
Breaking the Lifecycle of the Modern Threat

Santiago Polo

Sr. Systems Engineer

Palo Alto Networks, Inc.


About Palo Alto Networks

  • Palo Alto Networks is the Network Security Company

  • World-class team with strong security and networking experience

    • Founded in 2005, first customer July 2007

    • Top-tier investors

  • Builds next-generation firewalls that identify / control 1400+ applications

    • Restores the firewall as the core of the enterprise network security infrastructure

    • Innovations: App-ID™, User-ID™, Content-ID™

  • Global footprint: 6,000+ customers in 70+ countries, 24/7 support


What Has Changed / What is the Same

The Sky is Not Falling

  • Not new, just more common

  • Solutions exist

  • Don’t fall into “the APT ate my homework” trap

The attacker changed

  • Nation-states

  • Criminal organizations

  • Political groups

Attack strategy evolved

  • Patient, multi-step process

  • Compromise user, then expand

Attack techniques evolved

  • New ways of delivering malware

  • Hiding malware communications

  • Signature avoidance


Strategy: Patient Multi-Step Intrusions

Diagram: organized attackers working against the enterprise through a chain of stages:

  • Infection

  • Command and Control

  • Escalation

  • Exfiltration


Challenges to Traditional Security

  • Threats coordinate multiple techniques, while security is segmented into silos

    • Exploits, malware, spyware, obfuscation all part of a patient, multi-step intrusion

  • Threats take advantage of security blind spots to keep from being seen

    • Patient attacks must repeatedly cross the perimeter without being detected

  • Targeted and custom malware can bypass traditional signatures

    • The leading edge of an attack is increasingly malware that has never been seen before.


Regaining Control Over Modern Threats

Diagram: the mix of threats to regain control over:

  • Fast Flux

  • Vulnerabilities

  • Denial of Service

  • SQL Injection

  • Dangerous URLs

  • Malware Sites

  • Malware

  • Botnets

  • Key Loggers

  • Cross-Site Scripting

© 2011 Palo Alto Networks. Proprietary and Confidential.


Visibility

  • Visibility is Fundamental

    • You can’t stop what you can’t see

    • Virtually all threats other than DoS depend on avoiding security

  • Full Stack Inspection of All Traffic

    • All traffic, on all ports, all the time

    • Progressive decoding of traffic to find hidden, tunneled streams

    • Contextual decryption of SSL

  • Control the Applications That Hide Traffic

    • Limit traffic to approved proxies, remote desktop applications

    • Block bad applications like encrypted tunnels, circumventors


Control the Methods Threats Use to Hide

If you can’t see it, you can’t stop it

  • Encrypted Traffic

    • SSL is the new standard

  • Proxies

    • Reverse proxies are hacker favorites

  • Remote Desktop

    • Increasingly standard

  • Compressed Content

    • ZIP files, compressed HTTP

  • Encrypted Tunnels

    • Hamachi, Ultrasurf, Tor

    • Purpose-built to avoid security

Diagram: outbound C&C traffic hidden behind circumventors and tunnels, encryption (e.g. SSL), proxies (e.g. CGIProxy) and compression (e.g. GZIP)



Block the Applications That Hide Traffic

Block Unneeded and High-Risk Applications

  • Block (or limit) peer-to-peer applications

  • Block unneeded applications that can tunnel other applications

  • Review the need for applications known to be used by malware

  • Block anonymizers such as Tor

  • Block encrypted tunnel applications such as UltraSurf

  • Limit use to approved proxies

  • Limit use of remote desktop
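The port-independent classification behind "all traffic, on all ports, all the time" and the hiding-traffic policy above, as an added example that is not part of the original deck and not Palo Alto Networks code. It parses the SNI out of a constructed TLS ClientHello, recognizes SSH and HTTP from their first bytes, and applies an assumed policy (approved SSH host 10.0.0.5, expected-port table) to constructed flows:

```python
"""Port-independent application identification with a small hiding-traffic policy.

Added example, not Palo Alto Networks code: a toy of the App-ID idea on the
"Visibility" and "Block the Applications That Hide Traffic" slides. A flow is
classified from its first payload bytes rather than its TCP port, so SSH on 443
or TLS on 53 is still seen as SSH or TLS, and a policy then blocks or alerts on
traffic that is hiding. All flows and payloads below are constructed samples;
the approved-host set and expected-port table are assumptions for the demo.
"""
import re
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")
EXPECTED_PORTS = {"http": {80, 8080}, "ssl": {443, 8443}, "ssh": {22}}   # assumed
APPROVED_SSH_HOSTS = {"10.0.0.5"}   # assumed jump host; SSH anywhere else is a tunnel candidate


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello carrying a server_name (SNI) extension; constructed sample."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type host_name, length, name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry        # server_name_list
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list           # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32                              # client_version, random
            + b"\x00"                                               # empty session_id
            + b"\x00\x02\x00\x2f"                                   # one cipher suite
            + b"\x01\x00"                                           # null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def tls_client_hello_sni(payload: bytes):
    """Return the SNI of a TLS ClientHello, "" if it carries none, None if this is not a ClientHello."""
    if len(payload) < 44 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    try:
        p = 43                                                  # record(5) + handshake(4) + version(2) + random(32)
        p += 1 + payload[p]                                     # session_id
        p += 2 + struct.unpack("!H", payload[p:p + 2])[0]       # cipher_suites
        p += 1 + payload[p]                                     # compression_methods
        if p + 2 > len(payload):
            return ""                                           # no extensions block
        end = p + 2 + struct.unpack("!H", payload[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", payload[p:p + 4])
            p += 4
            if etype == 0:                                      # list_len(2), name_type(1), name_len(2), name
                name_len = struct.unpack("!H", payload[p + 3:p + 5])[0]
                return payload[p + 5:p + 5 + name_len].decode("ascii", "replace")
            p += elen
    except (IndexError, struct.error):
        return None                                             # truncated or malformed record
    return ""


def identify_app(payload: bytes):
    """Classify a flow from its first payload bytes, ignoring the port; returns (app, detail)."""
    if payload.startswith(b"SSH-"):
        return "ssh", payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    sni = tls_client_hello_sni(payload)
    if sni is not None:
        return "ssl", sni
    if payload.startswith(HTTP_METHODS):
        host = re.search(rb"\r\nHost: ([^\r\n]+)", payload)
        return "http", (host.group(1).decode("ascii", "replace") if host else "")
    return "unknown", ""


def evaluate_flow(dst_ip: str, dst_port: int, payload: bytes):
    """Apply the hiding-traffic policy; returns (app, detail, action)."""
    app, detail = identify_app(payload)
    if app == "unknown":
        return app, detail, "alert: unknown traffic, inspect further"
    if app == "ssh" and dst_ip not in APPROVED_SSH_HOSTS:
        return app, detail, "block: ssh tunnel candidate to unapproved host"
    if dst_port not in EXPECTED_PORTS[app]:
        return app, detail, f"alert: {app} hiding on port {dst_port}"
    if app == "ssl" and detail == "":
        return app, detail, "alert: TLS without SNI, candidate for decryption"
    return app, detail, "allow"


# Constructed flows: (dst_ip, dst_port, first payload bytes)
SAMPLE_FLOWS = [
    ("10.0.0.5", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),
    ("203.0.113.7", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),                 # SSH dressed up as HTTPS
    ("203.0.113.9", 443, build_client_hello("update.example.net")),
    ("198.51.100.2", 53, build_client_hello("c2.example.org")),        # TLS hiding on the DNS port
    ("198.51.100.3", 80, b"GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n"),
    ("198.51.100.4", 8000, b"\x17\x03\x03\x00\x20" + b"\xaa" * 32),    # not a ClientHello: unknown
]


def run_policy(flows=SAMPLE_FLOWS):
    return [(ip, port) + evaluate_flow(ip, port, payload) for ip, port, payload in flows]


if __name__ == "__main__":
    for row in run_policy():
        print(row)
```

A real decoder goes much further (progressive decoding of tunneled streams, decrypting SSL), but the point carries: the port says nothing, the payload does, and an "unknown" verdict is itself a finding worth an alert rather than a default allow.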


Control Known Threats

  • Brute Force

  • Code-Execution

  • Denial of Service

  • Data Leakage

  • Overflows

  • Scanning

  • SQL Injection

  • Botnets

  • Browser Hijacks

  • Adware

  • Backdoors

  • Keyloggers

  • Net-Worms

  • Peer-to-Peer

  • Modern attacks are patient and use multiple techniques

    • Threats are more than exploits

    • Malware

    • Dangerous URLs

    • Spyware

    • Command and Control Traffic

    • Circumvention Techniques

  • Context is Key

    • Clear visibility into all URLs, users, applications and files connected to a particular threat


“Okay, but what about unknown and targeted malware?”



The Malware Window of Opportunity

Diagram: total time exposed, broken into the stages between a new sample appearing and users being protected:

  • Time required to capture the first sample of the malware in the wild

  • Time required to create and verify a malware signature

  • Time before antivirus definitions are updated

  • Days and weeks until users are protected by traditional signatures


Attackers Target the Window of Opportunity

  • Targeted Attacks

  • Malware Construction Kits

  • Refreshed Malware



Controlling Unknown Malware Using the Next-Generation Firewall

  • Introducing WildFire

    • New feature of the Palo Alto Networks NGFW

    • Captures unknown inbound files and analyzes them for 70+ malicious behaviors

    • Analysis performed in a cloud-based, virtual sandbox

  • Automatically generates signatures for identified malware

    • Infecting files and command-and-control

    • Distributes signatures to all firewalls via regular threat updates

  • Provides forensics and insight into malware behavior

    • Actions on the target machine

    • Applications, users and URLs involved with the malware



Case Study - Password Stealing Botnets



Malware Analysis

(Three screenshot slides of the analysis; no text survives in the transcript.)

Case Study - Enterprise Phishing

Diagram: lure file names observed in phishing mail, all delivering malware:

  • DHL-international-shipping-ID

  • DHL-international-shipping-notification

  • DHL-Express-Notification-JAN

  • United-Parcel-Service-Invoice

  • USPS-Failed-Delivery_Notification

  • US-CERT Operations Center Report

  • USPS Report

Shipping and Security are common topics for enterprise phishing

  • Fake DHL, USPS, UPS and FedEx delivery messages

  • Fake CERT notifications

Ongoing Phishing Operations

  • Large volumes of malware – commonly in the top 3 of daily unknown malware seen in enterprises

  • Correlate new malware talking back to the same malware servers

  • Refreshed daily to avoid traditional AV signatures
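The correlation in "correlate new malware talking back to the same malware servers", as an added example that is not Palo Alto Networks code, run over constructed sandbox records: samples whose hashes change daily are linked when they share a C2 host or a lure-name template, and the shared C2 host becomes the indicator that covers the whole operation. Hashes are obvious placeholders and hosts are documentation names.

```python
"""Clustering refreshed phishing malware by shared command-and-control infrastructure.

Added example, not Palo Alto Networks code: the correlation described on the
"Enterprise Phishing" slide. Daily rebuilt samples carry new hashes, so a hash
signature covers one file, but samples that call back to the same server, or
reuse the same lure template, belong to one operation, and the server is the
indicator that covers all of them. The sandbox records below are constructed;
the hashes are obvious placeholders and the hosts are documentation names.
"""
import re
from collections import defaultdict


def lure_template(filename: str) -> str:
    """Normalize a lure name so daily variants collapse: strip extension, lowercase, digits to '#', one separator."""
    stem = filename.rsplit(".", 1)[0]
    return re.sub(r"[-_ ]+", "-", re.sub(r"\d+", "#", stem.lower()))


class UnionFind:
    """Minimal disjoint-set forest keyed by sample hash."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def cluster_campaigns(records):
    """Link samples that share a C2 host or a lure template; returns clusters, largest first."""
    uf = UnionFind()
    by_pivot = defaultdict(list)
    for r in records:
        uf.find(r["sha256"])
        by_pivot[("c2", r["c2_host"])].append(r["sha256"])
        by_pivot[("lure", lure_template(r["lure"]))].append(r["sha256"])
    for members in by_pivot.values():
        for h in members[1:]:
            uf.union(members[0], h)
    groups = defaultdict(list)
    for r in records:
        groups[uf.find(r["sha256"])].append(r)
    clusters = [{
        "samples": sorted(m["sha256"] for m in members),
        "c2_hosts": sorted({m["c2_host"] for m in members}),   # the indicators that outlive the hashes
        "lures": sorted({m["lure"] for m in members}),
        "first_seen": min(m["day"] for m in members),
        "last_seen": max(m["day"] for m in members),
    } for members in groups.values()]
    return sorted(clusters, key=lambda c: (-len(c["samples"]), c["first_seen"]))


# Constructed sandbox records, one per unique unknown file seen at the perimeter
RECORDS = [
    {"sha256": "a1f3" * 16, "lure": "DHL-international-shipping-ID_20110110.exe", "c2_host": "c2-a.example.net", "day": "2011-01-10"},
    {"sha256": "b7c9" * 16, "lure": "DHL-international-shipping-ID_20110111.exe", "c2_host": "c2-a.example.net", "day": "2011-01-11"},
    {"sha256": "c0d4" * 16, "lure": "United-Parcel-Service-Invoice_20110112.exe", "c2_host": "c2-a.example.net", "day": "2011-01-12"},
    {"sha256": "d8e2" * 16, "lure": "United-Parcel-Service-Invoice_20110113.exe", "c2_host": "c2-d.example.net", "day": "2011-01-13"},
    {"sha256": "e5a7" * 16, "lure": "USPS-Failed-Delivery_Notification.exe", "c2_host": "c2-b.example.net", "day": "2011-01-12"},
    {"sha256": "f6b8" * 16, "lure": "US-CERT Operations Center Report.exe", "c2_host": "c2-b.example.net", "day": "2011-01-13"},
    {"sha256": "0912" * 16, "lure": "Quarterly-Results.xls.exe", "c2_host": "c2-c.example.net", "day": "2011-01-13"},
]

if __name__ == "__main__":
    for c in cluster_campaigns(RECORDS):
        print(len(c["samples"]), "samples", c["c2_hosts"], c["first_seen"], "to", c["last_seen"])
```

The fourth record shows why two pivots matter: it uses a new C2 host, so a C2-only view would miss it, but its lure template ties it to the third sample, which the C2 host ties to the first two. Blocking the cluster's C2 hosts at the perimeter then covers tomorrow's rebuilt binary as well.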


Trusted Sources

CNET/Download.com

  • Strong reputation for providing safe downloads of shareware and freeware that are verified to be malware free.

  • In early December 2011 WildFire began identifying files from Download.com as containing spyware.

  • CNET had begun providing software downloads in a wrapper that installed subtle spyware designed to track shopping habits

  • Changed a variety of client and browser security settings

    • Changed proxy settings

    • Changed Internet Explorer settings

    • Installed a service to leak advertising and shopping data over HTTP POSTs
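A behavior-based verdict of the kind the "Controlling Unknown Malware" slide describes (judge an unknown file by what it does in a sandbox rather than by a hash signature), applied to an event log constructed to mirror the Download.com wrapper behaviors listed above. This is an added example, not WildFire or any Palo Alto Networks code; the rule weights, the verdict threshold, the registry key list and the publisher allow-list are assumptions for the demo.

```python
"""Behavioral verdict for an unknown file from sandbox events.

Added example, not WildFire or any Palo Alto Networks code: a toy of the idea on
the "Controlling Unknown Malware" slide, applied to the Download.com wrapper case
from the "Trusted Sources" slide. The two event logs are constructed to mirror
the behaviors listed on the slides; rule weights, the threshold, the registry
key list and the publisher allow-list are assumptions.
"""
from collections import Counter

# Registry paths whose modification counts as a security-setting change (assumed rule list)
SECURITY_KEYS = (
    r"\Internet Settings\ProxyEnable",
    r"\Internet Settings\ProxyServer",
    r"\Internet Explorer\Main\Start Page",
)
KNOWN_PUBLISHER_HOSTS = {"download.cnet.example"}   # assumed allow-list for the publisher's own traffic


def rule_hits(event):
    """Map one sandbox event to zero or more (behavior, weight) pairs."""
    hits = []
    t = event["type"]
    if t == "registry_set" and any(k in event["key"] for k in SECURITY_KEYS):
        if "Proxy" in event["key"]:
            hits.append(("changes proxy settings", 3))
        else:
            hits.append(("changes Internet Explorer settings", 2))
    elif t == "service_create":
        hits.append(("installs a persistent service", 2))
    elif t == "http_request" and event["method"] == "POST" and event["host"] not in KNOWN_PUBLISHER_HOSTS:
        hits.append(("posts data to an unknown host", 2))
        if event["bytes"] > 1024:
            hits.append(("leaks large POST bodies", 1))
    elif t == "file_write" and event["path"].lower().endswith(".exe") and "\\temp\\" in event["path"].lower():
        hits.append(("drops an executable in a temp directory", 1))
    return hits


def analyze(events, threshold=5):
    """Score one sandbox run; returns verdict, score, the distinct behaviors seen and the hosts contacted."""
    behaviors = {}
    for ev in events:
        for name, weight in rule_hits(ev):
            behaviors[name] = weight            # a behavior counts once, however often it repeats
    hosts = Counter(ev["host"] for ev in events if ev["type"] == "http_request")
    score = sum(behaviors.values())
    return {
        "verdict": "malicious" if score >= threshold else "benign",
        "score": score,
        "behaviors": sorted(behaviors),
        "hosts": dict(hosts),                   # the URLs/hosts involved, for the forensics view
    }


# Constructed run 1: an installer wrapper that tracks the user, as described on the slide
WRAPPED_INSTALLER = [
    {"type": "file_write", "path": r"C:\Program Files\Tool\tool.exe"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable", "value": "1"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer", "value": "127.0.0.1:8080"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Internet Explorer\Main\Start Page", "value": "http://search.example"},
    {"type": "service_create", "name": "ShopHelperSvc"},
    {"type": "http_request", "method": "POST", "host": "track.example", "bytes": 2048},
    {"type": "http_request", "method": "POST", "host": "track.example", "bytes": 1900},
]

# Constructed run 2: the same freeware installed without the wrapper
CLEAN_INSTALLER = [
    {"type": "file_write", "path": r"C:\Program Files\Tool\tool.exe"},
    {"type": "registry_set", "key": r"HKLM\Software\Tool\InstallDir", "value": r"C:\Program Files\Tool"},
    {"type": "http_request", "method": "GET", "host": "download.cnet.example", "bytes": 300},
]

if __name__ == "__main__":
    for name, run in (("wrapped", WRAPPED_INSTALLER), ("clean", CLEAN_INSTALLER)):
        print(name, analyze(run))
```

The reputation of the download source never enters the verdict; only the observed behavior does, which is exactly why the wrapped installer from a trusted site still scores as malicious while the unwrapped one does not.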


An Integrated Approach to Threat Prevention

Four layers of control, read left to right on the slide under the arrow labelled "Decreasing Risk":

Applications

  • All traffic, all ports, all the time

  • Application signatures

  • Heuristics

  • Decryption

  • Outcome: reduce the attack surface; remove the ability to hide

Exploits & Malware

  • Block threats on all ports

  • NSS Labs Recommended IPS

  • Millions of malware samples

  • Outcome: prevents known threats (exploits, malware, C&C traffic)

Dangerous URLs

  • Malware hosting URLs

  • Newly registered domains

  • SSL decryption of high-risk sites

  • Outcome: block known sources of threats; be wary of unclassified and new domains

Unknown & Targeted Threats

  • WildFire control of unknown and targeted malware

  • Unknown traffic analysis

  • Anomalous network behaviors

  • Outcome: pinpoints live infections and targeted attacks



Roundtable Discussion

