• Palo Alto Networks is the Network Security Company
• World-class team with strong security and networking experience
  - Founded in 2005, first customer July 2007
  - Top-tier investors
• Builds next-generation firewalls that identify / control 1200+ applications
  - Restores the firewall as the core of the enterprise network security infrastructure
  - Innovations: App-ID™, User-ID™, Content-ID™
• Global footprint: 4,500+ customers in 70+ countries, 24/7 support
1. Brief review of modern malware and threats
2. Introduction to how the next-generation firewall can help
3. Steps and best practices you can take today
Advanced Malware and Intrusions Are Here Today
• Steady stream of high-profile, sophisticated breaches and intrusions
• All types of enterprises and information are being targeted:
  - Intellectual property – RSA
  - Customer information – Epsilon
  - Information to enable further attacks
  - Business partners – Comodo
  - Political/hacktivism – US Senate
• Breaches are not limited to financial information: if it is valuable to you, it is likely valuable to someone else.
• The attacker changed
  - Nation-states
  - Criminal organizations
  - Political groups
• Attack strategy evolved
  - Patient, multi-step process
  - Compromise user, then expand
• Attack techniques evolved
  - New ways of delivering malware
  - Hiding malware communications
  - Signature avoidance
The Sky is Not Falling
  - Not new, just more common
  - Solutions exist
  - Don’t fall into “the APT ate my homework” trap
[Diagram: attack lifecycle – Organized Crime, Nation-States and Hacktivists against The Enterprise; phases: Infection, Command and Control, Escalation, Exfiltration]
• Threats need your network to function
• Multiple chances to detect and correlate
• Expand security beyond the perimeter
In the physical world
• The mark is lured into trying to follow the pea, when the real game is about sleight of hand.
How it applies to threats:
• Our old habits make us think of malware as the pea (an executable payload, probably carried in an email).
• In reality, modern malware relies on sleight of hand – how to infect, persist and communicate without being detected.
• To understand network attacks, you must understand malware
  - Provides a persistent control point inside the network
  - Malware is the hacker’s application
• To understand modern malware, you must
  - Ongoing control of the attack
  - Escalates the attack
  - Update and change functions
[Diagram: attack lifecycle – Infection, Escalation, Exfiltration]
Infection
• Social engineering
• Drive-by-Downloads
• Obscured traffic
• Unknown malware
Persistence
• Rootkit/Bootkits
• Inject into the OS
• Disable endpoint security
• Backdoors
Command & Control
• Social applications and P2P
• Update configuration
• Download new exe
Communication
• Encryption
• Proxies
• Tunneling
• Non-standard ports
Examples by phase:
Infection – Phishing (Social); Hide Transmission (SSL, IM); Remote Exploit (Shell Access); Malware Delivery (Drive-by)
Persistence – Rootkits; Backdoor (Poison Ivy); Anti-AV (Infect MBR)
Communication – Encryption (SSL, SSH, Custom); Proxies, RDP, Application Tunnels; Port Evasions (tunnel over open ports); Fast Flux (Dynamic DNS)
Command & Control – Common Apps (Social media, P2P); Update Configuration Files; EXE Updates; Backdoors and Proxies
1. Communications are the life-blood of an attack
  - Modern threats are networked threats
  - Virtually every phase involves methods to hide and evade from security
2. Extensible Framework
  - If you can infect, persist, communicate and manage, then the threat functionality can be almost anything
  - Begin to think of threats as a framework, not the functionality of the payload
3. Threats exist across multiple disciplines
  - Applications – can hide and enable threats
  - URLs and websites – can host and enable threats
  - Exploits – create shell access to the target
  - Malware – controls and uses the compromised target
  - Files – used to update malware and steal data
1. Ensures visibility and control of all traffic
  - Non-standard use of ports
  - Tunneling within protocols
  - Tunneling within SSL
  - Remote desktop, SSH
  - Anonymizers, proxies, personal VPNs, encrypted tunnels, etc.
2. Integrated approach to threat prevention
  - Blocks risky applications or application features
  - IPS and vulnerability protection
  - Anti-malware
  - File and content control
  - Behavioral analysis of unknown threats
What Palo Alto Networks Brings to the Fight
Visibility and Control – What is the traffic and should it be allowed?
[Diagram: SSL – decrypted based on policy; HTTP Tunnel – decode; Skype – signature; File Transfer (BLOCKED)]
All Palo Alto Networks security begins with an integrated full-stack analysis of all traffic regardless of port, protocol or evasion
• Always the 1st task performed
• All traffic, all ports
• Always on
The Palo Alto Networks Next-Generation Firewall
Visibility and Control – What is the traffic and should it be allowed?
[Diagram: SSL, HTTP Tunnel, Skype, File Transfer]
• Always the 1st task performed
• All traffic, all ports
• Always on
Integrated Threat Prevention – Stop threats within allowed traffic
• IPS – Proven 93.4% block rate and performance
• Anti-Malware – Millions of samples, 50k analyzed per day
• URL Filtering – Malware sites, unknown and newly registered sites
• Content – Control file types, downloads, specific content
• Behavioral Analysis
Single unified engine (single-pass)
• Always in application and user context
• Independent of port or evasion
• TDL-4
  - Extension of earlier malware, a.k.a. Alureon, TDSS, TDL
  - Named “the indestructible botnet” due to its ability to protect itself from takedowns/takeovers
• Infection
  - Any (outsourced to affiliates)
  - Drive-by-Downloads easily the most common
• Persistence
  - Infects MBR
  - 32/64 bit rootkits
• Communication
  - Proprietary encryption
  - Tunneled within SSL
  - Sells proxy as a service
• Command & Control
  - Kad P2P network
  - C&C servers
  - Proxy through infected hosts
• 20+ Programs Used
  - Malicious apps, Fake AV, Spam, Adware, etc.
*Derived from analysis by Kaspersky Labs
• Indestructible does not mean indefensible
• How to Use Palo Alto Networks to Control TDL-4
Prevent Infection
  - Drive-by download protection
  - Block risky sites
  - Decrypt social networking
Prevent Communications
  - Decrypt SSL to unknown sites
  - Block unknown or proprietary encryption
  - Limit proxies to select proxies and approved users
Disrupt Command and Control
  - Block Kad usage
1. Reduce your exposure
2. Ensure visibility into traffic
3. Lock down use of commonly open ports
4. Prevent infections
5. Implement full protection from known threats
6. Analyze events in context
7. Investigate the unknowns
• Block Unneeded and High-Risk Applications
  - Block (or limit) peer-to-peer applications
  - Block unneeded applications that can tunnel other applications
  - Review the need for applications known to be used by malware
  - Block anonymizers such as Tor
  - Block encrypted tunnel applications such as UltraSurf
  - Limit use to approved proxies
  - Limit use of remote desktop
• Classify all traffic on all ports
  - This is core to an NGFW’s job, but most don’t do it
  - Check protocol decoders
• Expand visibility beyond the perimeter
  - Inside the network – remember that much of a modern intrusion happens inside the network
  - Outside the network – deliver the same application control and threat prevention outside as inside
[Diagram: firewall classifying traffic on ports 21, 22, 23, 80 and 531]
• Applications and sites are moving to SSL by default
  - Facebook, Google, etc.
  - 36% of applications by bandwidth
• Establish SSL Decryption Policies
  - Decrypt policies: social networking, webmail, IM, message boards, micro-blogging, gaming sites
  - Do not decrypt policies: health care sites and applications; financial sites and applications; secure channels
• Botnets and malware regularly communicate on ports that are open by default
  - DNS (port 53) is a favorite
• The next-generation firewall lets you set a policy that allows only DNS traffic on port 53 and blocks everything else
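The port-53 policy above, like the earlier point about classifying traffic on all ports, comes down to checking that what flows on a port is actually the protocol the port implies. The following is an added example, not Palo Alto Networks code: a minimal DNS protocol validator in Python run over constructed packets. The sample packets, the host addresses and the function names are constructed for illustration and stand in for the firewall's own decoders.

```python
"""Flag traffic on UDP/53 that is not well-formed DNS.

Added example (not Palo Alto Networks code). The page says a next-generation
firewall can be told that only DNS is allowed on port 53; the simplest form of
that check is protocol validation independent of the port number: parse the
DNS header and question section and reject anything that does not conform.
All packets below are constructed inline.
"""
import struct

DNS_PORT = 53
# Opcodes defined for DNS: QUERY(0), IQUERY(1), STATUS(2), NOTIFY(4), UPDATE(5)
VALID_OPCODES = {0, 1, 2, 4, 5}


def parse_qname(data: bytes, offset: int):
    """Parse a DNS name starting at offset; return (name, new_offset) or raise ValueError."""
    labels = []
    while True:
        if offset >= len(data):
            raise ValueError("name runs past end of message")
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers (0xC0) and the reserved label types (0x40, 0x80)
            # never appear in the first question name, so treat them as malformed.
            raise ValueError("pointer or reserved label type in question name")
        if offset + length > len(data):
            raise ValueError("label runs past end of message")
        label = data[offset:offset + length]
        if not all(32 <= b < 127 for b in label):
            raise ValueError("non-printable bytes in label")
        labels.append(label.decode("ascii"))
        offset += length
        if len(labels) > 127:
            raise ValueError("too many labels")
    return ".".join(labels), offset


def looks_like_dns(payload: bytes) -> bool:
    """Return True if payload parses as a DNS message with a sane header and one question."""
    if len(payload) < 12 or len(payload) > 512:   # classic UDP DNS size limits
        return False
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    opcode = (flags >> 11) & 0xF
    z_bit = (flags >> 6) & 0x1          # reserved bit, must be zero
    if opcode not in VALID_OPCODES or z_bit:
        return False
    if qdcount != 1:                    # real resolvers send exactly one question
        return False
    try:
        _name, off = parse_qname(payload, 12)
    except ValueError:
        return False
    if off + 4 > len(payload):
        return False
    qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
    return qtype != 0 and qclass in (1, 3, 4, 254, 255)   # IN, CH, HS, NONE, ANY


def audit_flows(flows):
    """flows: iterable of (src, dst_port, payload). Return sources sending non-DNS to port 53."""
    violations = []
    for src, dport, payload in flows:
        if dport == DNS_PORT and not looks_like_dns(payload):
            violations.append(src)
    return violations


def build_query(name: str, qtype: int = 1) -> bytes:
    """Build a minimal standard DNS query (used only to construct the sample traffic)."""
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)   # RD set, one question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


# Constructed sample traffic: one normal query, two payloads that are not DNS,
# and one flow on another port that this check does not examine.
SAMPLE_FLOWS = [
    ("10.1.1.101", 53, build_query("example.com")),
    ("10.1.1.16", 53, b"GET /update.exe HTTP/1.1\r\nHost: 198.51.100.7\r\n\r\n"),
    ("192.168.1.5", 53, bytes(range(64))),             # raw custom protocol on UDP/53
    ("10.0.0.24", 443, b"\x16\x03\x01\x00\x05hello"),  # not port 53, not examined here
]

if __name__ == "__main__":
    for host in audit_flows(SAMPLE_FLOWS):
        print(f"non-DNS traffic on port 53 from {host}")
```

This catches raw non-DNS protocols riding on UDP/53, which is what the port-53 policy forbids. A tunnel that wraps its data in syntactically valid DNS queries passes this check, which is why the deck pairs port lockdown with behavioral indicators such as dynamic DNS and unknown traffic rather than relying on either alone.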
• Drive-by-Download Protection
  - Detects downloads in the background even following an unknown exploit
  - Host browser and OS will not report it
  - Train users
[Diagram: user visits infected webpage; crafted image exploits vulnerability on client]
• Known Threats are Still the Majority of Threats Today
  - Malware and exploit kits are increasingly popular
  - Vulnerability-facing signatures detect common variants
  - “Through 2015, over 90% of malware and exploits will continue to be known threats” – Gartner
• Full Protection With Performance
  - Palo Alto Networks has shown the ability to meet datasheet speeds with all signatures enabled
  - Common engine and signature format processes traffic to detect all threats
• Develop Context-Based Visibility: Applications, Patterns, Sources and Behaviors
• Correlate by User and Application
  - Known malware
  - Known exploits
  - Phone-home detection
  - Download history
  - Exploits
  - URL categories
• Treat unknowns as significant
• NGFW classifies all known traffic
  - Custom App-IDs for internal or custom developed applications
• Any remaining “unknown” traffic can be tracked and investigated
  - Used in the field to find botnets and unknown threats
• Behavioral Botnet Report
  - Automatically correlates end-user behavior to find clients that are likely infected by a bot
  - Unknown TCP and UDP, Dynamic DNS, repeated file downloads/attempts, contact with recently registered domains, etc.
  - Find specific users that are potentially compromised by a bot
[Screenshot: Behavioral Botnet Report listing suspected source hosts and the associated user]
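To make the correlation concrete, here is an added example (not the Behavioral Botnet Report or any Palo Alto Networks code) that scores hosts in a constructed traffic log against the indicators the slide lists: unknown TCP/UDP, dynamic DNS, repeated file downloads and contact with recently registered domains. The log format, the dynamic-DNS suffixes, the “newly registered” set and the weights are all assumptions standing in for the firewall's own App-ID and URL-category data.

```python
"""Correlate per-host behaviours into a "likely infected" ranking.

Added example, not Palo Alto Networks code. It imitates the kind of
correlation the page attributes to the Behavioral Botnet Report, using the
indicators the slide lists. The log format, the dynamic-DNS suffix list, the
"newly registered" set and the weights are constructed stand-ins.
"""
from collections import defaultdict
import csv
import io

# Constructed stand-in for a dynamic-DNS URL category.
DYNAMIC_DNS_SUFFIXES = (".dyn-example.test", ".ddns-example.test")
# Constructed stand-in for a "recently registered domains" feed.
NEWLY_REGISTERED = {"fresh-domain-example.test"}
# Illustrative weights; tune to your own environment.
WEIGHTS = {
    "unknown-tcp/udp": 3,
    "dynamic-dns": 2,
    "new-domain": 2,
    "repeated-exe-downloads": 3,
}
EXE_DOWNLOAD_THRESHOLD = 3

# Constructed traffic log: time, source, user, application, destination, port, URL path.
SAMPLE_LOG = """\
ts,src,user,app,dst,dport,url
09:00:01,10.1.1.101,alice,web-browsing,news.example,80,/index.html
09:00:05,10.1.1.16,bob,unknown-tcp,198.51.100.7,4433,-
09:00:09,10.1.1.16,bob,dns,host1.dyn-example.test,53,-
09:00:12,10.1.1.16,bob,web-browsing,fresh-domain-example.test,80,/a.exe
09:00:15,10.1.1.16,bob,web-browsing,fresh-domain-example.test,80,/b.exe
09:00:18,10.1.1.16,bob,web-browsing,fresh-domain-example.test,80,/c.exe
09:00:20,10.1.1.56,carol,dns,box.ddns-example.test,53,-
09:00:25,10.1.1.101,alice,ssl,mail.example,443,-
09:00:30,10.0.0.24,dave,unknown-udp,203.0.113.9,9999,-
"""


def indicators_for(rows):
    """Return the set of indicator names triggered by one host's log rows."""
    hits = set()
    exe_downloads = 0
    for r in rows:
        if r["app"] in ("unknown-tcp", "unknown-udp"):
            hits.add("unknown-tcp/udp")
        if r["dst"].endswith(DYNAMIC_DNS_SUFFIXES):
            hits.add("dynamic-dns")
        if r["dst"] in NEWLY_REGISTERED:
            hits.add("new-domain")
        if r["url"].lower().endswith(".exe"):
            exe_downloads += 1
    if exe_downloads >= EXE_DOWNLOAD_THRESHOLD:
        hits.add("repeated-exe-downloads")
    return hits


def botnet_report(log_text):
    """Group rows by (source host, user) and rank by correlated indicator score.

    Returns a list of (host, user, score, sorted_indicators), highest score
    first, containing only hosts that triggered at least one indicator.
    """
    by_host = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        by_host[(row["src"], row["user"])].append(row)
    report = []
    for (host, user), rows in by_host.items():
        hits = indicators_for(rows)
        if hits:
            score = sum(WEIGHTS[h] for h in hits)
            report.append((host, user, score, sorted(hits)))
    report.sort(key=lambda entry: (-entry[2], entry[0]))
    return report


if __name__ == "__main__":
    for host, user, score, hits in botnet_report(SAMPLE_LOG):
        print(f"{host:15} {user:8} score={score:2}  {', '.join(hits)}")
```

The point of the grouping is the one the slide makes: a single dynamic-DNS lookup or one unknown-UDP flow is weak evidence, but several independent indicators from the same host and user in a short window are what justify an investigation, and the report surfaces the user, not just the address.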
Page 28 |
© 2010 Palo Alto Networks. Proprietary and Confidential.
App-ID™
• All traffic, all ports, all the time
• Application signatures
• Heuristics
• Decryption
Patterns
• Block threats on all ports
• 93.4% block rate of known exploits
• 5M+ malware samples
Sources
• Malware hosting URLs
• Recently registered domains
• SSL decryption of high-risk sites
Behaviors
• Dynamic DNS, fast flux
• Download patterns
• Unknown traffic
Outcomes
• Reduce the attack surface
• Remove the ability to hide
• Prevents known threats – 90% of threats through 2015 (Gartner)
• Block known sources of threats – be wary of unclassified and new domains
• Detects pre-existing or unknown threats
Modern malware is largely defined by how it addresses 4 key problems:
• Infect – How does the malware infect the target without triggering traditional AV and anti-malware?
• Persist – How does the malware persist on the infected host and avoid removal?
• Communicate – How does the malware securely communicate without being detected?
• Manage – How does the malware establish effective command and control without exposing itself to take-over?
If malware can survive on the host, communicate securely and update itself, then the payload can be virtually anything.
Infect – Drive-by-Download
• Attack begins with a remote exploit
• Malware is downloaded in the background following the successful exploit
Persist – Root Kits, Back doors, Anti-AV
• Infection of master boot record
• Process injection, etc.
• Customized and polymorphic malware to avoid signature detection
Communicate – Encryption, Proxies, Fast Flux, Dynamic DNS, Peer-to-Peer
• Many methods to hide from security
Manage – Command and Control
• Custom app or protocol
• Config files
• EXE download
• P2P, social networks
• More use of fast flux
Infection – How does the malware infect the target without being detected?
• Remote Exploits
• Hidden Traffic
• Custom Malware
Persistence – How does the malware remain on the infected host?
• Rootkits
• Backdoors
• Anti-AV
Control – How does the malware coordinate and control itself without being taken over?
• Social Media
• Configuration Files
• EXE Updates
Communication – How does the malware communicate securely without being detected?
• Encryption
• Proxies & Evasions
• Fast Flux
Infection – How does the malware infect the target without being detected?
• Ensure Visibility into Traffic
• Integrated IPS and Anti-Malware
• Drive-by-Download Protection
Persistence – How does the malware remain on the infected host?
• Rootkits, Backdoors – Detect and Block
• Integrated Anti-AV
Control – How does the malware coordinate and control itself without being taken over?
• Control Social Media
• Detect Configuration Files via IPS
• Block EXE Downloads
Communication – How does the malware communicate securely without being detected?
• Decrypt SSL, Block Encryption
• Control Proxies & Evasions
• Track Fast Flux & Dynamic DNS
Applications / Evasions
• Attackers have learned to use applications and evasions to hide their traffic from security
  - Travel over non-standard ports
  - Tunnel within protocols
  - Tunnel within SSL
  - Dynamic DNS to cover their tracks
  - Use circumventing applications (remote desktop, SSH)
  - Use anonymizing applications (proxies, Tor, personal VPNs)
Exploits / Malware
• The fusion of exploits and malware allows any connection to deliver malware
  - Exploit user on a web-page, establish shell access, download malware in background
  - Malware is no longer simply an exe for a user to click on
• Signature avoidance
  - Polymorphic malware
  - Zero-Day vulnerabilities
[Diagram: drive-by infection and escalation sequence]
1. User visits infected webpage
2. Crafted image exploits vulnerability on client
3. Exploit gains shell access and downloads malware in background
4. Infected host used to investigate network, capture passwords, exploit other users and systems (over SSL, Remote Desktop)