Palo Alto Networks

Breaking the Lifecycle of the Modern Threat
Santiago Polo
Sr. Systems Engineer
Palo Alto Networks, Inc.
About Palo Alto Networks
• Palo Alto Networks is the Network Security Company
• World-class team with strong security and networking experience
  - Founded in 2005, first customer July 2007
  - Top-tier investors
• Builds next-generation firewalls that identify / control 1400+ applications
  - Restores the firewall as the core of the enterprise network security infrastructure
  - Innovations: App-ID™, User-ID™, Content-ID™
• Global footprint: 6,000+ customers in 70+ countries, 24/7 support
What Has Changed / What is the Same
• The attacker changed
  - Nation-states
  - Criminal organizations
  - Political groups
• Attack strategy evolved
  - Patient, multi-step process
  - Compromise user, then expand
• Attack techniques evolved
  - New ways of delivering malware
  - Hiding malware communications
  - Signature avoidance
The Sky is Not Falling
- Not new, just more common
- Solutions exist
- Don’t fall into “the APT ate my homework” trap
Strategy: Patient Multi-Step Intrusions
[Diagram: Organized Attackers → The Enterprise; stages: Infection, Command and Control, Escalation, Exfiltration]
Challenges to Traditional Security
• Threats coordinate multiple techniques, while security is segmented into silos
  - Exploits, malware, spyware, obfuscation all part of a patient, multi-step intrusion
• Threats take advantage of security blind spots to keep from being seen
  - Patient attacks must repeatedly cross the perimeter without being detected
• Targeted and custom malware can bypass traditional signatures
  - The leading edge of an attack is increasingly malware that has never been seen before.
Regaining Control Over Modern Threats
New Requirements for Threat Prevention
1. Full Visibility - all traffic regardless of port, protocol, evasive tactic or SSL
2. Stop all known network threats - (IPS, Anti-malware, URL, etc.) while maintaining multi-gigabit performance
3. Find and stop new and unknown threats - even without a pre-existing signature
[Diagram of threat types: Fast Flux, Vulnerabilities, SQL Injection, Denial of Service, Malware Sites, Malware, Dangerous URLs, Botnets, Cross-Site Scripting, Key Loggers]
Page 6 | © 2011 Palo Alto Networks. Proprietary and Confidential.
Visibility
• Visibility is Fundamental
  - You can’t stop what you can’t see
  - Virtually all threats other than DoS depend on avoiding security
• Full Stack Inspection of All Traffic
  - All traffic, on all ports, all the time
  - Progressive decoding of traffic to find hidden, tunneled streams
  - Contextual decryption of SSL
• Control the Applications That Hide Traffic
  - Limit traffic to approved proxies, remote desktop applications
  - Block bad applications like encrypted tunnels, circumventors
Control the Methods Threats Use to Hide
If you can’t see it, you can’t stop it
• Encrypted Traffic
  - SSL is the new standard
• Proxies
  - Reverse proxies are hacker favorites
• Remote Desktop
  - Increasingly standard
• Compressed Content
  - ZIP files, compressed HTTP
• Encrypted Tunnels
  - Hamachi, Ultrasurf, Tor
  - Purpose-built to avoid security
[Diagram: Outbound C&C Traffic hidden behind Circumventors and Tunnels, Encryption (e.g. SSL), Proxies (e.g. CGIProxy), Compression (e.g. GZIP)]
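Added example (not from the presentation and not Palo Alto Networks code): a small Python scanner that shows why the "progressive decoding" of the Visibility slide matters for the compressed-content case above. A signature matched only against the bytes on the wire misses content carried inside compressed HTTP (GZIP) or a ZIP file; unwrapping each layer and rescanning finds it. The signature, the sample payload and the limits are constructed for this example; the depth and size caps stand in for the nesting and decompression-bomb guards a real inspection engine needs, and hitting either cap is reported as a finding rather than silently allowed.

```python
import gzip
import io
import zipfile

# Constructed signature: a byte pattern standing in for a real content signature.
SIGNATURES = {b"EVIL-MARKER-0001": "constructed.test.signature"}

MAX_DEPTH = 4                   # wrapper layers we are willing to unwrap (assumed limit)
MAX_OUTPUT = 4 * 1024 * 1024    # bytes we are willing to decode per layer (assumed limit)

GZIP_MAGIC = b"\x1f\x8b"
ZIP_MAGIC = b"PK\x03\x04"


def is_wrapped(data: bytes) -> bool:
    """True if the bytes start with a wrapper we know how to open."""
    return data.startswith(GZIP_MAGIC) or data.startswith(ZIP_MAGIC)


def scan_raw(data: bytes) -> list:
    """Signature match on the bytes as they arrive; a scanner without decoding sees only this."""
    return [name for pat, name in SIGNATURES.items() if pat in data]


def unwrap(data: bytes):
    """Yield (layer_label, decoded_bytes) per wrapper layer; decoded_bytes is None if oversize."""
    if data.startswith(GZIP_MAGIC):
        with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
            inner = gz.read(MAX_OUTPUT + 1)          # read one byte past the cap to detect overflow
        yield "gzip", (inner if len(inner) <= MAX_OUTPUT else None)
    elif data.startswith(ZIP_MAGIC):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                with zf.open(info) as member:        # stream the member, do not trust file_size
                    inner = member.read(MAX_OUTPUT + 1)
                yield f"zip:{info.filename}", (inner if len(inner) <= MAX_OUTPUT else None)


def scan_progressive(data: bytes, depth: int = 0, path: str = "raw") -> list:
    """Match at this layer, then decode each wrapper and recurse; findings are (path, name)."""
    hits = [(path, name) for name in scan_raw(data)]
    if depth >= MAX_DEPTH:
        if is_wrapped(data):                          # excessive nesting is itself a finding
            hits.append((path, "nesting-depth-exceeded"))
        return hits
    for label, inner in unwrap(data):
        child = f"{path}/{label}"
        if inner is None:
            hits.append((child, "oversize-decoded-content"))
        else:
            hits.extend(scan_progressive(inner, depth + 1, child))
    return hits


def build_sample() -> bytes:
    """Constructed input: marker inside a zip entry, the zip then gzip-encoded like an HTTP body."""
    payload = b"tracking details for your parcel\n" * 40 + b"EVIL-MARKER-0001\n"
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notification.bin", payload)
    return gzip.compress(zbuf.getvalue())


def nest_gzip(data: bytes, layers: int) -> bytes:
    """Wrap data in the given number of gzip layers (constructs the deep-nesting case)."""
    for _ in range(layers):
        data = gzip.compress(data)
    return data


if __name__ == "__main__":
    sample = build_sample()
    print("raw scan:", scan_raw(sample))              # -> []
    print("progressive:", scan_progressive(sample))
    print("too deep:", scan_progressive(nest_gzip(b"EVIL-MARKER-0001\n" * 50, 6)))
```

The two calls in the usage section illustrate the two outcomes a defender cares about: the first payload is only found once both the GZIP and the ZIP layer have been opened, and a payload buried under more layers than the engine will open is reported as a nesting finding at the deepest layer reached instead of being passed through.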
Block the Applications That Hide Traffic
• Block Unneeded and High-Risk Applications
  - Block (or limit) peer-to-peer applications
  - Block unneeded applications that can tunnel other applications
  - Review the need for applications known to be used by malware
  - Block anonymizers such as Tor
  - Block encrypted tunnel applications such as UltraSurf
  - Limit use to approved proxies
  - Limit use of remote desktop
Control Known Threats
• Modern attacks are patient and use multiple techniques
  - Threats are more than exploits
  - Malware
  - Dangerous URLs
  - Spyware
  - Command and Control Traffic
  - Circumvention Techniques
• Context is Key
  - Clear visibility into all URLs, users, applications and files connected to a particular threat
“Okay, but what about unknown and targeted malware?”
The Malware Window of Opportunity
[Timeline: Total Time Exposed = time required to capture 1st sample of malware in the wild + time required to create and verify malware signature + time before antivirus definitions are updated]
Days and weeks until users are protected by traditional signatures
Attackers Target the Window of Opportunity
[Diagram: Targeted Attacks, Malware Construction Kits, Refreshed Malware]
Controlling Unknown Malware Using the Next-Generation Firewall
• Introducing WildFire
  - New feature of the Palo Alto Networks NGFW
  - Captures unknown inbound files and analyzes them for 70+ malicious behaviors
  - Analysis performed in a cloud-based, virtual sandbox
• Automatically generates signatures for identified malware
  - Infecting files and command-and-control
  - Distributes signatures to all firewalls via regular threat updates
• Provides forensics and insight into malware behavior
  - Actions on the target machine
  - Applications, users and URLs involved with the malware
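Added example (not from the presentation and not WildFire's own code): a Python sketch of the pipeline the slide describes, from sandbox observations to a verdict, from the verdict to file and command-and-control signatures, and from those to a threat update a firewall can enforce. The behaviour catalogue, weights and threshold are assumptions made for this example (the product's real list of 70+ behaviours is not on the page), and the sample bytes and hostnames are constructed placeholders modelled on the deck's case studies.

```python
import hashlib
import json
from dataclasses import dataclass

# Assumed behaviour catalogue and weights; not the product's actual behaviour list.
BEHAVIOUR_WEIGHTS = {
    "anti_vm_check": 3,
    "reads_browser_cookies": 3,
    "reads_mail_ftp_credentials": 4,
    "modifies_proxy_settings": 2,
    "modifies_browser_security_settings": 2,
    "installs_service": 2,
    "http_post_to_new_domain": 3,
    "creates_file_in_temp": 1,      # common in benign installers; only matters in combination
}
MALICIOUS_THRESHOLD = 6             # assumed cut-off for a malware verdict


@dataclass
class SandboxReport:
    sample: bytes           # the captured inbound file
    filename: str
    behaviours: list        # behaviour names observed while the sample ran
    cnc_hosts: list         # hosts the sample called back to during analysis


def score(report: SandboxReport) -> int:
    """Sum the weights of recognised behaviours; names outside the catalogue count zero."""
    return sum(BEHAVIOUR_WEIGHTS.get(b, 0) for b in report.behaviours)


def verdict(report: SandboxReport) -> str:
    return "malware" if score(report) >= MALICIOUS_THRESHOLD else "benign"


def generate_signatures(report: SandboxReport) -> list:
    """A malware verdict yields one file signature plus one C&C signature per callback host."""
    if verdict(report) != "malware":
        return []
    sigs = [{"type": "file", "sha256": hashlib.sha256(report.sample).hexdigest(),
             "name": report.filename}]
    sigs += [{"type": "cnc", "host": h, "action": "block"} for h in report.cnc_hosts]
    return sigs


def threat_update(reports: list) -> dict:
    """Bundle the signatures from many reports into one update for distribution to firewalls."""
    update = {"version": 1, "signatures": []}
    for r in reports:
        update["signatures"].extend(generate_signatures(r))
    return update


def firewall_check(update: dict, file_bytes: bytes = None, dest_host: str = None) -> str:
    """What a firewall does with the update: match a transferred file or a C&C destination."""
    sigs = update["signatures"]
    if file_bytes is not None:
        digest = hashlib.sha256(file_bytes).hexdigest()
        if any(s["type"] == "file" and s["sha256"] == digest for s in sigs):
            return "block:file"
    if dest_host is not None:
        if any(s["type"] == "cnc" and s["host"] == dest_host for s in sigs):
            return "block:cnc"
    return "allow"


def sample_reports() -> list:
    """Constructed reports modelled on the deck's case studies; bytes and hosts are placeholders."""
    bot = SandboxReport(b"constructed-botnet-sample-bytes", "DHL-express-tracking-delivery-notification",
                        ["anti_vm_check", "reads_mail_ftp_credentials", "reads_browser_cookies"],
                        ["cnc.example.invalid"])
    wrapper = SandboxReport(b"constructed-download-wrapper-bytes", "installer-wrapper",
                            ["modifies_proxy_settings", "modifies_browser_security_settings",
                             "installs_service", "http_post_to_new_domain"],
                            ["tracker.example.invalid"])
    benign = SandboxReport(b"constructed-benign-bytes", "readme", ["creates_file_in_temp"], [])
    return [bot, wrapper, benign]


if __name__ == "__main__":
    update = threat_update(sample_reports())
    print(json.dumps(update, indent=2))       # the feed as it would be shipped
    print(firewall_check(update, dest_host="cnc.example.invalid"))
```

The design point worth noticing is that the verdict is additive: no single behaviour in the catalogue is decisive, which is what lets a wrapper that "only" changes proxy settings and posts data over HTTP still cross the threshold once its behaviours are seen together, while a benign installer that writes a temporary file does not.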
Case Study - Password Stealing Botnets
Overview
Threat Type: Botnet, similar to the notorious ZeuS banking botnet
Target: Targets end-users with the goal of stealing passwords
Transmission Methods: Heavy use of email, some use of HTTP
Key Actions:
• Steals email and FTP credentials
• Steals cookies from browsers
• Decrypts and sniffs SSL sessions
• Uses anti-VM techniques
File Name(s):
• American_Airlines_E-Ticket-printing-copy
• DHL-express-tracking-delivery-notification
Initial Detection Rates: Very low detection rates, sometimes for several days. Heavy use of packers.
Malware Analysis
[Screenshots of the malware analysis report]
Case Study - Enterprise Phishing
• Shipping and Security are common topics for enterprise phishing
  - Fake DHL, USPS, UPS and FedEx delivery messages
  - Fake CERT notifications
• Ongoing Phishing Operations
  - Large volumes of malware – commonly in the top 3 of daily unknown malware seen in enterprises
  - Correlate new malware talking back to the same malware servers
  - Refreshed daily to avoid traditional AV signatures
[Screenshot: sample file names]
• DHL-international-shipping-ID
• DHL-international-shippingnotification
• DHL-Express-Notification-JAN
• United-Parcel-Service-Invoice
• USPS-Failed-Delivery_Notification
• US-CERT Operations Center Report
• USPS Report
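Added example (not from the presentation and not Palo Alto Networks code): the correlation step this case study relies on, and the "context is key" point of the Control Known Threats slide, worked through in Python over a handful of constructed log lines. Daily-refreshed samples defeat file signatures, but samples that call back to the same server can be tied together by joining each unknown file delivery with the outbound sessions its recipient host opened shortly afterwards. The log format, the IP addresses (documentation ranges) and the ten-minute window are assumptions for this example; only the file names come from the deck.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified log format for this example (not a real firewall log format):
#   "<timestamp> <kind> key=value key=value ..."
LOG_LINES = """\
2011-12-05T09:14:02 file user=alice src=10.1.1.5 app=smtp name=DHL-international-shipping-ID sha=c0ffee01 verdict=unknown
2011-12-05T09:16:40 session user=alice src=10.1.1.5 app=web-browsing dst=203.0.113.10 url=http://203.0.113.10/gate.php
2011-12-05T09:20:11 session user=alice src=10.1.1.5 app=web-browsing dst=198.51.100.7 url=http://198.51.100.7/news
2011-12-06T08:02:33 file user=bob src=10.1.1.9 app=smtp name=DHL-Express-Notification-JAN sha=c0ffee02 verdict=unknown
2011-12-06T08:05:51 session user=bob src=10.1.1.9 app=web-browsing dst=203.0.113.10 url=http://203.0.113.10/gate.php
2011-12-06T10:30:00 file user=carol src=10.1.1.12 app=web-browsing name=quarterly-report sha=c0ffee03 verdict=unknown
2011-12-06T10:31:15 session user=carol src=10.1.1.12 app=web-browsing dst=192.0.2.44 url=http://192.0.2.44/index.html
2011-12-06T12:00:00 session user=dave src=10.1.1.20 app=web-browsing dst=203.0.113.10 url=http://203.0.113.10/gate.php
"""

WINDOW = timedelta(minutes=10)    # assumed: how soon after delivery a callback is attributed to the file


def parse(line: str) -> dict:
    """Split one constructed log line into a dict of its fields plus parsed timestamp and kind."""
    ts, kind, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split(" "))
    fields["ts"] = datetime.fromisoformat(ts)
    fields["kind"] = kind
    return fields


def correlate(lines: str, window: timedelta = WINDOW, min_files: int = 2) -> dict:
    """Join each unknown file delivery with the sessions its host opened within the window,
    then keep only destinations reached by at least min_files distinct unknown files."""
    events = [parse(l) for l in lines.strip().splitlines()]
    files = [e for e in events if e["kind"] == "file" and e["verdict"] == "unknown"]
    sessions = [e for e in events if e["kind"] == "session"]
    by_dst = defaultdict(lambda: {"files": set(), "users": set(), "urls": set(), "apps": set()})
    for f in files:
        for s in sessions:
            if s["src"] == f["src"] and f["ts"] <= s["ts"] <= f["ts"] + window:
                ctx = by_dst[s["dst"]]
                ctx["files"].add(f["name"])      # the deliveries that led here
                ctx["users"].add(f["user"])      # who received them
                ctx["urls"].add(s["url"])        # the URL the sample called
                ctx["apps"].add(s["app"])        # the application that carried the callback
    return {dst: ctx for dst, ctx in by_dst.items() if len(ctx["files"]) >= min_files}


def infected_hosts(lines: str, servers: dict) -> list:
    """Every source talking to a correlated server, including hosts whose file delivery was never seen."""
    events = [parse(l) for l in lines.strip().splitlines()]
    return sorted({(e["src"], e["user"]) for e in events
                   if e["kind"] == "session" and e["dst"] in servers})


if __name__ == "__main__":
    servers = correlate(LOG_LINES)
    for dst, ctx in servers.items():
        print(dst, sorted(ctx["files"]), sorted(ctx["users"]), sorted(ctx["apps"]))
    print("hosts to investigate:", infected_hosts(LOG_LINES, servers))
```

In the sample data the two differently named DHL attachments resolve to the same callback server while carol's download and alice's news site, each tied to only one file, drop out as noise; the second function then shows the payoff of the correlation, since dave's host was never seen receiving a file yet is pinpointed as a live infection by its traffic alone.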
Trusted Sources
CNET/Download.com
• Strong reputation for providing safe downloads of shareware and freeware that are verified to be malware free.
• In early December 2011 WildFire began identifying files from Download.com as containing spyware.
• CNET had begun providing software downloads in a wrapper that installed subtle spyware designed to track shopping habits
• Changed a variety of client and browser security settings
  - Changed security settings
  - Changed proxy settings
  - Changed Internet Explorer settings
  - Installed a service to leak advertising and shopping data over HTTP POSTs.
An Integrated Approach to Threat Prevention
Applications
• All traffic, all ports, all the time
• Application signatures
• Heuristics
• Decryption
• Reduce the attack surface
• Remove the ability to hide
Exploits & Malware
• Block threats on all ports
• NSS Labs Recommended IPS
• Millions of malware samples
• Prevents known threats
• Exploits, malware, C&C traffic
Dangerous URLs
• Malware hosting URLs
• Newly registered domains
• SSL decryption of high-risk sites
• Block known sources of threats
• Be wary of unclassified and new domains
Unknown & Targeted Threats
• WildFire control of unknown and targeted malware
• Unknown traffic analysis
• Anomalous network behaviors
• Pinpoints live infections and targeted attacks
[Arrow across the four columns, left to right: Decreasing Risk]
Roundtable Discussion