Deep Discovery. Technical details

Transcription

1 Deep Discovery Technical details

2 Deep Discovery Technologies DETECT Entry point Lateral Movement Exfiltration 360 Approach Network Monitoring Content Inspection Document Emulation Payload Download Behavior Tracing Exploit Detection Network Content Inspection Engine Advanced Threat Security Engine IP & URL reputation Virtual Analyzer Network Content Correlation Engine HTTP CIFS More than 80 protocols analyzed SMTP SQL DNS P2P Embedded doc exploits Drive-by downloads Dropper Unknown Malware C&C access Data stealing Worms/Propagation Backdoor activities Data exfiltration FTP /06/2014

3 Single Appliance for Advanced Protection DETECT Entry point Lateral Movement Deep Discovery Exfiltration Inspector 360 Approach Appliance All-in-One Content Up to 4 Inspection Gbps model Document Bare Metal Emulation & VA available Payload Custom Download sandboxes Behavior embedded Tracing Exploit Can be Detection linked to external SB Network Monitoring Network Content Inspection Engine Advanced Threat Security Engine IP & URL reputation Virtual Analyzer Network Content Correlation Engine All HTTP protocols SMTP DNS analyzed FTP CIFS on a SQL single P2P box Detect known, unknown and custom threats Embedded doc exploits Leverage Drive-by Trend downloads Micro Threat Intelligence Dropper technologies Unknown Malware C&C access Adapts and responds to Data stealing threats Worms/Propagation in your unique environment Backdoor activities Data exfiltration 11/06/2014

4 Deeper Look into Deep Discovery Virtual Analyzer Your Custom Sandbox Custom OS image Execution acceleration Anti-Analysis detection 32 & 64 bits Execute binaries, documents, URL... Live monitoring Kernel integration (hook, dll injection..) Network flow analysis Event correlation Isolated Network LoadLibraryA Win7 WinXP SP3 ARGs: ( NETAPI32.dll Win7 ) Return value: 73e50000 Base Hardened LoadLibraryA ARGs: ( OLEAUT32.dll ) Return value: 75de0000 LoadLibraryA ARGs: ( WININET.dll ) Return value: 777a0000 key: HKEY_CURRENT_USER\Local Settings\MuiCache\48\52C64B7E Modifies file with infectible type : eqawoc.exe \LanguageList value: key: Inject HKEY_CURRENT_USER\Software\Microsoft\Onheem\20bi1d4f processus : 2604 taskhost.exe Write: Access path: suspicious %APPDATA%\Ewada\eqawoc.exe host : mmlzntponzkfuik.biz type: VSDT_EXE_W32 Injecting process API ID: 2604 Fake Inject API: CreateRemoteThread Fake Target Fake AV process ID: Hooks 1540 Target Explorer image path: taskhost.exe Server socket ARGs: ( 2, 2, 0 ) Return value: 28bfe socket ARGs: ( 23, 1, 6 ) Return value: 28c02 window API Name: Core CreateWindowExW Threat Simulator ARGs: ( 200, 4b2f7c,, , 0, 0, 250, fe, 301b8, f, 4b0000, 0 ) Return value: 401b2 internet_helper API Name: InternetConnectA ARGs: ( cc0004, mmlzntponzkfuik.biz, 10050,,, 3, 0, 0 ) Return value: cc0008 Filesystem Registry Process Rootkit Network... monitor monitor monitor scanner driver ANALYZE 11/06/2014 4

5 Deep Discovery Simple & Efficient Infection & payload Lateral movement C&C callback Web proxy Dynamic blacklist Storage Mail Server App Server SMTP relay Inspector af12e45b49cd : :80 d4.mydns.cc b1.mydns.cc... Endpoint 11/06/2014 5

6 Create your Custom Defense Analyzer External sandbox system Automatic Analysis Labs Manual & API submission tools Multi-box (5 nodes, 100k files/day) Integrated into Trend Micro solutions Threat profil export (IOC, hash) API & scripting Inspector reputation & attachment analysis Embedded URL analysis in VA MTA (inline) or BCC (monitor) mode Up to 2M mails/day per box Threat Intelligence Center Central event dashboards Custom searches & reports Central alerting and reporting 11/06/2014 6

7 Get a complete picture of targeted attacks Deep Discovery Endpoint Sensor Context-aware endpoint solution designed to speed the discovery, investigation and response to security incidents Accelerate you response process Confirm endpoint infiltration alerts from network security See which endpoints have specific malware or C&C activity Discover full context and spread of an attack Get a full picture of threats Records detailed system activities Performs multi-level search across endpoints Uses rich search criteria Compatible with any AV security solution

8 Catch all endpoint activities & Make the story of the attack Deep Discovery Endpoint Sensor RESPONSE Record all events across endpoint and network to filter out Ghost Alert noise and re- classify alert severity with REAL threat File changes/dropped Registry changes User account modifica%on URL request Connec%on to direct IP DNS resolu%on Adap%ve Inves'ga'on empowers InfoSec immediate incident responses rather of relying on vendor solu%on delivery OpenIOC support Memory snapshot Registry snapshot Retrospec%ve Replay DDES 11/06/ IOC DD Virtual Analyzer OpenIOC Yara

9 Deep Discovery Flexible & Efficient Inspector HQ/DC Site Traditionnal Security Layer Infection & payload Lateral movement C&C callback Major Remote Site Inspector Local App Server Endpoint Sensor Analyzer Inspector * Threat Intelligence Center 11/06/ * Can be virtualized

10 Trend Micro Products Integrated Advanced Protection Storage OfficeScan Deep Security Mail ScanMail Server Endpoint App Server Web IWSva proxy SMTP IMSva relay 11/06/ Infection & payload C&C callback Analyzer 3c4çba176915c3ee3df8 7b9c127ca1a1bcçba17 Custom Signature Dynamic blacklist af12e45b49cd : :80 d4.mydns.cc b1.mydns.cc...

11 Demo-time