User Attacks
Server-side attacks (scan and exploit) still exist
The new wave of attacks is user-side, strongly related to APT and crimeware
Seen through the increase in malware
Users' interaction with the Internet is the primary means of lost intellectual property and business disruption: Aurora, Night Dragon, Zeus
Web gateways provide a basic solution
NTR Architecture
[Diagram: Sensors (local sensors and Internet-facing sensors) feed a Manager, which draws on Services]
NTR Sensors are deployed at the boundaries and exchange points of the network
The NTR Sensor detects events and objects that need to be reviewed and validated
Manager
[Diagram: Manager sitting between the Sensors and the Internet]
Collects data from the sensors and matches analysis to services
Services
Local Services: file scanner, additional AV checks, local reputation and scanners
McAfee Services (Internet): Global Threat Intelligence database
The NTR Manager uses Internet and local services to validate events and objects
NTR Services
Global Threat Intelligence
File Scanner
Anti-Virus Farm
Foundstone Services
Reverse Engineering
Incident Response
McAfee Confidential. Internal Use Only
CS-4000 (4 Gbps)
CS Blade Center (10 Gbps)
Defining Knowledge
[Diagram: File, Address, URL | Shellcode, Reputation, Heuristics, Obfuscation, Signatures | Vulnerability, Policy, Threat]
OOS Overview
[Diagram: Down Selection, Analysis (Validation), Anchors. Labels: Signatures / Heuristics; Reputation (address, hostname, URL); Filtering; Waypoints; DS; file, users + reputations; BLACKLIST / WHITELIST; feedback]
Operational Impact
Dynamic Analysis Capacity
Down select is essential to handle load
10 samples per hour per core; a 32-core system = 7,680 per day
100k samples/day = about 417 cores = 14 (32-core) systems
Emulation
No down select: 57,600 samples per hour per core (16 per second); a 5-core system = 80 samples/sec = 6.9 million per day
100k samples/day = 1 core, less than 1 system
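How the down-select from the OOS Overview slide keeps load off the dynamic-analysis farm, together with the capacity arithmetic above, as an added Python example (not McAfee NTR code): the whitelist, blacklist, host reputations, signature and samples are constructed, and the cheapest-anchor-first ordering is an assumption about the design rather than something the slides state.

```python
"""Down-select ahead of the dynamic-analysis farm, plus the capacity arithmetic from
the Operational Impact slide. Added example: the anchors, hosts and samples are
constructed, not McAfee data."""
import hashlib
import math
from collections import Counter
from dataclasses import dataclass

# Throughput figures as stated on the slide.
SANDBOX_PER_CORE_PER_HOUR = 10         # dynamic analysis: 10 samples per core per hour
EMULATION_PER_CORE_PER_HOUR = 57_600   # emulation: 57,600 samples per core per hour
SANDBOX_CORES = 32                      # "32 Core System"
EMULATION_CORES = 5                     # "5 Core System"


def daily_capacity(per_core_per_hour: int, cores: int) -> int:
    """Samples one system processes in 24 hours."""
    return per_core_per_hour * 24 * cores


def systems_needed(samples_per_day: int, per_core_per_hour: int, cores: int) -> int:
    """Whole systems for a daily load: round cores up, then round systems up."""
    needed_cores = math.ceil(samples_per_day / (per_core_per_hour * 24))
    return math.ceil(needed_cores / cores)


@dataclass
class Sample:
    """An object a sensor lifted off the wire plus where it came from."""
    name: str
    data: bytes
    source_host: str

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.data).hexdigest()


# Anchors held by the Manager, consulted cheapest first. All values constructed.
WHITELIST: set = set()
BLACKLIST: set = set()
HOST_REPUTATION = {"cdn.good.example": "good", "drop.bad.example": "bad"}
# Fragment of the public EICAR test string, standing in for an AV signature.
SIGNATURES = [b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"]


def down_select(sample: Sample) -> tuple:
    """Return (verdict, anchor). Only 'unknown' goes on to dynamic analysis."""
    digest = sample.sha256
    if digest in WHITELIST:
        return "clean", "whitelist"
    if digest in BLACKLIST:
        return "malicious", "blacklist"
    if any(sig in sample.data for sig in SIGNATURES):
        return "malicious", "signature"
    reputation = HOST_REPUTATION.get(sample.source_host)
    if reputation == "bad":
        return "malicious", "reputation"
    if reputation == "good":
        return "clean", "reputation"
    return "unknown", "none"


def record_feedback(sample: Sample, dynamic_verdict: str) -> None:
    """Feedback loop: a dynamic-analysis result becomes a hash anchor for the next copy."""
    (BLACKLIST if dynamic_verdict == "malicious" else WHITELIST).add(sample.sha256)


def triage(samples: list) -> tuple:
    """Down-select a batch; return (verdict counts, samples still unknown)."""
    counts, unknown = Counter(), []
    for sample in samples:
        verdict, _ = down_select(sample)
        counts[verdict] += 1
        if verdict == "unknown":
            unknown.append(sample)
    return counts, unknown


if __name__ == "__main__":
    batch = [
        Sample("update.bin", b"MZ" + b"\x00" * 64, "cdn.good.example"),
        Sample("eicar.com", b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*", "files.example"),
        Sample("invoice.exe", b"MZ" + b"\x90" * 64, "drop.bad.example"),
        Sample("tool.exe", b"MZ" + b"\x41" * 64, "unrated.example"),
    ]
    counts, unknown = triage(batch)
    print(dict(counts), "->", [s.name for s in unknown], "to dynamic analysis")
    for sample in unknown:                 # sandbox says malicious; next time it is a blacklist hit
        record_feedback(sample, "malicious")
    print("re-run:", dict(triage(batch)[0]))
    for label, rate, cores in (("sandbox", SANDBOX_PER_CORE_PER_HOUR, SANDBOX_CORES),
                               ("emulation", EMULATION_PER_CORE_PER_HOUR, EMULATION_CORES)):
        print(f"{label}: {daily_capacity(rate, cores):,}/day per system; "
              f"100k/day needs {systems_needed(100_000, rate, cores)} system(s)")
```

The point of the ordering is that each anchor is far cheaper than the stage after it: a hash lookup costs microseconds, a signature scan milliseconds, and only what survives all of them consumes sandbox time. The feedback call is what turns one expensive sandbox run into a free blacklist hit for every later copy of the same object.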
Attack Vector
Stages: Reconnaissance, Landing, Escalation, Malware, Impact
Vectors: Browser / browser application, PDF, Java Archive (JAR), JavaScript, Email (spam / spear phishing), Messaging
Landing: maintained malicious page, iframe insertion
Malware: file mismatching, XOR file, packed executable, fake program
Impact: information stealing, command and control, 5D effects
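Static checks for three of the Malware-stage labels on this slide (file mismatching, XOR file, packed executable), as an added Python example that is not part of the presentation: the magic-byte table, the entropy threshold and the header-shaped sample blobs are constructed assumptions, and the XOR check covers only the single-byte wrapper the label most plausibly refers to.

```python
"""Static indicators for the Malware-stage labels on the attack-vector slide:
file-type mismatch, single-byte-XOR-encoded executable, packed executable.
Added example with constructed inputs; the threshold is an assumption."""
import math
from collections import Counter

# Well-known magic bytes for types a sensor sees in web and mail traffic.
MAGIC = {
    "exe": b"MZ",                 # PE/DOS executable
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",         # ZIP container, which is what a JAR is
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
}
# What an extension claims to be, mapped onto the MAGIC type names.
EXT_TYPE = {"exe": "exe", "dll": "exe", "scr": "exe", "pdf": "pdf",
            "zip": "zip", "jar": "zip", "png": "png", "jpg": "jpg", "jpeg": "jpg"}
PACKED_ENTROPY = 7.2  # assumed threshold; packed or encrypted bodies approach 8.0 bits/byte


def detect_type(data: bytes):
    """Type implied by content, or None when no known magic matches."""
    for kind, magic in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def file_mismatch(name: str, data: bytes) -> bool:
    """True when the extension claims a known type but the content is a different known type.
    Unknown extensions and unknown content are not judged."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    claimed, actual = EXT_TYPE.get(ext), detect_type(data)
    return claimed is not None and actual is not None and claimed != actual


def xor_key_for_pe(data: bytes):
    """Known-plaintext attack on a single-byte XOR wrapper: 'M' must sit at offset 0,
    so the key is data[0] ^ 'M'. Confirm with 'Z' and the PE signature at e_lfanew."""
    if len(data) < 0x40:
        return None
    key = data[0] ^ 0x4D
    if key == 0 or data[1] ^ key != 0x5A:   # key 0 is plaintext, left to detect_type
        return None
    plain = bytes(b ^ key for b in data)
    e_lfanew = int.from_bytes(plain[0x3C:0x40], "little")
    return key if plain[e_lfanew:e_lfanew + 4] == b"PE\x00\x00" else None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally common."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_packed(data: bytes) -> bool:
    return shannon_entropy(data) > PACKED_ENTROPY


def indicators(name: str, data: bytes) -> list:
    """All static indicators that fire for one object."""
    hits = []
    if file_mismatch(name, data):
        hits.append("file-mismatch")
    key = xor_key_for_pe(data)
    if key is not None:
        hits.append(f"xor-pe:key=0x{key:02x}")
    if looks_packed(data):
        hits.append("packed")
    return hits


def make_fake_pe(filler: bytes = b"\x00") -> bytes:
    """Constructed header-shaped blob: 'MZ', e_lfanew = 0x40, 'PE\\0\\0', then a body."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\x00\x00" + filler * 128


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


if __name__ == "__main__":
    print(indicators("report.pdf", make_fake_pe()))                       # file-mismatch
    print(indicators("photo.jpg", xor_bytes(make_fake_pe(), 0x5A)))      # xor-pe:key=0x5a
    print(indicators("setup.exe", make_fake_pe(bytes(range(256)))))      # packed
    print(indicators("setup.exe", make_fake_pe()))                        # nothing
```

Note the caveat the entropy check carries: XOR with a single byte permutes byte values without changing their distribution, so an XOR-wrapped file has exactly the entropy of its plaintext and is caught by the known-plaintext check, not by the packer heuristic; conversely a legitimately compressed archive will score high on entropy, so "packed" is a reason to down-select an executable for deeper analysis, not a verdict.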