FOUNDED: 2000
HQ: Sunnyvale, CA
IPO: 2009
EMPLOYEES: 4660+
CASH: $1.31B
GROWTH: 40%
CUSTOMERS: 300,000+
PATENTS: 358 (292 pending)
DEVICES SHIPPED: over 3.0 million
OFFICES WORLDWIDE: 100+
#1 UNIT SHARE WORLDWIDE in Network Security (IDC)
MARKET LEADING TECHNOLOGY
But The Evolution of Change Never Stops
FUTURE
Social Internet 2
Bandwidth ever increasing: 100 Gbps and UHDTV
Virtualization: 80% of data center apps are virtualized
Mobile: no control of endpoints (BYOD)
Bandwidth: Wi-Fi speeds rival LANs, 100G networks here
Security is borderless.
Endpoint, Mobile, PoS, IoT, FW in existing infrastructure
Need a solution which…
SECURITY HAS CHANGED
3.2 BILLION INTERNET USERS WORLDWIDE
1.3 BILLION SMARTPHONES SHIPPED PER YEAR
3 BILLION NEW DEVICES THROUGH 2020
10,000x
PUBLIC CLOUD MARKET IS ESTIMATED TO REACH
Introducing the Fortinet Security Fabric
§ Scalable
§ Aware
§ Secure
§ Actionable
§ Open
Fabric elements: Global Intelligence, Cloud, IoT, Secure LAN Access, Application Security, Local Intelligence, Network Security
Scalable from Access to Data Center, IoT to Cloud
Distributed / NSF
Chassis: >Terabit
Appliance: >300G
Appliance: >30G
Appliance: >5G
Device: >1G
Virtual Machine, SDN/NFV, On Demand
Maintaining Security for the Network
Comprehensive Security with Full Performance
Deep Inspection
Less Space
Less Power
Security for the Cloud
Securing Throughout the Cloud Journey
Virtualization / Private Cloud: Hypervisor, Hypervisor Port, SDN - Orchestration Integration
Public Cloud: On-Demand
SaaS Cloud: Proxy Broker, CASI API
Security for Access – Unified Secure Access
1 Infrastructure: On Premise Management
2 Integrated: On Premise Management
3 Cloud: Cloud Management
WLAN: FortiGate
LAN: FortiSwitch
Security Across all of the Network - Global and Local
Threat Intelligence for Security Efficiency
IPS, Web, App Control, Database, Botnet, Deep App Security, Mobile Security, FortiSandbox
Regulating online services (shadow IT): 20% 35% 35% 8% 55% 58%
Source: IDG Research, January 2016
Typical flow of a targeted attack
Both gateway AV and client AV fail to trigger, because the attack uses a clean zero-day exploit.

Attack step -> countermeasure:
» Email with attachment, or malicious link in an email / visiting a supposedly clean website with "active" content -> Anti-Spam / Anti-Virus, Web Filtering
» Zero-day exploit / malicious website -> Intrusion Prevention
» Unknown file passes the AV filter -> Gateway Anti-Virus
» Malware contacts its Command & Control Center -> App Control / IP Reputation
» Data exfiltration via botnet or hidden email -> encrypted communication passes the filters if SSL interception is not enabled
Malware? Goodware? I-don't-know-ware?
FortiGate / FortiMail -> FortiSandbox -> FortiGate / FortiMail
99.5% of malware samples are unique to an organization
The FortiSandbox as a holistic approach

Attack step -> countermeasure (now with the Sandbox in the chain):
» Email with attachment, or malicious link / supposedly clean website -> Anti-Spam / Anti-Virus, Web Filtering, Sandbox
» Zero-day exploit / malicious website -> Intrusion Prevention
» Unknown file passes the AV filter -> Gateway Anti-Virus
» Malware contacts its Command & Control Center -> App Control / IP Reputation
» Botnet communication and data exfiltration -> encrypted communication passes the filters if SSL interception is not enabled
Flexible input methods
• Devices: FortiMail, FortiGate, FortiWeb and FortiClient can provide the FortiSandbox with samples as part of the Security Fabric.
• Sniffer / TAP: port mirroring / SPAN ports configured on a switch, TAP device
• Network shares: standard CIFS or NFS shares can be inspected.
• API / On-demand: JSON API is available to all third party devices. WebUI is an easy way to post a sample and check the result of the analysis.
• + 3rd party integration: Carbon Black, ICAP, …
(Diagram inputs: Switch, TAP, ICAP, API, FWB, FGT, FCL, FML)
Flexible deployment methods: standalone, integrated, distributed
CAMPUS: FortiClient, FortiGate, Secure Access Point, Switching, FortiSandbox
DATA CENTER / PRIVATE CLOUD: FortiGate VMX, Web Server, Share, FortiMail, FortiSandbox
PUBLIC CLOUD: FortiCloud Sandboxing
BRANCH OFFICE: FortiGate, FortiClient
FortiMail ATP Integration
» Attachments and content are transferred from FortiMail to the FortiSandbox for deeper analysis
FortiMail ATP Integration
Extended integration
§ Granular configuration
» Individual scan timeout (6-360 mins)
§ File filtering
» Selection of the file types to scan
» Adding file types
§ Malicious URI scanning
» Choose whether all mails or only suspicious ones are scanned
» Choose whether all URIs or only unknown ones are scanned
FortiMail ATP Integration
Extended integration
§ AntiVirus action configurable according to the risk rating returned by the sandbox
» High or medium risk -> e.g. mail to the system quarantine, or delete the mail or the attachment
» Low risk -> e.g. mail to the user quarantine
FortiGate ATP Integration
FortiGate ATP Integration: Status Report
FortiGate ATP Integration
FortiGate <- FortiSandbox Integration (dynamic Threat DB update)
§ Threat Protection Updates
» Periodic push update to all devices registered with the FSA
» Malicious file checksum DB
» Malicious URL list
-> Files and URLs that have already been analysed can now be blocked enterprise-wide!
FortiGate - ATP Integration
FortiGate -> Network (network quarantine)
§ IP-based quarantine
» Traffic from an infected system is temporarily blocked at the FortiGate
» This prevents the download of further malware and the exfiltration of data.
» The administrator can release the client again via the "User Quarantine Monitor"
FortiGate - FortiClient ATP Integration
FortiClient ATP Integration
FortiClient -> FortiSandbox Integration (file transfer)
§ Send file to the sandbox
» Optionally the file can be blocked for the user until the analysis is complete
FortiClient ATP Integration
FortiClient -> FortiSandbox Integration
§ Status feedback (file status report)
» Files flagged as "Malicious" are moved to quarantine.
§ Threat Protection Updates (dynamic Threat DB update)
» The client receives periodic updates from the FortiSandbox for files that have already been analysed.
FortiWeb ATP Integration
informs
The holistic Fortinet ATP solution
1 File is transferred to the FortiSandbox
2 Status report with the analysis result
3 Status report for the "auto File Hold" & "Quarantine" functions
4 Sandbox transmits the Threat DB update
5a Enforcement of the host quarantine
5b
Fortinet Security Fabric – Example ATP
Components: FortiSandbox, FortiWeb, FortiMail, Mailserver, FortiGate, FortiClient, Malware Server
Slide 1: FortiSandbox returns feedback with a risk rating ("Scanned!"); the mail is blocked at FortiMail ("Blocked!")
Slide 2: the connection is blocked at the FortiGate ("Blocked!")
Slide 3: FortiClient (outside the network) blocks the connection to the Malware Server ("Blocked!")
FortiSandbox – 5 stages for optimal performance
FortiSandbox Details
Network Traffic
Fabric Attribute: Global and Local Security
IPS, Web, App Control, Database, Botnet, Deep App Security, Mobile Security
Advanced Threat Protection
Independently tested and award-winning sandbox
2014 2015
Independently tested and award-winning sandbox
Nowhere to Hide
100% Exploit and Evasion Detection
Fortinet Security Fabric
NSS Recommended Breach Detection
Highlights
§ 3rd annual BDS Test, 3rd NSS recommendation
for Fortinet FortiSandbox
§ FortiSandbox Appliance (with FortiClient),
FortiSandbox Cloud (and FortiGate) recommended
§ 100% detection of exploits and evasions,
99%+ overall effectiveness
§ Exceptional Time to Detection at an average of
4.1 minutes by FortiSandbox Cloud
§ 10Gbps real-world throughput by FortiSandbox 3000D,
1 Gbps by FortiGate + FortiSandbox Cloud
§ Fortinet NGFW, DCIPS, WAF, and EPP, also
NSS Recommended along with BDS
FortiSandbox Options
Model: FortiSandbox Cloud | FortiSandbox VM | FortiSandbox 1000D | FortiSandbox 3000D
VMs:   NA                 | 2+              | 8                  | 28
FortiSwitch
FortiSwitch Family
Data Center:
» 40G: FSW-3032D
» 10G: FSW-1024D, FSW-1048D
Access (1G):
» POE+: FSW-424D-FPOE, FSW-448D-FPOE, FSW-224D-FPOE, FSW-248D-FPOE
» POE: FSW-424D-POE, FSW-448D-POE, FSW-224D-POE, FSW-248D-POE, FSW-124D-POE, FSW-108D-POE, FSW-80-POE
» Non-POE: FSW-424D, FSW-448D, FSW-124D
VLAN Assignment
Ready to apply FortiGate Top Class Security
§ Security Policy
FortiSandbox Appliance vs. FortiSandbox Cloud
Fortinet European Datacenter (ISO27001:2005 certified)
https://europe.forticloud.com
Overview
§ Choosing between FortiSandbox Appliances and the FortiSandbox Cloud
» Are there FortiGates deployed in the environment? How many?
» Is FortiMail deployed in the environment?
» Have they deployed a FortiWeb WAF?
» Are they using a FortiGate or EMS to manage FortiClient EPP?
» Do they have a CarbonBlack Enterprise Protection server?
» Are there Network Share Scanning and/or Network Malicious Activity Detection
requirements?
» Does the security team need detailed incident response information?
§ Are forensic tools or forensic reporting required?
» Choosing the right solution for the customer depends on the feature requirements,
the size of the customer, forensics and reporting requirements and the tools
required by the security team.
Advantages of the FortiSandbox Cloud Solution
Considerations when using the FortiSandbox Cloud
§ Bandwidth cost/impact uploading to cloud
§ Potential data privacy issues/concerns
§ No upgrade control in cloud
§ Sample submission rate limits
§ 15 minute update intervals
§ Reporting / Sorting / Less details in the verdict report
§ Less forensics – no PCAP or Screen Capture
§ Integration only with FortiGate (FGT) and/or FortiMail (FML)
§ Subscription License per (FGT/FML) / year
Advantages of the FortiSandbox Appliances
§ Integrated with FortiGate and / or Sniffer configuration.
» Detect malicious traffic east / west as well as north / south. IPS Engine / Signatures
§ FortiMail Secure Email Gateway (SEG) integration (both Cloud and Appliance support)
» Checks file/URI reputation before submitting file for sandboxing.
» Temporarily holds messages until FSA determines risk rating - then quarantine or deliver.
§ FortiWeb Web Application Firewall (WAF) Integration
» Detect malicious file uploads
§ FortiClient Integration
» File submission of Internet files, network share and removable media. Hold file execution until a verdict is received (configurable).
§ CarbonBlack Enterprise Protection integration
» Files are submitted by the Bit9 server to FortiSandbox for analysis.
§ Updates to integrated devices every five minutes
§ On Demand file/URI scanning
§ Scheduled Network Share Scanning – CIFS or NFS
§ REST API for submission or extracting information
§ URL Sandboxing – Sniffer, On Demand and/or through REST API
§ Scan Profiling to tune submissions for larger environments
§ TCO can be lower for larger companies
FortiSandbox Appliances / FortiSandbox Cloud Feature Matrix
Deployment

Deployment Options          | FortiSandbox Appliance | FortiSandbox Cloud
FortiGate Integration       | X                      | X
FortiMail Integration       | X                      | X
FortiClient Integration     | X                      |
FortiWeb Integration        | X                      |
FortiAnalyzer Integration   | X                      | X*
FortiManager Integration    | X                      | X*
FortiSandbox Appliances / FortiSandbox Cloud Feature Matrix
Detection

Detection Capabilities      | FortiSandbox Appliance | FortiSandbox Cloud
FortiSandbox Appliances / FortiSandbox Cloud Feature Matrix
File Type and Protocol Support

Profiling, File Type and Protocol Support | FortiSandbox Appliance | FortiSandbox Cloud
Scan Profiling
» Ability to Tune Scanning to Environment | X |
» Adobe Reader Versions 8,9,10,11 - enable or disable scanning of each version | X |
» Microsoft Office 2007, 2013 - enable or disable scanning of either version | X |
» Adobe Flash with IE 7,8,9,10 - enable or disable scanning of each version | X |
File Type Support
» A/V & CPRL Pre-Filter support all file types regardless of Operating System | X | X
» Virtual Machine Sandboxing: | X | X
  – Archived: .7z, Z, xz, tar, .gz, .tar.g, .tgz, .zip, .bz2, .bz, .tar.Z, .cab, .rar, .arj | X | X
  – Executable: .exe, .dll, PDF, Office, JS, VBS, BAT, PS1, JAR, MSI | X | X
  – Media: .avi, .mpeg, mp3, mp4 | X | X
Protocol Support
» FortiGate Integrated: HTTP, SMTP, POP3, IMAP, MAPI, FTP, SMB, IM and SSL and encrypted equivalent | X | X
» Stand-alone: HTTP, FTP, POP3, IMAP, SMTP, SMB | X |
» FortiMail Integrated: SMTP | X | X
FortiSandbox Appliances / FortiSandbox Cloud Feature Matrix
Alerting, Reporting, Monitoring

Alerting, Reporting, Monitoring and Logging | FortiSandbox Appliance | FortiSandbox Cloud
Alerting:
» Detailed Alerting with Source & Destination, Protocol, File Name + Forensic / Incident Response Info | X |
» Summary Email Alerting with Source & Destination, Protocol, File Name | X | X
Reporting:
» Scheduled Summary and Threat Detail Reporting delivered via Email | X |
» On Demand Summary and Threat Detail Reporting by Date Range | X |
» Filtering and Search capabilities - granular drill down and export to detailed report in .PDF format | X |
» File Submission Summary Web View | X | X*
» Limited Daily Canned Report | X | X*
» Filter by Rating (Malicious, Suspicious - Low, Medium, High Risk, Clean) | X | X*
Monitoring:
» At a Glance View Submission by Device (easily see if one site is submitting more than others) | X |
» Separate Views for Each Device (not reportable or monitored in aggregate) | X | X*
* FortiGate only
** Through FortiGate Integration
FortiSandbox Appliances / FortiSandbox Cloud Feature Matrix
Mitigation

Mitigation | FortiSandbox Appliance | FortiSandbox Cloud

FortiSandbox Appliances / FortiSandbox Cloud Feature Matrix
Forensics, Auditing, 3rd Party Tools | FortiSandbox Appliance | FortiSandbox Cloud
» Export Suspicious files for further analysis or inspection by 3rd party applications | X |
Live setup FSA – FML – FGT
Live configuration of the VMs
Deep-Dive Troubleshooting
Advanced Malware Techniques
Malware Techniques Information Resources
§ FortiGuard https://fortiguard.com
» Threat Response Blog is excellent
§ Easily readable and understandable
Sandboxing Evasion Techniques
§ Saturated, extensively discussed topic in the field!
§ The more a security company discloses about its protection techniques, the more vulnerable it becomes!
§ Evasion techniques include, but are not limited to:
» Logic (time, behavior) bombs:
§ Hard to detect these in sandboxes - the trigger conditions are rarely met in closed environments
§ VM instance typically maintained for a short lifespan
§ Excessive sleep times, N x mouse clicks, scroll to page X, fast mouse movements etc.
Sandboxing Evasion Techniques
§ Rootkits & Bootkits
» Rootkits subvert the OS to take control of the system.
» Rootkits can tamper with system output - tampering with the sandbox during boot-up, before the sandbox is ready.
§ Sandbox detection, i.e. the malware won't fire if the check returns TRUE!
» Attempts to determine if the environment is VM based (memory, CPU, MAC, NIC, disk etc.)
» Volume based detection (N x number of network packets)
» Common adware cookies: Google, Facebook etc.
§ Windows domain queries
§ Shell code morphing
Sandboxing Evasion Techniques
§ Botnet C2 Window
» Non-malicious behaviour while waiting for instructions.
§ Network Fast Flux
» Domain generation algorithms to change the URL/IP that the malware will connect to for C2.
» A single URL can resolve to different IPs (GSLB) - still a single URL.
» Multiple IP addresses that store the same commands. Cloned C2: start with the IP#1 command, continue with the IP#2 command.
§ Encrypted Archives & Binary Packers
§ etc. etc. etc.
Troubleshooting v2.3.3 (build205)
Troubleshooting Areas
§ Connectivity
§ Security Services (Webfilter, Fortiguard etc.)
§ Virtual Images
§ Devices and device submission
§ File tracing inside FSA
Troubleshooting: Connectivity / Reachability
FSA Troubleshooting: Connectivity (1)
§ ping
§ tcpdump
§ traceroute

FSA Troubleshooting: Connectivity (2)
§ test-network, which can provide a detailed network condition against 3 domains: www.google.com, fsavm.fortinet.net and go.microsoft.com.
» ping, tcp/80, tcp/443 via Port1 - why?
» DNS: only resolution, no speed - why?
» http, https: no speed
FSA Troubleshooting: Connectivity (3)
§ VM Internet Access status on the dashboard should show a green icon (better catch rate)
§ If yellow:
» In Scan Policy > General page, "Allow Virtual Machines to access external network through outgoing port3" should be checked
» A valid gateway should be provided. If no DNS server is set, the system one will be used
» In CLI, the test-network command will show the network condition through port3.
Troubleshooting: VM Initialization
FSA Troubleshooting: VM Initialization
Ø Reboot
§ You check the logs and you see Msg="Windows Activation Error, time Out"
§ Call Microsoft ;)
§ After successful initialization, Windows VM and Office License in Dashboard should show a green icon
§ Go to Virtual Machine -> VM Images page, make sure there are installed VM images and at least one clone is enabled
Troubleshooting: Security Services
FSA Troubleshooting: Security Services (Web filter, Community cloud and FGD etc.)
Ø FSA used ports file (no port override!):
§ http://docs.fortinet.com/uploaded/files/3020/fortinet-communication-ports-and-protocols-54.pdf
Ø Some info missing from this diagram:
§ JSON file download / file submission (suspicious) on fqdl.fortinet.net (tcp/443).
§ High availability port numbers (tcp/2015, tcp/2018)
FSA Troubleshooting: Security Services (Web filter, Community cloud and FGD etc.)
§ test-network provides the connection status to FDN, Web Filtering Service and FSA Community Cloud.
FSA Troubleshooting: Security Services (Web filter, community cloud and FGD etc.)
Ø FortiGuard or Community Cloud Service icon is yellow:
§ Some firewalls/IPSs are configured to block crafted DNS packets (udp/53).
§ Override the destination server from the output of "testing web filtering service" in the test-network command
§ If you are using a proxy, you need a SOCKS v5 proxy for UDP traffic
FSA Jobs Queue Optimization: hints and best practices
§ Running a file inside a VM (sandboxing) is very expensive in terms of resources (you have a limited number of VMs in the FSA), i.e. 8 VMs in an FSA-1000D, 28 VMs in an FSA-3000D etc.
§ Job optimization is based on the following ideas, which are IN ORDER:
1) Allocate the optimal number of clones of each VM type.
2) Run a single file on a single VM type (do not make different VM types run the same file).
3) Minimize the number of files reaching the expensive sandboxing stage (enable prefiltering). Performance vs. security!
4) Free the hard disk as soon as possible from extra unnecessary data - the FSA is highly dependent on the HDD; more free HDD space -> better performance.
FSA Jobs Queue Optimization: which queue is the longest?
FSA Jobs Queue Optimization: Number of Clones Allocation
§ Allocate clone numbers of each VM type according to the distribution of file types
§ Assuming doc and pdf files only in an FSA-1KD

> pending-jobs show all pdf
Source: On-Demand, File type: PDF files, Jobs: 0
Source: File RPC, File type: PDF files, Jobs: 0
Source: Device, File type: PDF files, Jobs: 212
Source: Sniffer, File type: PDF files, Jobs: 0
Source: Adapter, File type: PDF files, Jobs: 0
Source: Network Share, File type: PDF files, Jobs: 982
Source: URL On-Demand, File type: PDF files, Jobs: 0
Source: URL RPC, File type: PDF files, Jobs: 0
Source: URL Device, File type: PDF files, Jobs: 0
Source: URL Adapter, File type: PDF files, Jobs: 0
Total Jobs: 1194

> pending-jobs show all doc
Source: On-Demand, File type: Microsoft Office files (Word, Excel, PowerPoint files etc), Jobs: 0
Source: File RPC, File type: Microsoft Office files (Word, Excel, PowerPoint files etc), Jobs: 0
Source: Device, File type: Microsoft Office files (Word, Excel, PowerPoint files etc), Jobs: 49
Source: Sniffer, File type: Microsoft Office files (Word, Excel, PowerPoint files etc), Jobs: 0
Source: Adapter, File type: Microsoft Office files (Word, Excel, PowerPoint files etc), Jobs: 0
Source: Network Share, File type: Microsoft Office files (Word, Excel, PowerPoint files etc), Jobs: 230
Source: URL On-Demand, File type: Microsoft Office files (Word, Excel, PowerPoint files etc), Jobs: 0
Source: URL RPC, File type: Microsoft Office files (Word, Excel, PowerPoint files etc), Jobs: 0
Source: URL Device, File type: Microsoft Office files (Word, Excel, PowerPoint files etc), Jobs: 0
Source: URL Adapter, File type: Microsoft Office files (Word, Excel, PowerPoint files etc), Jobs: 0
Total Jobs: 279

Number of clones to run (pdf) : Number of clones (doc) = 1194 : 279
FSA-1KD (8 clones):
#ofClones to run doc = (279/(279+1194)) * 8 = 1.5 => 2 clones
#ofClones to run pdf = (1194/(279+1194)) * 8 = 6.4 => 6 clones
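The clone calculation above can be automated. The following Python 3 script is an added example, not FortiSandbox code or a Fortinet tool: it parses the `pending-jobs show all <type>` output shown above (the sample text is constructed from the slide's counts, with zero-job sources abbreviated), sums the jobs per file type across all sources, and apportions a fixed clone budget with the largest-remainder method so the result always adds up to the appliance's clone count (8 for the FSA-1000D) and no file type with a non-empty queue is left without a clone. The regular expression and the minimum-one rule are my assumptions about the output format and the intended policy; the 6:2 split it produces matches the slide.

```python
import math
import re
from collections import defaultdict

# Constructed sample of `pending-jobs show all <type>` output, using the slide's
# job counts (PDF: 212 from Device + 982 from Network Share; Office: 49 + 230).
PENDING_JOBS_OUTPUT = """\
> pending-jobs show all pdf
Source: On-Demand, File type: PDF files, Jobs: 0
Source: File RPC, File type: PDF files, Jobs: 0
Source: Device, File type: PDF files, Jobs: 212
Source: Sniffer, File type: PDF files, Jobs: 0
Source: Network Share, File type: PDF files, Jobs: 982
Total Jobs: 1194
> pending-jobs show all doc
Source: On-Demand, File type: Microsoft Office files (Word, Excel, PowerPoint files etc), Jobs: 0
Source: Device, File type: Microsoft Office files (Word, Excel, PowerPoint files etc), Jobs: 49
Source: Network Share, File type: Microsoft Office files (Word, Excel, PowerPoint files etc), Jobs: 230
Total Jobs: 279
"""

# Assumed line format: "Source: <src>, File type: <type>, Jobs: <n>"
SOURCE_LINE = re.compile(
    r"^Source:\s*(?P<source>[^,]+),\s*File type:\s*(?P<ftype>.+?),\s*Jobs:\s*(?P<jobs>\d+)\s*$"
)


def parse_pending_jobs(text):
    """Sum queued jobs per file type across all input sources.

    The 'Total Jobs' lines are ignored on purpose: recomputing the total from the
    per-source lines catches truncated or garbled output.
    """
    totals = defaultdict(int)
    for line in text.splitlines():
        m = SOURCE_LINE.match(line.strip())
        if m:
            totals[m.group("ftype")] += int(m.group("jobs"))
    return dict(totals)


def allocate_clones(jobs_per_type, total_clones):
    """Split `total_clones` VM clones across file types in proportion to queue length.

    Largest-remainder apportionment: every type with a non-empty queue keeps at
    least one clone, and the allocation always sums to exactly `total_clones`.
    """
    types = [t for t, n in jobs_per_type.items() if n > 0]
    if not types:
        return {}
    if total_clones < len(types):
        raise ValueError("fewer clones than file types with queued jobs")
    total_jobs = sum(jobs_per_type[t] for t in types)
    exact = {t: jobs_per_type[t] * total_clones / total_jobs for t in types}
    alloc = {t: max(1, math.floor(exact[t])) for t in types}
    remaining = total_clones - sum(alloc.values())
    # Hand leftover clones to the types with the largest fractional share first.
    for t in sorted(types, key=lambda t: exact[t] - math.floor(exact[t]), reverse=True):
        if remaining <= 0:
            break
        alloc[t] += 1
        remaining -= 1
    # If the minimum-one rule over-committed, take clones back from the biggest allocations.
    while remaining < 0:
        biggest = max(types, key=lambda t: alloc[t])
        alloc[biggest] -= 1
        remaining += 1
    return alloc


def recommend_clones(cli_output, total_clones):
    """End-to-end: CLI text in, {file type: clone count} out."""
    return allocate_clones(parse_pending_jobs(cli_output), total_clones)


if __name__ == "__main__":
    # FSA-1000D: 8 clones in total (number from the slide).
    for ftype, n in recommend_clones(PENDING_JOBS_OUTPUT, 8).items():
        print(f"{n} clone(s) for {ftype}")
```

Re-run it whenever the queue mix changes; the allocation is only as good as the snapshot of `pending-jobs` it was computed from.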
FSA Jobs Queue Optimization: file types assignment
FSA Jobs Queue Optimization: enable pre-filtering
FSA Jobs Queue Optimization: Clear Disk for Clean Jobs and Unnecessary extra storage
Ø On Scan Policy -> General, only keep jobs with a clean rating for a short period.
During a POC… Can you answer the following?
Ø What do you mean by "Not Assigned files"?
Ø Which file type degrades the system performance most? Why?
Ø Which FSA model do I need to propose as the "best option"?
Troubleshooting…
Communication between FG/FML and FSA
FSA Troubleshooting: communication between FortiGate and FSA
Ø On the FortiGate side, make sure the FortiSandbox is available by clicking Test Connectivity in the FortiSandbox configuration page
Ø On the FortiSandbox side, make sure the FortiGate is Visible and Authorized in the Scan Input > Device page.
Ø , run the following CLI command to see files are extracted and sent over
Ø , run the following CLI command to see the activity with FG.
(FG / FSA)
FSA Troubleshooting: Communication between FortiMail and FSA
FSA Troubleshooting: File Submission from FortiMail to FSA
FSA Troubleshooting: File Submission from FortiMail to FSA – FML Side
Troubleshooting…
Tracking File/Job inside FSA
FSA troubleshooting: file tracing inside FSA
Ø In Log & Report > All Events page, put the file's checksum or name in the message filter
Ø In FortiView > Search page, search the file's name or checksum within a time range. Then click the Show Detail button to show the job's detailed information
MSSP and API Deployments
MSSP Options Available Today – Restricted Admin
§ Per Admin Files/Log View
MSSP Options Available Today – VDOM Reports
§ VDOM based reporting
MSSP Options Available Today – FortiAnalyzer
§ Using pre-defined reports and the flexibility of FortiAnalyzer (or any other SIEM)
MSSP Options
§ FortiSandbox Cloud uses the API interface
§ MSSP options:
» Provide a portal for customers to submit files
» Automatically extract files and submit them via the API (non-Fortinet devices)
» Allow customers' Fortinet devices to submit files to their Sandbox cluster
§ New 2.4 feature allows submission control
§ Use ICAP?
FortiSandbox JSON API
§ Larger MSSPs prefer to build a back-end Sandbox cluster and front-end it with the API
§ FortiSandbox allows JSON API calls
» Rich feature set for configuration and information extraction
» API is enabled by default
§ API access is configurable per admin
» Reference documentation is only available on the Fortinet Developer Network
Why use the API?
What can I do with the API?
§ Feature rich, but definitely not every feature of the Web GUI
§ Reference Guide lists available options (with necessary flags)
§ 2.3 'get' and 'query' options:
» get system information
» get configurations of sniffer
» general options, including cloud upload and vm network access settings
» get scanning statistics for last 7 days
» get a copy of backed up config file, in base64 format
» query file's verdict through its sha256 checksum
» query file's rating through its sha256 checksum
» query url's rating
» query job's verdict detail through its job id
» get job id list for one submission
» get job behavior details for a file
» get malware package, malicious URL package or botnet package
» get AV-Rescan results
» return all installed VM names and their clone number
Who do I call? (Henry Script)
§ Example Python (2.7) script
» URL defined at top
» Test list
§ Only one 'test' at a time
» API login/logout configuration
File upload example (Henry Script)
§ Enable test
§ Configure parameters
§ Run test
MSSP Caching
§ Try submitting the same file via the API more than once
» Why wasn't it rejected even if you had this option enabled?
§ The first API call checks the file's SHA256 hash; only if the result is 'unknown' is the file submitted to FortiSandbox
MSSP Caching – 2-Step API in Action (Connor Script)
§ Change URLs to HTTP submission and configure input file
» Should be in the same directory as the script
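The two-step caching flow described above, as an added Python 3 example that is not the page's Henry or Connor script and does not use the real FortiSandbox JSON method names: `FakeSandbox` is an in-memory stand-in with hypothetical `rating_for_sha256` and `submit_file` methods, and `TwoStepClient` shows why a repeated submission is never "rejected": the hash lookup (step 1) answers it before any upload (step 2) happens, and an MSSP-side cache stops the second lookup from leaving the MSSP at all.

```python
import hashlib


class FakeSandbox:
    """In-memory stand-in for the sandbox back end (constructed; not the FortiSandbox JSON API).

    `known` maps sha256 -> rating for files the sandbox has already analysed.
    """

    def __init__(self, known=None):
        self.known = dict(known or {})
        self.submissions = 0  # how many full sandbox jobs were actually started

    def rating_for_sha256(self, sha256):
        # Step 1 of the two-step flow: cheap hash lookup, no file transfer.
        return self.known.get(sha256, "unknown")

    def submit_file(self, filename, data):
        # Step 2: the expensive detonation. The verdict rule is a constructed stand-in.
        self.submissions += 1
        sha256 = hashlib.sha256(data).hexdigest()
        self.known[sha256] = "malicious" if b"CONSTRUCTED-BAD-MARKER" in data else "clean"
        return sha256


class TwoStepClient:
    """MSSP-side client: ask for the hash rating first, upload only when it is unknown."""

    def __init__(self, sandbox):
        self.sandbox = sandbox
        self.local_cache = {}  # sha256 -> rating; repeat submissions never leave the MSSP

    def submit(self, filename, data):
        sha256 = hashlib.sha256(data).hexdigest()
        if sha256 in self.local_cache:
            return {"sha256": sha256, "rating": self.local_cache[sha256], "served_by": "local-cache"}
        rating = self.sandbox.rating_for_sha256(sha256)
        served_by = "sandbox-cache"
        if rating == "unknown":
            self.sandbox.submit_file(filename, data)
            rating = self.sandbox.rating_for_sha256(sha256)
            served_by = "submitted"
        self.local_cache[sha256] = rating
        return {"sha256": sha256, "rating": rating, "served_by": served_by}


def demo():
    """Run the duplicate-submission scenario from the slide; returns the three results and the job count."""
    seen_before = b"constructed sample already known to the sandbox"
    sandbox = FakeSandbox({hashlib.sha256(seen_before).hexdigest(): "clean"})
    client = TwoStepClient(sandbox)
    fresh = b"constructed sample with CONSTRUCTED-BAD-MARKER inside"
    first = client.submit("invoice.exe", fresh)       # unknown hash -> full submission
    second = client.submit("invoice.exe", fresh)      # same bytes -> answered from the local cache
    third = client.submit("report.pdf", seen_before)  # hash already known -> no upload at all
    return first, second, third, sandbox.submissions


if __name__ == "__main__":
    for result in demo()[:3]:
        print(result)
```

The `served_by` field is what you would log in production: it tells you whether a verdict cost a detonation, a hash lookup, or nothing, which is the number a submission-rate-limited cloud tenant cares about.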
What is STIX
§ Structured Threat Information Expression (STIX) is a structured
language for describing cyber threat information so it can be
shared, stored and analysed in a consistent manner
§ TAXII (Trusted Automated eXchange of Indicator Information) is
the main transport mechanism for cyber threat information
represented in STIX. Through the use of TAXII services,
organizations can share cyber threat information in a secure and
automated manner
§ The STIX and TAXII communities work closely together (and in
fact consist of many of the same people) to ensure that they
continue to provide a full stack for sharing threat intelligence
source: stixproject.github.io
Download Malware Package in STIX Format (Henry Script)
§ Edit parameters (Reference Guide)
File upload example (Henry Script)
§ Save the 'download file' contents into a text file (stix-base64) and convert it to XML with the following command
Linux
§ This then leads very nicely into the Threat Intelligence conversation
Using your STIX file
§ Anomali STAXX server in lab
» https://anomali.etlab.net:8080/login
IOC/STIX and Threat Feeds
FortiGuard Threat Intelligence
Readable Reports
Strategic: threat actors, their intentions, motivations, capabilities, plans, etc.
Why is it important
What is an IOC (Indicator of Compromise)
FortiGuard Threat Feed Contents
§ IP Watchlist
» Open Proxy IPs
» Suspicious IPs
IOC with FortiAnalyzer
FortiGuard TIDB:
• Malware ID
• Malware Domain
• Malware URL
• Crowd Sourced URLs
• …
‣ Daily Threat Intelligence package download
‣ Subscription License
FortiAnalyzer Detection Engine (Logs):
‣ Web Filter Logs
‣ APT Detection
‣ Actionable Report
CTI STIX Feed File Explanation – Malicious Domains

<stix:Indicator id="fortiguard:indicator-d4e86481-ca69-4fba-97f0-627f19932e44"
    timestamp="2016-09-10T12:50:21.926967+00:00" xsi:type='indicator:IndicatorType'>
  <indicator:Title>Malicious domains</indicator:Title>
  <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Domain Watchlist</indicator:Type>
  <indicator:Valid_Time_Position>
    <indicator:Start_Time precision="day">2016-09-10T00:00:00</indicator:Start_Time>
    <indicator:End_Time precision="day">2016-09-13T00:00:00</indicator:End_Time>
  </indicator:Valid_Time_Position>
  <indicator:Observable id="fortiguard:Observable-70c79b9d-98f5-4021-9722-435fa8d9ceb8">
    <cybox:Object id="fortiguard:URI-79c3a400-4fd8-4876-a1ea-6b5fc87b51e9">
      <cybox:Properties xsi:type="URIObj:URIObjectType" type="Domain Name">
        <URIObj:Value>phiprashyngy.enchiladainvesting.com</URIObj:Value>
      </cybox:Properties>
    </cybox:Object>
  </indicator:Observable>
  <indicator:Indicated_TTP>
    <stixCommon:TTP idref="fortiguard:ttp-fdd1ab22-f634-4150-9672-7485e3380841" xsi:type='ttp:TTPType'/>
  </indicator:Indicated_TTP>
</stix:Indicator>

• Malicious domains
  § Malicious domain indicator
• Domain Watchlist
  § Part of the Domain Watchlist indicator group
• 2016-09-10T00:00:00
  § 72-hour sliding window start time when this IOC is active
• 2016-09-13T00:00:00
  § 72-hour sliding window end time when this IOC will be re-evaluated to see if it's still active
• phiprashyngy.enchiladainvesting.com
  § Domain of this indicator
72-Hour Sliding Window Example
abcabcabc.com domain is detected as malicious and active before the next Monday feed release cycle.
§ Monday feed
» Contains abcabcabc.com (new+active)
§ Tuesday feed
» Does not contain abcabcabc.com (inferred to be still active)
§ Wednesday feed
» Does not contain abcabcabc.com (inferred to be still active)
§ Thursday feed
» If our probes determine that abcabcabc.com is still malicious and active, the feed will contain abcabcabc.com
again
» If our probes determine that abcabcabc.com is no longer malicious or active, the feed will not contain
abcabcabc.com
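The indicator structure and the 72-hour sliding-window rule above, as an added Python 3 example (not Fortinet code; the STIX 1.x / CybOX 2.x namespace URIs are the published ones and are supplied here because the slide's fragment omits the `xmlns` declarations): `parse_indicator` pulls the domain and its Start_Time/End_Time out of the indicator XML, and `active_domains` replays a sequence of daily feeds, treating a domain as still active on days it is absent until its last published window ends, which is exactly the abcabcabc.com Monday-to-Thursday scenario.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Standard STIX 1.x / CybOX 2.x namespace URIs (the slide's fragment omits the declarations).
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "stixCommon": "http://stix.mitre.org/common-1",
    "stixVocabs": "http://stix.mitre.org/default_vocabularies-1",
    "ttp": "http://stix.mitre.org/TTP-1",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "URIObj": "http://cybox.mitre.org/objects#URIObject-2",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}

# The indicator from the slide, with namespace declarations added so it parses stand-alone.
SAMPLE_INDICATOR = """<stix:Indicator id="fortiguard:indicator-d4e86481-ca69-4fba-97f0-627f19932e44"
    timestamp="2016-09-10T12:50:21.926967+00:00" xsi:type="indicator:IndicatorType"
    xmlns:stix="http://stix.mitre.org/stix-1" xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:stixCommon="http://stix.mitre.org/common-1" xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
    xmlns:ttp="http://stix.mitre.org/TTP-1" xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <indicator:Title>Malicious domains</indicator:Title>
  <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Domain Watchlist</indicator:Type>
  <indicator:Valid_Time_Position>
    <indicator:Start_Time precision="day">2016-09-10T00:00:00</indicator:Start_Time>
    <indicator:End_Time precision="day">2016-09-13T00:00:00</indicator:End_Time>
  </indicator:Valid_Time_Position>
  <indicator:Observable id="fortiguard:Observable-70c79b9d-98f5-4021-9722-435fa8d9ceb8">
    <cybox:Object id="fortiguard:URI-79c3a400-4fd8-4876-a1ea-6b5fc87b51e9">
      <cybox:Properties xsi:type="URIObj:URIObjectType" type="Domain Name">
        <URIObj:Value>phiprashyngy.enchiladainvesting.com</URIObj:Value>
      </cybox:Properties>
    </cybox:Object>
  </indicator:Observable>
  <indicator:Indicated_TTP>
    <stixCommon:TTP idref="fortiguard:ttp-fdd1ab22-f634-4150-9672-7485e3380841" xsi:type="ttp:TTPType"/>
  </indicator:Indicated_TTP>
</stix:Indicator>"""

WINDOW = timedelta(hours=72)


def parse_indicator(xml_text):
    """Pull the domain and its validity window out of one stix:Indicator element."""
    root = ET.fromstring(xml_text)
    vtp = "indicator:Valid_Time_Position/"
    start = datetime.fromisoformat(root.findtext(vtp + "indicator:Start_Time", namespaces=NS))
    end = datetime.fromisoformat(root.findtext(vtp + "indicator:End_Time", namespaces=NS))
    domain = root.findtext("indicator:Observable/cybox:Object/cybox:Properties/URIObj:Value", namespaces=NS)
    return {
        "id": root.get("id"),
        "type": root.findtext("indicator:Type", namespaces=NS),
        "domain": domain,
        "start": start,
        "end": end,
    }


def make_indicator(domain, start):
    """Constructed indicator dict in the same shape, for feeds built in code."""
    return {"id": None, "type": "Domain Watchlist", "domain": domain, "start": start, "end": start + WINDOW}


def active_domains(feeds, as_of):
    """Apply the sliding-window rule to a sequence of daily feeds.

    feeds: iterable of (release_time, [indicator dicts]) in release order.
    A domain is active at `as_of` if the most recent feed that listed it gave a
    window that still covers `as_of`; days on which the domain is absent are
    inferred as still active until that window ends.
    """
    latest = {}
    for release_time, indicators in feeds:
        if release_time > as_of:
            break
        for ind in indicators:
            latest[ind["domain"]] = ind
    return {d for d, ind in latest.items() if ind["start"] <= as_of < ind["end"]}


if __name__ == "__main__":
    print(parse_indicator(SAMPLE_INDICATOR))
```

When you load such a feed into a blocklist, expire entries by End_Time rather than by "not seen in today's feed", or every Tuesday and Wednesday you will drop domains the feed still considers active.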
FortiGuard CTI Feed – Format and Delivery
Clustering
FortiSandbox HA and Load-Balancing (LB)
FortiSandbox HA/LB at a Glance
§ 3 types of nodes: Master, Primary Slave and Regular Slave
» It is possible to have multiple primary slaves
§ Master and Primary Slave can be any type of appliance
» Recommended FSA-3000D or above
§ Regular Slaves can be any type of appliance
§ Minimum is 2 nodes, maximum is 100 nodes in a single cluster
§ Master distributes and does inspection
§ Primary slave takes over from the master and does inspection
§ Regular slaves do inspection only
FSA HA Overview: Cluster Node Rules
Master Node
Master Node (cont.)
Slave Nodes
Cluster Internal Communication
Synchronization

Master -> All other nodes:
§ Users
§ Job cleanup schedule
§ Archive server settings
§ FortiGuard page settings
§ Mail server settings
§ Malware package generation settings
§ Black and White lists
§ Yara rules
§ Uploaded certificates
§ Scan profile settings
§ SNMP settings
§ Widget settings
§ Adapter settings
§ Others (login disclaimers)

Master -> Primary Slave (activated upon fail-over):
§ Sniffer settings
§ Network settings (including DNS, proxy, and routing tables)
§ Scheduled task settings (network share scans, and scheduled report generation)
§ Log server settings
§ Devices
About the Processing Capacity of the Master
§ Same rule for every model (make your own calculation to verify)

Slave Nodes # | Recommended Master Processing Capacity (%) | CLI to adjust master processing capacity
1             | 80                                         | hc-master -s80
2             | 60                                         | hc-master -s60
3             | 40                                         | hc-master -s40
4             | 20                                         | hc-master -s20
5             | 0                                          | hc-master -u
Processing Capacity of the Cluster
Sizing: max. files/hour = 20 x VMs# x (N - 0.5), where 20 is the files per VM per hour at 3 min per detonation, VMs# the VMs per node and N the number of nodes
Processing Capacity per Model
Max. files/hour, worst case scenario (i.e. 3 min per guest VM detonation)
Requirements for Building FSA Cluster
Internal Cluster Communication
Conditions for a Cluster Failover
Link Monitoring
Building FSA Cluster
CLI
§ hc-settings
» configure the unit as an HA cluster mode unit
§ hc-status
» list the status of HA cluster units
§ hc-slave
» add, update, remove a slave unit to/from the HA cluster
§ hc-master
» turn on/off the file scan on the master node
» adjust the master's scan processing capacity
» remove slave nodes from the cluster by their S/N
Building FSA Cluster
CLI: hc-settings
> hc-settings -h
Usage: hc-settings -h
-h Help information.
N: N/A
M:Master unit
And it must be in the same subnet as the unit IP subnet of the specified interface.
Building FSA Cluster
CLI: hc-status
> hc-status -h
Usage: hc-status -h
-h Help information.
-l List the status of HA-Cluster units.
Building FSA Cluster
CLI: hc-slave
> hc-slave -h
Usage: hc-slave -h
-h Help information.
-a Add the slave unit to HA-Cluster.
-r Remove the slave unit from HA-Cluster.
-u Update the slave unit information.
-s The master unit IP address.
-p The authentication code of HA-Cluster.
Building FSA Cluster
CLI: hc-master
> hc-master -h
Usage: hc-master -h
-h Help information.
-u Turn off file scan on master unit.
-s<10-100> Turn on file scan on master unit
with 10%-100% processing capacity.
-l Display file scan status on master unit.
-r<slave sn> Remove the slave unit from
cluster by its serial number.
Building a Cluster
Example with a FSA-3500D
§ Check List (Example)
Cluster Name: FSAHA
Cluster Password: fortisandbox
Network Addresses (port / role / address):
» port1 / MGMT / 10.210.16.0/24
» port2 / OFTP / 10.14.0.0/24
» port3 / VM / 10.15.0.0/24
» port5 / HA / 10.16.0.0/24
External IP for MGMT: 10.210.16.239
External IP for OFTP: 10.14.0.239
System Default Gateway: 10.210.16.254
Guest VMs Default Gateway: 10.15.0.246
Building FSA Cluster
Network Configuration

MASTER
set port3-ip 10.15.0.234/24
set port5-ip 10.16.0.234/24
set default-gw 10.210.16.254
vm-internet -s -g10.15.0.254 -d8.8.8.8

PRIMARY SLAVE
set port3-ip 10.15.0.235/24
set port5-ip 10.16.0.235/24
set default-gw 10.210.16.254
vm-internet -s -g10.15.0.254 -d8.8.8.8

REGULAR SLAVE 1
set port2-ip 10.14.0.236/24
set port3-ip 10.15.0.236/24
set port5-ip 10.16.0.236/24
set default-gw 10.210.16.254
vm-internet -s -g10.15.0.254 -d8.8.8.8

REGULAR SLAVE 2
set port2-ip 10.14.0.237/24
set port3-ip 10.15.0.237/24
set port5-ip 10.16.0.237/24
set default-gw 10.210.16.254
vm-internet -s -g10.15.0.254 -d8.8.8.8
Building FSA Cluster
Cluster Configuration
Building FSA Cluster
Cluster Status
hc-status -l
Status for all units in cluster: FSAHA
--------------------------------------------------------------------------------
SN Type Name IP Active
FSA35D3R16000007 Master Master 10.16.0.234 1 second ago
FSA35D3R16000008 Primary Slave PrimarySlave 10.16.0.235 0 second(s) ago
FSA35D3R16000009 Regular Slave RegularSlave1 10.16.0.236 6 second(s) ago
FSA35D3R16000010 Regular Slave RegularSlave2 10.16.0.237 6 second(s) ago
FSA35D3R16000011 Regular Slave RegularSlave3 10.16.0.238 6 second(s) ago
hc-status -l
Status of master and primary slave units in cluster: FSAHA
--------------------------------------------------------------------------------
SN Type Name IP Active
FSA35D3R16000007 Master Master 10.16.0.234 1 second(s) ago
FSA35D3R16000008 Primary Slave PrimarySlave 10.16.0.235 1 second(s) ago
Running Advanced Demos
Demos
What to watch out for in PoCs
Kash's List
§ Count all the interfaces on your hand (MGT, HA, Port3, Submission)
§ Make it difficult for the competition (talk about deterministic performance)
§ Licensing
§ The curiously interesting case in Hungary
§ "This is the Remote FortiSandbox that you're looking for…."
Alain's List
Ahmad's List
Sizing
Considerations when deploying FortiSandbox Appliances
The Right Fit for the Customer
» Are FortiGates or FortiMails deployed in the environment?
§ If No:
» The only choice is the FortiSandbox Appliance.
» FSA can sniff network traffic and detect malicious files & activities.
» Integrate via SPAN or TAP.
§ If Yes:
» Cloud:
§ How many FGT/FML? -- Cloud is licensed by each device.
§ If the environment is smaller, then FortiSandbox Cloud may be an option
depending on other features needed.
§ Updates are provided from the global community.
» Appliance:
§ Each FGT/FML can be configured to point to a central FSA.
§ Standard appliance purchase + FortiCare maintenance.
§ No subscription licensing fee per FGT.
§ Pre-defined API integration with CarbonBlack Enterprise Protection.
§ Updates are provided to the specific company for targeted attacks.
What does the Security Team need?
§ What features are needed?
Sizing – Files per hour!!!