FireEye Technical Briefing 19th March 2015 part 1

I attended a pretty interesting technical update afternoon hosted by FireEye recently and as usual made notes during the talks.

The first talk was titled ‘Staying one step ahead of the attacker’ by David DeWalt, the CEO of FireEye.

This was a broad talk covering the gap between current defensive and offensive security capabilities, followed by some thoughts on how best to close this gap and detect advanced attacks.

State of the Defence

– Is offence outweighing defence? Offensive skills and tooling are outpacing defensive ones at the moment.

– Number of offensive groups growing rapidly, with great skills.

– Lots of state-sponsored action occurring – Russia, China, US etc.

– Low barrier to entry.

– Emerging states – just need skilled people to enter the game.

– Less to protect, more to gain.

– Less advanced / wealthy nations can enter the game at a much higher level than in the traditional physical offence / defence world.

Offence has been winning – they only have to succeed once!

Mean number of days before breach detection is still 205 days. This has reduced since last year, but it is still orders of magnitude too high.

69% of companies breached learned about the breach from an external entity.

The majority of breaches occurred in companies that had up-to-date AV etc. These controls are still valuable, as attackers will go for the low-hanging fruit; however, many advanced threats can evade traditional defences.

Defensive capabilities are currently too reactive, and there is a huge volume of noise to sift through to find the one ‘real’ security event.

The basic attack pattern has been unchanged for some time – research, then initial exploit, then malware and call-back, then maintaining presence, then ongoing data exfiltration.

Very often research leads to spear phishing, which leads to exploit.

Data exfiltration may just be monitoring information such as financial data to enable insider trading and fraud; there may not actually be high volumes of data exfiltrated, which makes detection even harder.

Detecting the exploit is key since every phase after that can be encrypted by the attacker.

Advanced threats are everywhere.

Knowing where to focus is key – not a mile wide and an inch deep, but an inch wide and a mile deep.

Must understand that:

– A significant % of traffic does not pass through firewalls.

– 100% of attacks are multi-flow.

– 91% of attacks are multi-vector.

– Attacks are increasingly off-band / off-network.

– Consumerisation is increasing the attack surface – more vectors, more flows.

Need more proactive defence:

Monitoring across multiple attack vectors.

Need to be able to spot malware that evades traditional defences.

Must have skills available in security teams (in-house or external) to understand, investigate, respond and automate.

Must combine this with advanced threat intelligence to know what to look for, what the current threats are and how best to respond.

Take away thoughts:

Security needs to provide an overall advanced threat management and response capability:

– Detect

– Protect

– Analyse

– Respond

It’s about joining the dots to provide a complete picture.