Fortinet, keep up the standard!
TRANSCRIPT
© Copyright Fortinet Inc. All rights reserved.
FORTISANDBOX
Alexey Andriyashin
2 November 2015
+79859996477
2
APT (ATA) LIFECYCLE
http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
…from 1 day to 2+ years…
Lifecycle stages (diagram):
Initial reconnaissance
Initial compromise
Establish a foothold
Escalate privileges
Gather information
Maintain presence
Core activity
Complete the mission
3
FORTINET SOLUTIONS
FortiDB – Database Protection
FortiClient – Endpoint Protection, VPN
FortiToken – Two Factor Authentication
FortiSandbox – Advanced Threat Protection
FortiClient – Endpoint Protection
FortiGate – NGFW
FortiAuthenticator – User Identity Management
FortiManager – Centralized Management
FortiAnalyzer – Logging, Analysis, Reporting
FortiADC – Application Delivery Control
FortiWeb – Web Application Firewall
FortiGate – DCFW
FortiGate – Internal NGFW
FortiDDoS – DDoS Protection
FortiMail – Email Security
FortiGate VMX – SDN, Virtual Firewall
FortiAP – Secure Access Point
DATA CENTER
BRANCH OFFICE
CAMPUS
FortiGate Cloud
FortiWiFi – UTM
FortiGate – Top-of-Rack
FortiCamera – IP Video Security
FortiVoice – IP PBX Phone System
FortiGate – Next Gen IPS
FortiExtender – LTE Extension
Secure Wireless
Switching
Advanced Threat Protection
Authentication & Tokens
Application Security
Application Delivery/SLB
Endpoint Security
IP PBX and Phones
IP Video Surveillance
More…
4
• Layered (defence-in-depth) security
• Fast reaction time
SYNERGY IN THREAT PREVENTION
IPS
Antivirus
Anti-Spam
IP Reputation
Web Filtering
App Control
THE MAIN GOAL IS TO BREAK THE THREAT CHAIN AND DISRUPT THE LOGIC OF THE APT
5
A COMPREHENSIVE APPROACH TO THREAT DETECTION
Example: Phishing
1. Anti-spam
2. Antivirus
3. Web Filtering
IPS
IP Reputation
App Control
6
Example: Backdoor/Bot
1. Antivirus
2. IPS
3. Web Filtering
Anti-spam
IP Reputation
App Control
A COMPREHENSIVE APPROACH TO THREAT DETECTION
7
1. Anti-spam
2. Web Filtering
3. IPS
4. Antivirus
5. IP Reputation
6. App Control
Add an ATP Sandbox – eliminate threat uncertainty
Example: ATP
A COMPREHENSIVE APPROACH TO THREAT DETECTION
8
POSSIBLE SCENARIO
Anti-spam
Web Filtering
Intrusion Prevention
Antivirus
App Control/
IP Reputation
9
BREAKING THE THREAT CHAIN – STEP 1
Attack chain: Spam (fraudulent message)
Controls: Anti-spam, Web Filtering, Intrusion Prevention, Antivirus, App Control/IP Reputation
10
BREAKING THE THREAT CHAIN – STEP 2
Attack chain: Spam (fraudulent message) → Phishing (attacker's site)
Controls: Anti-spam, Web Filtering, Intrusion Prevention, Antivirus, App Control/IP Reputation
11
BREAKING THE THREAT CHAIN – STEP 3
Attack chain: Spam (fraudulent message) → Phishing (attacker's site) → Exploit
Controls: Anti-spam, Web Filtering, Intrusion Prevention, Antivirus, App Control/IP Reputation
12
BREAKING THE THREAT CHAIN – STEP 4
Attack chain: Spam (fraudulent message) → Phishing (attacker's site) → Exploit
Controls: Anti-spam, Web Filtering, Intrusion Prevention, Antivirus, App Control/IP Reputation
13
BREAKING THE THREAT CHAIN – STEP 5
Attack chain: Spam (fraudulent message) → Phishing (attacker's site) → Exploit → Malware
Controls: Anti-spam, Web Filtering, Intrusion Prevention, Antivirus, App Control/IP Reputation
14
BREAKING THE THREAT CHAIN – STEP 6
Attack chain: Spam (fraudulent message) → Phishing (attacker's site) → Exploit → Malware (C&C center) → Bot activity and data theft
Controls: Anti-spam, Web Filtering, Intrusion Prevention, Antivirus, App Control/IP Reputation
15
BREAKING THE THREAT CHAIN – STEP 7: INTRODUCING THE SANDBOX
Attack chain: Spam (fraudulent message) → Phishing (attacker's site) → Exploit → Malware (C&C center) → Bot activity and data theft
Controls: Anti-spam, Web Filtering, Intrusion Prevention, Antivirus, App Control/IP Reputation, Sandbox
16
MALWARE? GOODWARE? I-DON'T-KNOW-WARE?
Code Continuum: Known Good | Probably Good | Might be Good | Completely Unknown | Somewhat Suspicious | Very Suspicious | Known Bad
Security Technologies:
Toward Known Good: Whitelists; Reputation: File, IP, App, Email; App Signatures; Digitally signed files
Toward Known Bad: Blacklists; Signatures; Heuristics; Reputation: File, IP, App, Email; Generic Signatures
For the unknown middle: Sandboxing
17
MALWARE? GOODWARE? I-DON'T-KNOW-WARE? (continued)
Code Continuum: Known Good | Probably Good | Might be Good | Completely Unknown | Somewhat Suspicious | Very Suspicious | Known Bad
Security Technologies:
Toward Known Good: Whitelists; Reputation: File, IP, App, Email; App Signatures; Digitally signed files
Toward Known Bad: Blacklists; Signatures; Heuristics; Reputation: File, IP, App, Email; Generic Signatures
For the unknown middle: Sandboxing
Solutions:
Whitelists, blacklists, signatures, heuristics and reputation: FortiGate (and/or FortiMail, FortiClient, FortiWeb, etc.)
Sandboxing: FortiSandbox
18
• Prefilters objects, identifying known threats
• Runs objects/URLs, analyzing and rating activity
• Uncovers full threat lifecycle and presents indicators of compromise
• 3 modes of operation
– Sniffer: span port mode to capture all packets
– On-demand: manual submission & analysis
– Integrated: with FortiGate, FortiMail and FortiClient to feed into and act on intelligence out of FortiSandbox
FortiSandbox: DETECTING TARGETED ATTACKS
Analysis pipeline (diagram): Network Traffic → AV Prefilter → Cloud File Query → Code Emulation → Full Sandbox → Callback Detection
19
FortiSandbox – 5 STEPS TO BETTER PERFORMANCE
1. AV Prefilter
• Apply top-rated anti-malware engine
2. Cloud File Query
• Check community intelligence & file reputation
3. Code Emulation
• Quickly simulate intended activity
• OS independent and immune to evasion/obfuscation
4. Full Virtual Sandbox
• Examine real-time, full lifecycle activity to get the threat to expose itself
5. Call Back Detection
• Identify the ultimate aim, call back & exfiltration
• Mitigate w/FortiGuard updates
20
TOP RATED SANDBOX
• Top-rated Breach Detection (NSS Labs Recommended)
• Customizable Environment
– Preloaded with Microsoft Windows XP and 7, 32- and 64-bit, plus Office, IE and Adobe
– Ability to select specific combination or let the system choose
• Genuine Microsoft Licenses for Windows and Office
Independent third-party tested & validated!
21
FORTISANDBOX DETAILS
Flow (diagram): Network Traffic → Objects for Inspection → Updated Protection
1. Protocol support
• FortiGate Integrated: HTTP, SMTP, POP3, IMAP, MAPI, FTP, SMB, IM and SSL encrypted equivalents
• Stand-alone: HTTP, FTP, POP3, IMAP, SMTP, SMB
• FortiMail Integrated: SMTP, POP3, IMAP
2. File type support
• AV Prefilter: all
• Full Sandbox: as follows
Archived: .tar, .gz, .tar.g, .tgz, .zip, .bz2, .tar.bz2, .bz, .tar.Z, .cab, .rar, .arj
Executable: .exe, .dll, PDF, Windows Office, Javascript, .pd
URLs
Media: .avi, .mpeg, mp3, mp4
3. Operating Environment
• Code emulation: OS-independent
• Sandbox: Windows XP, 7, 8.1, Server 2008/2010, IE, Office
22
SANDBOX ONLY
Flow (diagram): Internet → Network Traffic → Inspected Traffic; Feedback to/from FortiGuard
Deployed in sniffer mode FortiSandbox will prefilter for known threats, sandbox unknown threats and watch for callback activity
23
NGFW + SANDBOX
Flow (diagram): Internet → Network Traffic → FortiGate → Inspected Traffic; Sandbox Inspection and Results between FortiGate and FortiSandbox; Feedback to/from FortiGuard
Full NGFW inspection performed on FortiGate. At risk objects sent to FortiSandbox, results received.
Deployed in integrated mode FortiSandbox will receive objects, perform analysis and return results
24
CENTRAL SANDBOX FOR NGFW+SEG
Flow (diagram): Internet → Network Traffic → FortiGate → Inspected Traffic; FortiMail → Inspected Emails; Sandbox Inspection and Results between FortiGate/FortiMail and FortiSandbox; Feedback to/from FortiGuard
Reputation, behavior and other analysis performed by FortiMail. At risk messages held for FortiSandbox analysis, results acted on. Clean emails delivered to mail servers. Outgoing email also inspected.
Full NGFW inspection performed on FortiGate. At risk objects sent to FortiSandbox, results received.
25
CENTRAL SANDBOX FOR NGFW + SEG + EPP
Flow (diagram): Internet → Network Traffic → FortiGate → Inspected Traffic; FortiMail → Inspected Emails; FortiClient endpoints; Sandbox Inspection and Results between FortiGate/FortiMail/FortiClient and FortiSandbox; Feedback to/from FortiGuard
Reputation, behavior and other analysis performed by FortiMail. At risk messages held for FortiSandbox analysis, results acted on. Clean emails delivered to mail servers. Outgoing email also inspected.
FortiSandbox prefilters, executes, analyzes and feeds back to FortiGate, FortiMail, FortiClient and FortiGuard.
Full NGFW inspection performed on FortiGate. At risk objects sent to FortiSandbox, results received.
Full EPP inspection, new files also sent to FortiSandbox. Results acted on.
26
BREAKING THE THREAT CHAIN – STEP 8: KEEPING THE PROTECTION SYSTEM UP TO DATE
Controls: Anti-spam, Web Filtering, Intrusion Prevention, Antivirus, App Control/IP Reputation, Sandbox, DLP
Coverage: Data center, Enterprise and branch network, Cloud, Mobile, Distributed network
27
STAYING AHEAD OF ATTACKERS
Comprehensive Security
Global Protection
Confidence in high effectiveness
360
24x7
100%
28
http://www.netwell.ru/events/?id_form=fortinet_security_day
Alexey Andriyashin
+79859996477
Ilya Yablonko, CISSP,
Information Security Solutions Development Manager
+7 912 607 55 66,