Overview of the Mandiant Cloud Platform
Source: concert.or.kr/2014forecast/pdf/forecast2014_Keynote.pdf
ConCERT Keynote
Justin Harvey Chief Solutions Strategist Mandiant, a FireEye Company
© 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL 2
We Live the Headlines
• Evernote Says Cyber Breach Which Cost Millions Wasn't From China - BusinessWeek, May 2013
• LivingSocial Hack Exposes Data for 50 Million Customers - New York Times, April 2013
• Fed Acknowledges Cybersecurity Breach - Wall St. Journal, Feb 2013
• NASDAQ Confirms a Breach in Network - Wall Street Journal, Feb 2011
• Sony PlayStation Suffers Massive Data Breach - Reuters, April 2011
• 3.6 Million Social Security Numbers Hacked in South Carolina - The State Newspaper, Oct 2012
• RSA Faces Angry Users After Breach - New York Times, June 2011
Mandiant In the News
Mandiant CEO Kevin Mandia
Experts in Advanced Targeted Threats
• Expert Responders for Critical Security Incidents
  • Incident responders to the biggest breaches
  • We train the FBI & Secret Service
  • Our consultants wrote the book (literally) on incident response
  • Clients include more than 40% of Fortune 100
• Our Products Are Based on Our Experience
  • Built to find and stop advanced attackers
  • We use our own products in our investigations
  • SC Magazine 2012 & 2013 “Best Security Company”
• Global Reach & Presence
  • 2000+ employees
  • Offices in global regions: Asia-Pacific-Japan, Australia/NZ, Americas, Europe & META
Our Customers
The Global Fortune 100 Trust Their Fortunes to Mandiant
“By knowing what indicators to look for and having the ability to search our entire network in a matter of hours we are able to shrink our window of exposure when threats evade our preventive measures.”
– Chief Information Security Officer, Fortune 500 Financial Services Company
“With Mandiant, we believe we can determine the scope of an attack so that we can respond faster, limit losses and minimize the disruption to our ongoing business.”
– Global Security Architect
40% of the Fortune 100
Biotech
Defense Contractors
Financial Services
Government
Health Care
Insurance
Law Firms
Manufacturing
Oil & Gas
Pharmaceuticals
Retail
Technology
Telecom
Utilities
One Question To Ask Yourself
Are You Compromised?
All Threat Actors Are Not Equal
Targeted Attacks Routinely Bypass Preventive Defenses
Source: Mandiant M-Trends 2013
[Chart: threat spectrum from Commodity Threats (Worms & Bots) to Advanced Persistent Threat (APT) / Advanced Targeted Attacks]
• 100% of victims had up-to-date anti-virus signatures
• 63% of companies learned they were breached from an external entity
• 46% of compromised systems had no malware on them
• 100% of breaches involved use of stolen credentials
The High Cost of Being Unprepared
Source: Mandiant M-Trends 2013
[Timeline: Initial Breach → Threat Undetected (3 months, 6 months, 9 months) → Remediation]
243 days: median number of days attackers are present on a victim network before detection.
Why Are Targeted Attacks Different?
• Often a nation-state or state-sponsored
  • Division of labor for different stages of attack
  • Utilize change management processes
  • Escalate sophistication of tactics as needed
• They have specific objectives
  • Their goal is long-term occupation
  • Persistence tools ensure ongoing access
  • They are relentlessly focused on their objective
• There’s a human at a keyboard
  • Highly tailored and customized attacks
  • Targeted specifically at you
  • Effective at bypassing preventive controls
It’s a “Who”, Not a “What”…
They are Professional, Organized & Well Funded…
If You Kick Them Out They Will Return
Organizations that do not fully understand this often react in ways that do more harm than good by tipping off the attackers.
APT Lifecycle Technique Timeline
Cyber Espionage “Real World” Examples
• PRC J-31 / US F-35
• PRC Loong-1 / US MQ-9
Goophone “clone”
Overview
• What Led to APT1 Report
• APT1 Report Lessons Learned
• PRC Use of APTs against S. Korea
• Expected APT Actions
• Implications
Why?
• Status Quo Was Intolerable
• Example of Actionable Information Sharing
• Why APT1?
  • Prolific
  • Sheer volume of stolen data
  • Progressively more blatant
  • Comprehensive understanding of TTPs
  • Not as intel-sensitive as other groups
Intent to change discussion from “China” to “State-Sponsored”. The importance of who and why have become critical factors.
Media Outlets Exploited
[Timeline: 25 October 2012 to 30 January 2013, 97 days]
China’s Response
“It is unprofessional and groundless to accuse the Chinese military of launching cyber attacks without any conclusive evidence.” - Chinese Defense Ministry, January 2013
APT1 Report
• 18 Feb 2013: Mandiant Released APT1 Intelligence Report
  • Linked APT1 to PLA unit 61398
  • 5 minute video of APT1 in action
• Released 3000+ Actionable Indicators of Compromise (IOCs)
  • OpenIOC format
  • Malware reports
  • IPs/domain names
  • MD5s
  • SSL Certificates
• Attribution Included:
  • Technical data from 140+ intrusions
  • Persona and Infrastructure registration
  • PLA and PRC Documents
  • China Telecom information
  • Geolocational and language data
China’s Computer Network Operations Tasking to PLA Unit 61398
20 Feb 2013: CNN video of PLA chasing CNN vehicle at Building
(https://www.youtube.com/watch?v=yG2ezzLHSD0)
Accuracy
“I read the Mandiant report. I've also read other reports, classified out of Intelligence, and I think the Mandiant report, which is now unclassified, it's public, is essentially correct”
-- Sen Feinstein, Chairwoman of Senate Intelligence Committee
APT1 – Reaction
• Monday 2/18 – Business as Usual
  • Report released at 10 PM EST
• Tuesday 2/19 – Action Plan Invoked
  • Domains parked
  • WHOIS registry changed
  • Backdoor/tools removed
  • Staging/working directories cleared
  • New backdoors implanted
• PRC Reaction:
  • High-level public statements
  • Unusual military presence
“There is still no internationally clear, unified definition of what consists of a 'hacking attack'. There is no legal evidence behind the report subjectively inducing that the everyday gathering of online (information) is online spying.”
-- 20 Feb 2013, PLA Defense Ministry
[Photo: 20 Feb 2013: PLA guard at MUCD 61398]
Impact on APTs
Short-Term Impacts:
• Unreleased indicators did not change
• NYT coverage did not stop intrusions…
• …but the APT1 Report did
• ALL APT groups acted in coordination following the APT1 Report
Long-Term Impacts:
• All groups resumed normal activity levels
• No changes in targeting
• No changes in TTPs
Mandiant learned significant lessons about the nature of APT groups as a collective entity following the APT1 Report. Mandiant considers that the uniform actions of ALL suspected China-based groups after the report confirm our attribution and speak to the level of Chinese coordination and control.
[Photo: China Telecom and 61398]
Lessons Learned
What Did We Learn?
• APTs respond to a command structure
• APTs follow media coverage
• APT “Re-Tool” time is short
• Only adjust disclosed portions
What Does It Mean?
• Public disclosures = difficult detection
• APTs are resilient
• APTs are not going away
• “Public shaming” ≠ intrusion response
• CCP role is critical
• PRC/PLA beliefs are applicable to APTs
[Photos: Unit 61398 Office Location; PLA Cyberwarfare Documentary]
Threat Landscape
[Timeline 2005 to 2014, by actor category (Commodity, Cybercrime, China, Iran, SEA): Emergence of APT Events, APT Target Expansion, Two Factor Subversion, STUXNET, DDOS on Banks, SEA Begins, Iran Emerges]
The Asian region faces an active cybercriminal element, encounters frequent hacktivist events tied to international issues as well as country conflicts, and has various nations possessing cyber capabilities. APT threats are the most significant cyber threat to the region based on the importance of the Pacific to the PRC.
China and Cyber
• Chinese Goals:
  • Protect Chinese Communist Party
  • Build economy, society, and military
  • 2020: Reach critical regional goals
  • 2050: World-class power
• 25 APT Groups supporting PRC:
  • Ensure CCP stability
  • Support economic goals
  • PLA efforts: modernize and prepare
  • Control “Five Poisons”
“From now through the first two decades of the 21st century, we have a very critical time period…economy and military modernization must be done together and supported at all costs” – Jiang Zemin
APT Efforts Against Industries (Industry: number of APTs)
• Aviation: 20
• Manufacturing: 16
• NGO: 11
• Agric/Chemical: 10
• Defense: 9
• Biotech/Pharm: 5
• Software/IT: 5
[Photo: Unit 61398 Office Location]
APTs in Action
• Economic Gains:
  • Steal and replace intellectual property
  • Theft of entire industry segments
  • Advanced knowledge of business strategies
• PLA Efforts:
  • Military modernization
  • Battlefield visibility
  • Prepare for three types of future cyberbattle
• Regime Support:
  • Media influence
  • “Five Poison” intrusions
  • Foreign government positions
Mandiant Observed APT Use in Territorial Disputes (Multiple APTs over 36+ Months)
Targets:
- Senior leaders (Cabinet-level)
- Multiple MFAs and Gov orgs
- US Military
- Asian militaries/Coast Guards
- US companies
- Various Asian companies
Data Theft:
- Vessel locations
- Shipping manifests
- Flight schedules
- Treaty issues
- Government positions
- Negotiation strategies
- Military readiness & postures
- Press interactions/sources
PRC Gains:
- Advanced knowledge of redlines, strategies, negotiations, limits
- Military dispositions
- Vessel and aircraft locations
- Allied involvement
Implications
• Activity Likely to Worsen:
  • All trends are upward
  • Geopolitical situation is key driver
• Intrusions Matter:
  • Data theft rapidly synthesized
  • Used for actionable gains
  • Intrusion effects are cumulative
• Expected APT Actions:
  • Valid access and trusted partners
  • Maintenance activity
  • Specific networks, users, data
  • APTs at targets that matter
ATR Summary
[Chart: Highest number of targeted verticals, by country. Source: 2013 FireEye Advanced Threat Report]
Why Did FireEye Buy Mandiant?
FireEye+Mandiant Threat Intelligence
• Over 4m sensors deployed worldwide (FE+Mandiant)
• Nucleus, patented 32 million node graph-based engine, mines data with 200 terabytes of storage, and 500M+ captured network streams
• Global sinkholes to detect malware activity
• Helix & Satori malware triage system uses proprietary sandboxing, machine learning, and genotyping tech to identify new samples of interest
• Team of 25 PhDs, linguists, analysts, and foreign policy experts from NSA, CIA, DIA, and military put intelligence into context
• One of the industry’s largest malware clearinghouses
• Hundreds of consulting engagements “close to breach”
• 90+ Managed Defense customers
[Diagram labels: DTI, APT1 Report; Host, Network, Events; MIR – Live Response; NTAP – MD Threat Analytics Platform; MSO – FireEye “HX”; FireEye NX, IPS; HBI – Host Based Indicators; NBI – Network Based Indicators]
Indicator Purposes
• Attribution: Who/what is responsible for this activity?
• Detection: If this event happens, I want to know about it.
• Profiling: What are the targeting parameters for this threat?
• Prediction: Given the current state, what can I expect from this threat in the future?
Genesis of the Indicator
Terms of an OpenIOC indicator as shown on the slide, combined in a logic tree of Or and And nodes (the operator labels belong to that tree layout):
• File MD5 checksum is 88195c3b0b349c4edbe2aa725d3cf6ff
• File path contains \system32\mtxes.dll
• File name is ripsvc32.dll
• File PE header compile time is 2008-04-04T18:14:25
• Service DLL is ripsvc32.dll
• Process has a handle named RipSvc32.dll
• File path contains \system32\msasn.dll
• File path contains \system32\msxml15.dll
• Registry path contains \SYSTEM\CurrentControlSet\Services\Iprip\Parameters\ServiceDll
• Registry key text contains ripsvc32.dll
• File size is between 500000 and 900000
• File name is SPBBCSvc.exe
• File name is hinv32.exe
• File name is vprosvc.exe
• File name is wuser32.exe
• Service name is IPRip
• Service DLL is not iprip.dll
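An added example, not Mandiant/FireEye code and not the OpenIOC reference implementation: a minimal evaluator for the kind of Or/And indicator tree shown above, run over a constructed host snapshot. The ItemType/field names, the simplified condition vocabulary, the snapshot layout and the exact tree shape are assumptions; the term contents come from the slide. It also shows the per-object subtlety that matters for the last two terms: "Service name is IPRip AND Service DLL is not iprip.dll" must be true of one service entry, otherwise any host with IPRip plus any other service would match.

```python
from dataclasses import dataclass, field

@dataclass
class Term:
    """One IndicatorItem: "<ItemType>/<field>" <condition> <content>."""
    context: str
    condition: str  # simplified vocabulary (assumption): is, isnot, contains, between
    content: object

@dataclass
class Logic:
    """An Indicator node combining its children with AND or OR."""
    operator: str
    children: list = field(default_factory=list)

def _match(term, value):
    """Compare one observed value against the term (case-insensitive)."""
    observed, want = str(value).lower(), term.content
    if term.condition == "is":
        return observed == str(want).lower()
    if term.condition == "isnot":
        return observed != str(want).lower()
    if term.condition == "contains":
        return str(want).lower() in observed
    if term.condition == "between":
        return want[0] <= int(value) <= want[1]
    raise ValueError("unknown condition: " + term.condition)

def _term_on_record(term, record):
    field_name = term.context.split("/", 1)[1]
    return field_name in record and _match(term, record[field_name])

def evaluate(node, snapshot):
    """snapshot = {ItemType: [record dict, ...]} collected from one host.
    An AND whose children are all Terms on one ItemType is checked per
    record: "Service name is IPRip AND Service DLL is not iprip.dll" must
    hold for a single service entry, not across two different services."""
    if isinstance(node, Term):
        item = node.context.split("/", 1)[0]
        return any(_term_on_record(node, r) for r in snapshot.get(item, []))
    kids = node.children
    items = {k.context.split("/", 1)[0] for k in kids if isinstance(k, Term)}
    if node.operator == "AND" and len(items) == 1 and all(isinstance(k, Term) for k in kids):
        records = snapshot.get(items.pop(), [])
        return any(all(_term_on_record(k, r) for k in kids) for r in records)
    results = [evaluate(k, snapshot) for k in kids]
    return all(results) if node.operator == "AND" else any(results)

# Indicator built from terms on the slide; the exact tree shape is an assumption.
IPRIP_IOC = Logic("OR", [
    Term("FileItem/Md5sum", "is", "88195c3b0b349c4edbe2aa725d3cf6ff"),
    Logic("AND", [Term("ServiceItem/name", "is", "IPRip"),
                  Term("ServiceItem/serviceDLL", "isnot", "iprip.dll")]),
    Logic("AND", [Term("RegistryItem/Path", "contains", r"\SYSTEM\CurrentControlSet\Services\Iprip\Parameters\ServiceDll"),
                  Term("RegistryItem/Text", "contains", "ripsvc32.dll")]),
])
# Constructed snapshots: one host whose service DLL was replaced, one clean.
HIJACKED_HOST = {"ServiceItem": [{"name": "IPRip", "serviceDLL": "ripsvc32.dll"}]}
CLEAN_HOST = {"ServiceItem": [{"name": "IPRip", "serviceDLL": "iprip.dll"},
                              {"name": "Spooler", "serviceDLL": "spoolsv.dll"}]}
```

`evaluate(IPRIP_IOC, HIJACKED_HOST)` is True and `evaluate(IPRIP_IOC, CLEAN_HOST)` is False; a naive evaluator that checks each term against all services independently would flag the clean host too.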
Attacks More Advanced than Current Safeguards
The Gap
• No technical solution
• No legislative solution
• Bad Guys will always exist
Organizations can no longer rely solely on preventive cybersecurity measures…
New Security Paradigm
• Ability to Operate Through Compromise
• Holistic Visibility (Network & Endpoint)
• Actionable Threat Intelligence
• Shift to Threat Centric Security
Organizations Must Seek to Eliminate the Consequences and Impact of Security Breaches
[Diagram: Threat Intelligence, Network-Based Visibility, Host-Based Visibility]
Timing Is Critical for Containment
Contain & Remediate in the Strike Zone
• Thorough understanding of the extent of the compromise
• Know the attacker’s tactics
• Can reliably detect the attackers’ malware and tools
TOO EARLY
• Extent of compromise is unknown
• Attackers will change tools, tactics, and procedures (TTPs)
• Attacker active during remediation event
TOO LATE
• Attackers may change their TTPs or become inactive
• Lack of activity increases difficulty to investigate
• Organization loses sense of urgency
[Chart: Knowledge of Attack vs. Time, with Too Early, Strike Zone and Too Late regions; remediating too early means the cycle needs to start again]
FireEye Product Portfolio
[Diagram labels: SEG, IPS, SWG, MDM, Host Anti-virus; MVX, Threat Analytics Platform, Dynamic Threat Intelligence, Network Threat Prevention, Email Threat Prevention, Content Threat Prevention, Mobile Threat Prevention, Endpoint Threat Prevention]
Security Re-Imagined: Rise of the Virtual Machines
[Timeline 1990s to 2020s: Era of Pattern-Matching Threat Detection (Endpoint AV; Network, Cloud, Endpoint) followed by Era of VM-based Threat Detection (Web, File, Cloud, Mobile, Endpoint)]
What is Threat Analytics Platform (TAP)?
The FireEye Threat Analytics Platform is a cloud-based solution that enables security teams to identify cyber threats and respond to them effectively by applying FireEye’s real-time threat intelligence to streams of enterprise-generated security event data.
FireEye Threat Analytics Platform raises the level of visibility after a detection from the FireEye Threat Prevention Platform by providing rich insights into threat actor profiles.
TAP Overview
Key TAP Value Drivers
Applied Threat Intel
• FireEye Threat Intel (Mandiant + FireEye) + rules gleaned from the front lines + customer rules & intel
Gain Context
• The investigative data you need, at your fingertips
• Alerts from any system scored for severity and linked to threat dossiers and TTPs
Quick Time to Value
• Hosted infrastructure = no hardware or support resources needed
• Agent-less approach reduces deployment time and operational complexity
High-Level Architecture
[Diagram: sources in the Customer Environment (Network devices: FW, DNS, DHCP; Security devices: AV, DLP, IdM, AM; Operating systems: Microsoft, OSX, *nix; Databases: SCOM, SCEP, Trend) feed the TAP Communications Broker over Syslog and ODBC; the broker forwards over a Secure Connection to the hosted Threat Analytics Platform, which applies Heuristic Rules and Mandiant + FireEye Threat Intel]
HX (MSO) – How Does It Work?
• Fits Within Existing Workflow: Bi-directional integration to SIEM and network security solutions.
• Accelerate Triage of Suspected Incidents: When security analysts review the alert, host-based evidence is already waiting and arranged in a timeline view to speed triage and improve decisions. Suspect files can be collected for further analysis.
• Look-Back Matching: When Mandiant identifies compromised devices the agent returns detailed information about what was happening when the event occurred.
• Isolate Compromised Devices: Deny attackers access to systems with a single mouse click while still allowing remote investigation.
[Diagram labels: Existing Security Solutions (“Next Gen” Network Security, SIEM & Log Management); Mandiant; Triage Package; Agent Anywhere™ reaches all of your endpoints no matter where they are.]
Indicator Sources
• Custom Indicators: Users describe files, network traffic or other indicators they want to detect immediately.
• Network Events: Automatically generate indicators for attacks seen by border security devices.
• Mandiant Intelligence: Indicators for the APT and malware missed by antivirus.
The Pyramid of Pain