What's new in FireEye solutions? (Co nowego w rozwiązaniach FireEye?)
Marcin Kacprzak, Damian Hoffman
©2019 FireEye
"He who does not respect and value his past is not worthy of the respect of the present, nor of the right to a future."
Where are we heading?
Józef Piłsudski, "Myśli, mowy i rozkazy", 1916
Let's go back to 2004 …
▪ 2004 – FireEye founded
▪ 2012 – FireEye office in Poland
▪ 2013 – Mandiant ($1B)
▪ 2014 – nPulse ($60M)
▪ 2016 – iSight ($275M)
▪ 2016 – Invotas
▪ 2017 – Email Laundry
▪ 2018 – X15 ($15M)
▪ 2019 – Verodin ($250M)
MALWARE ANALYSIS
INCIDENT RESPONSE
OPEN IoC
ENDPOINT PROTECTION
NETWORK RECORDER
CYBER THREAT INTELLIGENCE
NETWORK PROTECTION
EMAIL PROTECTION
ORCHESTRATION
SPEAR-PHISHING, MALWARE, CEO FRAUD & SPAM
MACHINE & LOG DATA MANAGEMENT
SOC PLATFORM
SECURITY INSTRUMENTATION
MANAGED DEFENSE
Email Security
$12.5B global loss to CEO fraud
91% of attacks begin with email
281B emails sent daily
Evolving Email Attacks
FireEye Labs – Q4 2018 compared to Q4 2017
Malware-Less versus Malware Attacks
MALWARE-LESS – 90% of attacks blocked were malware-less:
▷ Impersonation ▷ CEO fraud ▷ Whaling ▷ Spear phishing ▷ W2 fraud
MALWARE – 10% of attacks blocked contained malware:
▷ Viruses ▷ Ransomware ▷ Worms ▷ Spyware ▷ Trojan horses
Source: FireEye (August 2018). Get One Step Ahead of Email Threats, Email Threat Report for January-June 2018.
Primary Advanced Threat Categories
▪ Attachments
▪ URLs
▪ Impersonation or Imposter
▪ Multi-Stage
[Figure: Multi-Stage Threat Example]
Protection Against Advanced Threats
[Diagram: MVX – attachments; FAUDE – URLs; Smart DNS* – impersonation; the combination – multi-stage]
Stops threats with first-hand knowledge of attacks and attackers
Identifies and blocks
▪ Malware
▪ Phishing URLs
▪ Impersonation techniques
▪ Multi-stage attacks
*FireEye Email Security Cloud Edition with AVAS
40M+ Mailboxes
Email Security in Action – Inbound Protection
1. Receive – message received by the inbound mail server
2. Detect – spam and impersonation scanning*, known malware and malicious URLs
3. Analyze – MVX and Advanced URL Defense for advanced threats; retroactive analysis feeds results back after delivery
4. Alert – admin informed that the message was blocked and why
5. Deliver (✓) – message is clean and delivered to the recipient's inbox
   Block (✘) – malicious messages quarantined for further review
*Server Edition - Executive Impersonation Protection to block C-level display name spoofing
Email Security – Top Features
▪ Attachments – "easy stuff", but:
– Archives: including zip, lzh, rar, 7z, cab, TNEF, ace
▪ Encrypted attachments – here you go!
– Password extraction from the email body
– Password extraction from images (OCR)
– Password candidates provided by the admin
▪ Password-protected documents – MS Office + PDFs – done!
▪ "Connect to C2 and get additional payload" – done!
– Controlled Live Mode via Dirty Line
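The "password extraction from the email body" step above, as an added Python example (not code from the deck or from FireEye). It pulls password candidates out of lure text using English and Polish hint words, tries each against the attachment with the standard library's zipfile, and stops at the first one that opens it. The lure text, the archive and its contents are constructed for the demo; the ZipCrypto writer is included only so the script can build that archive offline, since zipfile reads but does not write traditional PKWARE encryption. The hint-word list and the 3-to-40 character candidate length are assumptions.

```python
import io
import re
import struct
import zipfile
import zlib

# CRC table used by the ZipCrypto key schedule (same polynomial as zlib.crc32).
_CRC_TAB = []
for _c in range(256):
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TAB.append(_c)


def _zipcrypto_encrypt(pwd: bytes, plain: bytes, check_byte: int) -> bytes:
    """Traditional PKWARE stream cipher: 12-byte header, then the payload."""
    k0, k1, k2 = 0x12345678, 0x23456789, 0x34567890

    def update(c: int) -> None:
        nonlocal k0, k1, k2
        k0 = (k0 >> 8) ^ _CRC_TAB[(k0 ^ c) & 0xFF]
        k1 = (k1 + (k0 & 0xFF)) & 0xFFFFFFFF
        k1 = (k1 * 134775813 + 1) & 0xFFFFFFFF
        k2 = (k2 >> 8) ^ _CRC_TAB[(k2 ^ (k1 >> 24)) & 0xFF]

    for b in pwd:
        update(b)
    out = bytearray()
    # 11 filler bytes (fixed here for a deterministic sample) + check byte, then data.
    for p in bytes(11) + bytes([check_byte]) + plain:
        k = k2 | 2
        out.append(p ^ (((k * (k ^ 1)) >> 8) & 0xFF))
        update(p)
    return bytes(out)


def make_encrypted_zip(name: bytes, plain: bytes, pwd: bytes) -> bytes:
    """One stored, ZipCrypto-protected member; just enough structure for zipfile to read."""
    crc = zlib.crc32(plain) & 0xFFFFFFFF
    body = _zipcrypto_encrypt(pwd, plain, crc >> 24)  # check byte = high byte of the CRC
    flags, method = 0x0001, zipfile.ZIP_STORED  # general-purpose flag bit 0: encrypted
    local = struct.pack("<4s2B4HL2L2H", b"PK\x03\x04", 20, 0, flags, method, 0, 0,
                        crc, len(body), len(plain), len(name), 0) + name + body
    central = struct.pack("<4s4B4HL2L5H2L", b"PK\x01\x02", 20, 0, 20, 0, flags, method,
                          0, 0, crc, len(body), len(plain), len(name), 0, 0, 0, 0, 0, 0) + name
    end = struct.pack("<4s4H2LH", b"PK\x05\x06", 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + end


# Hint words seen in lures (assumption: illustrative, not exhaustive); 'hasło' is Polish.
_HINT_RE = re.compile(
    r"\b(?:password|passcode|pass|pwd|has[lł]o)\b\s*(?:is|to|:|=)?\s*[\"'“„]?([^\s\"'”]{3,40})",
    re.IGNORECASE,
)


def password_candidates(body: str) -> list:
    """Distinct candidates in body order; decoy hits are cheap to try and discard."""
    seen, out = set(), []
    for m in _HINT_RE.finditer(body):
        cand = m.group(1).rstrip(".,;:!)")
        if len(cand) >= 3 and cand.lower() not in seen:
            seen.add(cand.lower())
            out.append(cand)
    return out


def unlock_attachment(zip_blob: bytes, member: str, body: str):
    """Try each body-derived candidate; return (password, plaintext) or None."""
    zf = zipfile.ZipFile(io.BytesIO(zip_blob))
    for cand in password_candidates(body):
        try:
            return cand, zf.read(member, pwd=cand.encode("utf-8"))
        except (RuntimeError, zipfile.BadZipFile):
            continue  # bad check byte, or the 1-in-256 check-byte collision caught by the CRC
    return None


# Constructed sample lure: one decoy hit ("pass through") before the real password.
SAMPLE_BODY = """Dear customer,
the invoice is attached as an encrypted archive so it will pass through
your mail filter without trouble. Password: Inv0ice#2019
Hasło: Inv0ice#2019
Best regards, Accounting"""
SAMPLE_PASSWORD = b"Inv0ice#2019"
SAMPLE_ZIP = make_encrypted_zip(b"invoice.pdf",
                                b"%PDF-1.4 constructed sample, not a real invoice\n",
                                SAMPLE_PASSWORD)

if __name__ == "__main__":
    print(password_candidates(SAMPLE_BODY))
    print(unlock_attachment(SAMPLE_ZIP, "invoice.pdf", SAMPLE_BODY))
```

A wrong candidate fails at the 12-byte check header with a RuntimeError; one wrong candidate in 256 passes that byte and is rejected by the CRC instead, which is why both exceptions are caught. OCR-derived and admin-supplied candidates (the other two bullets) would simply be appended to the same list before the loop.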
MVX – Controlled Live Mode
Extends interactions with multi-stage malware to better identify malicious behavior
▪ Attempts to fetch malicious content from C&C servers during MVX analysis.
▪ As an evasion technique, malicious binaries often reach out to the internet simply to check whether they have a connection (e.g. to google.com). If there is no internet connection, the malicious payload is not executed.
[Diagram: 1. File is opened → 2. Macro runs and requests a file over http://, which requests an additional file, and then another → 3. Requested file executes and infects the local system]
Email Security – Top Features
▪ URLs – more challenging, but:
– URLs embedded in emails
– URLs in PDF and archive files, MS Office documents and other file types (ALZip, uuencoded, Jar, HTML)
– Obfuscated and redirected URLs
– Credential-phishing and typosquatting URLs
▪ FAUDE = FireEye Advanced URL Defense
Detection of Spear Phishing Websites (URLs & Content)
Overview
▪ Detects zero-day, low-volume, highly-targeted phishing attacks
▪ Analyzes website content for malicious behavior by scanning the whole phishing site (links, content, etc.)
Benefits
▪ High-fidelity detection
▪ Blocking of multi-stage malware and evolving URL-based threats
▪ Low false positive rate
▪ Simplified alert prioritization and faster attack prevention
Email Security – What's new?
Recent Updates
▪ Phish Screenshot
▪ Retroactive notifications
▪ Retroactive pull*
▪ URL Click Report
▪ Metadata streaming
▪ System Health Check
▪ Evasion mitigation – GI Customisation
▪ Supply Chain Impersonation
Email Alerts – FAUDE Screenshots Badge
Post Email Delivery Weaponized URL Example (1/2)
[Flow: Receive → Detect (spam, impersonation, known malware, malicious URL) → Analyze (MVX and Advanced URL Defense) → Alert → Auto Remediate]
1. 7:55 am – email received by the inbound mail server
2. 7:56 am – email is analyzed as benign
3. 7:56 am – email is clean and delivered to the recipient's inbox (✓ INBOX)
Post Email Delivery Weaponized URL Example (2/2)
1. 8:15 am – URL is weaponized post email delivery; retroactive analysis (MVX and Advanced URL Defense) re-evaluates the message
2. Admin receives an alert of a malicious message after delivery
3. Auto Remediate – email extracted from the inbox (quarantine, move or delete) (✘ INBOX)
URL Click Report
Auto Remediate for Office 365 Actions – soon for Exchange on-premise!
Auto Remediate
Email becomes weaponized post-delivery (retroactively). The policy action quarantines, moves or deletes the malicious message from the inbox.
Move
Moves the malicious email from the inbox to any administrator-defined folder
Quarantine
Removes the malicious email from the inbox and places it in quarantine within Cloud Edition for review
Delete
Permanently deletes the malicious email from the inbox
Metadata Streaming
▪ Prior to the Wicklow EX release, FireEye only notified the customer (SIEM) of malicious alerts, riskware, etc.
▪ EX metadata streaming notifies customers of all emails going through FireEye EX, suspicious or not:
– From
– To
– Subject
– Attachment object
– URLs
– Etc.
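Why streaming metadata for every message matters for the post-delivery weaponized URL and Auto Remediate slides above: an added Python example (not code from the deck or from FireEye) that indexes streamed records by URL and attachment hash on the consumer side, then answers "who received this?" when a verdict flips after delivery and emits the quarantine/move/delete action per mailbox. The record fields and the sample stream are constructed; they are not the EX streaming schema.

```python
import json
from collections import defaultdict


def mail_record(msg_id, sender, recipients, subject, attachments, urls, verdict, ts):
    """One streamed record per message, whatever the verdict (constructed field names)."""
    return {"id": msg_id, "ts": ts, "from": sender, "to": list(recipients), "subject": subject,
            "attachments": [{"name": n, "sha256": h} for n, h in attachments],
            "urls": list(urls), "verdict": verdict}


class MetadataStream:
    """Consumer side (a SIEM, say): indexes every message by URL and attachment hash."""

    def __init__(self):
        self.records = {}
        self.by_url = defaultdict(set)
        self.by_hash = defaultdict(set)

    def ingest(self, line: str) -> None:
        rec = json.loads(line)
        self.records[rec["id"]] = rec
        for u in rec["urls"]:
            self.by_url[u].add(rec["id"])
        for a in rec["attachments"]:
            self.by_hash[a["sha256"]].add(rec["id"])

    def retroactive(self, url=None, sha256=None, action="quarantine") -> list:
        """A verdict flipped after delivery: list the inbox actions needed, one per recipient.
        Messages blocked at delivery time never reached an inbox, so they are skipped."""
        ids = set()
        if url:
            ids |= self.by_url.get(url, set())
        if sha256:
            ids |= self.by_hash.get(sha256, set())
        actions = []
        for mid in sorted(ids):
            rec = self.records[mid]
            if rec["verdict"] != "delivered":
                continue
            for rcpt in rec["to"]:
                actions.append({"action": action, "mailbox": rcpt, "message_id": mid})
        return actions


LURE_URL = "https://docs-share.example/policy"
# Constructed stream: two benign-at-delivery messages carrying the URL, one blocked, one unrelated.
SAMPLE_STREAM = "\n".join(json.dumps(r) for r in [
    mail_record("m1", "hr@partner.example", ["a.kowalski@corp.example"], "Updated policy",
                [], [LURE_URL], "delivered", "07:56"),
    mail_record("m2", "hr@partner.example", ["b.nowak@corp.example", "c.wisniewska@corp.example"],
                "Updated policy", [("policy.docm", "aa" * 32)], [LURE_URL], "delivered", "07:57"),
    mail_record("m3", "billing@random.example", ["d.zielinski@corp.example"], "Invoice",
                [("inv.zip", "bb" * 32)], [LURE_URL], "blocked", "08:02"),
    mail_record("m4", "it@corp.example", ["a.kowalski@corp.example"], "Maintenance window",
                [], [], "delivered", "08:05"),
])


def load_stream(lines: str = SAMPLE_STREAM) -> MetadataStream:
    stream = MetadataStream()
    for line in lines.splitlines():
        stream.ingest(line)
    return stream


def demo() -> list:
    # 08:15: the URL is weaponized and its verdict flips; pull it from every inbox that got it.
    return load_stream().retroactive(url=LURE_URL)


if __name__ == "__main__":
    for act in demo():
        print(act)
```

Without the benign records the consumer would know about m3 only, the one message that never reached anyone; the two delivered copies are exactly the ones that need the retroactive pull.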
Service Health Statistics Trend - Analysis
Service Health Statistics Trend - System
Network Security
Capturing threats in enterprise traffic
What competitors are selling
1. Limited object coverage due to inability to scale
2. Isolated view of uncorrelated objects & flows
3. Heuristics and IOC matching – high FP rates
How is the FireEye platform different?
1. Full visibility and correlation across flows
2. Intelligent multi-vector, multi-stage & multi-flow cross-correlation
3. Codified intelligence identifies intent for precise detection
[Chart: Real world traffic example – objects on the wire. Object counts (0 to 400,000) by type: PDF, EXE & DLL, Office & Zip, Flash, JavaScript, HTML; HTML & JS make up 95% of traffic. FireEye Platform: malicious payloads obfuscated and invisible without multi-flow. Competition: visible malicious objects only; a sandbox cannot scale to examine real-world traffic.]
Multi-Flow (Session based) Analysis
[Diagram: the NX sensor performs static analysis on the wire and hands a copy of the whole session (HTML, JS, Flash, DNS, content such as CSS/JPEG/TXT, binaries such as ZIP/PE/DOC/JAR; in total more than 50 objects) to MVX for dynamic analysis]
Dissecting an advanced attack – cfr.org
1. Check for the right environment
2. Store encoded malware in the browser cache
3. Perform heap spray to load shellcode in memory
4. Load text file, decode to JavaScript and execute
5. Exploit IE8 vulnerability & execute the shellcode
6. Shellcode runs and decodes the malware
7. Final malware exposed and executed
These objects or files, individually, are NOT malicious
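The cfr.org chain above, as an added Python example of session-based scoring (not code from the deck or from FireEye): each object gets a weak per-object signal that never reaches the alert threshold on its own, and the client's session is scored as a whole. Flow records, the stage signals and their weights are constructed for the demo; a real engine also chains objects by referer and host, which is omitted here.

```python
import base64
import hashlib
import math
from collections import defaultdict


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; base64 text sits near 6, random bytes near 8."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(flow: dict):
    """Weak per-object signal as (stage, weight), or None. No single weight reaches the
    alert threshold: each object is unremarkable on its own."""
    ct, body = flow["ctype"], flow["body"]
    if ct == "text/html" and b"<script" in body:
        return ("landing", 0)
    if ct in ("application/javascript", "text/javascript"):
        if b"unescape(" in body and body.count(b"%u0c0c") > 8:
            return ("heap_spray", 2)  # the classic IE-era NOP-sled pattern
        if b"XMLHttpRequest" in body or b"eval(" in body:
            return ("loader", 1)
    if ct.startswith("text/") and entropy(body) > 5.0:
        return ("encoded_blob", 2)    # 'text' that is really an encoded payload
    if body[:2] == b"MZ":
        return ("pe_download", 3)
    return None


def sessions(flows, window=120):
    """Group flows by client; a new session starts once `window` seconds have passed."""
    by_client = defaultdict(list)
    for f in sorted(flows, key=lambda f: f["ts"]):
        by_client[f["client"]].append(f)
    for client, fl in by_client.items():
        cur = [fl[0]]
        for f in fl[1:]:
            if f["ts"] - cur[0]["ts"] <= window:
                cur.append(f)
            else:
                yield client, cur
                cur = [f]
        yield client, cur


def correlate(flows, window=120, threshold=5) -> list:
    """Score the session, not the object; alert when the combined stages cross the threshold."""
    alerts = []
    for client, sess in sessions(flows, window):
        chain = [(f["uri"], *sig) for f in sess for sig in [classify(f)] if sig]
        score = sum(w for _, _, w in chain)
        if score >= threshold:
            alerts.append({"client": client, "score": score,
                           "chain": [(uri, stage) for uri, stage, _ in chain]})
    return alerts


def _pseudo_random(n: int, seed: bytes = b"multi-flow-demo") -> bytes:
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]


ENCODED_PAYLOAD = base64.b64encode(_pseudo_random(480))  # stands in for the cached 'text' file


def flow(ts, client, uri, ctype, body):
    return {"ts": ts, "client": client, "uri": uri, "ctype": ctype, "body": body}


# Constructed flows: a victim session (10.0.0.5), ordinary browsing (10.0.0.9), a plain download.
SAMPLE_FLOWS = [
    flow(0, "10.0.0.5", "/index.html", "text/html",
         b"<html><body><script src='/js/app.js'></script><p>news</p></body></html>"),
    flow(1, "10.0.0.5", "/js/app.js", "application/javascript",
         b"var x = new XMLHttpRequest(); x.open('GET', '/cache/blob.txt'); x.send();"),
    flow(2, "10.0.0.5", "/cache/blob.txt", "text/plain", ENCODED_PAYLOAD),
    flow(3, "10.0.0.5", "/js/stage2.js", "application/javascript",
         b"var s = unescape('" + b"%u0c0c" * 16 + b"'); while (s.length < 0x80000) s += s;"),
    flow(4, "10.0.0.5", "/dl/svc.exe", "application/octet-stream", b"MZ\x90\x00" + bytes(60)),
    flow(10, "10.0.0.9", "/", "text/html", b"<html><script src='/a.js'></script></html>"),
    flow(11, "10.0.0.9", "/a.js", "application/javascript", b"eval(JSON.stringify({}));"),
    flow(12, "10.0.0.9", "/style.css", "text/css", b"body { margin: 0; } a { color: #336699; }"),
    flow(20, "10.0.0.12", "/setup.exe", "application/octet-stream", b"MZ\x90\x00" + bytes(60)),
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_FLOWS):
        print(a)
```

The plain installer download scores 3 and the ordinary page with an eval() scores 1, neither enough; the victim's five objects together score 8, and the alert carries the whole chain as evidence.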
Malware Callback Detection
[Diagram: Exploit → Malware Download → Lateral Spread → Exfiltration; NX detects and blocks the callback, disrupting the malware process]
Overview
▪ A callback is network behavior generated by malware to collect data or to remotely control the threat
Benefits
▪ Superior time-to-detection of botnets, backdoors and other forms of malware that use callbacks
SmartVision
[Diagram: Internet → Firewall → FireEye NX → Core Switch → Distribution Switches, with FireEye Sensors on the internal segments]
Overview
▪ SmartVision is an advanced correlation and analytics engine that detects stealthy, lateral (east/west) attacks within the network
Benefits
▪ Protects from threats moving laterally within the network
▪ Reduces the time to detection
▪ Helps minimize the risk of data theft
▪ Helps reduce the spread of malware throughout the network
Detection (Lateral Movement)
145+ network correlation rules; many rules are applicable at multiple stages of the attack lifecycle
Attack lifecycle: Initial Recon → Initial Compromise → Establish Foothold → Escalate Privileges → Internal Recon → Move Laterally → Maintain Presence → Complete Mission
Example rules:
▪ AT Remote Service Task Schedule
▪ PsExec Activity
▪ Windows WMI Remote Shell Launch
▪ DNS Zone Transfer
▪ Directory listing of users
▪ Remote user/share enumeration
▪ Mimikatz binary transfer
▪ Mimikatz output activity
▪ Windows Credential Editor binary transfer
▪ Malware upload over SMB
▪ EXE File Transfer To Remote Recycler Folder
▪ Unusual file transfer activity from ADMIN$ or C$
▪ Malware download C&C
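A handful of network correlation rules of the kind listed above, as an added Python example (not code from the deck and not FireEye's rule set): each rule carries the attack-lifecycle stage it evidences, and an alert is raised only when one source shows hits from two or more stages inside a time window. Rule logic, the stage mapping and the event records are the example's own approximations.

```python
from collections import defaultdict

# Attack lifecycle stages from the slide, in order.
STAGES = ["Initial Recon", "Initial Compromise", "Establish Foothold", "Escalate Privileges",
          "Internal Recon", "Move Laterally", "Maintain Presence", "Complete Mission"]


def _smb_binary_write(e: dict) -> bool:
    return (e.get("proto") == "smb" and e.get("op") == "write"
            and e.get("share") in ("ADMIN$", "C$")
            and e.get("path", "").lower().endswith((".exe", ".dll")))


# (rule name, lifecycle stage, predicate). Approximations of the slide's rule names.
RULES = [
    ("DNS Zone Transfer", "Internal Recon",
     lambda e: e.get("proto") == "dns" and e.get("qtype") == "AXFR"),
    ("Remote user/share enumeration", "Internal Recon",
     lambda e: e.get("proto") == "dcerpc" and e.get("iface") in ("srvsvc", "samr")),
    ("Mimikatz binary transfer", "Escalate Privileges",
     lambda e: e.get("proto") == "smb" and e.get("op") == "write"
     and "mimikatz" in e.get("path", "").lower()),
    ("PsExec Activity", "Move Laterally",
     lambda e: _smb_binary_write(e) and e["path"].lower().endswith("psexesvc.exe")),
    ("Malware upload over SMB (ADMIN$/C$)", "Move Laterally", _smb_binary_write),
    ("Remote service creation", "Move Laterally",
     lambda e: e.get("proto") == "dcerpc" and e.get("iface") == "svcctl"
     and e.get("op") == "CreateServiceW"),
    ("Windows WMI Remote Shell Launch", "Move Laterally",
     lambda e: e.get("proto") == "dcerpc" and e.get("iface") == "IWbemServices"
     and e.get("method") == "Win32_Process.Create"),
    ("AT Remote Service Task Schedule", "Maintain Presence",
     lambda e: e.get("proto") == "dcerpc" and e.get("iface") in ("atsvc", "ITaskSchedulerService")),
]


def evaluate(events: list) -> list:
    """Every rule hit, tagged with the stage it evidences."""
    hits = []
    for e in events:
        for name, stage, pred in RULES:
            if pred(e):
                hits.append({"ts": e["ts"], "src": e["src"], "dst": e["dst"],
                             "rule": name, "stage": stage})
    return hits


def correlate(events: list, window: int = 900, min_stages: int = 2) -> list:
    """Alert when one source shows hits from `min_stages` distinct lifecycle stages inside
    `window` seconds. A lone hit (an admin pushing a service) stays an observation."""
    alerts = []
    per_src = defaultdict(list)
    for h in evaluate(events):
        per_src[h["src"]].append(h)
    for src, hs in per_src.items():
        hs.sort(key=lambda h: h["ts"])
        for i, first in enumerate(hs):
            group = [h for h in hs[i:] if h["ts"] - first["ts"] <= window]
            stages = sorted({h["stage"] for h in group}, key=STAGES.index)
            if len(stages) >= min_stages:
                alerts.append({"src": src, "stages": stages,
                               "targets": sorted({h["dst"] for h in group}),
                               "rules": [h["rule"] for h in group]})
                break  # one alert per source here; a real engine keeps extending it
    return alerts


def ev(ts, src, dst, proto, **fields):
    return {"ts": ts, "src": src, "dst": dst, "proto": proto, **fields}


# Constructed east/west events: one intruder workstation, one ordinary user, one admin host.
SAMPLE_EVENTS = [
    ev(100, "10.1.1.20", "10.1.1.5", "dcerpc", iface="srvsvc", op="NetShareEnumAll"),
    ev(160, "10.1.1.20", "10.1.1.5", "smb", op="write", share="ADMIN$", path="\\PSEXESVC.exe"),
    ev(165, "10.1.1.20", "10.1.1.5", "dcerpc", iface="svcctl", op="CreateServiceW"),
    ev(400, "10.1.1.20", "10.1.1.7", "smb", op="write", share="C$", path="\\temp\\mimikatz.exe"),
    ev(200, "10.1.1.30", "10.1.1.50", "smb", op="write", share="Public", path="\\q3\\report.docx"),
    ev(210, "10.1.1.30", "10.1.1.53", "dns", qtype="A", qname="intranet.corp.example"),
    ev(300, "10.1.1.40", "10.1.1.60", "dcerpc", iface="svcctl", op="CreateServiceW"),
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

The admin host's single CreateServiceW is the same wire event as the intruder's, which is why a rule alone is a poor alert: only the combination with enumeration and a credential tool upload from the same source tells the two apart.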
Network Security – What's new?
Recent Enhancements
▪ SSL Decryption
▪ TLS Fingerprint
▪ ICAP support
▪ SmartVision Enhancements
▪ WebShell Detection
▪ Unified FAUDE
Visibility into Encrypted Traffic
Overview
▪ As of 2018 Q2, FireEye provides integrated man-in-the-middle SSL/TLS inspection to detect threats hidden in encrypted traffic
Benefits
▪ Visibility into encrypted traffic
▪ Greater detection of malware
▪ URL categorization included
SSL Decryption
▪ Add a slide with the zvelo configuration/exceptions
SSL/TLS Fingerprint Detection Feature
◆ Detects suspicious TLS handshakes initiated by malware by matching the SSL/TLS handshake fingerprint (JA3 blacklist).
◆ A binary on the appliances extracts TLS event metadata
◆ The JA3 hash blacklist, binary and configuration files are managed through security content updates
◆ There are three levels of severity/confidence (high, medium and silent)
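JA3, the fingerprint behind the blacklist described above, as an added Python example (not code from the deck or from FireEye): parse a ClientHello, build the JA3 string from version, cipher suites, extension types, supported groups and point formats with GREASE values removed, hash it and look it up in a blocklist that carries the slide's three severity levels. The ClientHello builder only produces offline test input; the blocklist entries are constructed, not real intelligence.

```python
import hashlib
import struct

# RFC 8701 GREASE values; the JA3 spec excludes them so randomizing clients hash stably.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


def parse_client_hello(record: bytes) -> dict:
    """Minimal parser for one TLS record that carries a ClientHello."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 22:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != 1:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                      # legacy_version, random
    pos += 1 + body[pos]               # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]               # compression methods
    exts, groups, formats = [], [], []
    if pos + 2 <= len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            exts.append(etype)
            if etype == 10:            # supported_groups
                n = struct.unpack("!H", data[:2])[0]
                groups = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
            elif etype == 11:          # ec_point_formats
                formats = list(data[1:1 + data[0]])
    return {"version": version, "ciphers": ciphers, "extensions": exts,
            "groups": groups, "formats": formats}


def ja3(hello: dict) -> tuple:
    """JA3 = md5('version,ciphers,extensions,groups,formats'); decimal, '-'-joined, no GREASE."""
    def clean(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    s = ",".join([str(hello["version"]), clean(hello["ciphers"]), clean(hello["extensions"]),
                  clean(hello["groups"]), "-".join(str(f) for f in hello["formats"])])
    return s, hashlib.md5(s.encode()).hexdigest()


def build_client_hello(version, ciphers, extensions, groups=(), formats=()) -> bytes:
    """Test-input builder. Only extension *types* matter to JA3, so other extensions carry no data."""
    blobs = []
    for et in extensions:
        if et == 10:
            data = struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups)
        elif et == 11:
            data = bytes([len(formats)]) + bytes(formats)
        else:
            data = b""
        blobs.append(struct.pack("!HH", et, len(data)) + data)
    ext = b"".join(blobs)
    body = (struct.pack("!H", version) + bytes(32) + b"\x00"
            + struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, 0x0301, len(hs)) + hs


# Constructed blocklist, keyed by hash as content updates would ship it; the JA3 strings are
# kept alongside only so the reader can see what each hash stands for. Not real intel.
BLOCKLIST_STRINGS = {
    "771,4866-4867-4865-49196-49200,0-11-10-13,29-23-24,0": ("demo-backdoor-A", "high"),
    "769,47-53-5-10,0-10-11,23-24,0": ("demo-downloader-B", "medium"),
    "771,4865-4866-4867,0-23-65281-10-11-35-16-5-13,29-23-24,0": ("demo-stager-C", "silent"),
}
BLOCKLIST = {hashlib.md5(s.encode()).hexdigest(): meta for s, meta in BLOCKLIST_STRINGS.items()}


def match(record: bytes) -> dict:
    """Fingerprint a ClientHello and look it up. 'silent' entries are recorded, not alerted."""
    s, h = ja3(parse_client_hello(record))
    name, severity = BLOCKLIST.get(h, (None, None))
    return {"ja3": s, "md5": h, "name": name, "severity": severity,
            "alert": severity in ("high", "medium")}


# Constructed hellos: the first carries GREASE values that must not change the fingerprint.
SAMPLE_MALWARE = build_client_hello(0x0303, [0x0A0A, 4866, 4867, 4865, 49196, 49200],
                                    [0x1A1A, 0, 11, 10, 13], groups=[0x2A2A, 29, 23, 24], formats=[0])
SAMPLE_BROWSER = build_client_hello(0x0303, [4865, 4866, 4867, 49195, 49199],
                                    [0, 23, 65281, 10, 11, 35, 16, 5, 13, 51, 45, 43],
                                    groups=[29, 23, 24], formats=[0])

if __name__ == "__main__":
    print(match(SAMPLE_MALWARE))
    print(match(SAMPLE_BROWSER))
```

JA3 keys on the client's advertised order of ciphers and extensions, so clients that randomize extension order (recent browsers do) need a sorted variant of the string; a silent-tier hit is recorded for hunting but produces no alert.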
ICAP Support
◆ Supports ICAP server capability on NX
▶ NX can act as an ICAP server, supporting both secure and plain-text ICAP communication
◆ Supports attack detection on NX for the HTTP payload encapsulated over the ICAP protocol
◆ NX behaves only in monitor mode for ICAP traffic – no blocking functionality right now
◆ ReqMod/RespMod
◆ Use MVX in conjunction with existing security measures, i.e. a proxy
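What "NX as an ICAP server in monitor mode" means on the wire, as an added Python example (not code from the deck or from FireEye): the proxy wraps an HTTP response it fetched in an ICAP RESPMOD request (RFC 3507), the server parses the Encapsulated offsets, recovers the HTTP body for analysis and, because it only monitors, answers 204 so the proxy delivers the original unchanged. Host names, the sample download and the X-Analysis-Verdict header are constructed for the demo.

```python
def build_respmod(icap_host: str, req_hdr: bytes, res_hdr: bytes, body: bytes) -> bytes:
    """Proxy side: wrap the fetched HTTP response in an ICAP RESPMOD request.
    Offsets in Encapsulated count from the start of the encapsulated section."""
    chunked = (f"{len(body):x}\r\n".encode() + body + b"\r\n0\r\n\r\n") if body else b"0\r\n\r\n"
    enc = f"req-hdr=0, res-hdr={len(req_hdr)}, res-body={len(req_hdr) + len(res_hdr)}"
    head = (f"RESPMOD icap://{icap_host}/respmod ICAP/1.0\r\n"
            f"Host: {icap_host}\r\n"
            "Allow: 204\r\n"                 # lets the server answer 'unchanged' without echoing
            f"Encapsulated: {enc}\r\n\r\n").encode()
    return head + req_hdr + res_hdr + chunked


def dechunk(data: bytes) -> bytes:
    """Decode HTTP/ICAP chunked transfer encoding."""
    out, pos = b"", 0
    while True:
        nl = data.index(b"\r\n", pos)
        size = int(data[pos:nl].split(b";")[0], 16)   # ignore chunk extensions
        if size == 0:
            return out
        out += data[nl + 2:nl + 2 + size]
        pos = nl + 2 + size + 2


def parse_icap(message: bytes) -> dict:
    """Server side: split ICAP headers from the encapsulated HTTP parts."""
    head, _, encapsulated = message.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(b":")
        headers[k.strip().lower().decode()] = v.strip().decode()
    offsets = []
    for part in headers["encapsulated"].split(","):
        name, _, off = part.strip().partition("=")
        offsets.append((name, int(off)))
    sections = {}
    for i, (name, off) in enumerate(offsets):
        end = offsets[i + 1][1] if i + 1 < len(offsets) else len(encapsulated)
        sections[name] = encapsulated[off:end]
    body = sections.get("res-body") or sections.get("req-body") or b""
    return {"method": method.decode(), "uri": uri.decode(), "headers": headers,
            "encapsulated": encapsulated, "req_hdr": sections.get("req-hdr", b""),
            "res_hdr": sections.get("res-hdr", b""), "body": dechunk(body) if body else b""}


def classify_body(body: bytes) -> str:
    """Stand-in for handing the object to MVX: here just 'is it a PE?'."""
    return "pe-executable" if body[:2] == b"MZ" else "clean"


def handle(message: bytes):
    """Monitor-only server: record the verdict, never alter what the proxy delivers."""
    req = parse_icap(message)
    verdict = classify_body(req["body"])
    # X-Analysis-Verdict is this example's own extension header, not a product header.
    if "204" in req["headers"].get("allow", ""):
        resp = (f"ICAP/1.0 204 No Modifications Needed\r\nX-Analysis-Verdict: {verdict}\r\n"
                "Encapsulated: null-body=0\r\n\r\n").encode()
    else:
        # The client cannot take 204: echo the original message back unchanged in a 200.
        resp = (f"ICAP/1.0 200 OK\r\nX-Analysis-Verdict: {verdict}\r\n"
                f"Encapsulated: {req['headers']['encapsulated']}\r\n\r\n").encode() + req["encapsulated"]
    return verdict, resp


# Constructed exchange: a proxy fetched 'update.exe' and asks the sensor to look at it.
SAMPLE_REQ_HDR = b"GET /downloads/update.exe HTTP/1.1\r\nHost: files.example\r\n\r\n"
SAMPLE_RES_HDR = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
SAMPLE_BODY = b"MZ\x90\x00" + bytes(60) + b"constructed, not a real PE"
SAMPLE_RESPMOD = build_respmod("nx.example", SAMPLE_REQ_HDR, SAMPLE_RES_HDR, SAMPLE_BODY)

if __name__ == "__main__":
    print(SAMPLE_RESPMOD.decode("latin-1"))
    print(handle(SAMPLE_RESPMOD)[1].decode())
```

Blocking would mean answering 200 with a modified encapsulated response (an error page) instead of 204; that is the part the slide says is not available yet. The HTTP response line inside the wrapper is parsed by the sensor exactly as if it had been seen on the wire, which is what lets an existing proxy feed objects to MVX.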
Webshell?
A web shell is a script that can be uploaded to a web server to enable remote administration of the web server machine. Infected web servers can be either Internet-facing or internal to the network, where the web shell is used to pivot further to internal hosts. A web shell may provide a set of functions to execute or a command-line interface on the infected system. In addition to a server-side script, a web shell may have a client interface program that is used to talk to the web server (see, for example, the China Chopper web shell client).
A web shell can be written in any language that the target web server supports. The most commonly observed web shells are written in widely supported languages such as PHP, JSP (often packaged as a WAR) and ASP.
WebShell Detection Flow
• Newly deployed web shells
• Already deployed web shells
• NX extracts server-side files (PHP, WAR, JSP, ASP, ASPX, etc.)
• Extracted files are subjected to static and dynamic analysis
• MVX leverages two profiles for dynamic analysis
• Win7x64 → ASP, ASPX
• CentOS 7.2 → PHP, JSP, WAR
• For server attacks GI leverages both client and server in the same profile
• Both client and server activity is reported
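The static half of the detection flow above, as an added Python example (not code from the deck or from FireEye): score extracted server-side files on classic web shell traits, namely request data flowing into a code-execution sink on one line (the China Chopper shape), decoder-wrapped code, long encoded blobs and error suppression on a sink. Sink/source patterns, weights, the threshold and the sample files are the example's own.

```python
import re

# Code-execution sinks per server-side language (assumption: a classic subset, not exhaustive).
SINKS = {
    "php": r"\beval\s*\(|\b(?:system|passthru|shell_exec|exec|popen|proc_open|assert)\s*\(",
    "asp": r"\beval\b|\bexecute(?:global)?\b|WScript\.Shell",
    "jsp": r"Runtime\.getRuntime\(\)\.exec\s*\(|new\s+ProcessBuilder\s*\(",
}
# Where request data enters.
SOURCES = {
    "php": r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\s*\[",
    "asp": r"\bRequest(?:\.(?:Form|QueryString|Item))?\s*[\(\[]",
    "jsp": r"request\.getParameter\s*\(",
}
DECODERS = r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(|Base64\.getDecoder"
EXT_TO_LANG = {"php": "php", "phtml": "php", "asp": "asp", "aspx": "asp", "jsp": "jsp", "jspx": "jsp"}


def score_file(name: str, text: str) -> dict:
    """Static triage of one extracted server-side file. Weights are the example's own."""
    lang = EXT_TO_LANG.get(name.rsplit(".", 1)[-1].lower())
    result = {"file": name, "lang": lang, "score": 0, "reasons": [], "webshell": False}
    if lang is None:
        return result
    sink_re = re.compile(SINKS[lang], re.IGNORECASE)
    src_re = re.compile(SOURCES[lang], re.IGNORECASE)

    def add(points, why):
        result["score"] += points
        result["reasons"].append(why)

    if sink_re.search(text):
        add(1, "code-execution sink present")
    if src_re.search(text):
        add(1, "request parameter read")
    if any(sink_re.search(l) and src_re.search(l) for l in text.splitlines()):
        add(5, "request data reaches a sink on the same line")  # China Chopper shape
    if re.search(DECODERS, text, re.IGNORECASE) and sink_re.search(text):
        add(3, "decoder wrapped around executed code")
    if re.search(r"[A-Za-z0-9+/]{100,}={0,2}", text):
        add(2, "long base64-looking blob")
    if re.search(r"@\s*(?:eval|assert|system)\s*\(", text):
        add(1, "error suppression on a sink")
    result["webshell"] = result["score"] >= 5
    return result


def triage(files: dict) -> list:
    """Score every extracted file; return the verdicts sorted by score, highest first."""
    return sorted((score_file(n, t) for n, t in files.items()), key=lambda r: -r["score"])


# Constructed samples: three shells and two ordinary pages.
SAMPLE_FILES = {
    "img/c.php": "<?php @eval($_POST['cmd']); ?>",
    "inc/l.php": "<?php eval(gzinflate(base64_decode('" + "QUJD" * 30 + "'))); ?>",
    "cmd.jsp": '<% String c = request.getParameter("cmd"); Process p = Runtime.getRuntime().exec(c); %>',
    "page.php": "<?php $id = (int)$_GET['id'];\necho htmlspecialchars(get_post($id)); ?>",
    "hello.jsp": '<% out.println(request.getParameter("name")); %>',
}

if __name__ == "__main__":
    for r in triage(SAMPLE_FILES):
        print(r["file"], r["score"], r["webshell"], r["reasons"])
```

Reading a request parameter or calling a sink alone scores one point each, so ordinary pages stay below the threshold; the dynamic profiles on the slide (Win7x64 for ASP/ASPX, CentOS 7.2 for PHP/JSP/WAR) are what then confirm a high scorer by executing it with a client request.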
Endpoint Security
FireEye Endpoint Protection (HX) = EPP + EDR
PREVENTION (EPP): build a higher wall
EDR: look for those who got around, over, or under the wall
RESPONSE: identify and respond quickly when prevention fails. Know what happened.
Endpoint Detection and Response Tools, Jan. 2017:
"FireEye's product strength reflects its roots in forensic investigations undertaken by its predecessor company, Mandiant."
"FireEye is one of the top-three EDR market competitors"
Gartner Symposium/ITxpo 2015:
"CIOs need to rethink their security and risk investments by recommending enterprises move their investments from 90 percent prevention and 10 percent detection and response, to a 60/40 split instead."
How We Do It
Protect Against Threats
▪ Malware Protection
▪ MalwareGuard
▪ ExploitGuard
▪ Platform Interaction
Detect the Breaches
▪ Event Recording
▪ Indicators of Compromise (IoC)
▪ Enterprise Search
▪ Investigative Data Acquisition
Respond to Incidents
• Containment
• On/off network
• Respond at scale
FireEye Endpoint Security in Action
[Diagram: attack lifecycle (Initial Reconnaissance → Initial Compromise → Establish Foothold → Escalate Privileges → Internal Reconnaissance → Maintain Presence → Move Laterally → Complete Mission) annotated with the engine active at each stage: MP = Malware Protection, MG = MalwareGuard, EG = ExploitGuard, RT = Real Time IoC. Outcomes: automatic block & quarantine, advanced detection, containment]
Alert Triage
Last changes on FireEye HX
OS Coverage Expansion
Windows Desktop: Windows XP SP2, SP3; Windows Vista SP1, SP2; Windows 7; Windows 8; Windows 8.1; Windows 10 1607, 1703, LTSB, 1803, 1809, 19H2
Windows Server: Windows Server 2003 SP2, R2 SP2; Windows Server 2008 R2, R2 SP1 (64-bit); Windows Server 2012; Windows Server 2016 (64-bit); Windows Server 2019 1809
Linux (64-bit): RHEL 6.8, 6.9, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7; CentOS 6.9, 6.10, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6; SUSE Linux Enterprise 11.4, 12.2, 12.3, 15; Ubuntu 14.04, 16.04, 18.04, 19.04; Amazon Linux AMI 2018.3; Oracle Linux 6.10, 7.6
MacOS (64-bit): Mavericks 10.9; Yosemite 10.10; El Capitan 10.11; Sierra 10.12; High Sierra 10.13; Mojave 10.14; Catalina 10.15
Linux agent: support added for the following audits
▪ Kernel Modules
▪ Login History & Tasks
▪ Agent Events (IoC based)
– Process Events
– Network Events
▪ Triage and auto-triage available
These four modules were included in the standard and comprehensive investigative details scripts.
Even more options will come in HX 4.9 ☺
New Endpoint Architecture!
Introduction to Modules (Tech Preview)
▪ Future of agent innovation
▪ Scales for in-field, on-demand features.
▪ FireEye Market -> Endpoint Modules
▪ Primary driver: Consultant driven features for current engagements
▪ Customer benefit: Field tested features proven to find threat actors
Modules in Action
Select a module to load into FireEye Endpoint Security
Modules work across all deployment environments
Enable by policy per host set or across your console
Enricher Module Overview/Workflow
▪ MVX Check - If the file is not whitelisted by the context API and MVX is enabled, the enricher checks whether MVX has ever seen the file.
▪ File Acquire - If MVX has never seen the file, a file acquisition is queued in HX and, when it completes, the enricher submits the file to MVX.
▪ MVX Report - After MVX completes its analysis, the alert/process tracker event is updated with the results.
▪ HX Update - If MVX finds the file to be malicious, a generic alert is raised (process tracker), or the existing alert is updated with decorators to provide the enrichment status.
[Workflow: MVX check → file acquire by HX → AX API file check → HX alert (new, or existing alert updated)]
Process Tracker
Process Tracker recognizes unique file executions on a host and reports those executions to HX.
▪ If enrichment is enabled, all process tracker events are enriched using the standard enricher workflow.
▪ If enrichment is not enabled, process tracker still stores messages on the bus and in its database.
▪ If alerting is enabled, any events deemed malicious by the enricher raise a generic alert of type "PRO".
[Flows: unique process → check (enricher) → alert (PRO); unique process → DB save → alert (PRO)]
Process Guard
▪ The Process Guard module for FireEye Endpoint Security prevents attackers from obtaining access to credential data or key material stored within the Windows operating system.
▪ Whitelist for "unusual" software (file and process path).
Tamper Protection Improvements
▪ Added a new setting in the agent configuration:
– True: deny local administrators the ability to stop/restart the agent
– False: allow local administrators to stop/restart the agent
▪ The user can change the configuration from Admin -> Policies -> Tamper Protection
Generic Alert
▪ The IA architecture gives modules the ability to create their own alerts.
▪ Based on a pre-defined template, a module can create as many types of alerts as it wants.
▪ The generic alerts are displayed along with the existing alerts and can be triaged in the same way.
▪ A few additional parameters were introduced for generic alerts, such as alert badge, label, file path and source.
▪ All existing alert settings, such as aging and rate limiting, work with generic alerts.
Triage Trigger Module
▪ This module's core capability is to trigger automatic triage for legacy and generic alerts, subject to a rate limit.
▪ Alert-specific triage can be enabled or disabled.
▪ Using this module the triage rate limiting can be modified.
▪ The automatic triage enable/disable setting and the Registry Audit and URL Event Collection before/after timestamps have moved from the acquisition settings into the triage trigger module UI.
Malware Guard Protection Separation
Malware Protection can work in three different modes:
▪ Signature and Heuristic + Malware Guard
▪ Signature and Heuristic only
▪ Malware Guard only
FireEye Malware Analysis
Sample Analysis
FireEye Detection Trial
FireEye Detection Trial (SaaS)
▪ FireEye Detection On Demand is a threat detection service delivered as an API for integration into the SOC workflow, SIEM analytics, data repositories, or web applications.
▪ Monthly file and hash submission.
▪ File submission rate is limited to 100/minute.
▪ Hash submission rate is limited to 200/minute.
FireEye New Developer Hub!
▪ https://fireeye.dev/
FIREEYE DEVELOPMENT DIRECTIONS 2019-2021, I.E. THE POLISH ENGINEERING TEAM'S PREDICTIONS ☺
COMPREHENSIVE SECURITY SOLUTIONS
1. EXPANSION OF THE PRODUCT PORTFOLIO
2. A PLATFORM FOR THE SOC
3. CLOUD
4. SERVICES, SaaS, MSSP
Thank you
Damian Hoffman, Senior System Engineer, Eastern Europe, FireEye
Marcin Kacprzak, Senior System Engineer, Eastern Europe, FireEye
BREAKING NEWS: THANK YOU FOR TAKING PART IN CYBERSECURITY FORUM 2019
See you next year!
MORE: fireeye.com