Kaip nuo jų apsisaugoti? Kaip susijusios kompiuterių apsaugos sistemos ir vartotojų reputacija? Pranešimo autorius – Rainer Baeder. Įmonės „Fortinet“ sprendimų konsultacijų centro vadovas (Vokietija). Pranešimas skaitytas konferencijoje – INFORMACINIŲ SISTEMŲ SAUGUMAS, vykusioje 2013 m. balandžio 11d., skirtoje valstybės institucijų ir valstybinės reikšmės organizacijoms.

1. Advanced Persistent Threats
(APTs)
Rainer Baeder
Manager Systems Engineering
1 CONFIDENTIAL – INTERNAL ONLY
Fortinet Confidential

2. AGENDA
APT 101
•FortiOS AV solution
•Other tools
2 CONFIDENTIAL – INTERNAL ONLY
Fortinet Confidential

3. Highlight
A.P.T.
• ADVANCED
• Based on Zero Days
• Part of Targeted Attacks
• 75% Patchable Vulnerabilities
• PERSISTENT
• Update Techniques
• Low Profile
• 85% Breachs take >5month to discover
3 CONFIDENTIAL – INTERNAL ONLY
Fortinet Confidential

4. Some Statistics on APT
• Different companies targeted
• 50% Large enterprises / Gov
• 20 % Small Businesses
• Targeted Attacks
• 20% target “C levels”
• Sprawling 0-day market
4 CONFIDENTIAL – INTERNAL ONLY
Fortinet Confidential

5. APT strategy
Advanced Persistent Defence
Fight APTs
 Multi-layer defense
 Cut the link anywhere in the
chain
 Antivirus is the core
 Not the silver bullet though
 ―ALL ON‖ is the answer
 Extensive botnet research
 Communication channel
 Even fight internal threats
5 Fortinet Confidential

6. APT history
Cyberwarfare: VoIP and Convergence
Increase Vulnerability
David L. Fraley
By 2005, the United States and other nations will have the ability to
conduct cyberwarfare. The increasing use of Voice over IP and the
converging of voice/data networks is facilitating it.
The aspects of cyberwarfare have been considered for years. Future cyberattacks could
constitute an entire war or an attack type as part of a larger campaign. Cyberwarfare, like any
military operation, has two components — offensive and defensive operations.
The U.S. military complex continues work on Presidential Directive 16, including developing the
rules and tools. The United States is not the only government thinking about cyberattacks. In the
second quarter of 1995, Major General Wang Pufeng of The Chinese Army published a paper,
―The Challenge of Information Warfare.‖ In this paper, Pufeng writes that the information era will
touch off a revolution in military affairs.
6 Fortinet Confidential

7. APT today
7 Fortinet Confidential

8. Generating APT
rename to CV_xx.pdf
8 Fortinet Confidential

9. Example of APT today
9 Fortinet Confidential

10. APT´s Procedure
Step 1: Reconnaissance
Step 2: Spear-phishing attack
Step 3: Establish presence
Step 4: Exploration and Enumeration
Step 5: Steal Data
Step 6: Stay in
10 Fortinet Confidential

11. Crimeware as a Service
Hacking-
Fraud-as-
as-a-
a-
Service
Botnet- Service
as-a-
Service dDoS-as-
a-
Service
Do-it-
CaaS
Yourself
Spyware-
as-a-
Designer-
Service
Malware- Spam-as-
as-a- a-
Service Service
11 Fortinet Confidential

12. AGENDA
•APT 101
FortiOS APT solution
•Other tools
12 Fortinet Confidential

13. Technologies
Signatures
Signatures Behavioral File Analysis
• Detects and blocks Evaluation • Detects zero-day
known malware and • Detects and blocks threats by executing
some variants malware based on codes on emulators to
scoring system of determine malicious
• Highly accurate, low
known malicious activities.
false positives
behaviors or • Resource intensive,
• Requires up-to-date characteristics performance and
signature updates
• Can be used to flag latency impact
• 3rd party validated out suspicious files for
further analysis
13 Fortinet Confidential

14. Technologies
Application Control Botnet IP Reputation DB
•Detects and blocks nearly 50 active •Detects and blocks known Botnet
botnets C&C Communication by matching
•Botnet network activities by against Botnet command blacklisted
examining traffic IPs
• Prevents zombies from data leaks •Stops dial back by infected zombies.
or communicates for instructions
14 Fortinet Confidential

15. AV Engine
File Sample
Local Sandbox
Signature Match Decryption/unpacking Lightweight Emulators
(CPRL/Checksum) System • Good against VM evasion
OS-Independent file
Behavior Analysis Local Sandbox analysis, all file type
• Java Scripts, Flash, PDF
Best against Malware
FortiGate AV Engine 2.0 Injections via (compromised)
web 2.0 applications
Suspicious Pass Blocked
Forward to cloud-based No Further Action File discarded, option to
FortiGuard AV service Quarantine and event logged
15 Fortinet Confidential

16. FortiGuard AV
File Sample
(Manual or auto Submission)
Botnet Servers
VM Sandbox
Blacklist
AV, IPS & Application
Analyst Review
Signatures
FortiGuard Analytics Database Update Service
File Analysis Service
New detection Pass Update
New signature is developed, Alert No Further Action Push/pull/manual updates
to Inform Administrator
16 Fortinet Confidential

17. FortiGuard AV Service
Cloud Based Sandbox
As part of FortiGuard Analytics Service, Enabled on FortiOS (Proxy Based AV)
True VM Environments – test across various OS, patch levels & application versions
• Windows, MAC, Linux
Bayesian Scoring & Classification using detection criteria
• File system, permission/memory/registry modifications
• Network activities, API calls, etc
Test all filetypes:
• Portable Executables (PEs) – DLL, Font files, object codes
• Browsers & OS Scripts
• PDF, Flash etc …
17 Fortinet Confidential

18. Analytics via Forticloud service
•Inspection stats
•Sample scan status
•Time / IP based correlation
18 Fortinet Confidential

19. FortiOS + Analytics
Local Lightweight FortiGuard Botnet IP
Hardware Accelerated Sandboxing
& Code optimized Reputation DB
Behavior / Attribute Based
Real time updated, Heuristic Detection Cloud Based
3rd party validated Sandboxing
Signature DB Application Control –
Botnet Category
In-box AV functions Cloud Based AV Service
19 Fortinet Confidential

20. AGENDA
•APT 101
•FortiOS APT solution
Other tools
20 Fortinet Confidential

21. Client Reputation
Identify
potential …
zero-day
attacks
Reputation by Activity Threat Status
Multiple Scoring Vectors Real Time, Relative,
Drill-down, Correlated
Policy Score
Identification Ranking
Enforcement Computation
21 Fortinet Confidential

22. Client Reputation Example
• View of “Reputation Score” & clickable detail drill-
down
Click for
further drill-
down detail
22 Fortinet Confidential

23. Intercepting Botnets
Botnet C&C
communications
Extension to AV Signature updates
IP/Port list of know C&C servers
Real Time
X IP
Reputation
DB
23 Fortinet Confidential

24. AV enhancements result
FortiOS 5 Delivers:
 25+ VB100 Awards
 VB100 RAP Leaders (#1)
Reactive & Proactive Test
96% Detection Rate!
 100% Detection on ItW
 In the Wild / Reactive
 Intelligence Proxy Combined with
Cloud Analytics
Allows proactive detection for
new viral variants
24 Fortinet Confidential

25. ONE More thing: Sniffer Mode
One-arm Sniffer
Offline Monitoring with Flow based UTM
25 Fortinet Confidential