Breaking the Lifecycle of the Modern Threat Santiago Polo Sr. Systems Engineer Palo Alto Networks, Inc.

Upload: brandon-bolam

Post on 14-Dec-2015


TRANSCRIPT

Page 1: Breaking the Lifecycle of the Modern Threat Santiago Polo Sr. Systems Engineer Palo Alto Networks, Inc

Breaking the Lifecycle of the Modern Threat

Santiago Polo

Sr. Systems Engineer

Palo Alto Networks, Inc.

Page 2

About Palo Alto Networks

• Palo Alto Networks is the Network Security Company

• World-class team with strong security and networking experience
- Founded in 2005, first customer July 2007
- Top-tier investors

• Builds next-generation firewalls that identify / control 1400+ applications
- Restores the firewall as the core of the enterprise network security infrastructure
- Innovations: App-ID™, User-ID™, Content-ID™

• Global footprint: 6,000+ customers in 70+ countries, 24/7 support

Page 3

What Has Changed / What is the Same

• The attacker changed
- Nation-states
- Criminal organizations
- Political groups

• Attack strategy evolved
- Patient, multi-step process
- Compromise user, then expand

• Attack techniques evolved
- New ways of delivering malware
- Hiding malware communications
- Signature avoidance

The Sky is Not Falling

- Not new, just more common

- Solutions exist

- Don’t fall into “the APT ate my homework” trap

Page 4

Strategy: Patient Multi-Step Intrusions

(Diagram: Organized Attackers against The Enterprise, with the stages Infection, Command and Control, Escalation and Exfiltration)

Page 5

Challenges to Traditional Security

• Threats coordinate multiple techniques, while security is segmented into silos
- Exploits, malware, spyware, obfuscation all part of a patient, multi-step intrusion

• Threats take advantage of security blind spots to keep from being seen
- Patient attacks must repeatedly cross the perimeter without being detected

• Targeted and custom malware can bypass traditional signatures
- The leading edge of an attack is increasingly malware that has never been seen before.

Page 6

Regaining Control Over Modern Threats

© 2011 Palo Alto Networks. Proprietary and Confidential.

New Requirements for Threat Prevention

1. Full Visibility - all traffic regardless of port, protocol, evasive tactic or SSL

2. Stop all known network threats - (IPS, Anti-malware, URL, etc.) while maintaining multi-gigabit performance

3. Find and stop new and unknown threats - even without a pre-existing signature

(Diagram of threat categories: Vulnerabilities, Malware, Dangerous URLs, Malware Sites, SQL Injection, Cross-Site Scripting, Denial of Service, Botnets, Key Loggers, Fast Flux)

Page 7

Visibility

• Visibility is Fundamental
- You can’t stop what you can’t see
- Virtually all threats other than DoS depend on avoiding security

• Full Stack Inspection of All Traffic
- All traffic, on all ports, all the time
- Progressive decoding of traffic to find hidden, tunneled streams
- Contextual decryption of SSL

• Control the Applications That Hide Traffic
- Limit traffic to approved proxies, remote desktop applications
- Block bad applications like encrypted tunnels, circumventors

Page 8

Control the Methods Threats Use to Hide


• Encrypted Traffic
- SSL is the new standard

• Proxies
- Reverse proxies are hacker favorites

• Remote Desktop
- Increasingly standard

• Compressed Content
- ZIP files, compressed HTTP

• Encrypted Tunnels
- Hamachi, Ultrasurf, Tor
- Purpose-built to avoid security

(Diagram labels: Encryption (e.g. SSL), Compression (e.g. GZIP), Proxies (e.g. CGIProxy), Circumventors and Tunnels, Outbound C&C Traffic)

If you can’t see it, you can’t stop it

Page 9

Block the Applications That Hide Traffic

• Block Unneeded and High-Risk Applications
- Block (or limit) peer-to-peer applications
- Block unneeded applications that can tunnel other applications
- Review the need for applications known to be used by malware
- Block anonymizers such as Tor
- Block encrypted tunnel applications such as UltraSurf
- Limit use to approved proxies
- Limit use of remote desktop
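As an added illustration (not code from the slides or from Palo Alto Networks), the following toy Python check classifies a flow by its first payload bytes instead of its destination port, then applies an allow/block policy to tunnels and unapproved proxies; the application names, matching rules and sample payloads are all constructed for this example.

```python
# Added example, not code from the slides: classify a flow by its first
# payload bytes (not its port), then apply a policy. Rules and samples are constructed.
from dataclasses import dataclass

@dataclass
class Flow:
    dst_port: int
    payload: bytes  # first bytes sent by the client

def identify_app(flow: Flow) -> str:
    """Classify a flow from its first payload bytes; the port is ignored."""
    p = flow.payload
    if p.startswith(b"SSH-2.0-"):
        return "ssh"
    if p[:1] == b"\x16" and p[1:3] in (b"\x03\x01", b"\x03\x02", b"\x03\x03"):
        return "ssl"                       # TLS handshake record header
    method = p.split(b" ", 1)[0]
    if method == b"CONNECT":
        return "http-proxy"                # client asking a proxy to tunnel for it
    if method in (b"GET", b"POST", b"HEAD", b"PUT"):
        return "web-browsing"
    if p[:1] == b"\x05" and len(p) >= 2 and p[1] <= 0x0a:
        return "socks5"                    # SOCKS5 greeting: version 5, method count
    return "unknown-tcp"

# Approved applications and the ports they are expected on; proxies and
# circumventors are blocked regardless of port.
ALLOWED = {"web-browsing": {80, 8080}, "ssl": {443}, "ssh": {22}}
BLOCKED = {"socks5", "http-proxy"}

def decide(flow: Flow) -> tuple[str, str]:
    """Return (application, action) for one flow."""
    app = identify_app(flow)
    if app in BLOCKED:
        return app, "block"
    if app == "unknown-tcp":
        return app, "alert"                # unknown traffic is sent for analysis
    if flow.dst_port not in ALLOWED[app]:
        return app, "block"                # e.g. SSH on 443 looks like a tunnel
    return app, "allow"

SAMPLES = {  # constructed first packets
    "https on 443":   Flow(443,  b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    "ssh on 443":     Flow(443,  b"SSH-2.0-OpenSSH_8.9\r\n"),
    "socks5 on 8080": Flow(8080, b"\x05\x01\x00"),
    "http on 80":     Flow(80,   b"GET / HTTP/1.1\r\nHost: example.com\r\n"),
    "connect on 80":  Flow(80,   b"CONNECT example.com:443 HTTP/1.1\r\n"),
    "unknown on 443": Flow(443,  b"\x00\x00\x00\x2a\x7f\x01"),
}
```

Note that this only identifies the outer protocol: a tunnel carried inside TLS still shows up as ssl on 443, which is why the slides pair port-independent identification with SSL decryption.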

Page 10

Control Known Threats

• Modern attacks are patient and use multiple techniques
- Threats are more than exploits
- Malware
- Dangerous URLs
- Spyware
- Command and Control Traffic
- Circumvention Techniques

• Context is Key
- Clear visibility into all URLs, users, applications and files connected to a particular threat

Threat categories shown on the slide:

• Brute Force

• Code-Execution

• Denial of Service

• Data Leakage

• Overflows

• Scanning

• SQL Injection

• Botnets

• Browser Hijacks

• Adware

• Backdoors

• Keyloggers

• Net-Worms

• Peer-to-Peer

Page 11


“Okay, but what about unknown and targeted malware?”

Page 12

The Malware Window of Opportunity

Time required to capture 1st sample of malware in the wild

Time required to create and verify malware signature

Time before antivirus definitions are updated

Total Time Exposed

Days and weeks until users are protected by traditional signatures

Page 13

Attackers Target the Window of Opportunity


Refreshed Malware

Malware Construction Kits

Targeted Attacks

Page 14

Controlling Unknown Malware Using the Next-Generation Firewall

• Introducing WildFire
- New feature of the Palo Alto Networks NGFW
- Captures unknown inbound files and analyzes them for 70+ malicious behaviors
- Analysis performed in a cloud-based, virtual sandbox

• Automatically generates signatures for identified malware
- Infecting files and command-and-control
- Distributes signatures to all firewalls via regular threat updates

• Provides forensics and insight into malware behavior
- Actions on the target machine
- Applications, users and URLs involved with the malware

Page 15

Case Study - Password Stealing Botnets


Overview

Threat Type: Botnet, similar to the notorious ZeuS banking botnet

Target: Targets end-users with the goal of stealing passwords

Transmission Methods: Heavy use of email, some use of HTTP

Key Actions:
- Steals email and FTP credentials
- Steals cookies from browsers
- Decrypts and sniffs SSL sessions
- Uses anti-VM techniques

File Name(s):
- American_Airlines_E-Ticket-printing-copy
- DHL-express-tracking-delivery-notification

Initial Detection Rates: Very low detection rates, sometimes for several days. Heavy use of packers.

Page 16

Malware Analysis

Page 17

Malware Analysis

Page 18

Malware Analysis

Page 19

Case Study - Enterprise Phishing

• Shipping and Security are common topics for enterprise phishing
- Fake DHL, USPS, UPS and FedEx delivery messages
- Fake CERT notifications

• Ongoing Phishing Operations
- Large volumes of malware – commonly in the top 3 of daily unknown malware seen in enterprises
- Correlate new malware talking back to the same malware servers
- Refreshed daily to avoid traditional AV signatures

(Figure: sample malware file names - USPS Report, DHL-international-shipping-ID, DHL-international-shipping-notification, DHL-Express-Notification-JAN, United-Parcel-Service-Invoice, US-CERT Operations Center Report, USPS-Failed-Delivery_Notification)
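An added example (not from the presentation) of the correlation step above: sandbox verdicts are grouped by the server each sample calls back to, so that daily-refreshed samples with different hashes surface as one operation. Every record, hash, host and date below is a constructed placeholder.

```python
# Added example, not from the slides: correlate daily-refreshed phishing
# samples by the malware server they call back to. Every record below is
# constructed; hashes, hosts and dates are placeholders, not real indicators.
from collections import defaultdict
from datetime import date

# (first seen, file name, sha256 placeholder, C2 host reported by the sandbox)
VERDICTS = [
    (date(2012, 1, 9),  "DHL-international-shipping-ID.exe",     "sha256-A1", "c2-one.example"),
    (date(2012, 1, 10), "DHL-Express-Notification-JAN.exe",      "sha256-B2", "c2-one.example"),
    (date(2012, 1, 11), "United-Parcel-Service-Invoice.exe",     "sha256-C3", "c2-one.example"),
    (date(2012, 1, 11), "USPS-Failed-Delivery_Notification.exe", "sha256-D4", "c2-two.example"),
    (date(2012, 1, 11), "US-CERT-Operations-Center-Report.exe",  "sha256-E5", "c2-two.example"),
    (date(2012, 1, 12), "quarterly-report.xlsx",                 "sha256-F6", "c2-three.example"),
]

# Lure themes the slide calls out (shipping and security notifications)
THEMES = ("dhl", "usps", "fedex", "united-parcel", "cert")

def themed(name: str) -> bool:
    """True if a file name uses one of the common enterprise phishing lures."""
    low = name.lower()
    return any(t in low for t in THEMES)

def correlate(verdicts, min_samples=2, min_days=2):
    """Group samples by C2 host and return the hosts that look like an ongoing
    operation: several distinct hashes seen across several days. A burst of
    hashes on a single day is reported only if min_days is lowered."""
    by_host = defaultdict(list)
    for seen, name, sha, host in verdicts:
        by_host[host].append((seen, name, sha))
    campaigns = {}
    for host, rows in by_host.items():
        hashes = {sha for _, _, sha in rows}
        days = {seen for seen, _, _ in rows}
        if len(hashes) >= min_samples and len(days) >= min_days:
            campaigns[host] = {
                "samples": len(hashes),
                "days": len(days),
                "themed_names": sum(themed(n) for _, n, _ in rows),
                "names": sorted(n for _, n, _ in rows),
            }
    return campaigns

if __name__ == "__main__":
    for host, info in correlate(VERDICTS).items():
        print(f"{host}: {info['samples']} samples over {info['days']} days, "
              f"{info['themed_names']} with lure-themed names")
```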

Page 20

Trusted Sources

CNET/Download.com

• Strong reputation for providing safe downloads of shareware and freeware that are verified to be malware free.

• In early December 2011 WildFire began identifying files from Download.com as containing spyware.

• CNET had begun providing software downloads in a wrapper that installed subtle spyware designed to track shopping habits

• Changed a variety of client and browser security settings
- Changed security settings
- Changed proxy settings
- Changed Internet Explorer settings

• Installed a service to leak advertising and shopping data over HTTP POSTs.

Page 21

An Integrated Approach to Threat Prevention


Applications

• All traffic, all ports, all the time

• Application signatures

• Heuristics

• Decryption

• Reduce the attack surface

• Remove the ability to hide

• Prevents known threats

• Exploits, malware, C&C traffic

Exploits & Malware

• Block threats on all ports

• NSS Labs Recommended IPS

• Millions of malware samples

Dangerous URLs

• Malware hosting URLs

• Newly registered domains

• SSL decryption of high-risk sites

Unknown & Targeted Threats

• WildFire control of unknown and targeted malware

• Unknown traffic analysis

• Anomalous network behaviors

• Block known sources of threats

• Be wary of unclassified and new domains

• Pinpoints live infections and targeted attacks

Decreasing Risk

Page 22

Roundtable Discussion