Copyright (c) 2012, FireEye, Inc. All rights reserved. | CONFIDENTIAL 1 FireEye Overview John Bolger Manager Channels, US-Central FireEye

Upload: caren-webster

Post on 16-Dec-2015


TRANSCRIPT

Page 1:

FireEye Overview

John Bolger

Manager Channels, US-Central

FireEye

Page 2: (slide contains no extractable text)

Page 3:

Company Overview

• The leader in stopping advanced targeted attacks

• Marquee customers across every industry
  – Top banks, hi-tech, oil and gas, government
  – All major Internet search engines, top social networks, and auction sites

• One of the fastest growing enterprise technology companies in the world

Page 4:

We Are Only Seeing the Tip of the Iceberg

HEADLINE GRABBING ATTACKS

THOUSANDS MORE BELOW THE SURFACE: APT Attacks, Zero-Day Attacks, Polymorphic Attacks, Targeted Attacks

Page 5:

Manufacturing Hit Worst

Page 6:

Don’t Take Usual Vacations (Email Attacks)

Page 7: (slide contains no extractable text)

Page 8:

Chinese Hacking Methodology

http://www.thedarkvisitor.com/2008/11/chinese-hacker-attack-flowchart/

Page 9:

Chinese Hacking Methodology - Translated

http://www.thedarkvisitor.com/2008/11/chinese-hacker-attack-flowchart/

Page 10:

Characteristics of Malware

• Stealth Level
  – Ranges from High to Low

• Target Vulnerability
  – Unpatched machines, plug-ins, browsers

• Intended victim(s)
  – Specific victims, using Spearphishing

• Objectives
  – Theft? Disruption? Fear?

Page 11:

High Profile APT Attacks Are Increasingly Common

Page 12:

We Are Only Seeing the Tip of the Iceberg

HEADLINE GRABBING ATTACKS

THOUSANDS MORE BELOW THE SURFACE: APT Attacks, Zero-Day Attacks, Polymorphic Attacks, Targeted Attacks

Page 13:

Defining Advanced Targeted Attacks

• Utilizes advanced techniques and/or malware
  – Unknown
  – Targeted
  – Polymorphic
  – Dynamic
  – Personalized

• Uses zero-day exploits, commercial quality toolkits, and social engineering

• Often targets IP and credentials, and often spreads laterally throughout the network

• AKA Advanced Persistent Threat (APT)

Advanced Targeted Attack vs. Traditional (figure):
ADVANCED: Stealthy; Unknown and Zero Day; Targeted; Persistent
TRADITIONAL: Open; Known and Patchable; Broad; One Time

The New Threat Landscape: There is a new breed of attacks that are advanced, zero-day, and targeted.

Page 14:

The Enterprise Security Hole

Attack Vectors (figure): Web-based Attacks, Malicious Files, Spear Phishing Emails

Existing controls (figure): NGFW, FW, IPS, SWG, AV

SECURITY HOLE

Page 15:

Traditional Defenses Don’t Work

Advanced attacks bypass both signature and heuristics-based technologies in existing IT security defenses

Networks Are Being Compromised as APTs Easily Bypass Traditional Signature-Based Defenses Like NGFW, IPS, AV, and Gateways

Page 16:

Typical Enterprise Security Architecture

Firewalls/NGFW: Block IP/port connections, application-level control; no visibility into exploits and ineffective vs. advanced targeted attacks

IPS: Attack-signature based detection, shallow application analysis, high false positives, no visibility into the advanced attack lifecycle

Secure Web Gateways: Some analysis of script-based malware, AV, IP/URL filtering; ineffective vs. advanced targeted attacks

Anti-Spam Gateways: Relies largely on antivirus, signature-based detection (some behavioral); no true spear phishing protection

Desktop AV: Signature-based detection (some behavioral); ineffective vs. advanced targeted attacks

Page 17:

Attacks Increasingly Sophisticated

Dynamic Web Attacks / Malicious Exploits / Spear Phishing Emails (figure)

Multi-Vector
• Delivered via Web or email
• Blended attacks with email containing malicious URLs
• Uses application/OS exploits

Multi-Stage
• Initial exploit stage followed by malware executable download, callbacks and exfiltration
• Lateral movement to infect other network assets

Page 18:

The Attack Lifecycle – Multiple Stages

1 Exploitation of system
2 Malware executable download
3 Callbacks and control established
4 Data exfiltration
5 Malware spreads laterally

Diagram elements: Compromised Web server or Web 2.0 site; Callback Server; IPS; File Share 1; File Share 2

Page 19:

FireEye Malware-VM™ Filter

Phase 1: Aggressive capture heuristics
• Deploys out-of-band/passive or inline
• Multi-protocol capture of HTML, files (e.g. PDF), & EXEs
• Maximizes capture of potential zero-day attacks

Phase 2: Virtual machine analysis
• Confirmation of malicious attacks
• Removal of false positives

Phase 3: Block Call Back
• Stop data/asset theft

XML/SNMP alerts on infections as well as C&C destinations

Global loop sharing into MAX Cloud Intelligence

Fast Path Real-time Blocking in Appliance

Page 20:

The FireEye Difference

Multi-Vector Protection

• Protection against Web attacks

• Protection against email attacks

• Protection against file-based attacks

Multi-Stage Protection

• Inbound zero-day exploit detection

• Outbound malware callback blocking

• Malware binary payload analysis

• Latent malware quarantine

Page 21:

Multi-Vector Protection

Blended Web/Email Threats

Internal Lateral Movement of Threats

Web Threats Email Threats

CMS

Page 22:

Multi-Staged Attack Pieces Connected

Point Products (each piece seen in isolation): WEB EXPLOIT | MALWARE EXECUTABLE DOWNLOAD | CALLBACK | LATERAL SPREAD | DATA EXFILTRATION

Pieces connected: WEB OR EMAIL EXPLOIT -> MALWARE EXECUTABLE DOWNLOAD -> CALLBACK -> LATERAL MOVEMENT -> DATA EXFILTRATION
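The point slide 22 makes is that individual point products each see one piece of the chain, while connecting the pieces per host is what turns five low-confidence alerts into one incident. The following is an added example (not FireEye code) that correlates constructed per-host alerts across the lifecycle stages named on slide 18; the host names, timestamps and window are all hypothetical.

```python
"""Per-host stage correlation over constructed alerts (not vendor output).
A host is promoted to an incident once enough distinct lifecycle stages
are observed within one sliding time window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Lifecycle stage order as numbered on slide 18 of the deck.
STAGES = ["exploit", "download", "callback", "exfiltration", "lateral"]

# Constructed alerts: (timestamp, host, stage). All values hypothetical.
SAMPLE_ALERTS = [
    ("2012-06-01T09:00:05", "ws-17", "exploit"),
    ("2012-06-01T09:00:41", "ws-17", "download"),
    ("2012-06-01T09:03:10", "ws-17", "callback"),
    ("2012-06-01T09:20:00", "ws-17", "exfiltration"),
    ("2012-06-01T10:15:00", "ws-42", "callback"),   # a single piece only
    ("2012-06-02T08:00:00", "ws-09", "exploit"),    # two pieces, a day apart
    ("2012-06-03T08:00:00", "ws-09", "download"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def correlate(alerts, window=timedelta(hours=1), min_stages=3):
    """Return {host: [stages]} for every host whose distinct stages inside
    one sliding window reach min_stages; stages come back in lifecycle order.
    Unknown stage names are ignored rather than counted."""
    by_host = defaultdict(list)
    for ts, host, stage in alerts:
        if stage in STAGES:
            by_host[host].append((parse(ts), stage))
    incidents = {}
    for host, events in by_host.items():
        events.sort()  # chronological, so each event can open a window
        for i, (start, _) in enumerate(events):
            seen = {s for t, s in events[i:] if t - start <= window}
            if len(seen) >= min_stages:
                incidents[host] = [s for s in STAGES if s in seen]
                break  # one incident per host is enough
    return incidents


if __name__ == "__main__":
    for host, chain in correlate(SAMPLE_ALERTS).items():
        print(host, "->", " > ".join(chain))
```

Only ws-17 is promoted with the defaults; widening the window and lowering the threshold also catches the two-stage host, which is the tuning trade-off a detection engineer has to make.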

Page 23:

Web Malware Protection System

• Inline, real-time, signature-less malware protection at near-zero false positives
• Analyzes all web objects, e.g., web pages, Flash, PDF, Office docs and executables
• Blocks malicious callbacks, terminating data exfiltration across protocols
• Dynamically generates zero-day malware and malicious URL security content and shares it through the Malware Protection Cloud network
• Integration with Email and File MPS and MAS for real-time callback channel blocking

FEATURES

• Inline blocking both inbound and outbound
• Advanced content analysis (PDF, JavaScript, URLs)
• Models up to 1 Gbps at microseconds latency


Page 24:

Multi-Protocol, Real-Time VX Engine

PHASE 1: Multi-Protocol Object Capture

PHASE 2: Virtual Execution Environments

PHASE 1: WEB MPS
• Aggressive Capture
• Web Object Filter

DYNAMIC, REAL-TIME ANALYSIS
• Exploit detection
• Malware executable analysis
• Cross-matrix of OS/apps
• Originating URL
• Subsequent URLs
• OS modification report
• C&C protocol descriptors

Map to Target OS and Applications

Page 25:

Email Malware Protection System

• Protection against spear phishing and blended attacks
• Analyzes all emails for malicious attachments and URLs
• In-line MTA active security or SPAN/BCC for monitoring
• Brute-force analysis of all Email attachments in VX Engine
• Web MPS integration for malicious URL analysis/blocking
• Web MPS integration for blocking of newly discovered callback channels

FEATURES

• Supports large range of file types (PDF, Office formats, ZIP, etc.)
• Attachment analysis
• URL analysis
• Correlation of malicious URLs to emails at the CMS

Page 26:

Multi-Protocol, Real-Time VX Engine

PHASE 1: Multi-Protocol Object Capture

PHASE 2: Virtual Execution Environments

PHASE 1: WEB MPS
• Aggressive Capture
• Web Object Filter

PHASE 1: E-MAIL MPS
• Email Attachments
• URL Analysis

DYNAMIC, REAL-TIME ANALYSIS
• Exploit detection
• Malware executable analysis
• Cross-matrix of OS/apps
• Originating URL
• Subsequent URLs
• OS modification report
• C&C protocol descriptors

Map to Target OS and Applications

Page 27:

Protecting Against Blended Threats

Secures Against Attacks Using URLs in Email

• High priority URL analysis through Web MPS VX engine

• Web MPS integration for correlation of malicious URL with spear phished email message

• Web MPS integration for blocking of newly discovered callback channels

Central Management System

Web MPS Email MPS

Page 28:

File Malware Protection System

• Protects file sharing servers from latent malware
• Addresses malware brought into the network via web, email or file sharing as well as other manual means
• Detects the lateral spread of malware through network file shares
• Continuous and incremental network file share analysis
• Web MPS integration for blocking of newly discovered callback channels

FEATURES

• Supports large range of file types (PDF, Office, ZIP, etc.)
• CIFS support
• Malicious file quarantine
• Integration via CMS

Page 29:

Multi-Protocol, Real-Time VX Engine

PHASE 1: Multi-Protocol Object Capture

PHASE 2: Virtual Execution Environments

PHASE 1: WEB MPS
• Aggressive Capture
• Web Object Filter

PHASE 1: E-MAIL MPS
• Email Attachments
• URL Analysis

PHASE 1: FILE MPS
• Network File Shares

DYNAMIC, REAL-TIME ANALYSIS
• Exploit detection
• Malware executable analysis
• Cross-matrix of OS/apps
• Originating URL
• Subsequent URLs
• OS modification report
• C&C protocol descriptors

Map to Target OS and Applications

Page 30:

Multi-Layered Threat Intelligence Sharing

Local Sharing

Seconds

Internal Feedback Loop

Web MPS

Cross-Enterprise Sharing

Central Management System

Global Sharing

Cross-Enterprise Web MPS Deployment

Many 3rd party Feeds Validated by FireEye Technology

Page 31:

Summary

• Pace of advanced targeted attacks is accelerating, affecting all verticals and all segments

• Traditional defenses (NGFW, IPS, AV, and gateways) no longer stop these attacks

• Real-time, integrated signature-less solution is required across Web, email and file attack vectors

• FireEye has engineered the most advanced threat protection to supplement traditional defenses and stop advanced targeted attacks

Complete Protection Against Advanced Targeted Attacks

Web Malware Protection System

Email Malware Protection System

File Malware Protection System

Page 32:

Enjoy the rest of the show!

Thank You!