Cyber Attacks on Government: How APT Attacks are Compromising Federal Agencies and How to Stop Them

White Paper


FireEye, Inc. Cyber Attacks on Government 2

Contents

Executive Summary 3

The Problem: Federal Agencies are Under Constant Attack—and Existing Defenses Fail to Defend Their Networks 3

Why Traditional Tools Fail to Detect APTs 5

The Multi-Vector, Multi-Stage Nature of Today’s APT Attacks 6

The Requirements: What is Needed to Combat APTs 7

Why Federal Agencies are Choosing FireEye 7

Gain a Cohesive, Correlated View of All Major Threat Vectors—Web, Email, and File Shares 8

Leverage Signature-less, Real-Time Security That Thwarts Zero-Day Attacks 9

Guard Against Malicious Code Installs and Block Callbacks 9

Harness Timely, Actionable Threat Intelligence and Malware Forensics 10

Conclusion 10


Executive Summary

Today, federal agencies are under virtually constant attack, targeted by increasingly sophisticated and well-funded criminals and nation-states. The increasing efficacy of advanced persistent threats (APTs) continues to highlight the inadequacies of traditional signature-based defense mechanisms such as firewalls, IPS, AV, and gateways—and underscore the need for a new layer of defense. This paper outlines how today’s attacks are infiltrating federal agencies, and reveals the capabilities needed to identify and thwart these attacks.

The Problem: Federal Agencies are Under Constant Attack—and Existing Defenses Fail to Defend Their Networks

Today, federal agencies continue to be the victims of coordinated, sophisticated attacks that have proven difficult to defend against.

Federal agencies are increasingly the victims of advanced persistent threats, often consisting of multi-staged, coordinated attacks that feature dynamic malware and targeted spear phishing emails. In fact, in spite of massive investments in IT security infrastructure, on a weekly basis, over 95% of organizations have at least 10 malicious infections bypass existing security mechanisms and enter the network. Further, 80% experience more than 100 new infections each week.1 Every day, mission-critical systems are compromised, and sensitive and classified data is exfiltrated from federal government and civilian networks.

During the course of one year, the United States Computer Emergency Readiness Team (CERT) processed 43,889 incidents involving federal agencies—and that number continues to grow. Over 50% of these incidents are attributed to phishing.2

“We are literally getting hundreds or thousands of attacks every day that try to exploit information in various [U.S.] agencies or departments.”

– Leon Panetta, United States Secretary of Defense

1 FireEye, “FireEye Advanced Threat Report—2H 2011”

2 Government Computer News, “To hackers, government users are phish in a barrel”, Kevin McCaney, March 19, 2012, http://gcn.com/articles/2012/03/19/phishing-goverment-cyber-attacks-us-cert.aspx?s=gcndaily_210312


U.S. Defense Secretary Leon Panetta recently remarked on the severity and scope of the threat: “We are literally getting hundreds or thousands of attacks every day that try to exploit information in various [U.S.] agencies or departments. There are, obviously, growing technology and growing expertise in the use of cyber warfare. The danger is, I think, the capabilities are available in cyber to virtually cripple this nation: to bring down the power grid, to impact on our governmental systems, to impact on Wall Street and our financial system and to literally paralyze this country.”3

The continued perpetration of these attacks presents federal agencies with an immediate and urgent mandate to respond with more advanced, sophisticated defenses. Failure to respond means that classified and sensitive data could be exfiltrated at any time.

Recently, U.S. FBI Director Robert Mueller also echoed the gravity of these concerns: “In the not too distant future, we anticipate that the cyber threat will pose the number one threat to our country. Today, terrorists have not used the Internet to launch a full-scale cyber attack, but we cannot underestimate their intent.”4

3 LaJolla Patch, “When It Comes to Hackers, Be Afraid, Be Very Afraid”, Jeffrey J. Rose, March 7, 2012, http://lajolla.patch.com/articles/when-it-comes-to-hackers-be-afraid-be-very-afraid-b858fdd7

4 LaJolla Patch, “When It Comes to Hackers, Be Afraid, Be Very Afraid”, Jeffrey J. Rose, March 7, 2012, http://lajolla.patch.com/articles/when-it-comes-to-hackers-be-afraid-be-very-afraid-b858fdd7

“In the not too distant future, we anticipate that the cyber threat will pose the number one threat to our country.”

– Robert Mueller, Director of the United States Federal Bureau of Investigation

Figure 1: 450 median net new infections per week at only 1 Gbps

[Chart: x-axis "Infections/Week at Normalized Bandwidth" (logarithmic scale, 10 to 100,000); y-axis "Percentage of Deployments" (0% to 100%); one series at 1 Gbps and one at 5 Gbps. Callouts: "20% of deployments have thousands of infections/week/Gbps"; "Median is about 450 incidents/week/Gbps"; "98.5% of deployments see at least ten infections/week/Gbps".]


Why Traditional Tools Fail to Detect APTs

Why are so many compromises occurring? In large part, it’s because the defenses that many U.S. federal agencies have in place today are ill-equipped to combat today’s APT attacks. While firewalls, next-generation firewalls, IPS, AV, and gateways remain important security defenses, they continue to be proven ineffective at stopping APT attacks.

These technologies rely on approaches like URL blacklists and signatures. By definition, these approaches don’t work against dynamic attacks that exploit zero-day vulnerabilities. If an IPS or AV program doesn’t recognize the signature of a new exploit, it won’t stop it. When highly dynamic malicious URLs are employed, URL blacklists don’t cut it. Quite simply, traditional defenses stop “known” attacks, but are rendered defenseless against “unknown” advanced targeted attacks.

Figure 3: Networks are being compromised as APTs easily bypass traditional signature-based defenses like NGFW, IPS, AV, and gateways

[Diagram: known threats (virus, worm) are stopped by NGFW, IPS, AV, and gateways; APT, targeted, and zero-day attacks, delivered as multi-pronged attacks from both email and Web vectors, pass through.]

Top concerns

What are federal CIOs’ top concerns, the things that keep them awake at night? We asked respondents to name their chief worries. The top 5 are featured in the table below.

Rank  Concern                Percentage of times concern mentioned*
1     Cybersecurity          20%
2     Controlling costs      15%
3     Human capital          12%
4     Central agency policy  10%
5     Mobility                7%
      Others**               37%

* Percentages add up to 101% because of rounding.
** Growth in demand or requirements, shared services, politics, analytics, investment management, specific technologies, change management, leadership.
Source: TechAmerica, “Fiscal Constraints and Future Challenges Driving Innovation at the CIO Level”, May 2012


The Multi-Vector, Multi-Stage Nature of Today’s APT Attacks

APT attacks are often composed of a number of distinct, yet coordinated facets.

These attacks are coordinated and often use multiple attack vectors. They can be delivered through websites or email, they can be blended (for example, email-based attacks that contain malicious URLs), and they can use application and OS exploits.

In addition, these attacks typically include several distinct, yet coordinated stages. The following list provides an overview of the different stages that typically comprise these attacks:

• System exploitation. Leveraging zero-day exploits, sophisticated, targeted spear phishing tactics, or sometimes both, APT attacks can effectively compromise specific systems, which is the critical first step of the campaign.

• Malware download. Once a system has been exploited, the attacker downloads a malicious executable, such as a key logger, Trojan backdoor, password cracker, or file grabber. Just one initial exploit can translate into dozens of infections on the same system.

• Callbacks and control established. Once the malware installs, the attacker has completed the first step toward establishing a control point from within your defenses. The malware, once in place, calls out to criminal servers for further instructions. Malware can also replicate itself and implement disguises in order to avoid detection during scans. Some will turn off AV scanners, reinstall missing components after a cleaning, or lie dormant for days or weeks. Because callbacks originate from within the trusted network, malware communications are allowed through the firewall and various network layers. At this point, the criminal has established long-term control over systems.

• Data exfiltration. Next, data acquired from infected servers is staged for exfiltration. Data can be exfiltrated over any commonly allowed protocol, such as FTP or HTTP. During this process, the criminal may use encryption to disguise the assets being transmitted, and send data to another compromised machine outside the targeted organization, for example at a hosting provider, to further disguise their identities and whereabouts.

• Lateral movement. During this phase, the criminal works to move beyond the system initially exploited, and begins to move laterally within the target organization, accessing additional systems and gaining elevated access to important user, service, and administrative accounts. To do so, they may leverage automated, self-replicating malware to infect multiple network assets.


The Requirements: What is Needed to Combat APTs

To address these attacks, federal agencies need to be able to:

• Detect and stop Web-based and email-based attacks that exploit zero-day vulnerabilities—when they first appear on the network.

• Expose the entire cyber-attack lifecycle by correlating intelligence across various threats and channels.

• Produce complete cyber forensic details of attacks that exploit Web, email, file, or hybrid attack vectors.

Why Federal Agencies are Choosing FireEye

Clearly, federal agencies need a next-generation security system, one that detects and blocks today’s advanced APT attacks. That’s why many of the top agencies are turning to FireEye®. With the FireEye Malware Protection System™ (MPS), federal agencies get the multi-faceted, coordinated defense capabilities they need to guard against the sophisticated APT attacks being waged today. The following sections provide more details on how FireEye delivers on the requirements for effective next-generation threat protection.

Figure 4: Complete protection against advanced targeted attacks for Web, email, and files


Gain a Cohesive, Correlated View of All Major Threat Vectors—Web, Email, and File Shares

With the FireEye MPS, organizations get a real-time correlated view of all the potential threat vectors that cyber criminals use, including:

• Email. Spear phishing emails represent one of the most common approaches for launching an APT attack on federal agencies. The FireEye Email MPS™ can guard against these types of threats, providing real-time analysis of URLs in emails, email attachments, and Web objects to determine whether they are malicious.

• Web. Browser-based threats and malicious communications can take many forms and move across a range of protocols, including FTP, HTTP, and IRC. The FireEye Web MPS™ tracks sites and communications in real time, across these different protocols to thwart APT attacks.

• File Shares. Even if Web and email channels are secured, malicious files can still make it into a corporate network in any number of ways, whether through a USB drive, a mobile device, download from a cloud service, or a host of other means. These malicious files can ultimately be purposely or inadvertently saved to any number of locations throughout an organization, and even lie dormant for a certain period of time, before they exhibit their malicious behavior. The FireEye File MPS™ detects and eliminates malware resident on file shares.

Figure 5: FireEye advanced threat protection architecture

[Diagram components: FireEye Email MPS and Email Gateway; FireEye Web MPS with IPS and Web Gateway; FireEye File MPS; FireEye CMS; Data center; Lateral malware movement. Legend: proactive, real-time defense versus signature-based defenses.]


Most importantly, the FireEye Central Management System™ (CMS) correlates all of this intelligence. For example, to guard against sophisticated spear phishing attacks, security teams need capabilities for discovering a Web-based attack in real time, tracing the initial email that spawned the attack, and then doing the analysis required to determine if others within the organization have been targeted. By providing this kind of correlation, the FireEye CMS can deliver timely, actionable information about current threats and how they can be stopped. Further, the FireEye CMS can inspect across many protocols and throughout the protocol stack, including the network layer, operating systems, applications, browsers, and plug-ins like Flash—enabling federal agencies to effectively defend their networks.
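The correlation described above, tracing a Web alert back to the email that delivered the URL and then finding who else received it, can be illustrated with a small join over two logs. The example below is added here and is not FireEye code or CMS output; the email-gateway and Web-alert line formats, the host and user names, and the URL normalization rule (lower-case scheme and host, query string dropped) are constructed assumptions for illustration.

```python
"""Correlate a Web alert back to the delivering email and list other recipients.

Added example, not FireEye code. Log formats below are constructed and are
assumptions, not any product's real output.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed email-gateway log: timestamp recipient url-seen-in-message
EMAIL_LOG = [
    "2012-05-01T08:02:11Z alice@agency.example http://update-portal.example/doc/report.exe",
    "2012-05-01T08:02:12Z bob@agency.example http://update-portal.example/doc/report.exe",
    "2012-05-01T08:02:13Z carol@agency.example http://intranet.agency.example/news",
    "2012-05-01T08:05:40Z dave@agency.example http://UPDATE-PORTAL.example/doc/report.exe?x=1",
]

# Constructed Web alert from the sandbox layer: timestamp host user url
WEB_ALERT = "2012-05-01T08:17:03Z ws-1127 alice@agency.example http://update-portal.example/doc/report.exe"


@dataclass
class EmailEvent:
    ts: str
    recipient: str
    url: str


def normalize_url(url: str) -> str:
    """Canonical form so case differences and per-recipient tracking query
    strings do not break the join (an assumption for this example)."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"


def parse_email_log(lines):
    events = []
    for line in lines:
        ts, recipient, url = line.split()
        events.append(EmailEvent(ts, recipient, normalize_url(url)))
    return events


def parse_web_alert(line):
    ts, host, user, url = line.split()
    return {"ts": ts, "host": host, "user": user, "url": normalize_url(url)}


def correlate(alert, email_events):
    """Return (origin email event, other recipients of the same URL).

    Only emails delivered before the alert are considered; ISO-8601 UTC
    timestamps compare correctly as strings.
    """
    same_url = [e for e in email_events if e.url == alert["url"] and e.ts <= alert["ts"]]
    origin = next((e for e in same_url if e.recipient == alert["user"]), None)
    others = sorted({e.recipient for e in same_url if e.recipient != alert["user"]})
    return origin, others


if __name__ == "__main__":
    alert = parse_web_alert(WEB_ALERT)
    origin, others = correlate(alert, parse_email_log(EMAIL_LOG))
    print("alert host:", alert["host"])
    print("delivering email:", origin)
    print("other recipients to check:", others)
```

The normalization step is what makes the join useful in practice: an attacker who varies host case or appends a per-target query string would otherwise split one campaign into several unrelated records.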

Leverage Signature-less, Real-Time Security That Thwarts Zero-Day Attacks

The FireEye MPS solution provides dynamic, real-time analysis of network traffic and processes, rather than just comparing bits of code to signatures. This signature-less analysis is critical to detecting and stopping polymorphic malware on the wire as well as malware hosted on dynamic, fast-changing domains.

If suspicious code is detected, the FireEye MPS executes it in an instrumented environment, one in which activities are monitored at every layer in the technology stack, from active memory to browser plug-ins. With this full-fledged testing, the FireEye MPS can irrefutably determine the intention and activities of the attacker, zeroing in on real threats and avoiding false positives and false negatives.

Guard Against Malicious Code Installs and Block Callbacks

To be effective at combating APT attacks, systems must identify whether malware binaries and executables are malicious. Further, resulting callback communications need to be inspected to determine if they are malicious in nature. This must include monitoring outbound host communications over multiple protocols in real time to determine if the transmissions indicate an infected system is on the network. Callbacks need to be identified as malicious based on the unique characteristics of the communication protocols employed, rather than just the destination IP or domain name.

The FireEye MPS addresses all of these key requirements. Once malicious code is flagged, the FireEye MPS blocks its communication ports, IP addresses, and protocols in order to completely halt any dangerous transmissions. When the binary of zero-day malware has been captured, the FireEye MPS gathers and disseminates the information organizations need to block subsequent attacks using that binary.
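Two points made earlier, that URL and domain blacklists miss dynamic, never-seen destinations and that callbacks should be judged by the characteristics of the communication rather than by destination alone, can be shown side by side on the same traffic. The example below is added here and is not FireEye code; the proxy-log format, host names, blocklist contents and the regularity thresholds are constructed assumptions. It flags a flow whose timing and request size are too uniform to be human browsing, which a destination blocklist would not catch.

```python
"""Flag callback (beacon) traffic by the shape of the communication, not by
destination reputation alone.

Added example, not FireEye code. The proxy-log format, thresholds and the
blocklist are constructed assumptions for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound proxy log: epoch_seconds src_host dst_host method req_bytes resp_bytes
PROXY_LOG = """\
1335859200 ws-1127 cdn7-static.example POST 412 31
1335859230 ws-0042 mail.agency.example GET 850 20433
1335859260 ws-1127 cdn7-static.example POST 412 31
1335859290 ws-0042 news.example GET 702 51200
1335859320 ws-1127 cdn7-static.example POST 412 31
1335859380 ws-1127 cdn7-static.example POST 412 31
1335859440 ws-1127 cdn7-static.example POST 412 31
1335859470 ws-0042 mail.agency.example GET 845 19877
1335859500 ws-1127 cdn7-static.example POST 412 31
"""

# Constructed blocklist; the beacon's domain is deliberately absent to show the gap
BLOCKLIST = {"known-bad-c2.example"}


def parse_proxy_log(text):
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, method, req, resp = line.split()
        rows.append({"ts": int(ts), "src": src, "dst": dst, "method": method,
                     "req": int(req), "resp": int(resp)})
    return rows


def blocklist_hits(rows):
    """Destination-only check: returns (src, dst) pairs talking to listed domains."""
    return sorted({(r["src"], r["dst"]) for r in rows if r["dst"] in BLOCKLIST})


def beacon_candidates(rows, min_events=5, max_jitter=0.15, max_size_spread=0.05):
    """Behavioural check: returns (src, dst, period_seconds) for flows whose
    inter-request gaps and request sizes are nearly constant."""
    flows = defaultdict(list)
    for r in rows:
        flows[(r["src"], r["dst"])].append(r)
    found = []
    for (src, dst), events in flows.items():
        if len(events) < min_events:
            continue
        events.sort(key=lambda r: r["ts"])
        gaps = [b["ts"] - a["ts"] for a, b in zip(events, events[1:])]
        sizes = [r["req"] for r in events]
        period = mean(gaps)
        if period == 0:
            continue
        jitter = pstdev(gaps) / period            # relative timing variation
        size_spread = pstdev(sizes) / mean(sizes)  # relative request-size variation
        if jitter <= max_jitter and size_spread <= max_size_spread:
            found.append((src, dst, round(period)))
    return found


if __name__ == "__main__":
    rows = parse_proxy_log(PROXY_LOG)
    print("blocklist hits:", blocklist_hits(rows))
    print("beacon candidates:", beacon_candidates(rows))
```

On this sample the blocklist returns nothing, while the behavioural check surfaces the 60-second POST cadence from ws-1127. Real beacons often add jitter, so the thresholds are tunable; the point is that the decision rests on protocol behaviour, which the attacker cannot change as cheaply as a domain name.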


Harness Timely, Actionable Threat Intelligence and Malware Forensics

Once malicious code has been analyzed in detail, the FireEye MPS helps ensure that the information gathered is fully leveraged. With the FireEye MPS, organizations can leverage this information for a number of purposes:

• Security analysts can use the fingerprint of the malicious code to identify and remediate compromised systems and prevent the infection from spreading.

• Forensics researchers can individually run files through automated offline tests to confirm and dissect malicious code.

• Information can be shared through unified intelligence systems that keep other experts and organizations current. The FireEye Malware Protection Cloud™ network provides real-time global exchange of threat intelligence, enabling efficient sharing of information on new threats.
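The first item above, using the fingerprint of analyzed code to locate and remediate other copies, is illustrated below with a sweep over a file share. This is an added example, not FireEye code; the share is an in-memory mapping of path to bytes, the sample bytes are harmless placeholders, and the choice of a byte run carved from the sample (to catch padded variants whose hash differs) is an assumption that goes slightly beyond the exact-hash match the text describes.

```python
"""Sweep a file share for copies of an analyzed sample, by exact hash and by
a carved byte pattern for padded variants.

Added example, not FireEye code. The share, the sample bytes and the carving
offsets are constructed for illustration.
"""
import hashlib

# Constructed stand-in for an analyzed binary (placeholder bytes, not malware)
SAMPLE = b"MZ\x90\x00" + b"PLACEHOLDER-DROPPER-BODY" * 8

# Constructed share: an identical copy, a padded variant, and benign files
SHARE = {
    r"\\fs01\public\report.exe": SAMPLE,
    r"\\fs01\hr\invoice.scr": SAMPLE + b"\x00" * 16,
    r"\\fs02\eng\notes.txt": b"quarterly numbers attached",
    r"\\fs02\eng\tool.exe": b"MZ\x90\x00" + b"legit-utility" * 20,
}


def fingerprint(data: bytes) -> str:
    """SHA-256 hex digest used as the exact-match fingerprint."""
    return hashlib.sha256(data).hexdigest()


def carve_pattern(data: bytes, offset: int = 4, length: int = 24) -> bytes:
    """Take a distinctive byte run from the analyzed sample so variants that
    differ only by appended padding are still found. Offset and length are
    assumptions chosen for this constructed sample."""
    return data[offset:offset + length]


def sweep(share, sample):
    """Return {path: 'exact-hash' | 'pattern'} for every file matching the sample."""
    exact = fingerprint(sample)
    pattern = carve_pattern(sample)
    findings = {}
    for path, content in share.items():
        if fingerprint(content) == exact:
            findings[path] = "exact-hash"
        elif pattern in content:
            findings[path] = "pattern"
    return findings


if __name__ == "__main__":
    for path, how in sweep(SHARE, SAMPLE).items():
        print(f"{how:10s} {path}")
```

An exact hash is the cheapest indicator to share with other teams, but the padded variant shows why a second, content-based fingerprint is worth distributing alongside it.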

Conclusion

Today’s APT attacks represent an immediate and dire threat to today’s federal agencies. Unless they deploy additional safeguards that effectively thwart these sophisticated attacks, agencies will increasingly run the risk of devastating breaches that result in the compromise of confidential and classified information. By providing real-time, coordinated security capabilities that thwart today’s APT attacks, the FireEye MPS enables federal agencies to ensure they safeguard their sensitive assets and remain compliant with internal security policies and regulatory mandates.


FireEye, Inc. | 1390 McCarthy Blvd. Milpitas, CA 95035 | 408.321.6300 | 877.FIREEYE (347.3393) | [email protected] | www.fireeye.com

© 2012 FireEye, Inc. All rights reserved. FireEye is a trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners. – WP.FED.052012

About FireEye

FireEye is the leader in stopping advanced targeted attacks that use advanced malware, zero-day exploits, and APT tactics. FireEye’s solutions supplement traditional and next-generation firewalls, IPS, AV, and gateways, which cannot stop advanced threats, leaving security holes in networks. FireEye offers the industry’s only solution that detects and blocks attacks across both Web and email threat vectors as well as latent malware resident on file shares. It addresses all stages of an attack lifecycle with a signature-less engine utilizing stateful attack analysis to detect zero-day threats. Based in Milpitas, California, FireEye is backed by premier financial partners including Sequoia Capital, Norwest Venture Partners, and Juniper Networks.