How can one protect against them? How are computer security systems and user reputation related?
Presentation author – Rainer Baeder. Head of the Fortinet solutions consulting centre (Germany).
The presentation was delivered at the conference INFORMATION SYSTEMS SECURITY, held on 11 April 2013 and aimed at state institutions and organisations of national importance.
Rainer Baeder. Sophisticated targeted and long-lasting threats
1. Advanced Persistent Threats (APTs)
Rainer Baeder
Manager Systems Engineering
1 CONFIDENTIAL – INTERNAL ONLY
Fortinet Confidential
2. AGENDA
• APT 101
• FortiOS AV solution
• Other tools
3. Highlight
A.P.T.
• ADVANCED
  • Based on Zero Days
  • Part of Targeted Attacks
  • 75% Patchable Vulnerabilities
• PERSISTENT
  • Update Techniques
  • Low Profile
  • 85% of breaches take >5 months to discover
4. Some Statistics on APT
• Different companies targeted
  • 50% Large enterprises / Gov
  • 20% Small Businesses
• Targeted Attacks
  • 20% target “C levels”
• Sprawling 0-day market
5. APT strategy
Advanced Persistent Defence
• Fight APTs
  • Multi-layer defense
  • Cut the link anywhere in the chain
• Antivirus is the core
  • Not the silver bullet though
  • “ALL ON” is the answer
• Extensive botnet research
  • Communication channel
  • Even fight internal threats
6. APT history
Cyberwarfare: VoIP and Convergence Increase Vulnerability
David L. Fraley

By 2005, the United States and other nations will have the ability to conduct cyberwarfare. The increasing use of Voice over IP and the converging of voice/data networks is facilitating it.

The aspects of cyberwarfare have been considered for years. Future cyberattacks could constitute an entire war or an attack type as part of a larger campaign. Cyberwarfare, like any military operation, has two components — offensive and defensive operations.

The U.S. military complex continues work on Presidential Directive 16, including developing the rules and tools. The United States is not the only government thinking about cyberattacks. In the second quarter of 1995, Major General Wang Pufeng of The Chinese Army published a paper, “The Challenge of Information Warfare.” In this paper, Pufeng writes that the information era will touch off a revolution in military affairs.
10. APT's Procedure
Step 1: Reconnaissance
Step 2: Spear-phishing attack
Step 3: Establish presence
Step 4: Exploration and Enumeration
Step 5: Steal Data
Step 6: Stay in
11. Crimeware as a Service
CaaS:
• Hacking-as-a-Service
• Fraud-as-a-Service
• Botnet-as-a-Service
• DDoS-as-a-Service
• Do-it-Yourself
• Spyware-as-a-Service
• Designer-Malware-as-a-Service
• Spam-as-a-Service
13. Technologies
Signatures
• Detects and blocks known malware and some variants
• Highly accurate, low false positives
• Requires up-to-date signature updates
• 3rd party validated
Behavioral Evaluation
• Detects and blocks malware based on a scoring system of known malicious behaviors or characteristics
• Can be used to flag suspicious files for further analysis
File Analysis
• Detects zero-day threats by executing code on emulators to determine malicious activities
• Resource intensive, performance and latency impact
14. Technologies
Application Control
• Detects and blocks nearly 50 active botnets
• Detects botnet network activities by examining traffic
• Prevents zombies from leaking data or communicating for instructions
Botnet IP Reputation DB
• Detects and blocks known Botnet C&C communication by matching against blacklisted botnet command IPs
• Stops dial back by infected zombies
15. AV Engine
FortiGate AV Engine 2.0 – File Sample processing:
Step 1: Signature Match (CPRL/Checksum)
Step 2: Decryption/unpacking System
Step 3: Behavior Analysis
Step 4: Local Sandbox
Local Sandbox
• Lightweight Emulators – good against VM evasion
• OS-independent file analysis, all file types (JavaScript, Flash, PDF)
• Best against malware injections via (compromised) web 2.0 applications
Outcomes
• Suspicious – forward to cloud-based FortiGuard AV service
• Pass – no further action
• Blocked – file discarded, option to quarantine, and event logged
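The tiered inspection described on the Technologies and AV Engine slides (exact signature match first, then a behavioural score, then a verdict that blocks, passes, or forwards the file to a heavier sandbox) can be sketched as a small decision pipeline. The following is an added illustration written for this page, not Fortinet's engine or its CPRL signature format; the hash database, the behaviour names and weights, the thresholds and the sample set are all constructed assumptions.

```python
"""Toy tiered file-inspection pipeline (added illustration, not Fortinet code).

Order follows the AV Engine slide: exact signature (checksum) match first,
then a behavioural score, then one of three verdicts: blocked, pass, or
suspicious (forwarded to a cloud sandbox for deeper analysis).
All hashes, weights, thresholds and samples are constructed assumptions.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed "signature DB": SHA-256 of known-bad content -> family label.
KNOWN_BAD: Dict[str, str] = {
    hashlib.sha256(b"constructed-malicious-sample-1").hexdigest(): "demo.family.a",
}

# Constructed behavioural scoring table ("scoring system of known malicious
# behaviors or characteristics"). Weights are assumptions for the demo.
BEHAVIOR_WEIGHTS: Dict[str, int] = {
    "packed": 2,
    "writes_autorun": 3,
    "injects_remote_thread": 4,
    "contacts_new_domain": 2,
    "deletes_shadow_copies": 5,
}
BLOCK_THRESHOLD = 6        # score at or above this: block locally
SUSPICIOUS_THRESHOLD = 3   # score at or above this: forward to cloud sandbox


@dataclass
class Verdict:
    outcome: str   # "blocked", "suspicious" or "pass"
    reason: str
    score: int = 0


def inspect(content: bytes, behaviors: Iterable[str]) -> Verdict:
    """Run one file through the tiers and return the verdict."""
    # Tier 1: exact signature match. Cheap and highly accurate, but it only
    # catches samples whose hash is already in the DB.
    digest = hashlib.sha256(content).hexdigest()
    if digest in KNOWN_BAD:
        return Verdict("blocked", f"signature match: {KNOWN_BAD[digest]}")

    # Tier 2: behavioural evaluation. Unknown behaviours contribute nothing.
    score = sum(BEHAVIOR_WEIGHTS.get(b, 0) for b in behaviors)
    if score >= BLOCK_THRESHOLD:
        return Verdict("blocked", "behavioral score above block threshold", score)

    # Tier 3 hand-off: a moderate score means the local engine is unsure, so
    # the sample goes to the resource-intensive sandbox rather than being dropped.
    if score >= SUSPICIOUS_THRESHOLD:
        return Verdict("suspicious", "forward to cloud sandbox", score)
    return Verdict("pass", "no further action", score)


def triage(samples: List[tuple]) -> Dict[str, List[str]]:
    """Group sample names by verdict, the way an event log would summarise them."""
    buckets: Dict[str, List[str]] = {"blocked": [], "suspicious": [], "pass": []}
    for name, content, behaviors in samples:
        buckets[inspect(content, behaviors).outcome].append(name)
    return buckets


# Constructed sample set: (name, content bytes, observed behaviours).
SAMPLES = [
    ("known_bad.exe", b"constructed-malicious-sample-1", set()),
    ("packed_beacon.exe", b"unknown-1", {"packed", "contacts_new_domain"}),
    ("wiper.exe", b"unknown-2", {"injects_remote_thread", "deletes_shadow_copies"}),
    ("installer.exe", b"unknown-3", {"packed"}),
]

if __name__ == "__main__":
    for name, content, behaviors in SAMPLES:
        v = inspect(content, behaviors)
        print(f"{name:20} {v.outcome:10} score={v.score} ({v.reason})")
    print(triage(SAMPLES))
```

The point of the "suspicious" band is the trade-off the Technologies slide names: the signature tier is cheap and exact, the emulator tier is expensive, so the behavioural score decides which files are worth the latency of deeper analysis instead of forcing every unknown file through it.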
16. FortiGuard AV
File Sample (Manual or auto Submission)
Step 1: VM Sandbox
Step 2: Analyst Review
Step 3: FortiGuard Analytics Database / Update Service
FortiGuard Analytics Database: Botnet Servers Blacklist; AV, IPS & Application Signatures
File Analysis Service outcomes
• New detection – new signature is developed; alert to inform Administrator
• Pass – no further action
• Update – push/pull/manual updates
17. FortiGuard AV Service
Cloud Based Sandbox
As part of FortiGuard Analytics Service, Enabled on FortiOS (Proxy Based AV)
True VM Environments – test across various OS, patch levels & application versions
• Windows, Mac, Linux
Bayesian Scoring & Classification using detection criteria
• File system, permission/memory/registry modifications
• Network activities, API calls, etc
Test all filetypes:
• Portable Executables (PEs) – DLL, Font files, object codes
• Browsers & OS Scripts
• PDF, Flash etc …
18. Analytics via Forticloud service
• Inspection stats
• Sample scan status
• Time / IP based correlation
19. FortiOS + Analytics
Local – In-box AV functions
• Hardware Accelerated & Code optimized
• Real time updated, 3rd party validated Signature DB
• Lightweight Sandboxing
• Behavior / Attribute Based Heuristic Detection
FortiGuard – Cloud Based AV Service
• Botnet IP Reputation DB
• Cloud Based Sandboxing
• Application Control – Botnet Category
21. Client Reputation
Identify potential zero-day attacks
• Reputation by Activity – Multiple Scoring Vectors
• Threat Status – Real Time, Relative, Drill-down, Correlated
• Policy – Identification, Enforcement
• Score – Ranking, Computation
22. Client Reputation Example
• View of “Reputation Score” & clickable detail drill-down
[Screenshot: click for further drill-down detail]
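The Client Reputation slides describe a score built from several scoring vectors, ranked across clients, shown relative to the others, and backed by a drill-down into what produced it. The block below is an added illustration of that computation, not Fortinet's Client Reputation feature; the vector names, weights, scoring window and event records are constructed assumptions.

```python
"""Client reputation from multiple scoring vectors (added illustration,
not Fortinet's Client Reputation feature).

Each security event category is one "scoring vector" with a weight; a
client's absolute score is the weighted sum of its events, the relative
score scales that against the worst client in the window (so the ranking
highlights outliers), and drill_down() gives the per-vector breakdown
behind one client's number. Vectors, weights and events are constructed.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed scoring vectors and their weights (assumptions for the demo).
VECTOR_WEIGHTS: Dict[str, int] = {
    "malware_detected": 50,
    "botnet_cc_attempt": 40,
    "ips_critical": 30,
    "blocked_application": 10,
    "risky_web_category": 5,
}

# Constructed events: (client_ip, vector, count within the scoring window).
SAMPLE_EVENTS: List[Tuple[str, str, int]] = [
    ("10.0.0.5", "malware_detected", 1),
    ("10.0.0.5", "botnet_cc_attempt", 2),
    ("10.0.0.5", "risky_web_category", 3),
    ("10.0.0.9", "blocked_application", 4),
    ("10.0.0.9", "risky_web_category", 2),
    ("10.0.0.12", "ips_critical", 1),
    ("10.0.0.20", "risky_web_category", 1),
    ("10.0.0.20", "unknown_vector", 7),   # unweighted vector: contributes 0
]


def drill_down(events, client: str) -> Dict[str, int]:
    """Per-vector contribution for one client (the clickable detail view)."""
    contrib: Dict[str, int] = defaultdict(int)
    for ip, vector, count in events:
        if ip == client:
            contrib[vector] += VECTOR_WEIGHTS.get(vector, 0) * count
    return dict(contrib)


def compute_scores(events) -> Dict[str, int]:
    """Absolute reputation score per client (higher = more suspicious)."""
    scores: Dict[str, int] = defaultdict(int)
    for ip, vector, count in events:
        scores[ip] += VECTOR_WEIGHTS.get(vector, 0) * count
    return dict(scores)


def rank_clients(scores: Dict[str, int]) -> List[Tuple[str, int, float]]:
    """Rank by absolute score; relative score is percent of the worst client."""
    if not scores:
        return []
    worst = max(scores.values()) or 1   # avoid division by zero when all are 0
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(ip, s, round(100.0 * s / worst, 1)) for ip, s in ranked]


if __name__ == "__main__":
    for ip, absolute, relative in rank_clients(compute_scores(SAMPLE_EVENTS)):
        print(f"{ip:10} score={absolute:4} relative={relative:5.1f}%  "
              f"{drill_down(SAMPLE_EVENTS, ip)}")
```

Making the score relative is what turns a raw counter into a triage aid: the host with the highest weighted activity sits at 100% regardless of absolute volume, and the drill-down shows whether that position comes from one malware detection or from many low-weight web-category hits.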
23. Intercepting Botnets
• Botnet C&C communications
• Extension to AV Signature updates
• IP/Port list of known C&C servers
• Real Time IP Reputation DB
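Both the Botnet IP Reputation DB slide and this one come down to the same check: match each outbound connection against a list of known C&C addresses and ports, and report the internal host that is dialling back. The block below is an added example of that detection logic written for this page, not Fortinet's reputation database or matching code; the list entries (RFC 5737 documentation addresses), the log format and the log lines are constructed.

```python
"""Botnet C&C dial-back detection against an IP/port reputation list
(added illustration, not Fortinet's Botnet IP Reputation DB).

Outbound connection records are matched against entries of the form
(network, port-or-None); hits are grouped by internal source host so an
infected "zombie" calling home shows up as a list of dial-back attempts.
The list, the log lines and the field layout are all constructed.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

Entry = Tuple[ipaddress.IPv4Network, Optional[int]]

# Constructed reputation entries using RFC 5737 documentation ranges.
# A port of None means "any port on that address/network".
CC_ENTRIES = [
    ("203.0.113.0/24", None),   # whole network listed
    ("198.51.100.7/32", 6667),  # IRC-style C&C port
    ("198.51.100.8/32", 443),   # only the HTTPS listener is listed
]

# Constructed connection log: "timestamp src_ip dst_ip dst_port"
SAMPLE_LOG = """\
2013-04-11T09:00:01 10.0.0.5 192.0.2.10 443
2013-04-11T09:00:07 10.0.0.5 198.51.100.7 6667
2013-04-11T09:01:12 10.0.0.9 203.0.113.42 8080
2013-04-11T09:01:30 10.0.0.9 198.51.100.8 80
2013-04-11T09:02:00 10.0.0.5 198.51.100.7 6667
"""


def load_reputation(entries) -> List[Entry]:
    """Parse the textual list once so matching uses network objects."""
    return [(ipaddress.ip_network(net), port) for net, port in entries]


def is_cc_destination(db: List[Entry], dst_ip: str, dst_port: int) -> bool:
    """True when the destination matches a listed network and its port rule."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net and (port is None or port == dst_port)
               for net, port in db)


def parse_line(line: str) -> Tuple[str, str, str, int]:
    """Split one constructed log line into its four fields."""
    ts, src, dst, port = line.split()
    return ts, src, dst, int(port)


def find_dialbacks(db: List[Entry], log_text: str) -> Dict[str, List[Tuple[str, str, int]]]:
    """Return {src_ip: [(timestamp, dst_ip, dst_port), ...]} for every hit."""
    hits: Dict[str, List[Tuple[str, str, int]]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = parse_line(line)
        if is_cc_destination(db, dst, port):
            hits[src].append((ts, dst, port))
    return dict(hits)


if __name__ == "__main__":
    db = load_reputation(CC_ENTRIES)
    for src, events in find_dialbacks(db, SAMPLE_LOG).items():
        print(f"{src}: {len(events)} dial-back attempt(s)")
        for ts, dst, port in events:
            print(f"  {ts} -> {dst}:{port}")
```

Two details matter in practice and are exercised by the sample: a listing may cover a whole network rather than one address, and a port-qualified entry must not fire on other ports of the same host (the 198.51.100.8:80 line is left alone), because a reputation list that matches too broadly produces the false positives that get it switched off.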
24. AV enhancements result
FortiOS 5 Delivers:
• 25+ VB100 Awards
• VB100 RAP Leaders (#1) – Reactive & Proactive Test
• 96% Detection Rate!
• 100% Detection on ItW (In the Wild / Reactive)
• Intelligence Proxy combined with Cloud Analytics allows proactive detection of new viral variants
25. ONE More thing: Sniffer Mode
• One-arm Sniffer
• Offline Monitoring with Flow based UTM