Barracuda Advanced Threat Detection


1 Barracuda Advanced Threat Detection
Next-Generation Protection against Advanced Persistent Threats, Ransomware, Targeted Attacks and Zero-Day Threats. Welcome.

2 What's an Advanced Threat?
Zero-Day Exploits and Unknown Malware: no AV/IPS signatures exist yet; no software patches are available yet. Advanced Persistent Threats (APTs): cybercrime malware with a high degree of stealth over a prolonged duration for successful data extraction. Ransomware: zero-day/advanced malware that encrypts or deletes files and demands ransom. Let us start off this very important topic by explaining some buzzwords. What are zero-day / zero-hour exploits? The term describes a vulnerability in an application or an operating system that is not yet known to the vendor. What is unknown malware? Like zero-day exploits, this means viruses or similar code that are not listed in the pattern databases yet and subsequently cannot be recognized by antivirus and intrusion prevention solutions. Even though such threats can be very sophisticated when it comes to finding the holes in a system, they are quite basic in terms of technology. At the same time, these threats are most likely distributed via drive-by downloads to compromise and infect as many systems as possible. This is in contrast to the so-called Advanced Persistent Threats. These software pieces are highly sophisticated and rather expensive to create. This ninja type of threat is very focused when it comes to targeting, and it comes with massive stealth capabilities, too. Here, the use case is to infiltrate a network, stay unrecognized and untraceable, and wait for the command to start the designated task, be it pure data exfiltration or even worse. Now, the currently hyped ransomware is a sub-type of zero-day threat. As the name already states, here the business case is to encrypt an organization's files until ransom is paid, accepting cash, cards, and bitcoins (whatever suits you best). And if the unlocking link that is sent after the ransom is paid doesn't work, they provide 24x7 phone support. And needless to say: paying ransom fixes the situation only temporarily.
Just like in the good old mafia movies: the thugs will come back either way.

3 Ransomware Discoveries
Timeline of ransomware families discovered 2005-2012, 2013, 2014, 2015 (by quarter) and Q1 2016, as shown on the slide: TeslaCrypt, BandarChor, Cryptvault, Tox, Troldesh, Encryptor RaaS, CryptoApp, LockDroid, LowLevel404, CryptInfinite, Unix.Ransomcrypt, Radamant, VaultCrypt, XRTN, Cryptolocker2015, Simplocker, Pacman, Pclock, Threat Finder, Hidden Tear, ORX-Locker, Dumb, Maboua OSX POC, Power Worm, DMA-Locker, Gomasom, Chimera, Locker 2015, Ransom32, Ginx, 73v3n, CryptoJocker, LeChiffre, Nanolocker, Magic, Locky, Vipasana, Hi Buddy, Job Cryptor, PayCrypt, KeRanger, Umbrecrypt, Hydracrypt, Coinvault, Zerolocker, Cryptowall, TorrentLocker, Gpcoder, Reveton, Urausy, Nymaim, Onion, Kovter, Browlock, Linkup, Slocker, CTB-Locker/Citron, Synclocker, Virlock. This diagram shows at a glance how bad the situation in terms of ransomware is. And it is very unlikely that the "ransomware situation" will calm down to a state like in … You see, I didn't even dare to wish back the early 2000s. So, you can see why it is so important to address these advanced threats like zero-day exploits, advanced malware, and APTs in your IT security posture immediately.

4 Why you should really care ….
93% of examined organizations had malware detected on their networks. 79% were exfiltrating data via CnC callbacks. Before we head down to the solution, let's talk about a couple of other disturbing numbers. Back in 2014 the auditing firm KPMG did an evaluation among their clients. The immediate results were that 93% had malicious software floating around in their networks and 79% had successfully established connections to extract data. Source: ©KPMG 2014

5 Why you should really care ….
49% of the detected malware was unknown and thus not detectable by anti-virus, IPS, and RBL. But even worse, 49% of the detected malware was unknown to antivirus and IPS databases and to the reputation blacklists that provide information on IP addresses, hosts, and URLs known for spreading malware. As the source line shows, this situation report was created in 2014. So, we were eager to know how the situation had changed in the last two years. Source: ©KPMG 2014

6 Many Tools are Not Solving the Problem
Osterman Security Survey: 61% say that the blocking of web-based threats by their security infrastructure is not improving or is even getting worse; 53% say the same about ransomware. Osterman Research created a security survey among more than 200 organizations in 2016. <<CLICK>> 61% of the participating organizations stated that the situation for web-based threats has not improved at all, or has even got worse, with their IT security setup. Furthermore, 53% stated that their protection against ransomware has not improved or has even got worse. Source: Osterman Research, more than 200 companies surveyed

7 Why traditional AV Scanning is not enough…
(sample of) 1 Mn files -> ATD -> more than 30,000 malicious. The results of the Osterman survey prompted us to research what is entering our solution for fighting advanced threats. The test sample comprised 1 million files that were actively scanned in the Barracuda Advanced Threat Detection cloud service. << CLICK >> The file types were predominantly Office files such as Excel and Word documents, but also executables, archives, and PDF files. You might have heard the line "Java is dead"; in fact 1% of the scanned files were Java-related. So, Java is not yet fully dead. And more than 30,000 files were flagged as malicious. Source: Barracuda Networks Research

8 Why traditional AV Scanning is not enough…
(sample of) 1 Mn files -> ATD -> more than 30,000 malicious; (at the time) 75% not recognized by any VirusTotal AV engine. The next step was to analyze the files with regard to the antivirus and IPS solutions in the field. << CLICK >> So, we double-checked the files against VirusTotal, a Google service aggregating more than 50 antivirus products and online scan engines. And we ended up with a not-recognized rate of 75%: three quarters of the malicious files were missed by every AV engine available via VirusTotal. Source: Barracuda Networks Research

9 Half a year later…
(sample of) 1 Mn files -> ATD -> more than 30,000 malicious; (at the time) 75% not recognized by any VirusTotal AV engine; (half a year later) 36% still not recognized. Six months later, << CLICK >> we did the very same check again to gain a comparable result. And the alarming result was that 36%, or in other words, for that very sample, more than 10,000 (!!!) malicious files, were still not recognized. But enough of disturbing and alarming numbers. Let's talk about how to fix this uncomfortable situation for your organization. Source: Barracuda Networks Research

10 Solution: End-to-End Security
Detect, Prevent, Recover. The solution provided by the Barracuda product portfolio is an end-to-end security that protects your infrastructure with all its different attack surfaces. Basically, there are three steps to be taken: Detect, Prevent, and Recover. Of course, everything starts with detecting potentially dangerous content: << CLICK >> Here our portfolio offers four distinct products, starting with the Web Security Gateway providing URL filtering, the Security Gateway providing spam protection, the NextGen Firewall family providing next-generation firewalling and remote access capabilities, and/or our newest member, Barracuda Essentials for Office 365. Preventing bad content from entering your networks is handled by the Web Security Gateway, the Web Application Firewall, the NextGen Firewalls and/or the Security Gateway. And finally, in the rare case that all other steps fail, recovery is done by Barracuda Backup, Message Archiver, Yosemite Backup and/or, again, Barracuda Essentials for Office 365.

11 Solution: End-to-End Security
Detect Prevent Recover

12 Before we head down the NextGen Firewall alley, let's have a quick look at our newest product, Barracuda Essentials for Office 365, which addresses the shift of local mail services to the cloud and thus gets rid of local infrastructure requirements.

13 Detect: The Barracuda Email Threat Scanner
Cloud service that scans O365 mailboxes; finds advanced sleeping threats; identifies the owners of said threats; provides detailed reports and recommendations; free. As part of the Essentials package, the Threat Scanner scans Office 365 mailboxes. The Threat Scanner makes use of the Advanced Threat Detection cloud and is therefore capable of finding even sleeping threats, and it informs the O365 mailbox owners if threats are found. For evaluation, we offer this service for free at scan.barracuda.com.

14 Detect: What We’ve Found So Far
More than 10,000 mailboxes scanned; 94% of scans found threats; the average scan finds 10 to 100s of threats per company; some customers had at least one threat per employee. Since the product was introduced to the public earlier this year, we have scanned more than 10,000 mailboxes and found malicious content almost everywhere (94% of scans), on average tens to hundreds of different threats per organization, and some organizations with at least one threat per employee. You are very likely already harboring a threat!

15 Now let's have a deeper look at the NextGen Firewall F and its ATD integration.

16 Prevent: Zero Trust Security
Slide layers: Energize Updates; Advanced Threat Detection; Web Filtering; Botnet and Spyware Definitions; Malware Signatures; DoS / DDoS; Intrusion Prevention (IPS); Web Filter; Malware Protection (AV); SSL Interception; File Content and User Agent Filtering; Botnet and Spyware Protection; ATD Sandboxing. First of all, there is, unfortunately, no silver bullet or magical cure against Advanced Persistent Threats. The only thing that works is ATD in combination with a multi-layered zero trust security approach. << CLICK >> In other words, you have to make use of all the NextGen Firewall features: DDoS protection, the antivirus engines for HTTP/S, SMTP/S and FTP traffic, the IPS services, web filtering, the SSL interception capabilities (as more and more traffic enters your networks via SSL-encrypted connections), and then put the botnet and spyware protection and the next-generation sandboxing of the ATD cloud service on top.

17 Prevent: ATD: Scan First then Deliver
Barracuda NextGen Firewall F. How does the NextGen Firewall scan and deliver content? << CLICK >> By default, the NextGen Firewall runs the file through the inline antivirus and IPS engines and, if the file is considered OK, sends it to the ATD cloud for further inspection. If the file is found to be benign, it is forwarded to the requesting client. Bear in mind that this may take a while (especially for files whose hash is unknown to the ATD ecosystem) and, therefore, should not be done for all traffic.

18 Prevent: ATD: Scan First then Deliver
Barracuda NextGen Firewall F. If the file is tagged as malicious, it is dropped and the requesting client is informed accordingly.

19 Prevent: ATD: Deliver and scan (optional)
Barracuda NextGen Firewall F. But there is more… << CLICK >> Optionally, the NextGen Firewall can deliver the "unknown" file simultaneously to the ATD cloud and to the downloading user/IP/system, which is automatically moved into a quarantine network segment. If the file is detected to be malicious, the user is automatically moved from quarantine to a black list and the administrator is informed to take corresponding actions. The quarantine blocks any outgoing traffic from the user/IP/system that is potentially at risk.

20 Prevent: The Barracuda ATD Ecosystem
Diagram: Barracuda NextGen Firewall F and X deployments around the central ATD cloud. So what does the global ecosystem for the ATD service look like? << CLICK >> All Barracuda NextGen Firewalls and Barracuda Essentials deployments that use the ATD features feed the central ATD hash database in the cloud. This way, if a file's hash is already known, the file is processed without any further delay, resulting in a very responsive service.
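A model of the scan-first-then-deliver and deliver-and-scan flows from slides 17 to 20, added here as an illustration; it is not Barracuda's code and makes no claim about how the NextGen Firewall is implemented. The inline AV stand-in is a byte-pattern set and the sandbox stand-in is a keyword heuristic, both constructed for the example; the shared hash database becomes a dictionary, and quarantine and black list become sets consulted by an egress check. What it shows is the ordering the slides describe: inline engines first, then the hash database, and only then the slow sandbox, with the client held in quarantine in deliver-first mode until the verdict arrives.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    BENIGN = "benign"
    MALICIOUS = "malicious"


# Constructed stand-ins for the real engines: the inline AV/IPS becomes a set of
# byte signatures, the ATD sandbox a behaviour keyword heuristic.
INLINE_SIGNATURES = {b"EICAR-TEST-SIGNATURE"}
SANDBOX_BAD_BEHAVIOUR = (b"encrypt all files", b"delete shadow copies")


def inline_scan(content):
    """Signature match: the fast check every file gets first."""
    return any(sig in content for sig in INLINE_SIGNATURES)


def sandbox_detonate(content):
    """Slow path stand-in; in the real service the file is run in the ATD cloud."""
    body = content.lower()
    hit = any(marker in body for marker in SANDBOX_BAD_BEHAVIOUR)
    return Verdict.MALICIOUS if hit else Verdict.BENIGN


class AtdGateway:
    def __init__(self, deliver_first=False):
        self.deliver_first = deliver_first
        self.hash_db = {}        # sha256 -> Verdict; shared across deployments in the real service
        self.quarantine = set()  # clients still waiting for a verdict (deliver-first mode)
        self.blacklist = set()   # clients that already received a malicious file
        self.admin_alerts = []
        self.pending = []        # (content, digest, client) owed a sandbox verdict
        self.sandbox_runs = 0

    def inspect(self, content, client):
        """Returns 'deliver', 'drop' or 'deliver-quarantined'."""
        if inline_scan(content):
            return "drop"
        digest = hashlib.sha256(content).hexdigest()
        cached = self.hash_db.get(digest)
        if cached is not None:                  # known hash: answer without sandbox delay
            return "deliver" if cached is Verdict.BENIGN else "drop"
        if self.deliver_first:                  # slide 19: hand the file over now, verdict later
            self.quarantine.add(client)
            self.pending.append((content, digest, client))
            return "deliver-quarantined"
        verdict = self._sandbox(content, digest)  # slide 17: hold the file until the verdict
        return "deliver" if verdict is Verdict.BENIGN else "drop"

    def _sandbox(self, content, digest):
        self.sandbox_runs += 1
        verdict = sandbox_detonate(content)
        self.hash_db[digest] = verdict          # every verdict enriches the shared hash database
        return verdict

    def process_pending(self):
        """Verdicts arriving for files that were already delivered in deliver-first mode."""
        while self.pending:
            content, digest, client = self.pending.pop(0)
            verdict = self._sandbox(content, digest)
            self.quarantine.discard(client)
            if verdict is Verdict.MALICIOUS:
                self.blacklist.add(client)
                self.admin_alerts.append(f"{client} received malicious file {digest[:12]}")

    def egress_allowed(self, client):
        """Quarantine and black list both block outgoing traffic from the client."""
        return client not in self.quarantine and client not in self.blacklist


if __name__ == "__main__":
    gw = AtdGateway(deliver_first=True)
    sample = b"macro: ENCRYPT ALL FILES then delete shadow copies"   # constructed
    print(gw.inspect(sample, "192.168.1.9"))   # deliver-quarantined
    gw.process_pending()
    print(gw.blacklist, gw.admin_alerts)
```

Note how `sandbox_runs` stays flat on the second sighting of the same file: the hash database is what keeps the scan-first mode responsive, and the same lookup is what lets deliver-first mode skip quarantine for files the ecosystem has already judged.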

21 Prevent: Instant Threat Visibility
For each file scanned by the ATD service, << CLICK >> a detailed report on the testing routine and results is available for download via the NextGen Admin administration tool.

22 Prevent: Instant Threat Visibility
Here you see an example of such a report. An actual report on a threat like Cryptolocker has about 100 pages, so it is quite detailed. Highlights worth drawing attention to: disabling all security suites, disabling all updates, disabling system restore, using obfuscation techniques to evade detection, establishing and hiding CnC callback traffic, and, last but not least, DELETING ITSELF AFTER EXECUTION (!)

23 Detect: Botnet and Spyware Protection
Diagram: the client sends a DNS request for evil.com through the internal DNS server to the parent DNS server; the F-Series firewall rewrites the DNS response so that evil.com resolves to an address on the firewall instead of the real destination. What we have talked about so far is great for preventing your systems from being attacked via web traffic coming in through the network perimeter. But what about USB thumb drives? What about BYOD scenarios? How do you include such a setup in an organization's security posture? By making use of the "botnet and spyware protection" or, in geek speak, the DNS sinkhole. This feature ensures that already compromised systems or devices that plug into your network can be filtered out and become visible to the administrator. <<CLICK>> The most common behaviour of a botnet-infected client is to connect to its "command and control" server. To do so, it has to send a DNS request. Via ATD and Barracuda Labs we receive hundreds of thousands of "hostile" domains and IPs. This enables the firewall to intercept the DNS response and recognize the hostile destination. Now we rewrite the response so that the hostile name resolves to a virtual IP hosted on the firewall, and thereby identify the infected client or clients. Of course, this can be tracked in real time in the "Recent Threats" section of the NextGen Admin user interface. Here another tool comes in very handy: the iOS-based NextGen Remote, which can send push notifications to your iPhone or iPad. Define which of the 300 pre-defined events shall trigger such a push notification. This tool is available for free in the iTunes App Store. And of course, it can be put into automated reports; the Report Creator is a tool available for free at barracuda.com.
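The DNS sinkhole described above, as an added example that is not part of the original presentation or of Barracuda's code: a small Python model of the firewall's role in the diagram. It parses a DNS response on the wire (including name compression pointers), checks the queried name against a hostile-domain list, rewrites every A record to a sinkhole address, and then identifies infected clients as the internal hosts that later connect to that address. The hostile domain evil.com is taken from the slide; the sinkhole address 10.0.0.254, the sample flows, the message builder and all other addresses are constructed assumptions for the example.

```python
import ipaddress
import struct

HOSTILE_DOMAINS = {"evil.com"}   # from the slide; a real feed has hundreds of thousands
SINKHOLE_IP = "10.0.0.254"       # assumed virtual IP hosted on the firewall


def encode_name(name):
    """Wire-format encoding of a DNS name: length-prefixed labels, zero terminator."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_a_response(qname, ip, txid=0x1234, ttl=300):
    """Constructed stand-in for the parent DNS server's answer (one A record)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # response, RD+RA, 1 Q, 1 A
    question = encode_name(qname) + struct.pack("!HH", 1, 1)     # type A, class IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)    # pointer to qname at offset 12
    return header + question + answer + ipaddress.IPv4Address(ip).packed


def read_name(msg, offset):
    """Decode a possibly compressed name; returns (name, offset after the name field)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels).lower(), end


def is_hostile(qname, hostile):
    """Match the name itself or any parent domain, so cnc.evil.com hits an evil.com entry."""
    parts = qname.split(".")
    return any(".".join(parts[i:]) in hostile for i in range(len(parts)))


def sinkhole_response(msg, hostile, sinkhole_ip):
    """Rewrite A records for hostile names; returns (message, rewritten_flag)."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not (flags & 0x8000) or qd != 1:             # only responses with a single question
        return msg, False
    qname, off = read_name(msg, 12)
    qtype, _ = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    if qtype != 1 or not is_hostile(qname, hostile):
        return msg, False
    out, packed, rewritten = bytearray(msg), ipaddress.IPv4Address(sinkhole_ip).packed, False
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            out[off:off + 4] = packed                # point the bot at the firewall
            rewritten = True
        off += rdlen
    return bytes(out), rewritten


def answer_ips(msg):
    """Collect the A-record addresses in a response (used to verify the rewrite)."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, ips = 12, []
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return ips


# Constructed connection-log excerpt: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("192.168.1.23", "10.0.0.254", 443),
    ("192.168.1.40", "93.184.216.34", 443),
    ("192.168.1.23", "10.0.0.254", 8080),
]


def infected_clients(flows, sinkhole_ip):
    """Any internal host talking to the sinkhole address followed a hostile DNS answer."""
    return sorted({src for src, dst, _ in flows if dst == sinkhole_ip})


if __name__ == "__main__":
    resp = build_a_response("cnc.evil.com", "203.0.113.7")
    patched, hit = sinkhole_response(resp, HOSTILE_DOMAINS, SINKHOLE_IP)
    print(hit, answer_ips(patched), infected_clients(SAMPLE_FLOWS, SINKHOLE_IP))
```

The rewrite only touches A records in the answer section and leaves the transaction ID, question and everything else untouched, so the client accepts the answer as a normal reply; the firewall then sees the subsequent connection attempt land on its own address, which is the "recent threats" signal the slide refers to.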

24 Summary: Advanced Threat Detection
Full next-generation firewall and VPN in the data path; fully integrated solution reduces management overhead; automatic detection of already infected clients; built-in auto-quarantine feature for infected clients; cloud-based emulation with small load on the device; installed base: only OPEX, no additional equipment needed; available for all Barracuda NextGen Firewalls, smallest to largest. As we are reaching the end of today's session, let us quickly summarize what Advanced Threat Detection is capable of and how you benefit. Using ATD on the NextGen Firewall ensures that any web traffic, be it HTTP, HTTPS, FTP, SMTP or SMTPS, and remote access via VPN is scanned. The tight integration into the firewall management infrastructure reduces the administrative overhead significantly. If you happen to have compromised clients in your network already, you are informed about them and can take countermeasures; alternatively, compromised clients are put into quarantine and/or on black lists automatically. ATD is a pure cloud solution and thus does not cause any additional load on the firewall deployment, and cloud solutions don't require additional hardware wasting precious rack space. And, this might be very intriguing for CFOs: as there is no hardware required, only OPEX is affected. Last but not least: ATD is available for all NextGen Firewalls, independent of series or model size, from the smallest one to the largest 2U data center unit.

25 Available on ALL NextGen Firewalls
Virtual Public Cloud Energize Updates Malware Protection Advanced Threat Detection Threat and Malware Bundle available for HW models F18 and higher as well as for the Secure Access Concentrator Firmware Version 6.0 and higher Available for ALL BNG virtual appliances (incl. Public Cloud) File caps/minute (burst limits) & file caps/month

26 Available on ALL NextGen Firewall F-Series
Virtual Public Cloud Energize Updates Malware Protection ATD Advanced Threat Detection MATD Advanced Threat and Malware Protection Bundle available for HW models F18 and higher as well as for the Secure Access Concentrator Firmware Version 6.0 and higher Available for ALL BNG virtual appliances (incl. Public Cloud) File caps/minute (burst limits) & file caps/month

27 Available on ALL NextGen Firewall X-Series
X50 / X51, X100 / X101, X200 / X201, X300, X400, X600. Energize Updates, Web Security, Advanced Threat Detection. Available for HW models F18 and higher as well as for the Secure Access Concentrator; Firmware Version 6.0 and higher; available for ALL BNG virtual appliances (incl. Public Cloud); file caps/minute (burst limits) & file caps/month

28 Advanced Threat Detection - Rate Limits
F-Series Hardware Deployments (model: number of files per month): F18 108,000; F80 F180 F280 216,000; F380 260,000; F400 324,000; F600 540,000; F800 750,000; F900 1,000,000; F1000 on request.
F-Series Virtual Deployments (model: number of files per month): VF10 108,000; VF25 VF50 VF100 VF250 216,000; VF500 260,000; VF1000 324,000; VF2000 540,000; VF4000 750,000; VF8000 1,000,000.
F-Series Public Cloud Deployments (Amazon Web Services / Microsoft Azure; size: number of files per month): Level 2 108,000; Level 4 216,000; Level 6 324,000; Level 8 750,000.
X-Series Hardware Deployments (model: number of files per month): X50/X51 108,000; X100/X101 X200/X201 260,000; X300 540,000; X400 750,000; X600 1,000,000; F1000 on request.
The following "burst limits" apply. If a limit is reached, files … File caps/minute (burst limits) & file caps/month apply. A valid Malware Protection or Web Security subscription is mandatory.

29 Next Steps http://ATD.barracuda.com
Get a free ATD product trial for 60 days. Download the Osterman Research whitepaper on phishing, ransomware and Advanced Persistent Threats.
