Palo Alto Networks Modern Malware Cory Grant Regional Sales Manager Palo Alto Networks
What are we seeing
Key Facts and Figures - Americas 3 | ©2014 Palo Alto Networks. Confidential and Proprietary. 2,200+ networks analyzed 1,600 applications detected 31 petabytes of bandwidth 4,600+ unique threats Billions of threat logs
Common Sharing Applications are Heavily Used 4 | ©2014 Palo Alto Networks. Confidential and Proprietary. Application Variants How many video and filesharing applications are needed to run the business? Source: Palo Alto Networks, Application Usage and Threat Report. May Bandwidth Consumed 20% of all bandwidth consumed by file- sharing and video alone
High in Threat Delivery; Low in Activity 5 | ©2014 Palo Alto Networks. Confidential and Proprietary. 11% of all threats observed are code execution exploits within common sharing applications Most commonly used applications: (SMTP, Outlook Web, Yahoo! Mail), social media (Facebook, Twitter) and file-sharing (FTP) Source: Palo Alto Networks, Application Usage and Threat Report. May 2014.
Low Activity? Effective Security or Something Else? 6 | ©2014, Palo Alto Networks. Confidential and Proprietary.
Low Activity: Effective Security or Something Else? 7 | ©2014 Palo Alto Networks. Confidential and Proprietary. Code execution exploits seen in SMTP, POP3, IMAP and web browsing. IMAPSMTPPOP3 Web browsing Twitter Facebook Smoke.loader botnet controller Delivers and manages payload Steals passwords Encrypts payload Posts to URLs Anonymizes identity
Malware Activity Hiding in Plain Sight: UDP ZeroAccess Botnet 8 | ©2014 Palo Alto Networks. Confidential and Proprietary. End Point Controlled Blackhole Exploit Kit ZeroAccess Delivered $$$ Bitcoin mining SPAM ClickFraud Distributed computing = resilience High number UDP ports mask its use Multiple techniques to evade detection Robs your network of processing power
9 | ©2014 Palo Alto Networks. Confidential and Proprietary. The Two Faces of SSL Challenge: Is SSL used to protect data and privacy, or to mask malicious actions? TDL-4 Poison IVY Rustock APT1 Ramnit Citadel Aurora BlackPOS
SSL: Protection, Evasion or Heartbleed Risk? Source: Palo Alto Networks, Application Usage and Threat Report. Jan % (539) of the applications found can use SSL. What is your exposure? 10 | ©2014 Palo Alto Networks. Confidential and Proprietary.
Business Applications = Heaviest Exploit Activity 11 | ©2014 Palo Alto Networks. Confidential and Proprietary. Source: Palo Alto Networks, Application Usage and Threat Report. May 2014.
Target data breach – APTs in action Maintain access Spearphishing third-party HVAC contractor Moved laterally within Target network and installed POS Malware Exfiltrated data command-and- control servers over FTP Recon on companies Target works with Breached Target network with stolen payment system credentials
13 | ©2014, Palo Alto Networks. Confidential and Proprietary.
Best Practices
Security from Policy to Application What assumptions drive your security policy? Does your current security implementation adequately reflect that policy? Doss your current security implementation provide the visibility and insight needed to shape your policy? Assumptions Policy Implementation Visibility & Insight
Security Perimeter Paradigm The Enterprise Infection Command and Control Escalation Exfiltration Organized Attackers
Is there Malware inside your network today???
Application Visibility Reduce attack surface Identify Applications that circumvent security policy. Full traffic visibility that provides insight to drive policy Identify and inspect unknown traffic
Identify All Users Do NOT Trust, always verify all access Base security policy on users and their roles, not IP addresses. For groups of users, tie access to specific groups of applications Limit the amount of exfiltration via network segmentation 19 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Freegate SSL/Port 443: The Universal Firewall Bypass 20 | ©2013 Palo Alto Networks. Confidential and Proprietary. Challenge: Is SSL used to protect data and privacy, or to mask malicious actions? TDL-4 Poison IVY Rustock APT1 Ramnit Bot Citadel Aurora Gozi tcp/443
Evolution of Network Segmentation & Datacenter Security Port-hopping applications, Malware, Mobile Users – Different entry points into DC? Layer 7 “Next Generation” Appliance Packet Filtering, ACL’s, IP/Port-based firewalling for known traffic? Layer 1-4 Stateful Firewall
Platform Solution
Modern Attacks Are Coordinated Bait the end-user 1 End-user lured to a dangerous application or website containing malicious content Exploit 2 Infected content exploits the end-user, often without their knowledge Download Backdoor 3 Secondary payload is downloaded in the background. Malware installed Establish Back-Channel 4 Malware establishes an outbound connection to the attacker for ongoing control Explore & Steal 5 Remote attacker has control inside the network and escalates the attack
App-ID URL IPS THREAT PREVENTION Spyware AV Files WildFire Block high-risk apps Block known malware sites Block the exploit Prevent drive-by- downloads Detect unknown malware Block malware Bait the end-user Exploit Download Backdoor Establish Back-Channel Explore & Steal Block spyware, C&C traffic Block C&C on non-standard ports Block malware, fast-flux domains Block new C&C traffic Coordinated intelligence to detect and block active attacks based on signatures, sources and behaviors Coordinated Threat Prevention An Integrated Approach to Threat Prevention Reduce Attack Surface
Adapt to Day-0 threats Threat Intelligence Sources WildFire Users Anti-C&C Signatures Malware URL Filtering DNS Signatures AV Signatures Cloud On-Prem WildFire Signatures ~30 Minutes Daily Constant 1 Week
26 | ©2012, Palo Alto Networks. Confidential and Proprietary.