How can one protect against them? How are computer security systems and user reputation connected? Presentation author: Rainer Baeder, head of the solutions consulting centre at Fortinet (Germany). The presentation was given at the conference INFORMATION SYSTEMS SECURITY, held on 11 April 2013 and aimed at state institutions and organizations of national importance.
Slide 1: Fortinet Confidential – CONFIDENTIAL – INTERNAL ONLY
Advanced Persistent Threats (APTs)
Rainer Baeder, Manager Systems Engineering
Slide 2
AGENDA
• APT 101
• FortiOS AV solution
• Other tools
Slide 3
A.P.T.
• ADVANCED
  • Based on zero days
  • Part of targeted attacks
  • 75% patchable vulnerabilities
• PERSISTENT
  • Update techniques
  • Low profile
  • 85% of breaches take more than 5 months to discover
Highlight
Slide 4
Some Statistics on APT
• Different companies targeted
  • 50% large enterprises / government
  • 20% small businesses
• Targeted attacks
  • 20% target “C levels”
  • Sprawling 0-day market
Slide 5
Advanced Persistent Defence: Fight APTs
APT strategy
• Multi-layer defense: cut the link anywhere in the chain
• Antivirus is the core: not the silver bullet though; “ALL ON” is the answer
• Extensive botnet research: communication channel; even fight internal threats
Slide 6
APT history
Cyberwarfare: VoIP and Convergence Increase Vulnerability
David L. Fraley
By 2005, the United States and other nations will have the ability to conduct cyberwarfare. The increasing use of Voice over IP and the converging of voice/data networks is facilitating it.
The U.S. military complex continues work on Presidential Directive 16, including developing the rules and tools. The United States is not the only government thinking about cyberattacks. In the second quarter of 1995, Major General Wang Pufeng of The Chinese Army published a paper, “The Challenge of Information Warfare.” In this paper, Pufeng writes that the information era will touch off a revolution in military affairs.
The aspects of cyberwarfare have been considered for years. Future cyberattacks could constitute an entire war or an attack type as part of a larger campaign. Cyberwarfare, like any military operation, has two components — offensive and defensive operations.
Slide 7
APT today
Slide 8
Generating APT
rename to CV_xx.pdf
Slide 9
Example of APT today
Slide 10
APT's Procedure
Step 1: Reconnaissance
Step 2: Spear-phishing attack
Step 3: Establish presence
Step 4: Exploration and enumeration
Step 5: Steal data
Step 6: Stay in
Slide 11
Crimeware as a Service (CaaS)
• Botnet-as-a-Service
• Do-it-Yourself
• Designer-Malware-as-a-Service
• Spam-as-a-Service
• Spyware-as-a-Service
• DDoS-as-a-Service
• Fraud-as-a-Service
• Hacking-as-a-Service
Slide 12
AGENDA
• APT 101
• FortiOS APT solution
• Other tools
Slide 13
Technologies
Signatures
• Detects and blocks known malware and some variants
• Highly accurate, low false positives
• Requires up-to-date signature updates
• 3rd-party validated
Behavioral Evaluation
• Detects and blocks malware based on a scoring system of known malicious behaviors or characteristics
• Can be used to flag suspicious files for further analysis
File Analysis
• Detects zero-day threats by executing code on emulators to determine malicious activity
• Resource intensive; performance and latency impact
Slide 14
Technologies
Application Control
• Detects and blocks nearly 50 active botnets
• Identifies botnet network activity by examining traffic
• Prevents zombies from leaking data or communicating for instructions
Botnet IP Reputation DB
• Detects and blocks known botnet C&C communication by matching against blacklisted botnet command IPs
• Stops dial-back by infected zombies
Slide 15
FortiGate AV Engine 2.0
Local Sandbox: Lightweight Emulators
• Good against VM evasion; OS-independent file analysis, all file types
• JavaScript, Flash, PDF: best against malware injections via (compromised) web 2.0 applications
Pipeline stages:
• File Sample
• Decryption/unpacking System
• Signature Match (CPRL/Checksum)
• Local Sandbox
• Behavior Analysis
Outcomes:
• Pass: no further action
• Suspicious: forward to cloud-based FortiGuard AV service
• Blocked: file discarded, option to quarantine, and event logged
Slide 16
FortiGuard AV
FortiGuard Analytics
File Analysis Service:
• File Sample (manual or auto submission)
• VM Sandbox
• Analyst Review
• New detection: new signature is developed, alert to inform administrator
• Pass: no further action
Database Update Service:
• Botnet Servers Blacklist
• AV, IPS & Application Signatures
• Update: push/pull/manual updates
Slide 17
FortiGuard AV Service
Cloud Based Sandbox
• Part of the FortiGuard Analytics Service, enabled on FortiOS (proxy-based AV)
• True VM environments: test across various OS, patch levels & application versions
  • Windows, Mac, Linux
• Bayesian scoring & classification using detection criteria
  • File system, permission/memory/registry modifications
  • Network activities, API calls, etc.
• Test all file types:
  • Portable Executables (PEs): DLL, font files, object code
  • Browser & OS scripts
  • PDF, Flash etc. …
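Slides 15 and 17 together describe a file-scanning flow: an exact signature match first, then behaviour analysis scored over detection criteria (file-system, registry, network and API activity), ending in a pass / suspicious / blocked verdict where suspicious files are forwarded to a cloud sandbox and blocked files are discarded and logged. The block below is an added example of that flow in Python; it is not Fortinet code and does not describe how FortiOS implements any stage. The digest set, the per-feature likelihoods, the prior and the two thresholds are constructed for illustration, and the naive-Bayes posterior is one simple reading of the slide's "Bayesian scoring & classification", not the vendor's method.

```python
import hashlib
import math
from dataclasses import dataclass

# Constructed stand-in for a signature database: SHA-256 digests of known-bad files.
# A real engine matches far richer patterns; this shows only the idea of stage 1.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed-malware-sample").hexdigest()}

# Detection criteria observed during emulation, with constructed likelihoods:
# (P(feature | malicious), P(feature | benign)). Real values would be trained
# from labelled samples; these are illustrative only.
LIKELIHOODS = {
    "modifies_registry_run_key": (0.70, 0.02),
    "writes_to_system_dir":      (0.60, 0.05),
    "changes_file_permissions":  (0.40, 0.05),
    "injects_into_process":      (0.50, 0.01),
    "outbound_to_unknown_host":  (0.65, 0.10),
    "calls_crypto_api":          (0.45, 0.20),
}
PRIOR_MALICIOUS = 0.05  # constructed base rate of malicious files in the stream

# Verdict thresholds on the posterior probability (constructed).
BLOCK_AT = 0.90
SUSPICIOUS_AT = 0.30


@dataclass(frozen=True)
class Sample:
    name: str
    data: bytes
    observed: frozenset  # behaviours seen when the file ran in the emulator (constructed)


def signature_match(sample):
    """Stage 1: exact match against the known-bad digest set."""
    return hashlib.sha256(sample.data).hexdigest() in KNOWN_BAD_SHA256


def bayesian_score(observed):
    """Stage 2: naive-Bayes posterior P(malicious | observed), accumulated in
    log-odds space so many small factors do not underflow. A feature that was
    NOT observed also counts as evidence (toward benign)."""
    log_odds = math.log(PRIOR_MALICIOUS / (1.0 - PRIOR_MALICIOUS))
    for feature, (p_mal, p_ben) in LIKELIHOODS.items():
        if feature in observed:
            log_odds += math.log(p_mal / p_ben)
        else:
            log_odds += math.log((1.0 - p_mal) / (1.0 - p_ben))
    return 1.0 / (1.0 + math.exp(-log_odds))


def verdict(sample):
    """Three-way outcome as on the slide: pass / suspicious / blocked."""
    if signature_match(sample):
        return "blocked", 1.0
    score = bayesian_score(sample.observed)
    if score >= BLOCK_AT:
        return "blocked", score
    if score >= SUSPICIOUS_AT:
        return "suspicious", score
    return "pass", score


ACTIONS = {
    "pass": "no further action",
    "suspicious": "forward to cloud sandbox for full-VM analysis",
    "blocked": "discard file, optionally quarantine, log event",
}


def triage(samples):
    """Run every sample through the pipeline; returns name -> (verdict, score, action)."""
    results = {}
    for s in samples:
        v, score = verdict(s)
        results[s.name] = (v, round(score, 3), ACTIONS[v])
    return results


if __name__ == "__main__":
    demo = [  # constructed samples; the byte strings are not real files
        Sample("known_bad.exe", b"constructed-malware-sample", frozenset()),
        Sample("report.pdf", b"benign pdf bytes", frozenset({"calls_crypto_api"})),
        Sample("invoice.doc", b"macro doc bytes",
               frozenset({"writes_to_system_dir", "changes_file_permissions",
                          "outbound_to_unknown_host"})),
        Sample("update.exe", b"dropper bytes",
               frozenset({"modifies_registry_run_key", "injects_into_process",
                          "outbound_to_unknown_host"})),
    ]
    for name, (v, score, action) in triage(demo).items():
        print(f"{name:14s} {v:10s} score={score:.3f}  -> {action}")
```

The middle band between the two thresholds is what makes the "forward to cloud" path worth having: the local, lightweight scorer need not decide every file itself, and the slide's latency concern about full emulation is paid only for the files that land there.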
Slide 18
Analytics via FortiCloud service
• Inspection stats
• Sample scan status
• Time / IP based correlation
Slide 19
FortiOS + Analytics
In-box AV functions / Cloud Based AV Service
• Hardware accelerated & code optimized
• Real-time updated, 3rd-party validated signature DB
• Local lightweight sandboxing
• Behavior / attribute based heuristic detection
• FortiGuard Botnet IP Reputation DB
• Cloud based sandboxing
• Application Control – Botnet category
Slide 20
AGENDA
• APT 101
• FortiOS APT solution
• Other tools
Slide 21
Client Reputation
Stages: Identification, Score Computation, Ranking, Policy Enforcement
• Multiple scoring vectors: reputation by activity, threat status
• Real time, relative, drill-down, correlated
• Identify potential … zero-day attacks
Slide 22
Client Reputation Example
• View of “Reputation Score” & clickable detail drill-down
• Click for further drill-down detail
Slide 23
Intercepting Botnets
• Botnet C&C communications: extension to AV signature updates
• IP/port list of known C&C servers
• Real Time IP Reputation DB
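Slides 21 and 23 describe two things that fit together: intercepting botnet dial-back by matching connections against an IP/port list of known C&C servers plus an IP reputation database, and a client reputation score built from multiple vectors, ranked across clients and used for policy enforcement. The block below is an added example of both over a constructed log excerpt; it is not Fortinet code and does not reflect how FortiOS computes client reputation. The C&C endpoints and ranges are RFC 5737 documentation addresses (not real indicators), and the vector weights, thresholds and log format are all constructed.

```python
import ipaddress
from collections import Counter

# Constructed C&C intelligence standing in for the slide's "IP/Port list of known
# C&C servers" and the real-time IP reputation DB. All addresses are from the
# RFC 5737 documentation ranges; nothing here is a real indicator.
KNOWN_CC_ENDPOINTS = {("203.0.113.10", 6667), ("198.51.100.77", 443)}
BAD_REPUTATION_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Scoring vectors and constructed weights: a confirmed C&C dial-back is the
# strongest single signal; a malware detection or IPS event adds less.
WEIGHTS = {"botnet_cc": 50, "malware_detected": 30, "ips_event": 20}

# Policy thresholds on the accumulated score (constructed).
QUARANTINE_AT = 80
MONITOR_AT = 20

# Constructed log excerpt, one record per line: "src_ip dst_ip dst_port event".
SAMPLE_LOG = """\
10.0.0.5 203.0.113.10 6667 conn
10.0.0.5 198.51.100.5 443 conn
10.0.0.9 198.51.100.77 443 conn
10.0.0.9 192.0.2.44 8080 conn
10.0.0.12 198.51.100.5 80 conn
10.0.0.12 10.0.0.1 445 ips_event
10.0.0.5 10.0.0.1 25 malware_detected
"""


def parse_line(line):
    src, dst, port, event = line.split()
    return {"src": src, "dst": dst, "port": int(port), "event": event}


def is_cc(dst_ip, dst_port):
    """Match a destination against the exact IP/port list, then the reputation ranges.
    A hit is what the slide calls intercepting the dial-back: the connection is blocked."""
    if (dst_ip, dst_port) in KNOWN_CC_ENDPOINTS:
        return True
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in BAD_REPUTATION_NETS)


def identify_vector(record):
    """Identification stage: map one log record to a scoring vector, or None."""
    if record["event"] == "conn":
        return "botnet_cc" if is_cc(record["dst"], record["port"]) else None
    return record["event"] if record["event"] in WEIGHTS else None


def score_clients(log_text):
    """Score computation stage: per-client reputation score and a breakdown by vector
    (the breakdown is what a drill-down view would show)."""
    clients = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        vec = identify_vector(rec)
        if vec is None:
            continue
        entry = clients.setdefault(rec["src"], {"score": 0, "vectors": Counter()})
        entry["score"] += WEIGHTS[vec]
        entry["vectors"][vec] += 1
    return clients


def rank_clients(clients):
    """Ranking stage: worst reputation first, i.e. the relative view across clients."""
    return sorted(((c, e["score"]) for c, e in clients.items()), key=lambda x: -x[1])


def policy(score):
    """Policy enforcement stage: action derived from the accumulated score."""
    if score >= QUARANTINE_AT:
        return "quarantine"
    if score >= MONITOR_AT:
        return "monitor"
    return "allow"


if __name__ == "__main__":
    scored = score_clients(SAMPLE_LOG)
    for client, score in rank_clients(scored):
        print(f"{client:10s} score={score:3d} {policy(score):10s} "
              f"{dict(scored[client]['vectors'])}")
```

Two design points carry over to any real deployment: the C&C match is done per connection so a single dial-back is blocked on its own, while the reputation score is accumulated per client so that several weaker signals (an IPS event here, a blocked download there) still surface a host that no single rule would have flagged.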
Slide 24
AV enhancements result
FortiOS 5 delivers:
• 25+ VB100 awards; VB100 RAP leaders (#1)
• Reactive & Proactive test: 96% detection rate
• 100% detection on ItW (In the Wild) / Reactive
• Intelligence Proxy combined with Cloud Analytics allows proactive detection of new viral variants
Slide 25
ONE more thing: Sniffer Mode
• One-arm sniffer: offline monitoring with flow-based UTM