Fortinet Advanced Threat Protection with FortiSandbox - 2016


© Copyright Fortinet Inc. All rights reserved.

Advanced Threat Protection with FortiSandbox

Hillel Kobrovski

Founder & CTO at Sec4Biz LTD

Cyber & Network Security Solutions Architect

Fortinet Senior Trainer since 2007

Hillel@Sec4Biz.co.il

972-54-7700919

Sandbox: Why It's Important?

“New Studies Reveal Companies are Attacked an Average of 17,000 Times a Year.”

“Companies like J.P. Morgan Plan to Double Spending on Cyber security…”

“Cybercrime Will Remain a Growth Industry for the Foreseeable Future.”

“The Reality of the Internet of Things is the Creation of More Vulnerabilities.”

“43% of firms in the United States have experienced a data breach in the past year.”

Companies should be concerned

FACT: Prevention techniques sometimes fail, so detection and response tools, processes, and teams must be added.

GOAL: Reduce time to find/detect incidents; reduce time to investigate incidents; reduce time to remediate incidents.

229 days: average time attackers were on a network before detection

67%: victims were notified by an external entity

Malware? Goodware? I-don't-know-ware? The Continuum

Code continuum, from known good to known bad:

Known Good | Probably Good | Might be Good | Completely Unknown | Somewhat Suspicious | Very Suspicious | Known Bad

Security technologies along the continuum:

» Known/probably good: whitelists; reputation (file, IP, app, email); digitally signed files

» Completely unknown (the middle of the continuum): sandboxing

» Suspicious/known bad: generic signatures; heuristics; reputation (file, IP, app, email); signatures; blacklists

Enter Sandboxing

Attack chain shown on the slide: Spam -> Malicious Email -> Malicious Link -> Malicious Web Site -> Exploit -> Malware -> Bot Commands & Stolen Data -> Command & Control Center

Existing controls matched to each stage: Anti-spam (spam), Web Filtering (malicious link and web site), Intrusion Prevention (exploit), Antivirus (malware), App Control/IP Reputation (bot commands, stolen data, command & control)

The slide places the sandbox across the chain alongside these controls, covering the link, exploit and malware stages.

FortiSandbox – 5 Steps to Better Performance

1. AV Prefilter: apply top-rated anti-malware engine

2. Cloud File Query: check community intelligence & file reputation

3. Code Emulation: quickly simulate intended activity (Fortinet patented CPRL); OS independent & immune to evasion – high catch rate

4. Full Virtual Sandbox: examine real-time, full lifecycle activity in the sandbox to get the threat to expose itself

5. Call Back Detection: identify the ultimate aim, call back & exfiltration

Then mitigate with analytics & FortiGuard updates.

3 Types of AV Signatures

Worm checksum

» A hash value computed over the file's bytes that uniquely identifies one specific piece of malware; a single changed byte produces a different hash, so it only matches that exact file.

» Detection names usually carry a "!tr" or "!worm" suffix.

Script and Macro Checksums

» Used to detect scripts and macros that do not change from one generation to the next.

CPRL (Compact Pattern Recognition Language)

» With CPRL, the analyst can match bytes at different locations of a file.

» It can be used to provide generic detection for a group of malware with certain commonalities.

CPRL Before Sandboxing

Compact Pattern Recognition Language (CPRL)

Fortinet-unique (patented) way to identify an attack or evasion.

Emulates the code to understand what it is attempting to do.

Explores all the different code paths for attack vectors.

Not as CPU-intensive as spinning up a virtual OS, so it is used as a first pass.

Typically catches more than 60% of malware.

If malware is found, there is no need for further inspection.

Uncovered attacks or evasion techniques are reported back to FortiGuard to further enhance the ecosystem.

CPRL – Manual Steps

Static Analysis
• Make sense of machine code
• Utilize reverse engineering tools

Replication
• Compare variations
• Spot patterns in functionality and behavior
• Not just one sequence of bytes

Detection
• Create CPRL code to match those patterns
• Test against known variations
• And new variations


CPRL Strength – Doing More with Less!


Introduction Into Polymorphism

• Malware that constantly changes or "morphs", making it difficult to detect with anti-malware programs

• The appearance of the code varies with each mutation, but the essential function usually remains the same

(Slide figure: the same file shown twice with different encryption applied, so the stored bytes differ while the underlying file is the same.)

Polymorphic Techniques – Examples

• Padding with NOPs

• Packed with no pattern

• (Contrasted on the slide with a non-polymorphic sample)
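The difference between a checksum signature (the worm checksum described above) and a generic pattern that matches bytes at different locations of a file (the CPRL idea) is easiest to see on a NOP-padded, re-keyed variant. The Python below is an added example written for this page; it is not Fortinet code, and its pattern syntax (hex bytes, `??` for one wildcard byte, `[n-m]` for a variable gap) is a stand-in for CPRL, not CPRL itself. The samples are constructed byte strings, not real malware.

```python
"""Checksum signature vs. generic pattern signature (added example).

A checksum (hash) signature matches one exact file. A generic byte pattern
with wildcards and variable gaps matches bytes at different locations, so it
still hits a polymorphic generation that inserts NOPs and changes a key byte.
The pattern syntax is a stand-in, not Fortinet's CPRL.
"""
import hashlib
import re

# Constructed XOR-decode loop standing in for malware code (assumption, not taken
# from any real sample): mov eax,[ebp+8] / xor ecx,ecx / xor byte [eax+ecx],KEY /
# inc ecx / cmp ecx,eax / jne loop
STUB_INSTRUCTIONS = [bytes.fromhex(h) for h in ("8b4508", "33c9", "8034085a", "41", "3bc8", "75f7")]
HEADER = b"MZ\x90\x00\x03\x00\x00\x00"        # constructed header bytes
TAIL = b"\x00" * 4 + b"http://c2.invalid/beacon"  # constructed beacon string


def mutate(instructions, key: int, pad: bytes = b"\x90\x90") -> bytes:
    """One polymorphic generation: new XOR key and NOP padding after every instruction."""
    out = []
    for ins in instructions:
        if ins.startswith(b"\x80\x34\x08"):        # xor byte [eax+ecx], imm8 -> re-key
            ins = ins[:3] + bytes([key])
        out.append(ins + pad)
    return b"".join(out)


BASE_SAMPLE = HEADER + b"".join(STUB_INSTRUCTIONS) + TAIL
VARIANT_SAMPLE = HEADER + mutate(STUB_INSTRUCTIONS, key=0x77) + TAIL
# Benign look-alike: same prologue but no decode loop at all.
BENIGN_SAMPLE = HEADER + bytes.fromhex("8b4508 33c9 41 3bc8 75fb") + b"\x00" * 4 + b"hello"


def checksum(data: bytes) -> str:
    """Worm-checksum style signature: one hash, one exact file."""
    return hashlib.sha256(data).hexdigest()


def compile_pattern(pattern: str) -> re.Pattern:
    """Tokens: 'xx' literal byte, '??' any one byte, '[n-m]' between n and m arbitrary bytes."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("[") and tok.endswith("]"):
            lo, hi = tok[1:-1].split("-")
            parts.append(b".{%d,%d}" % (int(lo), int(hi)))
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)


# Generic signature for the decode loop: tolerates a re-keyed imm8 and up to
# 4 inserted bytes between instructions, but not more (a tolerance the analyst chooses).
DECODE_LOOP = compile_pattern("8b 45 08 [0-4] 33 c9 [0-4] 80 34 08 ?? [0-4] 41 [0-4] 3b c8")


def classify(data: bytes, known_hashes: set, generic: re.Pattern = DECODE_LOOP) -> str:
    """Checksum first (cheap, exact), then the generic pattern, else clean."""
    if checksum(data) in known_hashes:
        return "checksum"
    if generic.search(data):
        return "generic"
    return "clean"


if __name__ == "__main__":
    hashes = {checksum(BASE_SAMPLE)}
    for label, sample in (("base", BASE_SAMPLE), ("variant", VARIANT_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, classify(sample, hashes))
```

The checksum catches only the exact base file; the NOP-padded generation has a different hash and is caught only by the pattern. Padding with more bytes than the `[0-4]` gaps allow defeats the pattern too, which is why the "Replication" step tests against new variations before a signature ships.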

Introduction into Packers

• Wrappers used to compress or encrypt software files

• Can be used for legitimate purposes

• Often used by malware to disguise its contents to circumvent detection and analysis

Level of difficulty (easy to hard, as laid out on the slide): simple encodings such as ROT, Base64 and XOR; common packers such as UPX, ASPACK and FSG; protectors such as Themida; custom packers.

Packers with native or known unpacking capabilities are handled by the generic unpacker: PETITE, FSG, UPACK, MEW, PECompact, ASProtect, PecBundle, PEncrypt, ACProtect, ZIP.

Packers with no native unpacking capabilities (custom packers) are handed to the real-time sandbox.

Packer Anatomy

Normal file: headers, code and data sections stored in the clear.

Pack: the program's code is stored as encrypted data and a decryption routine (the unpacking stub) is added; the packed file's code section now holds the stub, and the original code sits in the data section as ciphertext.

Run: the unpacking engine decrypts the code stored in the data section and moves it into the code area and into memory at run time; the original program then executes.

CPRL emulates this run step instead of executing the file, so the decrypted bytes can be examined without spinning up a virtual OS.
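The pack/run/unpack sequence above can be walked through with a toy packer. The Python below is an added example, not Fortinet code and not a real packer format: the `TPK1` container layout, its SHA-256-derived keystream and the 7.0 bits/byte entropy threshold are assumptions chosen for illustration. It shows that a signature on the packed bytes fails, that an entropy check flags the file as packed, that a new key per generation yields a different file from the same payload, and that performing the unpack step inside the scanner (what code emulation does instead of running the stub) recovers the original bytes so the signature matches again.

```python
"""Toy packer, entropy check and emulated unpack (added example).

Not Fortinet code and not a real packer: the TPK1 container layout, the
SHA-256 keystream and the 7.0 bits/byte threshold are assumptions chosen to
illustrate the pack/run/unpack sequence described on the slide.
"""
import hashlib
import math

MAGIC = b"TPK1"  # constructed container tag (assumption)


def keystream(seed: int, n: int) -> bytes:
    """The 'decryption routine' the stub carries: a keystream derived from the seed."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed.to_bytes(4, "little") + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:n])


def pack(payload: bytes, seed: int) -> bytes:
    """Headers (magic, seed, length) followed by the program stored as encrypted data."""
    body = bytes(p ^ k for p, k in zip(payload, keystream(seed, len(payload))))
    return MAGIC + seed.to_bytes(4, "little") + len(payload).to_bytes(4, "little") + body


def unpack(blob: bytes) -> bytes:
    """What the run-time stub does, performed by the scanner instead of executing the file."""
    if len(blob) < 12 or not blob.startswith(MAGIC):
        raise ValueError("not a TPK1 container")
    seed = int.from_bytes(blob[4:8], "little")
    length = int.from_bytes(blob[8:12], "little")
    body = blob[12:12 + length]
    if len(body) != length:
        raise ValueError("truncated container")
    return bytes(c ^ k for c, k in zip(body, keystream(seed, length)))


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; compressed or encrypted data sits close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan(blob: bytes, signature: bytes, threshold: float = 7.0) -> dict:
    """Static match on raw bytes, packing heuristic, and match after emulated unpack.

    emulated_match is None when the container is malformed (e.g. truncated); a
    scanner should treat that as undetermined, not as clean.
    """
    static = signature in blob
    packed = entropy(blob) >= threshold
    if blob.startswith(MAGIC):
        try:
            emulated = signature in unpack(blob)
        except ValueError:
            emulated = None
    else:
        emulated = static
    return {"static_match": static, "packed": packed, "emulated_match": emulated}


# Constructed payload: a decode-loop stub, a beacon URL and zero padding (not real malware).
PAYLOAD = (bytes.fromhex("8b4508 33c9 8034085a 41 3bc8 75f7")
           + b"\x00" * 8 + b"http://c2.invalid/beacon" + b"\x00" * 990)
SIGNATURE = b"http://c2.invalid/beacon"

if __name__ == "__main__":
    packed_a, packed_b = pack(PAYLOAD, seed=1), pack(PAYLOAD, seed=2)
    print("same payload, different bytes:", packed_a != packed_b)
    print("entropy plain %.2f packed %.2f" % (entropy(PAYLOAD), entropy(packed_a)))
    print(scan(packed_a, SIGNATURE))
```

A single-byte XOR would not move the entropy figure at all (it only permutes byte values), which is why the toy uses a keystream; real packers that compress raise entropy for the same reason, and a high figure is only a hint to unpack, never a verdict on its own.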

Top Rated Anti-Malware

VB100 Reactive: AV with all updates

VB100 Proactive: AV without updates

Fortinet anti-malware results

» 96% reactive

» 86% proactive

Independent third-party tested & validated!

Top Rated Sandbox

Top-rated breach detection (NSS Labs Recommended)

Preloaded with Microsoft Windows XP and 7, 32- and 64-bit, plus IE & Office

Genuine Microsoft licenses for Windows, IE and Office

Independent third-party tested & validated!

FortiSandbox Platform Options

Model              | Form                                    | VMs
FortiSandbox Cloud | Cloud service integrated with FortiGate | N/A
FortiSandbox VM    | Virtual appliance                       | 2+
FortiSandbox 1000D | Physical appliance                      | 8
FortiSandbox 3000D | Physical appliance                      | 28

FortiSandbox Details

Flow shown on the slide: network traffic -> objects for inspection -> FortiSandbox -> updated protection.

1. Protocol support

• FortiGate integrated: HTTP, SMTP, POP3, IMAP, MAPI, FTP, SMB, IM and SSL-encrypted equivalents

• Stand-alone: HTTP, FTP, POP3, IMAP, SMTP, SMB

• FortiMail integrated: SMTP

2. File type support

• AV prefilter: all file types

• Full sandbox, as follows:

  • Archives: .tar, .gz, .tar.gz, .tgz, .zip, .bz2, .tar.bz2, .bz, .tar.Z, .cab, .rar, .arj

  • Executables and documents: .exe, .dll, PDF, Microsoft Office, JavaScript

  • Media: .avi, .mpeg, .mp3, .mp4

3. Operating environment

• Code emulation: OS-independent

• Sandbox: Windows XP, 7, IE, Office

FortiSandbox 2.0

Now includes full sandboxing with licenses for Windows, MS Office, IE

Now follows URLs to scan objects

Now inspects network file share locations

Now exports to 3rd party scan tools

Integrated with FortiGate

Provides SSL inspection

Fewer sandboxes needed: 1 sandbox supports multiple FortiGates (ingress/egress points)

FortiSandbox Cloud service integrated with FortiGate offers quarantine feature

FortiSandbox 2.0 – Detecting More Attacks: the slide diagram shows network traffic passing through FortiGate and FortiMail, each submitting objects to FortiSandbox.

New in FortiSandbox 2.1

HA clustering

VM build customization (Win8.1/Win2008/Win2010)

SHA1 support, and hash whitelisting

RADIUS authentication

Enhanced search capabilities

Remove all files after scan (HIPAA)

License expiration information

Integrated with FortiGate (5.4): active hash block list

Integrated with FortiMail: active block list including URI scanning

Integration with FortiClient (5.4)

New in FortiSandbox 2.1 – Detecting Even More Attacks: the slide diagram again shows FortiGate and FortiMail feeding FortiSandbox.
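The hash whitelist and active hash block list above, together with the file-type support listed under FortiSandbox Details, amount to a prefilter decision per object. The Python below is an added example, not FortiSandbox code: it checks SHA-1 and SHA-256 digests against constructed allow and block lists, identifies the file family by magic bytes rather than by extension (so a renamed executable is still sent to the sandbox and the mismatch is flagged), walks zip archives member by member with a depth and member-size limit, and routes anything it cannot classify to the AV prefilter only. The list contents, the magic-byte table, the extension table and the limits are assumptions.

```python
"""Sandbox prefilter triage (added example; not FortiSandbox code).

Per object: allow by hash whitelist, block by hash block list, send to the
full sandbox by detected file family, or leave to the AV prefilter only.
Archives are opened and their members triaged individually, with limits
against nested and oversized archives.
"""
import hashlib
import io
import zipfile

MAX_ARCHIVE_DEPTH = 2                 # assumption: stop opening zip-in-zip beyond this depth
MAX_MEMBER_BYTES = 50 * 1024 * 1024   # assumption: skip members larger than 50 MiB

# Magic bytes for the families the slide lists for full sandboxing (assumed table).
MAGIC_TYPES = [
    (b"MZ", "executable"),                                # .exe/.dll
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),                               # .zip, and OOXML Office files
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole-office"),  # legacy .doc/.xls/.ppt
    (b"Rar!\x1a\x07", "rar"),
    (b"\x1f\x8b", "gzip"),                                # .gz/.tgz
    (b"BZh", "bzip2"),
    (b"MSCF", "cab"),
    (b"\x60\xea", "arj"),
    (b"\x1f\x9d", "compress-Z"),                          # .Z
]

# What an extension claims the file is; used only to flag mismatches, never to route.
EXT_KIND = {
    "exe": "executable", "dll": "executable", "scr": "executable",
    "pdf": "pdf", "zip": "zip", "docx": "zip", "xlsx": "zip", "pptx": "zip",
    "doc": "ole-office", "xls": "ole-office", "ppt": "ole-office",
    "rar": "rar", "gz": "gzip", "tgz": "gzip", "bz2": "bzip2",
    "cab": "cab", "arj": "arj", "z": "compress-Z", "txt": "text", "js": "text",
}


def digests(data: bytes) -> set:
    """SHA-1 and SHA-256 hex digests, so lists keyed by either algorithm can be matched."""
    return {hashlib.sha1(data).hexdigest(), hashlib.sha256(data).hexdigest()}


def detect_type(data: bytes) -> str:
    """Classify by content, not by name."""
    for magic, kind in MAGIC_TYPES:
        if data.startswith(magic):
            return kind
    return "unknown"


def _extension(name: str) -> str:
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def triage(name: str, data: bytes, allow: set, block: set, depth: int = 0) -> list:
    """Return [(object name, decision), ...]; an archive expands to one entry per member."""
    hashes = digests(data)
    if hashes & allow:
        return [(name, "allow: hash whitelist")]
    if hashes & block:
        return [(name, "block: hash block list")]

    kind = detect_type(data)
    if kind == "zip" and depth < MAX_ARCHIVE_DEPTH:
        results = []
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                member = f"{name}/{info.filename}"
                if info.file_size > MAX_MEMBER_BYTES:
                    results.append((member, "skip: oversized member"))
                    continue
                results.extend(triage(member, archive.read(info), allow, block, depth + 1))
        return results or [(name, "skip: empty archive")]
    if kind == "unknown":
        return [(name, "prefilter only: unsupported type")]

    claimed = EXT_KIND.get(_extension(name))
    note = " (extension mismatch)" if claimed not in (None, kind) else ""
    return [(name, f"sandbox: {kind}{note}")]


# Constructed samples (not real files): a stub PE, a PDF with JavaScript, plain text.
EXE_SAMPLE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"constructed stub"
PDF_SAMPLE = b"%PDF-1.4\n1 0 obj\n<< /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>\nendobj\n%%EOF\n"
TEXT_SAMPLE = b"plain readme, nothing executable here\n"


def make_zip(members: dict) -> bytes:
    """Build an in-memory zip of the constructed members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for member_name, content in members.items():
            archive.writestr(member_name, content)
    return buf.getvalue()


ARCHIVE_SAMPLE = make_zip({"invoice.pdf": PDF_SAMPLE, "readme.txt": TEXT_SAMPLE, "setup.exe": EXE_SAMPLE})

if __name__ == "__main__":
    block_list = {hashlib.sha256(EXE_SAMPLE).hexdigest()}
    for entry in triage("mail.zip", ARCHIVE_SAMPLE, allow=set(), block=block_list):
        print(entry)
    print(triage("report.txt", EXE_SAMPLE, set(), set()))
```

Hash lists are checked before anything else because they are exact and cheap; the block list catches the known-bad executable inside the archive without opening a VM, while the PDF and the renamed executable still go to the full sandbox. The depth limit means a triple-nested zip is submitted whole rather than expanded, which is the safer failure mode against archive bombs.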

Stop Malicious Emails: FortiSandbox, FortiGate, FortiMail

Flow shown on the slide (email traffic and network traffic arriving from the Internet):

• Reputation, behavior and other analysis performed by FortiMail.

• At-risk messages held for additional FortiSandbox analysis.

• Clean emails delivered to mail servers.

• Outgoing email also inspected.

• Full NGFW inspection performed on FortiGate; at-risk objects sent to FortiSandbox.

• FortiSandbox prefilters, executes, analyzes and feeds back to FortiMail and FortiGuard.

FortiMail for Email Inspection

» Blocks known threats

» Holds high-risk messages for sandbox rating

» Simplified deployment: 1 sandbox supports multiple FortiMail units

FortiSandbox for Payload Analysis

» Detects unknown threats

» Provides threat intelligence for mitigation

» Ultimately results in updated FortiGuard Security Services

Flexible Appliance Deployment Modes

• Offers the most suitable implementation depending on requirements and infrastructure

• Protects the investment by allowing the deployment mode to change as requirements change

• Fully automatic mitigation and blocking with the addition of FortiMail (with FortiSandbox appliances) and FortiGate (with FortiSandbox Cloud)

Standalone Mode – ideal for scalable requirements (Data Center)

Integrated Mode – ideal for a centralized gateway with inline protection (Headquarters / Enterprise Core)

Distributed Mode – ideal for protection in a distributed environment (Branch Offices / Distributed Enterprise)

Stand-Alone vs. Integrated

Stand-Alone

Pros: specialized coverage; more robust feature set; vendor independent

Cons: more boxes to buy and manage; separate monitoring system

Integrated

Pros: fewer boxes; extends current security; existing/known vendor

Cons: may offer a reduced feature set; fewer vendor options

Clustering and Load Balancing

Cluster roles shown on the slide: one Master, one Primary Slave, and Regular Slaves.

Master and Primary Slave must be the same appliance model (any model can be used)

Regular Slaves can be any appliance

Up to 100 nodes in a cluster


Demo Configuration Screen Shots

FGT: FortiSandbox configuration

FGT: AV Profile FortiSandbox enable

FML: FortiSandbox configuration

FML: AV Profile FortiSandbox enable


Demo Screen Shots

Email message sent with clean file attached

FML: Message paused, Attachment sent to FSA

FSA: Attachment sandboxed

FML: FSA clean verdict

FML: FSA clean verdict, message delivered

FML: FSA malicious verdict

FML: Virus message quarantined

Email message sent with clean file attached: the message may be sent from any external user to a FortiSandbox-protected email domain.

FML: Message paused, attachment sent to FSA. The message is held on the FortiMail while the FortiSandbox is processing the attachment.

FSA: Attachment sandboxed. If the file is clean, the message is released.

FML: FSA clean verdict, message delivered. Messages with clean attachments are delivered.

FSA: Virus attachment sandboxed. If the file is malicious, the message is quarantined.

FML: Virus message quarantined. The message is quarantined on the FortiMail.

FortiClient ATP Integration

FortiClient and FortiSandbox integration:

• File submission, with the option to hold the file until the result is received

• Receive dynamic threat DB

FortiGate v5.4 ATP/Sandbox Integration

FortiGate and FortiSandbox integration, applicable to FortiSandbox appliance and VM


DON’T GO UNPROTECTED
