Advanced Threat Protection - Exclusive Networks
passport.exclusive-networks.it/upload/workdoc/ATP...

Post on 19-Jul-2020

© Copyright Fortinet Inc. All rights reserved.

Advanced Threat Protection Webinar 24 May 2016 | Fortinet Italy


Agenda

What is Sandbox?

FortiSandbox Cloud Options

FortiSandbox On-premise

FortiSandbox On-premise File Submission

Sniffer Mode

FortiSandbox On-Premise Device Mode

FortiSandbox On-premise FortiClient Integration

HA & Sizing Details

1. What is Sandbox

What is Sandboxing? Virtual analysis – nothing new

Sandbox: virtual end-user environment

• Code is executed in a contained, virtual environment
• Goal is to replicate typical workstations
• Output is analyzed to determine characteristics
• Some characteristics are malicious:
  • Known virus downloads
  • Registry modifications
  • Outbound connection to malicious IPs
  • Infection of processes

[Diagram: the sandbox VM is watched for unsafe actions and escape attempts, and its outbound communication is inspected in a controlled way.]

Why a Customer looks for ATP

• Lateral movement
• Categorization not enough
• AntiSpam ineffective against phishing

Breaking the Kill Chain of Advanced Attacks

[Diagram: the attack chain runs Spam → Malicious Link → Exploit → Malware → Bot Commands & Stolen Data, delivered through a Malicious Email, a Malicious Web Site and a C2 Server. The control matched to each stage: Antispam, Web Filtering, Antivirus, Intrusion Prevention, App Control, IP Reputation.]

[Diagram, second slide: the same chain and controls with Sandbox added across the stages, ending at "Access Confirmed".]

Lateral Movement - Two Approaches

• ISFW in Transparent Mode (pro-active)
• FortiClient (reactive)

Spear Phishing Prevention - Two Approaches

• Transparent VDOM on ISFW
• FortiMail in Gateway Mode

[Diagram note: ineffective against encrypted attacks]

Advanced Threat Protection Framework

• Access Control: Stateful Firewall, Vulnerability Management, 2-Factor Authentication
• Threat Prevention: IPS/Application Control, AntiMalware, Email/Web Filtering, Anti-bot
• Threat Detection “Sandboxing”: Network Behavior Analysis, Botnet Reporting, Client Reputation
• Incident Response: Professional Services, Device Quarantine, FortiGuard Updates
• Continuous Monitoring: Reporting, FortiGuard Research, SIEM/Log Mgt/Intelligence, Service Partners

ATP Framework in Action

[Diagram: FortiGate, FortiWeb, FortiMail and FortiClient submit unknown URLs and files to FortiSandbox; the Web Server sits behind FortiWeb and the Mail Server behind FortiMail, with the Internet outside. Caption: extended and fast protection.]

FortiSandbox - key components

• Multi-tiered file processing optimizes resources to improve security, capacity and performance

AV Engine
• Applies top-rated (95%+ Reactive And Proactive) engine
• Serves as an efficient pre-filter

Cloud Query
• Checks FortiSandbox community intelligence
• FortiGuard verified

Code Emulation
• Quickly simulates intended activity
• OS independent and immune to evasion/obfuscation

Full Virtual Sandbox
• Examines real-time, full lifecycle activity
• Provides rich threat information

Call Back Detection
• Identifies the ultimate aim, call back and exfiltration
• FortiGuard verified

Products

2. FortiSandbox Cloud

Screenshot slides: FortiOS 5.4; FortiCloud; Register your device; New Tab of FortiSandbox; Tune AV Profile on FortiGate; Select AV Profile in Policy

FortiSandbox Cloud for FortiMail & FortiWeb

[Diagram: FortiMail and FortiWeb both submit to FortiSandbox Cloud.]

FortiMail Sandbox
» Select Sandbox in AV Profile

FortiWeb Sandbox Cloud Configuration
» Select Sandbox Cloud in File Upload Policy

3. FortiSandbox On-premise

Screenshot slides: Status Page; FortiGuard Updates; Pre-requisite; It Appears in Scan Profile

FSA SimNet - Open or Closed Environment?

Should you risk degrading your IP reputation by letting sandbox VMs go out through your Internet access?

» Sandbox VM execution is short
» Your reputation is at risk every day anyway (e.g. an infected computer in your network)
» Use a dedicated Internet access for FortiSandbox outgoing traffic

[Diagram: FortiSandbox with port1, port2 and port3, one of them dedicated to the Internet.]

Why Internet Access is Important for Detection?

Detonating a downloader sample in a sandbox VM with the netsim feature enabled:

» DNS Query: A FQDN? → URL Rating: FQDN
» DNS Response: A 192.168.250.1 (simulated) → IP Reputation: 192.168.250.1
» HTTP Request: GET URL → URL Rating: URL
» HTTP Response: dummy.exe (simulated) → AV Inspection: dummy.exe

The Rating Engine scores these observations at execution time.

Why Internet Access is Important for Detection?

Detonating a downloader sample in a sandbox VM without netsim:

» DNS Query: A FQDN? → URL Rating: FQDN
» DNS Response: A a.b.c.d → IP Reputation: a.b.c.d
» HTTP Request: GET URL → URL Rating: URL
» HTTP Response: the real payload → AV Inspection of the content
» Callback connection: C2 → IP Reputation: C2

The Rating Engine scores these observations at execution time.

simnet disabled vs simnet enabled

Sample Network Action   Rating Feature   SimNet Disabled   SimNet Enabled
DNS Request             URL Rating       FQDN              FQDN
DNS Response            IP Reputation    a.b.c.d           192.168.250.1 (simulated)
HTTP Request            URL Rating       URL               URL
HTTP Response           AV Inspection    content           dummy.exe (simulated)
Callback connection     IP Reputation    C2                not observed

Screenshot slides: For Networks Using Proxy; Alert Email Setting; Scheduled Reports on Mail; SNMP Settings

3.a. Advanced Setup: On-Premise Mode

Screenshot slides: Configuring VMs; Maximum Number of VMs; Scan Profile; Configuring a VM to Scan a File Type; Flexibility to add User-Defined File Types; What if we don’t have Windows XP?

New Virtual Machines Support

» Android, Windows 8.1 and 10
» Not integrated by default
» SKUs to come for ordering

New design is based on input source and file type

[Diagram: matrix of input sources (Device/Sniffer, On-Demand/REST API, Network Share Adapter, URL) against file types (EXE, PDF, DOC, *.*), each mapped to the Android, Windows 8 and Windows 10 VM images, with room for a new source and type.]

Blacklist & Whitelist

4. File On-Demand

On-Demand: Manual Input Method

The administrator uses the web-based manager to upload files or URLs for inspection. The combination of inspection methods can be customized:

» AV
» Cloud File Query
» VM Sandboxing

The inspection is tracked through the On-Demand page.

Screenshot slides: How to check; Flexibility to choose Scan Engine

4.a. URL Submission

5. Sniffer Mode

Sniffer Input Method

Monitor the network traffic through two possible connection methods:

» Mirroring/monitoring or SPAN ports (switch with mirroring/monitoring/SPAN capabilities)
» TAP device

6. Device Mode

Devices Input Method

FortiGate, FortiMail or FortiWeb devices talk to the FortiSandbox appliance over 514/tcp (SSL encrypted):

- File submission
- Get statistics back

An in-memory hash table prevents accepting the same file several times. It is cleared every week or each time there is a DB update.
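The submission cache just described, as an added model (not Fortinet code): exact repeats are dropped by file hash, and the table is emptied on a signature DB update or after a week, so a file can be re-scanned once new signatures are in. The class and method names, the week window and the sample bytes are assumptions of this example.

```python
import hashlib
import time

WEEK_SECONDS = 7 * 24 * 3600  # assumed weekly clear interval


class SubmissionCache:
    """Hypothetical model of the device-mode duplicate filter."""

    def __init__(self, now=None):
        self._seen = set()
        self._last_clear = time.time() if now is None else now
        self.duplicates = 0

    def _maybe_weekly_clear(self, now):
        if now - self._last_clear >= WEEK_SECONDS:
            self._seen.clear()
            self._last_clear = now

    def on_db_update(self, now):
        # A DB update can change a verdict, so earlier files are
        # forgotten and may be submitted (and scanned) again.
        self._seen.clear()
        self._last_clear = now

    def accept(self, data: bytes, now: float) -> bool:
        """True if the file goes on to the scan engines, False if it is
        an exact repeat. Note the filter is by hash only: a one-byte
        variant of the same sample is a new file to it."""
        self._maybe_weekly_clear(now)
        digest = hashlib.sha256(data).hexdigest()
        if digest in self._seen:
            self.duplicates += 1
            return False
        self._seen.add(digest)
        return True


def demo():
    """Walk the three cases: repeat, DB update, weekly clear."""
    cache = SubmissionCache(now=0.0)
    sample = b"MZ\x90\x00 constructed sample bytes, not a real file"
    first = cache.accept(sample, now=1.0)          # accepted
    repeat = cache.accept(sample, now=2.0)         # dropped as duplicate
    cache.on_db_update(now=3.0)
    after_update = cache.accept(sample, now=4.0)   # accepted again
    later = cache.accept(sample, now=4.0 + WEEK_SECONDS)  # weekly clear
    return first, repeat, after_update, later, cache.duplicates
```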

Registering FortiGate on FortiSandbox for File Submission

Screenshot slides: Device should appear in FortiSandbox; Device Authorization; Configure AV Profile with FortiSandbox; Tune WCF Profile to use FortiSandbox; Policy; FortiView

6.a Device Mode - FortiWeb

If FGT is integrated with FSA, why do I need to integrate FortiWeb with FSA?

Encrypted Traffic

[Diagram: HTTPS traffic passes the FortiGate (FGT) with the uploaded file still encrypted; FortiWeb terminates the TLS session and submits the decrypted file to FSA.]

FSA Integration
» Configure FSA: authorise and test connectivity, set up the admin mail

FortiWeb Configuration
» Configure the File Upload Restriction Policy

6.c Device Mode - FortiMail

Threat Vectors

Which threat vector is the most popular for Targeted Attacks?

a) Web browsing
b) Email
c) Software: bugs, backdoors, exploits
d) USB

Percentage of attacks involving that vector? Attacker’s easiest choice for Targeted Attacks:

“more than 90% of Targeted Attacks involve email”

Screenshot slides: Integrate with FortiSandbox; Enable Sandbox in AV-Profile; Select AV-Profile in Recipient Policy

7. FortiClient Integration

Part of the Fortinet ATP Framework

Prevent known malware
» Everything that can enforce a security policy

Detect unknown malware
» FortiSandbox & everything that is behavior based

Mitigation
» FortiGuard teams and automation

[Diagram: high-risk items go to FortiGuard, which creates a fix and updates prevention; FortiSandbox provides ratings & results.]

FortiSandbox Integration: Extending the ATP Framework up to the Endpoint

» File submission of supported file types
» Every input source supported: Internet, removable media and network drive
» Malware package support from FortiSandbox
» Prevent the user from accessing the file until a verdict is received

1. Submit and hold the files
2. Receive verdicts
3. Retrieve malware packages

FortiSandbox Integration: Execution or Access Hold during the Inspection

[Diagram: four numbered steps of the hold-and-verdict exchange between FortiClient and FortiSandbox.]

Screenshot slides: Create a Profile with FortiSandbox IP; Register FortiClient on FGT; Test FCT FSA Communication

Check FCT is registered on FSA & FGT
» On the FGT, check the FortiClient Monitor
» On the FSA, under Scan Input > FCT, check that the client has been registered

Process Next Level

[Diagram: the input methods (Sniffer, Devices, On-demand, Network Share, URL Detection) feed a Controller backed by a Local DB; the Controller drives the analysis stage: File Filter, Static Scan Engine, AV-Scan Engine, Cloud-Query Engine, VM-Scan Engine and Rating Engine.]

FortiGuard Threat Research & Response

[Diagram: the FortiGuard services behind the scan engines: Web Filtering Service, Anti-spam Security Service, Intrusion Prevention Service, Application Control Service, Database Security Service, Antivirus Service, Web Security Service, IP Reputation Service, Vulnerability Management Service and Anti-botnet. The engines are those of the previous slide: File Filter, Static Scan Engine, AV-Scan Engine, Cloud-Query Engine, VM-Scan Engine, Rating Engine.]

The Fortinet ATP Solution

[Diagram: FortiGuard Lab and FortiGuard Services above FortiGate, FortiMail, FortiWeb, FortiClient and FortiSandbox.]

Sizing & Clustering

FortiSandbox Scaling

[Diagram: a supported file type enters the File Filter, then the FortiSandbox pre-filters (Static Scan Engine, AV-Scan Engine, Cloud-Query Engine), which take 15 - 20 seconds and stop new or known malware. A clean file or unknown malware goes on to the VM-Scan Engine, which adds up to 2 ½ minutes, and then to the Rating Engine.]

Most file types are scanned by Static Scan. The following go into VMs: EXE/DLL, .bat/.vbs/.ps1/.com, PDF, Office files, Flash files, URLs from device, .jar, Office with embedded binary, Android.

File Sizing Summary

This means (worst case scenario):

» Maximum of 3 minutes per file (60 minutes / 3) =
» Maximum of 20 files an hour per Virtual Machine (if not caught by the pre-filters)

FortiSandbox Platforms

» FortiSandbox-1000D (8 concurrent VMs * 20) = 160 files per hour
» FortiSandbox-3000D (28 concurrent VMs * 20) = 560 files per hour
» FortiSandbox-Base-Virtual Appliance (4 VMs * 20) = 80 files per hour
» FortiSandbox-Maximum-Virtual Appliance (52 VMs * 20) = 1,040 files per hour

Clustering Allows Up to 100 Members

» In any platform combination (Initial Master / Primary Backup have to be the same)
» All cluster platforms share the file load / distribution

Clustering and Load Balancing

» Master and Primary Slave have to be the same appliance (can be any model)
» Regular Slaves can be any appliance
» Up to 100 nodes in a cluster

[Diagram: a Master and a Primary Slave of the same model, plus three Regular Slaves.]
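The sizing and clustering rules from the last two slides as an added calculator (not from the deck): per-VM rate and platform VM counts are the slide figures; the pre-filter hit rate used to size a deployment, and the function names, are assumptions of this example.

```python
import math

WORST_CASE_MINUTES_PER_FILE = 3
FILES_PER_VM_PER_HOUR = 60 // WORST_CASE_MINUTES_PER_FILE  # 20, per the slide

# Concurrent VMs per platform, from the FortiSandbox Platforms slide
PLATFORM_VMS = {
    "FortiSandbox-1000D": 8,
    "FortiSandbox-3000D": 28,
    "FortiSandbox-Base-Virtual Appliance": 4,
    "FortiSandbox-Maximum-Virtual Appliance": 52,
}
MAX_CLUSTER_NODES = 100


def files_per_hour(platform):
    """Worst-case hourly VM throughput of one appliance."""
    return PLATFORM_VMS[platform] * FILES_PER_VM_PER_HOUR


def cluster_capacity(members):
    """members: list of (platform, role) with role 'master', 'primary'
    or 'regular'. Enforces the two slide rules (node limit, master and
    primary slave on the same model) and sums the shared load."""
    if len(members) > MAX_CLUSTER_NODES:
        raise ValueError("cluster exceeds %d members" % MAX_CLUSTER_NODES)
    roles = {role: platform for platform, role in members
             if role in ("master", "primary")}
    if "master" not in roles or "primary" not in roles:
        raise ValueError("cluster needs a master and a primary slave")
    if roles["master"] != roles["primary"]:
        raise ValueError("master and primary slave must be the same model")
    return sum(files_per_hour(p) for p, _ in members)


def vms_needed(peak_files_per_hour, prefilter_hit_rate):
    """VMs required for a peak hourly volume when the pre-filters stop
    the given share (assumed value; the slides only say 'most')."""
    to_detonate = peak_files_per_hour * (1 - prefilter_hit_rate)
    return math.ceil(to_detonate / FILES_PER_VM_PER_HOUR)
```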

Thank You!