Security: Next Generation Topics and Best Practices
John Petersen, Systems Engineer
January 2016

Agenda
• Introductions
• Evolving Threat Landscape
• Challenges with Legacy Security Architecture
• Modern Prevention – Disrupting the Attack Chain
• Next Steps
• Q & A / Open Discussion / Comments

© 2015, Palo Alto Networks. Confidential and Proprietary.

The Evolving Threat Landscape

Unit 42
Mission: Analyze the data available to Palo Alto Networks to identify adversaries, their motivations, resources, and tactics to better understand the threats our customers face.
Key perspectives:
• Who is the adversary? Their motivations, resources and tactics
• Understanding the cyber attack lifecycle
• How attacks happen

What's Changed? Attack Evolution, Automation!
• Cyber crime & warfare: a $1+ trillion industry, 100+ nations, $3.5 million average breach
• Mobile threats
• SSL encryption
• Changing application environment
• Zero-day exploits/vulnerabilities
• Unknown & polymorphic malware
• Lateral movement
• Evasive command-and-control
• Known threats
• Organizational risk

2015 Highlights
• XcodeGhost – Unit 42 analyzed XcodeGhost, which modifies Xcode and infects Apple iOS apps, and its behavior. The team found that many popular iOS apps were infected, including WeChat, one of the most popular messaging applications in the world, and that the XcodeGhost attacker can phish passwords and open URLs through these infected apps.
• KeyRaider – In cooperation with WeipTech, Unit 42 identified samples of a new iOS malware family in the wild which they named KeyRaider. This is believed to be the largest known Apple account theft caused by malware, stealing over 225,000 valid Apple accounts and thousands of certificates, private keys, and purchasing receipts. Unit 42 also detailed how to keep yourself safe from KeyRaider.
• YiSpecter – Unit 42 identified a new Apple iOS malware, dubbed YiSpecter.
YiSpecter is different from previously seen iOS malware in that it attacks both jailbroken and non-jailbroken iOS devices through unique and harmful malicious behaviors. Specifically, it was the first malware seen in the wild that abuses private APIs in the iOS system to implement malicious functionality.
• Android Installer Hijacking – Unit 42 discovered a widespread vulnerability in Google's Android OS they called "Android Installer Hijacking," estimated to impact 49.5 percent of all current Android users, which allows an attacker to modify or replace a seemingly benign Android app with malware without the user's knowledge. It affects only applications downloaded from third-party app stores.
• Operation Lotus Blossom – Unit 42 published new research identifying a persistent cyber espionage campaign targeting government and military organizations in Southeast Asia by an adversary group they named "Lotus Blossom." The campaign has been in operation for some time; Unit 42 identified over 50 different attacks taking place over the past three years. Recently, Unit 42 found that a targeted attack directed at an individual working for the French Ministry of Foreign Affairs was linked to Operation Lotus Blossom.
• BackStab – Unit 42 found the new "BackStab" attack, used to steal private information from mobile device backup files stored on a victim's computer.

Exploring Actor Motivations (these are not mutually exclusive)
• Cyber espionage
• Cyber crime ($$$)
• Cyber hacktivism
• Cyber warfare
• Cyber terrorism
• Cyber mischief

The Advanced Adversary
• The majority of adversaries are just doing their job: bosses, families, bills to pay.
• They want to get in, accomplish their task, and get out undetected.
• Their goal isn't making your life hard.
Cyber Threats Are Getting More Advanced
Advanced
• Uses a broad spectrum of exploits
• Both well-known and zero-day exploits
• Crosses multiple vectors; uses crypting
• Re-encodes or uses polymorphism
Persistent
• Goal-oriented rather than opportunistic
• Highly targeted, methodical attacks
Threat
• Organized, well-funded criminal adversaries
• Nation-states, cyber-espionage groups
• Thousands of off-the-shelf tools available

WildFire Threat Cloud – Total Files Scanned
• Volume of files scanned by WildFire continues to grow
• As high as 1.4M/day during the week, about 500K/day on the weekends
• Peaking at 16.2 samples per second investigated in the cloud
• Finding one new piece of actual malware about every 3 seconds

Overall Malware Found – Zero-Day Malware Found per Day in WildFire
[Chart: zero-day malware files found per day, 5/1/14 to 2/1/15, y-axis 0 to 80,000]
• Averaging around 31K new zero-day malware files per day
• Trending up 50% in the past 9 months
• Very interesting trends over the past 3 months: high activity around US Thanksgiving, continued high activity through Christmas, slow start to the new year
• 70,000 a day = 490,000 weekly; that's nearly half a million zero-day malware files every week (a 155 times increase since Sept 2013)
• Requires 312 new AV signatures every 15 minutes

How Do Other Malware Detection Models Break Down?
[Chart: percent of malware delivered not via port 25 or port 80, 5/7/14 to 2/25/15, y-axis 0% to 45%]
• ~85% of malware arrives via port 25/80
• Most other malware tools only inspect port 25/80, so they find only that ~85% of the malware and miss over 4,600 files/day
• Growing trend for non-25/80 delivery of malware. Secondary download?
• Other tools have no way to detect this malware in the network... so why stop looking internally?

Lateral Movement
[Diagram: perimeter, internal network and data center; an attacker who is inside moves between them]

WildFire DNS per Day
[Chart: WildFire DNS signatures per day and passive DNS (pDNS) learned sites per day, May 2014 to Jan 2015; DNS updates per day by content release, 2014.05.01.001 to 2015.02.19.001]
• Including 600 learned malicious DNS sites/day via passive DNS
• Also delivering about 150 new DNS rules every 15 minutes
• Required 460 new URL rules every 30 minutes in December

Growth of Command & Control Traffic
[Chart: total malware URLs blocked, Dec 2013 to Feb 2015, y-axis 0 to 1,600,000]
• C&C traffic growing after a quiet summer; massive jump in December
• Seems to imply a growth in the number of players developing malware

Challenges With Legacy Security Architecture

Applications Get Through the Firewall
Network security policy is enforced at the firewall:
• Sees all traffic
• Defines the boundary
• Enables access
Traditional firewalls don't work any more.

Security Has Evolved from What We Have Known It to Be
Legacy security and architectures based on manual reactions and log management are failing today:
• Proxies are limited
• Stateful firewalls are failing (port / protocol)
• SSL traffic is not being inspected
• Lack of security with VLANs

Every breach today has several things in common:
• A port-based firewall
• A simple IPS
• Desktop A/V (signature based)

[Diagram: an enterprise network behind the Internet, with separate, uncorrelated DNS, SMTP, web, AV and endpoint alerts]

To protect the network, the solution must be:
• Automated
• Integrated
• Simple
• All security functions on one platform, fully integrated
• Able to prevent attacks from known and unknown threats
• Built on an architecture focused on prevention: keep the network safe at all times

Common Traits for Breached Networks
1. A port-based firewall
2. A static IPS
3. Exploits and zero-day malware used to manipulate platforms in the network (traditional A/V fails)
4. Identity credentials hijacked

Modern Prevention – Disrupting the Attack Chain

Detect & Prevent Threats at Every Point
• At the mobile device
• At the Internet edge
• Between employees and devices within the LAN
• At the data center edge and between VMs
• Within private, public and hybrid clouds
What this requires:
• Prevent attacks, both known and unknown
• Protect all users and applications, in the cloud or virtualized
• Integrate network and endpoint security
• Analytics that correlate across the cloud

Preventing Across the Cyber Attack Lifecycle
1. Breach the perimeter – Reconnaissance; Weaponization and Delivery
2. Deliver the malware – Exploitation; Installation
3. Lateral movement – Command-and-Control
4. Exfiltrate data – Actions on the Objective
Stages 1 and 2 are unauthorized access; stages 3 and 4 are unauthorized use.

Hot Topics
• Port-based firewalls, proxies, VLANs, and ACLs are not enough
• Safely enabling applications
• "Zero Trust" security posture
• Reducing the attack surface
• Limiting data loss
• SSL decryption
• Dealing with unknowns: traffic / applications, malware, vulnerabilities / exploits
• Network and micro-segmentation

NGFW Requirements
• Safely enable applications
• Secure remote users
• Content and user aware
• Systematically manage unknown traffic & threats
• SSL decryption / SSH control
• Inline prevention
• Integration
• Automation
• Reliable performance

Zero Trust (Forrester Research)
• "Never trust, always verify"
• VLANs / ACLs are not enough
• Inspect ALL traffic
• User and content aware
• Threat prevention

Segmentation
• VLANs / ACLs are not enough
• Reduce the attack surface
• Network: DMZ, PCI, users, data center
• Data center: East–West (app, web, dev), sensitive resources, virtual micro-segmentation, firewall as a service
• Advanced inspection: threats, applications, user identity, content identity

Vulnerabilities & Exploits – the Greatest Threat!
• Can disable anti-malware solutions
• Drive-by downloads
• Unknown / zero-day: block by exploit technique rather than by signature
• Whitelisting does not help: good applications can behave badly
• Patching only covers known vulnerabilities and can be cumbersome, difficult on servers
• Reduce the attack surface, Zero Trust, cyber attack chain disruption
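The Zero Trust and segmentation slides above make one point repeatedly: a rule that allows "tcp/443 from users to the data center" says nothing about which application or which user is inside that connection, so an SSH tunnel on 443, an unknown protocol, or a developer host reaching the production database all pass. The following is an added example, not code from the deck or from any Palo Alto Networks product, that evaluates the same constructed flows against a legacy port/zone policy and against a zone + application + user-group allowlist with an implicit deny. The zone names, rule names, user groups and the `app` label on each flow are assumptions; in practice the application label comes from an application-identification engine and the group from an identity mapping, neither of which is modelled here.

```python
"""Port-based vs application/user-aware zone policy (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    user_group: str   # assumed: supplied by an identity mapping, not modelled here
    port: int
    app: str          # assumed: supplied by application identification, not derived from port


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    apps: frozenset    # allowed application names; {"any"} matches everything
    groups: frozenset  # allowed user groups; {"any"} matches everything
    action: str        # "allow" or "deny"


def _matches(value, allowed):
    return "any" in allowed or value in allowed


def evaluate_app_policy(flow, rules):
    """First-match evaluation; anything no rule allows hits the implicit deny."""
    for r in rules:
        if (r.src_zone in ("any", flow.src_zone)
                and r.dst_zone in ("any", flow.dst_zone)
                and _matches(flow.app, r.apps)
                and _matches(flow.user_group, r.groups)):
            return r.action, r.name
    return "deny", "implicit-deny"


def evaluate_port_policy(flow, allowed_ports):
    """Legacy model: a zone pair and a destination port, nothing else."""
    if flow.port in allowed_ports.get((flow.src_zone, flow.dst_zone), set()):
        return "allow", f"tcp/{flow.port}"
    return "deny", "implicit-deny"


# Constructed policies for zones: users, internet, dc-web, dc-db, dc-dev.
PORT_POLICY = {
    ("users", "internet"): {80, 443},
    ("users", "dc-web"): {22, 443},
    ("dc-web", "dc-db"): {3306},
    ("dc-dev", "dc-db"): {3306},      # "dev needs the DB port too" - a typical legacy hole
}

APP_POLICY = [
    Rule("users-web-out", "users", "internet", frozenset({"web-browsing", "ssl"}), frozenset({"any"}), "allow"),
    Rule("admins-ssh-dc", "users", "dc-web", frozenset({"ssh"}), frozenset({"it-admins"}), "allow"),
    Rule("users-intranet", "users", "dc-web", frozenset({"web-browsing", "ssl"}), frozenset({"employees"}), "allow"),
    Rule("web-to-db", "dc-web", "dc-db", frozenset({"mysql"}), frozenset({"any"}), "allow"),
    # No rule for dc-dev -> dc-db and no rule for "unknown-tcp": both fall to implicit deny.
]

# Constructed flows; the app label is what an application-aware firewall would have identified.
SAMPLE_FLOWS = [
    Flow("users", "internet", "employees", 443, "ssl"),          # normal browsing
    Flow("users", "internet", "employees", 443, "ssh"),          # SSH tunnelled over 443
    Flow("users", "dc-web", "it-admins", 22, "ssh"),             # admin doing their job
    Flow("users", "dc-web", "employees", 22, "ssh"),             # non-admin with stolen creds
    Flow("users", "dc-web", "employees", 443, "unknown-tcp"),    # unidentified protocol on 443
    Flow("dc-web", "dc-db", "none", 3306, "mysql"),              # legitimate east-west
    Flow("dc-dev", "dc-db", "none", 3306, "mysql"),              # dev box reaching prod DB
]


def compare(flows, port_policy=PORT_POLICY, app_policy=APP_POLICY):
    """Return (flow, port_action, app_action, matched_rule) for each flow."""
    out = []
    for f in flows:
        port_action, _ = evaluate_port_policy(f, port_policy)
        app_action, rule = evaluate_app_policy(f, app_policy)
        out.append((f, port_action, app_action, rule))
    return out


def port_only_gaps(flows):
    """Flows the port policy lets through that the application/user policy stops."""
    return [f for f, p, a, _ in compare(flows) if p == "allow" and a == "deny"]


if __name__ == "__main__":
    for f, p, a, rule in compare(SAMPLE_FLOWS):
        print(f"{f.src_zone:>7} -> {f.dst_zone:<8} tcp/{f.port:<5} {f.app:<12} "
              f"{f.user_group:<10} port-policy={p:<5} app-policy={a:<5} ({rule})")
```

All seven flows are "allow" under the port policy; four of them (the tunnelled SSH, the non-admin SSH, the unknown protocol, and dev-to-prod MySQL) are denied once the rule has to name the application and the user group. The default-deny at the end is the Zero Trust part: "unknown-tcp" is stopped not because anyone wrote a rule against it but because nobody wrote a rule for it.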
Malware
Known threats
• Signatures
• URLs / IPs
• DNS
• The problem with signatures: they keep growing. Example, a single endpoint AV definitions file (SEP Definitions):
  File Name: 20160112-001-v5i32.exe
  Creation Date: 01/12/2016
  File Size: 436.39 MB
Unknown threats
• STAP (Specialized Threat Analysis Protection), a.k.a. virtual sandboxing: not perfect, but a great start
• Reduce the attack surface
• Automation
• Cloud intelligence
• Reputation & behavior
Advanced persistent threats – essentials
• Whitelisting
• Patch mitigation
• DNS sinkhole
• Anti-exploit
• Anti-spyware

Preventing Command-and-Control
• URL Filtering: proactively block unnecessary URLs, including the Dynamic DNS category
• Dynamic DNS: detect and block
• DNS sinkholing: identify the source of malicious DNS queries
• Common RAT C2 signatures; DNS spyware signatures

The problem: the DNS server appears to be the infected device
[Diagram] The infected host asks the internal DNS server for malicioussite.com; the internal DNS server forwards the query to the authoritative DNS server and relays the answer, malicioussite.com = 122.45.23.26, back to the host. The malicious query that crosses the perimeter has the internal DNS server as its source, so the security device sees the DNS server, not the infected host, and cannot tell which internal host asked.

DNS "Sinkhole"
• DNS sinkhole option to help pinpoint infected hosts on the network
• Passive DNS request monitoring to identify new malicious websites or command-and-control activity
[Diagram] The infected host asks the internal DNS server for malicioussite.com; instead of the real answer, the host receives a forged DNS response pointing malicioussite.com at the sinkhole IP 10.10.10.10. The host then tries to connect to 10.10.10.10, and that connection carries the real source address, so the infected host can be identified and blocked.

SSL Decryption
• Required on outbound traffic (the device acts as a man-in-the-middle)
• Why: data loss prevention, advanced threats, application sub-control (Facebook, Google, Dropbox / Box)
• Known challenges: performance, cipher support, application (certificate) pinning
• Selective decryption: exclude by category (health care, banking), by application (backups) and by destination
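The two DNS diagrams above describe the mechanism but not what it looks like in the logs, which is where the sinkhole actually pays off. The following is an added example (not code from the deck or any Palo Alto Networks product) that models an infected host, an internal forwarding resolver, and a perimeter device that logs both forwarded DNS queries and connections. It runs the same constructed hosts once without a sinkhole and once with one, and shows why the first run names only the DNS server as a suspect while the second names the infected hosts. The internal resolver address 10.0.0.53, the host addresses, the blocklist and the upstream answers are all constructed; the sinkhole address 10.10.10.10 and malicioussite.com = 122.45.23.26 are taken from the slides.

```python
"""DNS sinkhole: why it turns 'the DNS server is infected' into a list of real hosts.
Added example with constructed data; not production code."""

INTERNAL_DNS = "10.0.0.53"        # constructed: the internal forwarding resolver
SINKHOLE_IP = "10.10.10.10"       # from the slide: an unused internal address
BLOCKLIST = {"malicioussite.com"} # constructed; in practice fed by threat intelligence
UPSTREAM = {                      # constructed authoritative answers
    "malicioussite.com": "122.45.23.26",
    "cdn.malicioussite.com": "122.45.23.26",
    "www.example.net": "192.0.2.10",   # RFC 5737 documentation address
}


def is_blocklisted(name, blocklist=BLOCKLIST):
    """True for a blocklisted domain or any subdomain of one (case-insensitive)."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def internal_resolver(name, perimeter_log, sinkhole):
    """Answer from the sinkhole for known-bad names, otherwise forward upstream.
    A forwarded query crosses the perimeter with the resolver as its source address."""
    if sinkhole and is_blocklisted(name):
        return SINKHOLE_IP                      # forged A record
    perimeter_log.append({"type": "dns", "src": INTERNAL_DNS, "qname": name})
    return UPSTREAM.get(name)


def client(host_ip, name, perimeter_log, traffic_log, sinkhole):
    """An infected host resolves its C2 name and then connects to whatever it got."""
    ip = internal_resolver(name, perimeter_log, sinkhole)
    if ip:
        traffic_log.append({"type": "traffic", "src": host_ip, "dst": ip, "dport": 443})


def run(hosts_and_names, sinkhole):
    perimeter_log, traffic_log = [], []
    for host, name in hosts_and_names:
        client(host, name, perimeter_log, traffic_log, sinkhole)
    return perimeter_log, traffic_log


def suspects_from_dns_log(perimeter_log):
    """What the perimeter can conclude from DNS alone: the source of each bad query."""
    return sorted({e["src"] for e in perimeter_log
                   if e["type"] == "dns" and is_blocklisted(e["qname"])})


def suspects_from_sinkhole(traffic_log):
    """Any host that connects to the sinkhole address asked for a blocklisted name."""
    return sorted({e["src"] for e in traffic_log if e["dst"] == SINKHOLE_IP})


# Constructed activity: two infected hosts and one clean one.
SAMPLE = [
    ("10.1.2.33", "malicioussite.com"),
    ("10.1.2.77", "cdn.malicioussite.com"),
    ("10.1.2.50", "www.example.net"),
]

if __name__ == "__main__":
    p, t = run(SAMPLE, sinkhole=False)
    print("without sinkhole, suspects from DNS log:", suspects_from_dns_log(p))
    p, t = run(SAMPLE, sinkhole=True)
    print("with sinkhole, suspects from traffic log:", suspects_from_sinkhole(t))
```

Without the sinkhole the only source address attached to a malicious query at the perimeter is 10.0.0.53, the resolver; with it, the resolver never forwards the bad query at all, and the infected hosts identify themselves by connecting to 10.10.10.10. Two operational caveats follow from the model: the sinkhole address must be one nothing legitimate uses, and connections to it must be logged (and ideally blocked) by a device that sees the true client source; and a host that is configured to use an external resolver directly bypasses the internal resolver and is not sinkholed, which is one reason the deck pairs this with blocking unneeded outbound traffic.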
Data Loss Prevention
• DLP monitors all stages of data: at rest, in use, and in motion
• 90% of a DLP solution is remediation
• Make it visible (educate)
• Finding sensitive content is easy; data ownership is the challenge
• Data classification: keep it simple (Public, Internal, Confidential); often highly political; need stakeholders to support it
• "Zero Trust", SaaS & mobile, reduce the attack surface
• Encryption at rest & in motion; automation / watermarking; authentication

Threat Prevention Best Practices – Create Protections
1. Reduce the attack surface
   • Whitelist applications or block high-risk apps
   • Block known bad IPs and regions
   • Block dangerous file types
   • Visibility into encrypted traffic – SSL Decryption
   • Block dangerous websites – URL Filtering
   • Network segmentation
2. Prevent known threats
   • Block known vulnerabilities, malware & exploits with Threat Prevention
   • Prevent C&C traffic (anti-spyware)
   • Prevent DNS C&C traffic (anti-spyware)
   • Discover infected systems – Botnet Report
3. Detect/prevent unknown threats
   • Prevent 0-day malware with Dynamic Sandboxing
   • Prevent 0-day exploits with Advanced Endpoint Protection
   • Block unknown traffic (TCP/UDP)
   • Pinpoint infected users with User-ID
   • Detect data exfiltration

Preventing Attacks at Every Stage of the Kill-Chain
1. Breach the perimeter
   • Next-Generation Firewall / VPN: visibility into all traffic, including SSL; enable business-critical applications; block high-risk applications; block commonly exploited file types
   • Threat Prevention: block known exploits, malware and inbound command-and-control communications
   • URL Filtering: prevent use of social engineering; block known malicious URLs and IP addresses
   • Dynamic Sandboxing: send specific incoming files and email links from the Internet to a public or private cloud for inspection; detect unknown threats; automatically deliver protections globally
2. Deliver the malware
   • Next-Generation Endpoint / Dynamic Sandboxing: block known and unknown vulnerability exploits; block known and unknown malware; provide detailed forensics on attacks
3. Lateral movement
   • Next-Generation Firewall / VPN: establish secure zones with strictly enforced access control; provide ongoing monitoring and inspection of all traffic between zones
   • Dynamic Sandboxing: detect unknown threats pervasively throughout the network
4. Exfiltrate data
   • Threat Prevention: block outbound command-and-control communications; block file and data pattern uploads; DNS monitoring and sinkholing
   • URL Filtering: block outbound communication to known malicious URLs and IP addresses

Systematically Reduce the Scope of Your Security Challenge
0. Full visibility
1. Limit traffic to legitimate apps and sources
2. Eliminate known threats
3. Eliminate unknown threats

Next Steps
• Safely enable applications: gap analysis; start with TAP/SPAN; migrate to an enterprise platform; inspect East–West traffic
• Education: employees; Red Team / Blue Team; the cyber attack chain
• Automation, integration, prevention
• Risk assessments: free Security Lifecycle Review from Palo Alto Networks; paid 3rd-party assessments and penetration testing

Next-Generation Security Platform
• Threat Intelligence Cloud
• Next-Generation Firewall
• Advanced Endpoint Protection
• Automated, natively integrated, extensible

Q & A – Open Discussion – Comments
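The Data Loss Prevention slide says finding sensitive content is the easy part, and the exfiltration stage of the kill-chain lists "block file and data pattern uploads". What that looks like in practice is a content check applied to a (decrypted) upload body, keyed to the simple Public / Internal / Confidential classification the slide recommends, with a validity check so that every 16-digit number does not become a false positive to remediate. The following is an added example, not code from the deck or any Palo Alto Networks product: it scans constructed HTTP POST bodies for payment card numbers (validated with the Luhn check digit), US social security numbers, and a classification label, and returns a block / alert / allow decision that also depends on whether the destination application is sanctioned. The sample bodies, the sanctioned-application list and the decision policy are assumptions.

```python
"""Data-pattern checks on upload bodies with classification labels (added example)."""
import re

# 16 digits with optional single space/dash separators, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
LABEL_RE = re.compile(r"classification:\s*(public|internal|confidential)", re.IGNORECASE)

SANCTIONED_APPS = {"corp-sharepoint"}   # constructed: where Internal data may legitimately go


def luhn_ok(digits):
    """Luhn check digit test; a random 16-digit number passes only 1 time in 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(body):
    """Return (classification label or None, list of (kind, masked_value))."""
    findings = []
    for m in PAN_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):       # drop order numbers and other digit runs that are not cards
            findings.append(("pan", digits[:6] + "******" + digits[-4:]))
    for m in SSN_RE.finditer(body):
        findings.append(("ssn", "***-**-" + m.group()[-4:]))
    lm = LABEL_RE.search(body)
    label = lm.group(1).lower() if lm else None
    return label, findings


def decide(body, dst_app, sanctioned=SANCTIONED_APPS):
    """Constructed policy: card data and Confidential never leave; Internal only to
    sanctioned apps; SSNs are alerted for review (remediation is the expensive part)."""
    label, findings = scan(body)
    kinds = {k for k, _ in findings}
    if "pan" in kinds or label == "confidential":
        return "block"
    if label == "internal" and dst_app not in sanctioned:
        return "block"
    if "ssn" in kinds:
        return "alert"
    return "allow"


# Constructed upload bodies, as seen after SSL decryption.
SAMPLE_UPLOADS = [
    ("order_id=9823&card=4111 1111 1111 1111&exp=0919", "dropbox"),           # real card pattern
    ("ticket=4111111111111112 reference for support", "dropbox"),             # 16 digits, fails Luhn
    ("Classification: Internal\nQ3 roadmap draft", "dropbox"),                # internal to unsanctioned
    ("Classification: Internal\nQ3 roadmap draft", "corp-sharepoint"),        # internal to sanctioned
    ("Employee record, SSN 123-45-6789, start date 2015-04-01", "gmail"),     # SSN, needs review
    ("Classification: Public\nPress release text", "dropbox"),                # public
]


def review(uploads=SAMPLE_UPLOADS):
    """Run the policy over every upload and return the decisions in order."""
    return [decide(body, app) for body, app in uploads]


if __name__ == "__main__":
    for (body, app), action in zip(SAMPLE_UPLOADS, review()):
        label, findings = scan(body)
        print(f"{action:<5} -> {app:<15} label={label} findings={findings}")
```

The Luhn check is the detail worth copying: the second sample is a 16-digit ticket number that matches the card regex but fails the check digit, so it never reaches the remediation queue. Masking in the findings (first six and last four digits only) matters too, because the DLP alert itself is otherwise another copy of the sensitive data.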