A Summer for Cybercrime (Un verano para el cibercrimen)
McAfee Labs Threats Report: Third Quarter 2013

Juan Carlos Vázquez
Sales Systems Engineer, ...
McAfee Webcast | A Summer for Cybercrime: the new sophisticated attack trends of 2013

Every day, new threats and targeted attacks affect organizations, governments and critical infrastructures that once seemed impenetrable.
Mobile devices remain the focus of new cybercriminal techniques: from July to September 2013 alone, attacks on the Android system grew by up to 30% and spam by 125%.
Companies, meanwhile, face the challenge of distinguishing genuine pieces of code from “signed malware” carrying forged certificates that have penetrated their networks. Finally, end users, who are the least protected, suffer the loss of their information to new “ransomware” variants that are hitting the Latin American market hard.

Published in: Technology


1. A Summer for Cybercrime: McAfee Labs Threats Report, Third Quarter 2013
  Juan Carlos Vázquez, Sales Systems Engineer, LTAM. December 10, 2013. McAfee Confidential—Internal Use Only

2. Agenda
  • Highlights Threats Report Q3 2013
  • Advanced Malware
  • McAfee Advanced Threat Defense (MATD)
  • Find, Freeze & Fix
  • Demo (Standalone)

3. McAfee Global Threat Intelligence
  McAfee Labs identifies more than 200,000 new threats each day. This process begins with 500 threat researchers aided by some of the most sophisticated automated threat identification technology in the industry. The data that drives this research is generated by more than 100 million sensors globally. This threat data is then pumped into the McAfee GTI cloud, where it is made available to all McAfee products to enhance their detection effectiveness. McAfee Global Threat Intelligence processes more than 80 billion threat reputation requests each day.

4. Key Trends
  • Growing focus on subverting the digital signature “trust” upon which the internet has relied for so long:
    – Digitally “signed” malware samples increased 50 percent, to more than 1.5 million new samples
    – Attacks undermining the digital signature checking process for mobile apps
  • Attacks on Android-based devices increased more than 30%
  • Global spam volume spikes, increasing 125%
  • 20M new Q3 PC malware samples bring the total “zoo” to 170M
  • Use of new digital and virtual currencies by cybercriminals both to execute illegal transactions and to launder profits

5. Mobile Malware
  TREND: 683,000 new Android malware samples in Q3. Android malware will be “more advanced” than PC malware.
  RISKS
    • New signature checking circumvention family discovered
    • SMS password stealing Trojans (Turkey & UK)
    • Weaponized versions of legitimate applications
  POLICIES
    • No unmanaged devices allowed on corporate nets
    • No rooted or unlocked devices allowed anywhere
    • Only approved, signed applications installed
  PROCEDURES
    • Device management software installed on all devices
    • Password change twice yearly
    • Disable or scrub lost and stolen devices
    • Consider policies to proxy mobile web traffic through the web gateway for protection
  PRODUCTS
    • Enterprise Mobility Management
    • ePolicy Orchestrator
    • Web Gateway

6. Android Attacks
  Chart: New Android Malware Samples per quarter, Q2 2011 through Q3 2013 (y-axis 0 to 1,000,000).
7. Global Spam Volume Spikes
  TREND
    • Global spam volume spiked 125% in Q3
    • China, Italy > 50%; “Snowshoe” spam most popular (it spreads the load across many IP addresses to avoid rapid eviction by ISPs)
  RISKS
    • Legitimate email throughput slowed
    • Malicious attachments
    • Fraudulent products and services
    • Phishing attacks designed to steal confidential information or PII
  POLICIES
    • No endpoint devices on the network without client anti-spam on board
    • All inbound mail to be filtered at least twice (cloud, perimeter, or device)
  PROCEDURES
    • Deploy anti-spam filters on all endpoint devices and either gateway or cloud
    • Block access to known spamming SMTP server addresses
    • Annual email security/hygiene training to cover the latest observed targeted attacks and phishing scams
  PRODUCTS
    • McAfee Content Security Suite
    • McAfee Security for Email Servers
    • McAfee SaaS Web and Email Security Suite

8. Global Spam Trend
  Chart: Spam Volume, trillions of messages per month (y-axis 0.0 to 4.5).

9. PC Malware Growth
  TREND: New PC malware up 23% to more than 20 million; Malware Zoo 172M
  RISKS
    • Confidential data exfiltration
    • Botnet malware installation followed by total system compromise
  POLICIES
    • Endpoint anti-virus, host intrusion prevention, and web security and hygiene products deployed on all corporate network enabled devices
    • Application/device control deployed on all corporate network enabled devices
  PROCEDURES
    • Comprehensive malware protection suites deployed on all endpoint devices
    • Remote device monitoring and management deployed
  PRODUCTS
    • VirusScan Enterprise
    • Real Time ePO
    • Host Intrusion Prevention
    • Enterprise Security Manager
    • Site Advisor Enterprise
    • Application Control, Deep Defender
    • Web Gateway
    • Advanced Threat Defense
    • Network Security Platform
    • Email Gateway

10. Total Malware Samples
  The McAfee Malware “Zoo” is currently growing by 200,000 new samples per day.
  Chart: Total PC Malware Samples (y-axis 0 to 200,000,000).

11. Subverting Digital Signature Authentication
  Chart: New Signed PC Malware per quarter, Q3 2011 through Q3 2013 (y-axis 0 to 1,800,000).
12. A Day in the Life of some Big Data

13. Visualizing and Mapping MalCerts

14. Highlights
  • You can quantify if you have a large enough data set:
    – ±15% of any particular day's samples will have markers of “advanced” malware (as defined by APG).
      • 0.0014% have new Zeus and Citadel markers.
      • Advanced web injects are consistent at around 0.026%.
      • Potentially attributable malware like IXSHE, NetTraveler, Taidoor and Preshin, though low numerically, are consistent daily.
      • 0x20 XOR’d JavaScript is prevalent and consistent at around 0.126%.
    – ±0.1045% of any particular day's samples will be digitally signed.
      • Almost 29% of those daily signed suspicious samples have a VeriSign cert.
      • Thawte and Comodo digital certs are the second and third most abused.
      • Android malware is now the most prevalent signed malware class: 24%.

15. Ransomware
  • 312,000 unique samples
  • Anonymous payment services
  • Global problem
  • Mexico (Police virus)
  • Mass email spamming, tens of millions of UK customers
  • Caution with e-mail attachments
  • Don’t pay the ransom
  • Cryptolocker: TA released by McAfee

16. Highlights
  • Rootkits (stealth malware): ~75K new samples
  • Koutodoor: 20K samples (Low)
  • Autorun malware (hides on USB drives): ~710K samples
  • New Fake AV: ~380K (Low)
  • New password stealers: >1M
  • New Mac malware: 300 samples (Low)
  • Top SQL-injection attackers: US, China, Spain, UK, South Korea
  • Top SQL-injection victims: US, China, Taiwan, Spain, South Korea
  • Top botnet C&C servers: UK, Germany, Turkey, China, Russia, UK
  • Location of servers hosting malicious content: Brazil, Argentina, Chile
  • Top countries hosting phishing URLs: US, Germany, UK, Brazil, France

17. Bitcoin
  Virtual currency market value $47.5 billion as of 2012 (1)
  TREND: From 139 dollars on October 1 to more than 1,200 dollars on December 1 (@Forbes)
  RISKS
    • Bitcoin “mining” malware installation and operation compromising enterprise laptops
  POLICIES
    • Host intrusion prevention, web security and application/device control deployed on all corporate network enabled devices
  PROCEDURES
    • Comprehensive malware protection suites deployed on all endpoint devices
    • Remote device monitoring and management deployed
  PRODUCTS
    • Host Intrusion Prevention
    • Real Time ePO
    • Site Advisor Enterprise
    • McAfee Enterprise Security Manager
    • McAfee Application Control
    • Network Security Platform
    • Web Gateway
  (1) Yankee Group

18. Virtual Currencies
19. APTs, Zero-day and Advanced Malware
  Chart: Total Malware Samples in the McAfee Labs Database, July 2012 through June 2013 (y-axis 0 to 160,000,000). Source: McAfee Threat Reports: Second Quarter 2013.
  Malware shows no sign of changing its steady growth, which has risen steeply during the last three quarters. At the end of this quarter we now have more than 170 million samples in our malware “zoo.”
  Survey of network security professionals at Black Hat USA 2013 (percentages shown in graphic): of network security professionals say advanced malware is a major concern; of network security professionals spend more than 20 hours a week working on advanced malware.

20. WHAT IS ADVANCED MALWARE?
  Evades legacy-based defenses: stealthy, targeted, unknown.
  Typically criminal: theft, sabotage, espionage.
  Discovered after the fact.
  Bottom line
    • Malware has evolved to become a persistent threat with a potent delivery ecosystem.
    • Layered defenses are failing to fully contain the risk due to advanced persistent threats (APTs) and other defense challenges.
    • Enterprises must enhance their vigilance.
  Truly advanced malware is about a ~15% problem.
  Source: Malware, APTs, and the Challenges of Defense, Gartner (updated 26 December 2012)

21. ADVANCED MALWARE MARKET WISDOM
  Signature-based defenses are ineffective against the unknown.
  Sandboxing
    • Run the suspect file in a safe (virtual) environment
    • Analyze the actual behavior of the unknown file
  Sandboxing limitations
    • Resource intensive
    • Not real-time
    • By itself, dynamic analysis is not effective against all malware

22. ADVANCED THREAT DEFENSE: KEY DIFFERENTIATORS
  Comprehensive Approach, High Detection Accuracy, Centralized Deployment

23. COMPREHENSIVE APPROACH TO MALWARE
  • FIND advanced threats
  • FREEZE threats, stopping their infiltration and spread within the infrastructure
  • FIX impacted systems by initiating remediation

24. COMPREHENSIVE APPROACH TO MALWARE: Faster Time to Malware Conviction, Containment and Remediation
  FIND: McAfee Advanced Threat Defense with McAfee Global Threat Intelligence (efficient AV signatures, GTI reputation, real-time emulation engine, target-specific sandboxing, static code analysis)
  FREEZE: McAfee Network IPS, McAfee Web Gateway, McAfee Email Gateway, McAfee Endpoint Agent
  FIX: McAfee ePO (automated host cleaning with McAfee Real Time, malware fingerprint query with McAfee Real Time)

25. ADVANCED THREAT DEFENSE: KEY DIFFERENTIATORS (repeated)
  Comprehensive Approach, High Detection Accuracy, Centralized Deployment

26. COMPREHENSIVE LAYERED APPROACH (balances performance and protection)
  • Local Lists: known bad, known good
  • Anti Virus Signatures: McAfee Anti Virus Inspection
  • Global File Reputation: McAfee Global Threat Intelligence
  • Emulation Engine: Gateway Antimalware
  • Advanced Sandboxing: Static Code And Dynamic Analysis
27. ATD On-Box Analysis Order
  Local white list check → Local black list check → MFE AV scan → GTI reputation (GTI query / update*) → (GAM) Emulation → Sandbox Analysis → Yara rules

28. DYNAMIC AND STATIC ANALYSIS
  File types: Adobe Reader, PE files, Mobile, Microsoft Office, Archives
  DYNAMIC ANALYSIS
    • Observe registry modifications
    • Observe network communications
    • Observe process activities
    • Observe file system changes
    Classification and report based on behavior only… Good, but not good enough!
  STATIC ANALYSIS
    • Unpacking
    • Static analysis of disassembled code
    • Discovery of latent code
    • Hidden logic paths
    Classification and report based on observed behavior and familiarity of unexecuted code

29. ADVANCED THREAT DEFENSE: KEY DIFFERENTIATORS (repeated)
  Comprehensive Approach, High Detection Accuracy, Centralized Deployment

30. CENTRALIZED DEPLOYMENT vs. PROTOCOL-SPECIFIC DEPLOYMENT
  Protocol-specific deployment: numerous appliances, one per protocol (diagram labels: DMZ; Data Center Servers; Web Gateway with Web Malware Analysis; File Server Malware Analysis; FW; IPS; Email Gateway with Email Malware Analysis; Email/DNS/App; End-User Endpoints with Malware Analysis/Forensics; Management and Forensics).
  Centralized deployment: lower cost of ownership and scalability; a single ATD, with ePO and Network Security Manager as the central manager.
  Supported versions: NSP 8.0.x and MWG 7.4.x
31. McAfee Advanced Threat Defense (MATD). Use Case: McAfee Network Security Platform
  Diagram labels: File downloaded from the Internet → Network Security Platform → MD5 query request, individual files sent → McAfee Advanced Threat Defense → MD5, attack info, reports → McAfee Network Security Manager → McAfee ePO → policy update, enforcement → infected hosts

32. ATD NSM Report Summary
  A summary report can be accessed from the Analysis tab in the top menu bar and then the Malware Downloads tab in the left menu. Clicking on the Advanced Threat icon as shown will bring up the summary report. From this summary report, you will find a link at the bottom to download a Full Analysis Report if required.

33. McAfee Advanced Threat Defense (MATD). Use Case: McAfee Web Gateway Integration (Proposal)
  Diagram labels: File downloaded from the Internet → McAfee Web Gateway → file uploaded for analysis (REST API) → McAfee Advanced Threat Defense: static / dynamic analysis → report results returned. Host profile query: McAfee Web Gateway → McAfee ePO / Common Catalog.

34. ATD Web Gateway Configuration
  File submission to MATD will be another mechanism for analysis. This will trigger the progress page system in McAfee Web Gateway. The file can be set to be held until the sandbox has analyzed it. GAM and other down-select mechanisms will be disabled on MATD, as these will already have been run before the decision to send the file to MATD is made. With McAfee Web Gateway, specific conditions can be put in place, e.g. if GAM is 60% sure it is malware, send it to MATD for further analysis. McAfee Web Gateway will communicate with MATD over the RESTful API. If a sample is sent to MATD for analysis, an indicator like the one shown will appear.
35. ATD available in block pages

36. Analysis Summary
  • Sample name, hash, and file size
  • Analysis environment

37. Reports: Analysis Tab: Analysis
  • Family Classification
  • Processes analyzed in sample
  • Classification / Threat Score
  Family Classification is based on the similarity that the piece of malware had with other code in the wild. An example would be Zeus (http://en.wikipedia.org/wiki/Zeus_%28Trojan_horse%29) or Voter_1 in this example. The Classification and Threat Score give the user a better idea of what the malware was and its intent.
  In this example, “setup_361.exe” was initially loaded to MATD’s analyzer. It subsequently created “vstart.exe”, which created “update.exe”. The level color shows the severity of the sample: yellow is low, orange is medium and red is high.

38. Analysis Summary
  • Behavior Summary
  • Severity Levels
  The Behavior Summary illustrates that when the malware was run in the sandbox, 57% of the code was actually executed. This was done through static code analysis. This also gives the user a high-level view of what the malware did, e.g. “Hide file by changing its attribute” or “Created content or Windows System Directory”. These behaviors come directly from the YARA rule correlation.
  The Severity Levels show what analyzed the sample (GTI, GAM, a combination of multiple down-selects), what the final severity rating was, and whether the file was malicious or not. The Final Score is based on the combination of scores from the down-selects.
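The on-box analysis order on slide 27, the gateway rule on slide 34 and the score combination on slide 38 together describe a down-select pipeline: cheap verdicts first, the sandbox only for what survives them. The following Python model is an added illustration, not McAfee's code; the stage order, the 60% gateway threshold and the behaviour names come from the slides, while the placeholder hashes, the 0-100 score scale, the "max of stage scores" combination rule and the severity thresholds are assumptions.

```python
from dataclasses import dataclass

# Constructed knowledge base for this illustration; hash values are placeholders, not real indicators.
KNOWLEDGE = {
    "local_white_list": {"md5-placeholder-01"},
    "local_black_list": {"md5-placeholder-02"},
    "av_signatures": {"md5-placeholder-03"},             # MFE AV scan signature hits
    "gti_reputation": {"md5-placeholder-04": 95},        # assumed 0-100 scale, higher is worse
    "gam_confidence": {"md5-placeholder-05": 0.72, "md5-placeholder-06": 0.10},
    "sandbox_behaviors": {                               # behaviour names taken from slide 38
        "md5-placeholder-05": ["Hide file by changing its attribute",
                               "Created content or Windows System Directory"],
        "md5-placeholder-06": [],
    },
}
# Stand-in for the YARA rule correlation: behaviour -> score contribution (assumed values).
YARA_BEHAVIOR_SCORES = {
    "Hide file by changing its attribute": 40,
    "Created content or Windows System Directory": 60,
}

@dataclass
class StageResult:
    stage: str
    verdict: str  # "known_good" | "known_bad" | "unknown"
    score: int    # contribution to the final score on the assumed 0-100 scale

def local_white_list(md5):
    good = md5 in KNOWLEDGE["local_white_list"]
    return StageResult("local_white_list", "known_good" if good else "unknown", 0)

def local_black_list(md5):
    bad = md5 in KNOWLEDGE["local_black_list"]
    return StageResult("local_black_list", "known_bad" if bad else "unknown", 100 if bad else 0)

def mfe_av_scan(md5):
    bad = md5 in KNOWLEDGE["av_signatures"]
    return StageResult("mfe_av_scan", "known_bad" if bad else "unknown", 100 if bad else 0)

def gti_reputation(md5):
    rep = KNOWLEDGE["gti_reputation"].get(md5, 0)
    return StageResult("gti_reputation", "known_bad" if rep >= 90 else "unknown", rep)

def gam_emulation(md5):
    # Emulation yields a confidence, not a conviction, so it never ends the pipeline on its own.
    return StageResult("gam_emulation", "unknown", round(KNOWLEDGE["gam_confidence"].get(md5, 0.0) * 100))

def sandbox_yara(md5):
    behaviors = KNOWLEDGE["sandbox_behaviors"].get(md5, [])
    score = max((YARA_BEHAVIOR_SCORES.get(b, 0) for b in behaviors), default=0)
    return StageResult("sandbox_analysis", "unknown", score)

# Cheapest checks first, sandbox last, following the order on slide 27.
ANALYSIS_ORDER = [local_white_list, local_black_list, mfe_av_scan, gti_reputation, gam_emulation, sandbox_yara]

def web_gateway_should_submit(gam_confidence, threshold=0.60):
    """Slide 34's gateway rule: hand the file to MATD once GAM is 60% sure it is malware."""
    return gam_confidence >= threshold

def severity(score):
    """Map the final score to the colour levels on slide 37 (thresholds are assumed)."""
    if score >= 75:
        return "high"    # red
    if score >= 40:
        return "medium"  # orange
    return "low"         # yellow

def analyze(md5):
    """Run the stages in order, stop at the first conclusive verdict, combine scores (max, assumed)."""
    results = []
    for stage in ANALYSIS_ORDER:
        result = stage(md5)
        results.append(result)
        if result.verdict != "unknown":
            break  # known good or known bad: skip the more expensive stages
    final = max(r.score for r in results)
    return [r.stage for r in results], final, severity(final)

if __name__ == "__main__":
    for sample in ("md5-placeholder-01", "md5-placeholder-03", "md5-placeholder-05"):
        print(sample, analyze(sample))
```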
39. Analysis Summary: Individual File Analysis and Detail

40. Disassembly Listing
  • ATD adds comments in the Disassembly Listing as shown.

41. Execution Path Listing
  • Download a free GML viewer at yWorks.
  • Open the .gml file and change the view to Hierarchical from the Layout menu.
  • Select the defaults and click OK.

42. Execution Path Listing
  • After changing the layout, you will get a large summary layout.
  • This can be zoomed in/out by clicking the zoom button(s).

43. Execution Path Listing
  • The execution path can be zoomed down into multiple times.
  • The blue paths show what was executed in the sandbox; the red paths were not.
  • This will also show what functions were called, for example “CopyFileA”.
44. Hardware

  Chassis                                   Low end (GP), 16 cores                          High end (LHP), 32 cores
  Chassis form factor                       1U                                              2U
  Cores                                     16                                              32
  Memory                                    128GB                                           256GB
  Disk controller (common)                  SAS 6g RAID 10 interface; 1GB cache; equivalent to Intel part number RMS25PB040
  Disk space, HDD                           2 x 2TB                                         4 x 2TB
  Disk space, SSD (VM image repository)     400GB                                           600GB
  Dynamic analysis                          20-30 VMs, 25K files/day                        40-60 VMs, 50K files/day
  Scanning capacity                         150,000 total objects/day; 25,000 dynamically   250,000 total objects/day; 50,000 dynamically
  Power supplies (both)                     AC redundant, hot swappable
  Network interfaces (both)                 On-board 10/100/1000 Mbps RJ45, 4 ports
  RMM (both)                                Yes
  Regulatory compliance for safety and EMI  Worldwide (both)

45. MCAFEE ADVANCED THREAT DEFENSE: Faster Time to Malware Conviction, Containment, and Remediation
  • Comprehensive Approach
  • High Detection Accuracy: better detection, better protection
  • Centralized Deployment: lower total cost of ownership

46. I have a question…
  • How do you collect samples for analysis?
  • What malware detection techniques do you implement? Blacklisting, whitelisting, sandboxing, code emulation, code disassembly
  • Can your product unpack samples, if required?
  • How do you determine the environment (OS & applications) in which to sandbox a sample?
  • What provisions do you have to block further instances of malware, once detected?
  • Once detected, can you find malware elsewhere in the estate?
  • What is your approach to product integration?
