
Advanced Threat Protection

Webinar 24 May 2016 | Fortinet Italy

© Copyright Fortinet Inc. All rights reserved.


Agenda

• What is Sandbox?
• FortiSandbox Cloud Options
• FortiSandbox On-premise
• FortiSandbox On-premise File Submission
• Sniffer Mode
• FortiSandbox On-Premise Device Mode
• FortiSandbox On-premise FortiClient Integration
• HA & Sizing Details
1. What is Sandbox

What is Sandboxing?
Virtual analysis – nothing new

(Diagram: a virtual end-user environment in which unsafe actions and escape attempts are blocked, with controlled communication inspection.)

• Code is executed in a contained, virtual environment
• Goal is to replicate typical workstations
• Output is analyzed to determine characteristics
• Some characteristics are malicious:
  » Known virus downloads
  » Registry modifications
  » Outbound connection to malicious IPs
  » Infection of processes
Why does a Customer look for ATP?

• Lateral Movement
• Categorization Not Enough
• AntiSpam Ineffective Against Phishing
Breaking the Kill Chain of Advanced Attacks

(Diagram: each stage of an advanced attack, and the control that breaks it)

Attack stage                               Control
Spam / Malicious Email                     Antispam
Malicious Link                             Web Filtering
Exploit / Malicious Web Site               Intrusion Prevention
Malware                                    Antivirus
Bot Commands & Stolen Data / C2 Server     App Control, IP Reputation

Breaking the Kill Chain of Advanced Attacks

(Same diagram, with Sandbox added to the controls and "Access Confirmed" shown at the C2 Server stage.)
Lateral Movement - Two Approaches

• ISFW in Transparent Mode (Pro-active)
• FortiClient (Reactive)

Spear Phishing Prevention - Two Approaches

• Transparent VDOM on ISFW
• FortiMail in Gateway Mode

(Diagram note: "Ineffective against encrypted attacks")
Advanced Threat Protection Framework

Access Control
• Stateful Firewall
• Vulnerability Management
• 2-Factor Authentication

Threat Prevention
• IPS/Application Control
• AntiMalware
• Email/Web Filtering
• Anti-bot

Continuous Monitoring
• Reporting
• FortiGuard Research
• SIEM/Log Mgt/Intelligence
• Service Partners

Threat Detection
• "Sandboxing"
• Network Behavior Analysis
• Botnet Reporting
• Client Reputation

Incident Response
• Professional Services, Device Quarantine, FortiGuard Updates
ATP Framework in Action
Extended and fast protection

(Diagram: FortiClient, FortiGate, FortiMail and FortiWeb, deployed between the Internet and the web and mail servers, submit unknown URLs and files to FortiSandbox.)
FortiSandbox - key components

• Multi-tiered file processing optimizes resources to improve security, capacity and performance

AV Engine
• Serves as an efficient pre-filter
• Applies top-rated (95%+ Reactive and Proactive) engine

Cloud Query
• FortiGuard verified
• Checks FortiSandbox community intelligence

Code Emulation
• OS independent and immune to evasion/obfuscation
• Quickly simulates intended activity

Full Virtual Sandbox
• Provides rich threat information
• Examines real-time, full lifecycle activity

Call Back Detection
• Identifies the ultimate aim, call back and exfiltration
• FortiGuard verified
Products

2. FortiSandbox Cloud

FortiOS 5.4

FortiCloud

Register your device

New Tab of FortiSandbox

Tune AV Profile on FortiGate

Select AV Profile in Policy

FortiSandbox Cloud for FortiMail & FortiWeb

(Diagram: FortiMail and FortiWeb both submit to FortiSandbox Cloud.)

FortiMail Sandbox

Select Sandbox in AV Profile

FortiWeb Sandbox Cloud Configuration

Select Sandbox Cloud in File Upload Policy
3. FortiSandbox On-premise

Status Page

FortiGuard Updates

Pre-requisite

It Appears in Scan Profile
FSA SimNet - Open or Closed Environment?

• Should you risk degrading your IP reputation by letting the sandbox VMs go out through your Internet access?
  » Sandbox VM execution is short
  » Your reputation is at risk every day (i.e. an infected computer in your network)
  » Use a dedicated Internet access for FortiSandbox outgoing traffic

(Diagram: FortiSandbox ports port1, port2 and port3, and the Internet access.)
Why Internet Access is Important for Detection?

• Detonating a downloader sample in a sandbox VM with the netsim feature enabled

(Execution timeline: what the sandbox VM does over time, and what the rating engine can check at each step)

Sandbox VM                          Rating Engine
DNS Query: A FQDN?                  URL Rating: FQDN
DNS Response: A 192.168.250.1       IP Reputation: 192.168.250.1
HTTP Request: GET URL               URL Rating: URL
HTTP Response: dummy.exe            AV Inspection: dummy.exe
Why Internet Access is Important for Detection?

• Detonating a downloader sample in a sandbox VM without netsim

(Execution timeline: what the sandbox VM does over time, and what the rating engine can check at each step)

Sandbox VM                          Rating Engine
DNS Query: A FQDN?                  URL Rating: FQDN
DNS Response: A a.b.c.d             IP Reputation: a.b.c.d
HTTP Request: GET URL               URL Rating: URL
HTTP Response: content              AV Inspection: content
Callback connection: C2             IP Reputation: C2
simnet disabled vs simnet enabled

Network Action         Sample      Rating Feature
DNS Request            FQDN        URL Rating
DNS Response           a.b.c.d     IP Reputation
HTTP Request           URL         URL Rating
HTTP Response          content     AV Inspection
Callback connection    C2          IP Reputation

(The slide also has a SimNet Disabled and a SimNet Enabled column marking which rating feature is available in each mode; the marks are not in the extracted text. The two execution timelines above show the difference: with SimNet enabled the DNS response, the HTTP response and the callback are simulated.)
For Networks Using Proxy

Alert Email Setting

Scheduled Reports on Mail

SNMP Settings
3.a. Advanced Setup On-Premise Mode

Configuring VMs

Maximum Number of VMs

Scan Profile

Configuring a VM to Scan a File Type

Flexibility to add User-Defined File Types

What if we don't have Windows XP?
New Virtual Machines Support
New source and type

• Android, Windows 8.1 and 10
  » Not integrated by default
  » SKUs to come for ordering
• New design is based on input source and file type

(Diagram: VM images Android, Windows 8 and Windows 10; input sources On-Demand/REST API, Device/Sniffer, URL, Device, Sniffer, Adapter and Network Share; file types EXE, DOC, PDF and *.*)

Blacklist & Whitelist
4. File-On Demand

On-Demand: Manual Input Method

• Administrator uses the web-based Manager to upload files or URLs for inspection.
• The combination of inspection methods can be customized:
  » AV
  » Cloud File Query
  » VM Sandboxing
• Tracking of the inspection through the On-Demand page

How to check

Flexibility to choose Scan Engine

4.a. URL Submission
5. Sniffer Mode

Sniffer Input Method

• Monitor the network traffic through two possible connection methods:
  » Mirroring/monitoring or SPAN ports
  » TAP device

(Diagram: a switch with mirroring/monitoring/SPAN capabilities, or a TAP device, feeds the monitored traffic to FortiSandbox.)
6. Device Mode

Devices Input Method

(Diagram: a Fortinet appliance (FortiGate, FortiMail or FortiWeb) talks to FortiSandbox over 514/tcp, SSL encrypted: file submission, and statistics back.)

• An in-memory hash table prevents accepting the same file several times.
• It is cleared every week or each time there is a DB update.
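The de-duplication just described, as an added illustrative example (not FortiSandbox's own code): an in-memory table keyed by the file's SHA-256 (the hash algorithm is an assumption), cleared once a week and on every DB update, so a file is only re-inspected once a new DB could change its verdict.

```python
import hashlib
import time

WEEK_SECONDS = 7 * 24 * 3600


class SubmissionCache:
    """Illustrative in-memory table of accepted file hashes (not FortiSandbox's code):
    a file whose hash is in the table is not accepted again; the whole table is
    cleared weekly or whenever the DB version changes."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable clock so the weekly clear is testable
        self._seen = {}                # sha256 hex digest -> time of first acceptance
        self._last_clear = clock()
        self._db_version = None

    @staticmethod
    def digest(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def clear(self):
        self._seen.clear()
        self._last_clear = self._clock()

    def on_db_update(self, version: str):
        # A new DB may change verdicts, so drop the table when the version changes.
        if version != self._db_version:
            self._db_version = version
            self.clear()

    def accept(self, data: bytes) -> bool:
        # True: submit for inspection. False: identical file already accepted.
        if self._clock() - self._last_clear >= WEEK_SECONDS:
            self.clear()               # weekly clear of the whole table
        h = self.digest(data)
        if h in self._seen:
            return False
        self._seen[h] = self._clock()
        return True


def demo():
    now = [1_000_000.0]                # constructed clock value, not a real timestamp
    cache = SubmissionCache(clock=lambda: now[0])
    sample = b"MZ constructed sample bytes"     # constructed input, not real malware
    first = cache.accept(sample)       # True: new hash, submitted
    dup = cache.accept(sample)         # False: same hash, dropped
    cache.on_db_update("db-v2")        # DB update clears the table
    after_update = cache.accept(sample)  # True: accepted again
    now[0] += WEEK_SECONDS             # a week passes
    after_week = cache.accept(sample)  # True: weekly clear
    return first, dup, after_update, after_week
```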

Registering FortiGate on FortiSandbox for File Submission

Device should appear in FortiSandbox

Device Authorization

Configure AV Profile with FortiSandbox

Tune WCF Profile to use FortiSandbox

Policy

FortiView
6.a Device Mode - FortiWeb

If FGT is integrated with FSA, why do I need to integrate FWEB with FSA?

Encrypted Traffic

(Diagram: an encrypted file in HTTPS traffic passes the FGT still encrypted; FWeb sends the decrypted file to FSA.)

FSA Integration

• Configure FSA
  » Authorise and test connectivity
  » Setup Admin mail

FortiWeb Configuration

• FortiWeb
  » Configure File Upload Restriction Policy
6.c Device Mode - FortiMail

Threat Vectors

Which threat vector is the most popular for Targeted Attacks?
a) Web browsing
b) Email (attacker's easiest choice for Targeted Attacks)
c) Software: bugs, backdoors, exploits
d) USB

Percentage of attacks involving that vector?
"more than 90% of Targeted Attacks involve email"

Integrate with FortiSandbox

Enable Sandbox in AV-Profile

Select AV-Profile in Recipient Policy
7. FortiClient Integration

Part of the Fortinet ATP Framework

• Prevent known malware
  » Everything that can enforce a security policy
• Detect unknown malware
  » FortiSandbox & everything that is behavior based
• Mitigation
  » FortiGuard teams and automation

(Diagram: high-risk items pass from prevention to detection; detection provides ratings & results to mitigation, which creates a fix & updates prevention.)
FortiSandbox Integration

Extending the ATP Framework up to the EndPoint

• File Submission of supported file types
• Every input source supported
  » Internet, removable media and network drive
• Malware Package support from FortiSandbox
• Prevent the user from accessing the file until a verdict is received

(Diagram: 1. Submit and hold the files; 2. Receive verdicts; 3. Retrieve Malware Packages)

FortiSandbox Integration
Execution or Access Hold during the Inspection

(Diagram of the same three steps: 1. submit and hold, 2. receive verdicts, 3. retrieve Malware Packages.)
Create a Profile with FortiSandbox IP

Register FortiClient on FGT

Test FCT FSA Communication

Check FCT is registered on FSA & FGT

• FortiClient
  » On the FGT, check the FCT Monitor
  » On the FSA, under Scan Input > FCT, check that the client has been registered
Process Next Level

(Diagram: how the input methods feed the analysis engines)

Input Methods: Sniffer, Devices, Network Share, On-demand, URL
Control: Controller, Local DB, Detection
Analysis: File Filter, Static Scan Engine, AV-Scan Engine, Cloud-Query Engine, VM-Scan Engine, Rating Engine
FortiGuard Threat Research & Response

(Diagram: the FortiGuard services behind each analysis engine)

Analysis engines: File Filter, Static Scan Engine, AV-Scan Engine, Cloud-Query Engine, VM-Scan Engine, Rating Engine

FortiGuard services:
• FortiGuard Antivirus Service
• FortiGuard Application Control Service
• FortiGuard Anti-spam Security Service
• FortiGuard Intrusion Prevention Service
• FortiGuard Web Security Service
• FortiGuard Web Filtering Service
• FortiGuard Database Security Service
• FortiGuard Vulnerability Management Service
• FortiGuard IP Reputation Service
• Anti-botnet
The Fortinet ATP Solution

(Diagram: FortiClient, FortiGate, FortiMail, FortiWeb and FortiSandbox, backed by FortiGuard Lab and FortiGuard Services.)
Sizing & Clustering

FortiSandbox Scaling

(Diagram: the FortiSandbox processing pipeline and its timing)

File Filter - supported file types: EXE/DLL, .bat/.vbs/.ps1/.com, PDF, Office Files, Flash Files, URLs from device, .jar, Office with embedded binary, Android
• Most file types are scanned by Static Scan; all go into VMs

Pre-filters (15 - 20 seconds):
• Static Scan Engine
• AV-Scan Engine
• Cloud-Query Engine
→ Clean File, or New / Known Malware

VM-Scan Engine (up to + 2 ½ minutes) → Rating Engine
→ Clean File, or Malware, or Unknown
File Sizing Summary

• This means… (worst case scenario)
  » Maximum of 3 minutes per file (60 minutes / 3) = maximum of 20 files an hour per Virtual Machine (if not caught by the pre-filters)
• FortiSandbox Platforms
  » FortiSandbox-1000D (8 concurrent VMs * 20) = 160 files per hour
  » FortiSandbox-3000D (28 concurrent VMs * 20) = 560 files per hour
  » FortiSandbox-Base-Virtual Appliance (4 VMs * 20) = 80 files per hour
  » FortiSandbox-Maximum-Virtual Appliance (52 VMs * 20) = 1,040 files per hour
• Clustering Allows Up to 100 Members
  » In any platform combination (Initial Master / Primary Backup have to be the same)
  » All cluster platforms share the file load / distribution

Clustering and Load Balancing

• Master and Primary Slave have to be the same appliance (can be any model)
• Regular Slaves can be any appliance
• Up to 100 nodes in a cluster
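The worst-case arithmetic of the File Sizing Summary and the clustering rules above, as an added worked example (not a Fortinet tool): per-platform throughput from the slide's VM counts, cluster throughput under the master/primary-slave and 100-node constraints, and the inverse question of how many VMs a given submission rate needs. The vm_fraction parameter (the share of files the pre-filters do not catch) is an assumed input the slides do not give.

```python
from math import ceil

MINUTES_PER_FILE = 3       # worst case per VM, from the slide
PLATFORM_VMS = {           # concurrent VMs per platform, from the slide
    "FortiSandbox-1000D": 8,
    "FortiSandbox-3000D": 28,
    "FortiSandbox-Base-Virtual Appliance": 4,
    "FortiSandbox-Maximum-Virtual Appliance": 52,
}
MAX_CLUSTER_NODES = 100    # from the slide


def files_per_hour(vms, minutes_per_file=MINUTES_PER_FILE):
    """Worst-case VM throughput: each VM finishes at most 60 / 3 = 20 files an hour."""
    return vms * (60 // minutes_per_file)


def platform_capacity():
    """Files per hour for each platform; reproduces the slide's numbers."""
    return {name: files_per_hour(vms) for name, vms in PLATFORM_VMS.items()}


def cluster_is_valid(members):
    """members[0] is the initial master, members[1] the primary backup/slave:
    those two must be the same platform, the rest may be any platform, 100 nodes max."""
    if not members or len(members) > MAX_CLUSTER_NODES:
        return False
    if any(m not in PLATFORM_VMS for m in members):
        return False
    return len(members) < 2 or members[0] == members[1]


def cluster_capacity(members):
    """Worst-case files per hour of a cluster; all members share the file load."""
    if not cluster_is_valid(members):
        raise ValueError("invalid cluster: master/primary must match, at most 100 nodes")
    return sum(files_per_hour(PLATFORM_VMS[m]) for m in members)


def vms_needed(files_per_hour_required, vm_fraction=1.0):
    """Concurrent VMs needed for a submission rate. vm_fraction is the assumed share
    of files reaching the VM stage (not caught by the pre-filters); 1.0 is the
    slide's worst case where every file goes into a VM."""
    reaching_vms = files_per_hour_required * vm_fraction
    return ceil(reaching_vms / (60 // MINUTES_PER_FILE))
```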

(Diagram: a Master and a Primary Slave, with Regular Slaves below them.)

Thank You!