Advanced Malware Protection

Chris Jordan VP Threat Intelligence

McAfee ConfidentialInternal Use Only

User Attacks
Server-side attacks (scan and exploit) still exist.
The new wave of attacks is user side, strongly related to APT and crimeware, seen through the increase of malware.
User interaction with the Internet is the primary means of lost intellectual property and business disruption: Aurora, Night Dragon, Zeus.
Web gateways provide a basic solution.

NTR is McAfee's Premier APT Solution and User Attack Detection


NTR Architecture

Internet

Sensor

Manager

Services


Sensors

Internet

Local Sensors
NTR Sensors are deployed at the boundaries and exchanges of the network.

The NTR Sensor detects events and objects that need to be reviewed and validated.


Manager

Internet

Manager
Collects data from the sensors and matches analysis to services

The NTR Manager collects alerts and informational events.


Services

Internet

Local Services
File Scanner, Additional AV Checks, Local Reputation and Scanners

McAfee Services
Global Threat Intelligence Database

The NTR Manager uses Internet and Local Services to Validate Events and Objects.


NTR Product Suite

NTR Core Suite
NTR Manager


Sensors

VM ESX 2 Gbps SSU


High Speed Sensors

NTR Services
Global Threat Intel
File Scanner
Anti-Virus Farm
FoundStone Services
Reverse Engineering
Incident Response

CS-4000 (4 Gbps)
CS Blade Center (10g)

Defining Knowledge
File Address URL

Shellcode

Reputation

Heuristics

Obfuscation

Signatures
Vulnerability Policy Threat


OOS Overview
Down Selection Analysis (Validation) Anchors
Signatures / Heuristics

Reputation
address hostname URL

Filtering

Waypoints

DS

file users

PDF

+ reputations

BLACKLIST WHITELIST

feedback


Speed Equals Capacity


Operational Impact
Dynamic Analysis Capacity
Down select is essential to handle load:
10 samples per hour (per core)
32-core system = 7,680 per day
100k samples/day = 416 cores/day = 14 systems (32-core systems)

Emulation

No down select:
5-core system = 80 samples/sec
57,600 samples per hour (per core)
5-core system = 6.9 million per day
100k samples/day = 1 core/day, < 1 system
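The capacity arithmetic behind the dynamic-analysis and emulation figures above, as an added Python example (not from the McAfee deck). Reading the emulation rate as 16 samples/sec per core (80/sec per 5-core system) and the 5% down-select fraction are assumptions made for the example:

```python
import math

HOURS_PER_DAY = 24
SECONDS_PER_DAY = 24 * 60 * 60


def plan(samples_per_day, samples_per_core_per_day, cores_per_system):
    """Cores (fractional) and whole systems needed to keep up with samples_per_day."""
    cores = samples_per_day / samples_per_core_per_day
    return {
        "per_system_per_day": samples_per_core_per_day * cores_per_system,
        "cores": cores,
        "systems": math.ceil(cores / cores_per_system),
    }


def dynamic_analysis_plan(samples_per_day, per_core_per_hour=10, cores_per_system=32):
    """Sandbox capacity from the slide: 10 samples/hour per core on 32-core systems."""
    return plan(samples_per_day, per_core_per_hour * HOURS_PER_DAY, cores_per_system)


def emulation_plan(samples_per_day, per_core_per_sec=16, cores_per_system=5):
    """Emulation capacity from the slide: 80 samples/sec per 5-core system,
    read here as 16/sec per core (the per-core split is an assumption)."""
    return plan(samples_per_day, per_core_per_sec * SECONDS_PER_DAY, cores_per_system)


def downselect_plan(samples_per_day, sandbox_fraction):
    """Emulate every sample, then send only sandbox_fraction of them on to
    dynamic analysis. sandbox_fraction is a constructed planning input, not a
    figure from the slide."""
    emu = emulation_plan(samples_per_day)
    dyn = dynamic_analysis_plan(samples_per_day * sandbox_fraction)
    return {
        "emulation_systems": emu["systems"],
        "sandbox_systems": dyn["systems"],
        "total_systems": emu["systems"] + dyn["systems"],
    }


if __name__ == "__main__":
    print(dynamic_analysis_plan(100_000))  # 14 sandbox systems without down select
    print(emulation_plan(100_000))         # well under one core, so 1 system
    print(downselect_plan(100_000, 0.05))  # 1 emulation system + 1 sandbox system
```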


Attack Vector

Microsoft Security Intelligence Report Volume 11 Worldwide Threat Assessment


Stages

Reconnaissance
Landing
Escalation
Malware
Impact

Email (Spam/Spear Phishing)
Messaging
Maintained malicious page
iframe insertion
Browser / Browser Application
PDF
Java Archive Record (JAR)
JavaScript
Fake Program
Packed Executable
XOR File
File Mismatching
Information Stealing
Command and Control
5D Effects
