Transcript Document
A Practical Approach to Advanced Threat Detection and Prevention
Agenda
The Palo Alto Networks approach to threat prevention
Zero-day exploit detection with WildFire and PAN-OS 6.0
The rise of mobile malware and attacks on virtualized infrastructure
WildFire Appliance (WF-500) sizing and deployment
3rd party integration with WildFire
Passive DNS and DNS sinkholing
Advanced threat requires a solution, not point products
Three steps: (1) reduce the attack surface, (2) detect the unknown, (3) create protections.
Protections:
• Whitelist applications or block high-risk apps
• Block known viruses, exploits
• Block commonly exploited file types (EXE, Java, .LNK, DLL)
• Analysis of all application traffic
• Detection and blocking of C&C via:
  - Bad domains in DNS traffic
  - SSL decryption
  - URLs (PAN-DB)
  - WildFire sandboxing of exploitive files
  - C&C signatures (anti-spyware)
Diagram: attack lifecycle from a successful spearphishing email to client exploit (HTTP, SSL), command/control (DNS, URL / C&C) and post-compromise activity, with the protections (known viruses and exploits, high-risk applications, EXE/Java/.LNK/DLL file blocking, failed attempts) shown against each stage.
Using application control against advanced threats
Example 1: Self-updating malware
Repeated pattern of DNS, HTTP, and unknown traffic
The unknown proved to be the most important traffic
A closer look at the unknown session…
Unknown traffic is frequently caused by malware using custom encryption, proprietary protocols or file transfers over raw sockets.
Example 2: Data exfiltration over DNS
Unknown traffic traversing the DNS port
HTTP using registered/ephemeral ports
Well, Wireshark thinks it’s DNS, so…
It is essential to control by application, rather than by port.
Other examples of DNS tunneling: tcp-over-dns, dns2tcp, Iodine, Heyoka, OzymanDNS, NSTX
These take advantage of recursive queries to pass encapsulated TCP messages to/from a remote DNS server.
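The two points above (HTTP riding on the DNS port, and tunnels that are valid DNS but carry encapsulated data) are what "control by application, not by port" has to catch. The following is an added example, not code from the slides or from Palo Alto Networks: it classifies a payload seen on port 53 by first checking whether it parses as a DNS query at all, and then, for real DNS, looking at the query name for tunnel traits (long names and labels, high-entropy subdomains, TXT/NULL record types). The thresholds, the build_query helper and the sample payloads are assumptions constructed for this example.

```python
import math
import struct
from collections import Counter

# Thresholds are assumptions for this example, not product settings.
MAX_NAME_LEN = 60        # ordinary hostnames are short; tunnel payloads are not
MAX_LABEL_LEN = 40       # a single label near the 63-byte limit is suspicious
MIN_ENTROPY = 3.5        # bits/char of the subdomain part; base32/hex payload scores high
TUNNEL_TYPES = {10: "NULL", 16: "TXT"}   # record types favoured by DNS tunnelling tools


def build_query(name, qtype, txid=0x1234):
    """Build a minimal standard DNS query (one question, class IN) as sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_query_name(payload):
    """Return (qname, qtype) for a single-question DNS query, or None when the
    bytes are not a well-formed DNS message (the 'unknown traffic' case)."""
    if len(payload) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount != 1:          # QR must be 0 (query), one question
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(payload):   # label limit / truncated
            return None
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):                  # QTYPE and QCLASS must follow
        return None
    qtype = struct.unpack("!H", payload[pos:pos + 2])[0]
    return ".".join(labels), qtype


def shannon_entropy(text):
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0


def classify(payload):
    """Return a list of findings for one payload captured on the DNS port."""
    parsed = parse_query_name(payload)
    if parsed is None:
        return ["not-dns: non-DNS payload on the DNS port (treat as unknown traffic)"]
    qname, qtype = parsed
    labels = qname.split(".")
    subdomain = "".join(labels[:-2])            # everything left of the registered domain
    findings = []
    if len(qname) > MAX_NAME_LEN:
        findings.append(f"long-name: {len(qname)} chars")
    if max(len(label) for label in labels) > MAX_LABEL_LEN:
        findings.append("long-label: label near the 63-byte limit")
    if len(subdomain) >= 16 and shannon_entropy(subdomain) > MIN_ENTROPY:
        findings.append(f"high-entropy-subdomain: {shannon_entropy(subdomain):.2f} bits/char")
    if qtype in TUNNEL_TYPES:
        findings.append(f"tunnel-type: {TUNNEL_TYPES[qtype]} query")
    return findings


# Constructed sample payloads (not captured traffic).
BENIGN = build_query("www.example.com", 1)
TUNNEL = build_query("4kz9q2mvb7x1pl3n.8ay0ce5dj6fhgtuw.example.com", 16)
NOT_DNS = b"GET /update HTTP/1.1\r\nHost: 203.0.113.5\r\n\r\n"

if __name__ == "__main__":
    for name, payload in (("benign", BENIGN), ("tunnel", TUNNEL), ("http-on-53", NOT_DNS)):
        print(name, classify(payload) or ["clean"])
```

The parser deliberately refuses anything that is not a well-formed query rather than guessing, because the slide's point is that a port number proves nothing: the HTTP request above would be labelled "DNS" by a port-based rule, while this check reports it as non-DNS and leaves the real tunnel query for the name heuristics.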
What’s new in WildFire™
Support for additional file types and zero-day exploit detection: 0-day Windows malware, 0-day exploits, 0-day Android malware
Support for multi-OS analysis
Reporting improvements
• PAN-OS embedded reports
• Report incorrect verdict
• Manual malware submission (WF-500)
• Static analysis, mutexes, services, registry key values, etc.
WildFire Subscription in PAN-OS 6.0
WildFire:
• WildFire analysis of PE files
• Daily signature feed (TP subscription required)
• WildFire logs integrated within PAN-OS
WildFire Subscription:
• WildFire analysis of all other file types (PDF, Office, APK*, Java)
• 30-min signature feed
• WildFire API* key
• Use of WF-500
*APK analysis and WildFire API not yet available on WF-500
Malware discovered by WildFire per week
File type   Malware/wk
EXE/DLL     221,000
APK         300
Office      110
Java        50
PDF         50
PDF/Office/Java are lower in numbers compared to EXE, but when they hit, it is bad news!
• EXE extremely high in count due to lower barrier to entry and ease of use of packers
• PDF/Office commonly used in targeted spear-phishing emails
• Java commonly used in drive-by download exploits
The emerging mobile malware landscape
The mobile malware problem
Soft target
• Many vulnerabilities on older versions of Android (“Beware of employees’ cheap Android phones”, NW 2/21/14)
• “Users are 3 times more likely to succumb to phishing attacks on their phones than desktop computers” (Aberdeen Group), and “90% of respondents would not open a suspicious file on a PC, whereas only 60% of tablet and 56% of smartphone users would exercise the same caution” (Symantec study)
Powerful platform
• Data on handset at risk, but so is the rest of the corporate network
• Mobile devices are PCs on the network – any attack launched from a compromised PC can theoretically be launched from an Android
Mobile malware in use by APT
First known use of APK attachments in APT spear-phishing emails from Chinese actor groups
Email sent March 24th 2013 to Uyghur activists
Click the app and… this is what you see… while this is stolen:
• Contacts (stored both on the phone and the SIM card)
• Call logs
• SMS messages
• Geo-location
• Phone data (phone number, OS version, phone model, SDK version)
Diagram: the stolen data goes to the attacker’s C2 server, which is operated through a web-based C2 control panel and remote desktop.
Why focus on APK?
Nearly 100% of all new mobile malware targets Android
Contributing factors:
• Large global market share
• Slow rate of OS updates on existing platforms
• Very easy to run arbitrary software on Android (no jailbreak required)
• Many Android app stores with little-to-no quality control
Source: forbes.com (3/24/2014)
Current popular mobile malware techniques
Coaxing the download
• Mobile malware attached to spear-phishing emails to lure an installation
• Masquerading as popular apps (sometimes as “free” versions of non-free software)
Abusing user ignorance
• Mobile malware asks for many permissions, knowing the user will quickly click through (similar to the SSL click-through problem)
• Mobile malware asks for the ability to install additional applications, which is equivalent to giving near-total permission to the malware
Causing mayhem
• Data theft (contacts, email, data)
• Espionage (audio/video recording, location)
• Financial fraud (banking credential theft, SMS scams)
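The permission-abuse point above is something an analyst can check directly in an APK's manifest before any sandboxing: which permissions the app asks for, whether they line up with the "mayhem" categories listed (data theft, espionage, financial fraud), and whether the app wants to install further packages. The following is an added example, not code from the slides or from Palo Alto Networks. It assumes the binary AndroidManifest.xml has already been decoded to plain XML (tools such as apktool do this); the grouping of permissions into categories and the sample manifests are assumptions constructed for this example, although the permission names themselves are real Android permissions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping of real Android permissions onto the slide's categories.
RISK_GROUPS = {
    "data-theft": {
        "android.permission.READ_CONTACTS", "android.permission.READ_SMS",
        "android.permission.RECEIVE_SMS", "android.permission.READ_CALL_LOG",
        "android.permission.READ_PHONE_STATE",
    },
    "espionage": {
        "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
        "android.permission.ACCESS_FINE_LOCATION",
    },
    "financial-fraud": {"android.permission.SEND_SMS"},
    "install-others": {
        "android.permission.INSTALL_PACKAGES",
        "android.permission.REQUEST_INSTALL_PACKAGES",
    },
}
NETWORK = "android.permission.INTERNET"

# Constructed sample manifests (decoded form), not real apps.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="Flashlight"/>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes"/>
</manifest>"""


def requested_permissions(root):
    """Set of permission names declared in <uses-permission android:name=.../>."""
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def triage(manifest_xml):
    """Summarise which risk categories an app's permission set touches."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(root)
    groups = {name: sorted(perms & members)
              for name, members in RISK_GROUPS.items() if perms & members}
    flags = []
    if "install-others" in groups:
        flags.append("can install additional packages (near-total control)")
    if NETWORK in perms and set(groups) & {"data-theft", "espionage"}:
        flags.append("sensitive data access combined with network access")
    return {
        "package": root.get("package"),
        "risky_permissions": sum(len(v) for v in groups.values()),
        "groups": groups,
        "flags": flags,
    }


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage(manifest))
```

A flashlight app that reads contacts and SMS, records audio, tracks location and wants to install other packages is exactly the "many permissions plus install rights" pattern the slide describes; the triage output makes that mismatch visible without running the sample.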
Detect mobile malware on the network and the endpoint
Palo Alto Networks solution offers three opportunities to detect mobile malware:
• Antivirus APK signatures detect the download of known Android malware over the network
• WildFire detects the download of unknown Android malware over the network
• GlobalProtect MSM detects presence of known malware already on the device
Diagram: Content (antivirus) on the firewall detects download of known malware; unknown APKs are uploaded to WildFire™, which detects download of unknown malware; GlobalProtect Gateway and GlobalProtect MSM detect presence of known malware on the endpoint.
WildFire Appliance (WF-500)
• Enables a private cloud deployment of WildFire
• Preferred choice for sensitive networks where files cannot leave the local network for dynamic analysis
• Architecturally equivalent to public cloud deployment
Diagram: APT add-on approach (separate web sandbox, email sandbox and file share sandbox, plus manual analysis and a central manager) versus the WildFire approach (a single WildFire™ cloud or appliance).
WF-500 Sizing
WildFire Appliance (WF-500) is sized to meet analysis demands of large networks:
• Firewalls analyze millions of sessions (ingress traffic: millions of sessions, all sessions carrying file transfers)
• Known malware blocked; unknown files sent to WildFire
• WF-500 statically prescreens most files
• Remainder of files are dynamically analyzed (hundreds require dynamic analysis)
Tip for accurate sizing prediction: use the file blocking profile
• All executables, Java, and APK files are sandboxed
• PDF and Office documents are “prescreened” using static analysis
• About 10-20% make it to dynamic analysis
Threats facing virtualized environments
New Passive DNS Monitoring
• Passive DNS sensors collect non-recursive DNS queries performed by local DNS
• Anonymous (no client IPs)
• Low data rate (usually up to 1 MB per minute at most)
• Builds large database of domain resolution history, including all resource record types (A, AAAA, MX, NS, TXT, etc.)
Malicious domains can be “predicted” based on a variety of signals:
• NX→A or A→NX transitions (a name that moves from NXDOMAIN to resolving, or from resolving to NXDOMAIN)
• Shared known bad IP
• Shared known bad NS
• Name heuristics such as character randomness, domain within a domain, etc.
Malicious domains added daily to DNS signature set in Anti-spyware profile
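To make the four signals above concrete, here is an added example, not code from the slides or from Palo Alto Networks, that scores domains from a small passive DNS history: NX/A transitions in the resolution timeline, shared known-bad IPs, shared known-bad name servers, and two name heuristics (character randomness and a watched brand embedded inside another domain). The observation records, the bad-IP/bad-NS lists, the brand watch list, the entropy threshold and the "take the last two labels as the registered domain" shortcut are all assumptions constructed for this example; a real implementation would use a public-suffix list.

```python
import math
from collections import Counter, defaultdict

# Assumed intelligence inputs for this example.
KNOWN_BAD_IPS = {"198.51.100.23"}
KNOWN_BAD_NS = {"ns1.bad-hosting.example"}
WATCHED_BRANDS = {"paypal.com"}
RANDOM_ENTROPY = 3.0          # bits/char above which a label looks machine-generated

# Constructed passive DNS observations: (order, rrname, rrtype, rdata).
# An "NX" record with rdata None stands for an NXDOMAIN answer.
OBSERVATIONS = [
    (1, "cdn.example.net", "A", "192.0.2.10"),
    (2, "cdn.example.net", "NS", "ns1.example.net"),
    (3, "xk7q2zv9bw.info", "NX", None),
    (4, "xk7q2zv9bw.info", "A", "198.51.100.23"),
    (5, "xk7q2zv9bw.info", "NS", "ns1.bad-hosting.example"),
    (6, "paypal.com.secure-login.example", "A", "203.0.113.77"),
    (7, "paypal.com.secure-login.example", "NS", "ns1.bad-hosting.example"),
]


def shannon_entropy(text):
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0


def looks_random(label):
    """Crude randomness heuristic (assumption): high entropy plus either digits
    mixed in or no vowels at all, so ordinary words like 'secure-login' pass."""
    return (len(label) >= 8 and shannon_entropy(label) > RANDOM_ENTROPY
            and (any(ch.isdigit() for ch in label)
                 or not any(ch in "aeiou" for ch in label)))


def domain_in_domain(name):
    """True when a watched brand domain appears as labels left of the registered domain."""
    labels = name.split(".")
    prefix = "." + ".".join(labels[:-2]) + "."
    return any(f".{brand}." in prefix for brand in WATCHED_BRANDS)


def score_domains(observations):
    history = defaultdict(list)
    for _, name, rrtype, rdata in sorted(observations, key=lambda o: o[0]):
        history[name].append((rrtype, rdata))
    results = {}
    for name, records in history.items():
        signals = []
        # NX -> A: a name that did not exist and then started resolving (newly
        # activated); A -> NX: a name that resolved and was then withdrawn.
        seq = [t for t, _ in records if t in ("NX", "A")]
        for prev, cur in zip(seq, seq[1:]):
            if prev != cur:
                signals.append(f"{prev.lower()}-to-{cur.lower()}")
                break
        if any(t == "A" and r in KNOWN_BAD_IPS for t, r in records):
            signals.append("shared-bad-ip")
        if any(t == "NS" and r in KNOWN_BAD_NS for t, r in records):
            signals.append("shared-bad-ns")
        if looks_random(name.split(".")[-2]):
            signals.append("random-name")
        if domain_in_domain(name):
            signals.append("domain-in-domain")
        results[name] = {"signals": signals, "score": len(signals)}
    return results


def candidates(results, threshold=2):
    """Domains that would be proposed for the daily DNS signature set."""
    return sorted(n for n, r in results.items() if r["score"] >= threshold)


if __name__ == "__main__":
    scored = score_domains(OBSERVATIONS)
    for name, r in scored.items():
        print(f"{name}: score={r['score']} {r['signals']}")
    print("candidates:", candidates(scored))
```

No single signal is conclusive on its own (a freshly registered legitimate site also goes NX→A), which is why the example requires at least two independent signals before a name becomes a signature candidate.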
Configuring Passive DNS
Passive DNS is enabled via the anti-spyware profile:
New local DNS sinkholing
• Discover and confirm compromised hosts via DNS
• Trace back to the actual machine without client DNS visibility
• Safely block malicious DNS queries and redirect to sinkhole for intel collection
Diagram: the compromised host asks the local DNS “Where is badguy.com?”; the local DNS forwards the query toward the malicious DNS / C2 server, but the sinkhole response “badguy.com = 10.0.1.201” is returned instead, so the host’s command-and-control traffic goes to the sinkhole at 10.0.1.201.
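The "trace back without client DNS visibility" point is worth seeing in data: when clients resolve through an internal resolver, the DNS threat log only ever shows the resolver as the source, while the traffic log shows which host then connects to the sinkhole address. The following is an added example, not code from the slides or from Palo Alto Networks, that correlates the two views. The log lines are constructed for this example in a simple key=value form (not the PAN-OS log format); the sinkhole address 10.0.1.201 and the name badguy.com come from the diagram, and the resolver address and client addresses are assumptions.

```python
from collections import defaultdict

SINKHOLE_IP = "10.0.1.201"      # sinkhole address from the diagram
RESOLVER_IP = "10.0.0.53"       # assumed address of the internal resolver

# Constructed sample logs (not PAN-OS format). The DNS threat log sees only the
# resolver; the traffic log sees the real host once it connects to the sinkhole.
THREAT_LOG = [
    "2014-03-24T10:01:02 src=10.0.0.53 dst=203.0.113.10 query=badguy.com action=sinkhole",
    "2014-03-24T10:07:40 src=10.0.0.53 dst=203.0.113.10 query=badguy.com action=sinkhole",
]
TRAFFIC_LOG = [
    "2014-03-24T10:01:03 src=10.0.1.55 dst=10.0.1.201 dport=443 app=unknown-tcp",
    "2014-03-24T10:01:05 src=10.0.1.55 dst=198.51.100.80 dport=443 app=web-browsing",
    "2014-03-24T10:07:41 src=10.0.2.17 dst=10.0.1.201 dport=80 app=unknown-tcp",
    "2014-03-24T10:09:00 src=10.0.1.55 dst=10.0.1.201 dport=443 app=unknown-tcp",
]


def parse_line(line):
    """Turn 'timestamp k=v k=v ...' into a dict with the timestamp under 'ts'."""
    ts, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    record["ts"] = ts
    return record


def dns_visible_sources(threat_lines):
    """Sources attributable from the DNS threat log alone: just the resolver."""
    return {r["src"] for r in map(parse_line, threat_lines)
            if r.get("action") == "sinkhole"}


def sinkhole_hits(traffic_lines, sinkhole_ip=SINKHOLE_IP):
    """Map each internal source address to the timestamps of its sinkhole connections."""
    hits = defaultdict(list)
    for r in map(parse_line, traffic_lines):
        if r["dst"] == sinkhole_ip:
            hits[r["src"]].append(r["ts"])
    return dict(hits)


def compromised_hosts(traffic_lines, sinkhole_ip=SINKHOLE_IP):
    """(host, connection count, first seen) for every host that reached the sinkhole."""
    return [(src, len(stamps), min(stamps))
            for src, stamps in sorted(sinkhole_hits(traffic_lines, sinkhole_ip).items())]


if __name__ == "__main__":
    print("DNS log alone attributes to:", dns_visible_sources(THREAT_LOG))
    for host, count, first in compromised_hosts(TRAFFIC_LOG):
        print(f"{host}: {count} sinkhole connection(s), first seen {first}")
```

Because the sinkhole address is one the firewall itself hands out, any session to it is a direct indicator rather than a heuristic, which is what turns "the resolver asked for badguy.com" into "10.0.1.55 and 10.0.2.17 are the infected machines".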
Integrating network and host indicators
How it works (diagram, steps numbered 1–5): clients running agents; samples to WildFire™; WildFire logs; WildFire logs (via device mgmt API); WildFire forensics (via WildFire API); Bit9 Central Manager, which provides:
• Interrogations using host-based indicators of compromise
• Whitelist/blacklisting by file hash
Splunk App for Palo Alto Networks
Integrating network and host indicators