1 Fortinet Confidential1 CONFIDENTIAL – INTERNAL ONLY

Advanced Persistent Threats (APTs)

Rainer Baeder Manager Systems Engineering

2 Fortinet Confidential2 CONFIDENTIAL – INTERNAL ONLY

AGENDA

APT 101•FortiOS AV solution•Other tools

3 Fortinet Confidential3 CONFIDENTIAL – INTERNAL ONLY

A.P.T.

• ADVANCED• Based on Zero Days• Part of Targeted Attacks• 75% Patchable Vulnerabilities

• PERSISTENT• Update Techniques• Low Profile• 85% Breachs take >5month to discover

Highlight

4 Fortinet Confidential4 CONFIDENTIAL – INTERNAL ONLY

• Different companies targeted• 50% Large enterprises / Gov • 20 % Small Businesses

• Targeted Attacks• 20% target “C levels” • Sprawling 0-day market

Some Statistics on APT

5 Fortinet Confidential

APT strategy

Multi-layer defense Cut the link anywhere in the

chain Antivirus is the core

Not the silver bullet though “ALL ON” is the answer

Extensive botnet research Communication channel Even fight internal threats

Advanced Persistent DefenceFight APTs

6 Fortinet Confidential

APT history

Cyberwarfare: VoIP and ConvergenceIncrease VulnerabilityDavid L. FraleyBy 2005, the United States and other nations will have the ability to conduct cyberwarfare. The increasing use of Voice over IP and the converging of voice/data networks is facilitating it.

The U.S. military complex continues work on Presidential Directive 16, including developing therules and tools. The United States is not the only government thinking about cyberattacks. In thesecond quarter of 1995, Major General Wang Pufeng of The Chinese Army published a paper,“The Challenge of Information Warfare.” In this paper, Pufeng writes that the information era willtouch off a revolution in military affairs.

The aspects of cyberwarfare have been considered for years. Future cyberattacks couldconstitute an entire war or an attack type as part of a larger campaign. Cyberwarfare, like anymilitary operation, has two components — offensive and defensive operations.

7 Fortinet Confidential

APT today

8 Fortinet Confidential

Generating APT

rename to CV_xx.pdf

9 Fortinet Confidential

Example of APT today

10 Fortinet Confidential

APT´s Procedure

Step 1: Reconnaissance

Step 2: Spear-phishing attack

Step 3: Establish presence

Step 4: Exploration and Enumeration

Step 5: Steal Data

Step 6: Stay in

11 Fortinet Confidential

Crimeware as a Service

CaaS

Botnet-as-a-

Service

Do-it-Yourself

Designer-Malware-

as-a-Service

Spam-as-a-

Service

Spyware-as-a-

Service

dDoS-as-a-

Service

Fraud-as-a-

Service

Hacking-as-a-

Service

12 Fortinet Confidential12 Fortinet Confidential

APT 101FortiOS APT solutionOther tools

AGENDA

13 Fortinet Confidential

Technologies

SignaturesSignatures• Detects and blocks

known malware and some variants

• Highly accurate, low false positives

• Requires up-to-date signature updates

• 3rd party validated

Signatures• Detects and blocks

known malware and some variants

• Highly accurate, low false positives

• Requires up-to-date signature updates

• 3rd party validated

Behavioral Evaluation

• Detects and blocks malware based on scoring system of known malicious behaviors or characteristics

• Can be used to flag out suspicious files for further analysis

Behavioral Evaluation

• Detects and blocks malware based on scoring system of known malicious behaviors or characteristics

• Can be used to flag out suspicious files for further analysis

File Analysis• Detects zero-day

threats by executing codes on emulators to determine malicious activities.

• Resource intensive, performance and latency impact

File Analysis• Detects zero-day

threats by executing codes on emulators to determine malicious activities.

• Resource intensive, performance and latency impact

14 Fortinet Confidential

Technologies

Application Control•Detects and blocks nearly 50 active botnets

•Botnet network activities by examining traffic

• Prevents zombies from data leaks or communicates for instructions

Application Control•Detects and blocks nearly 50 active botnets

•Botnet network activities by examining traffic

• Prevents zombies from data leaks or communicates for instructions

Botnet IP Reputation DB• Detects and blocks known Botnet

C&C Communication by matching against Botnet command blacklisted IPs

• Stops dial back by infected zombies.

Botnet IP Reputation DB• Detects and blocks known Botnet

C&C Communication by matching against Botnet command blacklisted IPs

• Stops dial back by infected zombies.

15 Fortinet Confidential

AV Engine

Local SandboxLightweight Emulators

• Good against VM evasionOS-Independent file analysis, all file type

• Java Scripts, Flash, PDFBest against Malware Injections via (compromised) web 2.0 applications

Signature Match(CPRL/Checksum)Signature Match

(CPRL/Checksum)

File Sample

Decryption/unpacking System

Decryption/unpacking System

Local SandboxLocal SandboxBehavior AnalysisBehavior Analysis

SuspiciousForward to cloud-based FortiGuard AV service

PassNo Further Action

FortiGate AV Engine 2.0

BlockedFile discarded, option to

Quarantine and event logged

16 Fortinet Confidential

FortiGuard AV

VM Sandbox VM Sandbox

File Sample(Manual or auto Submission)

Botnet Servers Blacklist

Botnet Servers Blacklist

AV, IPS & Application Signatures

AV, IPS & Application SignaturesAnalyst ReviewAnalyst Review

New detectionNew signature is developed, Alert

to Inform Administrator

PassNo Further Action

FortiGuard Analytics

File Analysis Service

UpdatePush/pull/manual updates

Database Update Service

17 Fortinet Confidential

Cloud Based SandboxAs part of FortiGuard Analytics Service, Enabled on FortiOS (Proxy Based AV)True VM Environments – test across various OS, patch levels & application versions

• Windows, MAC, Linux

Bayesian Scoring & Classification using detection criteria• File system, permission/memory/registry modifications• Network activities, API calls, etc

Test all filetypes: • Portable Executables (PEs) – DLL, Font files, object codes• Browsers & OS Scripts• PDF, Flash etc …

FortiGuard AV Service

18 Fortinet Confidential

Analytics via Forticloud service

• Inspection stats

• Sample scan status

• Time / IP based correlation

19 Fortinet Confidential

In-box AV functions Cloud Based AV Service

Hardware Accelerated& Code optimized

Real time updated, 3rd party validated Signature DB

Local LightweightSandboxing

Behavior / Attribute Based Heuristic Detection

FortiGuard Botnet IP Reputation DB

Cloud BasedSandboxing

Application Control – Botnet Category

FortiOS + Analytics

20 Fortinet Confidential20 Fortinet Confidential

APT 101FortiOS APT solutionOther tools

AGENDA

21 Fortinet Confidential

RankingIdentification

Policy Enforceme

nt

Multiple Scoring VectorsReputation by Activity Threat Status

Real Time, Relative,

Drill-down, Correlated

Identify potential … zero-day attacks

Score Computati

on

Client Reputation

22 Fortinet Confidential

• View of “Reputation Score” & clickable detail drill-down

Click for further drill-down detail

Client Reputation Example

23 Fortinet Confidential

Botnet C&C communicationsExtension to AV Signature updates

IP/Port list of know C&C servers

Real Time IP

Reputation DB

X

Intercepting Botnets

24 Fortinet Confidential

FortiOS 5 Delivers:

25+ VB100 Awards VB100 RAP Leaders (#1)

Reactive & Proactive Test96% Detection Rate!

100% Detection on ItW In the Wild / Reactive

Intelligence Proxy Combined with Cloud Analytics

Allows proactive detection for new viral variants

AV enhancements result

25 Fortinet Confidential

One-arm SnifferOffline Monitoring with Flow based UTM

ONE More thing: Sniffer Mode