Cyber Threats: Industry Trends and Actionable Advice Presented by: Elton Fontaine

Palo Alto Networks Modern Malware Elton Fontaine: CCIE, CNSE SE Manager – West Territory Palo Alto Networks

What are we seeing

Key Facts and Figures - Americas 4 | ©2014 Palo Alto Networks. Confidential and Proprietary. 2,200+ networks analyzed 1,600 applications detected 31 petabytes of bandwidth 4,600+ unique threats Billions of threat logs

Common Sharing Applications are Heavily Used 5 | ©2014 Palo Alto Networks. Confidential and Proprietary. Application Variants  How many video and filesharing applications are needed to run the business? Source: Palo Alto Networks, Application Usage and Threat Report. May Bandwidth Consumed  20% of all bandwidth consumed by file- sharing and video alone

High in Threat Delivery; Low in Activity 6 | ©2014 Palo Alto Networks. Confidential and Proprietary.  11% of all threats observed are code execution exploits within common sharing applications  Most commonly used applications: (SMTP, Outlook Web, Yahoo! Mail), social media (Facebook, Twitter) and file-sharing (FTP) Source: Palo Alto Networks, Application Usage and Threat Report. May 2014.

Low Activity? Effective Security or Something Else? 7 | ©2014, Palo Alto Networks. Confidential and Proprietary.

Low Activity: Effective Security or Something Else? 8 | ©2014 Palo Alto Networks. Confidential and Proprietary. (7) Code execution exploits seen in SMTP, POP3, IMAP and web browsing. IMAPSMTPPOP3 Web browsing Twitter Facebook Smoke.loader botnet controller  Delivers and manages payload  Steals passwords  Encrypts payload  Posts to URLs  Anonymizes identity

Malware Activity Hiding in Plain Sight: UDP 9 | ©2014 Palo Alto Networks. Confidential and Proprietary. End Point Controlled Blackhole Exploit Kit ZeroAccess Delivered $$$ Bitcoin mining SPAM ClickFraud  Distributed computing = resilience  High number UDP ports mask its use  Multiple techniques to evade detection  Robs your network of processing power

Unknown UDP Hides Significant Threat Activity 10 | ©2014 Palo Alto Networks. Confidential and Proprietary.  1 application = 96% of all malware logs  ZeroAccess.Gen command & control traffic represents nearly all malware activity Source: Palo Alto Networks, Application Usage and Threat Report. May 2014.

Business Applications = Heaviest Exploit Activity 11 | ©2014 Palo Alto Networks. Confidential and Proprietary.  90% of the exploit activity was found in 10 applications  Primary source: Brute force attacks Source: Palo Alto Networks, Application Usage and Threat Report. May 2014.

Target data breach – APTs in action Maintain access Spearphishing third-party HVAC contractor Moved laterally within Target network and installed POS Malware Exfiltrated data command-and- control servers over FTP Recon on companies Target works with Breached Target network with stolen payment system credentials

Best Practices

Security from Policy to Application  What assumptions drive your security policy?  Does your current security implementation adequately reflect that policy?  Doss your current security implementation provide the visibility and insight needed to shape your policy? Assumptions Policy Implementation Visibility & Insight

Security Perimeter Paradigm The Enterprise Infection Command and Control Escalation Exfiltration Organized Attackers

Is there Malware inside your network today??? Applications provide exfiltration Threat communication Confidential data

Application Visibility  Reduce attack surface  Identify Applications that circumvent security policy.  Full traffic visibility that provides insight to drive policy  Identify and inspect unknown traffic

Identify All Users  Do NOT Trust, always verify all access  Base security policy on users and their roles, not IP addresses.  For groups of users, tie access to specific groups of applications  Limit the amount of exfiltration via network segmentation 18 | ©2012, Palo Alto Networks. Confidential and Proprietary.

Freegate SSL/Port 443: The Universal Firewall Bypass 19 | ©2013 Palo Alto Networks. Confidential and Proprietary. Challenge: Is SSL used to protect data and privacy, or to mask malicious actions? TDL-4 Poison IVY Rustock APT1 Ramnit Bot Citadel Aurora Gozi tcp/443

Evolution of Network Segmentation & Datacenter Security Port-hopping applications, Malware, Mobile Users – Different entry points into DC? Layer 7 “Next Generation” Appliance Packet Filtering, ACL’s, IP/Port-based firewalling for known traffic? Layer 1-4 Stateful Firewall

Platform Solution

Modern Attacks Are Coordinated Bait the end-user 1 End-user lured to a dangerous application or website containing malicious content Exploit 2 Infected content exploits the end-user, often without their knowledge Download Backdoor 3 Secondary payload is downloaded in the background. Malware installed Establish Back-Channel 4 Malware establishes an outbound connection to the attacker for ongoing control Explore & Steal 5 Remote attacker has control inside the network and escalates the attack

App-ID URL IPS THREAT PREVENTION Spyware AV Files WildFire Block high-risk apps Block known malware sites Block the exploit Prevent drive-by- downloads Detect unknown malware Block malware Bait the end-user Exploit Download Backdoor Establish Back-Channel Explore & Steal Block spyware, C&C traffic Block C&C on non-standard ports Block malware, fast-flux domains Block new C&C traffic Coordinated intelligence to detect and block active attacks based on signatures, sources and behaviors Coordinated Threat Prevention An Integrated Approach to Threat Prevention Reduce Attack Surface

Adapt to Day-0 threats Threat Intelligence Sources WildFire Users Anti-C&C Signatures Malware URL Filtering DNS Signatures AV Signatures Cloud On-Prem WildFire Signatures ~30 Minutes Daily Constant 1 Week

Contextual Awareness

26 | ©2012, Palo Alto Networks. Confidential and Proprietary.