CYBERSECURITY'S MAGINOT LINE: A Real-World Assessment of the Defense-in-Depth Model

 
CYBERSECURITY’S
MAGINOT LINE:
A Real-World Assessment
of the Defense-in-Depth Model
A Report by FireEye and Mandiant, A FireEye Company
Cybersecurity’s Maginot Line: A Real-world Assessment of the Defense-in-Depth Model

CONTENTS
Executive Summary.......................................................................................................... 3               Peeling the onion, layer by layer.................................................. 11

                                                                                                                                    		Data Theft:
                                                                                                                                    		 Take Everything but the Kitchen Sink....................... 12
Maginot as a Metaphor.......................................................................................... 4
                                                                                                                                    What Today’s Attacks Look Like............................................................... 13
         A new age of war..................................................................................................... 5
                                                                                                                                            All attacks involve a human attacker..................................... 13
		A History of the Maginot Line.................................................. 5
                                                                                                                                            Today’s attacks unfold in stages ................................................ 14
         Cybersecurity’s Maginot Line............................................................... 6
                                                                                                                                            Today’s attacks exploit multiple threat vectors...... 14
         A view from the front.......................................................................................... 6
                                                                                                                                            Today’s attacks are stealthy................................................................ 14
Real-World Testing............................................................................................................. 6
                                                                                                                                            Many attacks are tailored........................................................................ 16
         Diverse geographies and industries........................................... 8
                                                                                                                                    The New Maginot Line............................................................................................. 16
         Deep-dive interviews......................................................................................... 8
                                                                                                                                            How today’s architecture
                                                                                                                                            falls short......................................................................................................................... 16

Facts From the Frontlines: Test Results.................................... 9                                                       		Thinking Outside the Sandbox........................................... 17

         Inbound exploits and binaries.............................................................. 9

         Outbound CnC calls....................................................................................... 10               Conclusion and Recommendations............................................. 18

Cover: A simplified diagram of turrets deployed as part of France’s Maginot
Line in the run-up to World War II.

© 2014 FireEye, Inc. All rights reserved. FireEye is a registered trademark of
FireEye, Inc. All other brands, products, or service names are or may be
trademarks or service marks of their respective owners.

2 www.fireeye.com
REPORT

       The upshot:

      It doesn’t matter what types of firewall,              As this report explains, to protect                   And they must complement those with
      intrusion prevention system (IPS),                     themselves effectively, organizations                 rapid endpoint response expertise to
      Web gateway, sandbox and endpoint                      need to evolve their security architecture            confirm and contain attacks as soon as
      systems make up organizations’                         so they do not rely on malware                        they appear.
      Maginot Line; attackers are                            signatures alone. Security teams must
      circumventing them all.                                be able to see the alerts that matter.

Executive summary                                          bypass traditional tools. Like the Maginot                 this report provides. In this report, we
Today, most people know the Maginot                        Line, the prevailing defense-in-depth                      present a first-of-its-kind analysis of
Line as one of history’s biggest                           security model was conceived to defend                     real-world data from more than 1,216
boondoggles. Constructed at a massive                      against yesterday’s threats. As applied                    organizations in 63 countries across
cost to the French government in the                       today, it leaves organizations all but                     more than 20 industries. It reveals a
run-up to World War II, the 940-mile                       defenseless against determined attackers.                  defense-in-depth security architecture
line proved futile in the face of a new                                                                               that is deeply flawed.
style of warfare.                                          Just how (in)effective are today’s defense-
                                                           in-depth deployments? Unfortunately,                       The data comes from organizations
The Maginot Line didn’t fail, exactly.                     industry testing bodies offer little help                  testing FireEye network and email
In fact, it held up superbly against several               for organizations looking to assess their                  appliances but not yet fully protected
direct assaults. But Germany, employing                    defenses. Controlled laboratory settings                   by the FireEye platform. These tests
new weapons and a lightning-fast                           rely on samples of known threats and                       provide a unique vantage point to
blitzkrieg attack style, simply sidestepped                assumptions about cyber attacks, which                     observe other security layers in action
the line and invaded through Belgium.                      may be outdated or incomplete. They                        because FireEye network appliances
                                                           cannot replicate the unpredictable,                        sit behind all conventional security
The IT security industry faces a similar                   constantly evolving nature of real-                        defenses.2 Therefore, by definition, any
predicament. Organizations spend more                      world attacks.                                             threats observed by FireEye in these
than $67 billion on IT security.1 Yet                                                                                 tests have passed through all of an
attackers routinely breach those defenses                  The only true test of a product is in a                    organization’s other security layers.
with clever, fast-moving attacks that                      real-world setting. That is precisely what

Key findings include:

97%
Nearly all (97 percent)
                                             1/4
                                             More than a fourth of all
                                                                                         3/4
                                                                                         Three-fourths of
                                                                                                                                    1.6
                                                                                                                                    Even after an organization
organizations had been                       organizations experienced                   organizations had active                   was breached, attackers
breached, meaning at least                   events known to be                          command-and-control                        attempted to compromise
one attacker had bypassed                    consistent with tools and                   communications, indicating                 the typical organization
all layers of their defense-in               tactics used by advanced                    that attackers had control of              more than once per week
depth architecture.                          persistent threat (APT) actors.             the breached systems and                   on average.
                                                                                         were possibly already
                                                                                         receiving data from them.

1
    “Gartner Says Worldwide Security Market to Grow 8.7 Percent in 2013,” Gartner press release, June 11 2013.
2
    FireEye appliances powered by the patented Multi-Vector Virtual Execution (MVX) engine, monitor Web and email traffic that has passed through firewalls, intrusion
    detection and prevention systems (IDS/IPS), and Web proxies. Rather than relying on binary signatures, the MVX engine analyzes suspicious files and objects
    executed within a virtual machine environment. So it detects malicious activity that other defense-in-depth layers miss. FireEye appliances also identify command-
    and-control traffic from malware not stopped by endpoint tools.

3 www.fireeye.com
Cybersecurity’s Maginot Line: A Real-world Assessment of the Defense-in-Depth Model

MAGINOT AS
A METAPHOR
french statesman and world war i leader georges
Clemenceau is often credited with the old adage that generals
are always preparing for the last war rather than the next one.3
He never knew how prescient those words would prove.

                                                            BELGIUM                   GERMANY

                                                        FRANCE
                                                                                            The lessons the French army
                                                                                            had learned as victors in the
                                                                                            first World War failed in the
                                                                                            face of a new and suddenly
                                                                                            unfamiliar conflict.

Figure 1: A map showing Germany’s invasion of France in May 1940. The German army sidestepped with
Maginot Line with blitzkrieg-style attacks through Belgium. (Inset) One of the turrets used in the Maginot line.
The turrets were embedded deep underground, leaving only the barrels showing above ground.

3
    Valentine Williams. “World of Action.” 1938.

4 www.fireeye.com
REPORT

                                                           A History of the
                                                           Maginot Line
Just a few years after Clemenceau’s
death in 1929, France began building                         In its time, the Maginot Line was an                  Impressed as he was, Brooke could not
the famed Maginot Line, a 940-                               impressive military feat and one of the               help worrying that France had neglected
mile string of deep-earth bunker                             most advanced defensive structures                    other parts of its military buildup.
fortresses, anti-tank obstacles, and                         the world had ever seen.
barbed-wire entanglements along                                                                                    “I consider that the French would have
the Franco-German border.4 Named                             The 940-mile string of deep-earth bunker              done better to invest the money in the
after France’s then-Minister of War,                         fortresses, anti-tank obstacles, and                  shape of mobile defences such as
André Maginot, the line was designed                         barbed-wire entanglements lined the                   more and better aircraft and more
to hold off an increasingly hostile                          Franco-German border, with similar                    heavy armored divisions rather than
Germany, which bristled under                                defenses running along the Italian border.            to sink all this money into the ground,”
the yoke of WWI reparations.                                                                                       he wrote in his diary.
                                                             Its largest bunkers featured cannons,
                                                             antitank mortars, and retractable                     The line’s “most dangerous aspect,”
Hailed as the “world’s greatest defense                      turrets.6 Some bunkers reached                        he wrote later, “is the psychological
system” in a 1931 magazine article                           more than 30 meters deep, providing                   one, a false sense of security is
detailing its construction,5 the line was                    ample space for as many as 1,000                      engendered, a feeling of sitting behind
a technological marvel (see sidebar,                         troops along with food, water, and                    an impregnable iron fence…”10
this page).                                                  other supplies.                                       The entry would prove eerily correct.
A new age of war                                             An intricate network of underground                   Indeed, French commanders assumed
                                                             tunnels — which included an electric
But it was all for naught. By the time                                                                             that, based on their experience in the
                                                             railway system — could quickly
Germany invaded in May 1940, warfare                                                                               First World War, the line would give
                                                             transfer soldiers and supplies where
had evolved from WWI trench-style                                                                                  them time to build, test, and produce
                                                             they would be most needed. Inter-
combat to fast-moving blitzkrieg                                                                                   new advanced weapons if Germany
                                                             bunker telephone and electric lines
operations. Hitler’s army sidestepped                                                                              attacked again.11
                                                             included failover connections to
the Maginot Line with a lightning-fast                                                                             The Maginot Line performed superbly
                                                             withstand German sabotage.7
push through Belgium that caught                                                                                   in direct assaults, holding off and even
French and allied forces off guard.                          Surrounding the bunkers were                          repelling several attacks. Unfortunately,
                                                             anti-tank ditches, metal obstacles,                   those attacks were an anticlimax —
The French military — which had                              mines, and small turrets deigned to                   other divisions of the German army
diverted much of its pre-war spending                        slow any invasion and give the military               were already marching on Paris. Using
toward the Maginot Line rather                               time to reinforce its other defenses.                 lightning-fast blitzkrieg tactics, the
than modern weapons — could not                              The line was like “a battleship built on              army had invaded through Belgium,
reinforce the Belgian front quickly                          land,” according to General Sir Alan                  largely sidestepping the Maginot Line.
enough. Crushed on the battlefield,                          Brooke, a British corps commander
France surrendered less than six weeks                                                                             The French military, which had diverted
                                                             who visited the Maginot Line in 1939
later. The lessons the French army                                                                                 much of its budget to the line, could
                                                             and 1940.8 In his diary, he called it “a
had learned as victors in the first                                                                                not mount an effective defense.
                                                             masterpiece in its way” and “a stroke
World War failed in the face of a new                        of genius.”9
and suddenly unfamiliar conflict.

4
   William Allcorn. “The Maginot Line 1928-45.” August 2003.
5
   Modern Mechanics and Inventions. “France Builds World’s Greatest Defense System.” March 1931.
6
   J.E. Kaufmann, H.W. Kaufmann, et al. “The Maginot Line: History and Guide.” 2011.
7
   Ibid.
8
   Alan Brooke (writing as Field Marshal Lord Alanbrooke); Alex Danchev and Daniel Todman (editors). “War Diaries 1939-1945.” June 2003.
9
   Ibid.
10
   Ibid.
11
   J.E. Kaufmann, H.W. Kaufmann, et al. “The Maginot Line: History and Guide.” 2011.

5 www.fireeye.com
Cybersecurity’s Maginot Line: A Real-world Assessment of the Defense-in-Depth Model

                                                                                                                       A view from the front
          Using data gathered from more than 1,200 real-world                                                          FireEye is uniquely situated to provide that
          FireEye deployments, this paper explains how attackers                                                       real-world assessment. FireEye network
                                                                                                                       and email appliances sit behind all other
          are changing tactics, why traditional defenses and                                                           conventional security measures.12 This
          testing procedures fall short — and what it means for                                                        means attacks detected by FireEye
                                                                                                                       in these tests have bypassed all of an
          organizations that rely on them to protect intellectual                                                      organization’s other security layers.
          property, customer data, and more.
                                                                                                                       Using data gathered from more than
                                                                                                                       1,200 real-world FireEye deployments,
                                                                                                                       this paper explains how attackers are
                                                             Cybersecurity’s Maginot Line                              changing tactics, why traditional defenses
                                                             Cybersecurity faces a similar                             and testing procedures fall short — and
                                                             transformation. Yesterday’s broad                         what it means for organizations that rely
                                                             scattershot attacks have given way                        on them to protect intellectual property,
                                                             to organized attacks funded by                            customer data, and more.
                                                             deep-pocketed threat actors who
                                                             are laser-focused on breaching
                                                             systems and stealing data.                                Real-World Testing
                                                                                                                       Laboratory testing is inherently flawed. It
                                                             But like generals still fighting the last                 can only gauge the effectiveness of cyber
                                                             war, much of the industry remains stuck                   defenses against threats that are preselected
                                                             in an earlier era. Even as threat actors                  — and therefore known — by the tester.
                                                             invent clever new ways to achieve their                   In addition, testing methodologies often
                                                             mission, traditional security vendors,                    reflect faulty assumptions about how
                                                             testing bodies and the organizations                      real-world attacks unfold. As a result,
                                                             that rely on them have fixed their gaze                   technologies that seem effective in a
                                                             on yesterday’s tactics. As a result, they                 controlled lab setting can fail against
                                                             leave themselves exposed to new highly                    unpredictable real-world threats.
                                                             effective tactics of advanced threat actors.
                                                                                                                       To more accurately gauge the
                                                             In cybersecurity, as in war, even the best-               effectiveness of conventional security
                                                             laid battle plans can fall apart in the face              measures, FireEye analyzed real-time
                                                             of a creative and powerful adversary. The                 data generated automatically by 1,614
                                                             only true test of a product is in a real-                 appliances in proof-of-value (PoV) trials
                                                             world setting.                                            among 1,216 organizations across the
                                                                                                                       globe from October 2013 to March
                                                                                                                       2014. These organizations were testing
                                                                                                                       FireEye network and email appliances
                                                                                                                       but not yet protected by the FireEye
                                                                                                                       platform. This setting offered a unique
                                                                                                                       glimpse into how well traditional security
                                                                                                                       products perform in real-world networks.

12
     FireEye appliances powered by the patented Multi-Vector Virtual Execution (MVX) engine, monitor Web and email traffic that has passed through firewalls, intrusion
     detection and prevention systems (IDS/IPS), and Web proxies. Rather than relying on binary signatures, the MVX engine analyzes suspicious files and objects
     executed within a virtual machine environment. So it detects malicious activity that other defense-in-depth layers miss. FireEye appliances also identify command-and-
     control traffic from malware not stopped by endpoint tools

6 www.fireeye.com
REPORT

                                       NON EXE/DLL Malicious Executable Objects

                                                Watering Hole/Drive-By Attacks

                                     Firewall/NGFW           IDS/IPS           Secure Web                   Antivirus
                                                                                Gateway

                                               Polymorphic Web-based Attacks

                                                       Zero-Day Exploits

                               Figure 2: Where FireEye sits in the typical defense-in-depth architecture.

As illustrated in [Figure 2], FireEye
network and email appliances typically             FireEye analyzed real-time data generated
operate behind other security measures.
Anything detected by a FireEye                     automatically by 1,614 appliances in
appliance, by definition, has passed
through all other layers of a defense-             proof-of-value (PoV) trials among 1,216
in-depth architecture. By monitoring
outbound command-and-control                       organizations across the globe from
(CnC) attempts that went undetected                October 2013 to March 2014.
by anti-virus (AV) we were also able to
assess AV and other endpoint defenses
in these real-world tests.

7 www.fireeye.com
Cybersecurity’s Maginot Line: A Real-world Assessment of the Defense-in-Depth Model

Tested Organizations by Geography                                                         Diverse geographies and
                                                                                          industries
                                                                                          Our sample included results from every
                                                                                          region in the world and spanned every
                                        28%                                               major industry. As a result, it reflects a
                                                                                          broad range of attackers, techniques,
                                                            3%                            and motives that cannot be replicated in
                                                                 1%                       a lab environment.

                                                                                          Deep-dive interviews
                                                                                          In addition to the auto-generated data,
                                                                 20%                      we surveyed 348 organizations in our
                                                                                          sample to better understand the rest
                                                                                          of their cybersecurity infrastructure
                              43%                           4%                            and get additional context about each
                                                                                          component of their existing defense-in-
                                                                                          depth architecture.

         North America                                      528               (43%)
         Latin America                                      38                (3%)
         Europe, Middle East, and Africa                    351               (29%)
         Asia Pacific                                       242               (20%)
         Japan                                              54                (4%)
         Rest of the World:                                 3            (less than 1%)

Table 1: The top eight industries represented by concentration.

Industry                                                                   % of Total
                                                                                          The implication is clear: no
Financial Services                                                            18%
                                                                                          corner of the world is remote
Government                                                                    16%
Chemicals and Manufacturing                                                    7%
                                                                                          enough to avoid falling into
High-Tech                                                                      7%         attackers’ crosshairs, and
Consulting                                                                     7%         current defenses are stopping
Energy                                                                         6%         virtually none of them.
Retail                                                                         5%
Healthcare                                                                     4%

8 www.fireeye.com
REPORT

FACTS FROM
THE FRONTLINES:
TEST RESULTS
                                                                 Three-fourths of the systems observed in our tests
For this report, we analyzed the data                            had active CnC sessions taking place. These systems
generated from the 1,21713 FireEye trial
deployments for insight into inbound                             weren’t just compromised; they were being actively
activity (exploits and binaries) and                             used by an attacker for activities that could include
outbound activity (CnC callbacks). By
correlating the survey responses with                            exfiltrating data.
data generated from those respondents’
FireEye appliances, we could gauge how
effective each defense layer performed in
a real-world environment.                                  The implication is clear: no corner of                   In all, the security tools in our tests
                                                           the world is remote enough to avoid                      allowed 208,184 malware downloads.
Inbound exploits and binaries                              falling into attackers’ crosshairs, and                  Of those, 124,289 were unique malware
Over the six-month test period we                          current defenses are stopping virtually                  variants.14 Of those unique variants,
observed the following:                                    none of them.                                            75 percent were detected in only one

97%                                                        27%                                                      122
of organizations were breached                             of organizations experienced events                      On average, 1.6 exploits and 122
                                                           known to be consistent with tools and                    malware droppers passed through
                                                           tactics used by advanced persistent                      other security layers.
                                                           threat (APT) actors.

13
     One of the 1,216 customers cited earlier tested two FireEye deployments.
14
     Multiple binaries of the same malware variant obfuscated with executable compression tools (also known as binary packers) were counted only once.

9 www.fireeye.com
Cybersecurity’s Maginot Line: A Real-world Assessment of the Defense-in-Depth Model

                                                                                          environment. This finding reflects the          infrastructure in other countries to carry
                                                                                          growing flood of unique binaries and            out campaigns. But the number and
                                                                                          suggests that many of them were custom          variety of IP addresses shows the global
                                                                                          made for a particular attack.                   nature of the problem.

                                                                                          Outbound CnC calls                              The U.S. is far and away the top
                                                                                          Three-fourths of the systems observed           destination for CnC traffic in the world.
                                                                                          in our tests had active CnC sessions            This ranking is likely due to the country’s
                                                                                          taking place. These systems weren’t just        large and pervasive computer culture and
                                                                                          compromised; they were being actively           the number of attractive targets.
                                                                                          used by an attacker for activities that
                                                                                          could include exfiltrating data.                Based on our data, these industry
                                                                                                                                          verticals had the highest number of
                                                                                          We saw 10,149,477 CnC transmissions             malware callbacks from within their
                                                                                          over the six-month test period to 35,415        network infrastructures:
                                                                                          unique CnC infrastructures, or 360,965
                                                                                          per week.                                       1.    Higher education
                                                                                                                                          2.    Financial services
                                                                                          The CnC traffic flowed just about               3.    Federal government
                                                                                          everywhere in the world, according              4.    State and local government
                                                                                          to first-stage CnC connections logged           5.    High-tech
                                                                                          during our tests. The first-stage CnC           6.    Telecom (including Internet)
                                                                                          server doesn’t always point to the              7.    Chemicals/Manufacturing/Mining
                                                                                          source of the attack — many attackers           8.    Services/Consulting
                                                                                          use compromised machines or buy                 9.    Energy/Utilities/Petroleum
                                                                                                                                          10.   Healthcare/Pharmaceuticals

                                               10,000
                                                                                               Top 10 CnC destinations
Unique first-stage CnC callback destinations

                                                9,000

                                                8,000

                                               7,000

                                                6,000

                                                5,000

                                                4,000

                                               3,000

                                               2,000

                                               1,000

                                                             US          DE          KR          CN          RU          NL          GB            FR          CA           UA

                                                        Figure 3: First-stage CnC volume. The U.S. is far and away the top destination for CnC traffic in the world.

10 www.fireeye.com
REPORT

Education’s top ranking is consistent
with the 2013 FireEye Advanced Threat            Not surprisingly, each layer was heavily represented by
Report, which showed that this vertical          the best-known names in cybersecurity. We saw no
is frequently targeted. Schools’ enticing
combination of valuable intellectual             correlation between efficacy and vendor market share —
property and open network philosophy             all of the tools failed.
likely make them prime targets.

Peeling the onion, layer by layer            Of the more than 120,000 malware
Isolating the performance of each            samples identified in our real-world data,
component of the typical defense-in-depth    more than half had been cataloged in
architecture, we found across-the-board      VirusTotal, an online malware repository
failure — even when multiple layers were     used by security researchers. Even so, the
working together. Analyzed individually,     majority of the AV vendors (the top six)
the most common types of conventional        missed 62% of the malware at the time
security products experienced at least one   of FireEye detection. And a fourth of
breach, leaving systems exposed during       the malware wasn’t detected by any of
our short test period.                       those vendors.

We assessed anti-virus tools, which          Not surprisingly, each layer was heavily
sit below FireEye appliances in most         represented by the best-known names
security architectures, by monitoring        in cybersecurity. We saw no correlation
CnC connections generated by                 between efficacy and vendor market
malware that went undetected by AV.          share — all of the tools failed.

 Table 2: Performance of Defense-In-Depth Security Architecture

 Component                       Customers That Reporting Using This Security Measure        Breach Rate
 Firewall                                                     212                               100%
 IDS/IPS                                                      119                               100%
 Web proxy                                                    138                               100%
 Network anti-virus                                            75                               100%
 Endpoint AV                                                  169                               100%
 Other anti-malware                                            33                               100%

11 www.fireeye.com
Cybersecurity’s Maginot Line: A Real-world Assessment of the Defense-in-Depth Model

Vendor distribution in customer surveys
Firewall                     Network AV                   IDS/IPS                     Web Proxy                  Endpoint AV

  Vendor A           32%       Vendor A           28%        Vendor A          15%     Vendor A           26%      Vendor A            32%

  Vendor B           24%       Vendor B           26%        Vendor B          14%     Vendor B           21%      Vendor B            24%

  Vendor C           12%       Vendor C            7%        Vendor C          14%     Vendor C           14%      Vendor C            10%

  Vendor D           12%       Vendor D            6%        Vendor D          13%     Vendor D            7%      Vendor D            11%

  Vendor E            9%       Vendor E            5%        Vendor E          10%     Vendor E            6%      Vendor E            9%

  Other              11%       Other              28%        Other             48%     Other              26%      Other               14%

     Data Theft: Take Everything but the Kitchen Sink
     (excerpted from Mandiant “M-Trends® 2014: Beyond the Breach”)

     When Mandiant responds to an                  based advanced threat actors are            expansive intrusion campaigns to
     incident, the first question clients          keen to acquire data about how              obtain information to support
     often ask is “why am I a target?”             businesses operate — not just about         state-owned enterprises.
     That’s often followed by “I don’t have        how they make their products.               This translates into data theft that
     anything that anyone would want.”             We have written in past M-Trends            goes far beyond the core intellectual
     Our answer, borne out through many            reports that China-based threat             property of a company, to include
     investigations over the past few years,       actors have expanded their targeting        information about how these
     is increasingly, “yes, you do!” Some          well beyond the defense industrial          businesses work and how executives
     nation state threat actors are                base. Across numerous industries,           and key figures make decisions.
     expanding the scope of their cyber            we’ve increasingly observed the
     operations. For example, China-               Chinese government conduct

12 www.fireeye.com
REPORT

What Today’s Attacks                                    Here’s how a typical attack plays out:          4.   Internal reconnaissance. In this
Look Like                                                                                                    step, attackers collect information
                                                        1.    External reconnaissance. Attackers             on surrounding infrastructure, trust
As these results show, today’s attackers                      typically seek out and analyze                 relationships, and the Windows
have evolved their tactics from just a                        potential targets — anyone from                domain structure. The goal: move
few years ago. Broad, opportunistic,                          senior leaders to administrative staff         laterally within the compromised
scattershot attacks designed for mischief                     — to identify persons of interest              network to identify valuable data.
have been eclipsed by sophisticated                           and tailor their tactics to gain access        During this phase attackers typically
attacks that are advanced, targeted,                          to target systems. Attackers can even          deploy additional backdoors so they
stealthy, and persistent.                                     collect personal information from              can regain access to a network if
                                                              public websites to write convincing            they are detected.
This new generation of attacks includes                       spear-phishing email.
high-end cybercrime and state-sponsored                                                                 5.   Mission completed? Once attackers
campaigns known as advanced persistent                  2.    Initial compromise. In this                    secure a foothold and locate valuable
threat (APT) attacks. Although their                          stage, the attacker gains access to            information, they exfiltrate data such
aims differ, both types of attacks share                      the system. The attacker can use               as emails, attachments, and files
several key traits.                                           a variety of methods, including                residing on user workstations and
                                                              well-crafted spear-phishing emails             file servers. Attackers typically try
All attacks involve a                                         and watering-hole attacks that                 to retain control of compromised
human attacker                                                compromise websites known to                   systems, poised to steal the next set
All cyber attacks involve a human                             draw a sought-after audience.                  of valuable data they come across. To
adversary. In many cases they can                                                                            maintain a presence, they often try to
involve groups of people under the same                 3.    Foothold established. The                      cover their tracks to avoid detection.
organizational umbrella, with multiple                        attackers attempt to obtain domain
teams of people assigned to specific                          administrative credentials (usually
tasks as part of a common mission.15                          in encrypted form) from the
                                                              targeted company and transfer
Because attackers are living, breathing                       them out of the network. To
people — not pieces of mindless code                          strengthen their position in the
— they are motivated, organized,                              compromised network, intruders
and unpredictable.                                            often use stealthy malware that
                                                              avoids detection by host-based
Today’s attacks unfold in stages                              and network-based safeguards.
Cyber attacks are not a single event. They                    For example, the malware may
unfold in multiple coordinated stages,                        install with system-level privileges
with calculated steps to get in, establish                    by injecting itself into legitimate
a foothold, surveil the victim’s network                      processes, modifying the registry,
and steal data.                                               or hijacking scheduled services.

15
     Mandiant. “APT1: Exposing One of China’s Cyber Espionage Units.” February 2013.

13 www.fireeye.com
Cybersecurity’s Maginot Line: A Real-world Assessment of the Defense-in-Depth Model

Today’s attacks exploit multiple                          multiple HTTP request and responses,                     Here are just a few of the techniques
threat vectors                                            including redirects, and multiple                        attackers use to stay under the radar:
Advanced attacks cut across multiple                      TCP sessions.
threat vectors. For example, a phishing                                                                            •     Process injection. As the name
email might contain a link to a                           One object might be used for a heap                            implies, this technique involves
malicious URL. In another example,                        spray. Another object might include a                          inserting malicious code into
a targeted attack in 2013 against a                       buffer overflow or un-sanitized input                          an otherwise benign process.
U.S.-based financial institution used a                   to exploit. Another object might defeat                        By hijacking a legitimate code,
remote administration tool (RAT) that                     OS protections such as address space                           attackers disguise the source of the
included both Windows and Android                         layout randomization (ASLR) and data                           malicious behavior and evade
components to spy on victims through                      execution prevention (DEP). And finally,                       firewalls and other process-focused
PCs and phones.16                                         another downloaded binary might be an                          security tools.
                                                          image with hidden malicious code that
Many attacks are also multi-flow. Rather                  executes only when extracted by another                  •     Process camouflage. In this
than sending a single malicious file to a                 seemingly benign file.                                         approach, attackers give their
targeted system — where it might trigger                                                                                 malicious file or object a benign-
a malware alert— attackers send several                   Today’s attacks are stealthy                                   looking name or one deceptively
files or objects that appear harmless by                  Today’s attacks use a variety of stealthy                      similar to a known system process or
themselves. When combined, these files                    tactics to evade detection and maintain                        other common process. Svchost.exe
and objects reveal their true nature.                     control of compromised systems.                                and Spoolsv.exe are often spoofed
                                                                                                                         because several copies of these
For instance, many Web-based attacks                                                                                     services are typically running and
comprise multiple downloaded files or                                                                                    can be easily overlooked.
objects. These objects often stem from

                                                                                               Maintain                            Move
                                                                                               presence                          laterally

      External Recon                Initial Compromise                Establish Foothold                  Internal Recon                  Complete Mission

     Identify people, places            Gain initial access              Strengthen position              Identify target data               Package and steal
            and things                     into target                       within target                                                      target data

Figure 4: Stages of an advanced attack.

16
     Thoufique Haq, Hitesh Dharmdasani, et al. (FireEye). “From Windows to Droids: An Insight in to Multi-vector Attack Mechanisms in RATs.” March 2014.

14 www.fireeye.com
REPORT

                                                                     IDS                                                       IDS

                                                                                                                           IDS

                                                                                                                         IDS
                                                                 IDS

                                                               IDS

                          Figure 5: How today’s advanced cyber attacks match up against conventional IT defense.

    Characteristics of today’s advanced attacks and attempted countermeasures
    of the typical defense-in-depth architecture

    Professional Targeted Attacks                                           Common IT Security Defense

    Agile, rapid methods                                                    Signature based

    Tools and techniques modified to avoid signature defense                Impervious to repeat attacks using methods that match signatures

    Persistent, full-time, paid attackers                                   Majority spend in most security budgets

•      Executing code from memory.                      •     File hiding. This technique can                      Trojanizing a binary that is loaded
       By running only in memory,                             be as simple as altering the                         on system boot offers the added
       malicious code can evade malware                       timestamp of a file to disguise                      benefit of persistence.
       scans and leaves no trace of itself                    its creation time in relation to
       for digital forensics investigators.                   a breach.                                      •     Packers. Packers compress and
       This technique was a key part of                                                                            encrypt code to hide the underlying
       Operation Ephemeral Hydra, a                     •     Trojanizing. To avoid leaving                        code. The technique creates new
       sophisticated watering-hole attack                     behind a telltale executable file,                   binaries that have not yet been
       discovered in November 2013.17                         many attacks instead hijack an                       identified by signature-based cyber
                                                              existing executable. Security                        defenses. It also makes reverse-
                                                              experts often overlook these files.                  engineering code more difficult.

17
     Ned Moran, et al (FireEye). “Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method.” November 2013.

15 www.fireeye.com
Cybersecurity’s Maginot Line: A Real-world Assessment of the Defense-in-Depth Model

                                                                                                         A bigger problem is foundational. Most
      As our test results show, the Maginot line of                                                      components in the typical security
                                                                                                         architecture rely on a mix of binary
      cybersecurity is no match for the determined                                                       signatures, blacklists, and reputation to
      attackers tasked with stealing corporate secrets.                                                  identify threats. These approaches might
                                                                                                         have held off an earlier generation of
                                                                                                         attacks. But like France’s Maginot Line,
                                                                                                         they are no match against today’s threats.

Many attacks are tailored                               The New Maginot Line                             Signatures are ineffective because
Today’s attacks often involve malware                   As our test results show, the Maginot            AV vendors cannot keep up with the
tailored to compromise a single target. As              line of cybersecurity is no match for            deluge of new malware binaries. In
explained earlier, 75 percent of unique                 the determined attackers tasked with             many cases, the malware is custom-
malware in our samples were detected in                 stealing corporate secrets.                      made for the target, meaning AV
only one environment. That is consistent                                                                 vendors will never see it — let alone
with a comprehensive FireEye analysis                   How today’s architecture                         create a signature for it. Many attacks
of 2013 attacks, which found that 82                    falls short                                      also exploit zero-day vulnerabilities,
percent of malware binaries disappear                   Today’s typical defense-in-depth                 which by definition are unknown.
within an hour. No wonder an executive                  architecture comprises several discrete
at AV software giant Symantec recent                    layers, including anti-virus software,           Application blacklists are blind to
declared the technology “dead.”18                       intrusion-prevention systems (IPS),              attacks that use encrypted binaries or
                                                        so-called “next-generation” firewalls,           hijack legitimate apps and processes.
When attackers make the effort to                       and Web gateways. As our real-world              Often, the initial exploit is not an
customize an attack for a specific target,              data makes clear, this framework is              executable file at all. Other reputation
they tend to continue attacking until                   poorly equipped to combat today’s                based defenses, like those used in
they have achieved their objective.                     advanced attacks.                                Web gateways and IPS, cannot stop
                                                                                                         attacks from newly minted URLs or
                                                        First, the individual components are             compromised websites serving up
                                                        designed to manage a single piece of             drive-by-downloads.
                                                        the security puzzle and are usually not
                                                        well integrated. An organization may             Even sandboxing technology, hailed as
                                                        think that it has covered all of the major       a great leap forward for cybersecurity,
                                                        threat vectors. But without a complete,          is flawed in most implementations
                                                        cohesive view across all attack vectors,         (see sidebar).
                                                        today’s defense-in-depth model can miss
                                                        the signs that an attacker has breached
                                                        their defenses.

18
     Danny Yadron (The Wall Street Journal). “Symantec Develops New Attack on Cyberhacking.” May 2014.

16 www.fireeye.com
REPORT

   Thinking Outside
   the Sandbox

       In a grudging admission that             analysis systems can flag telltale     As explained earlier, today’s attacks
       traditional security tools are no        behavior, such as changes to the       unfold over multiple vectors and
       longer working, security vendors are     operating system or calls to the       multiple data flows. They unfold in
       scrambling to add dynamic analysis       attacker’s CnC servers.                multiple coordinated stages, with
       tools, also known as sandboxes, to                                              calculated steps to get in, establish
       their portfolio. Even incumbent          Why most fall short                    a foothold, surveil the victim’s
       vendors who have long defended                                                  network and steal data.
       their aging legacy tools have            Many sandboxes are easily detected
       embraced the concept.                    and evaded. Some analyze files in      That means dynamic analysis
                                                isolation rather than as part of a     must analyze files and objects in
       Sandboxing remains a nascent             coordinated whole. Some myopically     context and across multiple threat
       technology, and only a handful of the    focus on a single threat vector.       vectors. And they must offer a wide
       systems in our sample had deployed       Some fail to emulate complete          variety of environments to detect
       one. But even in this small set the      systems or emulate only a single       targeted malware.
       trend was clear. Every single system     “golden” image. Some measure only
       with a sandbox was breached.             the beginning and end states of a      Virtual-machine-based analysis
                                                virtual system — missing everything    is even more effective when
       What is sandboxing?                      that happens in between.               augmented by dynamic, real-time
                                                                                       threat intelligence and a full
       Instead of relying on signatures,        What to look for in                    complement of services. With
       automated dynamic analysis systems       dynamic analysis                       a complete view of attacks within
       observe malware behavior using                                                  an enterprise, geography, or
       off the shelf virtual machines (VMs).    To truly protect IT assets, virtual-   industry, security teams can
       These walled-off, simulated computer     machine-based analysis must            better prevent, detect, contain,
       environments allow files to execute      overcome the sandbox-evasion           and resolve advanced attacks.
       without doing any real damage.           techniques of advanced malware.
                                                And when new evasion techniques
       By watching the files in these virtual   emerge, vendors must quickly
       sandbox environments, automated          update their tools.

17 www.fireeye.com
Cybersecurity’s Maginot Line: A Real-world Assessment of the Defense-in-Depth Model

CONCLUSION AND
RECOMMENDATIONS
Despite the billions of dollars organizations
pour into traditional security measures
every year, attackers are compromising                         In our tests, attackers got through organizations’ cyber
organizations almost at will.                                  Maginot line at least 97 percent of the time. They
As our data shows, it doesn’t matter                           compromised more than 1,100 critical systems spanning
what vendor or combination of typical                          a wide gamut of geographies and industries. This
defense-in-depth tools an organization
has invested in. And it doesn’t matter                         suggests that thousands upon thousands of organizations
how well these tools performed in lab                          around the world may be breached and not even know it.
tests. Real-world attackers are bypassing
them all.

Brooke, the British General who found                     “Millions of money stuck in the ground                  In light of this reality, organizations
the Maginot Line so impressive during                     for a purely static defence,” he wrote after            must consider a new approach to
his visits before the German invasion,                    one visit to a Maginot bunker. “The total               securing their IT assets. For many,
privately worried about the French                        firepower developed by these works bears                that shift should include reducing
strategy. He feared, correctly, that the                  no relation to the time, work and money                 waste on redundant, backward-looking
country was spending too much on                          spent on their construction.”19                         technology and redeploying those
the bunker defenses and too little on                                                                             resources on defenses designed to find
modern equipment and weapons that                         Many organizations may be making the                    and stop today’s advanced attacks.
could adapt to the vagaries of war.                       same mistake. In our tests, attackers got
                                                          through organizations’ cyber Maginot
                                                          line at least 97 percent of the time.
                                                          They compromised more than 1,100
                                                          critical systems spanning a wide gamut
                                                          of geographies and industries. This
                                                          suggests that thousands upon thousands
                                                          of organizations around the world may
                                                          be breached and not even know it.

19
     Alan Brooke (writing as Field Marshal Lord Alanbrooke); Alex Danchev and Daniel Todman (editors). “War Diaries 1939-1945.” June 2003.

18 www.fireeye.com
REPORT

Advanced                           Firewall/NGFW          IDS/IPS          Secure Web         Antivirus s
Threat                                                                      Gateway                                 Minimize
                                                                                                                    Legacy
                                                                                                                    Security
Common                                                                                                              Spend
Threat

                                             Continuous Protection
                                             Technologies
                                             1.    Non-signature-based detection
                                                                                                      Majority of
                                             2.    Integrated solutions instead of
                                                                                                      Security
                                                   stove-piped point products
                                                                                                      Investment
                                             3.    Provide effective actions after a
                                                   potential breach is detected
                                             4.    Part of an integrated defense
                                                   community

Figure 6: Organizations should consider reducing waste on redundant, backward-
looking technology and redeploying those resources on defenses designed to find
and stop today’s advanced attacks.

FireEye recommends the following:

Evolve                              Invest                          Build                         Reduce
to a different architecture that    in rapid endpoint-response      (or hire) an incident-        redundant signature-based
is not based on signatures,         capabilities to validate        response capability to        defense-in-depth layers that
whitelists, or reputations.         and contain attacks that        respond when necessary.       don’t catch threats and
Instead, deploy VM-based            get through.                                                  create extra noise. Reinvest
security solutions that provide                                                                   those resources in effective
full attack coverage and                                                                          VM-based security solutions.
generate high-quality,
accurate alerts so you can
see the alerts that matter.

19 www.fireeye.com
FireEye helps organizations defend themselves against the newest generation of cyber attacks. The combination of
our threat prevention platforms, people and intelligence helps eliminate the consequences of security breaches by
detecting attacks as they happen, communicating the risk, and equipping you to rapidly resolve security incidents.

FireEye, Inc. | 1440 McCarthy Blvd. Milpitas, CA 95035 | 408.321.6300 | 877.FIREEYE (347.3393)
info@FireEye.com | www.FireEye.com

© 2014 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or
service marks of their respective owners. WP.CML.EN-US.052014
You can also read
Next slide ... Cancel