翰海源 VULNHUNT
Nanjing Vulnhunt Information Technology Co., Ltd.
Next generation threat prevention

Attack prevention: key threat elements
• Credibility
• Intention
• Attack prevention capability
• Security threats

Multi-dimension understanding of APT
• A dimension (technical approach axis): the stronger the technical approach, the more asset information leaks, the more hidden the methods and the more continuous the loss.
• T dimension (asset value axis): the more value, the bigger the threat.
• P dimension (time axis): the longer the duration, the easier it is to gain the hook point.
• Key event: gaining an inside hook point.
• A dimension (technical means axis): the stronger the technical means, the quicker the inside hook point is set; the more hidden the means, the more persistent the threat.
• P dimension (time axis): the longer the duration, the bigger the loss.
• 1) APT prevention can be conducted either from a single dimension or through in-depth detection and prevention.
• 2) Strong detection is still needed on every single dimension even with in-depth prevention; no single solution resolves all issues.

Understanding of the P and T dimensions
• The P dimension depends mostly on the A dimension; it depends on intention and capability.
• Before gaining the inside hook point: A and P both serve to gain the inside hook point. A sets the actual time needed on P. A sets the defender's awareness level, and indirectly sets the asset value and exposure loss on P.
• After gaining the inside hook point: P serves to gain further, riskier threats. A sets the duration on P.
• The T dimension depends heavily on the A and P dimensions.
• The T dimension depends on the target asset (A dimension, actual asset) and the duration (P dimension).

Understanding of the A dimension
• Network flow detection confrontation
• Cyber content detection confrontation
• Cyber anti-forensics
• Local carrier detection confrontation
• Local behavior detection confrontation
• Local anti-forensics
• Stealthy escape
• Control and penetration

Defender dilemma: castle on sand
• Security: design-based security; business logic security
• Open-source and non-open-source libraries
• External physical dependency
• External business logic dependency
• Dependency
• Software
• Application
• Side information channel spreading

The development of backdoors: hole in sand
• Traditional backdoor
• Vulnerability
• Weakness
• Function
• Data
• Side communication channel
• Path
• Algorithm
• Root (DNS, domain name)

Development of attacks: digging holes in sand
• Technical confrontation: combined vulnerability attacks, attacks on fewer dimensions, logical vulnerabilities
• Semi-technical confrontation: business and supply dependency, combined technical approaches, trust and dependency hijacking
• Non-technical confrontation: social engineering, condition dependency, mean flow
• New areas: the Internet of Things, industrial control

Unbalanced attack/prevention dimensions (attack side vs. defense side)
• Rapidly changing attack methods vs. fixed product design
• Attacker selects the target vs. cannot satisfy all needs
• Blended attacks vs. single-point defense
• No need to consider ease of use vs. must consider ease of use
• Single-point penetration, then comprehensive attack vs. no related information
• Using non-public or unknown technology vs. using public or known technology

The challenges for defenders
• Lagging signature techniques
• Trojan/virus implanting prevention
• SDL vulnerability prevention? Vulnerabilities have more non-controllable factors; this cannot resolve the backdoor issue.
• Disable the vulnerability utilization path? Complicated paths without theoretical verification; non-technical approaches cannot be handled.
• Virtual execution?
 – Endless attack/prevention confrontation, and attackers have the advantage.
• Big data? Data abuse; a professional operation and maintenance team is needed to catch advanced Trojans.
• Independent development or open source? Capability cannot secure credibility and security.

The challenges for traditional cyber security products when preventing APT attacks
• Capability: based on known characteristics, they cannot determine the unknown; poor detection with lagging, out-of-date techniques; detection limited by balance requirements; no easy-to-use features, so end users need expert guidance.
• Knowledge generation: poor knowledge of attackers' techniques; no output from security-related data; no professional knowledge extraction/analysis capability.
• Response lag: weak deployment of new knowledge; end users need professional response guidance.

Defense from a new perspective
• Lifecycle view, multiple view, big data view.
• Lifecycle view: single-point defense is not effective, and traditional defense is not collaborative. Systematic attack prevention across the lifecycle of one type of attack:
 – Characteristics: known
 – Contents: broad-spectrum scan -> analysis and confirmation
 – Behavior: known + unknown exceptions -> analysis and confirmation
 – Phenomenon: known + unknown exceptions -> analysis and confirmation
• Big data view: big data is the best approach to detect unknown suspicious behaviors.

Thoughts on security detection using big data
• Big data joke: When a statistician passes the airport security check, they discover a bomb in his bag. He explains: "Statistics shows that the probability of a bomb being on an airplane is 1/1000. However, the chance that there are two bombs on one plane is 1/1000000. So, I am much safer..."
• Objective correlation revealed by big data:
 – 1. If the correlation is changed intentionally, big data becomes useless.
 – 2. Cyber security confrontation is very target-oriented, and cyber attacks are intentional.
• Value of using big data:
 – Attackers are not aware during the initialization phase.
 – Prediction of the development of confrontation techniques.
 – Cross-vector confrontation using the accumulated data.

Attack-defense confrontation
• Attack-defense confrontation has already been transformed into a confrontation of information/technology grasping and rapid application deployment.
• Elements: professional analysis and verification; multi-vector local detection; big data mining analysis; rule application; defensive rules.

Vulnhunt approach: multi-vector detection
• Attack vectors: Trojan, hidden channel, vulnerability utilization, social engineering.
• Detection: ID verification, X-ray detection, statistical data analysis; crisis detection (smoke detector, touch alert); monitoring and highly risky behavior detection.

Detection: full lifecycle and in-depth coverage
• APT attacks normally consist of multiple steps and approaches. Forming an in-depth detection system for every APT attack step detects APT attacks to the greatest extent and makes attacks more difficult.
• Attack steps: stealing path, Trojan implanting, social engineering, defect or vulnerability.
• Detection points: detection on the stealing path; attack detection based on vulnerability; detection of Trojan implanting.
• Vulnhunt multi-vector threat detection system.

Vulnhunt approach: multi-vector detection
• Every APT attack detection approach has its own limitations (false positives, ease of use, etc.), hence some attacks will exploit those limitations.
• For every APT attack method, multiple detection approaches form a multi-vector detection system to maximize detection capacity.
In-depth full coverage * multi-vector grid detection system
• Detection layers, applied across vulnerability utilization, Trojan implanting, social engineering and hidden channel:
 – VX behavior analysis: vulnerability-triggered behavior VX analysis; highly risky behavior VX analysis
 – In-depth data content analysis
 – In-depth execution code content analysis
 – Highly suspicious path in-depth analysis
 – Highly risky event signature analysis
 – Signature analysis of known viruses
 – N-day vulnerability signature analysis
• Vulnhunt multi-vector threat detection system.

Multi-vector full-lifecycle threat detection system
• Vulnhunt public cloud: cloud data analysis (attack characteristics/resources/grouping sharing); intelligent analysis of related events (attack confirmation, related suspicious event detection, event trace-back).
• Enterprise private cloud: VX behavior analysis (vulnerability-triggered behavior VX analysis, highly risky behavior VX analysis); in-depth content analysis of highly suspicious paths; in-depth analysis of code execution; in-depth data content analysis.
• Endpoint detection device: signature analysis of highly risky network events; signature analysis of known viruses and Trojans; N-day vulnerability signature analysis.
• Covered vectors: Trojan implanting, vulnerability utilization, social engineering, hidden channel.
• Correlation of static, dynamic and behavior analysis.

Deployment topology
• Mirrored data flow / email data; upgrade server; switch.

Collaborate with a traditional firewall
• Xingyun can work together with a traditional firewall: the firewall focuses on traditional attacks and intrusion prevention, while Xingyun products specialize in APT attack prevention (0-day, variant viruses, advanced Trojans, etc.). They collaborate seamlessly.
• The collaboration between Xingyun products and the firewall forms a complete APT attack response. Xingyun detects the attack and provides information on the attacker, target, path, etc.
• The firewall generates the prevention strategy to stop the intrusion, based on the information provided by Xingyun products (APT -> APT detected -> notify -> generate strategy).

Operation and maintenance at cloud
• Inputs: suspicious sample from the XingYun product, alert record, sample confirmation.
• Is the sample an executable file? If not: non-executable file and no harm -> normal sample.
• If executable, is it harmful? If not: executable file but no harm -> low-risk sample -> normal executable sample library.
• If harmful: harmful sample -> analyze the sample's risk level. Not highly risky: not urgent, instruction provided by phone call. Highly risky sample: urgent notice, call end users to provide instructions; if urgent, on-site professional guidance is needed.
• Harmful samples go into the harmful sample library; their harm characteristics feed data mining and in-depth sample analysis at cloud, yielding new detection clues, new detection algorithms, attacker grouping and attacker resources, which drive library and algorithm upgrades.

Case study: WPS 0-day
• December 2013: Xingyun was the only product in China that captured the WPS APT attacks.
• Attack chain: an IP outside China dials into the Chinese Internet via VPN -> uses an internal email system -> sends phishing emails to government institutions -> Xingyun captures it.
• Once the end user opens the attachment in the phishing email, the host machine is controlled by attackers in the US.
• More details: the phishing email is in Chinese; if the user opens the attachment with Office 2010, it prompts to download WPS 2012, which has the 0-day vulnerability.

Case study: advanced Trojan
• Recently Xingyun captured an advanced Trojan that most antivirus software cannot detect. It acquires its C&C address via a blog.
• Highly suspicious behaviors: disabling UAC, service creation, searching the disk.

Case study: cloud operation and maintenance service
• Work with the customer/vendor to perform the cloud operation and maintenance service; verify and confirm attack events in a very short time. For new attacks, confirmation can take less than 2 hours.
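The cloud O&M triage decisions above, as an added example that is not Vulnhunt's code: a constructed sandbox-style behavior report is scored against the suspicious behaviors the advanced-Trojan case study names and routed to the deck's verdicts (normal, low risk, harmful/not urgent, highly risky/urgent). The weights, the threshold and the sample ids are this example's assumptions.

```python
# Added example (not Vulnhunt's code): walk a suspicious sample through the
# cloud O&M decision points in the deck. Weights, threshold and sample ids are
# this example's assumptions, not values from the presentation.
from dataclasses import dataclass, field

# Behaviors the advanced-Trojan case study calls highly suspicious, with an
# assumed weight each; behaviors not listed add nothing to the score.
SUSPICIOUS_WEIGHTS = {
    "uac_disabled": 3,
    "service_created": 2,
    "disk_search": 1,
    "c2_address_fetched_from_blog": 3,
}
HIGH_RISK_THRESHOLD = 5  # assumed cut-off for "highly risky"

@dataclass
class SampleReport:
    sample_id: str                 # constructed placeholder, not a real hash
    is_executable: bool
    behaviors: list = field(default_factory=list)

def risk_score(report):
    """Sum the assumed weights of the observed suspicious behaviors."""
    return sum(SUSPICIOUS_WEIGHTS.get(b, 0) for b in report.behaviors)

def triage(report):
    """Return (verdict, handling): executable? -> harmful? -> highly risky?"""
    if not report.is_executable:
        return "normal", "non-executable file, no harm: normal sample"
    score = risk_score(report)
    if score == 0:                 # "executable file but no harm"
        return "low_risk", "add to normal executable sample library"
    if score < HIGH_RISK_THRESHOLD:  # harmful, but not highly risky
        return "harmful", "not urgent: instruction provided by phone call"
    return "highly_risky", "urgent notice: call end user, on-site guidance"

def harmful_library(reports):
    """Ids that go to the harmful sample library for data mining at cloud."""
    return [r.sample_id for r in reports
            if triage(r)[0] in ("harmful", "highly_risky")]

# Constructed reports standing in for sandbox output.
SAMPLES = [
    SampleReport("sample-A", False),
    SampleReport("sample-B", True),
    SampleReport("sample-C", True, ["disk_search"]),
    SampleReport("sample-D", True, ["uac_disabled", "service_created", "disk_search"]),
]
```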
Summary: the next generation threat prevention
• Lifecycle in-depth coverage vs. multi-path blended attacks
• Multi-vector detection vs. attack-defense confrontation
• Big data analysis and cloud management vs. quick detection and response to threats
• Product and customer support:
 – Tel: 400-086-9086
 – Email: [email protected]