Cyber Threats: Industry Trends
and Actionable Advice
Presented by: Elton Fontaine
Palo Alto Networks
Modern Malware
Elton Fontaine: CCIE, CNSE
SE Manager – West Territory
Palo Alto Networks
What are we seeing
Key Facts and Figures - Americas
• 2,200+ networks analyzed
• 1,600 applications detected
• 31 petabytes of bandwidth
• 4,600+ unique threats
• Billions of threat logs
4 | ©2014 Palo Alto Networks. Confidential and Proprietary.
Common Sharing Applications are Heavily Used
Application Variants

How many video and filesharing
applications are needed to run the
business?
Bandwidth Consumed

5 | ©2014 Palo Alto Networks. Confidential and Proprietary.
20% of all bandwidth consumed by filesharing and video alone
Source: Palo Alto Networks, Application Usage and Threat Report. May 2014.
High in Threat Delivery; Low in Activity
 11% of all threats observed are code execution exploits within common
sharing applications
 Most commonly used applications: email (SMTP, Outlook Web, Yahoo! Mail),
social media (Facebook, Twitter) and file-sharing (FTP)
6 | ©2014 Palo Alto Networks. Confidential and Proprietary.
Source: Palo Alto Networks, Application Usage and Threat Report. May 2014.
Low Activity? Effective Security or Something Else?
7 | ©2014, Palo Alto Networks. Confidential and Proprietary.
Low Activity: Effective Security or Something Else?
SMTP
IMAP
POP3
Web browsing
Smoke.loader botnet controller
 Delivers and manages payload
 Steals passwords
 Encrypts payload
(7) Code execution exploits
seen in SMTP, POP3, IMAP
and web browsing.
8 | ©2014 Palo Alto Networks. Confidential and Proprietary.
 Posts to URLs
 Anonymizes identity
Twitter
Web browsing
Facebook
Malware Activity Hiding in Plain Sight: UDP
Blackhole Exploit
Kit
End Point
Controlled
Bitcoin mining
SPAM
ClickFraud
9 | ©2014 Palo Alto Networks. Confidential and Proprietary.
ZeroAccess
Delivered
$$$

Distributed computing = resilience

High number UDP ports mask its use

Multiple techniques to evade detection

Robs your network of processing power
Unknown UDP Hides Significant Threat Activity

1 application = 96% of all malware logs

ZeroAccess.Gen command & control traffic represents nearly all malware activity
10 | ©2014 Palo Alto Networks. Confidential and Proprietary.
Source: Palo Alto Networks, Application Usage and Threat Report. May 2014.
Business Applications = Heaviest Exploit Activity
 90% of the exploit activity was found in 10 applications
 Primary source: Brute force attacks
11 | ©2014 Palo Alto Networks. Confidential and Proprietary.
Source: Palo Alto Networks, Application Usage and Threat Report. May 2014.
Target data breach – APTs in action
Recon on
companies
Target works with
Spearphishing
third-party HVAC
contractor
Breached Target
network with
stolen payment
system
credentials
Moved laterally
within Target
network and
installed POS
Malware
Maintain access
Compromised
internal server
to collect
customer data
Exfiltrated data
command-andcontrol servers
over FTP
Best Practices
Security from Policy to Application

What assumptions drive your security policy?

Does your current security implementation adequately reflect that policy?

Doss your current security implementation provide the visibility and insight
needed to shape your policy?
Assumptions
Visibility
&
Insight
Policy
Implementation
Security Perimeter Paradigm
Organized
Attackers
The Enterprise
Infection
Command and Control
Escalation
Exfiltration
Exfiltration
Is there Malware inside your network today???
Applications provide exfiltration
•
•
Threat communication
Confidential data
Application Visibility

Reduce attack surface

Identify Applications that
circumvent security policy.

Full traffic visibility that provides
insight to drive policy

Identify and inspect unknown
traffic
Identify All Users

Do NOT Trust, always verify all access

Base security policy on users and their roles, not IP addresses.

For groups of users, tie access to specific groups of applications

Limit the amount of exfiltration via network segmentation
18 | ©2012, Palo Alto Networks. Confidential and Proprietary.
SSL/Port 443: The Universal Firewall Bypass
Gozi
Freegate
Rustock
Citadel
TDL-4
Aurora
Ramnit
Bot
tcp/443
Poison IVY
APT1
Challenge: Is SSL used to protect data and privacy, or to mask malicious actions?
19 | ©2013 Palo Alto Networks. Confidential and Proprietary.
Evolution of Network Segmentation &
Datacenter Security
Packet Filtering, ACL’s, IP/Port-based
firewalling for known traffic?
Layer 1-4 Stateful Firewall
Port-hopping applications, Malware,
Mobile Users – Different entry points into DC?
Layer 7 “Next Generation” Appliance
Platform Solution
Modern Attacks Are Coordinated
1
Bait the
end-user
End-user
lured to a
dangerous
application or
website
containing
malicious
content
2
3
4
5
Exploit
Download
Backdoor
Establish
Back-Channel
Explore
& Steal
Infected
content
exploits the
end-user,
often without
their
knowledge
Secondary
payload is
downloaded
in the
background.
Malware
installed
Malware
establishes an
outbound
connection to
the attacker
for ongoing
control
Remote attacker
has control
inside the
network and
escalates the
attack
An Integrated
Approach
to Threat Prevention
Coordinated
Threat
Prevention
Bait the
end-user
Block
high-risk apps
URL
Block
known malware
sites
IPS
Spyware
AV
Files
WildFire
THREAT PREVENTION
App-ID
Exploit
Download
Backdoor
Establish
Back-Channel
Explore &
Steal
Block C&C on
non-standard
ports
Reduce Attack
Surface
Block malware,
fast-flux domains
Block
the exploit
Block spyware,
C&C traffic
Block malware
Prevent drive-bydownloads
Detect unknown
malware
Block new C&C
traffic
Coordinated
intelligence to
detect and block
active attacks
based on
signatures,
sources and
behaviors
Adapt to Day-0 threats
Threat Intelligence
Sources
WildFire Users
Cloud
On-Prem
WildFire
Signatures
~30 Minutes
AV
Signatures
Daily
DNS
Signatures
Daily
Malware URL
Filtering
Constant
Anti-C&C
Signatures
1 Week
Contextual Awareness
26 | ©2012, Palo Alto Networks. Confidential and Proprietary.