Rainer Baeder. Sudėtingos tikslinės ir ilgai išliekančios grėsmės


Published on

Kaip nuo jų apsisaugoti? Kaip susijusios kompiuterių apsaugos sistemos ir vartotojų reputacija?

Pranešimo autorius – Rainer Baeder. Įmonės „Fortinet“ sprendimų konsultacijų centro vadovas (Vokietija).

Pranešimas skaitytas konferencijoje – INFORMACINIŲ SISTEMŲ SAUGUMAS, vykusioje 2013 m. balandžio 11d., skirtoje valstybės institucijų ir valstybinės reikšmės organizacijoms.

Published in: Technology
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • ##need to update with screenshot of drill-down {to-do later!}
  • Rainer Baeder. Sudėtingos tikslinės ir ilgai išliekančios grėsmės

    1. 1. Advanced Persistent Threats (APTs) Rainer Baeder Manager Systems Engineering1 CONFIDENTIAL – INTERNAL ONLY Fortinet Confidential
    2. 2. AGENDA APT 101 •FortiOS AV solution •Other tools2 CONFIDENTIAL – INTERNAL ONLY Fortinet Confidential
    3. 3. HighlightA.P.T.• ADVANCED • Based on Zero Days • Part of Targeted Attacks • 75% Patchable Vulnerabilities• PERSISTENT • Update Techniques • Low Profile • 85% Breachs take >5month to discover3 CONFIDENTIAL – INTERNAL ONLY Fortinet Confidential
    4. 4. Some Statistics on APT • Different companies targeted • 50% Large enterprises / Gov • 20 % Small Businesses • Targeted Attacks • 20% target “C levels” • Sprawling 0-day market4 CONFIDENTIAL – INTERNAL ONLY Fortinet Confidential
    5. 5. APT strategyAdvanced Persistent DefenceFight APTs Multi-layer defense  Cut the link anywhere in the chain Antivirus is the core Not the silver bullet though  ―ALL ON‖ is the answer Extensive botnet research  Communication channel  Even fight internal threats5 Fortinet Confidential
    6. 6. APT history Cyberwarfare: VoIP and Convergence Increase Vulnerability David L. Fraley By 2005, the United States and other nations will have the ability to conduct cyberwarfare. The increasing use of Voice over IP and the converging of voice/data networks is facilitating it. The aspects of cyberwarfare have been considered for years. Future cyberattacks could constitute an entire war or an attack type as part of a larger campaign. Cyberwarfare, like any military operation, has two components — offensive and defensive operations. The U.S. military complex continues work on Presidential Directive 16, including developing the rules and tools. The United States is not the only government thinking about cyberattacks. In the second quarter of 1995, Major General Wang Pufeng of The Chinese Army published a paper, ―The Challenge of Information Warfare.‖ In this paper, Pufeng writes that the information era will touch off a revolution in military affairs.6 Fortinet Confidential
    7. 7. APT today7 Fortinet Confidential
    8. 8. Generating APT rename to CV_xx.pdf8 Fortinet Confidential
    9. 9. Example of APT today9 Fortinet Confidential
    10. 10. APT´s Procedure Step 1: Reconnaissance Step 2: Spear-phishing attack Step 3: Establish presence Step 4: Exploration and Enumeration Step 5: Steal Data Step 6: Stay in10 Fortinet Confidential
    11. 11. Crimeware as a Service Hacking- Fraud-as- as-a- a- Service Botnet- Service as-a- Service dDoS-as- a- Service Do-it- CaaS Yourself Spyware- as-a- Designer- Service Malware- Spam-as- as-a- a- Service Service11 Fortinet Confidential
    12. 12. AGENDA •APT 101 FortiOS APT solution •Other tools12 Fortinet Confidential
    13. 13. Technologies Signatures Signatures Behavioral File Analysis • Detects and blocks Evaluation • Detects zero-day known malware and • Detects and blocks threats by executing some variants malware based on codes on emulators to scoring system of determine malicious • Highly accurate, low known malicious activities. false positives behaviors or • Resource intensive, • Requires up-to-date characteristics performance and signature updates • Can be used to flag latency impact • 3rd party validated out suspicious files for further analysis13 Fortinet Confidential
    14. 14. Technologies Application Control Botnet IP Reputation DB •Detects and blocks nearly 50 active •Detects and blocks known Botnet botnets C&C Communication by matching •Botnet network activities by against Botnet command blacklisted examining traffic IPs • Prevents zombies from data leaks •Stops dial back by infected zombies. or communicates for instructions14 Fortinet Confidential
    15. 15. AV Engine File Sample Local Sandbox Signature Match Decryption/unpacking Lightweight Emulators (CPRL/Checksum) System • Good against VM evasion OS-Independent file Behavior Analysis Local Sandbox analysis, all file type • Java Scripts, Flash, PDF Best against Malware FortiGate AV Engine 2.0 Injections via (compromised) web 2.0 applications Suspicious Pass BlockedForward to cloud-based No Further Action File discarded, option to FortiGuard AV service Quarantine and event logged15 Fortinet Confidential
    16. 16. FortiGuard AV File Sample (Manual or auto Submission) Botnet Servers VM Sandbox Blacklist AV, IPS & Application Analyst Review Signatures FortiGuard Analytics Database Update Service File Analysis Service New detection Pass Update New signature is developed, Alert No Further Action Push/pull/manual updates to Inform Administrator16 Fortinet Confidential
    17. 17. FortiGuard AV Service Cloud Based Sandbox As part of FortiGuard Analytics Service, Enabled on FortiOS (Proxy Based AV) True VM Environments – test across various OS, patch levels & application versions • Windows, MAC, Linux Bayesian Scoring & Classification using detection criteria • File system, permission/memory/registry modifications • Network activities, API calls, etc Test all filetypes: • Portable Executables (PEs) – DLL, Font files, object codes • Browsers & OS Scripts • PDF, Flash etc …17 Fortinet Confidential
    18. 18. Analytics via Forticloud service•Inspection stats•Sample scan status•Time / IP based correlation18 Fortinet Confidential
    19. 19. FortiOS + Analytics Local Lightweight FortiGuard Botnet IP Hardware Accelerated Sandboxing & Code optimized Reputation DB Behavior / Attribute Based Real time updated, Heuristic Detection Cloud Based 3rd party validated Sandboxing Signature DB Application Control – Botnet Category In-box AV functions Cloud Based AV Service19 Fortinet Confidential
    20. 20. AGENDA •APT 101 •FortiOS APT solution Other tools20 Fortinet Confidential
    21. 21. Client Reputation Identify potential … zero-day attacks Reputation by Activity Threat Status Multiple Scoring Vectors Real Time, Relative, Drill-down, Correlated Policy ScoreIdentification Ranking Enforcement Computation21 Fortinet Confidential
    22. 22. Client Reputation Example • View of “Reputation Score” & clickable detail drill- down Click for further drill- down detail22 Fortinet Confidential
    23. 23. Intercepting Botnets Botnet C&C communications Extension to AV Signature updates IP/Port list of know C&C servers Real Time X IP Reputation DB 23 Fortinet Confidential
    24. 24. AV enhancements result FortiOS 5 Delivers:  25+ VB100 Awards  VB100 RAP Leaders (#1) Reactive & Proactive Test 96% Detection Rate!  100% Detection on ItW  In the Wild / Reactive  Intelligence Proxy Combined with Cloud Analytics Allows proactive detection for new viral variants24 Fortinet Confidential
    25. 25. ONE More thing: Sniffer Mode One-arm Sniffer Offline Monitoring with Flow based UTM25 Fortinet Confidential