Security: Next Generation Topics
and Best Practices
John Petersen
Systems Engineer
January 2016
Agenda
Introductions
Evolving Threat Landscape
Challenges with Legacy Security Architecture
Modern Prevention – Disrupting the Attack Chain
Next Steps
Q & A / Open Discussion / Comments
2 | © 2015, Palo Alto Networks. Confidential and Proprietary.
The Evolving Threat Landscape
Unit 42 Mission
Mission: Analyze the data available to Palo Alto Networks to identify adversaries, their motivations, resources, and tactics to better understand the threats our customers face.
Key Perspectives
Who is the Adversary?
Understanding the Cyber Attack Lifecycle
How Attacks Happen
What’s Changed? Attack Evolution, Automation!
Cyber crime & warfare: $1+ trillion industry, 100+ nations, $3.5 million average breach
Mobile Threats
SSL Encryption
Changing Application Environment
Zero-Day Exploits/Vulnerabilities
Unknown & Polymorphic Malware
Lateral Movement
Evasive Command-and-Control
Known Threats
Organizational Risk
2015 Highlights
XcodeGhost - Unit 42 analyzed XcodeGhost, which modifies Xcode and infects Apple iOS apps, and its behavior. The team found that many popular iOS apps were infected, including WeChat, one of the most popular messaging applications in the world, and that the XcodeGhost attacker can phish passwords and open URLs through these infected apps.
KeyRaider - In cooperation with WeipTech, Unit 42 identified samples of a new iOS malware family in the wild, which they named KeyRaider. This is believed to be the largest known Apple account theft caused by malware, stealing over 225,000 valid Apple accounts and thousands of certificates, private keys, and purchasing receipts. Unit 42 also detailed how to keep yourself safe from KeyRaider.
YiSpecter - Unit 42 identified a new Apple iOS malware, dubbed YiSpecter. YiSpecter differs from previously seen iOS malware in that it attacks both jailbroken and non-jailbroken iOS devices through unique and harmful malicious behaviors. Specifically, it was the first malware seen in the wild that abuses private APIs in the iOS system to implement malicious functionality.
Android Installer Hijacking - Unit 42 discovered a widespread vulnerability in Google’s Android OS, which they called “Android Installer Hijacking,” estimated to impact 49.5 percent of all current Android users. It allows an attacker to modify or replace a seemingly benign Android app with malware without user knowledge, and only affects applications downloaded from third-party app stores.
Operation Lotus Blossom - Unit 42 published new research identifying a persistent cyber espionage campaign targeting government and military organizations in Southeast Asia by an adversary group they named “Lotus Blossom.” The campaign has been in operation for some time; Unit 42 identified over 50 different attacks taking place over the past three years. Recently, Unit 42 found that a targeted attack directed at an individual working for the French Ministry of Foreign Affairs was linked to Operation Lotus Blossom.
BackStab - Unit 42 found the new “BackStab” attack, used to steal private information from mobile device backup files stored on a victim’s computer.
Exploring Actor Motivations
These are not mutually exclusive: Cyber Espionage, Cyber Crime, Cyber Hacktivism, Cyber Warfare, Cyber Terrorism, Cyber Mischief
The Advanced Adversary
Majority of adversaries are just doing their job: bosses, families, bills to pay.
Want to get in, accomplish their task, and get out (undetected).
Goal isn’t making your life hard.
CYBER THREATS ARE GETTING MORE ADVANCED
Advanced
• Uses a broad spectrum of exploits
• Both well-known and zero-day exploits
• Crosses multiple vectors; uses crypting
• Re-encodes or uses polymorphism
Persistent
• Goal-oriented rather than opportunistic
• Highly targeted, methodical attacks
Threat
• Organized, well-funded criminal adversaries
• Nation-states, cyber-espionage groups
• Thousands of off-the-shelf tools available
WildFire Threat Cloud Total Files Scanned
Volume of files scanned by WildFire continues to grow
As high as 1.4M/day during the week
About 500K/day on the weekends
Peaking at 16.2 samples per second investigated in the cloud
Finding one new piece of actual malware about every 3 seconds
Overall Malware Found
[Chart: Zero Day Malware found per day in WildFire, daily from 5/1/14 to 2/1/15; y-axis 0 to 80,000 files per day]
Very interesting trends for Malware
70,000 a day = 490,000 weekly!! over the past 3 months. That’s nearly half a million zero day malware files every week
High activity around US Thanksgiving
Continued high activity through Christmas (155 times increase since Sept 2013)
Slow start to the new year
Averaging around 31K new zero day Malware files per day
Trending up 50% in the past 9 months
Requires 312 new AV signatures every 15 minutes
How do other malware detection models break down?
[Chart: Percent Malware delivered not via port 25 or port 80, weekly from 5/7/14 to 2/25/15; y-axis 0% to 45%]
Most other Malware tools only find port 25/80 – only ~85% of the malware
Miss over 4600 files/day
Secondary download?
Growing trend for non-25/80 delivery of Malware
No way for others to detect malware in the network…why stop looking internally?
~85% of Malware is via port 25/80!
Lateral Movement
Data Center Perimeter
Internal Data Center
[Chart: WF DNS/Day and pDNS/Day, DNS Updates per Day, weekly content releases 2014.05.01.001 to 2015.02.19.001]
Including 600 learned malicious DNS sites/day via Passive DNS
Also delivering about 150 new DNS rules every 15 minutes
Required 460 new URL rules every 30 minutes in December
Seems to imply a growth in the number of players developing Malware
[Chart: Growth of Command & Control Traffic, Total Malware URLs Blocked, y-axis 0 to 1,600,000]
C&C traffic growing after a quiet summer—massive jump in December
Challenges With Legacy Security Architecture
Applications Get Through the Firewall
Network security policy is enforced at the firewall
• Sees all traffic
• Defines boundary
• Enables access
Traditional firewalls don’t work anymore
Security has evolved from what we have known it to be
Legacy security and architectures based on manual reactions and log management are failing today
Proxies are limited
Stateful firewalls are failing (port / protocol)
SSL traffic is not being inspected
Lack of security with VLANs
Every breach today has several things in common:
A port-based firewall
A simple IPS
Desktop A/V (signature-based)
Must have a solution that prevents attacks from known and unknown threats
Must have an architecture focused on prevention—keep the network safe at all times
To protect the network, the solution must be automated, integrated, and simple
All security functions, one platform, fully integrated
[Diagram: the Internet and the enterprise network, with separate DNS, SMTP, Web, AV and endpoint alerts raised by siloed point products]
Common traits for breached networks
1. A port-based firewall
2. A static IPS
3. Exploits and zero-day malware used to manipulate platforms in the network (traditional A/V fails)
4. Identity credentials hijacked
Modern Prevention – Disrupting the Attack Chain
Detect & Prevent Threats at Every Point
At the Mobile Device
At the Internet Edge
Between Employees and Devices within the LAN
At the Data Center Edge and between VMs
Within Private, Public and Hybrid Clouds
Prevent attacks, both known and unknown
Protect all users and applications, in the cloud or virtualized
Integrate network and endpoint security
Analytics that correlate across the cloud
Preventing Across the Cyber Attack Lifecycle
1 Breach the Perimeter
2 Deliver the Malware
3 Lateral Movement
4 Exfiltrate Data
Lifecycle stages: Reconnaissance; Weaponization and Delivery; Exploitation; Installation; Command-and-Control; Actions on the Objective
Unauthorized Access, then Unauthorized Use
HOT TOPICS
Port-based firewalls, proxies, VLANs, and ACLs are not enough
Safely Enabling Applications
“Zero Trust” Security Posture
Reducing the attack surface
Limiting Data Loss
SSL Decryption
Dealing with Unknowns: Traffic / Applications; Malware; Vulnerabilities / Exploits
Network and Micro Segmentation
NGFW Requirements
Safely Enable Applications
Secure Remote Users
Content and User Aware
Systematically Manage Unknown Traffic & Threats
SSL Decryption / SSH Control
Inline Prevention
Integration
Automation
Reliable Performance
ZERO TRUST
Forrester Research
“Never trust, always verify”
VLANs / ACLs are not enough
Inspect ALL traffic
User and Content Aware
Threat Prevention
SEGMENTATION
VLANs / ACLs are not enough
Reduce attack surface
East – West: Datacenter (App, Web, Dev)
Network: DMZ, PCI, Users, Data Center
Sensitive Resources: Datacenter
Virtual Micro-Segmentation: Firewall as a Service
Advanced inspection: Threats, Applications, User Identity, Content Identity
Vulnerabilities & Exploits
Greatest Threat!
Can disable anti-malware solutions
Drive-by-downloads
Unknown / Zero Day: Block via exploit techniques
Whitelisting does not help: Good applications can behave badly
Patching: Only covers known; Can be cumbersome, difficult on servers
Reduce Attack Surface
Zero Trust
Cyber Attack Chain Disruption
MALWARE
Known Threats: Signatures; URLs / IPs; DNS
Problem with signatures… (SEP Definitions File Name: 20160112-001-v5i32.exe, Creation Date: 01/12/2016, File Size: 436.39 MB)
Unknown Threats: STAP (Specialized Threat Analysis Protection) AKA Virtual Sandboxing; Cloud Intelligence; Reputation & Behavior; Not perfect but great start
Advanced Persistent Threats
Reduce Attack Surface: Automation; Whitelisting; Patch Mitigation; Anti-exploit; Anti-spyware; DNS Sinkhole
Essential
Preventing Command-and-Control
URL Filtering: Proactively block unnecessary URLs; Dynamic DNS category
DNS Sinkholing: Identify source of malicious DNS queries
Detect and Block: Common RAT C2 signatures; DNS Spyware
The problem: the DNS server appears to be the infected device
[Diagram] The infected host sends a DNS query for malicioussite.com to the Internal DNS Server, which forwards it to the Auth DNS Server. The DNS response (malicioussite.com = 122.45.23.26) comes back through the Internal DNS Server, so the only client seen asking for malicioussite.com is the Internal DNS Server (???), not the infected host.
DNS “Sinkhole”
DNS sinkhole option to help pinpoint infected hosts on the network
Passive DNS request monitoring to identify new malicious websites or command and control activity
[Diagram] The infected host sends a DNS query for malicioussite.com to the Internal DNS Server, which forwards it toward the Auth DNS Server. Instead of the real answer, a forged DNS response for malicioussite pointing to the Sinkhole IP 10.10.10.10 is returned; the infected host then connects to 10.10.10.10, which pinpoints it.
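The two halves of the sinkhole mechanism described above, as an added example that is not part of the original slides: a resolver decision that forges the answer for a listed domain (or any of its subdomains) to the sinkhole IP, and a pass over firewall traffic logs that counts connections to the sinkhole IP per source host. The blocklist, the upstream answers, and the key=value log lines are constructed sample data; malicioussite.com, 122.45.23.26 and 10.10.10.10 are the values shown on the slides.

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple

SINKHOLE_IP = "10.10.10.10"  # sinkhole address used on the slide

# Constructed blocklist; in practice fed by threat intel, anti-spyware signatures or passive DNS.
MALICIOUS_DOMAINS = {"malicioussite.com"}

# Constructed stand-in for what the authoritative server would answer
# (122.45.23.26 is the sample answer on the slide; 203.0.113.7 is a TEST-NET address).
UPSTREAM_ANSWERS = {"malicioussite.com": "122.45.23.26", "intranet.example": "203.0.113.7"}


def resolve(qname: str) -> Tuple[Optional[str], bool]:
    """Decide what the resolver should answer for qname.

    Returns (answer_ip, sinkholed). A listed domain, or any subdomain of one,
    gets the forged sinkhole answer instead of the real address; everything
    else is passed through to the upstream answer (None means unknown name).
    """
    labels = qname.rstrip(".").lower().split(".")
    # Walk from the full name up to its parents: a.b.evil.com -> b.evil.com -> evil.com
    for i in range(len(labels)):
        if ".".join(labels[i:]) in MALICIOUS_DOMAINS:
            return SINKHOLE_IP, True
    return UPSTREAM_ANSWERS.get(".".join(labels)), False


def infected_hosts(traffic_log: List[str]) -> Dict[str, int]:
    """Count, per source IP, connections whose destination is the sinkhole IP.

    Without the sinkhole the only client seen asking for malicioussite.com is
    the internal DNS server; with it, the infected host itself connects to
    10.10.10.10 and shows up as the source of the traffic.
    """
    hits: Counter = Counter()
    for line in traffic_log:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("dst") == SINKHOLE_IP:
            hits[fields["src"]] += 1
    return dict(hits)


# Constructed firewall traffic-log lines (key=value form) for the walk-through.
SAMPLE_TRAFFIC = [
    "src=192.168.1.57 dst=10.10.10.10 dport=443 proto=tcp",
    "src=192.168.1.57 dst=10.10.10.10 dport=80 proto=tcp",
    "src=192.168.1.12 dst=203.0.113.7 dport=443 proto=tcp",
]

if __name__ == "__main__":
    print(resolve("cdn.malicioussite.com"))  # ('10.10.10.10', True)
    print(infected_hosts(SAMPLE_TRAFFIC))     # {'192.168.1.57': 2}
```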
SSL Decryption
Required on outbound traffic: Man-in-the-Middle; Data Loss Prevention; Advanced Threats; Application Sub-Control
Known challenges: Facebook, Google, Dropbox / Box; Performance; Cipher support; Application pinning
Selective decryption: Health Care, Banking; Applications – Backups; Destination
Data Loss Prevention
DLP to monitor all stages of data – At Rest, In Use, and In Motion
90% of DLP solution is remediation
Visible (educate)
Finding sensitive content is easy; data ownership is the challenge
Data Classification: Keep it simple; Public, Internal, Confidential; Often highly political; Need stakeholders to support
“Zero Trust”: Reduce attack surface; SaaS & Mobile
Encryption: At Rest & In Motion; Authentication
Automation / Watermarking
Threat Prevention Best Practices
Create Protections
1 Reduce the attack surface
Whitelist applications or block high-risk apps
Block known bad IPs and regions
Block dangerous file types
Visibility into encrypted traffic – SSL Decryption
Block dangerous websites – URL Filtering
Network Segmentation
2 Prevent Known Threats
Block known vulnerabilities, malware & exploits with Threat Prevention
Prevent C&C traffic (anti-spyware)
Prevent DNS C&C traffic (anti-spyware)
Discover infected systems – Botnet Report
3 Detect/Prevent Unknown Threats
Prevent 0-day malware w/ Dynamic Sandboxing
Prevent 0-day exploits w/ Advanced Endpoint Protection
Blocking unknown traffic (TCP/UDP)
Pinpoint infected users with User-ID
Detect data exfiltration
PREVENTING ATTACKS AT EVERY STAGE OF THE KILL-CHAIN
1 Breach the perimeter
Next-Generation Firewall / VPN: Visibility into all traffic, including SSL; Enable business-critical applications; Block high-risk applications; Block commonly exploited file types
Threat Prevention: Block known exploits, malware and inbound command-and-control communications
URL Filtering: Prevent use of social engineering; Block known malicious URLs and IP addresses
Dynamic Sandboxing: Send specific incoming files and email links from the internet to public or private cloud for inspection; Detect unknown threats; Automatically deliver protections globally
2 Deliver the malware
Next-Generation Endpoint / Dynamic Sandboxing: Block known and unknown vulnerability exploits; Block known and unknown malware; Provide detailed forensics on attacks
3 Lateral movement
Next-Generation Firewall / VPN: Establish secure zones with strictly enforced access control; Provide ongoing monitoring and inspection of all traffic between zones
Dynamic Sandboxing: Detecting unknown threats pervasively throughout the network
4 Exfiltrate data
Threat Prevention: Block outbound command-and-control communications; Block file and data pattern uploads; DNS monitoring and sinkholing
URL Filtering: Block outbound communication to known malicious URLs and IP addresses
SYSTEMATICALLY REDUCE THE SCOPE OF YOUR SECURITY CHALLENGE
0 Full visibility
1 Limit traffic to legitimate apps and sources
2 Eliminate known threats
3 Eliminate unknown threats
Next Steps
Safely Enable Applications: Gap Analysis; Start with TAP/SPAN; Migrate to an Enterprise Platform; Inspect East – West Traffic
Education: Employee; Red Team / Blue Team; Cyber Attack Chain; Automation; Integration; Prevention
Risk Assessments: Free Security Lifecycle Review from Palo Alto Networks; Paid 3rd party assessments and penetration testing
Next-Generation Security Platform
Threat Intelligence Cloud
Next-Generation Firewall
Advanced Endpoint Protection
Automated, Natively Integrated, Extensible
Q & A – Open Discussion – Comments