Hiding in Plain Sight: The Evolution of Your Network
Transcript of slides
Key Facts and Figures
2 | ©2014 Palo Alto Networks. Confidential and Proprietary.
• 5,500 networks analysed
• 2,100 applications detected
• 51 petabytes of bandwidth
• 16,809 unique threats
• Billions of threat logs
The Evolution of Your Network
What’s Hiding In Plain Sight?
(Figure: application word cloud listing VNC, SMB, POP3, SNMP, DNS, Telnet, LDAP, FTP, SSL)
• Common sharing applications: heavily used, high in threats delivered, low in threat activity
• 19% of all threats delivered are code execution exploits found within common sharing applications
• Only 5% of all threat activity was seen within these applications
• A small number of applications exhibited nearly all threat activity
• Malware: 99% of all malware logs were generated by a single application.
• Vulnerability exploits: 94% of all exploit logs were found in 10 applications.
• Applications that can use SSL: privacy, evasion, or Heartbleed risk?
• 34% of the applications can use SSL; how many of them are using OpenSSL?
Global Findings
Common Sharing Applications are Heavily Used
Application Variants
• How many video and file-sharing applications are needed to run the business?
Bandwidth Consumed
• 20% of all bandwidth is consumed by file-sharing and video alone
High in Threat Delivery; Low in Activity – Why?
• 19% of all threats are code execution exploits within common sharing applications
• Most commonly used applications: email (SMTP, POP3, IMAP) and file-sharing (FTP, WebDAV)
Source: Palo Alto Networks, Application Usage and Threat Report. May 2014.
Low Activity? Effective Security or Something Else?
Low File Sharing Activity: Effective Security or Something Else?
(7) Code execution exploits seen in SMTP, POP3, IMAP and web browsing.
(Figure: exploit activity by application: IMAP, SMTP, POP3, web browsing)
Smoke.loader botnet controller
• Delivers and manages the payload
• Steals passwords
• Encrypts the payload
• Posts to URLs
• Anonymizes identity
Common Sharing Applications: Additional Risks
Source: Palo Alto Networks, Application Usage and Threat Report. Jan. 2013.
• Bandwidth impact on business applications
• Productivity loss from “watching” or “posting”
• Regulatory or copyright violations
• Loss of confidential data
• Videos or posts used as enticement to “click here”
• Downloads infected with malware
Unknown UDP: Malware Hiding Place of Choice
Source: Palo Alto Networks, Application Usage and Threat Report. Jan. 2013.
• 1 application delivered nearly all of the malware logs: unknown UDP
• ZeroAccess command & control traffic represented nearly all of that traffic
Malware Activity Hiding in Plain Sight: UDP
(Figure: ZeroAccess chain: endpoint controlled via the Blackhole Exploit Kit, ZeroAccess delivered, monetized ($$$) through bitcoin mining, spam and click fraud)
• Distributed computing = resilience (no single controller to take down)
• A large number of UDP ports masks its use
• Multiple techniques to evade detection
• Robs your network of processing power
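The two slides above say where ZeroAccess hides (unclassified UDP, spread across many high ports, to many peers) but not how to find it in your own logs. The following is an added example, not code from the report or from Palo Alto Networks: a fan-out detector run over a constructed firewall traffic log. It flags internal hosts whose unknown-UDP flows reach an unusually large number of distinct external peers on high ports, which is the footprint a peer-to-peer bot leaves and a single client application normally does not. The log format, the 10.0.0.0/8 internal range, the thresholds and the function names are assumptions; the log lines are fabricated for the example.

```python
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range

# Constructed traffic log (not real data): time src dst proto dport app-as-classified-by-firewall
SAMPLE_FLOWS = """
2014-05-01T10:00:01 10.0.0.12 203.0.113.7 udp 53 dns
2014-05-01T10:00:02 10.0.0.12 198.51.100.3 tcp 443 ssl
2014-05-01T10:00:03 10.0.0.12 198.51.100.9 udp 33434 unknown-udp
2014-05-01T10:00:04 10.0.0.55 198.51.100.21 udp 9050 unknown-udp
2014-05-01T10:00:05 10.0.0.55 198.51.100.22 udp 9051 unknown-udp
2014-05-01T10:00:06 10.0.0.55 203.0.113.40 udp 9050 unknown-udp
2014-05-01T10:00:07 10.0.0.55 203.0.113.41 udp 28967 unknown-udp
2014-05-01T10:00:08 10.0.0.55 203.0.113.42 udp 42815 unknown-udp
2014-05-01T10:00:09 10.0.0.55 198.51.100.60 udp 9051 unknown-udp
2014-05-01T10:00:10 10.0.0.55 198.51.100.61 udp 51330 unknown-udp
2014-05-01T10:00:11 10.0.0.55 203.0.113.77 udp 9050 unknown-udp
2014-05-01T10:00:12 10.0.0.55 203.0.113.78 udp 60133 unknown-udp
2014-05-01T10:00:13 10.0.0.55 198.51.100.99 udp 9051 unknown-udp
2014-05-01T10:00:14 10.0.0.55 10.0.0.1 udp 514 syslog
2014-05-01T10:00:15 10.0.0.55 203.0.113.42 udp 42815 unknown-udp
""".strip().splitlines()


def parse_flow(line):
    """Split one log line into typed fields (assumed space-separated format)."""
    ts, src, dst, proto, dport, app = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(dport), app


def unknown_udp_fanout(lines, min_peers=8, min_port=1024):
    """Return internal hosts whose unclassified UDP traffic fans out to >= min_peers distinct
    external peers on ports >= min_port, with per-host peer, port and flow counts."""
    peers, ports, flows = defaultdict(set), defaultdict(set), defaultdict(int)
    for line in lines:
        _, src, dst, proto, dport, app = parse_flow(line)
        # Only unclassified UDP on high ports, from inside to outside, is of interest here
        if proto != "udp" or app != "unknown-udp" or dport < min_port:
            continue
        if src not in INTERNAL or dst in INTERNAL:
            continue
        peers[src].add(dst)
        ports[src].add(dport)
        flows[src] += 1
    return {
        str(host): {"peers": len(p), "ports": len(ports[host]), "flows": flows[host]}
        for host, p in peers.items()
        if len(p) >= min_peers
    }


if __name__ == "__main__":
    for host, stats in unknown_udp_fanout(SAMPLE_FLOWS).items():
        print(f"{host}: {stats['peers']} external peers over {stats['ports']} UDP ports "
              f"({stats['flows']} unknown-udp flows)")
```

On the sample log only 10.0.0.55 crosses the threshold; 10.0.0.12 has a single unknown-UDP flow (a traceroute-style probe) and stays quiet. The peer count is the stronger signal than the flow count: a bot maintaining a peer list contacts many hosts a few times each, whereas a chatty but legitimate unknown-UDP application usually talks to a handful of servers many times. Tune min_peers against a baseline of your own network, because VoIP, conferencing and game clients can also fan out, and treat a hit as a lead for the endpoint investigation rather than a verdict.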
Business Applications = Heaviest Exploit Activity
• 10 applications transmitted 94% of the exploit logs
• Primary source: brute force attacks
DNS ANY Query: A Simple Yet High Risk Attack
1) Begin attack
2) DNS query for record type "ANY" in the example.com domain, sent to open recursive DNS servers with the source address set to xx.xx.x.x (the target IP)
3) The open DNS resolvers ask the example.com name server for record "ANY"
4) example.com responds: “example.com A 93.184.216.119, example.com NS b.iana-servers.net, …” and the resolvers deliver that much larger response to the spoofed source, the target server xx.xx.x.x
(Figure labels: Target server xx.xx.x.x; Name server example.com; Open DNS servers)
Ensure your business infrastructure components are isolated and protected.
DNS server: disabled
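The exchange in steps 2 to 4 above, as an added example that is not from the report or from Palo Alto Networks: it encodes the ANY query for example.com in DNS wire format, builds a constructed response carrying the A and NS records the slide quotes plus illustrative AAAA, TXT and SOA records, and compares the amplification against a plain A query for the same name. The record values other than the quoted A and NS entries, the address ranges in recursion_allowed and the function names are assumptions. No packet is sent and no source address is forged; the point is to show why an ANY query against an open resolver is worth so much more to an attacker than any other query, and what the resolver-side fix looks like.

```python
import ipaddress
import struct

QTYPE_A, QTYPE_NS, QTYPE_SOA, QTYPE_TXT, QTYPE_AAAA, QTYPE_ANY = 1, 2, 6, 16, 28, 255


def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels (RFC 1035 section 3.1)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(qname, qtype, txid=0x1234):
    """One-question DNS query with RD set: the entire datagram the attacker sends (spoofed)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; 1 question
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN


def build_response(query, rrs):
    """Answer `query` with the (type, rdata) list; owner names point at the question (0xC00C)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(rrs), 0, 0)  # QR=1, RD, RA
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
        for rtype, rdata in rrs
    )
    return header + query[12:] + answers  # echo the question section, then answers


def soa_rdata(mname, rname, serial=2014051401, refresh=7200, retry=3600,
              expire=1209600, minimum=3600):
    return encode_name(mname) + encode_name(rname) + struct.pack(
        "!IIIII", serial, refresh, retry, expire, minimum)


def amplification(query, response):
    """Bytes the target receives per byte the attacker sends."""
    return len(response) / len(query)


def recursion_allowed(src_ip, allowed_nets=("10.0.0.0/8", "192.168.0.0/16")):
    """Resolver-side fix: recurse only for your own clients (assumed ranges), never for the Internet."""
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(net) for net in allowed_nets)


# Constructed record set for example.com: the A and NS values are the ones quoted on the slide,
# the AAAA (documentation prefix), TXT and SOA entries are illustrative.
EXAMPLE_COM_RRSET = [
    (QTYPE_A, ipaddress.IPv4Address("93.184.216.119").packed),
    (QTYPE_NS, encode_name("a.iana-servers.net")),
    (QTYPE_NS, encode_name("b.iana-servers.net")),
    (QTYPE_AAAA, ipaddress.IPv6Address("2001:db8::1").packed),
    (QTYPE_TXT, b"\x0bv=spf1 -all"),
    (QTYPE_SOA, soa_rdata("ns.example.com", "hostmaster.example.com")),
]

ANY_QUERY = build_query("example.com", QTYPE_ANY)
ANY_RESPONSE = build_response(ANY_QUERY, EXAMPLE_COM_RRSET)
A_QUERY = build_query("example.com", QTYPE_A)
A_RESPONSE = build_response(A_QUERY, EXAMPLE_COM_RRSET[:1])

if __name__ == "__main__":
    print(f"ANY: {len(ANY_QUERY)} bytes in, {len(ANY_RESPONSE)} bytes out, "
          f"x{amplification(ANY_QUERY, ANY_RESPONSE):.1f}")
    print(f"A:   {len(A_QUERY)} bytes in, {len(A_RESPONSE)} bytes out, "
          f"x{amplification(A_QUERY, A_RESPONSE):.1f}")
    print("recurse for 203.0.113.5?", recursion_allowed("203.0.113.5"))
```

Because UDP has no handshake, the resolver has no way to tell that the 29-byte query's source address was forged, so the 233-byte answer goes to the target instead of the attacker. The query for a single A record comes back at 45 bytes, which is why the attacker asks for ANY: every record in the zone is returned, and real zones with DNSSEC signatures or large TXT records amplify far more than this toy set. Nothing the target does changes this, which is why the fix belongs on the resolver: answer recursive queries only for your own clients, as recursion_allowed does, and apply response rate limiting for the queries you still have to answer.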
The Two Faces of SSL
Challenge: Is SSL used to protect data and privacy, or to mask malicious actions?
(Figure: malware families and the channels they use: TDL-4, Poison Ivy, Rustock, APT1, Ramnit, Citadel, Aurora, BlackPOS, Trojan.POSRAM; labels tcp/443, tcp/80, tcp/139, 10am-5pm)
(Figure: application labels ftp, icmp, netbios, webdav, ssl)
• Widely used remote access tool, found on 75% of your networks
• Uses SSL, hops ports, is digitally signed
• “Free” for non-commercial use, supported on many devices
• TeamSpy: background installation and full endpoint control
• Enabled theft of 85 pieces of system (endpoint) information
• Utilized a range of evasion techniques to remain hidden
SSL: Protection, Evasion or Heartbleed Risk?
34% (539) of the applications found can use SSL. What is your exposure?
Dealing with the Heartbleed Risk
Heartbleed will be with us for some time
• Exert tighter control over the applications that can use SSL
• Identify and patch your affected systems
• Work with your cloud application providers to expedite cleanup
• Get new keys (and reissue the certificates)
• Change your passwords
• Beware of the inevitable phishing campaigns
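One way to start the assessment the slides call for (which of the SSL-capable applications expose you to Heartbleed), as an added example that is not part of the report: a parser for the TLS ServerHello that reports whether the server negotiated the heartbeat extension (type 15, RFC 6520), the channel Heartbleed abuses. The ServerHello bytes are constructed with build_server_hello rather than read from a socket, and the function names are assumptions. A server only echoes extensions the client offered, so offer heartbeat in your ClientHello. Seeing the extension in the ServerHello does not prove a server is vulnerable (patched OpenSSL still advertises it); not seeing it rules out a default build of the affected OpenSSL versions, so this check is the first filter before patch-level verification, not a substitute for it.

```python
import struct

TLS_HANDSHAKE = 0x16
HS_SERVER_HELLO = 0x02
EXT_HEARTBEAT = 0x000F   # RFC 6520 heartbeat extension
EXT_RENEG_INFO = 0xFF01  # RFC 5746 renegotiation_info, present in most ServerHellos


def build_server_hello(extensions):
    """Fabricate a minimal TLS 1.2 ServerHello record with the given (type, data) extensions.
    Only used here to construct sample input; a real check reads the record from the socket."""
    ext = b"".join(struct.pack("!HH", etype, len(data)) + data for etype, data in extensions)
    body = (b"\x03\x03"                       # server_version: TLS 1.2
            + b"\x00" * 32                    # random (zeroed, constructed sample)
            + b"\x00"                         # session_id length 0
            + b"\xc0\x2f"                     # cipher suite
            + b"\x00"                         # compression: null
            + struct.pack("!H", len(ext)) + ext)
    handshake = bytes([HS_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def server_hello_extensions(record):
    """Return {extension_type: data} from a ServerHello record; ValueError on malformed input."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HS_SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or hs_len < 38:
        raise ValueError("truncated ServerHello")
    off = 2 + 32                               # skip version and random
    off += 1 + body[off]                       # skip session_id
    off += 2 + 1                               # skip cipher suite and compression
    exts = {}
    if off == len(body):
        return exts                            # no extensions block at all
    ext_total = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    end = off + ext_total
    if end > len(body):
        raise ValueError("extensions length exceeds ServerHello body")
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", body[off:off + 4])
        off += 4
        exts[etype] = body[off:off + elen]
        off += elen
    return exts


def heartbeat_mode(record):
    """Negotiated heartbeat mode: 1 = peer_allowed_to_send, 2 = peer_not_allowed_to_send,
    None if the server did not negotiate the extension."""
    data = server_hello_extensions(record).get(EXT_HEARTBEAT)
    if data is None or len(data) != 1:
        return None
    return data[0]


def heartbleed_candidate(record):
    """True when the server negotiated heartbeats and therefore needs patch-level verification."""
    return heartbeat_mode(record) is not None


# Constructed samples: one server that negotiates heartbeats, one that does not.
SAMPLE_WITH_HEARTBEAT = build_server_hello([(EXT_RENEG_INFO, b"\x00"), (EXT_HEARTBEAT, b"\x01")])
SAMPLE_WITHOUT_HEARTBEAT = build_server_hello([(EXT_RENEG_INFO, b"\x00")])

if __name__ == "__main__":
    for label, rec in (("with", SAMPLE_WITH_HEARTBEAT), ("without", SAMPLE_WITHOUT_HEARTBEAT)):
        print(f"{label} heartbeat: mode={heartbeat_mode(rec)} candidate={heartbleed_candidate(rec)}")
```

Run the parser against the ServerHello of every SSL-capable application or appliance in your inventory, including the ones that terminate TLS on a vendor's embedded OpenSSL and do not show up in a package list. Each host that returns a mode goes onto the list for version verification and re-keying; hosts that return None can be deprioritized.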
Recommendations and Actions
• Common sharing applications
  • User education: “Say Yes to the Update” and “Think Before You Click!”
  • Gain agreement on the business use case for each category
  • Document the policy; educate users; enforce with technology; review and adjust
• Unknown applications
  • Determine what they are and where they are going
  • Identify and isolate internal applications
  • Apply strict policies for unknown applications
• Internal and business applications and SSL
  • Reduce the volume of traffic and the associated risks
  • Identify and isolate internal applications
  • Determine which applications are using SSL to assess your Heartbleed exposure
Palo Alto Networks Enterprise Security Platform
Next-Generation Firewall
• Inspects all traffic
• Blocks known threats
• Sends unknowns to the cloud
• Extensible to mobile and virtual networks
Next-Generation Endpoint Protection
• Inspects all processes and files
• Prevents both known and unknown exploits
• Integrates with the cloud to prevent known and unknown malware
Threat Intelligence Cloud
• Gathers potential threats from network and endpoints
• Analyzes and correlates threat intelligence
• Disseminates threat intelligence to network and endpoints
Unit 42 – Application Usage and Threat Report