Transcript Document
Palo Alto Networks
Modern Malware
Cory Grant
Regional Sales Manager
Palo Alto Networks
What are we seeing
Key Facts and Figures - Americas
• 2,200+ networks analyzed
• 1,600 applications detected
• 31 petabytes of bandwidth
• 4,600+ unique threats
• Billions of threat logs
3 | ©2014 Palo Alto Networks. Confidential and Proprietary.
Common Sharing Applications are Heavily Used
Application Variants
How many video and file-sharing applications are needed to run the business?
Bandwidth Consumed
20% of all bandwidth consumed by filesharing and video alone
Source: Palo Alto Networks, Application Usage and Threat Report. May 2014.
High in Threat Delivery; Low in Activity
11% of all threats observed are code execution exploits within common sharing applications
Most commonly used applications: email (SMTP, Outlook Web, Yahoo! Mail), social media (Facebook, Twitter) and file-sharing (FTP)
Source: Palo Alto Networks, Application Usage and Threat Report. May 2014.
Low Activity? Effective Security or Something Else?
Low Activity: Effective Security or Something Else?
SMTP
IMAP
POP3
Web browsing
Smoke.loader botnet controller
Delivers and manages payload
Steals passwords
Encrypts payload
Code execution exploits seen in SMTP, POP3, IMAP and web browsing.
Posts to URLs
Anonymizes identity
Twitter
Web browsing
Facebook
Malware Activity Hiding in Plain Sight: UDP
ZeroAccess Botnet
Blackhole Exploit Kit
End Point Controlled
Bitcoin mining
SPAM
ClickFraud
ZeroAccess Delivered
$$$
• Distributed computing = resilience
• High-numbered UDP ports mask its use
• Multiple techniques to evade detection
• Robs your network of processing power
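The slide's point is that peer-to-peer traffic on high-numbered UDP ports blends into ordinary network noise. The following Python example, added to this transcript and not Palo Alto Networks code, shows the simplest flow-log check a defender can run for that shape: an internal host sending UDP to many distinct external peers on many high ports. The flow records, addresses, ports and thresholds are all constructed for the example.

```python
from collections import defaultdict

# Constructed flow records for this example, not real telemetry:
# (timestamp, src_ip, dst_ip, proto, dst_port, bytes)
SAMPLE_FLOWS = [
    # 10.0.0.5: ordinary workstation traffic (internal DNS, NTP, HTTPS)
    ("2014-05-01T09:00:01", "10.0.0.5", "10.0.0.2", "udp", 53, 84),
    ("2014-05-01T09:00:02", "10.0.0.5", "10.0.0.2", "udp", 53, 91),
    ("2014-05-01T09:00:03", "10.0.0.5", "203.0.113.10", "udp", 123, 76),
    ("2014-05-01T09:00:04", "10.0.0.5", "198.51.100.7", "tcp", 443, 5120),
    # 10.0.0.9: one long-lived high-port UDP session to a single peer (e.g. a VoIP call)
    ("2014-05-01T09:01:00", "10.0.0.9", "198.51.100.20", "udp", 16384, 120000),
    ("2014-05-01T09:05:00", "10.0.0.9", "198.51.100.20", "udp", 16384, 118000),
] + [
    # 10.0.0.23: small datagrams to many distinct external peers on shifting high ports
    ("2014-05-01T09:%02d:00" % i, "10.0.0.23", "192.0.2.%d" % (10 + i),
     "udp", 20000 + 101 * i, 200 + i)
    for i in range(12)
]


def is_internal(ip):
    """10/8 is enough for the constructed sample; widen to all RFC 1918 ranges for real data."""
    return ip.startswith("10.")


def udp_high_port_fanout(flows, min_port=1024, min_peers=8):
    """Return {internal_host: {"peers": [...], "ports": n}} for hosts that send UDP
    to at least `min_peers` distinct external peers on ports >= `min_port`.

    Many peers on many high ports is the P2P shape the slide describes; a single
    peer (VoIP, a game) does not trip it. Legitimate P2P clients will, so treat
    hits as triage leads to be checked against the host's expected role."""
    peers = defaultdict(set)
    ports = defaultdict(set)
    for _ts, src, dst, proto, dport, _nbytes in flows:
        if proto != "udp" or dport < min_port:
            continue
        if is_internal(src) and not is_internal(dst):
            peers[src].add(dst)
            ports[src].add(dport)
    return {h: {"peers": sorted(p), "ports": len(ports[h])}
            for h, p in peers.items() if len(p) >= min_peers}


if __name__ == "__main__":
    for host, info in udp_high_port_fanout(SAMPLE_FLOWS).items():
        print(host, len(info["peers"]), "external UDP peers on", info["ports"], "high ports")
```

The threshold on distinct peers, rather than on bytes or packet count, is what separates the fan-out pattern from a single heavy UDP session; bandwidth alone would flag the VoIP host first.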
The Two Faces of SSL
BlackPOS
Citadel
Aurora
TDL-4
Rustock
Ramnit
Poison IVY
APT1
Challenge: Is SSL used to protect data and privacy, or to mask malicious actions?
SSL: Protection, Evasion or Heartbleed Risk?
32% (539) of the applications found can use SSL. What is your exposure?
Source: Palo Alto Networks, Application Usage and Threat Report. Jan. 2013.
Business Applications = Heaviest Exploit Activity
Source: Palo Alto Networks, Application Usage and Threat Report. May 2014.
Target data breach – APTs in action
• Recon on companies Target works with
• Spearphishing third-party HVAC contractor
• Breached Target network with stolen payment system credentials
• Moved laterally within Target network and installed POS malware
• Maintain access: compromised internal server to collect customer data
• Exfiltrated data to command-and-control servers over FTP
Best Practices
Security from Policy to Application
What assumptions drive your security policy?
Does your current security implementation adequately reflect that policy?
Does your current security implementation provide the visibility and insight needed to shape your policy?
Assumptions
Visibility & Insight
Policy
Implementation
Security Perimeter Paradigm
Organized
Attackers
The Enterprise
Infection
Command and Control
Escalation
Exfiltration
Is there malware inside your network today?
Application Visibility
• Reduce attack surface
• Identify applications that circumvent security policy
• Full traffic visibility that provides insight to drive policy
• Identify and inspect unknown traffic
Identify All Users
• Do NOT trust; always verify all access
• Base security policy on users and their roles, not IP addresses
• For groups of users, tie access to specific groups of applications
• Limit the amount of exfiltration via network segmentation
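The "Identify All Users" bullets describe a policy model rather than a product feature, so the following Python example, added to this transcript and not Palo Alto Networks code, shows what that model looks like as a rulebase: rules keyed on user group, zone and application group, evaluated beside the source-address rule they replace. Every user, group, zone, application name and rule here is constructed for the example; the contrast to watch is the unauthenticated session coming from an address an employee used a moment earlier.

```python
from ipaddress import ip_address, ip_network

# --- constructed sample data (not from any real directory or firewall) ---
USER_GROUPS = {                      # user-to-group mapping, as a directory would supply it
    "alice": {"employees", "finance"},
    "bob": {"employees", "engineering"},
    "hvac-vendor": {"vendors"},
}
APP_GROUPS = {                       # application groups the rules refer to
    "business-email": {"smtp", "outlook-web"},
    "web": {"web-browsing", "ssl"},
    "file-sharing": {"ftp", "bittorrent"},
    "facilities": {"hvac-portal"},
}
# Ordered rulebase: (user group, from zone, to zone, application group, action).
# Nothing here names an IP address; identity comes from the verified user.
USER_RULES = [
    ("vendors",   "vendor-vpn", "facilities", "facilities",     "allow"),
    ("vendors",   "vendor-vpn", "any",        "any",            "deny"),   # segmentation: vendors reach nothing else
    ("any",       "any",        "internet",   "file-sharing",   "deny"),   # limit exfiltration channels for everyone
    ("employees", "corp",       "internet",   "business-email", "allow"),
    ("employees", "corp",       "internet",   "web",            "allow"),
]
# The address-based alternative the slide argues against: trust whatever sits on the corp subnet.
LEGACY_IP_RULES = [(ip_network("10.0.0.0/24"), "internet", "allow")]


def _in_group(user, group):
    # An unknown or unauthenticated user (None) belongs to no group, so only "any" matches.
    return group == "any" or group in USER_GROUPS.get(user, set())


def _in_app_group(app, group):
    return group == "any" or app in APP_GROUPS.get(group, set())


def evaluate_user_policy(session):
    """session = (src_ip, user_or_None, from_zone, to_zone, app).
    First matching rule wins; a session matching nothing is denied."""
    _ip, user, from_zone, to_zone, app = session
    for idx, (grp, src_z, dst_z, app_grp, action) in enumerate(USER_RULES):
        if (_in_group(user, grp) and src_z in ("any", from_zone)
                and dst_z in ("any", to_zone) and _in_app_group(app, app_grp)):
            return action, idx
    return "deny", "default"


def evaluate_legacy_policy(session):
    """Same session, decided only on source address and destination zone."""
    src_ip, _user, _from_zone, to_zone, _app = session
    for net, dst_z, action in LEGACY_IP_RULES:
        if ip_address(src_ip) in net and dst_z == to_zone:
            return action
    return "deny"


# Constructed sessions: the second reuses alice's address with no verified user behind it.
SAMPLE_SESSIONS = [
    ("10.0.0.5",  "alice",       "corp",       "internet",   "smtp"),
    ("10.0.0.5",  None,          "corp",       "internet",   "web-browsing"),
    ("10.0.0.7",  "bob",         "corp",       "internet",   "ftp"),
    ("10.9.0.12", "hvac-vendor", "vendor-vpn", "facilities", "hvac-portal"),
    ("10.9.0.12", "hvac-vendor", "vendor-vpn", "pos",        "ssl"),
]


def compare(sessions):
    """Return (session, user-based decision, address-based decision) for each session."""
    return [(s, evaluate_user_policy(s)[0], evaluate_legacy_policy(s)) for s in sessions]


if __name__ == "__main__":
    for session, by_user, by_ip in compare(SAMPLE_SESSIONS):
        print(f"{session[1] or 'unknown':12} {session[4]:13} -> {session[3]:10} user-policy={by_user:5} ip-policy={by_ip}")
```

The two rulebases agree on the obvious cases and disagree exactly where the slide says they should: the address-based rule allows the unauthenticated session because the subnet is trusted, while the user-based rulebase has no group to match and falls through to deny.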
SSL/Port 443: The Universal Firewall Bypass
Gozi
Freegate
Rustock
Citadel
TDL-4
Aurora
Ramnit
Bot
tcp/443
Poison IVY
APT1
Challenge: Is SSL used to protect data and privacy, or to mask malicious actions?
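Both SSL slides ("The Two Faces of SSL" and "SSL/Port 443: The Universal Firewall Bypass") turn on one observation: a port number says nothing about what is actually inside a session. The following Python example, added to this transcript and not Palo Alto Networks code, shows the first step a defender takes before deciding what to decrypt or block: reading the opening bytes of a tcp/443 stream to see whether it is a TLS ClientHello at all, pulling the SNI when it is, and noticing TLS that turns up on other ports. The ClientHello bytes are built by a helper in the block so the example runs offline; the addresses, ports and host names are constructed.

```python
import struct


def build_client_hello(server_name):
    """Build a minimal TLS 1.2 ClientHello record carrying one SNI extension.
    Constructed sample input for the parser below, not captured traffic."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack(">H", len(name)) + name       # name_type 0 = host_name
    sni_list = struct.pack(">H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack(">HH", 0x0000, len(sni_list)) + sni_list   # extension type 0 = server_name
    extensions = struct.pack(">H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03"             # client_version: TLS 1.2
            + b"\x11" * 32          # random: constructed filler
            + b"\x00"               # session_id: empty
            + b"\x00\x02\xc0\x2f"   # one cipher suite
            + b"\x01\x00"           # compression methods: null only
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def identify_tls_client_hello(payload):
    """Classify the first bytes of a TCP stream.
    Returns ("tls", sni_or_None) for a TLS ClientHello, ("not-tls", reason) otherwise."""
    if len(payload) < 5 or payload[0] != 0x16 or payload[1] != 0x03:
        return ("not-tls", "no TLS handshake record header")
    rec_len = struct.unpack(">H", payload[3:5])[0]
    rec = payload[5:5 + rec_len]
    if len(rec) < 4 or rec[0] != 0x01:
        return ("not-tls", "record is not a ClientHello")
    hs = rec[4:4 + int.from_bytes(rec[1:4], "big")]
    pos = 2 + 32                                    # skip client_version and random
    try:
        sid_len = hs[pos]; pos += 1 + sid_len
        cs_len = struct.unpack(">H", hs[pos:pos + 2])[0]; pos += 2 + cs_len
        comp_len = hs[pos]; pos += 1 + comp_len
    except (IndexError, struct.error):
        return ("not-tls", "truncated ClientHello")
    if pos + 2 > len(hs):
        return ("tls", None)                        # legal ClientHello without extensions: no SNI
    ext_len = struct.unpack(">H", hs[pos:pos + 2])[0]; pos += 2
    end = min(pos + ext_len, len(hs))
    while pos + 4 <= end:
        etype, elen = struct.unpack(">HH", hs[pos:pos + 4]); pos += 4
        edata = hs[pos:pos + elen]; pos += elen
        if etype == 0 and len(edata) >= 5 and edata[2] == 0:    # server_name, host_name entry
            name_len = struct.unpack(">H", edata[3:5])[0]
            return ("tls", edata[5:5 + name_len].decode("ascii", "replace"))
    return ("tls", None)


# Constructed observations: (src, dst, dst_port, first payload bytes of the stream)
SAMPLE_STREAMS = [
    ("10.0.0.5",  "198.51.100.7", 443,  build_client_hello("mail.example.com")),
    ("10.0.0.23", "192.0.2.44",   443,  b"SSH-2.0-OpenSSH_6.6\r\n"),          # SSH riding port 443
    ("10.0.0.23", "192.0.2.45",   443,  b"\x00\x00\x00\x10\x01\x02\x03\x04"),  # constructed non-TLS binary
    ("10.0.0.9",  "203.0.113.9",  8443, build_client_hello("update.example.net")),
]


def port_443_review(streams):
    """Split tcp/443 streams into real TLS (with SNI, the input to a decryption or
    URL policy) and non-TLS traffic riding the port, and list TLS seen elsewhere."""
    report = {"tls_on_443": [], "non_tls_on_443": [], "tls_elsewhere": []}
    for src, dst, dport, payload in streams:
        kind, detail = identify_tls_client_hello(payload)
        if dport == 443 and kind == "tls":
            report["tls_on_443"].append((src, dst, detail))
        elif dport == 443:
            report["non_tls_on_443"].append((src, dst, detail))
        elif kind == "tls":
            report["tls_elsewhere"].append((src, dst, dport, detail))
    return report


if __name__ == "__main__":
    for bucket, items in port_443_review(SAMPLE_STREAMS).items():
        print(bucket, items)
```

The non-TLS bucket is the "universal bypass" the slide names: a port-based rule would have allowed both of those sessions as "SSL". The SNI from the TLS bucket is what a decryption or URL policy can act on before the session is ever decrypted.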
Evolution of Network Segmentation & Datacenter Security
Packet Filtering, ACLs, IP/Port-based firewalling for known traffic?
Layer 1-4 Stateful Firewall
Port-hopping applications, Malware, Mobile Users – different entry points into DC?
Layer 7 “Next Generation” Appliance
Platform Solution
Modern Attacks Are Coordinated
1. Bait the end-user: end-user lured to a dangerous application or website containing malicious content
2. Exploit: infected content exploits the end-user, often without their knowledge
3. Download Backdoor: secondary payload is downloaded in the background. Malware installed
4. Establish Back-Channel: malware establishes an outbound connection to the attacker for ongoing control
5. Explore & Steal: remote attacker has control inside the network and escalates the attack
An Integrated Approach to Threat Prevention
Coordinated Threat Prevention
Attack stages: Bait the end-user | Exploit | Download Backdoor | Establish Back-Channel | Explore & Steal
THREAT PREVENTION
App-ID: Block high-risk apps; Block C&C on non-standard ports; Reduce Attack Surface
URL: Block known malware sites; Block malware, fast-flux domains
IPS: Block the exploit
Spyware: Block spyware, C&C traffic
AV: Block malware
Files: Prevent drive-by downloads
WildFire: Detect unknown malware; Block new C&C traffic
Coordinated intelligence to detect and block active attacks based on signatures, sources and behaviors
Adapt to Day-0 threats
Threat Intelligence Sources: WildFire Users, Cloud, On-Prem
WildFire Signatures: ~30 Minutes
AV Signatures: Daily
DNS Signatures: Daily
Malware URL Filtering: Constant
Anti-C&C Signatures: 1 Week