What's new in FireEye solutions?

Marcin Kacprzak, Damian Hoffman

©2019 FireEye

Where are we heading?

"Whoever does not respect and value their past is not worthy of respect in the present, nor of the right to a future."

Józef Piłsudski, „Myśli, mowy i rozkazy” (Thoughts, Speeches and Orders), 1916

Let's go back to 2004…

▪ 2004 – FireEye founded
▪ 2012 – FireEye office in Poland
▪ 2013 – Mandiant ($1 bn)
▪ 2014 – nPulse ($60 M)
▪ 2016 – iSight ($275 M)
▪ 2016 – Invotas
▪ 2017 – Email Laundry
▪ 2018 – X15 ($15 M)
▪ 2019 – Verodin ($250 M)

(Timeline figure – capabilities added over the years: MALWARE ANALYSIS, INCIDENT RESPONSE, OPEN IoC, ENDPOINT PROTECTION, NETWORK RECORDER, CYBER THREAT INTELLIGENCE, NETWORK PROTECTION, EMAIL PROTECTION, ORCHESTRATION, SPEAR-PHISHING, MALWARE, CEO FRAUD & SPAM, MACHINE & LOG DATA MANAGEMENT, SOC PLATFORM, SECURITY INSTRUMENTATION, MANAGED DEFENSE)

Email Security

$12.5B – global loss to CEO fraud

91% of attacks begin with email

281B emails sent daily

Evolving Email Attacks

(Chart: FireEye Labs – Q4 2018 compared to Q4 2017)

Malware-Less versus Malware Attacks

MALWARE-LESS – 90% of attacks blocked were malware-less: ▷ Impersonation ▷ CEO fraud ▷ Whaling ▷ Spear phishing ▷ W2 fraud

MALWARE – 10% of attacks blocked contained malware: ▷ Viruses ▷ Ransomware ▷ Worms ▷ Spyware ▷ Trojan horses

Source: FireEye (August 2018). Get One Step Ahead of Email Threats, Email Threat Report for January-June 2018.

Primary Advanced Threat Categories

▪ Attachments
▪ URLs
▪ Impersonation or Imposter
▪ Multi-Stage

(Figure: Multi-Stage Threat Example)

Protection Against Advanced Threats

Stops threats with first-hand knowledge of attacks and attackers. Identifies and blocks:
▪ Malware
▪ Phishing URLs
▪ Impersonation techniques
▪ Multi-stage attacks

(Figure – threat category and the component covering it: ATTACHMENTS – MVX; URLs – FAUDE; IMPERSONATION – SMART DNS*; MULTI-STAGE – COMBINATION)

*FireEye Email Security Cloud Edition with AVAS

40M+ Mailboxes

Email Security in Action – Inbound Protection

▪ Receive – message received by inbound mail server
▪ Detect – spam and impersonation scanning*, known malware and malicious URLs
▪ Analyze – MVX and Advanced URL Defense for advanced threats; retroactive analysis
▪ Alert – admin informed that the message was blocked and why
▪ Deliver – message is clean and delivered to the recipient's inbox
▪ Block – malicious messages quarantined for further review

*Server Edition – Executive Impersonation Protection to block C-level display name spoofing

Email Security – Top Features

▪ Attachments – "Easy stuff", but:
– Archives: including zip, lzh, rar, 7z, cab, TNEF, ace
▪ Encrypted attachments – here you go!
– Password extraction from email body
– Password extraction from images (OCR)
– Password candidates provided by admin
▪ Password-protected documents – MS Office + PDFs – Done!
▪ "connect to C2 and get additional Payload" – Done!
– Controlled Live Mode via Dirty Line

MVX – Controlled Live Mode

Extends interactions with multi-stage malware to better identify malicious behavior.

▪ Attempts to fetch malicious content from CNC servers during MVX analysis.
▪ As an evasion technique, malicious binaries will often reach out to the internet simply to see if they have an internet connection (e.g. google.com). If there is no internet connection the malicious payload will not be executed.

(Figure – multi-stage example: 1. File is opened; 2. Macro runs & requests file… requests additional file and then another additional file; 3. Requested file executes and infects local system)

Email Security – Top Features

▪ URLs – more challenging, but:
– URLs embedded in emails
– URLs in PDF and archive files, MS Office documents and other file types (AIZip, uuencoded, Jar, HTML)
– Obfuscated and redirected URLs
– Credential-phishing and typosquatting URLs
▪ FAUDE = FireEye Advanced URL Defense

Detection of Spear Phishing Websites (URLs & Content)

Overview
▪ Detects zero-day, low-volume, highly-targeted phishing attacks
▪ Analyzes website content for malicious behavior by scanning the whole phishing site (links, content, etc.)

Benefits
▪ High-fidelity detection
▪ Blocking of multi-stage malware and evolving URL-based threats
▪ Low false positive rate
▪ Simplified alert prioritization and faster attack prevention

Email Security – What's new?

Recent Updates

▪ Phish Screenshot
▪ Retroactive notifications
▪ Retroactive pull*
▪ URL Click Report
▪ Metadata streaming
▪ System Health Check
▪ Evasion mitigation – GI Customisation
▪ Supply Chain Impersonation

Email Alerts – FAUDE Screenshots Badge

Post Email Delivery Weaponized URL Example

RECEIVE → DETECT → ANALYZE → ALERT → AUTO REMEDIATE

▪ 7:55 am – email received by inbound mail server
▪ Detect – spam, impersonation, known malware, malicious URL
▪ 7:56 am – email is analyzed by MVX and Advanced URL Defense as benign
▪ 7:56 am – email is clean and delivered to the recipient's inbox
▪ 8:15 am – URL is weaponized post email delivery
▪ Retroactive analysis – admin receives an alert of a malicious message after delivery
▪ Auto remediate – email extracted from the inbox (quarantine, move or delete)

URL Click Report

Auto Remediate for Office 365 Actions – soon for Exchange on Premise!

Auto Remediate – email becomes weaponized post-delivery (retroactively). The policy action quarantines, moves or deletes the malicious message from the inbox.

▪ Move – moves the malicious email from the inbox to any administrator-defined folder
▪ Quarantine – removes the malicious email from the inbox and places it in quarantine within Cloud Edition for review
▪ Delete – permanently deletes the malicious email from the inbox
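The post-delivery timeline above and the three policy actions on this slide, as an added example that is not FireEye code: a small simulation in which a URL's verdict flips after the message has already been delivered, and a retroactive scan then applies quarantine, move or delete and produces the admin alert. The class names, the sample URL and the timestamps are constructed assumptions for illustration.

```python
# Added example (not FireEye code): simulates retroactive URL analysis and the
# Auto Remediate policy actions described on the slide. Every class, function
# and sample value here is a constructed assumption for illustration.
from dataclasses import dataclass, field
from datetime import datetime
from enum import Enum
from typing import Dict, List, Optional


class Action(Enum):
    """Policy actions the page lists for Auto Remediate."""
    QUARANTINE = "quarantine"
    MOVE = "move"
    DELETE = "delete"


@dataclass
class Message:
    msg_id: str
    urls: List[str]
    folder: Optional[str] = "Inbox"        # None once permanently deleted
    delivered_at: Optional[datetime] = None


@dataclass
class Mailbox:
    folders: Dict[str, List[Message]] = field(default_factory=lambda: {"Inbox": []})


class UrlVerdicts:
    """Stand-in for the URL analysis feed. A verdict can flip after delivery,
    which is exactly what retroactive analysis has to catch."""

    def __init__(self):
        self._weaponized: Dict[str, datetime] = {}

    def weaponize(self, url: str, when: datetime) -> None:
        self._weaponized[url] = when

    def is_malicious(self, url: str, at: datetime) -> bool:
        when = self._weaponized.get(url)
        return when is not None and when <= at


def deliver(mailbox: Mailbox, msg: Message, verdicts: UrlVerdicts, now: datetime) -> str:
    """Inbound check at delivery time: block if any URL is already known bad."""
    if any(verdicts.is_malicious(u, now) for u in msg.urls):
        return "blocked"
    msg.delivered_at = now
    mailbox.folders["Inbox"].append(msg)
    return "delivered"


def retroactive_scan(mailbox: Mailbox, verdicts: UrlVerdicts, now: datetime,
                     action: Action, move_to: str = "Suspicious") -> list:
    """Re-evaluates delivered mail against current verdicts and applies the
    policy action to anything that has since turned malicious. Returns the
    admin alert records as (msg_id, url, action) tuples."""
    alerts = []
    for msg in list(mailbox.folders["Inbox"]):
        bad = [u for u in msg.urls if verdicts.is_malicious(u, now)]
        if not bad:
            continue
        mailbox.folders["Inbox"].remove(msg)
        if action is Action.QUARANTINE:
            mailbox.folders.setdefault("Quarantine", []).append(msg)
            msg.folder = "Quarantine"
        elif action is Action.MOVE:
            mailbox.folders.setdefault(move_to, []).append(msg)
            msg.folder = move_to
        else:                                   # DELETE: gone from every folder
            msg.folder = None
        alerts.append((msg.msg_id, bad[0], action.value))
    return alerts


def run_scenario(action: Action = Action.QUARANTINE):
    """Replays the slide's timeline: received 7:55, judged benign and delivered
    7:56, URL weaponized 8:15, retroactive scan afterwards."""
    verdicts, mailbox = UrlVerdicts(), Mailbox()
    url = "http://invoice.example.com/login"           # constructed sample URL
    msg = Message("msg-001", [url])
    day = datetime(2019, 1, 1)
    status = deliver(mailbox, msg, verdicts, day.replace(hour=7, minute=55))
    early = retroactive_scan(mailbox, verdicts, day.replace(hour=7, minute=56), action)
    verdicts.weaponize(url, day.replace(hour=8, minute=15))
    late = retroactive_scan(mailbox, verdicts, day.replace(hour=8, minute=20), action)
    return status, early, late, msg.folder, len(mailbox.folders["Inbox"])


if __name__ == "__main__":
    print(run_scenario())
```

The point of the simulation is the second scan: the first scan at 7:56 finds nothing because the verdict feed has nothing yet, and only the scan after 8:15 moves the message out of the inbox and raises the alert, which is the behaviour the slide describes as retroactive.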

Metadata Streaming

▪ Prior to the Wicklow EX release, FireEye only notified the customer (SIEM) of malicious alerts, riskware, etc.
▪ EX metadata streaming notifies customers of all the emails going through FireEye EX, irrespective of whether they are suspicious or not:
– From
– To
– Subject
– Attachment object
– URLs
– Etc.

Service Health Statistics Trend – Analysis

Service Health Statistics Trend – System

Network Security

Capturing threats in enterprise traffic

What competitors are selling:
1. Limited object coverage due to inability to scale
2. Isolated view at uncorrelated objects & flows
3. Heuristics and IOC matching – high FP rates

How is the FireEye platform different?
1. Full visibility and correlation across flows
2. Intelligent multi-vector, multi-stage & multi-flow cross correlation
3. Codified intelligence identifies intent for precise detection

(Chart – real world traffic example, objects on the wire by type: PDF, EXE & DLL, Office & Zip, Flash, Javascript, HTML. HTML & JS make up 95% of traffic; the competition sees only the visible malicious objects, and a sandbox cannot scale to examine real-world traffic; malicious payloads are obfuscated and invisible without multi-flow analysis.)

Multi-Flow (Session based) Analysis

(Figure – the NX sensor takes a copy of the session; the objects in it (HTML, JS, Flash, DNS, content such as CSS/JPEG/TXT, binaries such as ZIP/PE/DOC/JAR; total > 50 objects) are passed to MVX for static analysis and dynamic analysis.)

Dissecting an advanced attack – cfr.org

1. Check for the right environment
2. Store encoded malware in browser cache
3. Perform heap spray to load shellcode in memory
4. Load text file, decode to Javascript and execute
5. Exploit IE8 vulnerability & execute the shellcode
6. Shellcode runs and decodes the malware
7. Final malware exposed and executed

These objects or files, individually, are NOT malicious.

Malware Callback Detection

Overview
▪ Callback is a type of network behavior generated by malware for collecting data or for remotely controlling threats

Benefits
▪ Superior time-to-detection of botnets, backdoors and other forms of malware that utilize callbacks

(Figure – Exploit → Malware Download → Lateral Spread → Exfiltration; detecting and blocking the callback disrupts the malware process)

SmartVision

Overview
▪ SmartVision is an advanced correlation and analytics engine that detects stealthy, lateral (east/west) attacks within the network

Benefits
▪ Protects from threats moving laterally within the network
▪ Reduces the time to detection
▪ Helps minimize risk of data theft
▪ Helps reduce the spread of malware throughout the network

(Figure – deployment: Internet – Firewall – FireEye NX – Core Switch – Distribution Switches, with FireEye Sensors at the distribution layer)

Detection (Lateral Movement)

145+ network correlation rules; many rules are applicable at multiple stages of the attack lifecycle.

Attack lifecycle: Initial Recon → Initial Compromise → Establish Foothold → Escalate Privileges → Internal Recon → Move Laterally → Maintain Presence → Complete Mission

Example rules:
▪ AT Remote Service Task Schedule
▪ PsExec Activity
▪ Windows WMI Remote Shell Launch
▪ DNS Zone Transfer
▪ Directory listing of users
▪ Remote user/share enumeration
▪ Mimikatz binary transfer
▪ Mimikatz output activity
▪ Windows Credential Editor binary transfer
▪ Malware upload over SMB
▪ EXE File Transfer To Remote Recycler Folder
▪ Unusual file transfer activity from ADMIN$ or C$
▪ Malware download C&C
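What a few of the rule names on this slide look like as correlation logic, in an added example that is not FireEye's rule engine: three per-event rules (PsExec activity, AT remote task scheduling, EXE transfer to ADMIN$ or C$) plus one aggregation rule (share enumeration against several hosts from a single source) run over constructed SMB/DCE-RPC metadata events, with each hit tagged with the lifecycle stage it belongs to. The event format, the pipe and file names each rule keys on, and the sample log are assumptions made for this illustration.

```python
# Added example (not FireEye code): a miniature correlation engine in the
# spirit of the rules named on the slide, run over constructed SMB/DCE-RPC
# metadata events. The event format, rule logic and sample log are
# assumptions made for this illustration.
from collections import defaultdict, namedtuple

Event = namedtuple("Event", "ts src dst kind detail")
Alert = namedtuple("Alert", "rule stage src dst ts")

# Constructed sample events, one per line: "timestamp src dst kind detail".
SAMPLE_EVENTS = r"""
2019-05-01T10:00:01 10.0.1.5 10.0.2.10 share_connect IPC$
2019-05-01T10:00:02 10.0.1.5 10.0.2.10 rpc_call srvsvc:NetShareEnumAll
2019-05-01T10:00:03 10.0.1.5 10.0.2.11 rpc_call srvsvc:NetShareEnumAll
2019-05-01T10:00:04 10.0.1.5 10.0.2.12 rpc_call srvsvc:NetShareEnumAll
2019-05-01T10:05:10 10.0.1.5 10.0.2.10 share_connect ADMIN$
2019-05-01T10:05:11 10.0.1.5 10.0.2.10 file_write ADMIN$\PSEXESVC.exe
2019-05-01T10:05:12 10.0.1.5 10.0.2.10 pipe_open \PSEXESVC
2019-05-01T10:07:00 10.0.1.5 10.0.2.12 file_write C$\Windows\Temp\update.exe
2019-05-01T10:08:00 10.0.1.5 10.0.2.12 pipe_open \atsvc
2019-05-01T10:09:00 10.0.1.7 10.0.2.20 file_write Public$\report.pdf
"""

ADMIN_SHARES = ("ADMIN$", "C$")


def parse_events(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, kind, detail = line.split(None, 4)
            events.append(Event(ts, src, dst, kind, detail))
    return events


# Per-event rules return (rule name, lifecycle stage) or None.
def rule_admin_share_exe(ev):
    share = ev.detail.split("\\", 1)[0]
    if ev.kind == "file_write" and share in ADMIN_SHARES and ev.detail.lower().endswith(".exe"):
        return "Unusual file transfer activity from ADMIN$ or C$", "Move Laterally"


def rule_psexec(ev):
    # PsExec drops PSEXESVC.exe into ADMIN$ and talks to it over the \PSEXESVC pipe.
    d = ev.detail.lower()
    if (ev.kind == "file_write" and d.endswith("psexesvc.exe")) or (ev.kind == "pipe_open" and d == "\\psexesvc"):
        return "PsExec Activity", "Move Laterally"


def rule_at_task(ev):
    # Remote AT job scheduling goes through the \atsvc named pipe.
    if ev.kind == "pipe_open" and ev.detail.lower() == "\\atsvc":
        return "AT Remote Service Task Schedule", "Move Laterally"


PER_EVENT_RULES = (rule_admin_share_exe, rule_psexec, rule_at_task)


def correlate(events, enum_threshold=3):
    """Runs the per-event rules plus one aggregation rule (share enumeration
    against >= enum_threshold distinct hosts from a single source). Alerts are
    de-duplicated per (rule, src, dst)."""
    alerts, seen = [], set()

    def emit(rule, stage, src, dst, ts):
        if (rule, src, dst) not in seen:
            seen.add((rule, src, dst))
            alerts.append(Alert(rule, stage, src, dst, ts))

    for ev in events:
        for rule in PER_EVENT_RULES:
            hit = rule(ev)
            if hit:
                emit(hit[0], hit[1], ev.src, ev.dst, ev.ts)

    targets, first_ts = defaultdict(set), {}
    for ev in events:
        if ev.kind == "rpc_call" and ev.detail == "srvsvc:NetShareEnumAll":
            targets[ev.src].add(ev.dst)
            first_ts.setdefault(ev.src, ev.ts)
    for src, hosts in targets.items():
        if len(hosts) >= enum_threshold:
            emit("Remote user/share enumeration", "Internal Recon", src, f"{len(hosts)} hosts", first_ts[src])
    return alerts


def by_stage(alerts):
    counts = defaultdict(int)
    for a in alerts:
        counts[a.stage] += 1
    return dict(counts)


if __name__ == "__main__":
    for a in correlate(parse_events(SAMPLE_EVENTS)):
        print(f"{a.ts} [{a.stage}] {a.rule}: {a.src} -> {a.dst}")
```

Two design points carry over to any real rule set: the PsExec drop fires both the generic ADMIN$ EXE-transfer rule and the specific PsExec rule, which is why the slide says many rules apply at several lifecycle stages, and the enumeration rule needs state across events (distinct targets per source) rather than a single-packet match.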

Network Security – What's new?

Recent Enhancements

▪ SSL Decryption
▪ TLS Fingerprint
▪ ICAP support
▪ SmartVision Enhancements
▪ WebShell Detection
▪ Unified FAUDE

Visibility into Encrypted Traffic

Overview
▪ As of 2018 Q2, FireEye will provide integrated man-in-the-middle SSL/TLS inspection to detect threats hidden in encrypted traffic

Benefits
▪ Visibility into encrypted traffic
▪ Greater detection of malware
▪ URL Categorization included

SSL Decryption

▪ Add a slide with the zvelo configuration/exceptions

SSL/TLS Fingerprint Detection Feature

◆ Detects suspicious TLS handshakes initiated by malware by matching the SSL/TLS handshake fingerprint (JA3 blacklist).
◆ Binary on appliances to extract TLS event metadata
◆ The JA3 hash blacklist, binary and configuration files are managed through security content updates
◆ There are three levels of severity/confidence (High, Medium and Silent)
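How JA3 matching works in practice, as an added example that is not FireEye's implementation: the five ClientHello fields (version, cipher suites, extensions, supported groups, point formats) are joined into the JA3 string with GREASE values removed, MD5-hashed, and looked up in a blocklist that carries the three severity levels named above. The ClientHello builder and parser, the blocklist entries and the High/Medium/Silent handling are constructed assumptions; the hashes in the blocklist are not real indicators.

```python
# Added example (not FireEye code): computes a JA3 fingerprint from the
# ClientHello fields and checks it against a blocklist with the three
# severity levels the slide names. The ClientHello builder/parser, the
# blocklist entries and the severity-to-action mapping are assumptions
# constructed for this illustration; the blocklist hashes are not real IoCs.
import hashlib
import struct

SUPPORTED_GROUPS, EC_POINT_FORMATS = 10, 11      # TLS extension types


def is_grease(value):
    """GREASE values (RFC 8701: 0x0a0a, 0x1a1a, ... 0xfafa) are random filler
    that browsers insert; JA3 drops them so the fingerprint stays stable."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def build_client_hello(version, ciphers, extensions, curves, point_formats):
    """Constructs a TLS record carrying a minimal ClientHello (test input)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"       # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                             # one compression method: null
    exts = b""
    for ext in extensions:
        if ext == SUPPORTED_GROUPS:
            data = struct.pack("!H", 2 * len(curves)) + b"".join(struct.pack("!H", c) for c in curves)
        elif ext == EC_POINT_FORMATS:
            data = bytes([len(point_formats)]) + bytes(point_formats)
        else:
            data = b""
        exts += struct.pack("!HH", ext, len(data)) + data
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Extracts the five JA3 inputs from a TLS record holding a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hs, p = record[5:], 4                                           # skip type + 3-byte length
    version = struct.unpack("!H", hs[p:p + 2])[0]; p += 2 + 32      # version, then 32-byte random
    p += 1 + hs[p]                                                  # session id
    cs_len = struct.unpack("!H", hs[p:p + 2])[0]; p += 2
    ciphers = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(p, p + cs_len, 2)]; p += cs_len
    p += 1 + hs[p]                                                  # compression methods
    extensions, curves, point_formats = [], [], []
    if p < len(hs):
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]; p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4]); p += 4
            data = hs[p:p + elen]; p += elen
            extensions.append(etype)
            if etype == SUPPORTED_GROUPS:
                n = struct.unpack("!H", data[:2])[0]
                curves = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
            elif etype == EC_POINT_FORMATS:
                point_formats = list(data[1:1 + data[0]])
    return version, ciphers, extensions, curves, point_formats


def ja3_string(version, ciphers, extensions, curves, point_formats):
    fields = [str(version)] + ["-".join(str(v) for v in lst if not is_grease(v))
                               for lst in (ciphers, extensions, curves, point_formats)]
    return ",".join(fields)


def ja3_hash(s):
    return hashlib.md5(s.encode("ascii")).hexdigest()


# Constructed blocklist: JA3 hash -> (label, severity). Not real threat data.
BLOCKLIST = {
    ja3_hash("769,47-53-5-10,0-10-11,23-24,0"): ("constructed-sample-tool-A", "High"),
    ja3_hash("771,49195-49199-47,0-10-11-35,23,0"): ("constructed-sample-tool-B", "Medium"),
    ja3_hash("771,4865-4866,0-10-11,29,0"): ("constructed-sample-tool-C", "Silent"),
}
# Assumed handling per level: High/Medium raise an alert, Silent is logged only.
ACTION_FOR = {"High": "alert", "Medium": "alert", "Silent": "log"}


def evaluate(record, blocklist=BLOCKLIST):
    """Returns (ja3 string, ja3 hash, label, severity, action) for one ClientHello."""
    s = ja3_string(*parse_client_hello(record))
    h = ja3_hash(s)
    label, severity = blocklist.get(h, (None, None))
    return s, h, label, severity, ACTION_FOR.get(severity, "none")


if __name__ == "__main__":
    browser_like = build_client_hello(0x0303, [0x1A1A, 0x1301, 0x1302, 0x1303, 0xC02B],
                                      [0x2A2A, 0, 23, 10, 11, 65281], [0x3A3A, 29, 23, 24], [0])
    print(evaluate(browser_like))
```

The GREASE filter matters for fidelity: without it the same browser would produce a different hash on every connection and a blocklist built from captured handshakes would never match. Field order is preserved exactly as sent, since JA3 deliberately treats ordering as part of the fingerprint.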

ICAP Support

◆ Supports ICAP server capability on NX
▶ NX can act as an ICAP server – supporting both secure & plain-text ICAP communication
◆ Supports attack detection on NX for the HTTP payload encapsulated over the ICAP protocol.
◆ NX will behave only in monitor mode for ICAP traffic – no blocking functionality right now
◆ ReqMod/RespMod
◆ Use MVX in conjunction with existing security measures, i.e. a proxy
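The RespMod exchange in an added example that is not FireEye code: a proxy wraps the client's HTTP request header and the origin server's response in an ICAP RESPMOD request laid out per RFC 3507 (the Encapsulated header gives the byte offset of each section, the body is chunked), and a monitor-only server inspects the encapsulated object and hands it back unmodified, answering 204 No Content when the client advertises Allow: 204 and otherwise echoing the response in a 200. The sample HTTP exchange, the classify() callback, the ISTag value and the server's behaviour are constructed assumptions.

```python
# Added example (not FireEye code): builds the ICAP RESPMOD request a proxy
# would send to an inspection server and shows what a monitor-only server
# answers. Message layout follows RFC 3507; the sample HTTP exchange, the
# classify() callback and the server behaviour are constructed assumptions.
from urllib.parse import urlsplit

ICAP_VERSION = "ICAP/1.0"


def chunked(body):
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body) if body else b"0\r\n\r\n"


def build_respmod(icap_uri, req_hdr, res_hdr, res_body, allow_204=True):
    """Proxy side: encapsulate the client's request header plus the origin
    server's response header and body. Encapsulated offsets are byte positions
    from the start of the encapsulated section."""
    req_b, res_b = req_hdr.encode(), res_hdr.encode()
    enc = f"req-hdr=0, res-hdr={len(req_b)}, res-body={len(req_b) + len(res_b)}"
    lines = [f"RESPMOD {icap_uri} {ICAP_VERSION}", f"Host: {urlsplit(icap_uri).netloc}", f"Encapsulated: {enc}"]
    if allow_204:
        lines.append("Allow: 204")            # client accepts "unmodified" as a bodiless 204
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + req_b + res_b + chunked(res_body)


def parse_icap(raw):
    head, _, payload = raw.partition(b"\r\n\r\n")
    start, *hdr_lines = head.decode().split("\r\n")
    headers = {}
    for line in hdr_lines:
        k, _, v = line.partition(":")
        headers[k.strip().lower()] = v.strip()
    return start, headers, payload


def split_sections(encapsulated, payload):
    """Cuts the payload into named sections using the Encapsulated offsets."""
    offsets = [(k.strip(), int(v)) for k, _, v in (i.partition("=") for i in encapsulated.split(","))]
    offsets.sort(key=lambda kv: kv[1])
    sections = {}
    for i, (name, start) in enumerate(offsets):
        end = offsets[i + 1][1] if i + 1 < len(offsets) else len(payload)
        sections[name] = payload[start:end]
    return sections


def decode_chunked(data):
    body, p = b"", 0
    while True:
        eol = data.index(b"\r\n", p)
        size = int(data[p:eol].split(b";")[0], 16)
        p = eol + 2
        if size == 0:
            return body
        body += data[p:p + size]
        p += size + 2


def classify(req_hdr, res_hdr, body):
    """Detection stand-in: identify the object type handed over for analysis."""
    ctype = next((l.split(":", 1)[1].strip() for l in res_hdr.decode().split("\r\n")
                  if l.lower().startswith("content-type:")), "")
    kind = "pdf" if body.startswith(b"%PDF") else "pe" if body.startswith(b"MZ") else "other"
    return {"url": req_hdr.decode().split()[1], "content_type": ctype, "object": kind, "size": len(body)}


def monitor_mode_server(raw_request, inspect=classify):
    """Server side in monitor-only mode: inspect, never alter. Replies 204 when
    the client allows it, otherwise echoes the response back unchanged."""
    start, headers, payload = parse_icap(raw_request)
    if start.split()[0] != "RESPMOD":
        return f"{ICAP_VERSION} 405 Method Not Allowed\r\n\r\n".encode(), None
    sections = split_sections(headers["encapsulated"], payload)
    body = decode_chunked(sections["res-body"]) if "res-body" in sections else b""
    verdict = inspect(sections.get("req-hdr", b""), sections.get("res-hdr", b""), body)
    if "204" in headers.get("allow", ""):
        return f'{ICAP_VERSION} 204 No Content\r\nISTag: "nx-monitor"\r\nEncapsulated: null-body=0\r\n\r\n'.encode(), verdict
    res_hdr = sections.get("res-hdr", b"")
    enc = f"res-hdr=0, res-body={len(res_hdr)}"
    head = f'{ICAP_VERSION} 200 OK\r\nISTag: "nx-monitor"\r\nEncapsulated: {enc}\r\n\r\n'.encode()
    return head + res_hdr + sections.get("res-body", chunked(b"")), verdict


# Constructed sample exchange.
REQ_HDR = "GET /download/report.pdf HTTP/1.1\r\nHost: files.example.com\r\n\r\n"
RES_BODY = b"%PDF-1.4 constructed sample document"
RES_HDR = f"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\nContent-Length: {len(RES_BODY)}\r\n\r\n"


def run_exchange(allow_204=True):
    request = build_respmod("icap://nx.example.com:1344/respmod", REQ_HDR, RES_HDR, RES_BODY, allow_204)
    response, verdict = monitor_mode_server(request)
    return request, response, verdict


if __name__ == "__main__":
    _, resp, v = run_exchange()
    print(resp.decode(), v)
```

Monitor mode is what makes the 204 path the interesting one: the proxy keeps serving the original object while the inspection result is raised out of band, so a deployment that later wants blocking has to switch the server to returning a modified 200 response instead.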

Webshell?

A web shell is a script that can be uploaded to a web server to enable remote administration of the web server machine. Infected web servers can be either Internet-facing or internal to the network, where the web shell is used to pivot further to internal hosts. A web shell may provide a set of functions to execute or a command-line interface on the infected system. In addition to a server-side script, a web shell may have a client interface program that is used to talk to the web server (see, for example, the China Chopper web shell client).

A web shell can be written in any language that the target web server supports. The most commonly observed web shells are written in languages that are widely supported, such as PHP, JSP, WAR, ASP etc.

WebShell Detection Flow

• Newly deployed webshells
• Already deployed webshells
• NX will extract server-side files (PHP, WAR, JSP, ASP, ASPX etc.)
• Extracted files will be subjected to static and dynamic analysis
• MVX will leverage two profiles for dynamic analysis:
  • Win7x64 → ASP, ASPX
  • CentOS 7.2 → PHP, JSP, WAR
• For server attacks GI will leverage both client and server in the same profile.
• Both client and server activity will be reported

Endpoint Security

FireEye Endpoint Protection (HX) = EPP + EDR

EPP – PREVENTION: build a higher wall.
EDR – RESPONSE: look for those who got around, over, or under the wall. Identify and respond quickly when prevention fails. Know what happened.

"FireEye's product strength reflects its roots in forensic investigations undertaken by its predecessor company, Mandiant."
"FireEye is one of the top-three EDR market competitors"
– Endpoint Detection and Response Tools, Jan. 2017

"CIOs need to rethink their security and risk investments by recommending enterprises move their investments from 90 percent prevention and 10 percent detection and response, to a 60/40 split instead."
– Gartner Symposium/ITxpo 2015

How We Do It

Protect Against Threats
▪ Malware Protection
▪ MalwareGuard
▪ ExploitGuard
▪ Platform Interaction

Detect the Breaches
▪ Event Recording
▪ Indicators of Compromise (IoC)
▪ Enterprise Search
▪ Investigative Data Acquisition

Respond to Incidents
• Containment
• On/off network
• Respond at scale

FireEye Endpoint Security in Action

(Figure – the attack lifecycle from Initial Reconnaissance through Initial Compromise, Establish Foothold, Escalate Privileges, Internal Reconnaissance, Maintain Presence and Move Laterally to Complete Mission, annotated with the component active at each stage: MP Malware Protection, EG ExploitGuard, MG MalwareGuard, RT Real Time IoC; outcomes: Automatic Block & Quarantine, Advanced Detection, Containment)

Alert Triage

Latest changes on FireEye HX

OS Coverage Expansion

Windows Desktop: Windows XP SP2, SP3; Windows Vista SP1, SP2; Windows 7; Windows 8; Windows 8.1; Windows 10 1703, 1609, LTSB, 1803, 1809, 19H2

Windows Server: Windows Server 2003 SP2, R2 SP2; Windows Server 2008 R2, R2 SP1 (64-bit); Windows Server 2012; Windows Server 2016 (64-bit); Windows Server 2019 1809

Linux: RHEL 6.8, 6.9, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7 (64-bit); CentOS 6.9, 6.10, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6 (64-bit); SUSE Enterprise Linux 11.4, 12.2, 12.3, 15 (64-bit); Ubuntu 14.04, 16.04, 18.04, 19.04 (64-bit); Amazon Linux AMI 2018.3 (64-bit); Oracle Linux 6.10, 7.6

MacOS: Mac OS Mavericks 10.9 (64-bit); Yosemite 10.10 (64-bit); El Capitan 10.11 (64-bit); Sierra 10.12 (64-bit); High Sierra 10.13 (64-bit); Mojave 10.14, 10.15 (64-bit)

Linux agent: support added for the following audits

▪ Kernel Modules
▪ Login History & Tasks
▪ Agent Events (IoC based)
– Process Events
– Network Events
▪ Triage and auto-triage available

These four modules were included in the standard and comprehensive investigative details scripts.

Even more options will come in HX 4.9 ☺

New Endpoint Architecture!

Introduction to Modules (Tech Preview)

▪ Future of agent innovation
▪ Scales for in-field, on-demand features
▪ FireEye Market -> Endpoint Modules
▪ Primary driver: consultant-driven features for current engagements
▪ Customer benefit: field-tested features proven to find threat actors

Modules in Action

Select a module to load into FireEye Endpoint Security. Modules work across all deployment environments; enable them by policy per host set or across your console.

Enricher Module Overview/Workflow

▪ MVX Check – If the file is not whitelisted by the context API and MVX is enabled, the enricher will check to see if MVX has ever seen the file.
▪ File Acquire – If MVX has never seen the file, a file acquire is queued in HX and when the acquire is complete, the enricher will submit the file to MVX.
▪ MVX Report – After MVX completes analysis, the alert/process tracker event will be updated with the results.
▪ HX Update – If MVX finds the file to be malicious, a generic alert will be thrown (process tracker), or the existing alert will be updated with decorators to provide the enrichment status.

(Workflow figure: MVX check → file acquire by HX → AX API file check → HX alert created or existing alert updated)

Process Tracker

Process Tracker recognizes unique file executions on a host and reports those executions to HX.

▪ If enrichment is enabled, all process tracker events will be enriched, utilizing the standard enricher workflow.
▪ If enrichment is not enabled, process tracker will still store messages on the bus and in its database.
▪ If alerting is enabled, any events deemed malicious by the enricher will throw a generic alert of type "PRO".

(Figure: unique process → check (enricher) → alert (PRO); unique process → DB save → alert (PRO))
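The enricher workflow on the previous slide and the Process Tracker rules above, in one added simulation that is not FireEye code: unique (host, file hash) executions are recorded, each new one runs through whitelist check, MVX cache check, file acquisition and verdict, and a malicious verdict either raises a new "PRO" alert or decorates an alert that already exists for that host and file. MVX, HX, the context API, the alert records, the sample hosts and files, and the pre-seeded "EXC" alert type are all constructed stand-ins.

```python
# Added example (not FireEye code): a simulation of the enricher workflow
# and Process Tracker behaviour described on the two slides above. MVX, HX,
# the context API, the alert records and the sample hosts/files are all
# constructed stand-ins; the "EXC" alert type pre-seeded below is hypothetical.
import hashlib
from dataclasses import dataclass, field


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ContextApi:
    """Whitelist lookup stand-in: hashes of known-good files."""
    def __init__(self, allowed):
        self.allowed = set(allowed)

    def is_whitelisted(self, sha):
        return sha in self.allowed


class Mvx:
    """MVX stand-in: remembers a verdict for every file it has analysed."""
    def __init__(self, known=None):
        self.known = dict(known or {})

    def has_seen(self, sha):
        return sha in self.known

    def analyse(self, sha, content):
        # Constructed verdict rule for the demo, not real detection logic.
        self.known[sha] = "malicious" if b"EVIL" in content else "benign"
        return self.known[sha]


@dataclass
class Alert:
    alert_type: str
    host: str
    sha: str
    decorators: list = field(default_factory=list)


class Hx:
    """HX stand-in: holds alerts and serves file acquisitions from hosts."""
    def __init__(self, files):
        self.files, self.alerts, self.acquired = files, [], []

    def acquire(self, host, path):
        self.acquired.append((host, path))
        return self.files[(host, path)]

    def find_alert(self, host, sha):
        return next((a for a in self.alerts if a.host == host and a.sha == sha), None)


def enrich(event, ctx, mvx, hx, mvx_enabled=True):
    """Steps from the enricher slide: MVX check, file acquire, MVX report.
    The HX update (alert creation/decoration) is done by the caller."""
    sha = event["sha"]
    if not mvx_enabled or ctx.is_whitelisted(sha):
        event["enrichment"] = "skipped"
        return event
    if mvx.has_seen(sha):
        event["enrichment"] = "cached"
    else:
        mvx.analyse(sha, hx.acquire(event["host"], event["path"]))
        event["enrichment"] = "acquired"
    event["verdict"] = mvx.known[sha]
    return event


class ProcessTracker:
    def __init__(self, hx, ctx, mvx, enrichment=True, alerting=True):
        self.hx, self.ctx, self.mvx = hx, ctx, mvx
        self.enrichment, self.alerting = enrichment, alerting
        self.db, self.seen = [], set()

    def observe(self, host, path, content):
        """Records one unique (host, file hash) execution; repeats return None."""
        sha = sha256(content)
        if (host, sha) in self.seen:
            return None
        self.seen.add((host, sha))
        event = {"host": host, "path": path, "sha": sha}
        if self.enrichment:
            enrich(event, self.ctx, self.mvx, self.hx)
        self.db.append(event)                        # stored whether enriched or not
        if self.alerting and event.get("verdict") == "malicious":
            existing = self.hx.find_alert(host, sha)
            if existing:
                existing.decorators.append("enrichment:malicious")
                event["alert"] = "updated"
            else:
                self.hx.alerts.append(Alert("PRO", host, sha, ["enrichment:malicious"]))
                event["alert"] = "new"
        return event


def run_scenario():
    good, dropper, known = b"GOOD admin tool", b"EVIL dropper", b"EVIL known sample"
    files = {("hostA", r"C:\Tools\good.exe"): good, ("hostA", r"C:\Temp\dropper.exe"): dropper,
             ("hostB", r"C:\Temp\dropper.exe"): dropper, ("hostB", r"C:\Users\x\known.exe"): known}
    hx = Hx(files)
    hx.alerts.append(Alert("EXC", "hostB", sha256(known)))    # hypothetical pre-existing alert
    tracker = ProcessTracker(hx, ContextApi([sha256(good)]), Mvx({sha256(known): "malicious"}))
    events = [tracker.observe("hostA", r"C:\Tools\good.exe", good),
              tracker.observe("hostA", r"C:\Temp\dropper.exe", dropper),
              tracker.observe("hostB", r"C:\Temp\dropper.exe", dropper),
              tracker.observe("hostB", r"C:\Users\x\known.exe", known)]
    duplicate = tracker.observe("hostA", r"C:\Temp\dropper.exe", dropper)
    return {"events": events, "duplicate": duplicate, "acquired": hx.acquired, "alerts": hx.alerts}
```

The scenario exercises every branch on the two slides: the whitelisted tool is skipped, the first sighting of the dropper costs one file acquisition, the second host running the same dropper is answered from the MVX cache without another acquisition, and the file that already had an alert gets a decorator instead of a second alert.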

Process Guard

▪ The Process Guard Module for FireEye Endpoint Security prevents attackers from obtaining access to credential data or key material stored within the Windows operating system.
▪ Whitelist for "strange" software (file and process path).

Tamper Protection Improvements

▪ Added a new setting in the agent configuration:
– True: deny local administrators the ability to stop/restart the agent
– False: allow local administrators the ability to stop/restart the agent
▪ Users can change the configuration from Admin -> Policies -> Tamper Protection

Generic Alert

▪ The IA architecture gives modules the ability to create their own alerts.
▪ Based on a predefined template, a module can create as many types of alerts as it wants.
▪ The generic alerts are displayed along with the existing alerts and can be triaged in the same way.
▪ We have introduced a few additional parameters for generic alerts, such as alert badge, label, file path and source.
▪ All existing alert settings, like aging and rate limiting, work with generic alerts.

Triage Trigger Module

▪ This module's core capability is to trigger automatic triage for legacy and generic alerts, subject to a rate limit.
▪ Alert-specific triage can be enabled or disabled.
▪ Using this module the triage rate limiting can be modified.
▪ The automatic triage enable/disable setting and the Registry Audit and URL Event Collection before/after timestamps from the acquisition settings are moved into the triage trigger module UI.

Malware Guard Protection Separation

Malware Protection is able to work in three different modes:
▪ Signature and Heuristic + Malware Guard
▪ Signature and Heuristic only
▪ Malware Guard only

FireEye Malware Analysis

Sample Analysis

FireEye Detection Trial

FireEye Detection Trial (SaaS)

▪ FireEye Detection On Demand is a threat detection service delivered as an API for integration into the SOC workflow, SIEM analytics, data repositories, or web applications.
▪ Monthly file and hash submission.
▪ File submission rate will be limited to 100/minute.
▪ Hash submission rate will be limited to 200/minute.

FireEye New Developer Hub!

▪ https://fireeye.dev/

FIREEYE DEVELOPMENT DIRECTIONS FOR 2019-2021, OR: THE POLISH ENGINEERING TEAM'S PREDICTIONS ☺

COMPREHENSIVE SECURITY SOLUTIONS
1. EXPANSION OF THE PRODUCT PORTFOLIO
2. A PLATFORM FOR THE SOC
3. CLOUD
4. SERVICES, SaaS, MSSP

Thank you

Damian Hoffman – Senior System Engineer, Eastern Europe, FireEye
Marcin Kacprzak – Senior System Engineer, Eastern Europe, FireEye

BREAKING NEWS: THANK YOU FOR TAKING PART IN CYBERSECURITY FORUM 2019

See you next year!

MORE: fireeye.com