Security: Next Generation Topics and

Download Report

Transcript Security: Next Generation Topics and

Security: Next Generation Topics
and Best Practices
John Petersen
Systems Engineer
January 2016
Agenda

Introductions

Evolving Threat Landscape

Challenges with Legacy Security Architecture

Modern Prevention – Disrupting the Attack Chain

Next Steps

Q & A / Open Discussion / Comments
2 | © 2015, Palo Alto Networks. Confidential and Proprietary.
The Evolving Threat Landscape
Unit 42 Mission
Resources
Mission: Analyze the data
available to Palo Alto
Networks to identify
adversaries, their
motivations, resources, and
tactics to better understand
the threats our customers
face.
Tactics
Motivations
Key Perspectives
Who is the Adversary?
Understanding the Cyber Attack Lifecycle
How Attacks Happen
5 | ©2014, Palo Alto Networks. Confidential and Proprietary.
What’s Changed? Attack Evolution, Automation!
$3.5
million
CYBER CRIME & WARFARE
Mobile Threats
SSL Encryption
Changing Application Environment
Zero-Day Exploits/Vulnerabilities
Unknown & Polymorphic Malware
Lateral Movement
Evasive Command-and-Control
Known Threats
Organizational Risk
$1+ Trillion Industry
100+ Nations
Average Breach
- 2015 Highlights

XcodeGhost - Unit 42 analyzed XcodeGhost, which modifies Xcode and infects Apple iOS Apps, and its
behavior. The team found that many popular iOS apps were infected, including WeChat, one of the most
popular messaging applications in the world, and that the XcodeGhost attacker can phish passwords and open
URLs through these infected apps.

KeyRaider - In cooperation with WeipTech, Unit 42 identified samples of a new iOS malware family in the wild
which they named KeyRaider. This is believed to be the largest known Apple account theft caused by malware,
stealing over 225,000 valid Apple accounts and thousands of certificates, private keys, and purchasing
receipts. Unit 42 also detailed how to keep yourself safe from KeyRaider.

YiSpecter - Unit 42 identified a new Apple iOS malware, dubbed YiSpecter. YiSpecter is different from
previously seen iOS malware in that it attacks both jailbroken and non-jailbroken iOS devices through unique
and harmful malicious behaviors. Specifically, it was the first malware seen in the wild that abuses private APIs
in the iOS system to implement malicious functionalities.

Android Installer Hijacking - Unit 42 discovered a widespread vulnerability in Google’s Android OS
they called “Android Installer Hijacking,” estimated to impact 49.5 percent of all current Android users,
which allows an attacker to modify or replace a seemingly benign Android app with malware, without user
knowledge, only affecting applications downloaded from third-party app stores.

Operation Lotus Blossom - Unit 42 published new research identifying a persistent cyber espionage
campaign targeting government and military organizations in Southeast Asia by adversary group they named
“Lotus Blossom.” The campaign has been in operation for some time; Unit 42 identified over 50 different
attacks taking place over the past three years. Recently, Unit 42 found that a targeted attack directed at an
individual working for the French Ministry of Foreign Affairs was linked to Operation Lotus Blossom.

BackStab - Unit 42 found the new “BackStab” attack, used to steal private information from mobile device
backup files stored on a victim’s computer
7 | © 2015, Palo Alto Networks. Confidential and Proprietary.
Exploring Actor Motivations
These are not mutually exclusive
Cyber
Espionage
Cyber
Crime
Cyber
Hacktivism
$$$
Cyber
Warfare
Cyber
Terrorism
Cyber
Mischief
The Advanced Adversary
Majority of adversaries are just
doing their job:
 Bosses, families, bills to pay.
 Want to get in, accomplish their task, and get out (un-detected).
 Goal isn’t making your life hard.
=
CYBER THREATS ARE GETTING MORE ADVANCED
Advanced
Persistent
• Uses a broad
spectrum of exploits
• Goal-oriented rather
than opportunistic
• Both well-known and
zero-day exploits
• Highly targeted,
methodical attacks
• Crosses multiple
vectors; uses crypting
• Re-encodes or uses
polymorphism
Threat
• Organized, wellfunded criminal
adversaries
• Nation-states, cyberespionage groups
• Thousands of off-theshelf tools available
WildFire Threat Cloud Total Files Scanned

Volume of files scanned by
Wildfire continues to grow
 As high as 1.4M/day during the
week
 About 500K/day on the weekends
 Peaking at 16.2 samples per
second investigated in the cloud
 Finding one new piece of actual
malware about every 3 seconds
Overall Malware Found

Zero Day Malware found per day in Wildfire
80000
Very interesting trends for Malware
70,000
a day
= 490,000
weekly!!
over the
past
3 months
 Highnearly
activityhalf
around
US
That’s
a million
Thanksgiving
zero day malware files every week
 Continued high activity through
(155 times
increase since Sept 2013)
Christmas
70000
60000
50000

Slow start to the new year
40000

30000
20000

10000
0
5/1/14
Averaging around 31K new zero
day Malware files per day
6/1/14
7/1/14
8/1/14
9/1/14
10/1/14
11/1/14
12/1/14
1/1/15
2/1/15

Trending up 50% in the past 9
months
Requires 312 new AV signatures
every 15 minutes
How do other malware detection models break down?

Percent Malware delivered not via port 25 or port 80
45.00%
Most other Malware tools
only find port 25/80 – only
~85% of the malware


40.00%
Miss over 4600 files/day
Secondary download?
35.00%
30.00%

Growing trend for non-25/80
delivery of Malware

No way for others to detect
malware in the
network…why stop looking
internally?
25.00%
20.00%
15.00%
10.00%
0.00%
Date
5/7/14
5/14/14
5/21/14
5/28/14
6/4/14
6/11/14
6/18/14
6/25/14
7/2/14
7/9/14
7/16/14
7/23/14
7/30/14
8/6/14
8/13/14
8/20/14
8/27/14
9/3/14
9/10/14
9/17/14
9/24/14
10/1/14
10/8/14
10/15/14
10/22/14
10/29/14
11/5/14
11/12/14
11/19/14
11/26/14
12/3/14
12/10/14
12/17/14
12/24/14
12/31/14
1/7/15
1/14/15
1/21/15
1/28/15
2/4/15
2/11/15
2/18/15
2/25/15
5.00%
~85% of Malware is via port 25/80!



Lateral Movement
Data Center Perimeter
Internal Data Center
WF DNS/Day
30
31
31
30
31
30
31
/1
4
/1
4
/1
4
/1
4
/1
4
/1
4
/1
4
/
10 14
/3
1/
11 14
/3
0/
12 14
/3
1/
1
1/ 4
31
/1
5
9/
8/
7/
6/
5/
4/
3/
Including 600 learned malicious
DNS sites/day via Passive DNS
/1
4

28
Also delivering about 150 new
DNS rules every 15 minutes
29

Required 460 new URL rules
every 30 minutes in December
DNS Updates per Day
2014.05.01.001
2014.05.08.001
2014.05.15.001
2014.05.22.001
2014.05.29.001
2014.06.05.001
2014.06.12.001
2014.06.19.001
2014.06.26.001
2014.07.03.001
2014.07.10.001
2014.07.17.001
2014.07.24.001
2014.07.31.001
2014.08.07.001
2014.08.14.001
2014.08.21.001
2014.08.28.001
2014.09.04.001
2014.09.11.001
2014.09.18.001
2014.09.25.001
2014.10.02.001
2014.10.09.001
2014.10.16.001
2014.10.23.001
2014.10.30.001
2014.11.06.001
2014.11.13.001
2014.11.20.001
2014.11.27.001
2014.12.04.001
2014.12.11.001
2014.12.18.001
2014.12.25.001
2015.01.01.001
2015.01.08.001
2015.01.15.001
2015.01.22.001
2015.01.29.001
2015.02.05.001
2015.02.12.001
2015.02.19.001
0
2/

Seems to imply a growth in the
number of players developing
Malware
/1
3

C&C traffic growing after a quiet
summer—massive jump in
December
1/

12
/2
9
Growth of Command & Control Traffic
1600000
Total Malware URLs Blocked
1400000
1200000
1000000
800000
600000
400000
200000
35000
30000
25000
20000
15000
10000
5000
0
pDNS/Day
Challenges With Legacy Security Architecture
Applications Get Through the Firewall
Network security policy is enforced
at the firewall
•
•
•
Sees all traffic
Defines boundary
Enables access
Traditional firewalls don’t work any
more
16 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Security has Evolved from what we have known it to be

Legacy security and architectures based on manual reactions and log management are failing today





Proxies are limited
Stateful firewalls are failing (Port / Protocol)
SSL Traffic is not being inspected
Lack of security with VLANs
Every breach today has several things in common:



A port based Firewall
A simple IPS
Desktop A/V (Signature Based)

Must have a solution that prevents attacks from known and unknown threats

Must have an architecture focused on prevention—keep the network safe at all times
Internet

To protect the network, the solution must




Automated
Integrated
Simple
All security functions, one platform, fully integrated
DNS Alert
SMTP Alert
Web Alert
AV Alert
Endpoint Alert
DNS Alert
SMTP Alert
AV Alert
Endpoint Alert
Web Alert
AV Alert
DNS Alert
Web Alert
Enterprise
Network
Common traits for breached networks
1. A port based firewall
2. A static IPS
3. Exploits and Zero Day Malware used to manipulate platforms in
the network (Traditional A/V fails)
4. Identity credentials hijacked
Modern Prevention – Disrupting the Attack Chain
Detect & Prevent Threats at Every Point
Cloud
At the
Mobile Device




At the
Internet Edge
Between
Employees and
Devices within
the LAN
At the
Data Center
Edge and
between VMs
Prevent attacks, both known and unknown
Protect all users and applications, in the cloud or virtualized
Integrate network and endpoint security
Analytics that correlate across the cloud
20 | ©2014, Palo Alto Networks. Confidential and Proprietary.
Within Private,
Public and
Hybrid Clouds
Preventing Across the Cyber Attack Lifecycle
1 Breach the Perimeter
Reconnaissance
2 Deliver the Malware
Weaponization
and Delivery
Unauthorized Access
21 | ©2014, Palo Alto Networks. Confidential and Proprietary.
Exploitation
3 Lateral Movement
Installation
4 Exfiltrate Data
Command-and-Control
Unauthorized Use
Actions on
the Objective
HOT TOPICS

Port Based Firewalls, proxies,
VLANs, and ACLs are not enough

Safely Enabling Applications

“Zero Trust” Security Posture
 Reducing the attack surface
 Limiting Data Loss

SSL Decryption

Dealing with Unknowns
 Traffic / Applications
 Malware
 Vulnerabilities / Exploits

Network and Micro Segmentation
22 | © 2015, Palo Alto Networks. Confidential and Proprietary.
NGFW Requirements

Safely Enable Applications

Secure Remote Users

Content and User Aware

Systematically Manage Unknown
Traffic & Threats

SSL Decryption / SSH Control

Inline Prevention

Integration

Automation

Reliable Performance
23 | © 2015, Palo Alto Networks. Confidential and Proprietary.
ZERO TRUST

Forrester Research

“Never trust, always verify”

VLANs / ACLs are not enough

Inspect ALL traffic

User and Content Aware

Threat Prevention
24 | © 2015, Palo Alto Networks. Confidential and Proprietary.
SEGMENTATION

VLANs / ACLs are not enough

Reduce attack surface
 East – West
 Datacenter (App, Web, Dev)

Network
 DMZ, PCI, Users, Data Center
 Sensitive Resources

Datacenter
 Virtual Micro-Segmentation
 Firewall as a Service

Advanced inspection




Threats
Applications
User Identity
Content Identity
25 | © 2015, Palo Alto Networks. Confidential and Proprietary.
Vulnerabilities & Exploits

Greatest Threat!

Can disable anti-malware solutions
 Drive-by-downloads

Unknown / Zero Day
 Block via exploit techniques

Whitelisting does not help
 Good applications can behave badly

Patching
 Only covers known
 Can be cumbersome, difficult on servers

Reduce Attack Surface
 Zero Trust
 Cyber Attack Chain Disruption
26 | © 2015, Palo Alto Networks. Confidential and Proprietary.
MALWARE

Known Threats





Signatures
URLs / IPs
DNS
Problem with signatures…
Unknown Threats





STAP (Specialized Threat Analysis Protection) AKA Virtual Sandboxing
Reduce Attack Surface
Automation
Cloud Intelligence
Reputation & Behavior

Advanced Persistent Threats

Whitelisting



Essential
Patch Mitigation
DNS Sinkhole

Creation
Date
20160112-001-v5i32.exe
01/12/2016 436.39 MB
File Size
Not perfect but great start
Anti-exploit


SEP Definitions File Name
Anti-spyware
27 | © 2015, Palo Alto Networks. Confidential and Proprietary.
Preventing Command-and-Control
URL
Filtering
Dynamic
DNS
DNS
Sinkholing
Detect and
Block
Proactively
Block
Unnecessary
URLs
Dynamic DNS
category
Identify source
of malicious
DNS queries.
Common RAT
C2 signatures
DNS Spyware
The problem: the DNS server appears to be the infected device
Auth DNS Server
Internal DNS Server
???
DNS query for
malicioussite.com?
Infected host
DNS response for
malicioussite.com
122.45.23.26
malicioussite.com
122.45.23.26
29 | ©2012, Palo Alto Networks. Confidential and Proprietary.
DNS “Sinkhole”

DNS sinkhole option to help pinpoint infected hosts on the network

Passive DNS request monitoring to identify new malicious websites or
command and control activity
Internal DNS Server
???
Auth DNS Server
DNS query for
malicioussite.com?
Infected host
Forged DNS response for
malicioussite to
10.10.10.10.
Sinkhole IP
10.10.10.10
30 | ©2012, Palo Alto Networks. Confidential and Proprietary.
SSL Decryption

Required on outbound traffic

Man-in-the-Middle

Data Loss Prevention

Advanced Threats

Application Sub-Control




Known challenges




Facebook
Google
Dropbox / Box
Performance
Cipher support
Application pinning
Selective decryption



Health Care, Banking
Applications – Backups
Destination
31 | © 2015, Palo Alto Networks. Confidential and Proprietary.
Data Loss Prevention

DLP to monitor all stages of data –



90% of DLP solution is remediation



At Rest, In Use, and In Motion
Visible (educate)
Finding sensitive content is easy
Data ownership is challenge
Data Classification

Keep it simple



“Zero Trust”
SaaS & Mobile
Encryption


Often highly political
Reduce attack surface



Automation / Watermarking
Need stakeholders to support


Public, Internal, Confidential
At Rest & In Motion
Authentication
32 | © 2015, Palo Alto Networks. Confidential and Proprietary.
Threat Prevention Best Practices
Create Protections
1
Reduce the
attack surface
2

Whitelist applications or
block high-risk apps

Block known bad IPs
and regions

Block dangerous file
types

Visibility into encrypted
traffic – SSL Decryption

Block dangerous
websites – URL
Filtering




Network Segmentation
33 | ©2012, Palo Alto Networks. Confidential and Proprietary.

Prevent Known
Threats
3
Detect/Prevent
Unknown Threats

Prevent 0-day malware
w/ Dynamic Sandboxing

Prevent 0-day exploits
w/Advanced Endpoint
Protection
Prevent C&C traffic
(anti-spyware)

Discover infected
systems – Botnet Report
Prevent DNS C&C
traffic (anti-spyware)

Blocking unknown traffic
(TCP/UDP)
Pinpoint infected
users with User-ID

Detect data exfiltration
Block known
vulnerabilities,
malware & exploits
with Threat
Prevention
PREVENTING ATTACKS AT EVERY STAGE OF
THE KILL-CHAIN
1
Breach the perimeter
Next-Generation Firewall / VPN
 Visibility into all traffic, including
SSL
 Enable business-critical
applications
 Block high-risk applications
 Block commonly exploited file
types
Threat Prevention
 Block known exploits, malware
and inbound command-andcontrol communications
URL Filtering
 Prevent use of social engineering
 Block known malicious URLs and
IP addresses
Dynamic Sandboxing
 Send specific incoming files and
email links from the internet to
public or private cloud for
inspection
 Detect unknown threats
 Automatically deliver protections
globally
2
Deliver the malware
Next-Generation Endpoint /
Dynamic Sandboxing
 Block known and unknown
vulnerability exploits
 Block known and unknown
malware
 Provide detailed forensics on
attacks
3
Lateral movement
Next-Generation Firewall / VPN
4
Exfiltrate data
Threat Prevention
 Provide ongoing monitoring and
inspection of all traffic between
zones
 Block outbound commandand-control communications
 Block file and data pattern
uploads
 DNS monitoring and sinkholing
Dynamic Sandboxing
URL Filtering
 Establish secure zones with
strictly enforced access control
 Detecting unknown threats
pervasively throughout the
network
 Block outbound
communication to known
malicious URLs and IP
addresses
SYSTEMATICALLY REDUCE THE SCOPE OF YOUR
SECURITY CHALLENGE
Full visibility
0
1
Limit traffic legitimate
apps and sources
2
Eliminate
known threats
3
Eliminate
unknown
threats
Next Steps
Next Steps

Safely Enable Applications

Gap Analysis


Education



Start with TAP/SPAN
Migrate to an Enterprise Platform




Employee
Red Team / Blue Team
Inspect East – West Traffic


Cyber Attack Chain
Automation
Integration
Prevention
Risk Assessments


Free Security Lifecycle Review from Palo Alto Networks
Paid 3rd party assessments and penetration testing
37 | © 2015, Palo Alto Networks. Confidential and Proprietary.
Next-Generation Security Platform
THREAT
INTELLIGENCE
CLOUD
AUTOMATED
NATIVELY
INTEGRATED
NEXT-GENERATION
FIREWALL
39 | ©2014, Palo Alto Networks. Confidential and Proprietary.
EXTENSIBLE
ADVANCED ENDPOINT
PROTECTION
Q & A – Open Discussion – Comments