Cyber Threats: Industry Trends and Actionable Advice Presented by: Elton Fontaine


Page 1: Cyber Threats: Industry Trends and Actionable Advice

Cyber Threats: Industry Trends and Actionable Advice

Presented by: Elton Fontaine

Page 2

Palo Alto Networks Modern Malware

Elton Fontaine: CCIE, CNSE; SE Manager – West Territory

Palo Alto Networks

Page 3

What are we seeing

Page 4

Key Facts and Figures - Americas

4 | ©2014 Palo Alto Networks. Confidential and Proprietary.

• 2,200+ networks analyzed
• 1,600 applications detected
• 31 petabytes of bandwidth
• 4,600+ unique threats
• Billions of threat logs

Page 5

Common Sharing Applications are Heavily Used

Application Variants

How many video and file-sharing applications are needed to run the business?

Source: Palo Alto Networks, Application Usage and Threat Report. May 2014.

Bandwidth Consumed

20% of all bandwidth consumed by file-sharing and video alone

Page 6

High in Threat Delivery; Low in Activity

11% of all threats observed are code execution exploits within common sharing applications

Most commonly used applications: email (SMTP, Outlook Web, Yahoo! Mail), social media (Facebook, Twitter) and file-sharing (FTP)

Source: Palo Alto Networks, Application Usage and Threat Report. May 2014.

Page 7

Low Activity? Effective Security or Something Else?

Page 8

Low Activity: Effective Security or Something Else?

(7) Code execution exploits seen in SMTP, POP3, IMAP and web browsing.

Chart labels: IMAP, SMTP, POP3, Web browsing, Twitter, Facebook

Smoke.loader botnet controller:
• Delivers and manages payload
• Steals passwords
• Encrypts payload
• Posts to URLs
• Anonymizes identity

Page 9

Malware Activity Hiding in Plain Sight: UDP

Diagram labels: End Point Controlled, Blackhole Exploit Kit, ZeroAccess Delivered, $$$, Bitcoin mining, SPAM, ClickFraud

• Distributed computing = resilience
• High-number UDP ports mask its use
• Multiple techniques to evade detection
• Robs your network of processing power

Page 10

Unknown UDP Hides Significant Threat Activity

1 application = 96% of all malware logs

ZeroAccess.Gen command & control traffic represents nearly all malware activity

Source: Palo Alto Networks, Application Usage and Threat Report. May 2014.
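The point of slides 9 and 10 (and of slide 17's advice to identify and inspect unknown traffic) is that one application category, unknown UDP carrying ZeroAccess.Gen command-and-control, can account for nearly all malware logs. As an added example that is not part of the presentation, the Python below ranks constructed threat-log records by application and lists the high-numbered UDP destination ports that merit inspection; the record layout, field names and sample values are assumptions, not the output of any real product.

```python
"""Added example: rank malware logs by application and surface unknown UDP.

The log records below are constructed for illustration; the field layout
(application, protocol, destination port, threat name) is an assumption,
not the format of any real product's threat log.
"""
from collections import Counter

# Constructed sample: 24 unknown-UDP C&C hits on high-numbered ports and a
# single SMTP exploit, mirroring the "1 application = 96%" ratio on the slide.
SAMPLE_LOGS = [
    ("unknown-udp", "udp", 16000 + i, "ZeroAccess.Gen Command and Control Traffic")
    for i in range(24)
] + [
    ("smtp", "tcp", 25, "Mail client code execution exploit (constructed name)"),
]


def malware_share_by_app(logs):
    """Return {application: fraction of all threat logs}, largest share first."""
    counts = Counter(rec[0] for rec in logs)
    total = sum(counts.values())
    if total == 0:
        return {}
    return {app: n / total for app, n in counts.most_common()}


def dominant_app(logs):
    """Return (application, share) for the application with the most logs."""
    shares = malware_share_by_app(logs)
    if not shares:
        return None
    app = next(iter(shares))
    return app, shares[app]


def unknown_udp_high_ports(logs, min_port=1024):
    """Destination ports >= min_port seen in 'unknown-udp' sessions.

    A wide spread of high-numbered ports is the pattern the slide describes
    as masking the botnet; each is a candidate for inspection, or for a
    default-deny policy on unknown UDP.
    """
    return sorted({
        port for app, proto, port, _ in logs
        if app == "unknown-udp" and proto == "udp" and port >= min_port
    })


if __name__ == "__main__":
    app, share = dominant_app(SAMPLE_LOGS)
    print(f"{app}: {share:.0%} of threat logs")  # unknown-udp: 96% of threat logs
    print("high UDP ports to inspect:", unknown_udp_high_ports(SAMPLE_LOGS))
```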

Page 11

Business Applications = Heaviest Exploit Activity

90% of the exploit activity was found in 10 applications

Primary source: Brute force attacks

Source: Palo Alto Networks, Application Usage and Threat Report. May 2014.

Page 12

Target data breach – APTs in action

• Recon on companies Target works with
• Spearphishing third-party HVAC contractor
• Breached Target network with stolen payment system credentials
• Moved laterally within Target network and installed POS malware
• Compromised internal server to collect customer data
• Exfiltrated data to command-and-control servers over FTP
• Maintain access

Page 13

Best Practices

Page 14

Security from Policy to Application

What assumptions drive your security policy?

Does your current security implementation adequately reflect that policy?

Does your current security implementation provide the visibility and insight needed to shape your policy?

Diagram labels: Assumptions, Policy, Implementation, Visibility & Insight

Page 15

Security Perimeter Paradigm: The Enterprise

Diagram labels: Infection, Command and Control, Escalation, Exfiltration, Organized Attackers

Page 16

Is there Malware inside your network today???

Applications provide exfiltration
• Threat communication
• Confidential data

Page 17

Application Visibility: Reduce attack surface

Identify Applications that circumvent security policy.

Full traffic visibility that provides insight to drive policy

Identify and inspect unknown traffic

Page 18

Identify All Users

Do NOT Trust, always verify all access

Base security policy on users and their roles, not IP addresses.

For groups of users, tie access to specific groups of applications

Limit the amount of exfiltration via network segmentation


Page 19

SSL/Port 443: The Universal Firewall Bypass

Challenge: Is SSL used to protect data and privacy, or to mask malicious actions?

Diagram labels (traffic on tcp/443): Freegate, TDL-4, Poison IVY, Rustock, APT1, Ramnit, Bot, Citadel, Aurora, Gozi

Page 20

Evolution of Network Segmentation & Datacenter Security

Layer 7 “Next Generation” Appliance: Port-hopping applications, Malware, Mobile Users – Different entry points into DC?

Layer 1-4 Stateful Firewall: Packet Filtering, ACLs, IP/Port-based firewalling for known traffic?

Page 21

Platform Solution

Page 22

Modern Attacks Are Coordinated

1. Bait the end-user: End-user lured to a dangerous application or website containing malicious content
2. Exploit: Infected content exploits the end-user, often without their knowledge
3. Download Backdoor: Secondary payload is downloaded in the background. Malware installed
4. Establish Back-Channel: Malware establishes an outbound connection to the attacker for ongoing control
5. Explore & Steal: Remote attacker has control inside the network and escalates the attack

Page 23

Coordinated Threat Prevention: An Integrated Approach to Threat Prevention

Reduce Attack Surface

Prevention technologies shown: App-ID, URL, IPS Threat Prevention, Spyware, AV, Files, WildFire

Attack stages shown: Bait the end-user, Exploit, Download Backdoor, Establish Back-Channel, Explore & Steal

Controls mapped across those stages:
• Block high-risk apps
• Block known malware sites
• Block the exploit
• Prevent drive-by-downloads
• Detect unknown malware
• Block malware
• Block spyware, C&C traffic
• Block C&C on non-standard ports
• Block malware, fast-flux domains
• Block new C&C traffic

Coordinated intelligence to detect and block active attacks based on signatures, sources and behaviors

Page 24

Adapt to Day-0 threats

Threat Intelligence Sources: WildFire Users, WildFire (Cloud, On-Prem)

Protections shown: WildFire Signatures, Anti-C&C Signatures, Malware URL Filtering, DNS Signatures, AV Signatures

Update intervals shown: ~30 Minutes, Daily, Daily, Constant, 1 Week

Page 25

Contextual Awareness

Page 26