Over the past several years, our Defence In Depth strategy has been working overtime to keep up with Advanced Persistent Threats and Zero Day Exploits. Firewalls, Intrusion Prevention, URL filtering, and AntiVirus are no longer sufficient to stave off a data breach.
Ask any Military Tactician, and they will tell you that the Defence in Depth strategy is intended to merely slow down an attacker, to buy time, and potentially exhaust the attackers resources. In and of itself, this strategy, given time, will fall.
According to a report by analyst firm Gartner, adding more layers of defense will not necessarily improve protection from targeted threats. What is needed, the analysts say, is the evolution of better security controls.
A new way of thinking needs to be employed... A counter methodology needs to be embedded in the corporate security culture, and tooling needs to be put in place to proactively remediate against today's type of attacks.
RSA: The Malware Factory and Massive Morphing Malware
We've been hearing more and more about Advanced Persistent Threats or Advanced Volatile Threats or just Advanced Threats.. where a Threat Actor (person/agency/government) is intent on getting access to your confidential or sensitive data, and has the time and resources to invest in a calculated exercise to achieve this goal. Malicious tools have evolved to the point where you can automate the build of thousands of variants to piece of malware, and deliver each one to a specific person or machine. No Signature based AntiVirus on the planet would catch a one-off piece of malicious code.
Enter FireEye® with it's Advanced Malware Protection appliances. Established in 2004 as a security research company, they came up with the novel concept of using Virtualization to launch and assess the activity of "payloads" such as email attachments or downloaded files. Any attachment, executable, zip file etc.. is run within a series of sanitized virtual environments, and any unexpected activity would be flagged for analysis. One of the malicious activities identified early on was the "callback" to botnet Command and Control servers.
As a valuable byproduct of the development of this system, FireEye amassed a large database of "known" Threat Actors. This intelligence is then used to block any subsequent activities to those Threat Actors across FireEye's entire customer base.
When installed inline at the Internet landing zone, FireEye (Both Mail and Web) adds a proactive member to your existing reactive firewall, IPS, and URL filters.
From FireEye's report : Less Than Zero: A Survey of Zero-day Attacks in 2013 and What They Say About the Traditional Security Model
“Advanced threats against enterprises today thrive on exploiting the unknown and evading blocking techniques thanks to a growing, global marketplace for selling software vulnerabilities,” said Zheng Bu, vice president of security research, FireEye. “The old security model of tracking known threats and relying on signature-based solutions are simply powerless to stop zero-day threats. The number of zero-day attacks profiled in the paper highlight why organizations need to take a new approach to security by combining next-generation technology with human expertise.”
A methodology first described by Lockheed Martin, the Cyber "Kill Chain" can be used to identify, and proactively mitigate and remediate against these advanced security threats.
(I added the Red Text to show the result of implementing FireEye)
- Reconnaissance - Research, identification and selection of targets, often represented as crawling Internet websites such as conference proceedings and mailing lists for email addresses, social relationships, or information on specific technologies.
- If the reconnaissance is done as a form of phishing exercise, there will likely be links in the email back to a C&C server on the Internet. Any attempt to connect to that network (ie: clicking the link) would be blocked by FireEye and generate an alert to the SIEM.
- Weaponization - Coupling a remote access trojan with an exploit into a deliverable payload, typically by means of an automated tool (weaponizer). Increasingly, client application data files such as Adobe Portable Document Format (PDF) or Microsoft Office documents serve as the weaponized deliverable.
- Email attachments as well as files downloaded from the Internet will be assessed by FireEye (Executed in several virtual sandboxes), and if deemed malicious, will alert the SIEM, block callbacks, and prevent further downloads.
- Delivery - Transmission of the weapon to the targeted environment. The three most prevalent delivery vectors for weaponized payloads by APT actors, as observed by the Lockheed Martin Computer Incident Response Team (LM-CIRT) for the years 2004-2010, are email attachments, websites, and USB removable media.
- As in Weaponization, Email attachments as well as files downloaded from the Internet will be assessed by FireEye (Executed in several virtual sandboxes), and if deemed malicious, will alert the SIEM, block callbacks, and prevent further downloads.
- Exploitation - After the weapon is delivered to victim host, exploitation triggers intruders’ code. Most often, exploitation targets an application or operating system vulnerability, but it could also more simply exploit the users themselves or leverage an operating system feature that auto-executes code.Installation - Installation of a remote access trojan or backdoor on the victim system allows the adversary to maintain persistence inside the environment.
- *IF* a malicious application DOES get installed out of band, ie: from CD or USB drive, any callbacks would be blocked by FireEye, raising an alert in SIEM, and preventing subsequent communication with the C&C and subsequent downloads.
- Host Protection tools on your servers are HIGHLY recommended to prevent installation and execution of any such malicious applications in the first place.
- Installation - Installation of a remote access trojan or backdoor on the victim system allows the adversary to maintain persistence inside the environment.
- Host Protection tools on your servers are HIGHLY recommended to prevent installation and execution of any such malicious applications in the first place.
- Command and Control (C2) - Typically, compromised hosts must beacon outbound to an Internet controller server to establish a C2 channel. APT malware especially requires manual interaction rather than conduct activity automatically. Once the C2 channel establishes, intruders have “hands on the keyboard” access inside the target environment.
- FireEye will block callbacks to the Command and Control, and prevent further downloads.
- Actions on Objectives - Only now, after progressing through the first six phases, can intruders take actions to achieve their original objectives. Typically, this objective is data exfiltration which involves collecting, encrypting and extracting information from the victim environment; violations of data integrity or availability are potential objectives as well. Alternatively, the intruders may only desire access to the initial victim box for use as a hop point to compromise additional systems and move laterally inside the network.
- Malicious code will not be able to exfiltrate data, if callbacks are blocked, and the Command and Control IP addresses are blocked. Again, any attempt to do so, would send alerts to the SIEM while still being blocked.
I am not suggesting that FireEye in and of itself is a full Malware mitigation strategy. I HIGHLY recommend that you also install Host Protection tools on your servers, and run network firewall, Intrusion Prevention, layer two segregation, and Email/URL filtering as well.
With FireEye installed in your internet egress, inspecting both Mail and Web content, you significantly reduce the risk of malware infection and subsequent Data Breach by phishing emails or drive by downloads.
References:
Dell Secureworks: Managed FireEye - Advanced Malware Protection Service
Gartner: Best-Practices-for-Mitigating-Advanced-Persistent-Threats CISCO: Advanced Malware Protection
DarkReading: FireEye Releases Comprehensive Analysis of 2013 Zero-day Attacks; Impact on Security Models
RSA: The Malware Factory and Massive Morphing Malware
http://www.symantec.com/theme.jsp?themeid=apt-infographic-1
Email Security (FireEye EX Series)
FireEye: Cybersecurity's Maginot Line A real World Assessment
FireEye: Advanced Threat Report 2013
FireEye: Multi-Vector Virtual Execution (MVX) engine
http://newsroNSS Labs Ranks Cisco Advanced Malware Protection Among Top Breach Detection Systemsom.cisco.com/press-release-content?articleId=1403242
Paloalto: Advanced Persistent Threats
OWASP: Defense_in_depth
NSA: Defence in Depth
Government of Canada: Mitigation Guidelines for Advanced Persistent Threats
Lockheed Martin: Kill Chain Analysis
RSA: Adversary ROI: Evaluating Security from the Threat Actor’s Perspective
http://www.fireeye.com/blog/technical/malware-research/2014/06/turing-test-in-reverse-new-sandbox-evasion-techniques-seek-human-interaction.html
http://www.csoonline.com/article/2134037/strategic-planning-erm/the-practicality-of-the-cyber-kill-chain-approach-to-security.html
Digital Bread Crumbs: Seven Clues To Identifying Who’s Behind Advanced Cyber Attacks
Microsoft: The evolution of malware and the threat landscape. – a 10-year review
Kaspersky: MALWARE EVOLUTION. THE TOP SECURITY STORIES OF 2013
McAfee Identified an Astounding 200 New Malware Samples Per Minute in 2013
Paloalto: The Modern Malware Review
