
ATP Tech Bootcamp

Jürgen Hofmann Systems Engineer


Thorsten Biskup Systems Engineer
Dominic Haussmann Systems Engineer

© Copyright Fortinet Inc. All rights reserved.


Agenda
§  09:00 Start
§  09:00 - 09:15 Welcome - introductions, housekeeping
§  09:15 - 10:00 Fortinet Security Fabric
§  10:00 - 10:30 FortiSandbox
§  10:30 - 10:45 Coffee Break
§  10:45 - 12:15 Integration FSA Live
§  12:15 - 13:30 Lunch
§  13:30 - 14:30 Configuration of the FortiSandbox VMs Live
§  14:30 - 15:30 FSA Adv. 1
§  15:30 - 15:45 Coffee Break
§  15:45 - 16:30 FSA Adv. 2
§  16:30 - 17:00 PoC / Q&A
§  What to watch out for in PoCs
2
Fortinet Security Fabric
Fortinet Facts
§  Founded 2000, HQ Sunnyvale, CA; IPO 2009
§  Over 3.0 million devices shipped
§  100+ offices worldwide
§  #1 unit share worldwide in network security (IDC)
§  4660+ employees
§  $1.31B cash
§  Market leading technology, 40% growth
§  300,000+ customers
§  358 patents, 292 pending

4
But The Evolution of Change Never Stops
(diagram: technology trends and their impact on security)
§  Green: Google's 13 data centers use 0.01% of global power
§  SaaS: on average, companies have 10+ applications running via the Cloud
§  IoT: 35B devices, mostly headless, attaching to the network
§  5G Wireless
§  SDN/NFV: software-defined everything, SD WAN
§  IaaS: security still the No. 1 inhibitor
§  Analytics / Big Data
§  Social
§  Internet 2: bandwidth ever increasing
§  100G: 100 Gbps and UHDTV
§  Virtualization: 80% of data center apps are virtualized
§  Mobile: no control of endpoints (BYOD)
§  Bandwidth: Wi-Fi speeds rival LANs; 100G networks here

5
Security is borderless.
1.  The attack surface has increased
2.  Strategy changes bring new security challenges
3.  There are security holes in existing infrastructure (ATP, unsecured wireless, no dedicated security...)
=> Security is Borderless
(diagram: Campus, Branch Office, Data Center, Remote Office; Endpoint, Mobile, PoS, Mail, FW, LB, SW, IoT, 0-Day)

6
Need a solution which…
1.  …best blocks new threats
2.  …is based on product collaboration to offer both the highest security and visibility!
3.  …best integrates with existing infrastructure
4.  …best adapts to future needs (strategy changes, performance)
(diagram: AV, WAF, AS, API, Wifi, Endpoint, MGMT; FortiWeb, FortiSandbox, FortiGate, FortiMail, FortiDDoS, FortiAPs, FortiSIEM, FortiManager, FortiAnalyzer, FortiClient, Mail Server)

7
SECURITY HAS CHANGED
§  3.2 billion internet users worldwide
§  1.3 billion smartphones shipped per year
§  3 billion new devices through 2020
§  10,000x increase in cyber threats
§  Public cloud market is estimated to reach $191 billion

8
Fortinet Strategy – Security for a New World
Today's challenges: COMPLEX, BORDERLESS, SLOW
SECURITY WITHOUT COMPROMISE: SEAMLESS, INTELLIGENT, POWERFUL

9
Introducing the Fortinet Security Fabric
§  Scalable
§  Aware
§  Secure
§  Actionable
§  Open
(diagram: Global Intelligence and Local Intelligence; Client Security, Alliance Partners, Cloud Security, IoT, Secure LAN Access, Secure WLAN Access, Application Security, Network Security)

10
Scalable from Access to Data Center, IoT to Cloud
§  Single Pane of Glass (Management)
§  Global & Local Security Updates
§  Single Network Operating System
(diagram: tiers Device (WLAN / LAN, Endpoint, Rugged), Access (Distributed Edge, Enterprise Branch), Network (Segmentation, Data Center, Chassis, NSF) and Cloud (Carrier SDN, Private Cloud, IaaS/SaaS, Class Provisioned, Virtual Machine, SDN/NFV, On Demand); platform classes Device >1G, Appliance >5G, Appliance >30G, Appliance >300G, Chassis >Terabit)

11
Maintaining Security for the Network
Comprehensive Security with Full Performance
(diagram: CPU Only vs. Parallel Path Processing (PPP); with PPP, packet processing, policy management and content inspection are optimised across CPU and SoC, deep inspection included)
§  More Performance
§  Less Latency
§  Less Space
§  Less Power

12
Security for the Cloud
Securing Throughout the Cloud Journey
§  Virtualization / Private Cloud: Hypervisor port, SDN - Orchestration Integration, East-West and North-South traffic
§  Public Cloud / IaaS Cloud: On-Demand; NGFW, WAF, Management, Reporting, APT; Connector, API, Flow
§  SaaS Cloud: Proxy, Broker, CASI API

13
Security for Access – Unified Secure Access
1  Infrastructure – On Premise Management
2  Integrated – On Premise Management
3  Cloud – Cloud Management
(diagram: WLAN and LAN access through FortiGate and FortiSwitch)

14
Security Across all of the Network - Global and Local
Threat Intelligence for Security Efficiency
§  Threat Intelligence Exchange, Threat Researchers
§  Services: Vulnerability Management, Web Filtering, Cloud Sandbox, App Control, Antivirus, Anti-spam, Deep App Control, IPS, Web App, Database, Botnet, Mobile Security
§  Advanced Threat Protection: FortiSandbox with FortiClient, FortiGate, FortiMail, FortiWeb, Partner

15
FortiSandbox
APTs and data breaches are the top topics!!

Priority of IT Security Initiatives in 2016

| Initiative | Critical priority | High priority | Moderate priority | Low priority | Not a priority | Critical/High 2016 | Critical/High 2015 |
|---|---|---|---|---|---|---|---|
| Protection/detection for APTs (advanced persistent threats) | 30% | 49% | 16% | 4% | - | 79% | 77% |
| Encryption or DLP | 24% | 51% | 18% | 6% | - | 75% | 67% |
| Next-Generation Firewall | 27% | 44% | 23% | 5% | - | 71% | 75% |
| Internal Network Segmentation security (Zero Trust, internal firewalls) | 24% | 43% | 25% | 4% | - | 68% | N/A |
| Software Defined Network Security | 23% | 45% | 25% | 5% | - | 68% | N/A |
| Privileged user access | 22% | 42% | 27% | 8% | - | 63% | 71% |
| BYOD and IoT management | 15% | 43% | 28% | 9% | - | 59% | N/A |
| Regulating online services (shadow IT) | 20% | 35% | 35% | 8% | - | 55% | 58% |
| Outsourcing security services | 18% | 32% | 28% | 14% | - | 50% | 60% |

Source: IDG Research, January 2016

17
Typical course of a targeted attack
(diagram: attack chain, with the gateway function that should intercept each step)
§  Email with attachment, malicious link in an email, or visit to a malicious website with "active" content -> appears clean -> passes Anti-Spam / Anti-Virus and Web Filtering
§  Malicious website delivers a zero-day exploit -> Intrusion Prevention
§  Exploit drops an unknown file that passes the AV filter -> Gateway Anti-Virus
§  Malware contacts its Command & Control Center -> App Control / IP Reputation
§  Data exfiltration via botnet or hidden email; encrypted communication passes the filters if SSL interception is not enabled
Neither gateway AV nor client AV triggers, because it is a clean (unknown) zero-day exploit.

18
Malware? Goodware? I-don't-know-ware?
99.5 % of malware samples are unique to an organization

Verdict spectrum from Known Good to Known Bad, and the technique covering each range:
§  Known Good – Whitelists, App Signatures, Digitally signed files (FortiGate / FortiMail)
§  Probably Good – Reputation: App
§  Might be Good, Completely Unknown, Somewhat Suspicious – Sandboxing (FortiSandbox)
§  Very Suspicious – Heuristics, Reputation: App, Email, Generic Signatures
§  Known Bad – Blacklists, Signatures (FortiGate / FortiMail)

19
The FortiSandbox as a holistic approach
(diagram: the attack chain from slide 18, now with the Sandbox added as the analysis stage for objects the gateway functions cannot classify)
§  Supposedly clean email -> Anti-Spam / Anti-Virus
§  Malicious link -> Web Filtering
§  Malicious website, zero-day exploit -> Intrusion Prevention
§  Exploit, unknown file passes the AV filter -> Gateway Anti-Virus
§  Malware, Command & Control Center -> App Control / IP Reputation
§  Botnet communication and data exfiltration; encrypted communication passes the filters if SSL interception is not enabled

20
Flexible input methods
•  Devices: FortiMail, FortiGate, FortiWeb and FortiClient can provide the FortiSandbox with samples as part of the Security Fabric.
•  Sniffer / TAP: port mirroring / SPAN ports configured on a switch, TAP device.
•  Network shares: standard CIFS or NFS shares can be inspected.
•  API / On-demand: a JSON API is available to all third party devices. The WebUI is an easy way to post a sample and check the result of the analysis.
•  + 3rd party integration: Carbon Black, ICAP, …
(diagram: Switch, TAP, ICAP, API, FWB, FGT, FCL, FML feeding the FortiSandbox)

21
Flexible deployment methods
standalone – integrated – distributed
(diagram: Campus with FortiClient, FortiGate, Secure Access Point, Switching and FortiSandbox; Data Center / Private Cloud with FortiGate VMX, FortiADC, FortiWeb, Web Server, Email Server, Share, FortiMail, FortiGate and FortiSandbox; Public Cloud with FortiCloud Sandboxing / FortiCloud; Branch Office with FortiClient)

22
FortiMail ATP Integration
»  Attachments or content are transferred to the FortiSandbox for deeper analysis
»  Filtering can be based on file types
»  Mails are held in the queue during the analysis
»  Automatic forwarding or blocking of the mail based on the analysis result
»  Use of the analysis results via dynamic threat DB updates
-> Data is not analysed twice and is therefore also detected faster
(diagram: incoming email -> FortiMail; attachment/content is sent to the Sandbox; 5-stage analysis on the FortiSandbox; feedback with risk rating)

23
FortiMail ATP Integration

Extended integration
§  Granular configuration
»  Individual scan timeout (6-360 mins)
§  File filtering
»  Selection of the file types to be scanned
»  Adding file types
§  Malicious URI scanning
»  Choose whether all mails or only suspicious ones are scanned
»  Choose whether all URIs or only unknown ones are scanned

24
FortiMail ATP Integration

Extended integration
§  AntiVirus action configurable according to the risk rating returned by the Sandbox
»  High or medium risk -> e.g. mail into the system quarantine, or delete the mail or the attachment
»  Low risk -> e.g. mail into the user quarantine

25
FortiGate ATP Integration

§  Filter the file out of the traffic stream
»  Extracts the file from the (possibly SSL-encrypted) data stream
»  Uses the AV profile – flow (full) and proxy mode
§  File transfer to the Sandbox
»  The FortiGate only transfers supported file types
»  Filtering is done by the FGT AV engine
»  File types can be put on a whitelist manually to save bandwidth and performance on the Sandbox
(diagram: file transfer FortiGate -> FortiSandbox)

26
FortiGate ATP Integration

FortiGate <- FortiSandbox Integration
§  Status Reporting
»  Status summary on the dashboard
»  Analysis report via FortiView drill down (FortiView FortiSandbox Viewer)
(diagram: status report FortiSandbox -> FortiGate)

27
FortiGate ATP Integration
FortiGate <- FortiSandbox Integration
§ Threat Protection Updates
» Periodic push update to all devices registered with the FSA
» Malicious file checksum DB
» Malicious URL list
-> Files and URLs that have already been analysed can now be blocked company-wide!
(diagram: dynamic threat DB update)

28
FortiGate - ATP Integration

FortiGate -> Network
§ IP-based quarantine
» The traffic of an infected system is temporarily blocked at the FortiGate
» This prevents further malware downloads and the exfiltration of data.
» The administrator can release the client again via the "User Quarantine Monitor"
(diagram: network quarantine)

29
FortiGate - FortiClient ATP Integration

FortiGate -> FortiClient Integration
§ Endpoint Control / host quarantine
» Manual FortiClient quarantine via FortiView right-click
» The host can then only establish a direct connection to the FortiGate
» The administrator can release the client via the "User Quarantine Monitor"
(diagram: host quarantine)

30
FortiClient ATP Integration

FortiClient -> FortiSandbox Integration
§ Send file to the Sandbox
» Optionally, the file can be blocked for the user until the analysis is complete
(diagram: file transfer)

31
FortiClient ATP Integration

FortiClient -> FortiSandbox Integration
§ Status feedback
» Files marked as "Malicious" are moved to quarantine.
§ Threat Protection Updates
» The client receives periodic updates from the FortiSandbox for files that have already been analysed.
(diagram: file status report, dynamic threat DB update)

32
FortiWeb ATP Integration

File upload to the web server
» Uploads to web applications are sent to the FortiSandbox for extended analysis
» The FortiWeb is informed of the analysis results
» Suspicious files are blocked accordingly, and identical files are treated the same way in future without further analysis.
(diagram: file is sent to the Sandbox; 5-stage analysis on the FortiSandbox; feedback with risk rating to block the file)

33
The holistic Fortinet ATP solution
(diagram: FortiWeb, FortiMail, FortiGate and FortiClient around the FortiSandbox, with real-time engine and intelligence updates)
1   File is transferred to the Sandbox
2   Status report with the analysis result
3   Status report for the "auto File Hold" & "Quarantine" functions
4   Sandbox pushes a threat DB update (files & URLs)
5a  Enforcement of host quarantine
5b  Enforcement of network quarantine

34
Fortinet Security Fabric – Example ATP
(diagram in three stages: a sample from the Malware Server reaches the FortiSandbox, which scans it and returns a risk rating; FortiWeb, FortiMail, FortiGate and FortiClient then block it, including for a FortiClient outside the network)

35-37
FortiSandbox – 5 stages for optimal performance

Anti-Malware Prefilter     •  proactive anti-malware engine scan
Sandbox Community Cloud    •  optional, hash-based cloud check
Code Emulation             •  pre-emulation of scripting and macros, code interpreter incl. timer query
Full Virtual Sandbox       •  code execution in the VM*
Call Back Detection        •  detection of calling-home activity, also without Internet access

* Includes all necessary Microsoft Windows & Office licenses
38
What do we see in the Sandbox?

39
FortiSandbox Details
(diagram: Network Traffic -> Objects for Inspection -> Ratings and Updates)

1. Protocol support
•  FortiGate Integrated: HTTP, SMTP, POP3, IMAP, MAPI, FTP, SMB, IM and SSL encrypted equivalents
•  Stand-alone: HTTP, FTP, POP3, IMAP, SMTP, SMB
•  FortiMail Integrated: SMTP
•  FortiClient Integrated: All

2. File type support
•  AV Prefilter: all
•  Full Sandbox: as follows
   ✓  Archived: .tar, .gz, .tar.g, .tgz, .zip, .bz2, .tar.bz2, .bz, .tar.Z, .cab, .rar, .arj
   ✓  Executable: PE, .dll, .scr
   ✓  File: PDF, Office, SWF, Google APKs
   ✓  URLs

3. Operating Environment
•  Code emulation: OS-independent
•  Sandbox: Windows XP, 7, 8, 10, Android, IE, Adobe, Office 2007, 2010, Custom VM

40
Fabric Attribute: Global and Local Security
§  Threat Intelligence Exchange, Threat Researchers
§  Services: Vulnerability Management, Web Filtering, Cloud Sandbox, App Control, Antivirus, Anti-spam, Deep App Control, IPS, Web App, Database, Botnet, Mobile Security
§  Advanced Threat Protection: FortiClient, FortiGate, FortiMail, FortiWeb, Partner

41
Independently tested and award-winning Sandbox
(diagram: awards 2014, 2015)

42
Independently tested and award-winning Sandbox
Nowhere to Hide
100% Exploit and Evasion Detection
Fortinet Security Fabric
NSS Recommended Breach Detection
Highlights
§  3rd annual BDS Test, 3rd NSS recommendation
for Fortinet FortiSandbox
§  FortiSandbox Appliance (with FortiClient),
FortiSandbox Cloud (and FortiGate) recommended
§  100% detection of exploits and evasions,
99%+ overall effectiveness
§  Exceptional Time to Detection at an average of
4.1 minutes by FortiSandbox Cloud
§  10Gbps real-world throughput by FortiSandbox 3000D,
1 Gbps by FortiGate + FortiSandbox Cloud
§  Fortinet NGFW, DCIPS, WAF, and EPP, also
NSS Recommended along with BDS
43
FortiSandbox options

§ flexible solution – Cloud – VM-based - Appliances / Cluster

| Model | VMs |
|---|---|
| FortiSandbox Cloud | NA |
| FortiSandbox VM | 2+ |
| FortiSandbox 1000D | 8 |
| FortiSandbox 3000D | 28 |

44
FortiSwitch
FortiSwitch Family
(diagram: models arranged by tier, uplink speed and port count: 8, 24, 32 and 48 ports)
§  Data Center, 40G: FSW-3032D
§  Data Center, 10G: FSW-1024D, FSW-1048D
§  Secure Access, 1G, FL Stacking: FSW-524D, FSW-524D-FPOE, FSW-548D, FSW-548D-FPOE
§  Secure Access, 1G: FSW-424D, FSW-424D-POE, FSW-424D-FPOE, FSW-448D, FSW-448D-POE, FSW-448D-FPOE
§  Access, 1G: FSW-224D-POE, FSW-224D-FPOE, FSW-248D-POE, FSW-248D-FPOE, FSW-124D, FSW-124D-POE, FSW-108D-POE, FSW-80-POE

46
VLAN Assignment

1.  Create the VLAN interface under the interface dedicated to the FortiSwitch
2.  Assign it to FortiSwitch ports

47
Ready to apply FortiGate Top Class Security

§ Security Policy

48
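The two VLAN assignment steps above and the security policy the next slide refers to, written out as FortiGate CLI. This is an added example, not from the deck: the VLAN name, VLAN ID, address, switch serial and port are placeholders chosen here, and the policy references the built-in "default" AV profile by name only.

```fortios
# Added example (not from the deck). Placeholders: vlan10, 10.10.10.0/24,
# FSW-SERIAL-PLACEHOLDER, port1, wan1.

# Step 1: VLAN interface on the FortiLink interface dedicated to the FortiSwitch
config system interface
    edit "vlan10"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
        set interface "fortilink"
        set vlanid 10
    next
end

# Step 2: assign the VLAN to a FortiSwitch port (native VLAN of the access port)
config switch-controller managed-switch
    edit "FSW-SERIAL-PLACEHOLDER"
        config ports
            edit "port1"
                set vlan "vlan10"
            next
        end
    next
end

# Slide 48: a security policy for the VLAN with the AV profile that hands
# unknown files to the FortiSandbox (the profile is referenced by name only)
config firewall policy
    edit 0
        set name "vlan10-to-wan"
        set srcintf "vlan10"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set nat enable
    next
end
```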
FortiSandbox Appliance vs. FortiSandbox Cloud
Fortinet European Datacenter (ISO27001:2005 certified)

https://europe.forticloud.com

50
Overview
§  Choosing between FortiSandbox Appliances and the FortiSandbox Cloud
»  Are there FortiGates deployed in the environment? How many?
»  Is FortiMail deployed in the environment?
»  Have they deployed a FortiWeb WAF?
»  Are they using a FortiGate or EMS to manage FortiClient EPP?
»  Do they have a CarbonBlack Enterprise Protection server?
»  Are there Network Share Scanning and/or Network Malicious Activity Detection requirements?
»  Does the security team need detailed incident response information?
»  Are forensic tools or forensic reporting required?

§  Choosing the right solution for the customer depends on the feature requirements, the size of the customer, forensics and reporting requirements and the tools required by the security team.

51
Advantages of the FortiSandbox Cloud Solution

§ No additional hardware


§ No upgrade effort in cloud, it just happens
§ Faster analytics for unknown files if already submitted by another
FortiSandbox Cloud user
§ TCO can be lower for smaller companies
§ Less of a performance hit on FortiGate
»  If file was submitted by another FortiSandbox Cloud user the file will not
need to be uploaded to the sandbox.

52
Considerations when using the FortiSandbox Cloud
§  Bandwidth cost/impact uploading to cloud
§  Potential data privacy issues/concerns
§  No upgrade control in cloud
§  Sample submission rate limits
§  15 minute update intervals
§  Reporting / Sorting / Less details in the verdict report
§  Less forensics – no PCAP or Screen Capture
§  Integration only with FortiGate (FGT) and/or FortiMail (FML)
§  Subscription License per (FGT/FML) / year

53
Advantages of the FortiSandbox Appliances
§  Integrated with FortiGate and / or Sniffer configuration.
»  Detect malicious traffic east / west as well as north / south. IPS Engine / Signatures
§  FortiMail Secure Email Gateway (SEG) integration (both Cloud and Appliance support)
»  Checks file/URI reputation before submitting file for sandboxing.
»  Temporarily holds messages until FSA determines risk rating - then quarantine or deliver.
§  FortiWeb Web Application Firewall (WAF) Integration
»  Detect malicious file uploads
§  FortiClient Integration
»  File submission of Internet files, network share and removable media. Hold file execution until a verdict is received (configurable).
§  CarbonBlack Enterprise Protection integration
»  Files are submitted by the Bit9 server to FortiSandbox for analysis.
§  Updates to integrated devices every five minutes
§  On Demand file/URI scanning
§  Scheduled Network Share Scanning – CIFS or NFS
§  REST API for submission or extracting information
§  URL Sandboxing – Sniffer, On Demand and/or through REST API
§  Scan Profiling to tune submissions for larger environments
§  TCO can be lower for larger companies

54
FortiSandbox Appliances / FortiSandbox Cloud Feature Matrix
Deployment

| Deployment Options | FortiSandbox Appliance | FortiSandbox Cloud |
|---|---|---|
| Onsite Deployment - Centralized or Distributed | X | |
| Multiple Appliance Options - 1000D, 3000D and FSA-VM | X | |
| FortiGate Integration | X | X |
| FortiMail Integration | X | X |
| FortiClient Integration | X | |
| FortiWeb Integration | X | |
| FortiAnalyzer Integration | X | X* |
| FortiManager Integration | X | X* |
| CarbonBlack Enterprise Protection | X | |
| Daily Submission limit | No Limit | Up to 150K per day |

* Through FGT Integration

55
FortiSandbox Appliances / FortiSandbox Cloud Feature Matrix
Detection

| Detection Capabilities | FortiSandbox Appliance | FortiSandbox Cloud |
|---|---|---|
| File Based Detection | X | X |
| Device Input – FortiGate/FortiMail | X | X |
| Device Input – FortiWeb/FortiClient | X | |
| Device Input – CarbonBlack Enterprise Protection | X | |
| Sniffer Input via TAP or Mirror/Span Port | X | |
| Network Share Input (File Share Scanning CIFS & NFS) | X | |
| On Demand Scanning (manual upload of suspicious files) | X | |
| API Input (REST API) | X | |
| Network Detection via Sniffer | X | |
| Attack Detection via IPS Engine & Sniffer Configuration | X | |
| BotNet Detection | X | |
| URL Detection - Host Traffic to Malicious Sites | X | |
| URL Detection - REST API Integration for Web Scanning | X | |
| Ability to Scan Web URLs for Malicious files through REST API | X | |
| On Demand Scanning (manual upload of URL List) | X | |

56
FortiSandbox Appliances / FortiSandbox Cloud Feature Matrix
File Type and Protocol Support

| Profiling, File Type and Protocol Support | FortiSandbox Appliance | FortiSandbox Cloud |
|---|---|---|
| Scan Profiling: | | |
| Ability to Tune Scanning to Environment | X | |
| Adobe Reader Versions 8,9,10,11 - enable or disable scanning of each version | X | |
| Microsoft Office 2007, 2013 - enable or disable scanning of either version | X | |
| Adobe Flash with IE 7,8,9,10 - enable or disable scanning of each version | X | |
| File Type Support: | | |
| A/V & CPRL Pre-Filter support all file types regardless of Operating System | X | X |
| Virtual Machine Sandboxing: | X | X |
| Archived: .7z, Z, xz, tar, .gz, .tar.g, .tgz, .zip, .bz2, .bz, .tar.Z, .cab, .rar, .arj | X | X |
| Executable: .exe, .dll, PDF, Office, JS, VBS, BAT, PS1, JAR, MSI | X | X |
| Media: .avi, .mpeg, mp3, mp4 | X | X |
| Protocol Support: | | |
| FortiGate Integrated: HTTP, SMTP, POP3, IMAP, MAPI, FTP, SMB, IM and SSL and encrypted equivalent | X | X |
| Stand-alone: HTTP, FTP, POP3, IMAP, SMTP, SMB | X | |
| FortiMail Integrated: SMTP | X | X |

57
FortiSandbox Appliances / FortiSandbox Cloud Feature Matrix
Alerting, Reporting, Monitoring

| Alerting, Reporting, Monitoring and Logging | FortiSandbox Appliance | FortiSandbox Cloud |
|---|---|---|
| Alerting: | | |
| Detailed Alerting with Source & Destination, Protocol, File Name + Forensic / Incident Response Info | X | |
| Summary Email Alerting with Source & Destination, Protocol, File Name | X | X |
| Reporting: | | |
| Scheduled Summary and Threat Detail Reporting delivered via Email | X | |
| On Demand Summary and Threat Detail Reporting by Date Range | X | |
| Filtering and Search capabilities - granular drill down and export to detailed report in .PDF format | X | |
| File Submission Summary Web View | X | X* |
| Limited Daily Canned Report | X | X* |
| Filter by Rating (Malicious, Suspicious - Low, Medium, High Risk, Clean) | X | X* |
| Monitoring: | | |
| At a Glance View Submission by Device (easily see if one site is submitting more than others) | X | |
| Separate Views for Each Device (not reportable or monitored in aggregate) | X | X* |
| Consolidated or Separate views of Input by Device, Network, Sniffer, or On Demand submission | X | |
| Logging: | | |
| Syslog to Remote Log Server | X | X** |
| FortiAnalyzer | X | X** |
| Common Event Format to Remote Log Server | X | |

* FortiGate only
** Through FortiGate Integration

58
FortiSandbox Appliances / FortiSandbox Cloud Feature Matrix
Mitigation

| Mitigation | FortiSandbox Appliance | FortiSandbox Cloud |
|---|---|---|
| URL and Malware packages update from FSA – FortiGate | X | X |
| Malware packages update from FSA – FortiClient | X | |
| File/URI status query and/or file/URI analysis submission - FortiMail | X | X |
| Automated Host Infection Remediation – CarbonBlack Enterprise Protection | X | |

59
FortiSandbox Appliances / FortiSandbox Cloud Feature Matrix
Forensics, Auditing, 3rd Party Tools

| Forensics, Auditing, 3rd Party Tools | FortiSandbox Appliance | FortiSandbox Cloud |
|---|---|---|
| Forensic / Incident Response Information | X | |
| Source and Destination IP Address for tracking IOC | X | X |
| PCAP, Screen Captures | X | |
| Export Suspicious files for further analysis or inspection by 3rd party applications | X | |

60
Live setup FSA – FML – FGT
Live configuration of the VMs
Deep-Dive Troubleshooting
Advanced Malware Techniques
Malware Techniques Information Resources

§ FortiGuard https://fortiguard.com
»  Threat Response Blog is excellent
§  Easily readable and understandable

§ FortiGuard Threat Intelligence Brief
»  Free weekly summary of current threats
§  High subscription levels from C-level staff
§  Sign up at http://demand.fortinet.com/FortiGuard

§ Cyber Threat Alliance (Threat Intelligence Component of FSA)
»  http://cyberthreatalliance.org/index.html
§ High-Level Data Breach Information
»  http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

65
Sandboxing Evasion Techniques

The typical cat and mouse game!!!

66
Sandboxing Evasion Techniques
§  Saturated, extensively discussed topic in the field!
§  The more a security company discloses its protection techniques, the more vulnerable it becomes!
§  Evasion techniques include, but are not limited to:
»  Logic (time, behavior) bombs:
§  Hard to detect these in sandboxes - the conditions are rarely met in closed environments
§  VM instance typically maintained for a short lifespan
§  Excessive sleep times, N x mouse clicks, scroll to page X, fast mouse movements etc.

67
Sandboxing Evasion Techniques
§  Rootkits & Bootkits
» Rootkits subvert the OS to take control of the system.
» Rootkits can tamper with system output – tampering with the sandbox during boot-up, before the sandbox is ready.
§  Sandbox detection, i.e. the malware wouldn't fire if TRUE!
» Attempts to determine if the environment is VM based (memory, CPU, MAC, NIC, disk… etc.)
» Volume based detection (N x number of network packets)
» Common adware cookies: google, facebook… etc.
§  Windows domain queries
§  Shell code morphing

68
Sandboxing Evasion Techniques

§ Botnet C2 Window
»  non-malicious while waiting for instructions.
§ Network Fast Flux
»  Domain generation algorithms to change the URL/IP that the malware will connect to for C2.
»  A single URL can resolve to different IPs (GSLB) – still a single URL.
»  Multiple IP addresses that store the same commands. Cloned C2... start with the IP#1 command, continue with the IP#2 command.
§ Encrypted Archives & Binary Packers

etc. etc. ... etc. ...

69
Troubleshooting v2.3.3 (build205)
Troubleshooting Areas

§ Connectivity
§ Security Services (Web filter, FortiGuard etc.)
§ Virtual Images
§ Devices and device submission
§ File tracing inside FSA

71
Troubleshooting: Connectivity/ Reachability
FSA Troubleshooting: Connectivity (1)

§  ping
§  tcpdump
§  traceroute

73
FSA Troubleshooting: Connectivity (2)
test-network, which can provide the detailed network condition against 3 domains: www.google.com, fsavm.fortinet.net and go.microsoft.com.

(diagram: what test-network checks from port1)
- ping, tcp/80, tcp/443 (why?)
- DNS: only name resolution, no speed measurement
- http, https
- no speed measurement

74
FSA Troubleshooting: Connectivity (3)
§  The VM Internet Access status on the dashboard should show a green icon (better catch rate)

§  If yellow:
»  In the Scan Policy > General page, "Allow Virtual Machines to access external network through outgoing port3" should be checked
»  A valid gateway should be provided. If no DNS server is set, the system one will be used
»  In the CLI, the test-network command will show the network condition through port3.

75
Troubleshooting: VM Initialization
FSA Troubleshooting: VM Initialization

§  The Windows VM in the Dashboard is showing a yellow icon
§  Sometimes it takes some time to activate, because of:
»  First time (fresh installation)
»  VM version
§  Note: the FSA oftp daemon (responsible for device registrations and submissions) starts after Windows initialization; if "device test connection" is executed before the Windows VM initialization -> CONNECTION FAILURE.
77
FSA Troubleshooting: VM Initialization

§ Logs are your friends… have a look at them....

§ Examples:
»  msg="Failed to clone WIN7X86VM_clone17" itime=1472624546 date=2016-08-31 time=08:22:26 logid=0106000001 type=event subtype=system pri=debug user=system ui=system action=update status=success reason=none letype=4

Ø  Reboot
»  Try to reset the VMs
§  vm-reset CLI

78
FSA Troubleshooting: VM Initialization
§  You check the logs and you see, Msg= “Windows Activation Error, time Out”

§  Take Screen Shot ;)

79
FSA Troubleshooting: VM Initialization

§  Log entry: "Failed to activate WIN7X86VM1 message="Installation ID: 011036048243425236332544839462164671777963470212468040 Error: 0xC004C008 The activation server determined that the specified product key could not be used" Failed to activate WIN7X86VM1 with key GGC2J-Q9M7J-8KKBH-342FP-Q8RCY"

§  Call Microsoft ;)

§  Follow the procedure described in:
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD36441&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=99083803&stateId=0%200%2099085152

80
FSA Troubleshooting: VM Initialization
§  After successful initialization, Windows VM and Office License in Dashboard should show green icon

81
FSA Troubleshooting: VM Initialization
§  Go to the Virtual Machine -> VM Images page and make sure there are installed VM images and that at least one clone is enabled

§  Check that valid Windows license keys are installed

§  Go to Log & Report > VM Events or All Events, and check the logs since the moment of system boot up

82
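As an added example that is not part of the deck, a small Python triage helper for the VM initialization logs discussed on slides 78-82: it parses FortiSandbox event lines of the key=value form shown on slide 78 and maps the three failure messages from slides 78-80 to the action the deck recommends for each. The event lines are constructed for this example around the deck's message texts; the installation ID and product key are placeholders, and the parser assumes that msg="..." is the first field, as in the deck's log line.

```python
"""Triage FortiSandbox VM-initialization event logs.

Added example, not part of the deck. It parses key=value event lines of the
form shown on slide 78 and maps the three failure messages discussed on
slides 78-80 to the action the deck recommends. SAMPLE_LINES are constructed
for this example around the deck's message texts; the installation ID and
product key are placeholders.
"""
import re
from collections import Counter

# Remediation hints as the deck recommends them (slides 78-80).
HINT_CLONE = "VM clone failed: reboot, then try vm-reset in the CLI"
HINT_ACTIVATION_TIMEOUT = "Windows activation timed out: take a screenshot of the VM"
HINT_KEY_REJECTED = "product key rejected (0xC004C008): contact Microsoft, see KB FD36441"

RULES = [
    (re.compile(r"Failed to clone"), HINT_CLONE),
    (re.compile(r"Windows Activation Error, time Out"), HINT_ACTIVATION_TIMEOUT),
    (re.compile(r"Failed to activate .*0xC004C008"), HINT_KEY_REJECTED),
]

# msg="..." comes first and may itself contain quoted text (slide 80), so the
# greedy match stops at the last quote that is followed by another key=value.
MSG_RE = re.compile(r'msg="(.*)"(?=\s+\w+=\S)')
KV_RE = re.compile(r"(\w+)=(\S+)")

SAMPLE_LINES = [
    # taken from slide 78
    'msg="Failed to clone WIN7X86VM_clone17" itime=1472624546 date=2016-08-31 time=08:22:26 '
    "logid=0106000001 type=event subtype=system pri=debug user=system ui=system action=update "
    "status=success reason=none letype=4",
    # constructed around the message on slide 79
    'msg="Windows Activation Error, time Out" itime=1472624600 date=2016-08-31 time=08:23:20 '
    "type=event subtype=system pri=warning",
    # constructed around the message on slide 80; ID and key are placeholders
    'msg="Failed to activate WIN7X86VM1 message="Installation ID: <ID-PLACEHOLDER> '
    "Error: 0xC004C008 The activation server determined that the specified product key "
    'could not be used" Failed to activate WIN7X86VM1 with key XXXXX-XXXXX-XXXXX-XXXXX-XXXXX" '
    "itime=1472624700 date=2016-08-31 time=08:25:00 type=event subtype=system pri=error",
    # constructed benign line that must not be flagged
    'msg="WIN7X86VM_clone3 started" itime=1472624800 date=2016-08-31 time=08:26:40 '
    "type=event subtype=system pri=information",
]


def parse_event(line):
    """Split one event line into a dict of its fields (msg unquoted)."""
    fields = {}
    rest = line
    m = MSG_RE.search(line)
    if m:
        fields["msg"] = m.group(1)
        rest = line[:m.start()] + line[m.end():]
    for key, value in KV_RE.findall(rest):
        fields[key] = value.strip('"')
    return fields


def triage(lines):
    """Return (event, hint) pairs for the events that match a known failure."""
    findings = []
    for line in lines:
        event = parse_event(line)
        for pattern, hint in RULES:
            if pattern.search(event.get("msg", "")):
                findings.append((event, hint))
                break  # first matching rule wins
    return findings


def summarize(lines):
    """Count how often each recommended action applies, for a quick overview."""
    return Counter(hint for _, hint in triage(lines))


if __name__ == "__main__":
    for event, hint in triage(SAMPLE_LINES):
        print(f'{event["date"]} {event["time"]}  {hint}')
```

Feed it the lines exported from Log & Report > VM Events; anything not matched by RULES is left for manual review, which is the safe default for a triage script.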
Troubleshooting: Security Services
FSA Troubleshooting: Security Services (Web filter, Community cloud and FGD… etc.)
Ø  FSA used ports file:
§  http://docs.fortinet.com/uploaded/files/3020/fortinet-communication-ports-and-protocols-54.pdf
(diagram: FSA communication ports; no port override!)

Ø  Some information is missing from this diagram:
§  Hash request on fqsvr.fortinet.net (udp/53).
§  JSON file download / file submission (suspicious) on fqdl.fortinet.net (tcp/443).
§  High availability port numbers (tcp/2015, tcp/2018)
§  Download of Windows packages (fsavm.fortinet.net, tcp/443)
§  Threat intelligence: FortiGuard server (udp/53, udp/8888)

84
FSA Troubleshooting: Security Services (Web filter, Community cloud and
FGD…etc)
test-network provides connection status to FDN, Web
Filtering Service and FSA Community Cloud.

§  Selection based on time zone

85
FSA Troubleshooting: Security Services (Web filter, community cloud and FGD… etc.)
Ø  The FortiGuard or Community Cloud Service icon is yellow:
§  Some firewalls/IPSs are configured to block crafted udp/53 packets.
§  Toggle between ports 53/8888
§  Override the destination server from the output of "testing web filtering service" in the test-network command
§  If you are using a proxy, you need a SOCKS v5 proxy for UDP traffic

86
FSA Jobs Queue Optimization:
hints and best practices
FSA Jobs Queue Optimization
§ Running a file inside a VM (sandboxing) is very expensive in terms of resources (you have a limited number of VMs in the FSA), i.e. 8 VMs in an FSA-1000D, 28 VMs in an FSA-3000D… etc.
§ Job optimization is based on some ideas which are IN ORDER:
1)  Allocate the optimal number of clones of each VM type.
2)  Run a single file on a single VM type (do not make different VM types run the same file)
3)  Minimize the number of files reaching the expensive sandboxing stage (enable prefiltering). Performance vs. security!
4)  Free the hard disk as soon as possible from extra unnecessary data – the FSA is highly dependent on the HDD; more free HDD space -> better performance.

88
FSA Jobs Queue Optimization: which queue is the longest?

89
FSA Jobs Queue Optimization: Number of Clones Allocation
§  Allocate clone numbers of each VM type according to distribution of file types
§  Assuming doc and pdf files only in FSA-1KD

> pending-jobs show all pdf
Source: On-Demand, File type: PDF files, Jobs: 0
Source: File RPC, File type: PDF files, Jobs: 0
Source: Device, File type: PDF files, Jobs: 212
Source: Sniffer, File type: PDF files, Jobs: 0
Source: Adapter, File type: PDF files, Jobs: 0
Source: Network Share, File type: PDF files, Jobs: 982
Source: URL On-Demand, File type: PDF files, Jobs: 0
Source: URL RPC, File type: PDF files, Jobs: 0
Source: URL Device, File type: PDF files, Jobs: 0
Source: URL Adapter, File type: PDF files, Jobs: 0
Total Jobs: 1194

> pending-jobs show all doc
Source: On-Demand, File type: Microsoft Office files (Word, Excel, PowerPoint files etc), Jobs: 0
Source: File RPC, File type: Microsoft Office files (Word, Excel, PowerPoint files etc), Jobs: 0
Source: Device, File type: Microsoft Office files (Word, Excel, PowerPoint files etc), Jobs: 49
Source: Sniffer, File type: Microsoft Office files (Word, Excel, PowerPoint files etc), Jobs: 0
Source: Adapter, File type: Microsoft Office files (Word, Excel, PowerPoint files etc), Jobs: 0
Source: Network Share, File type: Microsoft Office files (Word, Excel, PowerPoint files etc), Jobs: 230
Source: URL On-Demand, File type: Microsoft Office files (Word, Excel, PowerPoint files etc), Jobs: 0
Source: URL RPC, File type: Microsoft Office files (Word, Excel, PowerPoint files etc), Jobs: 0
Source: URL Device, File type: Microsoft Office files (Word, Excel, PowerPoint files etc), Jobs: 0
Source: URL Adapter, File type: Microsoft Office files (Word, Excel, PowerPoint files etc), Jobs: 0
Total Jobs: 279

Number of clones to run (pdf) : Number of clones (doc) = 1194 : 279

FSA-1KD (8 clones):
#ofClones to run doc = (279/(279+1194)) * 8 = 1.5  => 2 clones
#ofClones to run pdf = (1194/(279+1194)) * 8 = 6.4  => 6 clones
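The proportional clone allocation worked out above, as an added Python 3 example (not from the deck and not FortiSandbox code): it sums the per-source job counts from `pending-jobs show all <type>` output and splits a model's clone budget across file types with largest-remainder rounding, so the plan always adds up to the model's clone count and no queued file type is left without a clone. The sample capture is constructed from the two listings on this slide; the 8-clone budget is the FSA-1KD figure used above.

```python
import re
from collections import defaultdict

# Constructed sample: the two listings from the slide pasted into one capture.
SAMPLE_OUTPUT = """\
> pending-jobs show all pdf
Source: On-Demand, File type: PDF files, Jobs: 0
Source: Device, File type: PDF files, Jobs: 212
Source: Network Share, File type: PDF files, Jobs: 982
Total Jobs: 1194
> pending-jobs show all doc
Source: Device, File type: Microsoft Office files (Word, Excel, PowerPoint files etc), Jobs: 49
Source: Network Share, File type: Microsoft Office files (Word, Excel, PowerPoint files etc), Jobs: 230
Total Jobs: 279
"""

# One "Source: ..., File type: ..., Jobs: N" line of pending-jobs output.
LINE_RE = re.compile(r"^Source: (?P<source>[^,]+), File type: (?P<ftype>.+), Jobs: (?P<jobs>\d+)$")


def parse_pending_jobs(text):
    """Sum the pending jobs of every file type over all submission sources."""
    totals = defaultdict(int)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            totals[m.group("ftype")] += int(m.group("jobs"))
    return dict(totals)


def allocate_clones(queue, total_clones, min_clones=1):
    """Split total_clones across file types in proportion to their queue length.

    Largest-remainder rounding keeps the sum equal to total_clones; every file
    type with a non-empty queue gets at least min_clones so it is never starved.
    """
    types = [t for t, jobs in queue.items() if jobs > 0]
    if not types:
        return {}
    if total_clones < min_clones * len(types):
        raise ValueError("not enough clones to give every queued file type its minimum")
    total_jobs = sum(queue[t] for t in types)
    ideal = {t: queue[t] / total_jobs * total_clones for t in types}
    alloc = {t: max(min_clones, int(ideal[t])) for t in types}
    # Hand out any clones left over, largest fractional share first.
    by_fraction = sorted(types, key=lambda t: ideal[t] - int(ideal[t]), reverse=True)
    i = 0
    while sum(alloc.values()) < total_clones:
        alloc[by_fraction[i % len(by_fraction)]] += 1
        i += 1
    # If the minimums pushed us over budget, take clones back from the biggest share.
    while sum(alloc.values()) > total_clones:
        alloc[max(types, key=lambda t: alloc[t])] -= 1
    return alloc


def plan_from_output(text, total_clones):
    """Convenience wrapper: pending-jobs capture -> clone plan."""
    return allocate_clones(parse_pending_jobs(text), total_clones)


if __name__ == "__main__":
    for ftype, clones in plan_from_output(SAMPLE_OUTPUT, 8).items():
        print(f"{clones} clone(s) -> {ftype}")
```

Run against the slide's numbers the plan is 6 PDF clones and 2 Office clones, the same as the hand calculation; the `min_clones` floor is what keeps a rarely seen file type from queuing forever when one type dominates the backlog.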

90
FSA Jobs Queue Optimization: file types assignment

§  Associate every file type to only ONE VM type

91
FSA Jobs Queue Optimization: enable pre-filtering


92
FSA Jobs Queue Optimization: Clear Disk for Clean Jobs and
Unnecessary extra storage

Ø  On Scan Policy->General, Only keep jobs with clean rating for a short period.

93
During a POC…..Can you answer the following?
Ø  What do you mean by “Not Assigned files” ?
Ø  Which file type degrades the system performance most? Why?
Ø  Which FSA Model do I need to propose “best option”?

94
Troubleshooting…
Communication between FG/FML and FSA
FSA Troubleshooting: communication between
FortiGate and FSA

Ø  On FortiGate side, make sure FortiSandbox is available by clicking Test Connectivity in FortiSandbox configuration
page

96
FSA Troubleshooting: Communication Between
FortiGate and FSA

Ø  On FortiSandbox side, make sure the FortiGate is Visible and Authorized in Scan Input > Device page.

97
FSA Troubleshooting: communication between
FortiGate and FSA
Ø  On the FortiGate side, run the following CLI commands to see that files are extracted and sent over:

#diagnose debug application quarantine -1    <<- enable quard (quarantine daemon) debug, tracks quard activity
#diagnose debug enable                       <<- show detailed debug messages
#diagnose debug reset                        <<- turn off detailed debug messages
#diagnose test application quarantine 2      <<- show quard summary
#diagnose test application quarantine 7      <<- display the analytics cache
#diagnose test application quarantine 8      <<- flush the analytics cache
#fnsysctl killall quard                      <<- restart the quard daemon

Ø  On the FortiSandbox side, run the following CLI command to see the activity with the FortiGate:

#diagnose-debug device [device-serial-no]    <<- track device communication

98
FSA Troubleshooting: Communication between FortiGate and FSA.

99
FSA Troubleshooting: Communication between Fortigate and
FSA


100
FSA Troubleshooting: Communication between FortiMail and
FSA

101
FSA Troubleshooting: File Submission from FortiMail to FSA

102
FSA Troubleshooting: File Submission from FortiMail to FSA
– FML Side

103
Troubleshooting…
Tracking File/Job inside FSA
FSA troubleshooting: file tracing inside FSA
Ø  In Log & Report > All Events page, put file’s checksum or name in message filter

105
FSA troubleshooting: File tracing inside FSA
Ø  In FortiView > Search page, search file’s name or checksum within a time-range. Then click Show
Detail button to show job’s detailed information

106
MSSP and API Deployments
MSSP Options Available Today – Restricted Admin
§ Per Admin Files/Log View

108
MSSP Options Available Today – VDOM Reports
§ VDOM based reporting

109
MSSP Options Available Today – FortiAnalyzer
§  Using pre-defined reports and flexibility of FortiAnalyzer (or any other SIEM)

110
MSSP Options
§ FortiSandbox Cloud uses the API interface
§ MSSPs options:
»  Provide a portal for customers to submit files
»  Automatically extract files and submit them via the API (non-Fortinet devices)
»  Allow customers Fortinet devices to submit files to their Sandbox cluster
§  New 2.4 feature allows submission control
§  Use ICAP?

111
FortiSandbox JSON API
§ Larger MSSPs prefer to build a
back-end Sandbox cluster and front-
end it with the API
§ FortiSandbox allows JSON API calls
»  Rich feature set for configuration and
information extraction
»  API is enabled by default
§  API access is configurable per admin
»  Reference documentation is only
available on the Fortinet Developer
Network

112
Why use the API?

§ API allows configuration, data extraction and automation without the Web GUI
§ Preferred option for MSSP customers who can create their own
portals and interfaces
§ With the focus on Threat Intelligence, the API allows access to new
threat information that can be consumed by 3rd Party solutions

113
What can I do with the API?
§  Feature rich, but definitely not every feature of the Web GUI
§  Reference Guide lists available options (with necessary flags)
§  2.3 ‘get’ and ‘query’ options:
§  get system information
§  get configurations of sniffer
§  general options, including cloud upload and vm network access settings
§  get scanning statistics for last 7 days
§  get a copy of backed up config file, in base64 format
§  query file's verdict through its sha256 checksum
§  query file's rating through its sha256 checksum
§  query url's rating
§  query job's verdict detail through its job id
§  Get job id list for one submission
§  Get job behavior details for a file
§  Get malware package, malicious URL package or botnet package
§  Get AV-Rescan results
§  Return all installed VM name and their clone number

114
What can I do with the API?

§ 2.3 ‘set’, ‘upload’ and miscellaneous options:


§  set configurations of sniffer
§  set general options, including cloud upload and vm network access settings
§  upload file (on-demand submit)
§  upload url file (on-demand submit)
§  cancel a job submission
§  Register (login) a FGT/FML/(others) device to FSA
§  Delete (actually hide) a device from FSA
§  Download list of SHA256, or SHA1, or MD5, or URL from malware package or URL package
§  Return all installed VM name and their clone number
§  Allow user to add/delete checksums to white/black list
§  Mark a sample as False Negative/False Positive

115
What can I do with the API?

§ 2.3 ‘configure’ options:


§  Configure system hostname
§  Configure system timezone
§  Configure system time and NTP server
§  Configure system interface
§  Configure system DNS
§  Configure system routing
§  Configure system administrator
§  Configure system LDAP
§  Configure system RADIUS
§  Configure system FortiGuard
§  Configure system mail
§  Configure system log server
§  Configure Scan Profile
§  Configure Scan Benign URLs
§  Configure Scan Job Archive
§  Configure Yara Rule
116
How do I call?

§ Example Python (2.7) script


»  Import Modules

117
Who do I call? (Henry Script)
§ Example Python (2.7) script
»  URL Defined at top
»  Test List
§  Only one ‘test’ at a time
»  API Login/Logout configuration

118
File upload example (Henry Script)
§  Enable Test

§  Configure parameters

119
File upload example (Henry Script)
§  Run Test

§  FortiSandbox GUI Logs

§  API Results using submission ID (after changing script parameters)

120
MSSP Caching
§  Try submitting the same file via the API more than once
»  Why wasn’t it rejected even if you had this option enabled?

§  The API isn’t a device
§  MSSPs seem to focus on file caching, but the API does not use the Device cache
§  Each VM maintains its own file cache, which contains up to 20k entries;
however, this is cleared whenever one of the following conditions occurs:
»  Reboot
»  VM re-initialization
»  Rater package update
»  Tracer package update
»  White list/black list update
»  Yara package update
»  URL category change
»  VM clone number change
§  20k entries per VM is still too low for MSSPs; the solution is to use a 2-step API
121
MSSP Caching – 2-Step API (Connor Script)
§  Make use of all the historical data on FortiSandbox before submitting a file
»  e.g. FSA3KD has 8TB total storage capacity (of course not all can be used for files)

§  First API call checks file SHA256 hash, only if the result is ‘unknown’ is the file
submitted to FortiSandbox

122
MSSP Caching – 2-Step API in Action (Connor Script)
§ Change URLs to HTTP submission and configure input file
»  Should be in the same directory as the script

»  First call determines that the file is unknown

»  Second call submits the file


123
MSSP Caching – 2-Step API in Action (Connor Script)
§ File scanned and cached by FortiSandbox

§ Same script run again, this time no submission as rating is ‘clean’
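The login / rating query / upload flow of slides 117-120 and the 2-step caching logic of slides 121-124, as one added Python 3 example. It is not the "Henry" or "Connor" script from the deck and not Fortinet code: the JSON-RPC style envelope (`method`, `params[0].url`, `params[0].data`, `session`, `id`, `ver`) and the url paths `/sys/login/user`, `/scan/result/file` and `/alert/ondemand/upload` are written from memory of the FortiSandbox JSON API and are assumptions to be checked against the Reference Guide on the Fortinet Developer Network for your release. `FakeFsa` is a constructed stub appliance so the block runs offline; `https_transport` is the transport you would plug in against a real unit.

```python
import base64
import hashlib
import json
import urllib.request

# JSON API envelope and url paths as assumed here; confirm field names against the
# FortiSandbox JSON API Reference Guide (FNDN) for your release before use.
LOGIN_URL = "/sys/login/user"
LOGOUT_URL = "/sys/logout"
RATING_URL = "/scan/result/file"        # query a file's rating by checksum
UPLOAD_URL = "/alert/ondemand/upload"   # on-demand file submission


class FsaClient:
    """Minimal session-aware client. `transport` takes the request envelope
    (dict) and returns the parsed JSON reply, so it can be HTTPS or a stub."""

    def __init__(self, transport, user, passwd):
        self._send, self._user, self._passwd = transport, user, passwd
        self._session, self._id = "", 0

    def _call(self, method, url, data):
        self._id += 1
        reply = self._send({"method": method, "params": [{"url": url, "data": data}],
                            "session": self._session, "id": self._id, "ver": "2.0"})
        status = reply["result"]["status"]
        if status["code"] != 0:
            raise RuntimeError(f"{url}: {status['message']}")
        return reply

    def login(self):
        reply = self._call("set", LOGIN_URL, [{"user": self._user, "passwd": self._passwd}])
        self._session = reply["session"]

    def logout(self):
        self._call("set", LOGOUT_URL, [{}])
        self._session = ""

    def file_rating(self, sha256):
        reply = self._call("get", RATING_URL, [{"checksum": sha256, "ctype": "sha256"}])
        return reply["result"]["data"]["rating"]

    def upload(self, content, filename):
        data = [{"file": base64.b64encode(content).decode(),
                 "filename": base64.b64encode(filename.encode()).decode(),
                 "skip_steps": "", "overwrite_vm_list": ""}]
        return self._call("set", UPLOAD_URL, data)["result"]["data"]["sid"]


def two_step_submit(client, content, filename):
    """Step 1: ask for the rating of the SHA256. Step 2: upload only when it is Unknown."""
    sha256 = hashlib.sha256(content).hexdigest()
    rating = client.file_rating(sha256)
    if rating.lower() != "unknown":
        return {"sha256": sha256, "action": "cached", "rating": rating}
    return {"sha256": sha256, "action": "submitted", "sid": client.upload(content, filename)}


def https_transport(base_url):
    """Real transport: POST the envelope to https://<fsa>/jsonrpc (TLS verified by urllib)."""
    def send(envelope):
        req = urllib.request.Request(base_url.rstrip("/") + "/jsonrpc",
                                     data=json.dumps(envelope).encode(),
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return send


class FakeFsa:
    """Constructed stub appliance for offline runs: a file becomes 'Clean' once uploaded."""

    def __init__(self):
        self.known, self.uploads = {}, 0

    def handle(self, env):
        url, data = env["params"][0]["url"], env["params"][0]["data"][0]
        ok = {"code": 0, "message": "OK"}
        if url == LOGIN_URL:
            return {"id": env["id"], "session": "stub-session", "result": {"status": ok, "data": {}}}
        if env["session"] != "stub-session":
            return {"id": env["id"], "result": {"status": {"code": 1, "message": "not logged in"}}}
        if url == RATING_URL:
            rating = self.known.get(data["checksum"], "Unknown")
            return {"id": env["id"], "result": {"status": ok, "data": {"rating": rating}}}
        if url == UPLOAD_URL:
            self.uploads += 1
            sha = hashlib.sha256(base64.b64decode(data["file"])).hexdigest()
            self.known[sha] = "Clean"   # pretend the scan finished with a clean verdict
            return {"id": env["id"], "result": {"status": ok, "data": {"sid": self.uploads}}}
        return {"id": env["id"], "result": {"status": ok, "data": {}}}


if __name__ == "__main__":
    fsa = FakeFsa()
    client = FsaClient(fsa.handle, "admin", "password")   # constructed credentials
    client.login()
    print(two_step_submit(client, b"constructed sample content", "sample.bin"))  # submitted
    print(two_step_submit(client, b"constructed sample content", "sample.bin"))  # cached
    client.logout()
```

The first run submits because the hash is unknown, the second run returns the cached rating without an upload, which is exactly the behaviour the slides show for the two script runs; the rating lookup is what lets an MSSP portal lean on the appliance's full job history instead of the 20k-entry per-VM cache.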

124
What is STIX
§ Structured Threat Information Expression (STIX) is a structured
language for describing cyber threat information so it can be
shared, stored and analysed in a consistent manner
§ TAXII (Trusted Automated eXchange of Indicator Information) is
the main transport mechanism for cyber threat information
represented in STIX. Through the use of TAXII services,
organizations can share cyber threat information in a secure and
automated manner
§ The STIX and TAXII communities work closely together (and in
fact consist of many of the same people) to ensure that they
continue to provide a full stack for sharing threat intelligence
source: stixproject.github.io
125
Download Malware Package in STIX Format (Henry Script)
§  Edit Parameters (Reference Guide)

§  Run Test (‘download file’ is base64 encoded)

126
File upload example (Henry Script)
§  Save ‘download file’ contents into a text file (stix-base64) and convert to XML with the
following command
Linux

Mac – push output to text file and leave


only download file contents

Mac – convert base64 file to text

§  STIX XML or Text File can now be opened

§  This then leads very nicely into the Threat Intelligence conversation
127
Using your STIX file
§ Anomali STAXX server in lab
»  https://anomali.etlab.net:8080/login

»  FortiSandbox hashes now in Threat Feed server

128
IOC/STIX and Threat Feeds
FortiGuard Threat Intelligence

§  Strategic (Readable Reports): threat actors, their intentions, motivations, capabilities, plans, etc.
§  Tactical (Readable Reports or Machine Feed): understanding the Tactics, Techniques and Procedures of the threat actors.
§  Operational (Machine Feed): Indicators of Compromise (IOC) such as IPs, hashes, URLs, domains and any other artifact.

130
Why is it important

131
What is an IOC (Indicator of Compromise)

§ A piece of information that can be used to search for or identify potentially compromised systems
»  Examples
§  IPs / Domains
§  URL
§  File Hash
§  Email Address
§  X-Mailer
§  HTTP User Agent
§  File Mutex

source: C. Harrington, RSA Conference

132
FortiGuard Threat Feed Contents

Our feed contains the following indicators:

§ Domain Watchlist
»  Malicious domains
»  Phishing domains
§ URL Watchlist
»  Malicious URLs
»  Phishing URLs
§ IP Watchlist
»  Open Proxy IPs
»  Suspicious IPs

133
IOC with FortiAnalyzer

[Diagram: FortiGuard TIDB (Malware ID, Malware Domain, Malware URL, Crowd Sourced URLs, …; Daily Threat Intelligence package download; Subscription License) feeds the FortiAnalyzer Detection Engine, which matches it against Logs (Web Filter Logs) for APT Detection and an Actionable Report]
134
IOC with FortiAnalyzer

135
IOC with FortiAnalyzer

136
CTI STIX Feed File Explanation – Malicious Domains
<stix:Indicator id="fortiguard:indicator-d4e86481-ca69-4fba-97f0-627f19932e44"
    timestamp="2016-09-10T12:50:21.926967+00:00" xsi:type='indicator:IndicatorType'>
  <indicator:Title>Malicious domains</indicator:Title>
  <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Domain Watchlist</indicator:Type>
  <indicator:Valid_Time_Position>
    <indicator:Start_Time precision="day">2016-09-10T00:00:00</indicator:Start_Time>
    <indicator:End_Time precision="day">2016-09-13T00:00:00</indicator:End_Time>
  </indicator:Valid_Time_Position>
  <indicator:Observable id="fortiguard:Observable-70c79b9d-98f5-4021-9722-435fa8d9ceb8">
    <cybox:Object id="fortiguard:URI-79c3a400-4fd8-4876-a1ea-6b5fc87b51e9">
      <cybox:Properties xsi:type="URIObj:URIObjectType" type="Domain Name">
        <URIObj:Value>phiprashyngy.enchiladainvesting.com</URIObj:Value>
      </cybox:Properties>
    </cybox:Object>
  </indicator:Observable>
  <indicator:Indicated_TTP>
    <stixCommon:TTP idref="fortiguard:ttp-fdd1ab22-f634-4150-9672-7485e3380841" xsi:type='ttp:TTPType'/>
  </indicator:Indicated_TTP>
</stix:Indicator>

•  Malicious domains
§  Malicious domain indicator
•  Domain Watchlist
§  Part of Domain Watchlist indicator group
•  2016-09-10T00:00:00
§  72-hour sliding window start time when this IOC is active
•  2016-09-13T00:00:00
§  72-hour sliding window end time when this IOC will be re-evaluated to see if it’s still active
•  phiprashyngy.enchiladainvesting.com
§  Domain of this indicator

137
72-Hour Sliding Window Example

abcabcabc.com domain is detected as malicious and active before the next Monday feed release cycle.

§  Monday feed
»  Contains abcabcabc.com (new+active)

§  Tuesday feed
»  Does not contain abcabcabc.com (inferred to be still active)

§  Wednesday feed
»  Does not contain abcabcabc.com (inferred to be still active)

§  Thursday feed
»  If our probes determine that abcabcabc.com is still malicious and active, the feed will contain abcabcabc.com
again
»  If our probes determine that abcabcabc.com is no longer malicious or active, the feed will not contain
abcabcabc.com
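The base64 ‘download file’ conversion (slides 126/127), the indicator fields (slide 137) and the 72-hour sliding window (slide 138), as one added Python 3 example that is neither the deck's script nor Fortinet code. The STIX package is constructed here from the slide's single indicator and base64-encoded in code to stand in for the API's ‘download file’ field; the STIX 1.x / CybOX 2.x namespace URIs are the standard ones. `apply_daily_feed` is my reading of the sliding-window rule as a consumer would implement it: an entry stays on the local watchlist until its End_Time passes, and an entry that is re-listed gets the new window.

```python
import base64
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta

# Standard STIX 1.x / CybOX 2.x namespaces used by the feed excerpt on slide 137.
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "URIObj": "http://cybox.mitre.org/objects#URIObject-2",
    "stixCommon": "http://stix.mitre.org/common-1",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}

# Constructed minimal package wrapping the slide's indicator (a real feed carries many).
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2" xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2" xmlns:stixCommon="http://stix.mitre.org/common-1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.2" id="fortiguard:package-constructed-1">
  <stix:Indicators>
    <stix:Indicator id="fortiguard:indicator-d4e86481-ca69-4fba-97f0-627f19932e44"
        timestamp="2016-09-10T12:50:21.926967+00:00" xsi:type="indicator:IndicatorType">
      <indicator:Title>Malicious domains</indicator:Title>
      <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Domain Watchlist</indicator:Type>
      <indicator:Valid_Time_Position>
        <indicator:Start_Time precision="day">2016-09-10T00:00:00</indicator:Start_Time>
        <indicator:End_Time precision="day">2016-09-13T00:00:00</indicator:End_Time>
      </indicator:Valid_Time_Position>
      <indicator:Observable id="fortiguard:Observable-70c79b9d-98f5-4021-9722-435fa8d9ceb8">
        <cybox:Object id="fortiguard:URI-79c3a400-4fd8-4876-a1ea-6b5fc87b51e9">
          <cybox:Properties xsi:type="URIObj:URIObjectType" type="Domain Name">
            <URIObj:Value>phiprashyngy.enchiladainvesting.com</URIObj:Value>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>
"""
# What the API's 'download file' field looks like: the package, base64-encoded.
SAMPLE_DOWNLOAD_FILE = base64.b64encode(SAMPLE_XML.encode()).decode()


@dataclass
class Indicator:
    id: str
    title: str
    type: str
    value: str
    start: datetime
    end: datetime


def _dt(when):
    """Accept either a datetime or an ISO string such as the feed's Start_Time."""
    return when if isinstance(when, datetime) else datetime.fromisoformat(when)


def decode_download_file(b64_text):
    """The Linux/Mac step of slide 127: base64 'download file' contents -> XML bytes."""
    return base64.b64decode(b64_text)


def parse_indicators(xml_bytes):
    """Pull id, title, watchlist type, observable value and validity window out of each stix:Indicator."""
    root = ET.fromstring(xml_bytes)
    found = []
    for ind in root.iter("{%s}Indicator" % NS["stix"]):
        found.append(Indicator(
            id=ind.get("id"),
            title=ind.findtext("indicator:Title", namespaces=NS),
            type=ind.findtext("indicator:Type", namespaces=NS),
            value=ind.findtext(".//URIObj:Value", namespaces=NS),
            start=_dt(ind.findtext("indicator:Valid_Time_Position/indicator:Start_Time", namespaces=NS)),
            end=_dt(ind.findtext("indicator:Valid_Time_Position/indicator:End_Time", namespaces=NS)),
        ))
    return found


def make_indicator(value, start, hours=72, itype="Domain Watchlist"):
    """Constructed indicator with the feed's 72-hour window, for simulating daily releases."""
    start = _dt(start)
    return Indicator("constructed", itype, itype, value, start, start + timedelta(hours=hours))


def is_active(ind, when):
    return ind.start <= _dt(when) < ind.end


def apply_daily_feed(watchlist, indicators, now):
    """Sliding-window rule: keep an entry until its End_Time passes; a re-listed entry gets the new window."""
    for ind in indicators:
        watchlist[ind.value] = ind.end
    now = _dt(now)
    for value in [v for v, end in watchlist.items() if end <= now]:
        del watchlist[value]
    return watchlist


if __name__ == "__main__":
    for ind in parse_indicators(decode_download_file(SAMPLE_DOWNLOAD_FILE)):
        print(ind.type, ind.value, ind.start, "->", ind.end, "active now:", is_active(ind, datetime.utcnow()))
```

The watchlist simulation reproduces the Monday-to-Thursday story above: the Tuesday and Wednesday feeds do not carry abcabcabc.com, yet it stays listed because its window has not ended; on Thursday it disappears unless the feed lists it again with a fresh 72-hour window.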

138
FortiGuard CTI Feed – Format and Delivery

Feed Format
§  Single feed file containing all indicators
§  Indicators formatted in STIX-v1.2 and mapped with an expiry token
§  Indicators will be based on 72-hour sliding window
§  If other formats are required (eg. CSV, text, etc…), let us know in advance and we can evaluate the possibility to support it

Feed Delivery Mechanism
§  Customer to share PGP public key with Fortinet
§  Feed file will be encrypted with customer’s PGP public key.
§  PGP-encrypted feed file would be sent via email to the customer once a day
§  If other delivery mechanisms are required (HTTPS, SFTP, TAXII, etc…), let us know in advance and we can evaluate the possibility to support it

139
Clustering
FortiSandbox HA and Load-Balancing

[Diagram: HA and LB cluster topologies, each built from a Master, a Primary Slave and Regular Slaves]

141
FortiSandbox HA/LB at a Glance

§  3 types of nodes:
§  Master, Primary and Regular slaves
§  It is possible to have multiple primary slaves
§  Master and Primary Slave can be any type of appliance
§  Recommended FSA-3000D or above
§  Regular Slaves can be any type of appliance
§  Minimum is 2 nodes, maximum is 100 nodes in a single cluster
§  Master distributes and does inspection
§  Primary slave takes over the master and does inspection
§  Regular slaves do inspection only

142
FSA HA Overview: Cluster Node Rules
Master Node

§ Manages the cluster.
§ Distributes jobs.
§ Gathers the results.
§ Interacts with clients. It can also perform normal file scans.
§ All scan configuration done on the master overwrites scan configuration of the nodes

143
FSA HA Overview: Cluster Node Rules
Master Node (cont.)

•  On the Master node, users can
•  Change a slave node's role (Primary and Regular slave)
•  Configure a slave node's network settings
•  Upgrade slave nodes
•  View VM status page of slave nodes
•  Configure FortiGuard settings of slave nodes
•  Configure VM images of slave nodes, such as setting clone numbers of each VM image
•  Configure a Ping server to frequently check the unit's network condition and downgrade itself to a Primary Slave node when necessary to trigger a failover in the cluster.

144
FSA HA Overview: Cluster Node Rules
Slaves Nodes

§ Primary Slave node
»  Perform file scans and report results back to the master node.
»  Keep monitoring the master's condition; if the master node fails, the primary slave will take over as master.
»  The former master will become a primary slave when it comes back up.
§ Slave node
»  Perform file scans and report results back to the master and primary slave.
»  They can also store detailed job information.
»  Slave nodes should have their own network settings (port1, port3, routing… etc) and VM image settings (Clones#, VM Image types… etc).
»  Slave node can be any FortiSandbox model, including FortiSandbox VM.

145
Cluster Internal Communication
Synchronization

Master -> All other Nodes
§  Users
§  Job cleanup schedule
§  Archive server settings
§  FortiGuard page settings
§  Mail server settings
§  Malware package generation settings
§  Black and White lists
§  Yara rules
§  Scan profile settings
§  SNMP settings
§  Widget settings
§  Adapter settings
§  Others (login disclaimers)

Master -> Primary Slave (activated upon fail-over)
§  Sniffer settings
§  Network settings (including DNS, proxy, and routing tables)
§  Scheduled task settings (network share scans, and scheduled report generation)
§  Log server settings
§  Uploaded certificates
§  Devices

146
About the Processing Capacity of the Master

§ Default setting is half of the VMs (50%)
»  Conservative setting for preserving the load balancing capacity
§ hc-master CLI to manually adjust the capacity (%)
> hc-master -l
File scan is enabled with 50 processing capacity
> hc-master -s90
File scan is enabled with 90 processing capacity
§ In order to preserve its load balancing capacity, the recommendation is to remove 1 VM from the master for every 5 VMs on the slaves
147
Finding the Processing Capacity of the Master

§ Same rule for every model (make your own calculation to verify)

Slave Nodes #   Recommended Master Processing Capacity (%)   CLI to adjust
1               80                                           hc-master -s80
2               60                                           hc-master -s60
3               40                                           hc-master -s40
4               20                                           hc-master -s20
5               0                                            hc-master -u

§ The recommendation says that from 5 slave nodes on, the master must be dedicated to load balancing only (i.e. hc-master -u)

148
Processing Capacity of the Cluster
Sizing

§ Files/hour considering the worst case condition (i.e. 3 min per guest VM detonation) and the default processing capacity on the master node (i.e. 50%)

Files/hour = 20 x VMs# x ( N – 0.5 )

149
Processing Capacity per Model
Max. Files/hour, worst case scenario (i.e. 3 min per guest VM detonation)

Nodes   FSA-VM00 (4 VMs)   FSA-1KD (8 VMs)   FSA-3KD (28 VMs)   FSA-3KE (56 VMs)   FSA-35D (8 x 8 VMs)
2       120                240               840                1680               1920
3       200                400               1400               2800               3200
4       280                560               1960               3920               4480
5       360                720               2520               5040               5760
6       440                880               3080               6160               7040
7       520                1040              3640               7280               8320
8       600                1200              4200               8400               9600
9       680                1360              4760               9520               10880
10      760                1520              5320               10640              12160
100     7960               15920             55720              111440             127360
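The master capacity rule of slide 148 and the files/hour formula and table of slides 149/150, as an added Python 3 example that is not from the deck. It makes the two constants in 20 x VMs# x (N – 0.5) explicit (60 minutes over a 3-minute detonation, and the 50% default master capacity) so the same function can be evaluated with the recommended, lower master capacity; `nodes_needed` is my own sizing helper, and `MODEL_VMS` carries the VM counts from the table above.

```python
DETONATION_MINUTES = 3          # worst-case guest VM detonation time assumed by the slides
DEFAULT_MASTER_CAPACITY = 50    # percent of the master's VMs that scan files by default
MAX_NODES = 100                 # cluster maximum from the slides

# VM clone counts per model, taken from the capacity table (FSA-35D: 8 x 8 VMs).
MODEL_VMS = {"FSA-VM00": 4, "FSA-1KD": 8, "FSA-3KD": 28, "FSA-3KE": 56, "FSA-35D": 64}


def master_capacity_percent(slave_nodes):
    """Slide 148 rule: give up one master VM in five, i.e. 20 points of capacity, per slave node."""
    return max(0, 100 - 20 * slave_nodes)


def hc_master_command(slave_nodes):
    """The hc-master invocation that applies the recommended capacity."""
    pct = master_capacity_percent(slave_nodes)
    return "hc-master -u" if pct == 0 else f"hc-master -s{pct}"


def files_per_hour(vms_per_node, nodes, master_capacity=DEFAULT_MASTER_CAPACITY,
                   minutes_per_file=DETONATION_MINUTES):
    """Slide 149 formula 20 x VMs# x (N - 0.5), with the 20 and the 0.5 made explicit."""
    if not 2 <= nodes <= MAX_NODES:
        raise ValueError("a cluster has between 2 and 100 nodes")
    per_vm_per_hour = 60 / minutes_per_file                # 20 for a 3-minute detonation
    scanning_nodes = (nodes - 1) + master_capacity / 100   # N - 0.5 at the 50% default
    return round(per_vm_per_hour * vms_per_node * scanning_nodes)


def capacity_table(nodes=(2, 3, 4, 5, 6, 7, 8, 9, 10, 100)):
    """Recompute the per-model table of slide 150."""
    return {model: {n: files_per_hour(vms, n) for n in nodes} for model, vms in MODEL_VMS.items()}


def nodes_needed(model, demand_files_per_hour, follow_recommendation=False):
    """Smallest cluster of the given model that meets the demand.

    With follow_recommendation=True the master capacity follows master_capacity_percent
    (the master stops scanning from 5 slaves on) instead of the 50% default used by the table.
    """
    vms = MODEL_VMS[model]
    for n in range(2, MAX_NODES + 1):
        cap = master_capacity_percent(n - 1) if follow_recommendation else DEFAULT_MASTER_CAPACITY
        if files_per_hour(vms, n, cap) >= demand_files_per_hour:
            return n
    raise ValueError("demand exceeds a 100-node cluster of this model")


if __name__ == "__main__":
    for model, row in capacity_table().items():
        print(model, row)
    print("FSA-1KD for 1000 files/h:", nodes_needed("FSA-1KD", 1000), "nodes at 50% master capacity,",
          nodes_needed("FSA-1KD", 1000, follow_recommendation=True), "nodes following the recommendation")
```

The two `nodes_needed` answers differ because the table assumes the master keeps scanning at 50%, while the recommendation takes the master out of scanning once there are five slaves; size a PoC cluster with the recommendation, not the table, if load balancing headroom is part of the promise.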

150
Requirements for Building FSA Cluster

§ Same scan environment on all nodes
»  same set of virtual machines
»  same scan profile
§ Interface port3 on all nodes should have a distinct IP address
»  this interface is not synchronized
§ Each node should have a dedicated network port for internal cluster communication

151
Internal Cluster Communication

§  It is not possible to configure more than 1 port for this purpose
§  Hence it is recommended these ports are connected to the same switch to help prevent a split-brain scenario
§  Ports 2015/tcp and 2018/tcp are used, so there shouldn’t be issues building a geographic cluster
§  Internal Communications includes
»  Job dispatching
»  Job result reply
»  Setting synchronization
»  Cluster topology broadcasting
»  Master monitoring

152
Conditions for a Cluster Failover

§ Primary slaves cannot see any heartbeat message from the master, through the HA interfaces
»  primary is down or has rebooted
»  network path failure
§ Health Check
»  Master triggers the fail over when its network condition is bad

153
Link Monitoring

§ Link monitoring for master and primary slaves
§ Criteria
»  Interface
»  Destination IP
»  Service: ICMP/TCP ECHO
»  Interval, threshold
§ When master node detects a link failure from one of the configured health checks, it triggers a cluster failover
154
Master Election Process

§ When failover happens
1.  All primary slaves make sure their network connections + health checks are fine. Those in bad condition reject the master role
2.  If a primary slave was a former master that lost its role without a system reboot/down, it has higher priority
3.  Among the remaining candidates, the one with the latest SN has higher priority

155
Building FSA Cluster
CLI

§ hc-settings
»  configure the unit as an HA cluster mode unit
§ hc-status
»  list the stats of HA cluster units
§ hc-slave
»  add, update, remove a slave unit to/from the HA cluster
§ hc-master
»  turn on/off the file scan on the master node
»  adjust the master’s scan processing capacity
»  remove slave nodes from cluster by its S/N

156
Building FSA Cluster
CLI: hc-settings

> hc-settings -h
Usage: hc-settings -h
-h Help information.
-l List the Cluster configuration.
-sc Set this unit to be a HA-Cluster mode unit.
-t<N|M|P|R> Set this unit to be a HA-Cluster mode unit.
N: N/A
M:Master unit
P:Primary slave unit
R:Regular slave unit
-n<name string> Set alias name for this unit.
-c<HA-CLUSTER name> Set the HA-Cluster name for Master unit.
-p<authentication code> Set the authentication code for Master unit.
-i<interface> Set interface used for cluster internal communication.
-si Set the external IPs for this cluster.
-i<interface> Specify the interface for external communication.
-a<IP/netmask> Specify the IP address and netmask for external communication.
This IP address will be applied as alias IP of the specified interface.
And it must be in the same subnet as the unit IP subnet of the specified interface.

157
Building FSA Cluster
CLI: hc-status

> hc-status -h
Usage: hc-status -h
-h Help information.
-l List the status of HA-Cluster units.

158
Building FSA Cluster
CLI: hc-slave

> hc-slave -h
Usage: hc-slave -h
-h Help information.
-a Add the slave unit to HA-Cluster.
-r Remove the slave unit from HA-Cluster.
-u Update the slave unit information.
-s The master unit IP address.
-p The authentication code of HA-Cluster.

159
Building FSA Cluster
CLI: hc-master

> hc-master -h
Usage: hc-master -h
-h Help information.
-u Turn off file scan on master unit.
-s<10-100> Turn on file scan on master unit
with 10%-100% processing capacity.
-l Display file scan status on master unit.
-r<slave sn> Remove the slave unit from
cluster by its serial number.
160
Building a Cluster
Example with a FSA-3500D

§ Check List (Example)
Cluster Name: FSAHA
Cluster Password: fortisandbox
Network Addresses:
  port1  MGMT  10.210.16.0/24
  port2  OFTP  10.14.0.0/24
  port3  VM    10.15.0.0/24
  port5  HA    10.16.0.0/24
External IP for MGMT: 10.210.16.239
External IP for OFTP: 10.14.0.239
System Default Gateway: 10.210.16.254
Guest VMs Default Gateway: 10.15.0.246
161
Building FSA Cluster
Network Configuration

MASTER
set port1-ip 10.210.16.234/24
set port2-ip 10.14.0.234/24
set port3-ip 10.15.0.234/24
set port5-ip 10.16.0.234/24
set default-gw 10.210.16.254
vm-internet -s -g10.15.0.254 -d8.8.8.8

PRIMARY SLAVE
set port1-ip 10.210.16.235/24
set port2-ip 10.14.0.235/24
set port3-ip 10.15.0.235/24
set port5-ip 10.16.0.235/24
set default-gw 10.210.16.254
vm-internet -s -g10.15.0.254 -d8.8.8.8

REGULAR SLAVE 1
set port1-ip 10.210.16.236/24
set port2-ip 10.14.0.236/24
set port3-ip 10.15.0.236/24
set port5-ip 10.16.0.236/24
set default-gw 10.210.16.254
vm-internet -s -g10.15.0.254 -d8.8.8.8

REGULAR SLAVE 2
set port1-ip 10.210.16.237/24
set port2-ip 10.14.0.237/24
set port3-ip 10.15.0.237/24
set port5-ip 10.16.0.237/24
set default-gw 10.210.16.254
vm-internet -s -g10.15.0.254 -d8.8.8.8

REGULAR SLAVE 3
set port1-ip 10.210.16.238/24
set port2-ip 10.14.0.238/24
set port3-ip 10.15.0.238/24
set port5-ip 10.16.0.238/24
set default-gw 10.210.16.254
vm-internet -s -g10.15.0.254 -d8.8.8.8

162
Building FSA Cluster
Cluster Configuration

Master:
hc-settings -sc -tM -nMaster -cFSAHA -pfortisandbox -iport5
hc-settings -si -iport1 -a10.210.16.239/24
hc-settings -si -iport2 -a10.14.0.239/24

Primary Slave:
hc-settings -sc -tP -nPrimarySlave -cFSAHA -pfortisandbox -iport5
hc-slave -a -s10.16.0.234 -pfortisandbox

Regular Slave 1:
hc-settings -sc -tR -nRegularSlave1 -cFSAHA -pfortisandbox -iport5
hc-slave -a -s10.16.0.234 -pfortisandbox

Regular Slave 2:
hc-settings -sc -tR -nRegularSlave2 -cFSAHA -pfortisandbox -iport5
hc-slave -a -s10.16.0.234 -pfortisandbox

Regular Slave 3:
hc-settings -sc -tR -nRegularSlave3 -cFSAHA -pfortisandbox -iport5
hc-slave -a -s10.16.0.234 -pfortisandbox

163
Building FSA Cluster
Cluster Status

hc-status -l
Status for all units in cluster: FSAHA
--------------------------------------------------------------------------------
SN Type Name IP Active
FSA35D3R16000007 Master Master 10.16.0.234 1 second ago
FSA35D3R16000008 Primary Slave PrimarySlave 10.16.0.235 0 second(s) ago
FSA35D3R16000009 Regular Slave RegularSlave1 10.16.0.236 6 second(s) ago
FSA35D3R16000010 Regular Slave RegularSlave2 10.16.0.237 6 second(s) ago
FSA35D3R16000011 Regular Slave RegularSlave3 10.16.0.238 6 second(s) ago

hc-status -l
Status of master and primary slave units in cluster: FSAHA
--------------------------------------------------------------------------------
SN Type Name IP Active
FSA35D3R16000007 Master Master 10.16.0.234 1 second(s) ago
FSA35D3R16000008 Primary Slave PrimarySlave 10.16.0.235 1 second(s) ago
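An added Python 3 example (not from the deck and not Fortinet code) that parses `hc-status -l` output like the listing above and flags a cluster that has lost its master or its primary slave, or that has a node whose last heartbeat is older than a threshold. The 30-second default threshold is my own choice; the sample listing is constructed from the slide's output.

```python
import re
from dataclasses import dataclass

# Constructed from the "hc-status -l" listing on the slide.
SAMPLE_STATUS = """Status for all units in cluster: FSAHA
--------------------------------------------------------------------------------
SN Type Name IP Active
FSA35D3R16000007 Master Master 10.16.0.234 1 second ago
FSA35D3R16000008 Primary Slave PrimarySlave 10.16.0.235 0 second(s) ago
FSA35D3R16000009 Regular Slave RegularSlave1 10.16.0.236 6 second(s) ago
FSA35D3R16000010 Regular Slave RegularSlave2 10.16.0.237 6 second(s) ago
FSA35D3R16000011 Regular Slave RegularSlave3 10.16.0.238 6 second(s) ago
"""

# One node row; the Type column contains a space, and the age reads "1 second ago" or "6 second(s) ago".
ROW_RE = re.compile(
    r"^(?P<sn>\S+)\s+(?P<role>Master|Primary Slave|Regular Slave)\s+(?P<name>\S+)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<n>\d+)\s+(?P<unit>second|minute|hour)(?:s|\(s\))?\s+ago$"
)
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600}


@dataclass
class Node:
    sn: str
    role: str
    name: str
    ip: str
    last_seen: int   # seconds since the master last heard from this node


def parse_hc_status(text):
    """Return (cluster name, [Node, ...]) from hc-status -l output."""
    cluster, nodes = None, []
    for line in text.splitlines():
        if "in cluster:" in line:
            cluster = line.rsplit(":", 1)[1].strip()
        m = ROW_RE.match(line.strip())
        if m:
            nodes.append(Node(m["sn"], m["role"], m["name"], m["ip"],
                              int(m["n"]) * UNIT_SECONDS[m["unit"]]))
    return cluster, nodes


def check_cluster(nodes, max_age=30):
    """List of problems; an empty list means the cluster looks healthy."""
    problems = []
    masters = [n for n in nodes if n.role == "Master"]
    if len(masters) != 1:
        problems.append(f"expected exactly one Master, found {len(masters)}")
    if not any(n.role == "Primary Slave" for n in nodes):
        problems.append("no Primary Slave: a master failure cannot be taken over")
    if len(nodes) < 2:
        problems.append("a cluster needs at least 2 nodes")
    for n in nodes:
        if n.last_seen > max_age:
            problems.append(f"{n.name} ({n.sn}, {n.ip}) last seen {n.last_seen}s ago")
    return problems


if __name__ == "__main__":
    cluster, nodes = parse_hc_status(SAMPLE_STATUS)
    print(cluster, [(n.name, n.role, n.last_seen) for n in nodes])
    print("problems:", check_cluster(nodes) or "none")
```

Run from cron against the master's CLI output, this is a cheap way to notice a silently departed regular slave (its jobs are redistributed, but capacity has shrunk) or a cluster that is one failure away from having no node able to take over.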

164
Running Advanced Demos
Demos

§ AV Engine Scan


§ FAZ IOC
§ ICAP
§ Ransomware
§ SCADA

166
What to watch out for in PoCs
Kash’s List
§  Count all the interfaces on your hand (MGT, HA, Port3, Submission)
§  Make it difficult for the competition (talk about deterministic performance)
§  Licensing
§  The curiously interesting case in Hungary
§  “This is the Remote FortiSandbox that you’re looking for….”

§  Basic ATP Fabric Demo (Intro FSA Workshop Lab 1 and 2)


»  Use the Remote FSA3KD
§  Real Malware Samples https://vimeo.com/142383539 (f0rtinet@sandb0x)

168
Alain’s List

§ Get that test plan
§ The smoothest way to use the submit virus process
§ Rubik Cube Tool
§ Detecting Metasploit samples
§ MacOS Scanning

169
Ahmad’s List

§ The missing downloader
»  FSA, You have failed me! AV Scan = Malicious File / FSA VM Scan = Clean File
§ How not to panic when you miss a sample

170
Sizing
Considerations when deploying FortiSandbox Appliances

§  New hardware to manage
»  Upgrades & Patches
»  Hardware lifecycle management
»  Redundancy considerations
»  Sizing & Performance with company growth projections

172
The Right Fit for the Customer
»  Are FortiGates or FortiMails deployed in the environment?
§  If No:
»  The only choice is the FortiSandbox Appliance.
»  FSA can sniff network traffic and detect malicious files & activities.
»  Integrate via SPAN or TAP.
§  If Yes:
»  Cloud:
§  How many FGT/FML? -- Cloud is licensed by each device.
§  If the environment is smaller, then FortiSandbox Cloud may be an option
depending on other features needed.
§  Updates are provided from the global community.
»  Appliance:
§  Each FGT/FML can be configured to point to a central FSA.
§  Standard appliance purchase + FortiCare maintenance.
§  No subscription licensing fee per FGT.
§  Pre-defined API integration with CarbonBlack Enterprise Protection.
§  Updates are provided to the specific company for targeted attacks.

173
What does the Security Team need?
§  What features are needed?

§  FortiGuard Cloud Sandbox is simple file based detection:
»  Email Alerts with Summary Information.
»  High level Reporting Sent Daily, Weekly or Monthly.
»  FortiGuard Cloud Web Portal or Monitor Submitted Files by FGT.
»  Only sees files passing through the FGT/FML.

§  FortiSandbox Appliance is very fully featured:
»  File based Detection + Network Attack / Malicious Activity Detection
»  Detailed Alerting and Flexible Reporting Options.
»  Forensics such as PCAPs, IOC, Screen Captures.
»  Detects in both North/South traffic as well as East/West traffic

174
Sizing – Files per hour!!!

175
