Overview of the Mandiant Cloud Platform
concert.or.kr/2014forecast/pdf/forecast2014_Keynote.pdf


Page 1:

ConCERT Keynote

Justin Harvey Chief Solutions Strategist Mandiant, a FireEye Company

Page 2:

© 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL 2

We Live the Headlines

Evernote Says Cyber Breach Which Cost Millions Wasn't From China -- BusinessWeek, May 2013

LivingSocial Hack Exposes Data for 50 Million Customers -- New York Times, April 2013

Fed Acknowledges Cybersecurity Breach -- Wall St. Journal, Feb 2013

NASDAQ Confirms a Breach in Network -- Wall Street Journal, Feb 2011

Sony PlayStation Suffers Massive Data Breach -- Reuters, April 2011

3.6 Million Social Security Numbers Hacked in South Carolina -- The State Newspaper, Oct 2012

RSA Faces Angry Users After Breach -- New York Times, June 2011


Page 3:

Mandiant In the News

Page 4:

Mandiant CEO Kevin Mandia

Page 5:

Experts in Advanced Targeted Threats

• Expert Responders for Critical Security Incidents
  • Incident responders to the biggest breaches
  • We train the FBI & Secret Service
  • Our consultants wrote the book (literally) on incident response
  • Clients include more than 40% of Fortune 100

• Our Products Are Based on Our Experience
  • Built to find and stop advanced attackers
  • We use our own products in our investigations
  • SC Magazine 2012 & 2013 “Best Security Company”

• Global Reach & Presence
  • 2000+ employees
  • Offices in global regions: Asia-Pacific-Japan, Australia/NZ, Americas, Europe & META.

Page 6:

Our Customers

The Global Fortune 100 Trust Their Fortunes to Mandiant

“By knowing what indicators to look for and having the ability to search our entire network in a matter of hours we are able to shrink our window of exposure when threats evade our preventive measures.” – Chief Information Security Officer, Fortune 500 Financial Services Company

“With Mandiant, we believe we can determine the scope of an attack so that we can respond faster, limit losses and minimize the disruption to our ongoing business.” – Global Security Architect

40% of the Fortune 100

Biotech

Defense Contractors

Financial Services

Government

Health Care

Insurance

Law Firms

Manufacturing

Oil & Gas

Pharmaceuticals

Retail

Technology

Telecom

Utilities

Page 7:

One Question To Ask Yourself

Are You Compromised?


Page 8:

All Threat Actors Are Not Equal

Page 9:

Targeted Attacks Routinely Bypass Preventive Defenses

Source: Mandiant M-Trends 2013

[Chart: threat spectrum from Commodity Threats (Worms & Bots) to Advanced Persistent Threat (APT) / Advanced Targeted Attacks]

100% of victims had up-to-date anti-virus signatures

63% of companies learned they were breached from an external entity

46% of compromised systems had no malware on them

100% of breaches involved use of stolen credentials

Page 10:

The High Cost of Being Unprepared

[Timeline chart: Initial Breach → Threat Undetected (3 months, 6 months, 9 months) → Remediation]

Source: Mandiant M-Trends 2013

243 Days: median number of days attackers are present on a victim network before detection.

Page 11:

Why Are Targeted Attacks Different?

• Often a nation-state or state-sponsored
• Division of labor for different stages of attack
• Utilize change management processes
• Escalate sophistication of tactics as needed

• They have specific objectives
• Their goal is long-term occupation
• Persistence tools ensure ongoing access
• They are relentlessly focused on their objective

• There’s a human at a keyboard
• Highly tailored and customized attacks
• Targeted specifically at you
• Effective at bypassing preventive controls

It’s a “Who”, Not a “What”…

They are Professional, Organized & Well Funded…

If You Kick Them Out They Will Return

Organizations that do not fully understand this often react in ways that do more harm than good by tipping off the attackers.

Page 12:

APT Lifecycle Technique Timeline


Page 18:

Cyber Espionage “Real World” Examples

PRC J-31

US F-35

PRC Loong-1

US MQ-9

Page 19:

Goophone “clone”

Page 20:

Overview

• What Led to APT1 Report

• APT1 Report Lessons Learned

• PRC Use of APTs against S. Korea

• Expected APT Actions

• Implications

Page 21:

Why?

• Status Quo Was Intolerable

• Example of Actionable Information Sharing

• Why APT1?
  • Prolific
  • Sheer volume of stolen data
  • Progressively more blatant
  • Comprehensive understanding of TTPs
  • Not as intel-sensitive as other groups

Intent to change discussion from “China” to “State-Sponsored”. The importance of who and why have become critical factors.

Page 22:

Media Outlets Exploited

[Timeline: 25 October 2012 to 30 January 2013, 97 days]

Page 23:

China’s Response

“It is unprofessional and groundless to accuse the Chinese military of launching cyber attacks without any conclusive evidence.” - Chinese Defense Ministry, January 2013

Page 24:

APT1 Report

• 18 Feb 2013: Mandiant Released APT1 Intelligence Report
  • Linked APT1 to PLA unit 61398
  • 5 minute video of APT1 in action

• Released 3000+ Actionable Indicators of Compromise (IOCs)
  • OpenIOC format
  • Malware reports
  • IPs/domain names
  • MD5s
  • SSL Certificates

• Attribution Included:
  • Technical data from 140+ intrusions
  • Persona and Infrastructure registration
  • PLA and PRC Documents
  • China Telecom information
  • Geolocational and language data

Page 25:

China’s Computer Network Operations Tasking to PLA Unit 61398

Page 26:

20 Feb 2013: CNN video of PLA chasing CNN vehicle at Building

(https://www.youtube.com/watch?v=yG2ezzLHSD0)

Accuracy

“I read the Mandiant report. I've also read other reports, classified out of Intelligence, and I think the Mandiant report, which is now unclassified, it's public, is essentially correct”

-- Sen Feinstein, Chairwoman of Senate Intelligence Committee

Page 27:

APT1 – Reaction

• Monday 2/18 – Business as Usual
  • Report released at 10 PM EST

• Tuesday 2/19 – Action Plan Invoked
  • Domains parked
  • WHOIS registry changed
  • Backdoor/tools removed
  • Staging/working directories cleared
  • New backdoors implanted

• PRC Reaction:
  • High-level public statements
  • Unusual military presence

“There is still no internationally clear, unified definition of what consists of a 'hacking attack'. There is no legal evidence behind the report subjectively inducing that the everyday gathering of online (information) is online spying.”

-- 20 Feb 2013, PLA Defense Ministry

20 Feb 2013: PLA guard at MUCD 61398

Page 28:

Impact on APTs

Short-Term Impacts
• Unreleased indicators did not change
• NYT coverage did not stop intrusions…
• …but the APT1 Report did
• ALL APT groups acted in coordination following the APT1 Report

Long-Term Impacts:
• All groups resumed normal activity levels
• No changes in targeting
• No changes in TTPs

Mandiant learned significant lessons about the nature of APT groups as a collective entity following the APT1 Report. Mandiant considers that the uniform actions of ALL suspected China-based groups after the report confirm our attribution and speak to the level of Chinese coordination and control.

China Telecom and 61398

Page 29:

Lessons Learned

What Did We Learn?
• APTs respond to a command structure
• APTs follow media coverage
• APT “Re-Tool” time is short
• Only adjust disclosed portions

What Does It Mean?
• Public disclosures = difficult detection
• APTs are resilient
• APTs are not going away
• “Public shaming” ≠ intrusion response
• CCP role is critical
• PRC/PLA beliefs are applicable to APTs

Unit 61398 Office Location

PLA Cyberwarfare Documentary

Page 30:

Threat Landscape

[Timeline chart, 2005–2014: Commodity; Cybercrime; China (Emergence of APT Events, APT Target Expansion); SEA Begins; Iran Emerges; Two Factor Subversion; STUXNET; DDOS on Banks]

The Asian region faces an active cybercriminal element, encounters frequent hacktivist events tied to international issues as well as country conflicts, and has various nations possessing cyber capabilities. APT threats are the most significant cyber threat to the region based on the importance of the Pacific to the PRC.

Page 31:

China and Cyber

• Chinese Goals:
  • Protect Chinese Communist Party
  • Build economy, society, and military
  • 2020: Reach critical regional goals
  • 2050: World-class power

• 25 APT Groups supporting PRC:
  • Ensure CCP stability
  • Support economic goals
  • PLA efforts—modernize and prepare
  • Control “Five Poisons”

“From now through the first two decades of the 21st century, we have a very critical time period…economy and military modernization must be done together and supported at all costs” –Jiang Zemin

APT Efforts Against Industries

Industry # of APTs

Aviation 20

Manufacturing 16

NGO 11

Agric/Chemical 10

Defense 9

Biotech/Pharm 5

Software/IT 5

Unit 61398 Office Location

Page 32:

APTs in Action

• Economic Gains:
  • Steal and replace intellectual property
  • Theft of entire industry segments
  • Advanced knowledge of business strategies

• PLA Efforts:
  • Military modernization
  • Battlefield visibility
  • Prepare for three types of future cyberbattle

• Regime Support:
  • Media influence
  • “Five Poison” intrusions
  • Foreign government positions

Multiple APTs over 36+ Months

Targets:
- Senior leaders (Cabinet-level)
- Multiple MFAs and Gov orgs
- US Military
- Asian militaries/Coast Guards
- US companies
- Various Asian companies

Data Theft:
- Vessel locations
- Shipping manifests
- Flight schedules
- Treaty issues
- Government positions
- Negotiation strategies
- Military readiness & postures
- Press interactions/sources

PRC Gains:
- Advanced knowledge of redlines, strategies, negotiations, limits
- Military dispositions
- Vessel and aircraft locations
- Allied involvement

Mandiant Observed APT Use in Territorial Disputes

Page 33:

Implications

• Activity Likely to Worsen:
  • All trends are upward
  • Geopolitical situation is key driver

• Intrusions Matter:
  • Data theft rapidly synthesized
  • Used for actionable gains
  • Intrusion effects are cumulative

Expected APT Actions:
• Valid access and trusted partners
• Maintenance activity
• Specific networks, users, data
• APTs at targets that matter

Page 34:

ATR Summary

Page 35:

Highest number of targeted verticals, by country

2013 FireEye Advanced Threat Report

Page 36:

Why Did FireEye Buy Mandiant?

Page 37:

FireEye+Mandiant Threat Intelligence

Over 4m sensors deployed worldwide (FE+Mandiant)

Nucleus, patented 32 million node graph-based engine, mines data with 200 terabytes of storage, and 500M+ captured network streams

Global sinkholes to detect malware activity

Helix & Satori malware triage system uses proprietary sandboxing, machine learning, and genotyping tech to identify new samples of interest

Team of 25 PhDs, linguists, analysts, and foreign policy experts from NSA, CIA, DIA, and military put intelligence into context

One of the industry’s largest malware clearinghouses

Hundreds of consulting engagements “close to breach”

90+ Managed Defense customers

DTI APT1 Report

[Diagram of host, network and event sources: MIR – Live Response; NTAP – MD; Threat Analytics Platform; MSO – FireEye “HX”; FireEye NX, IPS]

HBI – Host Based Indicators; NBI – Network Based Indicators

Page 38:

Indicator Purposes

Attribution • Who/what is responsible for this activity?

Detection • If this event happens, I want to know about it.

Profiling • What are the targeting parameters for this threat?

Prediction • Given the current state, what can I expect from this threat in the future?

Page 39:

Genesis of the Indicator

[Indicator logic tree: the terms below are joined by nested Or/And operators; the exact nesting is not recoverable from the slide text]

File MD5 checksum is 88195c3b0b349c4edbe2aa725d3cf6ff
File path contains \system32\mtxes.dll
File name is ripsvc32.dll
File PE header compile time is 2008-04-04T18:14:25
Service DLL is ripsvc32.dll
Process has a handle named RipSvc32.dll
File path contains \system32\msasn.dll
File path contains \system32\msxml15.dll
Registry path contains \SYSTEM\CurrentControlSet\Services\Iprip\Parameters\ServiceDll
Registry key text contains ripsvc32.dll
File size is between 500000 and 900000
File name is SPBBCSvc.exe
File name is hinv32.exe
File name is vprosvc.exe
File name is wuser32.exe
Service name is IPRip
Service DLL is not iprip.dll

Operators shown on the slide: Or / And / And / Or / And
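To make the indicator logic concrete, here is an added Python example that is not Mandiant's code and not the real APT1 OpenIOC: it evaluates a small indicator tree built from the slide's terms against constructed host snapshots, and shows why an And over terms of one artefact type must be satisfied by the same object rather than by two different ones. The And/Or nesting, the attribute names (Md5sum, ServiceDLL, PECompileTime and so on) and the host data are all assumptions.

```python
# Added example: an OpenIOC-style indicator evaluator. Not Mandiant's code and
# not the APT1 OpenIOC XML; the AND/OR nesting, attribute names and host
# snapshots below are assumed/constructed.
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Union


@dataclass(frozen=True)
class Term:
    """One leaf: artefact type, attribute, comparison and expected value."""
    item: str    # "FileItem", "ServiceItem", "RegistryItem"
    attr: str    # "Md5sum", "FileName", "ServiceDLL", ...
    op: str      # "is", "is_not", "contains", "between"
    value: object


@dataclass
class Indicator:
    """Boolean node whose children are Terms or nested Indicators."""
    operator: str  # "AND" or "OR"
    children: list[Union["Indicator", Term]] = field(default_factory=list)


OPS: dict[str, Callable[[object, object], bool]] = {
    "is": lambda got, want: str(got).lower() == str(want).lower(),
    "is_not": lambda got, want: str(got).lower() != str(want).lower(),
    "contains": lambda got, want: str(want).lower() in str(got).lower(),
    "between": lambda got, want: want[0] <= int(got) <= want[1],
}


def _holds(term: Term, art: dict) -> bool:
    """One artefact against one term; a missing attribute never matches."""
    return (art.get("item") == term.item and term.attr in art
            and OPS[term.op](art[term.attr], term.value))


def _item_types(node) -> set[str]:
    if isinstance(node, Term):
        return {node.item}
    return set().union(*(_item_types(c) for c in node.children))


def _on_one(node, art: dict) -> bool:
    """Evaluate a whole subtree against a single artefact."""
    if isinstance(node, Term):
        return _holds(node, art)
    combine = any if node.operator == "OR" else all
    return combine(_on_one(c, art) for c in node.children)


def evaluate(node, artefacts: list[dict]) -> bool:
    """True if the indicator matches the host's artefact list."""
    if isinstance(node, Term):
        return any(_holds(node, a) for a in artefacts)
    # An AND over a single artefact type must hold on the *same* object:
    # "Service name is IPRip AND Service DLL is not iprip.dll" describes one
    # service; satisfying the terms on two different services is a false hit.
    if node.operator == "AND" and len(_item_types(node)) == 1:
        return any(_on_one(node, a) for a in artefacts)
    combine = any if node.operator == "OR" else all
    return combine(evaluate(c, artefacts) for c in node.children)


# The slide's terms in an assumed nesting (the real tree is not recoverable).
IPRIP_IOC = Indicator("OR", [
    Term("FileItem", "Md5sum", "is", "88195c3b0b349c4edbe2aa725d3cf6ff"),
    Indicator("AND", [Term("FileItem", "FileName", "is", "ripsvc32.dll"),
                      Term("FileItem", "PECompileTime", "is", "2008-04-04T18:14:25")]),
    Indicator("AND", [Term("ServiceItem", "Name", "is", "IPRip"),
                      Term("ServiceItem", "ServiceDLL", "is_not", "iprip.dll")]),
    Indicator("AND", [Term("RegistryItem", "Path", "contains",
                           r"\SYSTEM\CurrentControlSet\Services\Iprip\Parameters\ServiceDll"),
                      Term("RegistryItem", "Text", "contains", "ripsvc32.dll")]),
    Indicator("AND", [Term("FileItem", "SizeInBytes", "between", (500000, 900000)),
                      Indicator("OR", [Term("FileItem", "FileName", "is", n) for n in
                                       ("SPBBCSvc.exe", "hinv32.exe", "vprosvc.exe", "wuser32.exe")])]),
])

# Constructed host snapshots, not real collection output.
CLEAN_HOST = [
    {"item": "ServiceItem", "Name": "IPRip", "ServiceDLL": "iprip.dll"},
    {"item": "FileItem", "FileName": "iprip.dll", "SizeInBytes": 38912},
]
SUSPECT_HOST = [
    {"item": "ServiceItem", "Name": "IPRip", "ServiceDLL": "ripsvc32.dll"},
    {"item": "RegistryItem", "Text": r"%SystemRoot%\system32\ripsvc32.dll",
     "Path": r"HKLM\SYSTEM\CurrentControlSet\Services\Iprip\Parameters\ServiceDll"},
]
# Two benign services: ANDing the service terms across objects would flag this.
TWO_SERVICES = CLEAN_HOST + [
    {"item": "ServiceItem", "Name": "Spooler", "ServiceDLL": "spoolsv.dll"},
]
```

`evaluate(IPRIP_IOC, SUSPECT_HOST)` returns True while `CLEAN_HOST` and `TWO_SERVICES` return False; the last case is the one a per-term evaluator would get wrong.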

Page 40:

Attacks More Advanced than Current Safeguards

The Gap

• No technical solution

• No legislative solution

• Bad Guys will always exist

Organizations can no longer solely rely on preventive cybersecurity measures ….

Page 41:

New Security Paradigm

• Ability to Operate Through Compromise
• Holistic Visibility (Network & Endpoint)
• Actionable Threat Intelligence
• Shift to Threat Centric Security

Organizations Must Seek to Eliminate the Consequences and Impact of Security Breaches

Threat Intelligence

Network-Based Visibility

Host-Based Visibility

Page 42:

Timing Is Critical for Containment

Contain & Remediate in the Strike Zone
• Thorough understanding of the extent of the compromise
• Know the attacker’s tactics
• Can reliably detect the attackers’ malware and tools

TOO EARLY
• Extent of compromise is unknown
• Attackers will change tools, tactics, and procedures (TTPs)
• Attacker active during remediation event

TOO LATE
• Attackers may change their TTPs or become inactive
• Lack of activity increases difficulty to investigate
• Organization loses sense of urgency

[Chart: Knowledge of Attack vs. Time, marking Too Early, the STRIKE ZONE, Too Late, and Need to Start Cycle Again]

Page 43:

FireEye Product Portfolio

[Diagram: FireEye portfolio built on MVX, Dynamic Threat Intelligence and the Threat Analytics Platform: Network Threat Prevention, Email Threat Prevention, Content Threat Prevention, Endpoint Threat Prevention, Mobile Threat Prevention; shown alongside existing controls SEG, IPS, SWG, MDM and Host Anti-virus]

Page 44:

Security Re-Imagined: Rise of the Virtual Machines

[Timeline: 1990s–2000s, Era of Pattern-Matching Threat Detection (Endpoint AV; Network, Cloud, Endpoint); 2010s–2020s, Era of VM-based Threat Detection (Web, Email, File, Cloud, Mobile, Endpoint)]

Page 45:

What is Threat Analytics Platform (TAP)?

The FireEye Threat Analytics Platform is a cloud-based solution that enables security teams to identify and provide effective response to cyber threats by applying FireEye’s real-time threat intelligence to streams of enterprise-generated security event data.

FireEye Threat Analytics Platform raises the level of visibility subsequent to the detection from FireEye Threat Prevention Platform by providing rich insights into threat actor profiles.

Page 46:

TAP Overview

Page 47:

Key TAP Value Drivers

Applied Threat Intel
• FireEye Threat Intel (Mandiant + FireEye)
• Rules gleaned from the front lines
• Customer Rules & Intel

Gain Context
• The investigative data you need, at your fingertips
• Alerts from any system scored for severity and linked to threat dossiers and TTPs

Quick Time to Value
• Hosted infrastructure = no hardware or support resources needed
• Agent-less approach reduces deployment time and operational complexity

Page 48:

High-Level Architecture

[Architecture diagram. Customer Environment: network devices (FW, DNS, DHCP), security devices (AV, DLP, IdM, AM), operating systems (Microsoft, OSX, *nix) and databases (SCOM, SCEP, Trend) feed a TAP Communications Broker over Syslog and ODBC. The broker forwards over a Secure Connection to the Hosted Solution: the Threat Analytics Platform with Heuristic Rules and Mandiant + FireEye Threat Intel]

Page 49:

HX (MSO) – How Does It Work?

Fits Within Existing Workflow: Bi-directional integration to SIEM and network security solutions.

Accelerate Triage of Suspected Incidents: When security analysts review the alert, host-based evidence is already waiting and arranged in a timeline view to speed triage and improve decisions. Suspect files can be collected for further analysis.

Look-Back Matching: When Mandiant identifies compromised devices the agent returns detailed information about what was happening when the event occurred.

Isolate Compromised Devices: Deny attackers access to systems with a single mouse click while still allowing remote investigation.

[Diagram. Existing security solutions: “Next Gen” Network Security, SIEM & Log Management. Indicator sources: Mandiant; Custom Indicators (users describe files, network traffic or other indicators they want to detect immediately); Network Events (automatically generate indicators for attacks seen by border security devices); Mandiant Intelligence (indicators for the APT and malware missed by antivirus). Agent Anywhere™ reaches all of your endpoints no matter where they are. Output: Triage Package]

Page 50:

END

Page 51:

The Pyramid of Pain