Advance threat protection frameworks


Transcript of Advance threat protection frameworks

Page 1: Advance threat protection frameworks

Advance Threat Protection - Sandboxing

David Leinberry, Don Murphy
Enhanced Technologies – Americas

Page 2: Advance threat protection frameworks

Industry Information

• In the US, an estimated $300 Billion a year of Intellectual Property (IP) is stolen
• The average incursion went 200+ days without detection
• 300% uptick, $206 Mil, FBI - in Ransomware in the last 3 months
• Verizon 2016 Data Breach Report: "Phishing Tops The List Of Increasing Concerns"

Incident Response results:

o 100% of victims had up-to-date Antivirus signatures
o 100% of the breaches involved use of stolen credentials
o 67% of companies learned they were breached from an external entity
o 46% of the compromised systems had no malware on them
o Breaches are not limited to any one industry; all verticals are vulnerable

• Healthcare 80 million records
• Home Improvement Chain 56 million records
• Finance 76 million records

A new defense strategy is needed

Page 3: Advance threat protection frameworks

Audience Poll #1

What do you think the average cost of a data breach was in 2014?

A. $2m
B. $3.5m
C. $3.8m
D. $162m
E. Don't Know

Page 4: Advance threat protection frameworks

Data Breach Cost Data Points

Answer to Poll #1: B.

Page 5: Advance threat protection frameworks

Why a Sandbox?

To provide a pristine & isolated environment that automatically tests potentially malicious software

o Will need a feature to act like a mouse that executes the file just like a human would (double click)
o Sandbox steps through the file, opening other programs as needed to execute it (Office, Adobe, etc.)
o If a GUI is opened, we screenshot the malware install
o Call back/C2 is tracked
o A forensics report needs to be created and emailed to the pre-defined alias list

• After testing, intelligence is applied in deciding to alert
• Multiple VMs in a single appliance allow multiple files and threats to be analyzed at once
• Integration with multiple Security Platforms is critical in being proactive – Mail, endpoint, edge (FW)
• Integration with all major SIEMs should be a part of the integration

Page 6: Advance threat protection frameworks

Insider Threat: the Unintentional Participant (this can lead to APT)

Intentional Participants are IMHO already APTs

Who are they?

o Any employee; it is not intentional (executives are usually a High Value Target)

Use Case 1: Why did I click it?

o A user clicks a link that they don't know is bad
• FortiGate coupled with FortiSandbox can detect, block, and alert on bad links

Use Case 2: phishing / spear phishing

o A user opens an attachment they shouldn't have
o Attacks are sophisticated now; it's no longer a smash and grab
o FortiMail and FortiSandbox will block, clean, and alert even if you have another spam solution

Use Case 3: insufficient best practices for passwords, user behavior (Audits)

o Default Admin/Application passwords or shared passwords
o Unusual behavior in DB access (that little healthcare breach)
o FortiDB, FortiAuthenticator: User Profiling and Strong Authentication, no default or shared PWs

Page 7: Advance threat protection frameworks

Audience Poll #3

What are you most concerned about losing as a result of a cyber attack?

• Customer Data
• System Availability/Business Continuity
• Intellectual Property
• Employee Data
• Company Brand

Page 8: Advance threat protection frameworks

Sandbox – Usually has 4 Steps to Enhance Security

AV Prefilter
• Apply top-rated anti-malware engine

Cloud File Query
• Check community intelligence & file reputation

Full Virtual Sandbox
• Examine real-time, full lifecycle activity in the sandbox to get the threat to expose itself

Call Back Detection
• Identify the ultimate aim, call back & exfiltration
• Mitigate w/ analytics
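The four-step flow on this slide, together with the sandbox behaviours listed under "Why a Sandbox?" (Page 5), modelled as an added Python example that is not from the deck or from any Fortinet product. The signature set, reputation table, C2 indicator list, alias list and the sandbox run report are all constructed here for illustration; later stages only run when the earlier, cheaper ones are undecided.

```python
import hashlib
from typing import List, Optional, Tuple

# Constructed data for this example (not from the slides or any vendor feed).
KNOWN_BAD = {hashlib.sha256(b"EVIL-SAMPLE").hexdigest()}           # AV prefilter signatures
CLOUD_REP = {hashlib.sha256(b"SEEN-BEFORE").hexdigest(): "clean"}  # cloud file reputation
C2_INDICATORS = {"c2.example.invalid", "198.51.100.7"}             # known callback/C2 hosts
ALIAS_LIST = ["soc-alerts@example.invalid"]                        # pre-defined report recipients

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def score_behaviour(report: dict) -> Tuple[int, List[str]]:
    """Stage 3, full sandbox: weigh what the VM observed after 'double-clicking' the file."""
    weights = {"persistence": 40, "drops_executable": 30, "spawns_shell": 30}
    hits = [k for k in weights if report.get(k)]
    return sum(weights[k] for k in hits), hits

def detect_callback(report: dict) -> List[str]:
    """Stage 4, callback detection: contacted destinations that match C2 indicators."""
    return sorted(d for d in report.get("connections", []) if d in C2_INDICATORS)

def analyze(data: bytes, report: Optional[dict] = None) -> dict:
    """Run the four stages in order and return the verdict plus the stage that decided it."""
    h = sha256(data)
    if h in KNOWN_BAD:                                   # stage 1: AV prefilter
        return {"sha256": h, "verdict": "malicious", "decided_by": "av_prefilter", "iocs": []}
    if h in CLOUD_REP:                                   # stage 2: cloud file query
        return {"sha256": h, "verdict": CLOUD_REP[h], "decided_by": "cloud_query", "iocs": []}
    report = report or {}                                # unknown file: detonate it
    score, hits = score_behaviour(report)                # stage 3: full sandbox
    callbacks = detect_callback(report)                  # stage 4: callback detection
    if callbacks:
        score += 50                                      # a tracked C2 callback is decisive
    verdict = "malicious" if score >= 50 else "suspicious" if score > 0 else "clean"
    return {"sha256": h, "verdict": verdict, "decided_by": "sandbox",
            "behaviours": hits, "iocs": callbacks, "score": score}

def forensics_report(result: dict) -> str:
    """The text that would be emailed to the alias list and forwarded to the SIEM."""
    lines = [f"To: {', '.join(ALIAS_LIST)}", f"Sample: {result['sha256']}",
             f"Verdict: {result['verdict']} (decided by {result['decided_by']})"]
    if result.get("behaviours"):
        lines.append("Behaviours: " + ", ".join(result["behaviours"]))
    if result["iocs"]:
        lines.append("Callback IOCs to block at the edge FW: " + ", ".join(result["iocs"]))
    return "\n".join(lines)

if __name__ == "__main__":  # constructed sandbox run for an unknown sample
    run = {"persistence": True, "connections": ["update.example.invalid", "c2.example.invalid"]}
    print(forensics_report(analyze(b"UNKNOWN-SAMPLE", run)))
```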

Page 9: Advance threat protection frameworks

14 Types of Danger and some examples

• Adware – BitTorrent
• Riskware – smsreg
• Botnet – Fastflux
• Hijack – Trovi
• Trojan – CryptoLocker (40 variants in the Extreme DB)
• Worm
• Backdoor
• Rootkit
• Dropper
• Downloader
• Injector
• Attacker
• Stealer
• Infector

Page 10: Advance threat protection frameworks

Flexible Deployment Modes

• Standalone Mode – Ideal for scalable requirements (Data Center)
• Integrated Mode – Ideal for centralized gateway with inline protection (Headquarters / Enterprise Core)
• Distributed Mode – Ideal for protection in a distributed environment (Branch Offices / Distributed Enterprise)

Page 11: Advance threat protection frameworks

All Input Methods Supported Simultaneously

Devices
o Files submitted from an edge FW product

Sniffer
o Files extracted from monitored traffic

File Share
o Files are examined on a network share

On-demand
o Files or URLs manually submitted through the web-based manager of the Sandbox

[Diagram: the Sandbox receiving input from Devices, Sniffer, On-demand submission and File Shares (NFS/CIFS)]

Page 12: Advance threat protection frameworks

Breaking the Kill Chain of Advanced Threats

[Diagram: kill chain stages – Spam, Malicious Email, Malicious Link, Malicious Web Site, Exploit, Malware, Bot Commands & Stolen Data, Command & Control Center]

[Diagram: controls mapped to those stages – Anti-spam, Web Filtering, Intrusion Prevention, Antivirus, App Control/IP Reputation]

Page 13: Advance threat protection frameworks

Breaking the Kill Chain of Advanced Threats

[Diagram: the same kill chain – Spam, Malicious Email, Malicious Link, Malicious Web Site, Exploit, Malware, Bot Commands & Stolen Data, Command & Control Center]

[Diagram: controls mapped to those stages – Anti-spam, Web Filtering, Intrusion Prevention, Antivirus, App Control/IP Reputation, with the Sandbox added across the chain]

Page 14: Advance threat protection frameworks

FortiSandbox Detecting Targeted Attacks

• Prefilters objects, identifying known threats
• Uncovers full threat lifecycle and presents indicators of compromise
• Full deployment capabilities
  o Sniffer: span port mode to capture all packets
  o On-demand: manual submission & analysis
  o Integrated: with FortiGate, FortiMail, FortiWeb & FortiClient to feed into and act on intelligence out of FortiSandbox
• Integrated File Share scan capability
• True dynamic URL analysis engine plus integration with other Forti-components

[Diagram: analysis stages – Network Traffic, Cloud File Query, AV Prefilter, Code Emulation, Full Sandbox, Callback Detection]

Page 15: Advance threat protection frameworks

Products

Page 16: Advance threat protection frameworks

How Should It All Work?

[Diagram: Client, Sandbox and Firewall/Mail/Web Server exchange File Submission/Result; responses are Quarantine Devices/Block Traffic, Device/File Quarantine and Block Objects; Security follow-the-sun analytical Labs provide Intelligence Sharing, Security Updates, and Forensics and Response; real-time intelligence updates are ongoing]

Page 17: Advance threat protection frameworks

A Sandbox Should Sit at the Heart of Every Security System

[Diagram: Web Servers and Mail Servers connected to the Sandbox and an Analytical Lab]

Page 18: Advance threat protection frameworks

QUESTIONS?

Page 19: Advance threat protection frameworks

Our Partners

ADNET proudly partners with leading technology and business solution providers to help our clients find the best possible fit for their needs. We encourage you to visit our partners' websites to learn more about their services.

Page 20: Advance threat protection frameworks

@FORTINET
www.FORTINET.com

Page 21: Advance threat protection frameworks

@ADNETTech
@ADNETTechnologiesLLC
www.thinkADNET.com

@MarcumLLP
@Marcum-LLP
www.marcumllp.com