
Advanced Persistent Threats – A Technical Analysis
"Move from Reactive to Proactive"

Lau Boon Peng, CISSP
Sr Channel SE – South Asia Pacific
FireEye, Inc.
The New Threat Landscape

Cyber-espionage and cybercrime
• Number of threats is up 5X
• Advanced attacks are accelerating
• The nature of threats is changing: from broad, common attacks to targeted, high-profile victims (e.g., RSA, Symantec, Google)

[Figure: damage of attacks over time, 2004 to 2012. Viruses, worms and spyware/bots (disruption) give way to stealth bots, dynamic trojans, zero-day targeted attacks and advanced persistent threats (cybercrime).]

"Organizations face an evolving threat scenario that they are ill-prepared to deal with... advanced threats that have bypassed their traditional security protection techniques and reside undetected on their systems."
Gartner, 2012

Copyright (c) 2012, FireEye, Inc. All rights reserved. | CONFIDENTIAL


Defining Next Generation Threats

There is a new breed of attacks that are advanced, zero-day, and targeted:
• Uses zero-day exploits, commercial quality toolkits, and social engineering
• Utilizes advanced techniques and/or malware
• Often targets IP and credentials
• Spreads laterally throughout the network

[Figure: traditional attacks versus advanced targeted attacks. Traditional: known and patchable, open, broad, one-time. Advanced targeted (zero-day): unknown and stealthy, targeted, persistent.]


Attacks Increasingly Sophisticated

Multi-Vector
• Web, email or files

Multi-Stage
• Exploit to exfiltration

[Figure: dynamic web attacks, malicious exploits and spear phishing emails converging on the target.]


The Advanced Attack Lifecycle – Multiple Stages

1. Initial request
2. Infected content
3. Further infection
4. Updated exploits
5. Callback

[Figure: the five stages drawn between the enterprise and the public Internet, where the attacker operates a compromised web server or Web 2.0 site, attack & drop zones, and command and control; after the callback the infection spreads inside the enterprise.]


Typical Enterprise Security Architecture

Firewalls/NGFW, IPS, Secure Web Gateways, Anti-Spam Gateways, Desktop AV

[Figure: an APT passes each of these layers in turn.]


The Enterprise Security Hole

[Figure: NGFW, FW, IPS, SWG and AV ring a "security hole" through which three attack vectors pass untouched: web-based attacks, spear phishing emails, and malicious files.]


Public Spear Phishing Examples


Spear Phishing: The Preferred Intrusion Method

1. Spear phish attack exploits the PC
   • More than 50% use malicious URLs
   • Attachments: PDF, PPT, XLS and DOC
   • Targeted mid- and high-level energy execs
   • Also targeted vendors (investment bankers, oil & gas service companies)

2. Back door opened & lateral spread
   • Exploit code executed: ZIP file on Windows 7, exploit runs when the ZIP is opened
   • Exploit in ZIP linked to initial exploit

3. Callbacks
   • Second-phase related objects and callbacks to the RSA intrusion
   • Data exfiltration commences: sensitive data, passwords

[Figure: the spear phishing email passes the anti-spam gateway, the mail servers in the DMZ and desktop antivirus; the infected PC then calls back to the attacker's callback server.]

Losing the threat arms race
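The slide above names ZIP, PDF, PPT, XLS and DOC attachments as the carriers. One cheap check a mail gateway can run before any sandboxing is to open an attached archive and compare each member's leading bytes with what its extension promises. The following Python is an added example, not FireEye's code or anything shown on the slide; the archive it inspects is constructed inline, the member names are invented, and it assumes the anti-spam gateway can hand the raw attachment bytes to a hook like this.

```python
import io
import zipfile

# First bytes of the attachment types the slide lists, plus Windows executables.
MAGIC = {
    b"MZ": "exe",
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0": "ole2",  # legacy .doc / .xls / .ppt container
    b"PK\x03\x04": "zip",         # also .docx / .xlsx / .pptx
}
# What the content should look like for a given document extension.
EXPECTED = {"pdf": "pdf", "doc": "ole2", "xls": "ole2", "ppt": "ole2",
            "docx": "zip", "xlsx": "zip", "pptx": "zip"}


def sniff(head):
    """Classify a member by its leading bytes, not by its name."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def inspect_zip(zip_bytes, max_members=100):
    """Return [(member name, finding)] for suspicious members of a ZIP attachment.

    Only the first 8 bytes of each member are decompressed, and at most
    max_members members are examined, so a padded or nested archive cannot
    turn this check into a decompression bomb.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist()[:max_members]:
            if info.is_dir():
                continue
            with zf.open(info) as member:
                kind = sniff(member.read(8))
            name = info.filename
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if kind == "exe":
                findings.append((name, "executable inside archive"))
            elif ext in EXPECTED and kind != EXPECTED[ext]:
                findings.append((name, f"extension .{ext} but content is {kind}"))
    return findings


def build_sample_zip():
    """Constructed test attachment (not a real phish): one honest PDF,
    one executable renamed .xls, one text file renamed .doc."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("agenda.pdf", b"%PDF-1.4\n%constructed sample\n")
        zf.writestr("Q1-results.xls", b"MZ\x90\x00" + b"\xcc" * 64)
        zf.writestr("notes.doc", b"just text, not an OLE2 document\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, finding in inspect_zip(build_sample_zip()):
        print(f"{name}: {finding}")
```

The caveat is the slide's own point: a weaponized PDF or DOC has exactly the magic bytes its extension promises and sails through this check, as it does through a signature-based gateway. The check buys you the cheap cases (renamed executables, double extensions) and nothing more; the exploit-bearing document still has to be detonated somewhere.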


VirusTotal is Helpful for Investigations

RSA Spear Phish (H/T @mikko)

Social Networks are a Data Gold Mine


We Are Only Seeing the Tip of the Iceberg

HEADLINE GRABBING ATTACKS
THOUSANDS MORE BELOW THE SURFACE
• APT attacks
• Zero-day attacks
• Polymorphic attacks
• Targeted attacks


The Degree of Compromise is Significant

[Figure: percent of deployments (0% to 100%) against infections per week at normalized bandwidth (log axis, 10 to 100,000), plotted for 1 Gbps and 5 Gbps.]
• 98.5% of deployments see at least 10 incidents/week/Gbps
• Median is about 450 incidents/week/Gbps
• 20% of deployments have thousands of incidents/week/Gbps

450 median net new infections per week at only 1 Gbps!
Source: FireEye Advanced Threat Report, Feb. 2012
Dynamism of Malware: Binary MD5s
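The slide's point is that every new drop of the same malware carries a new MD5, so an exact-hash blocklist is always one build behind. The following Python is an added example, not FireEye's code or the slide's data: the "sample" is a constructed byte blob, the builder is a stand-in that only appends a build tag and padding (a real builder re-packs or re-encrypts the body), and the callback hostname is invented. It contrasts hash matching with matching on something the builder does not change, here the callback host embedded in the payload.

```python
import hashlib
import random

# Constructed stand-in for a malware binary (not a real PE file): a fake header,
# some code bytes, and the embedded callback host the sample phones home to.
CALLBACK_HOST = b"svc-update.blogspot.com"
BASE_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"\xcc" * 200
    + b"callback=" + CALLBACK_HOST + b"\x00"
)


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def build_variant(base, build_id):
    """Stand-in for what a builder or packer does between drops: same payload,
    different bytes. A build tag plus 16 bytes of seed-derived padding is appended."""
    rng = random.Random(build_id)
    padding = bytes(rng.randrange(256) for _ in range(16))
    return base + b"BUILD%04d" % build_id + padding


def hash_blocklist_hits(samples, blocklist):
    """How many samples an exact-MD5 blocklist catches."""
    return sum(md5_hex(s) in blocklist for s in samples)


def indicator_hits(samples, indicator=CALLBACK_HOST):
    """How many samples a content indicator (the callback host string) catches."""
    return sum(indicator in s for s in samples)


def compare(n_variants=5):
    """Return (distinct MD5s, hash-blocklist hits, indicator hits) over n_variants builds.

    The blocklist holds only the hash of the original sample, which is the
    situation a signature vendor is in when the next build ships.
    """
    blocklist = {md5_hex(BASE_SAMPLE)}
    variants = [build_variant(BASE_SAMPLE, i) for i in range(1, n_variants + 1)]
    distinct = len({md5_hex(v) for v in variants})
    return distinct, hash_blocklist_hits(variants, blocklist), indicator_hits(variants)


if __name__ == "__main__":
    distinct, by_hash, by_indicator = compare()
    print(f"{distinct} distinct MD5s; blocklist caught {by_hash}, indicator caught {by_indicator}")
```

Five builds give five distinct hashes, zero blocklist hits and five indicator hits. The indicator is not magic either: a builder that also rotates the callback host defeats it, which is why the later slides move from what the binary looks like to what it does on the wire.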


Industries Most Affected by Advanced Threats


APT Threat Actors & Surprising Collusions


Advanced Persistent Threat (APT) Actors

• APT actors (nation state threats)
• Crimeware actors (cyber crime gangs)
• Hacktivists (Anonymous, LulzSec)


Advanced Threat Actors & Crimeware Actors

• APT actors sell crimeware actors "used" zero-day exploits that became known too widely
• Crimeware actors sell APT actors compromised systems (access to and control over them)


Case Study: Wermud Trojan

• March 2011: Wermud created and used by APT actors
• 15 March 2011: FireEye created callback rules
• April 2011: Wermud passed to crimeware
• June 2011: seen used by FakeAV (crimeware)
Example of Bypassing Traditional Security: Basic Evasion Tactics


Builders Used in Team Attacks (H/T alienvault + threatexpert)

Anti-Virus Evasion is Done through Simplicity


Callbacks Done Through Legitimate Channels

Blogs are Free to Set up
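The two slides above make one point: when the callback goes to a free blog or another legitimate Web 2.0 host, reputation of the destination tells you nothing, so the callback has to be recognised by its behaviour. A timer-driven implant fetches the same page at fixed intervals; a person does not. The following Python is an added example, not FireEye's code or anything on the slides: it parses a constructed proxy log excerpt (invented client, hostnames and paths) and flags client/host pairs whose request spacing is too regular to be human, using the coefficient of variation of the gaps between requests.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log excerpt for one client (not captured traffic). Columns:
# timestamp, client IP, destination host, URL path, bytes sent.
# "svc-update.blogspot.com" plays the attacker's free blog; "www.example-news.com"
# is ordinary browsing to a single site over the same hour.
SAMPLE_LOG = """\
2012-03-05T09:00:00 10.1.1.7 svc-update.blogspot.com /2012/03/status.html 412
2012-03-05T09:00:02 10.1.1.7 www.example-news.com /index.html 1210
2012-03-05T09:10:01 10.1.1.7 svc-update.blogspot.com /2012/03/status.html 415
2012-03-05T09:10:40 10.1.1.7 www.example-news.com /article/1 980
2012-03-05T09:20:00 10.1.1.7 svc-update.blogspot.com /2012/03/status.html 410
2012-03-05T09:29:59 10.1.1.7 svc-update.blogspot.com /2012/03/status.html 418
2012-03-05T09:40:01 10.1.1.7 svc-update.blogspot.com /2012/03/status.html 411
2012-03-05T09:41:10 10.1.1.7 www.example-news.com /article/2 1530
2012-03-05T09:50:00 10.1.1.7 svc-update.blogspot.com /2012/03/status.html 409
2012-03-05T09:55:03 10.1.1.7 www.example-news.com /article/3 1102
2012-03-05T10:00:00 10.1.1.7 svc-update.blogspot.com /2012/03/status.html 414
2012-03-05T10:02:44 10.1.1.7 www.example-news.com /index.html 1210
"""


def parse_log(text):
    """Yield (timestamp, client, host, path, bytes_out) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path, size = line.split()
        yield datetime.fromisoformat(ts), client, host, path, int(size)


def find_beacons(text, min_requests=5, max_cv=0.1):
    """Flag (client, host) pairs whose request spacing is too regular to be a person.

    Regularity is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests: a timer-driven callback gives a CV near 0, a person
    clicking around gives a CV well above 0.1. Pairs with fewer than
    min_requests requests are skipped because a handful of gaps proves nothing.
    """
    times = defaultdict(list)
    for ts, client, host, _path, _size in parse_log(text):
        times[(client, host)].append(ts)

    hits = {}
    for key, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            hits[key] = {"requests": len(stamps), "mean_gap_s": mean, "cv": round(cv, 4)}
    return hits


if __name__ == "__main__":
    for (client, host), stats in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {stats}")
```

On the sample, the blog is flagged (seven requests, 600 s mean gap, CV about 0.002) and the news site is not (CV about 0.65). Implants that add jitter push the CV up, so in practice you widen max_cv, bucket by hour, and combine this with the other signals on the slides (near-constant request size, the same path every time, callbacks at hours when nobody is at the desk). The check needs per-request timestamps; a proxy that only logs aggregate counts cannot feed it.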


The Point?

• Advanced targeted attacks run rampant inside networks, easily infiltrating existing defenses
• Advanced targeted attacks can occur as unique exploits, e.g. the Aurora and RSA attacks
• BUT, if you have a fair amount of common malware infections (crimeware), you may never see the unique targeted APT attacks
• APT actors may simply leverage existing crimeware backdoors
• Therefore, you still have to respond to the low grade attacks, because they can become high grade for a
5 Criteria for Advanced Threat Protection

1. Dynamic, signature-less engine to detect & block zero-day and targeted inbound attacks (as used by APT actors, crimeware actors, and hacktivists)
2. Real-time protection to stop data exfiltration
3. Integrated, cross-protocol Web & Email inbound infection and outbound callback protection
4. Accurate, no tuning, and very low false positive rate
Cyber Security = Proactive


FireEye Malware Protection System

Complete Protection Against Advanced Targeted Attacks
• Integrated solution to combat advanced malware across multiple vectors, like Web, Email and File Shares, to address all stages of the attack lifecycle
• Malware forensics complements real-time protections with deep malware intelligence
• Exploit, callback, and payload analysis
• Systems share real-time malware intelligence locally and globally

[Figure: Web Malware Protection System, Email Malware Protection System and File Malware Protection System sharing intelligence.]


Thank You

Twitter @fireeye
www.fireeye.com

Contact us online for a complimentary security assessment. You'll find out if you are infected and what to do about it.

Sign Up for a Free FireEye Security Assessment
http://www.fireeye.com/stopapts