Palo Alto Networks Modern Malware. Cory Grant, Regional Sales Manager, Palo Alto Networks

Page 1:

Palo Alto Networks Modern Malware

Cory Grant, Regional Sales Manager

Palo Alto Networks

Page 2:

What are we seeing

Page 3:

Key Facts and Figures - Americas

3 | ©2014 Palo Alto Networks. Confidential and Proprietary.

• 2,200+ networks analyzed

• 1,600 applications detected

• 31 petabytes of bandwidth

• 4,600+ unique threats

• Billions of threat logs

Page 4:

Common Sharing Applications are Heavily Used


Application Variants: How many video and file-sharing applications are needed to run the business?

Bandwidth Consumed: 20% of all bandwidth consumed by file-sharing and video alone

Source: Palo Alto Networks, Application Usage and Threat Report. May 2014.

Page 5:

High in Threat Delivery; Low in Activity


11% of all threats observed are code execution exploits within common sharing applications

Most commonly used applications: email (SMTP, Outlook Web, Yahoo! Mail), social media (Facebook, Twitter) and file-sharing (FTP)

Source: Palo Alto Networks, Application Usage and Threat Report. May 2014.

Page 6:

Low Activity? Effective Security or Something Else?


Page 7:

Low Activity: Effective Security or Something Else?


Code execution exploits seen in SMTP, POP3, IMAP and web browsing.

[Chart: exploit activity by application: IMAP, SMTP, POP3, web browsing, Twitter, Facebook]

Smoke.loader botnet controller:

• Delivers and manages payload

• Steals passwords

• Encrypts payload

• Posts to URLs

• Anonymizes identity

Page 8:

Malware Activity Hiding in Plain Sight: UDP / ZeroAccess Botnet

[Diagram: Blackhole Exploit Kit → ZeroAccess delivered → end point controlled → $$$ (Bitcoin mining, spam, click fraud)]

• Distributed computing = resilience

• High number UDP ports mask its use

• Multiple techniques to evade detection

• Robs your network of processing power
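The slide's point is that a peer-to-peer bot hides among ordinary UDP traffic because it spreads its chatter across many high ports. The following is an added example (not Palo Alto Networks code and not part of the deck) of how a defender can surface that pattern in flow logs: score each internal host on how many distinct external peers and distinct unprivileged UDP ports it talks to. The address ranges, allow-listed ports, thresholds and flow records are all constructed for the example.

```python
"""Spotting P2P-style botnet chatter in flow logs (added example, not Palo Alto Networks code).

A bot with a peer-to-peer command channel over many high UDP ports looks unlike a
workstation: one internal host sends small datagrams to dozens of distinct external
peers on dozens of distinct unprivileged ports. Thresholds, address ranges and the
flow records below are constructed; tune them against your own baseline.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Flow = Tuple[str, str, str, int, int]   # (src_ip, dst_ip, proto, dst_port, bytes)

# UDP services a workstation is expected to use; excluded from fan-out scoring (constructed allow-list)
EXPECTED_UDP_PORTS = {53, 123, 443, 500, 4500}

def udp_fanout(flows: Iterable[Flow], internal_prefix: str = "10.") -> Dict[str, dict]:
    """Per internal source host: distinct external UDP peers, distinct destination ports, bytes."""
    stats: Dict[str, dict] = defaultdict(lambda: {"peers": set(), "ports": set(), "bytes": 0})
    for src, dst, proto, dport, nbytes in flows:
        if proto != "udp" or not src.startswith(internal_prefix) or dst.startswith(internal_prefix):
            continue                          # only internal -> external UDP is scored
        if dport in EXPECTED_UDP_PORTS:
            continue
        s = stats[src]
        s["peers"].add(dst)
        s["ports"].add(dport)
        s["bytes"] += nbytes
    return stats

def flag_p2p_hosts(flows: Iterable[Flow], min_peers: int = 20, min_ports: int = 10) -> List[str]:
    """Hosts whose external UDP traffic fans out to many peers on many distinct high ports."""
    flagged = []
    for host, s in udp_fanout(flows).items():
        high_ports = {p for p in s["ports"] if p >= 1024}
        if len(s["peers"]) >= min_peers and len(high_ports) >= min_ports:
            flagged.append(host)
    return sorted(flagged)

def constructed_flows() -> List[Flow]:
    """Constructed sample: a normal host, a host talking to one game server, and a P2P bot."""
    flows: List[Flow] = []
    for _ in range(40):                                   # 10.0.0.5: DNS (internal resolver) and NTP only
        flows.append(("10.0.0.5", "10.0.0.2", "udp", 53, 80))
    flows.append(("10.0.0.5", "203.0.113.10", "udp", 123, 76))
    for _ in range(60):                                   # 10.0.0.9: many packets, but a single peer and port
        flows.append(("10.0.0.9", "198.51.100.7", "udp", 27015, 120))
    for i in range(30):                                   # 10.0.0.7: 30 peers on 30 distinct high ports
        flows.append(("10.0.0.7", f"192.0.2.{i + 1}", "udp", 20000 + 37 * i, 64))
    return flows

if __name__ == "__main__":
    for host, s in udp_fanout(constructed_flows()).items():
        print(f"{host}: peers={len(s['peers'])} ports={len(s['ports'])} bytes={s['bytes']}")
    print("flagged:", flag_p2p_hosts(constructed_flows()))
```

The single-peer host with many packets is deliberately not flagged: volume alone is not the signal, fan-out across peers and ports is. In practice the allow-list and the two thresholds should come from a baseline of your own flow data, not from the constants above.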

Page 9:

The Two Faces of SSL

Challenge: Is SSL used to protect data and privacy, or to mask malicious actions?

Good? Bad?

[Malware families shown using SSL: TDL-4, Poison Ivy, Rustock, APT1, Ramnit, Citadel, Aurora, BlackPOS]

Page 10:

SSL: Protection, Evasion or Heartbleed Risk?

Source: Palo Alto Networks, Application Usage and Threat Report. Jan. 2013.

32% (539) of the applications found can use SSL. What is your exposure?


Page 11:

Business Applications = Heaviest Exploit Activity

Source: Palo Alto Networks, Application Usage and Threat Report. May 2014.

Page 12:

Target data breach – APTs in action

[Diagram of the attack chain, with "Maintain access" at its centre]

• Recon on companies Target works with

• Spearphishing third-party HVAC contractor

• Breached Target network with stolen payment system credentials

• Moved laterally within Target network and installed POS malware

• Compromised internal server to collect customer data

• Exfiltrated data to command-and-control servers over FTP


Page 14:

Best Practices

Page 15:

Security from Policy to Application

What assumptions drive your security policy?

Does your current security implementation adequately reflect that policy?

Does your current security implementation provide the visibility and insight needed to shape your policy?

[Diagram: Assumptions → Policy → Implementation → Visibility & Insight]

Page 16:

Security Perimeter Paradigm

[Diagram: Organized Attackers → The Enterprise: Infection → Command and Control → Escalation → Exfiltration]

Page 17:

Is there malware inside your network today?

Page 18:

Application Visibility

Reduce attack surface

Identify Applications that circumvent security policy.

Full traffic visibility that provides insight to drive policy

Identify and inspect unknown traffic

Page 19:

Identify All Users

Do NOT Trust, always verify all access

Base security policy on users and their roles, not IP addresses.

For groups of users, tie access to specific groups of applications

Limit the amount of exfiltration via network segmentation
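The two preceding slides (Application Visibility, Identify All Users) describe a policy model rather than a product feature: decide by identified user and role instead of IP address, grant groups of users groups of applications, inspect rather than allow unknown traffic, and segment so that a compromised host cannot reach everything. The following is an added example (not Palo Alto Networks code and not from the deck) of that model as a small deny-by-default evaluator. The roles, application groups, zones and flows are constructed; in a real deployment the user-to-role mapping would come from the directory and the application name from content inspection.

```python
"""User- and application-based access policy (added example, not Palo Alto Networks code).

Identify the user, not the IP; tie roles to application groups; deny unknown
applications so they get inspected; restrict each role to its network segments.
All group names, applications, zones and flows below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Application groups a role may be granted (constructed).
APP_GROUPS: Dict[str, Set[str]] = {
    "collaboration": {"outlook-web", "ms-teams", "sharepoint"},
    "engineering": {"ssh", "git", "jira"},
    "pos-backend": {"pos-sync", "ms-sql"},
}

# Role -> (allowed application groups, zones the role may reach) (constructed).
ROLE_POLICY: Dict[str, Tuple[Set[str], Set[str]]] = {
    "employee": ({"collaboration"}, {"corp"}),
    "developer": ({"collaboration", "engineering"}, {"corp", "dev"}),
    "pos-service": ({"pos-backend"}, {"pos"}),
}

# Identity source: who is logged on (would come from the directory in practice; constructed).
USER_ROLES: Dict[str, str] = {
    "alice": "employee",
    "bob": "developer",
    "hvac-contractor": "employee",
    "svc-pos": "pos-service",
}

@dataclass(frozen=True)
class Flow:
    user: Optional[str]   # None when no user could be identified for the source address
    app: str              # application as identified by content inspection, "unknown-tcp" if none
    dst_zone: str         # network segment of the destination

def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return (verdict, reason). Everything not explicitly allowed is denied."""
    if flow.user is None:
        return "deny", "unidentified user"
    role = USER_ROLES.get(flow.user)
    if role is None:
        return "deny", f"no role for user {flow.user}"
    if flow.app.startswith("unknown-"):
        return "deny", "unknown application: inspect before allowing"
    groups, zones = ROLE_POLICY[role]
    allowed_apps = set().union(*(APP_GROUPS[g] for g in groups))
    if flow.app not in allowed_apps:
        return "deny", f"{flow.app} is outside the application groups of role {role}"
    if flow.dst_zone not in zones:
        return "deny", f"zone {flow.dst_zone} is outside the segments of role {role}"
    return "allow", f"{flow.app} permitted for role {role} into zone {flow.dst_zone}"

def evaluate_all(flows: List[Flow]) -> List[Tuple[str, str]]:
    return [evaluate(f) for f in flows]

# Constructed flows exercising each branch of the policy.
SAMPLE_FLOWS = [
    Flow("alice", "outlook-web", "corp"),        # allow
    Flow("hvac-contractor", "pos-sync", "pos"),  # deny: contractor role has no POS application group
    Flow("bob", "ssh", "pos"),                   # deny: developer may not reach the POS segment
    Flow("svc-pos", "ms-sql", "pos"),            # allow
    Flow("bob", "unknown-tcp", "corp"),          # deny: unknown application
    Flow(None, "git", "dev"),                    # deny: no identified user
]

if __name__ == "__main__":
    for f, (verdict, why) in zip(SAMPLE_FLOWS, evaluate_all(SAMPLE_FLOWS)):
        print(f"{verdict:5} {str(f.user):16} {f.app:12} -> {f.dst_zone:5} ({why})")
```

The order of the checks is the point: identity first, then the unknown-application check, then application group, then segment. A rule written the other way round (by IP and port) would have no way to express "the contractor account may not talk to the POS segment", which is exactly the gap the Target slide illustrates.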


Page 20:

SSL/Port 443: The Universal Firewall Bypass

Challenge: Is SSL used to protect data and privacy, or to mask malicious actions?

[Diagram: applications and malware families shown riding tcp/443: Freegate, TDL-4, Poison Ivy, Rustock, APT1, Ramnit, Bot, Citadel, Aurora, Gozi]
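The slide's challenge (and the earlier "Two Faces of SSL" slide) comes down to one question a port-based rule cannot answer: is the traffic on tcp/443 actually TLS, and if so, to which server? The following is an added example (not Palo Alto Networks code and not from the deck) of the check a content-inspecting device makes on the first client payload of a flow: validate the TLS record header instead of trusting the port, flag plaintext on 443 and TLS on other ports, and extract the SNI hostname from a ClientHello so the destination can be matched against domain intelligence. The payloads and ports are constructed; `build_client_hello` exists only to produce test input.

```python
"""Is the traffic on tcp/443 really TLS? (added example, not Palo Alto Networks code)

Port 443 is allowed almost everywhere, so anything can be sent over it. Look at
the bytes instead of the port: flag non-TLS payloads on 443 and TLS on other
ports, and pull the server_name out of a ClientHello. All samples are constructed.
"""
from typing import Optional, Tuple

TLS_RECORD_TYPES = {0x14, 0x15, 0x16, 0x17}   # ChangeCipherSpec, Alert, Handshake, ApplicationData

def looks_like_tls(payload: bytes) -> bool:
    """True if the payload starts with a plausible TLS record header."""
    return (len(payload) >= 5 and payload[0] in TLS_RECORD_TYPES
            and payload[1] == 0x03 and payload[2] <= 0x04)

def parse_sni(payload: bytes) -> Optional[str]:
    """Return the server_name from a TLS ClientHello, or None if absent or not a ClientHello."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:      # Handshake record carrying a ClientHello
            return None
        p = 43                                             # 5 record + 4 handshake + 2 version + 32 random
        p += 1 + payload[p]                                # session id
        p += 2 + int.from_bytes(payload[p:p + 2], "big")   # cipher suites
        p += 1 + payload[p]                                # compression methods
        end = p + 2 + int.from_bytes(payload[p:p + 2], "big")
        p += 2
        while p + 4 <= end:
            ext_type = int.from_bytes(payload[p:p + 2], "big")
            ext_len = int.from_bytes(payload[p + 2:p + 4], "big")
            p += 4
            if ext_type == 0:                              # server_name: list len(2), type(1), len(2), name
                name_len = int.from_bytes(payload[p + 3:p + 5], "big")
                return payload[p + 5:p + 5 + name_len].decode("ascii", "replace")
            p += ext_len
    except IndexError:                                     # truncated or malformed: treat as no SNI
        pass
    return None

def classify(port: int, payload: bytes) -> Tuple[str, Optional[str]]:
    """Verdict for the first client payload of a flow, plus the SNI when present."""
    tls = looks_like_tls(payload)
    sni = parse_sni(payload) if tls else None
    if port == 443 and not tls:
        return "alert: non-TLS payload on tcp/443", None
    if port != 443 and tls:
        return f"review: TLS on non-standard port {port}", sni
    if tls and sni is None:
        return "review: TLS without SNI (cannot match domain intelligence)", None
    return "ok: TLS", sni

def build_client_hello(hostname: str) -> bytes:
    """Minimal TLS 1.2 ClientHello carrying only a server_name extension (constructed test input)."""
    host = hostname.encode("ascii")
    entry = b"\x00" + len(host).to_bytes(2, "big") + host
    sni_ext = (b"\x00\x00" + (len(entry) + 2).to_bytes(2, "big")
               + len(entry).to_bytes(2, "big") + entry)
    body = (b"\x03\x03" + bytes(32)          # client version, random (zeros for the example)
            + b"\x00"                        # empty session id
            + b"\x00\x02\x00\x2f"            # one cipher suite
            + b"\x01\x00"                    # one compression method (null)
            + len(sni_ext).to_bytes(2, "big") + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

# Constructed first-packet samples: (destination port, client payload)
SAMPLES = [
    (443, build_client_hello("mail.example.com")),
    (443, b"GET /beacon HTTP/1.1\r\nHost: example.test\r\n\r\n"),   # plaintext riding the 443 allow rule
    (8443, build_client_hello("updates.example.net")),
    (443, b"\x17\x03\x03\x00\x05hello"),                         # TLS record but no ClientHello seen
]

if __name__ == "__main__":
    for port, payload in SAMPLES:
        verdict, sni = classify(port, payload)
        print(f"tcp/{port:<5} {verdict}" + (f" sni={sni}" if sni else ""))
```

The second sample is the "universal bypass" case from the slide title: a plain HTTP request that a port-based rule would wave through as "SSL". The third shows the other half of the problem, TLS on a port a rule would not associate with it, which is where the deck's later "block C&C on non-standard ports" fits.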

Page 21:

Evolution of Network Segmentation & Datacenter Security

• Layer 7 “Next Generation” Appliance: port-hopping applications, malware, mobile users – different entry points into the DC?

• Layer 1-4 Stateful Firewall: packet filtering, ACLs, IP/port-based firewalling for known traffic?

Page 22:

Platform Solution

Page 23:

Modern Attacks Are Coordinated

1. Bait the end-user: end-user lured to a dangerous application or website containing malicious content

2. Exploit: infected content exploits the end-user, often without their knowledge

3. Download Backdoor: secondary payload is downloaded in the background; malware installed

4. Establish Back-Channel: malware establishes an outbound connection to the attacker for ongoing control

5. Explore & Steal: remote attacker has control inside the network and escalates the attack

Page 24:

Coordinated Threat Prevention: An Integrated Approach to Threat Prevention

Reduce Attack Surface

Controls: App-ID, URL, IPS Threat Prevention (IPS, Spyware, AV), Files (WildFire)

Attack stages: Bait the end-user, Exploit, Download Backdoor, Establish Back-Channel, Explore & Steal

Countermeasures shown in the matrix:

• Block high-risk apps

• Block known malware sites

• Block the exploit

• Prevent drive-by-downloads

• Detect unknown malware

• Block malware

• Block spyware, C&C traffic

• Block C&C on non-standard ports

• Block malware, fast-flux domains

• Block new C&C traffic

Coordinated intelligence to detect and block active attacks based on signatures, sources and behaviors

Page 25:

Adapt to Day-0 threats

[Diagram: Threat Intelligence Sources: WildFire Users → WildFire (Cloud) → On-Prem]

Signature and intelligence feeds: Anti-C&C Signatures, Malware URL Filtering, DNS Signatures, AV Signatures, WildFire Signatures

Update cadences shown on the slide: ~30 minutes, daily, daily, constant, 1 week
