FireEye: fighting the new age of cybercrime – Ashar Aziz
What kind of information do hackers want?
Ashar Aziz: Over the last five years, the evolution of malware has been driven by several goals. For some attackers, the main motivation is financial gain. Through their malware, these criminals target financial information such as personal identification, bank logins and credit-card details. More sophisticated criminals conduct cyber-espionage with the goal of accessing information on subjects such as weapons systems or policy planning.
There is also commercial espionage, where there's a clear motivation to steal intellectual property, such as a company's product designs or market research, in order to gain a competitive advantage.
What trends are you seeing in cybercrime and are data breaches on the rise?
We are deployed in many enterprises across every industry and, based on the data we've gathered, we're seeing a ten-fold increase in attacks since 2007, and five times more attacks since 2009 - an upward trend that will continue. When we go to our clients, we often find that over 95% of their networks have already been compromised - and they are unaware of this fact.
There is so much value in digital assets and, given the limitations of the signature-based security technologies in place, it's easy to infiltrate these networks and steal data. Consequently, this information represents a tempting and lucrative target. To respond to the offensives being waged by criminals, organisations need to evolve their security defences.
What are the advanced tactics and weak links you consistently see in organisations?
An attacker's job is to exploit some kind of vulnerability, a weak link in the company's armour. These can be categorised into two areas: human fallibility and software vulnerability. Humans can be deceived and will make faulty decisions that can compromise an organisation's network security - there's no remedy for this. It's the same with software vulnerabilities.
Almost every week, we find new vulnerabilities in applications that are deployed inside enterprise networks. Operating systems, document and video viewers, and office applications have evolved over time and are very complex. As a result, every organisation has a 'back door'.
Attackers will leverage human and software vulnerabilities to infiltrate networks. The high-profile breach of RSA was the exploitation of a mix of human and software vulnerabilities. Often, the human vulnerability will be exploited first; for example, a recruiter evaluating recruiting plans may receive an email that says, "Here is a recruiting plan", and they will open that document, setting the stage for the criminal to exploit a vulnerability in a software component running on the recruiter's system.
Today's advanced attacks are conducted across multiple stages and vectors, including web, email and files. These are coordinated, sophisticated and highly planned. Existing signature-based solutions have no answer to this kind of threat. You need a system that can inspect, detect and block these types of coordinated, sophisticated attacks.
What can organisations do to make sure their critical data stays safe?
First, you need the capabilities for detecting an attack in real time, without having prior information about the attack. Your defences have to work in the absence of signature and pattern matching because attacks are too dynamic.
Second, you must be able to monitor and block attacks across multiple stages of the attack lifecycle, including the initial exploit, malware download and call-back phases. A 360° view of the attack lifecycle will help you to correlate all the stages of an advanced attack.
Third, you need visibility into the different vectors of an attack, which can come in on a web page, email attachment or a file that's been brought into the enterprise network. These all need to be understood in real time and the threat intelligence that is gleaned from these attacks must be correlated so security teams have a complete picture of the threats targeting their networks.
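An added illustration of the second and third points above (example code written for this page, not FireEye's or Ashar Aziz's, and not the Virtual Execution Engine): a small Python correlator that groups per-host events labelled by attack-lifecycle stage (exploit, download, call-back), reports hosts where the stages progress in order within a time window, and records which vectors (web, email, file) were involved. The event format, host names and stage labels are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Lifecycle stages named in the interview, in the order an attack progresses.
STAGES = ("exploit", "download", "callback")
VECTORS = {"web", "email", "file"}

# Constructed sample events (not real telemetry), one per line:
# "<timestamp> <host> <stage> <vector> <free-text detail>".
# Stage labels are assumed to come from behavioural analysis, not signatures.
SAMPLE_EVENTS = """\
2013-05-01T09:00:10 host-a exploit email recruiting_plan.doc spawned a shell
2013-05-01T09:00:42 host-a download web fetched binary from unknown site
2013-05-01T09:03:05 host-a callback web periodic POST to unknown host
2013-05-01T10:15:00 host-b download web fetched binary from unknown site
2013-05-02T11:00:00 host-c exploit file viewer crashed on untrusted file
2013-05-03T11:00:00 host-c callback web periodic POST to unknown host
"""

def parse_events(text):
    """Parse the constructed event lines into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        ts, host, stage, vector, detail = line.split(" ", 4)
        if stage not in STAGES or vector not in VECTORS:
            raise ValueError(f"unexpected event: {line}")
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "stage": stage, "vector": vector, "detail": detail})
    return events

def _record(alerts, host, chain, min_stages):
    """Keep the longest qualifying stage chain seen for a host."""
    if len(chain) >= min_stages and len(chain) > len(alerts.get(host, {}).get("stages", [])):
        alerts[host] = {"stages": [e["stage"] for e in chain],
                        "vectors": sorted({e["vector"] for e in chain})}

def correlate(events, window=timedelta(hours=1), min_stages=2):
    """Return {host: {"stages": [...], "vectors": [...]}} for hosts whose events
    advance through at least `min_stages` lifecycle stages within `window`."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)
    alerts = {}
    for host, evs in by_host.items():
        chain = []
        for ev in evs:
            rank = STAGES.index(ev["stage"])
            in_window = not chain or ev["ts"] - chain[0]["ts"] <= window
            if chain and in_window and rank == STAGES.index(chain[-1]["stage"]):
                continue  # repeated stage (e.g. another beacon) keeps the chain alive
            if chain and not (in_window and rank > STAGES.index(chain[-1]["stage"])):
                _record(alerts, host, chain, min_stages)  # chain broken: flush it
                chain = []
            chain.append(ev)
        _record(alerts, host, chain, min_stages)
    return alerts
```

With the sample events, host-a is reported with all three stages across the email and web vectors, host-b never passes a single stage, and host-c's exploit and call-back fall outside the one-hour window and are not correlated.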
How does FireEye's security architecture work?
We looked at all the structures of these attacks and saw how they entered networks, attempted to exfiltrate information and leveraged unknown vulnerabilities and tactics. Then we examined the right mechanism to detect and block these attacks.
Through this analysis, we developed a next-generation attack detection and analysis engine, the FireEye Virtual Execution Engine. It does a real-time dynamic analysis of specific objects as they traverse network boundaries. Through this analysis, we can determine if there's a threat.