CYBERSECURITY'S MAGINOT LINE: A Real-World Assessment of the Defense-in-Depth Model
A Report by FireEye and Mandiant, A FireEye Company
CONTENTS

Executive Summary (p. 3)
Maginot as a Metaphor (p. 4)
    A new age of war (p. 5)
    A History of the Maginot Line (p. 5)
Cybersecurity's Maginot Line (p. 6)
    A view from the front (p. 6)
Real-World Testing (p. 6)
    Diverse geographies and industries (p. 8)
    Deep-dive interviews (p. 8)
Facts From the Frontlines: Test Results (p. 9)
    Inbound exploits and binaries (p. 9)
    Outbound CnC calls (p. 10)
    Peeling the onion, layer by layer (p. 11)
Data Theft: Take Everything but the Kitchen Sink (p. 12)
What Today's Attacks Look Like (p. 13)
    All attacks involve a human attacker (p. 13)
    Today's attacks unfold in stages (p. 14)
    Today's attacks exploit multiple threat vectors (p. 14)
    Today's attacks are stealthy (p. 14)
    Many attacks are tailored (p. 16)
The New Maginot Line (p. 16)
    How today's architecture falls short (p. 16)
    Thinking Outside the Sandbox (p. 17)
Conclusion and Recommendations (p. 18)

Cover: A simplified diagram of turrets deployed as part of France's Maginot Line in the run-up to World War II.

© 2014 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners.
The upshot: It doesn't matter what types of firewall, intrusion prevention system (IPS), Web gateway, sandbox and endpoint systems make up organizations' Maginot Line; attackers are circumventing them all. As this report explains, to protect themselves effectively, organizations need to evolve their security architecture so they do not rely on malware signatures alone. Security teams must be able to see the alerts that matter. And they must complement those with rapid endpoint response expertise to confirm and contain attacks as soon as they appear.

EXECUTIVE SUMMARY

Today, most people know the Maginot Line as one of history's biggest boondoggles. Constructed at a massive cost to the French government in the run-up to World War II, the 940-mile line proved futile in the face of a new style of warfare.

The Maginot Line didn't fail, exactly. In fact, it held up superbly against several direct assaults. But Germany, employing new weapons and a lightning-fast blitzkrieg attack style, simply sidestepped the line and invaded through Belgium.

The IT security industry faces a similar predicament. Organizations spend more than $67 billion on IT security.1 Yet attackers routinely breach those defenses with clever, fast-moving attacks that bypass traditional tools. Like the Maginot Line, the prevailing defense-in-depth security model was conceived to defend against yesterday's threats. As applied today, it leaves organizations all but defenseless against determined attackers.

Just how (in)effective are today's defense-in-depth deployments? Unfortunately, industry testing bodies offer little help for organizations looking to assess their defenses. Controlled laboratory settings rely on samples of known threats and assumptions about cyber attacks, which may be outdated or incomplete. They cannot replicate the unpredictable, constantly evolving nature of real-world attacks.

The only true test of a product is in a real-world setting. That is precisely what this report provides. In this report, we present a first-of-its-kind analysis of real-world data from more than 1,216 organizations in 63 countries across more than 20 industries. It reveals a defense-in-depth security architecture that is deeply flawed.

The data comes from organizations testing FireEye network and email appliances but not yet fully protected by the FireEye platform. These tests provide a unique vantage point to observe other security layers in action because FireEye network appliances sit behind all conventional security defenses.2 Therefore, by definition, any threats observed by FireEye in these tests have passed through all of an organization's other security layers.

Key findings include:

97%: Nearly all (97 percent) organizations had been breached, meaning at least one attacker had bypassed all layers of their defense-in-depth architecture.

1/4: More than a fourth of all organizations experienced events known to be consistent with tools and tactics used by advanced persistent threat (APT) actors.

3/4: Three-fourths of organizations had active command-and-control communications, indicating that attackers had control of the breached systems and were possibly already receiving data from them.

1.6: Even after an organization was breached, attackers attempted to compromise the typical organization more than once per week on average.

1 "Gartner Says Worldwide Security Market to Grow 8.7 Percent in 2013," Gartner press release, June 11, 2013.
2 FireEye appliances, powered by the patented Multi-Vector Virtual Execution (MVX) engine, monitor Web and email traffic that has passed through firewalls, intrusion detection and prevention systems (IDS/IPS), and Web proxies. Rather than relying on binary signatures, the MVX engine analyzes suspicious files and objects executed within a virtual machine environment. So it detects malicious activity that other defense-in-depth layers miss. FireEye appliances also identify command-and-control traffic from malware not stopped by endpoint tools.
MAGINOT AS A METAPHOR

French statesman and World War I leader Georges Clemenceau is often credited with the old adage that generals are always preparing for the last war rather than the next one.3 He never knew how prescient those words would prove.

Figure 1: A map showing Germany's invasion of France in May 1940 (map labels: Belgium, Germany, France). The German army sidestepped the Maginot Line with blitzkrieg-style attacks through Belgium. (Inset) One of the turrets used in the Maginot Line. The turrets were embedded deep underground, leaving only the barrels showing above ground.

3 Valentine Williams. "World of Action." 1938.
A History of the Maginot Line

Just a few years after Clemenceau's death in 1929, France began building the famed Maginot Line, a 940-mile string of deep-earth bunker fortresses, anti-tank obstacles, and barbed-wire entanglements along the Franco-German border.4 Named after France's then-Minister of War, André Maginot, the line was designed to hold off an increasingly hostile Germany, which bristled under the yoke of WWI reparations.

Hailed as the "world's greatest defense system" in a 1931 magazine article detailing its construction,5 the line was a technological marvel (see sidebar, this page).

A new age of war

But it was all for naught. By the time Germany invaded in May 1940, warfare had evolved from WWI trench-style combat to fast-moving blitzkrieg operations. Hitler's army sidestepped the Maginot Line with a lightning-fast push through Belgium that caught French and allied forces off guard.

The French military — which had diverted much of its pre-war spending toward the Maginot Line rather than modern weapons — could not reinforce the Belgian front quickly enough. Crushed on the battlefield, France surrendered less than six weeks later. The lessons the French army had learned as victors in the first World War failed in the face of a new and suddenly unfamiliar conflict.

Sidebar: A battleship built on land

In its time, the Maginot Line was an impressive military feat and one of the most advanced defensive structures the world had ever seen. The 940-mile string of deep-earth bunker fortresses, anti-tank obstacles, and barbed-wire entanglements lined the Franco-German border, with similar defenses running along the Italian border.

Its largest bunkers featured cannons, antitank mortars, and retractable turrets.6 Some bunkers reached more than 30 meters deep, providing ample space for as many as 1,000 troops along with food, water, and other supplies.

An intricate network of underground tunnels — which included an electric railway system — could quickly transfer soldiers and supplies where they would be most needed. Inter-bunker telephone and electric lines included failover connections to withstand German sabotage.7

Surrounding the bunkers were anti-tank ditches, metal obstacles, mines, and small turrets designed to slow any invasion and give the military time to reinforce its other defenses.

The line was like "a battleship built on land," according to General Sir Alan Brooke, a British corps commander who visited the Maginot Line in 1939 and 1940.8 In his diary, he called it "a masterpiece in its way" and "a stroke of genius."9

Impressed as he was, Brooke could not help worrying that France had neglected other parts of its military buildup. "I consider that the French would have done better to invest the money in the shape of mobile defences such as more and better aircraft and more heavy armored divisions rather than to sink all this money into the ground," he wrote in his diary.

The line's "most dangerous aspect," he wrote later, "is the psychological one, a false sense of security is engendered, a feeling of sitting behind an impregnable iron fence…"10 The entry would prove eerily correct.

Indeed, French commanders assumed that, based on their experience in the First World War, the line would give them time to build, test, and produce new advanced weapons if Germany attacked again.11

The Maginot Line performed superbly in direct assaults, holding off and even repelling several attacks. Unfortunately, those attacks were an anticlimax — other divisions of the German army were already marching on Paris. Using lightning-fast blitzkrieg tactics, the army had invaded through Belgium, largely sidestepping the Maginot Line. The French military, which had diverted much of its budget to the line, could not mount an effective defense.

4 William Allcorn. "The Maginot Line 1928-45." August 2003.
5 Modern Mechanics and Inventions. "France Builds World's Greatest Defense System." March 1931.
6 J.E. Kaufmann, H.W. Kaufmann, et al. "The Maginot Line: History and Guide." 2011.
7 Ibid.
8 Alan Brooke (writing as Field Marshal Lord Alanbrooke); Alex Danchev and Daniel Todman (editors). "War Diaries 1939-1945." June 2003.
9 Ibid.
10 Ibid.
11 J.E. Kaufmann, H.W. Kaufmann, et al. "The Maginot Line: History and Guide." 2011.
A view from the front

Using data gathered from more than 1,200 real-world FireEye deployments, this paper explains how attackers are changing tactics, why traditional defenses and testing procedures fall short — and what it means for organizations that rely on them to protect intellectual property, customer data, and more.

Cybersecurity's Maginot Line

Cybersecurity faces a similar transformation. Yesterday's broad scattershot attacks have given way to organized attacks funded by deep-pocketed threat actors who are laser-focused on breaching systems and stealing data.

But like generals still fighting the last war, much of the industry remains stuck in an earlier era. Even as threat actors invent clever new ways to achieve their mission, traditional security vendors, testing bodies and the organizations that rely on them have fixed their gaze on yesterday's tactics. As a result, they leave themselves exposed to new, highly effective tactics of advanced threat actors.

In cybersecurity, as in war, even the best-laid battle plans can fall apart in the face of a creative and powerful adversary. The only true test of a product is in a real-world setting.

FireEye is uniquely situated to provide that real-world assessment. FireEye network and email appliances sit behind all other conventional security measures.12 This means attacks detected by FireEye in these tests have bypassed all of an organization's other security layers.

Real-World Testing

Laboratory testing is inherently flawed. It can only gauge the effectiveness of cyber defenses against threats that are preselected — and therefore known — by the tester. In addition, testing methodologies often reflect faulty assumptions about how real-world attacks unfold. As a result, technologies that seem effective in a controlled lab setting can fail against highly unpredictable real-world threats.

To more accurately gauge the effectiveness of conventional security measures, FireEye analyzed real-time data generated automatically by 1,614 appliances in proof-of-value (PoV) trials among 1,216 organizations across the globe from October 2013 to March 2014. These organizations were testing FireEye network and email appliances but not yet protected by the FireEye platform. This setting offered a unique glimpse into how well traditional security products perform in real-world networks.

12 FireEye appliances, powered by the patented Multi-Vector Virtual Execution (MVX) engine, monitor Web and email traffic that has passed through firewalls, intrusion detection and prevention systems (IDS/IPS), and Web proxies. Rather than relying on binary signatures, the MVX engine analyzes suspicious files and objects executed within a virtual machine environment. So it detects malicious activity that other defense-in-depth layers miss. FireEye appliances also identify command-and-control traffic from malware not stopped by endpoint tools.
Figure 2: Where FireEye sits in the typical defense-in-depth architecture. (Diagram: inbound threats labeled "Non EXE/DLL Malicious Executable Objects," "Watering Hole/Drive-By Attacks," "Polymorphic Web-based Attacks," and "Zero-Day Exploits" pass in turn through Firewall/NGFW, IDS/IPS, Secure Web Gateway, and Antivirus before reaching the FireEye appliance.)

As illustrated in Figure 2, FireEye network and email appliances typically operate behind other security measures. Anything detected by a FireEye appliance, by definition, has passed through all other layers of a defense-in-depth architecture. By monitoring outbound command-and-control (CnC) attempts that went undetected by anti-virus (AV), we were also able to assess AV and other endpoint defenses in these real-world tests.
Diverse geographies and industries

Our sample included results from every region in the world and spanned every major industry. As a result, it reflects a broad range of attackers, techniques, and motives that cannot be replicated in a lab environment.

Deep-dive interviews

In addition to the auto-generated data, we surveyed 348 organizations in our sample to better understand the rest of their cybersecurity infrastructure and get additional context about each component of their existing defense-in-depth architecture.

Tested Organizations by Geography
    North America: 528 (43%)
    Latin America: 38 (3%)
    Europe, Middle East, and Africa: 351 (29%)
    Asia Pacific: 242 (20%)
    Japan: 54 (4%)
    Rest of the World: 3 (less than 1%)

Table 1: The top eight industries represented by concentration.
    Industry                      % of Total
    Financial Services            18%
    Government                    16%
    Chemicals and Manufacturing   7%
    High-Tech                     7%
    Consulting                    7%
    Energy                        6%
    Retail                        5%
    Healthcare                    4%

The implication is clear: no corner of the world is remote enough to avoid falling into attackers' crosshairs, and current defenses are stopping virtually none of them.
FACTS FROM THE FRONTLINES: TEST RESULTS

For this report, we analyzed the data generated from the 1,217 FireEye trial deployments (see note 13) for insight into inbound activity (exploits and binaries) and outbound activity (CnC callbacks). By correlating the survey responses with data generated from those respondents' FireEye appliances, we could gauge how effectively each defense layer performed in a real-world environment.

Inbound exploits and binaries

Over the six-month test period we observed the following:

97%: of organizations were breached.

27%: of organizations experienced events known to be consistent with tools and tactics used by advanced persistent threat (APT) actors.

122: On average, 1.6 exploits and 122 malware droppers passed through other security layers.

In all, the security tools in our tests allowed 208,184 malware downloads. Of those, 124,289 were unique malware variants.14 Of those unique variants, 75 percent were detected in only one environment. This finding reflects the growing flood of unique binaries and suggests that many of them were custom made for a particular attack.

13 One of the 1,216 customers cited earlier tested two FireEye deployments.
14 Multiple binaries of the same malware variant obfuscated with executable compression tools (also known as binary packers) were counted only once.

Outbound CnC calls

Three-fourths of the systems observed in our tests had active CnC sessions taking place. These systems weren't just compromised; they were being actively used by an attacker for activities that could include exfiltrating data.

We saw 10,149,477 CnC transmissions over the six-month test period to 35,415 unique CnC infrastructures, or 360,965 per week.

The CnC traffic flowed just about everywhere in the world, according to first-stage CnC connections logged during our tests. The first-stage CnC server doesn't always point to the source of the attack — many attackers use compromised machines or buy infrastructure in other countries to carry out campaigns. But the number and variety of IP addresses shows the global nature of the problem.

The U.S. is far and away the top destination for CnC traffic in the world. This ranking is likely due to the country's large and pervasive computer culture and the number of attractive targets.

Based on our data, these industry verticals had the highest number of malware callbacks from within their network infrastructures:

1. Higher education
2. Financial services
3. Federal government
4. State and local government
5. High-tech
6. Telecom (including Internet)
7. Chemicals/Manufacturing/Mining
8. Services/Consulting
9. Energy/Utilities/Petroleum
10. Healthcare/Pharmaceuticals

Figure 3: First-stage CnC volume. The U.S. is far and away the top destination for CnC traffic in the world. (Bar chart, "Top 10 CnC destinations," y-axis: unique first-stage CnC callback destinations, 0 to 10,000; countries in descending order: US, DE, KR, CN, RU, NL, GB, FR, CA, UA.)
Education's top ranking is consistent with the 2013 FireEye Advanced Threat Report, which showed that this vertical is frequently targeted. Schools' enticing combination of valuable intellectual property and open network philosophy likely make them prime targets.

Peeling the onion, layer by layer

Isolating the performance of each component of the typical defense-in-depth architecture, we found across-the-board failure — even when multiple layers were working together. Analyzed individually, the most common types of conventional security products experienced at least one breach, leaving systems exposed during our short test period.

We assessed anti-virus tools, which sit below FireEye appliances in most security architectures, by monitoring CnC connections generated by malware that went undetected by AV.

Of the more than 120,000 malware samples identified in our real-world data, more than half had been cataloged in VirusTotal, an online malware repository used by security researchers. Even so, the majority of the AV vendors (the top six) missed 62% of the malware at the time of FireEye detection. And a fourth of the malware wasn't detected by any of those vendors.

Not surprisingly, each layer was heavily represented by the best-known names in cybersecurity. We saw no correlation between efficacy and vendor market share — all of the tools failed.

Table 2: Performance of Defense-In-Depth Security Architecture
    Component             Customers Reporting Using This Security Measure   Breach Rate
    Firewall              212                                               100%
    IDS/IPS               119                                               100%
    Web proxy             138                                               100%
    Network anti-virus    75                                                100%
    Endpoint AV           169                                               100%
    Other anti-malware    33                                                100%
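The correlation the report describes (survey answers joined with alerts from an appliance that sits behind every other layer) is simple enough to reproduce on toy data. The script below is an added example, not code from FireEye or the report: the organization ids, layer names, alert records and the 182-day window are constructed for illustration. It computes a Table 2 style per-layer breach rate, the downloads-versus-unique-variants split, the share of variants seen in only one environment, the endpoint-AV check (outbound CnC from an organization that reports running endpoint AV means the malware ran despite it), and a CnC-per-week rate.

```python
"""Per-layer breach rates and CnC statistics from constructed survey + alert data."""
from collections import defaultdict

# Assumed layer keys for this example; the report names these layers in Table 2.
LAYER_NAMES = {
    "firewall": "Firewall",
    "ids_ips": "IDS/IPS",
    "web_proxy": "Web proxy",
    "network_av": "Network anti-virus",
    "endpoint_av": "Endpoint AV",
}

# Constructed survey: organization id -> layers the respondent reports deploying.
SURVEY = {
    "org-1": {"firewall", "ids_ips", "endpoint_av"},
    "org-2": {"firewall", "web_proxy", "network_av"},
    "org-3": {"firewall", "ids_ips", "web_proxy", "endpoint_av"},
    "org-4": {"firewall", "endpoint_av"},
    "org-5": {"firewall", "ids_ips"},
}

# Constructed appliance alerts: (org, direction, kind, variant label, day offset).
ALERTS = [
    ("org-1", "inbound", "exploit", "var-a", 3),
    ("org-1", "outbound", "cnc", "var-a", 4),
    ("org-2", "inbound", "dropper", "var-b", 10),
    ("org-2", "inbound", "dropper", "var-b", 11),   # same variant downloaded twice
    ("org-3", "inbound", "dropper", "var-c", 12),
    ("org-3", "outbound", "cnc", "var-c", 12),
    ("org-3", "outbound", "cnc", "var-c", 19),
    ("org-4", "inbound", "dropper", "var-b", 30),   # var-b also seen at a second org
    # org-5 produced no alerts during the window
]
TRIAL_DAYS = 182  # assumed six-month window, mirroring the Oct 2013 to Mar 2014 trials


def breached_orgs(alerts):
    """Any alert from the last-in-line appliance means every other layer was passed."""
    return {org for org, *_ in alerts}


def breach_rate_by_layer(survey, alerts):
    """For each reported layer: (respondents running it, % of them breached anyway)."""
    breached = breached_orgs(alerts)
    table = {}
    for key, name in LAYER_NAMES.items():
        users = [org for org, layers in survey.items() if key in layers]
        if not users:
            continue
        hit = sum(1 for org in users if org in breached)
        table[name] = (len(users), round(100 * hit / len(users)))
    return table


def unique_variant_stats(alerts):
    """Downloads vs. unique variants, and the share of variants seen in one org only."""
    inbound = [a for a in alerts if a[1] == "inbound"]
    orgs_per_variant = defaultdict(set)
    for org, _, _, variant, _ in inbound:
        orgs_per_variant[variant].add(org)
    single_env = sum(1 for orgs in orgs_per_variant.values() if len(orgs) == 1)
    return {
        "downloads": len(inbound),
        "unique_variants": len(orgs_per_variant),
        "pct_seen_in_one_env": round(100 * single_env / len(orgs_per_variant)),
    }


def endpoint_av_misses(survey, alerts):
    """Orgs reporting endpoint AV whose hosts still produced outbound CnC traffic."""
    return sorted({org for org, direction, kind, _, _ in alerts
                   if direction == "outbound" and kind == "cnc"
                   and "endpoint_av" in survey.get(org, set())})


def cnc_rate_per_week(alerts, trial_days=TRIAL_DAYS):
    """Average CnC transmissions per week over the trial window."""
    cnc = [a for a in alerts if a[2] == "cnc"]
    return round(len(cnc) / (trial_days / 7), 2)


if __name__ == "__main__":
    for layer, (users, rate) in breach_rate_by_layer(SURVEY, ALERTS).items():
        print(f"{layer:<20} {users:>3} respondents  {rate:>3}% breached")
    print(unique_variant_stats(ALERTS))
    print("endpoint AV missed:", endpoint_av_misses(SURVEY, ALERTS))
    print("CnC per week:", cnc_rate_per_week(ALERTS))
```

The single-environment percentage is the number behind the report's "75 percent were detected in only one environment": a variant counts once per distinct organization, so repeated downloads of the same variant inside one network do not inflate it.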
Vendor distribution in customer surveys
    Vendor     Firewall   Network AV   IDS/IPS   Web Proxy   Endpoint AV
    Vendor A   32%        28%          15%       26%         32%
    Vendor B   24%        26%          14%       21%         24%
    Vendor C   12%        7%           14%       14%         10%
    Vendor D   12%        6%           13%       7%          11%
    Vendor E   9%         5%           10%       6%          9%
    Other      11%        28%          48%       26%         14%

Data Theft: Take Everything but the Kitchen Sink
(excerpted from Mandiant "M-Trends® 2014: Beyond the Breach")

When Mandiant responds to an incident, the first question clients often ask is "why am I a target?" That's often followed by "I don't have anything that anyone would want." Our answer, borne out through many investigations over the past few years, is increasingly, "yes, you do!"

Some nation state threat actors are expanding the scope of their cyber operations. For example, China-based advanced threat actors are keen to acquire data about how businesses operate — not just about how they make their products. We have written in past M-Trends reports that China-based threat actors have expanded their targeting well beyond the defense industrial base. Across numerous industries, we've increasingly observed the Chinese government conduct expansive intrusion campaigns to obtain information to support state-owned enterprises. This translates into data theft that goes far beyond the core intellectual property of a company, to include information about how these businesses work and how executives and key figures make decisions.
WHAT TODAY'S ATTACKS LOOK LIKE

As these results show, today's attackers have evolved their tactics from just a few years ago. Broad, opportunistic, scattershot attacks designed for mischief have been eclipsed by sophisticated attacks that are advanced, targeted, stealthy, and persistent.

This new generation of attacks includes high-end cybercrime and state-sponsored campaigns known as advanced persistent threat (APT) attacks. Although their aims differ, both types of attacks share several key traits.

All attacks involve a human attacker

All cyber attacks involve a human adversary. In many cases they can involve groups of people under the same organizational umbrella, with multiple teams of people assigned to specific tasks as part of a common mission.15

Because attackers are living, breathing people — not pieces of mindless code — they are motivated, organized, and unpredictable.

Today's attacks unfold in stages

Cyber attacks are not a single event. They unfold in multiple coordinated stages, with calculated steps to get in, establish a foothold, surveil the victim's network and steal data.

Here's how a typical attack plays out:

1. External reconnaissance. Attackers typically seek out and analyze potential targets — anyone from senior leaders to administrative staff — to identify persons of interest and tailor their tactics to gain access to target systems. Attackers can even collect personal information from public websites to write convincing spear-phishing email.

2. Initial compromise. In this stage, the attacker gains access to the system. The attacker can use a variety of methods, including well-crafted spear-phishing emails and watering-hole attacks that compromise websites known to draw a sought-after audience.

3. Foothold established. The attackers attempt to obtain domain administrative credentials (usually in encrypted form) from the targeted company and transfer them out of the network. To strengthen their position in the compromised network, intruders often use stealthy malware that avoids detection by host-based and network-based safeguards. For example, the malware may install with system-level privileges by injecting itself into legitimate processes, modifying the registry, or hijacking scheduled services.

4. Internal reconnaissance. In this step, attackers collect information on surrounding infrastructure, trust relationships, and the Windows domain structure. The goal: move laterally within the compromised network to identify valuable data. During this phase attackers typically deploy additional backdoors so they can regain access to a network if they are detected.

5. Mission completed? Once attackers secure a foothold and locate valuable information, they exfiltrate data such as emails, attachments, and files residing on user workstations and file servers. Attackers typically try to retain control of compromised systems, poised to steal the next set of valuable data they come across. To maintain a presence, they often try to cover their tracks to avoid detection.

15 Mandiant. "APT1: Exposing One of China's Cyber Espionage Units." February 2013.
Today's attacks exploit multiple threat vectors

Advanced attacks cut across multiple threat vectors. For example, a phishing email might contain a link to a malicious URL. In another example, a targeted attack in 2013 against a U.S.-based financial institution used a remote administration tool (RAT) that included both Windows and Android components to spy on victims through PCs and phones.16

Many attacks are also multi-flow. Rather than sending a single malicious file to a targeted system — where it might trigger a malware alert — attackers send several files or objects that appear harmless by themselves. When combined, these files and objects reveal their true nature.

For instance, many Web-based attacks comprise multiple downloaded files or objects. These objects often stem from multiple HTTP requests and responses, including redirects, and multiple TCP sessions.

One object might be used for a heap spray. Another object might include a buffer overflow or un-sanitized input to exploit. Another object might defeat OS protections such as address space layout randomization (ASLR) and data execution prevention (DEP). And finally, another downloaded binary might be an image with hidden malicious code that executes only when extracted by another seemingly benign file.

Today's attacks are stealthy

Today's attacks use a variety of stealthy tactics to evade detection and maintain control of compromised systems. Here are just a few of the techniques attackers use to stay under the radar:

• Process injection. As the name implies, this technique involves inserting malicious code into an otherwise benign process. By hijacking legitimate code, attackers disguise the source of the malicious behavior and evade firewalls and other process-focused security tools.

• Process camouflage. In this approach, attackers give their malicious file or object a benign-looking name or one deceptively similar to a known system process or other common process. Svchost.exe and Spoolsv.exe are often spoofed because several copies of these services are typically running and can be easily overlooked.

Figure 4: Stages of an advanced attack. External Recon (identify people, places and things); Initial Compromise (gain initial access into target); Establish Foothold (strengthen position within target); Internal Recon (identify target data); Complete Mission (package and steal target data). The loop from Establish Foothold back through Internal Recon is labeled "Maintain presence" and "Move laterally."

16 Thoufique Haq, Hitesh Dharmdasani, et al. (FireEye). "From Windows to Droids: An Insight into Multi-vector Attack Mechanisms in RATs." March 2014.
Figure 5: How today's advanced cyber attacks match up against conventional IT defense. Characteristics of today's advanced attacks and attempted countermeasures of the typical defense-in-depth architecture:
    Professional Targeted Attacks                              Common IT Security Defense
    Agile, rapid methods                                       Signature based
    Tools and techniques modified to avoid signature defense   Impervious to repeat attacks using methods that match signatures
    Persistent, full-time, paid attackers                      Majority spend in most security budgets

• Executing code from memory. By running only in memory, malicious code can evade malware scans and leaves no trace of itself for digital forensics investigators. This technique was a key part of Operation Ephemeral Hydra, a sophisticated watering-hole attack discovered in November 2013.17

• Trojanizing. To avoid leaving behind a telltale executable file, many attacks instead hijack an existing executable. Security experts often overlook these files. Trojanizing a binary that is loaded on system boot offers the added benefit of persistence.

• File hiding. This technique can be as simple as altering the timestamp of a file to disguise its creation time in relation to a breach.

• Packers. Packers compress and encrypt code to hide the underlying code. The technique creates new binaries that have not yet been identified by signature-based cyber defenses. It also makes reverse-engineering code more difficult.

17 Ned Moran, et al. (FireEye). "Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method." November 2013.
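The process-camouflage bullet above describes spoofing of Svchost.exe and Spoolsv.exe. A host-side check for it is short enough to show in full. The script below is an added example, not FireEye's code: it takes a snapshot of running processes (the snapshot here is constructed) and flags three things: a name that is a near-miss for a common service name, a genuine name running from somewhere other than its expected path, and a genuine name spawned by an unexpected parent. The expected path and parent for each service in BASELINE are assumptions for this example, not an authoritative list, and would be replaced by the baseline of the environment being monitored.

```python
"""Process camouflage check over a constructed process snapshot."""

# Assumed baseline for this example: where each often-spoofed service normally
# runs from and which process normally starts it.
BASELINE = {
    "svchost.exe": {"path": r"c:\windows\system32\svchost.exe", "parent": "services.exe"},
    "spoolsv.exe": {"path": r"c:\windows\system32\spoolsv.exe", "parent": "services.exe"},
}
LOOKALIKE_MAX_DISTANCE = 2  # assumed threshold: up to two edits counts as a near-miss


def edit_distance(a, b):
    """Levenshtein distance, used to catch names such as svch0st.exe or scvhost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_process(proc):
    """Return a list of human-readable findings for one process record."""
    name = proc["name"].lower()
    path = proc["path"].lower()
    parent = proc["parent"].lower()
    findings = []
    if name in BASELINE:
        expected = BASELINE[name]
        if path != expected["path"]:
            findings.append(f"{name} running from unexpected path {proc['path']}")
        if parent != expected["parent"]:
            findings.append(f"{name} spawned by {proc['parent']}, expected {expected['parent']}")
    else:
        for known in BASELINE:
            distance = edit_distance(name, known)
            if 0 < distance <= LOOKALIKE_MAX_DISTANCE:
                findings.append(f"{proc['name']} looks like {known} (edit distance {distance})")
    return findings


def scan(processes):
    """Map pid -> findings for every process that produced at least one finding."""
    results = {}
    for proc in processes:
        findings = check_process(proc)
        if findings:
            results[proc["pid"]] = findings
    return results


# Constructed snapshot: two legitimate services, a lookalike name, a genuine name
# in a user profile directory, a genuine name with the wrong parent, and a benign app.
PROCESSES = [
    {"pid": 700, "name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe", "parent": "services.exe"},
    {"pid": 1304, "name": "spoolsv.exe", "path": r"C:\Windows\System32\spoolsv.exe", "parent": "services.exe"},
    {"pid": 2210, "name": "svch0st.exe", "path": r"C:\Users\Public\svch0st.exe", "parent": "explorer.exe"},
    {"pid": 2544, "name": "svchost.exe", "path": r"C:\Users\alice\AppData\Roaming\svchost.exe", "parent": "explorer.exe"},
    {"pid": 3001, "name": "spoolsv.exe", "path": r"C:\Windows\System32\spoolsv.exe", "parent": "cmd.exe"},
    {"pid": 3100, "name": "notepad.exe", "path": r"C:\Windows\System32\notepad.exe", "parent": "explorer.exe"},
]

if __name__ == "__main__":
    for pid, findings in scan(PROCESSES).items():
        for finding in findings:
            print(f"pid {pid}: {finding}")
```

The path and parent checks are what make the "several copies are running" argument in the bullet stop working in the attacker's favour: every extra svchost.exe copy is still expected to come from the same directory and the same parent, so the one that does not stands out regardless of how many legitimate siblings it hides among.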
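Two of the evasion techniques in the list, file hiding by timestamp alteration and packing, leave measurable traces that a defender can check for. The script below is an added example and not part of the report: it applies two common heuristics, with the thresholds and sample records constructed for illustration. For packers, a compressed or encrypted payload has near-maximal byte entropy, so a section well above the entropy of ordinary code or text is worth a second look. For timestamp alteration on NTFS, the creation time in the $STANDARD_INFORMATION attribute (which ordinary user-mode tools can change) is compared with the one in $FILE_NAME (which they normally cannot); an $SI time earlier than the $FN time, or an $SI time with no sub-second part, is a classic sign. The attribute values here are supplied as plain datetime fields rather than read from a disk image.

```python
"""Entropy heuristic for packed payloads and $SI/$FN heuristic for timestomping."""
import hashlib
import math
from collections import Counter
from datetime import datetime, timezone

PACKED_ENTROPY_THRESHOLD = 7.2  # assumed bits-per-byte cutoff; max possible is 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_packed(data: bytes, threshold: float = PACKED_ENTROPY_THRESHOLD) -> bool:
    """True when the buffer's entropy is at or above the packed/encrypted cutoff."""
    return shannon_entropy(data) >= threshold


def timestamp_findings(record: dict) -> list:
    """Heuristics for an altered creation time on one file record."""
    si, fn = record["si_created"], record["fn_created"]
    findings = []
    if si < fn:
        findings.append("$STANDARD_INFORMATION creation precedes $FILE_NAME creation")
    if si.microsecond == 0 and fn.microsecond != 0:
        findings.append("$STANDARD_INFORMATION creation has no sub-second part")
    return findings


def suspicious_files(records: list) -> list:
    """Records with at least one timestamp finding."""
    return [r for r in records if timestamp_findings(r)]


def pseudo_random_bytes(n: int, seed: bytes = b"example-seed") -> bytes:
    """Deterministic high-entropy filler standing in for a packed section."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed samples: a low-entropy text-like buffer and a high-entropy one.
PLAIN_SAMPLE = b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 60
PACKED_SAMPLE = pseudo_random_bytes(4096)

# Constructed file records; times are the NTFS creation timestamps from the two attributes.
FILE_RECORDS = [
    {   # untouched file: both attributes agree and carry a fractional second
        "path": r"C:\Windows\System32\drivers\etc\hosts",
        "si_created": datetime(2013, 8, 22, 13, 25, 42, 123456, tzinfo=timezone.utc),
        "fn_created": datetime(2013, 8, 22, 13, 25, 42, 123456, tzinfo=timezone.utc),
    },
    {   # backdated file: $SI set to a round, earlier time while $FN keeps the real one
        "path": r"C:\Windows\System32\wuauserv.dll",
        "si_created": datetime(2009, 7, 14, 1, 14, 0, 0, tzinfo=timezone.utc),
        "fn_created": datetime(2014, 2, 3, 11, 22, 33, 456789, tzinfo=timezone.utc),
    },
]

if __name__ == "__main__":
    print(f"plain  entropy {shannon_entropy(PLAIN_SAMPLE):.2f}  packed? {looks_packed(PLAIN_SAMPLE)}")
    print(f"packed entropy {shannon_entropy(PACKED_SAMPLE):.2f}  packed? {looks_packed(PACKED_SAMPLE)}")
    for record in suspicious_files(FILE_RECORDS):
        print(record["path"], timestamp_findings(record))
```

Neither heuristic is a verdict on its own: legitimately compressed resources and installers also score high on entropy, and some backup and deployment tools rewrite $SI times. Both are triage signals that narrow what a responder looks at first.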
Many attacks are tailored

Today's attacks often involve malware tailored to compromise a single target. As explained earlier, 75 percent of unique malware in our samples were detected in only one environment. That is consistent with a comprehensive FireEye analysis of 2013 attacks, which found that 82 percent of malware binaries disappear within an hour. No wonder an executive at AV software giant Symantec recently declared the technology "dead."18

When attackers make the effort to customize an attack for a specific target, they tend to continue attacking until they have achieved their objective.

The New Maginot Line

As our test results show, the Maginot line of cybersecurity is no match for the determined attackers tasked with stealing corporate secrets.

How today's architecture falls short

Today's typical defense-in-depth architecture comprises several discrete layers, including anti-virus software, intrusion-prevention systems (IPS), so-called "next-generation" firewalls, and Web gateways. As our real-world data makes clear, this framework is poorly equipped to combat today's advanced attacks.

First, the individual components are designed to manage a single piece of the security puzzle and are usually not well integrated. An organization may think that it has covered all of the major threat vectors. But without a complete, cohesive view across all attack vectors, today's defense-in-depth model can miss the signs that an attacker has breached their defenses.

A bigger problem is foundational. Most components in the typical security architecture rely on a mix of binary signatures, blacklists, and reputation to identify threats. These approaches might have held off an earlier generation of attacks. But like France's Maginot Line, they are no match against today's threats.

Signatures are ineffective because AV vendors cannot keep up with the deluge of new malware binaries. In many cases, the malware is custom-made for the target, meaning AV vendors will never see it — let alone create a signature for it. Many attacks also exploit zero-day vulnerabilities, which by definition are unknown.

Application blacklists are blind to attacks that use encrypted binaries or hijack legitimate apps and processes. Often, the initial exploit is not an executable file at all. Other reputation-based defenses, like those used in Web gateways and IPS, cannot stop attacks from newly minted URLs or compromised websites serving up drive-by-downloads.

Even sandboxing technology, hailed as a great leap forward for cybersecurity, is flawed in most implementations (see sidebar).

18 Danny Yadron (The Wall Street Journal). "Symantec Develops New Attack on Cyberhacking." May 2014.
Thinking Outside the Sandbox

In a grudging admission that traditional security tools are no longer working, security vendors are scrambling to add dynamic analysis tools, also known as sandboxes, to their portfolio. Even incumbent vendors who have long defended their aging legacy tools have embraced the concept.

Sandboxing remains a nascent technology, and only a handful of the systems in our sample had deployed one. But even in this small set the trend was clear. Every single system with a sandbox was breached.

What is sandboxing?

Instead of relying on signatures, automated dynamic analysis systems observe malware behavior using off the shelf virtual machines (VMs). These walled-off, simulated computer environments allow files to execute without doing any real damage. By watching the files in these virtual sandbox environments, automated analysis systems can flag telltale behavior, such as changes to the operating system or calls to the attacker's CnC servers.

Why most fall short

Many sandboxes are easily detected and evaded. Some analyze files in isolation rather than as part of a coordinated whole. Some myopically focus on a single threat vector. Some fail to emulate complete systems or emulate only a single "golden" image. Some measure only the beginning and end states of a virtual system — missing everything that happens in between.

What to look for in dynamic analysis

To truly protect IT assets, virtual-machine-based analysis must overcome the sandbox-evasion techniques of advanced malware. And when new evasion techniques emerge, vendors must quickly update their tools.

As explained earlier, today's attacks unfold over multiple vectors and multiple data flows. They unfold in multiple coordinated stages, with calculated steps to get in, establish a foothold, surveil the victim's network and steal data.

That means dynamic analysis must analyze files and objects in context and across multiple threat vectors. And they must offer a wide variety of environments to detect targeted malware.

Virtual-machine-based analysis is even more effective when augmented by dynamic, real-time threat intelligence and a full complement of services. With a complete view of attacks within an enterprise, geography, or industry, security teams can better prevent, detect, contain, and resolve advanced attacks.
CONCLUSION AND RECOMMENDATIONS

Despite the billions of dollars organizations pour into traditional security measures every year, attackers are compromising organizations almost at will.

As our data shows, it doesn't matter what vendor or combination of typical defense-in-depth tools an organization has invested in. And it doesn't matter how well these tools performed in lab tests. Real-world attackers are bypassing them all.

In light of this reality, organizations must consider a new approach to securing their IT assets. For many, that shift should include reducing waste on redundant, backward-looking technology and redeploying those resources on defenses designed to find and stop today's advanced attacks.

Brooke, the British General who found the Maginot Line so impressive during his visits before the German invasion, privately worried about the French strategy. He feared, correctly, that the country was spending too much on the bunker defenses and too little on modern equipment and weapons that could adapt to the vagaries of war.

"Millions of money stuck in the ground for a purely static defence," he wrote after one visit to a Maginot bunker. "The total firepower developed by these works bears no relation to the time, work and money spent on their construction."19

Many organizations may be making the same mistake. In our tests, attackers got through organizations' cyber Maginot line at least 97 percent of the time. They compromised more than 1,100 critical systems spanning a wide gamut of geographies and industries. This suggests that thousands upon thousands of organizations around the world may be breached and not even know it.

19 Alan Brooke (writing as Field Marshal Lord Alanbrooke); Alex Danchev and Daniel Todman (editors). "War Diaries 1939-1945." June 2003.
Figure 6 (diagram): Legacy security technologies (Firewall/NGFW, IDS/IPS, Secure Web Gateway, Antivirus) currently receive the majority of security investment; the recommended shift minimizes that spend in favor of Advanced Threat Protection with four properties: 1. Non-signature-based detection; 2. Integrated solutions instead of stove-piped point products; 3. Provide effective actions after a potential breach is detected; 4. Part of an integrated defense community.

Figure 6: Organizations should consider reducing waste on redundant, backward-looking technology and redeploying those resources on defenses designed to find and stop today's advanced attacks.

FireEye recommends the following:

Evolve to a different architecture that is not based on signatures, whitelists, or reputations. Instead, deploy VM-based security solutions that provide full attack coverage and generate high-quality, accurate alerts so you can see the alerts that matter.

Invest in rapid endpoint-response capabilities to validate and contain attacks that get through.

Build (or hire) an incident-response capability to respond when necessary.

Reduce redundant signature-based defense-in-depth layers that don't catch threats and create extra noise. Reinvest those resources in effective VM-based security solutions.
FireEye helps organizations defend themselves against the newest generation of cyber attacks. The combination of our threat prevention platforms, people and intelligence helps eliminate the consequences of security breaches by detecting attacks as they happen, communicating the risk, and equipping you to rapidly resolve security incidents.

FireEye, Inc. | 1440 McCarthy Blvd. Milpitas, CA 95035 | 408.321.6300 | 877.FIREEYE (347.3393) | info@FireEye.com | www.FireEye.com

© 2014 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners. WP.CML.EN-US.052014