
Huawei Big Data-based Anti-APT Solution

Solution Overview
Advanced Persistent Threat (APT) is a targeted network attack and intrusion against enterprises. APT attackers gain access to enterprise networks and stealthily monitor target computer systems over a long period of time to steal core data. In recent years, APT attacks have become a hot topic in the industry. With unique patterns and methods, APT attacks render traditional defense tools ineffective, and their growing complexity is a big headache for enterprises.

A typical APT attack includes multiple phases, such as reconnaissance, external penetration, command and control, expansion, and data exfiltration. Once inside the enterprise network, the attacker can move laterally, collect sensitive information, and send it back out, causing great loss to the enterprise.

Independent of signatures, the Huawei APT big data security analysis solution detects APT attacks using models for defense, detection, tracking and investigation, and situational awareness. The solution collects all files, logs, and traffic on the network and analyzes them to detect unusual behavior. In coordination with multiple security products, it can promptly detect, alert on, report, and display APT attacks. The Huawei anti-APT solution implements network-wide security protection to keep enterprise core information assets intact, which makes it especially applicable to financial and government agencies, power suppliers, and Internet enterprises.

Figure: Huawei anti-APT model. The CIS Big Data Security Analysis platform sits at the center, fed by file information, logs and events, full-packet PCAP data, NetFlow/NetStream metadata, and mobile, PC, and server behaviors (with file upload to the FireHunter sandbox). Around it the model groups: Posture awareness (display of known attacks, alerts on potential attacks, context-aware security); Defense (attack blocking, attack surface reduction, reducing false positives); Detection (abnormal terminal behavior, abnormal traffic, abnormal content, enterprise-defined suspicious acts, threat visualization; FireHunter sandbox detection of file-based zero-day attacks and evasion attacks; unknown threat detection); Investigation (attack analysis, infection scope, evidence collection); and Response efficiency enhancement (minimizing the attack time window). Detection and investigation results synchronize with the Global Threat Intelligence Center (intelligence information updates, APT detection service, advanced threat analysis) and with Huawei next-generation security components acting as coordinated execution points: traffic probe, NGFW, NGIPS, vNGFW, Anti-DDoS, AnyOffice, NG series, terminal probe, and log collection. The three stages shown are Detection, Alert and response, and Investigation.

Solution Model and Feature


Lightweight Solution
The lightweight solution implements only in-depth detection and blocking for critical malware and external channels in APT attacks. Built on the Huawei sandbox, it interworks with the Huawei NGFW and LogCenter to display APT attacks. Huawei FireHunter detects malware and C&C channels in depth and sends the IOC information to the NGFW within seconds. The NGFW automatically responds and implements blocking policies. Meanwhile, the LogCenter collects the logs of both devices; after correlation analysis, the scope of APT malware infection, malware downloads, and the overall security posture can be displayed accurately.

INNOVATIVE ICT BUILDING A BETTER CONNECTED WORLD



Solution components and key information


Figure: lightweight solution components. The NGFW/NGIPS sits between the Internet and the intranet; the FireHunter sandbox and the LogCenter sit beside it, with the mail server, terminals, and the terminal management system on the inside. Key information:
•• Defense. USG6000/NIP6000: context awareness and risk rating
•• Detection. FireHunter: prompt detection and response
•• Investigation. LogCenter: path display and infection locating
•• Posture awareness. LogCenter: display of known attacks and alerts on possible attacks

Lightweight Solution Features


•• Detection of known and unknown threats
The solution deploys NGFWs for border defense and the detection of known threats. With its next-generation detection engine, the Huawei NGFW has strong context awareness and identifies and blocks known threats faster and more accurately. The FireHunter sandbox, on the other hand, detects unknown advanced malware through heuristic detection and virtualized execution. Web-based detection, especially the detection of zero-day malicious code, enhances the FireHunter's detection efficiency.

•• Interworking and blocking within seconds
Once an unknown threat is detected, the FireHunter promptly interworks with the USG6000 and sends it the IOCs. Based on the information received, the NGFW immediately updates its reputation database for real-time blocking, preventing further intrusion of the advanced malware and consolidating the enterprise's defense.

•• Comprehensive display of threats
By correlating information such as network logs, test results for malicious files, and user authentication records multiple times, from multiple perspectives and layers, the LogCenter provides a clear picture of the threat and makes tracking much easier. As an advanced log collection, storage, and correlation system, the LogCenter gives network administrators an easy platform to learn the analysis results and the spread of unknown files, and helps detect and defend against APT attacks. Administrators can see the spread and behavior of each malware program as well as the history of victims' behavior. In addition, a variety of statistical reports show the share of each malware type, which provides a reference for configuring traffic analysis and file restoration policies on the NGFW.

Lightweight Solution Application Scenarios


1. Internet egress protection

Challenges
•• Exploits of web and application vulnerabilities, botnets, Trojan horses, worms, and viruses
•• Phishing (mails and web pages) and DDoS attacks
•• Zero-day, watering hole, and APT attacks
•• Ineffective collection of logs from network and security devices

Solution
•• Deploy the NGFW at the Internet border and FireHunter + LogCenter in the O&M management area.
•• The NGFW provides comprehensive defense against known threats. The NGFW and the anti-APT sandbox interwork to prevent unknown threats.
•• Provide optimized security policies, all-round security reports, and situational awareness.

Figure: the NGFW at the Internet border fronts the DMZ, the O&M management area (FireHunter, LogCenter), and the finance, R&D, and testing departments.

Values to customer
•• Defense against known threats: effective defense against various known threats, such as DDoS, using over 3,500 intrusion signatures, features of over 5,000,000 viruses, and a URL category database with over 85,000,000 items
•• Unknown threat detection: accurate detection of APT attacks and blocking of malicious behavior through in-depth analysis of malicious code with the help of a heuristic detection engine and a virtual detection environment
•• Situational awareness: collection of network and security logs, network-wide situational awareness, real-time alerts on attacks, in-depth display of malicious file expansion paths, and a clear picture of user history behavior

2. Data center border protection

Challenges
•• DDoS attacks
•• Intrusion and confidential data theft by exploiting web and application vulnerabilities, botnets, Trojan horses, worms, and viruses
•• Zero-day, watering hole, and APT attacks
•• Requirement for independent security management for multiple tenants

Solution
•• Deploy NGFWs at the data center border and FireHunter + LogCenter in the O&M management area.
•• NGFWs provide comprehensive defense against known threats. The NGFW and the anti-APT sandbox interwork to prevent unknown threats.
•• Remote VPN access
•• All-round security reports and situational awareness

Figure: the terminal access, WAN access, and Internet access zones connect through a core switch to NGFWs at the data center border; the O&M management area holds the FireHunter and LogCenter, and virtual firewalls (vFWs) separate the ordinary, important, and core business zones inside the data center.

Values to customer
•• Premium security performance: 10GE-level comprehensive threat defense performance (a maximum of 40 Gbps)
•• Virtualization of all businesses: at most 1,000 virtual firewalls, meeting the custom security requirements of multiple tenants
•• Full defense against known threats: intrusion prevention, antivirus, data breach prevention, and anti-DDoS
•• Accurate detection of unknown threats: accurate detection of APT attacks and blocking of malicious behavior through in-depth analysis of malicious code with the help of a heuristic detection engine and a virtual detection environment
•• Situational awareness: collection of network and security logs and real-time awareness of the network-wide security posture

Heavyweight Solution
Based on the Cybersecurity Intelligence System (CIS) big data security analysis platform, the heavyweight solution collects the traffic of key paths on the live network and the logs of key systems, applies machine learning, and promptly detects unusual behavior along the APT attack chain, including web, mail, and DNS anomalies. After anomaly analysis from multiple dimensions, APT attacks can be quickly identified and alerts generated, so the time window for security response is effectively shortened. Besides detection, the CIS also supports APT attack investigation by displaying the complete attack kill chain and allowing drill-down into the data at each node of the chain.

Solution components and key information


Figure: heavyweight solution components. An IPS, NGFW, and FireHunter sit at the Internet border; inside, log probes and traffic probes feed the CIS, vNGFWs protect the virtual machines, and the LogCenter collects logs. Key information:
•• Border defense. NGFW/NGIPS: defense against known threats; vNGFW: prevention of cross-virtual-machine threats
•• Intranet detection. CIS: network-wide deployment of probes for information collection and analysis; FireHunter: detection of all files transmitted on the network
•• Backtracking and investigation: backtracking attack paths and providing evidence on known and advanced threats
•• Situational awareness: rating of major threats and prediction of future attack trends

Heavyweight Solution Features


•• Accurate and prompt threat detection
After key network traffic (such as web, mail, and DNS traffic), logs generated by key devices and servers, and the behavior of relevant software are collected, big data correlation can be performed. The Huawei anti-APT solution provides abundant anomaly detection models covering the entire APT lifecycle, using offline detection, real-time detection, correlation analysis, machine learning, and holistic assessment with the assistance of context verification, which yields accurate alerting and proactive defense and minimizes the attack time window and losses.

•• Network-wide interworking mitigating risks through one-click terminal isolation and repair
The Huawei anti-APT solution provides comprehensive and rapid eradication capabilities. It performs in-depth threat assessment on traffic and related information, visualizes attack paths, threat events, and suspicious behavior, retrieves attack events within seconds, accurately locates infected hosts and terminals with the assistance of context verification, and quarantines and fixes terminals automatically with a single click, removing internal and external hidden risks.

•• Network-wide situational awareness and threat source tracing for forensics
When information such as network logs, test results for malicious files, and user authentication records is correlated multiple times from multiple perspectives and layers, the picture of the threat becomes clear. Threat events on any node of the attack chain and the original data (such as traffic and logs) can be easily obtained, so source tracing and evidence collection are trustworthy and easy.
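The DNS anomalies the heavyweight solution names can be made concrete with two explainable models, shown here as an added Python example written for this page (not Huawei or CIS code): DGA-style query names scored by character entropy and vowel ratio of the registered label, and beaconing found from near-constant inter-query intervals per client and name. The resolver log format, every domain and address, and the thresholds are assumptions constructed for the example.

```python
"""Two explainable DNS anomaly models over a constructed resolver log.

Added example, not Huawei or CIS code. Model 1 flags DGA-like names by
entropy and vowel ratio of the registered label; model 2 flags beaconing
by near-constant inter-query intervals per (client, name). Log format,
thresholds and all names/addresses are assumptions made for this example.
"""
import math
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed resolver log, "timestamp client qname" (not real traffic).
SAMPLE_DNS_LOGS = """\
2024-03-01T08:00:00Z 10.2.0.5 sync.example-cdn.net
2024-03-01T08:00:00Z 10.2.0.7 www.microsoftonline.com
2024-03-01T08:00:40Z 10.2.0.7 www.microsoftonline.com
2024-03-01T08:01:12Z 10.2.0.9 q7xz4kp9w2mf.info
2024-03-01T08:01:13Z 10.2.0.9 hd8fj3kq1vz0t.biz
2024-03-01T08:01:14Z 10.2.0.9 pl2mw7xd9rk4.org
2024-03-01T08:05:01Z 10.2.0.5 sync.example-cdn.net
2024-03-01T08:07:15Z 10.2.0.7 www.microsoftonline.com
2024-03-01T08:07:20Z 10.2.0.7 www.microsoftonline.com
2024-03-01T08:10:00Z 10.2.0.5 sync.example-cdn.net
2024-03-01T08:14:59Z 10.2.0.5 sync.example-cdn.net
2024-03-01T08:20:02Z 10.2.0.5 sync.example-cdn.net
2024-03-01T08:21:00Z 10.2.0.7 www.microsoftonline.com
2024-03-01T08:21:03Z 10.2.0.7 www.microsoftonline.com
2024-03-01T08:25:00Z 10.2.0.5 sync.example-cdn.net
2024-03-01T08:30:01Z 10.2.0.5 sync.example-cdn.net
2024-03-01T08:45:50Z 10.2.0.7 www.microsoftonline.com
2024-03-01T08:46:00Z 10.2.0.7 mail.example.org
"""


def parse_dns_logs(text):
    """Return (timestamp, client, qname) tuples in log order."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, client, qname = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, qname.lower()))
    return events


def registered_label(qname):
    """Second-level label ('example-cdn' for sync.example-cdn.net); assumes single-label TLDs."""
    labels = qname.rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s):
    """Character entropy in bits; random-looking strings approach log2(len(s))."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def dga_like(qname, min_len=10, min_entropy=3.3, max_vowel_ratio=0.2):
    """Flag a long, high-entropy, vowel-poor registered label.

    Entropy alone misfires on long legitimate names ('microsoftonline' scores
    about 3.3 bits); requiring a low vowel ratio removes most of those.
    """
    label = registered_label(qname)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def find_dga_queries(events):
    """Sorted (client, qname) pairs whose name looks algorithmically generated."""
    return sorted({(client, qname) for _, client, qname in events if dga_like(qname)})


def find_beacons(events, min_queries=6, max_cv=0.1, min_period=60):
    """Return {(client, qname): mean period in seconds} for timer-like query patterns.

    A low coefficient of variation (stdev/mean) of the gaps is typical of C&C
    check-ins; min_queries keeps retries and short bursts from being scored.
    """
    by_pair = defaultdict(list)
    for ts, client, qname in events:
        by_pair[(client, qname)].append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean >= min_period and statistics.stdev(gaps) / mean <= max_cv:
            beacons[pair] = mean
    return beacons
```

Both models are deliberately cheap and auditable, which is what makes an alert from them usable in the investigation step: an analyst can recompute the entropy or the interval list by hand from the same log lines. A production model would add features (query volume, NXDOMAIN ratio, TLD rarity, a public-suffix-aware label split) and learn thresholds, but the failure modes are the same ones handled here, namely long legitimate names that look random and bursts or retries that look periodic.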

Heavyweight Solution Application Scenarios


1. Data security for financial and large enterprises

Figure: the CIS, connected to the Global Threat Intelligence Center APT detection cloud service, receives data from traffic probes and sandboxes at the Internet edge, the enterprise data center (EDC, with VMs behind a vSwitch), telecommuting access, and the campus network (core, aggregation, and access layers covering the R&D, finance, marketing, and guest areas), and interworks with the network security devices.

Solution values

Detection of unknown and advanced threats
•• Detect traffic for unknown attacks and identify infected hosts and zombie hosts.
•• Detect files for unknown malicious files and identify the transmission of unknown malicious files.
•• Detect files and traffic for APT infiltration and covert channels.

Information leak prevention
•• Full APT attack chain detection helps identify information leak risks in a timely manner.
•• C&C traffic capture and the counting and analysis of outgoing files protect key assets.

Attack source tracking/evidence collection
•• Protocol metadata stored on the big data platform assists in the investigation and analysis of advanced threats.
•• PCAP packet capture for suspicious traffic assists in the confirmation and investigation of events.

Network-wide situational awareness
•• Network-wide situational awareness and detection of C&C, advanced threats, infected intranet hosts, and abnormal outgoing files.

Security protection through interworking
•• Interwork with security devices to execute defense actions, such as removing malicious programs from infected devices, blocking C&C communications, and blocking covert channels.

2. Metropolitan area network (MAN) situational awareness

Figure: the CIS, connected to the Global Threat Intelligence Center APT detection cloud service, receives DNS response traffic, NAT tracing logs from the NAT tracing system, security logs, mirrored traffic logs, anti-DDoS detection logs, and file inspection results from a sandbox. On the carrier/IDC network, mirrored traffic (sample detection) is fed to an anti-DDoS detection device, an IDS (traffic-based attack detection device), and a DPI system (known application-based threat detection device); the CIS interworks with an anti-DDoS cleaning device that diverts and reinjects traffic.

Solution values

Detection of known threats
•• Detect traffic for DDoS attacks and identify zombie hosts.
•• Detect traffic for intrusions at the application layer and identify attack behavior.
•• Detect files for malware and identify the transmission of malicious files.

Detection of unknown and advanced threats
•• Detect traffic for unknown attacks and identify infected hosts.
•• Detect files for unknown malicious files and identify the transmission of unknown malicious files.
•• Detect files and traffic for APT infiltration and covert channels.

Attack source tracking/evidence collection
•• Protocol metadata stored on the big data platform assists in the investigation and analysis of advanced threats.
•• PCAP packet capture for suspicious traffic assists in the confirmation and investigation of events.

Network-wide situational awareness
•• Provide visibility into botnets, Trojan horses, worms, C&C, advanced threats, and infected hosts on the network.

Network-wide cleaning
•• Clean botnet and DDoS traffic and reduce inter-network settlement.

e.huawei.com
