats changing

• Today’s attacks sophisticated and successful

“Organizations face an evolving threat scenario that they are ill-prepared to deal with….threats that have bypassed their traditional security protection techniques and reside undetected on their systems.” Gartner, 2012

[Timeline chart, 2005 to 2013, vertical axis “Damage of Attacks”: Worms, Viruses (Disruption); Spyware/Bots (Cybercrime); Stealth Bots, Dynamic Trojans, Zero-Day Targeted Attacks, Advanced Persistent Threats (Cyber-Espionage and Cybercrime)]

Page 3

High Profile Attacks Are Increasingly Common

Page 4

Numbers Show a Harsh Reality

• 2/3 of U.S. firms report that they have been the victim of cybersecurity

• 40% of all IT executives expect a major cybersecurity incident

• 115% CAGR unique malware since 2009

• 9,000+ malicious websites identified per day

• Every second 14 adults become a victim of cyber crime

• 6.5x number of cyber attacks since 2006

• 95 new vulnerabilities discovered each week

Page 5

What’s Changed?

NEW THREAT LANDSCAPE

• Dynamic, Polymorphic Malware

• Coordinated Persistent Threat Actors

• Multi-Vector Attacks

• Multi-Staged Attacks

Page 6

Targeting an Organization’s Valuable Assets

[Diagram. Targeted people: CFO, Director of Engineering, Government Employee. Targeted assets: Financial Information, Intellectual Property, National Security Information. Attack vectors: Web-Based Attack, Spear Phishing, File-Based Attack]

Page 7

Threat Actors

• APT Actors

• Crimeware Actors

• Hacktivists (Anonymous, LulzSec)

Page 8

APT Actors & Crimeware Actors

An unholy alliance?

[Diagram: Crimeware actors sell compromised systems to APT actors; APT actors sell “burned” 0-day exploits to crimeware actors]

Page 9

The Point?

• If you have a fair amount of common malware infections (crimeware), you may never see unique APT attacks

• APT actors may simply leverage your existing crimeware backdoors

• Therefore, you still have to respond to the low grade attacks, because they can become high grade for a valuable target

Page 10

400 Incidents Per Week Per Gbps

Page 11

The Attack Life Cycle – Multiple Stages

1. Exploitation of system

2. Malware executable download

3. Callbacks and control established

4. Malware spreads laterally

5. Data exfiltration

[Diagram components: compromised Web server or Web 2.0 site (stage 1), Callback Server (stages 2 and 3), IPS at the perimeter, internal File Share 1 and File Share 2 (stages 4 and 5)]

Page 12

Traditional Defenses Don’t Work

• Firewalls/NGFW

• Secure Web Gateways

• IPS

• Anti-Spam Gateways

• Desktop AV

The new breed of attacks evade signature-based defenses

Page 13

The Enterprise Security Hole

[Diagram. Attack vectors: Web-Based Attacks, Malicious Files, Spear Phishing Emails. Defenses they pass through: NGFW, FW, IPS, SWG, AV. Result: SECURITY HOLE]

Page 14

A New Model is Required

Legacy Pattern-Matching Detection Model

• Signature-Based

• Reactive

• Only known threats

• False positives

New Virtual Execution Model

• Signature-less

• Dynamic, real-time

• Known/unknown threats

• Minimal false positives

[Diagram: a byte-pattern signature matched against a binary stream (MATCH) versus execution of the sample in a virtual environment]

Page 15

Attacks Increasingly Sophisticated

Dynamic Web Attacks, Malicious Exploits, Spear Phishing Emails

Multi-Vector

• Delivered via Web or email

• Blended attacks with email containing malicious URLs

• Uses application/OS exploits

Multi-Stage

• Initial exploit stage followed by malware executable download, callbacks, and exfiltration

• Lateral movement to infect other network assets
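As an added illustration of the multi-stage life cycle from Page 11 and the Multi-Stage bullets above (not code from the FireEye deck), the following Python correlates constructed proxy log lines per client host and flags the stages a web proxy can actually observe: an HTML page viewed just before an executable download (stage 1 candidate plus stage 2) and evenly spaced callbacks to one host (stage 3). All hosts, addresses, content types and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not real traffic): time, client, method, host, path, content-type.
PROXY_LOG = """\
2013-03-18T09:00:01 10.1.1.20 GET news.example.test /story.html text/html
2013-03-18T09:00:09 10.1.1.20 GET cdn.example.test /update.exe application/x-msdownload
2013-03-18T09:01:00 10.1.1.20 POST cb.example.test /gate.php text/plain
2013-03-18T09:02:00 10.1.1.20 POST cb.example.test /gate.php text/plain
2013-03-18T09:03:01 10.1.1.20 POST cb.example.test /gate.php text/plain
2013-03-18T09:04:00 10.1.1.20 POST cb.example.test /gate.php text/plain
2013-03-18T09:00:30 10.1.1.21 GET news.example.test /story.html text/html
2013-03-18T09:05:12 10.1.1.21 GET mail.example.test /inbox text/html
"""
EXE_TYPES = {"application/x-msdownload", "application/x-dosexec", "application/octet-stream"}

def parse(log):
    """Split each line into (time, client, method, host, path, content-type), oldest first."""
    rows = (line.split() for line in log.splitlines() if line.strip())
    return sorted((datetime.fromisoformat(r[0]),) + tuple(r[1:]) for r in rows)

def correlate(log, drive_by_window=60, min_beacons=4, max_jitter=0.2):
    """Return {client: {stage_number: evidence}} for the life-cycle stages a proxy can see."""
    per_client = defaultdict(list)
    for ev in parse(log):
        per_client[ev[1]].append(ev)
    findings = {}
    for client, evs in per_client.items():
        stages = {}
        # Stage 2: an executable fetched over the web (first one only).
        for i, (ts, _, _, host, path, ctype) in enumerate(evs):
            if ctype in EXE_TYPES or path.lower().endswith(".exe"):
                stages[2] = f"executable download from {host}{path}"
                # Stage 1 (candidate only): an HTML page from another host viewed shortly
                # before the download; the proxy never sees the exploit itself, only this sequence.
                for pts, _, _, phost, ppath, pctype in evs[:i]:
                    delta = (ts - pts).total_seconds()
                    if pctype == "text/html" and phost != host and delta <= drive_by_window:
                        stages[1] = f"{phost}{ppath} viewed {delta:.0f}s before the download"
                break
        # Stage 3: repeated, evenly spaced contacts to one host (callback beaconing).
        by_host = defaultdict(list)
        for ts, _, _, host, _, _ in evs:
            by_host[host].append(ts)
        for host, times in by_host.items():
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            if len(times) >= min_beacons and pstdev(gaps) <= max_jitter * mean(gaps):
                stages[3] = f"{len(times)} callbacks to {host} about every {mean(gaps):.0f}s"
        findings[client] = stages
    return findings
```

A host that shows stages 1 to 3 together is the point the deck makes about low-grade infections: it already has a working backdoor that any actor can buy or reuse, so it deserves a response even if no exploit was ever caught.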