A Practical Approach to Advanced Threat Detection and Prevention
Agenda
The Palo Alto Networks approach to threat prevention
Zero-day exploit detection with WildFire and PAN-OS 6.0
The rise of mobile malware and attacks on virtualized infrastructure
WildFire Appliance (WF-500) sizing and deployment
3rd party integration with WildFire
Passive DNS and DNS sinkholing
Client Exploit
Command/Control
Advanced threat requires a solution, not point products
HTTP
SSL
DNS
URL / C&C
EXE, Java, .LNK, DLL
Known viruses and exploits
High-risk applications
1. Reduce the attack surface
2. Detect the unknown
3. Create protections
• Whitelist applications or block high-risk apps
• Block known viruses, exploits
• Block commonly exploited file types
• Analysis of all application traffic
• SSL decryption
• WildFire sandboxing of exploitive files
Detection and blocking of C&C via:
• Bad domains in DNS traffic
• URLs (PAN-DB)
• C&C signatures (anti-spyware)
Successful spear-phishing email
Post-compromise activity
Failed attempts
Protections
Using application control against advanced threats
Example 1: Self-updating malware
Repeated pattern of DNS, HTTP, and unknown traffic
The unknown proved to be the most important traffic
A closer look at the unknown session…
Unknown traffic is frequently caused by malware using custom encryption, proprietary protocols or file transfers over raw sockets
Example 2: Data exfiltration over DNS
Unknown traffic traversing the DNS port
HTTP using registered/ephemeral ports
Well, Wireshark thinks it’s DNS, so…
It is essential to control by application, rather than by port
Other examples of DNS tunneling
tcp-over-dns
dns2tcp
Iodine
Heyoka
OzymanDNS
NSTX
Takes advantage of recursive queries to pass encapsulated
TCP messages to/from a remote DNS server
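Detection logic for the tunneling pattern described above, added here as an illustration (not Palo Alto Networks code): it groups a constructed DNS query log by parent domain and flags domains with many distinct subdomains, payload-sized labels and data-carrying record types. The log lines, thresholds and the two-label parent-domain rule are assumptions.

```python
from collections import defaultdict

# Constructed DNS query log: (client IP, query type, queried name). Not real traffic.
SAMPLE_QUERIES = [
    ("10.0.1.55", "A", "www.example.com"),
    ("10.0.1.55", "A", "mail.example.com"),
    ("10.0.1.88", "A", "cdn.example.org"),
    ("10.0.1.77", "TXT", "a9f3c1d2e4b5f6a7b8c9d0e1f2a3b4c5d6e7f8a9.tun.example.net"),
    ("10.0.1.77", "TXT", "0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c.tun.example.net"),
    ("10.0.1.77", "NULL", "1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d.tun.example.net"),
    ("10.0.1.77", "TXT", "2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e.tun.example.net"),
]

def parent_domain(qname):
    # Assumption: the registered domain is the last two labels (a public-suffix list is better).
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def longest_label(qname):
    return max(len(label) for label in qname.split("."))

def tunnel_candidates(queries, min_unique=3, min_label_len=30, min_long_share=0.8):
    """Return {parent domain: [clients]} for domains whose query pattern looks like a tunnel:
    many distinct subdomains, payload-sized labels and bulk-carrying record types."""
    stats = defaultdict(lambda: {"names": set(), "clients": set(), "long": 0, "bulk": 0, "total": 0})
    for client, qtype, qname in queries:
        s = stats[parent_domain(qname)]
        s["total"] += 1
        s["names"].add(qname)        # each chunk of tunneled data needs a new, unique name
        s["clients"].add(client)
        if longest_label(qname) >= min_label_len:
            s["long"] += 1           # upstream payload is encoded in long labels
        if qtype in ("TXT", "NULL", "CNAME"):
            s["bulk"] += 1           # record types that can carry arbitrary data downstream
    flagged = {}
    for domain, s in stats.items():
        if (len(s["names"]) >= min_unique
                and s["long"] / s["total"] >= min_long_share
                and s["bulk"] > 0):
            flagged[domain] = sorted(s["clients"])
    return flagged

if __name__ == "__main__":
    print(tunnel_candidates(SAMPLE_QUERIES))  # {'example.net': ['10.0.1.77']}
```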
What’s new in WildFire™
What’s new in WildFire
Support for additional file types and zero-day exploit detection
Support for multi-OS analysis
Reporting improvements
• PAN-OS embedded reports
• Report incorrect verdict
• Manual malware submission (WF-500)
• Static analysis, mutexes, services, registry key values, etc.
0-day Windows malware
0-day exploits
0-day Android malware
WildFire Subscription in PAN-OS 6.0

Capability                                                              WildFire   WildFire Subscription
WildFire analysis of PE files                                           yes        yes
Daily signature feed (TP subscription required)                         yes        yes
WildFire logs integrated within PAN-OS                                  yes        yes
WildFire analysis of all other file types (PDF, Office, APK*, Java)     -          yes
30-min signature feed                                                   -          yes
WildFire API* key                                                       -          yes
Use of WF-500                                                           -          yes

*APK analysis and WildFire API not yet available on WF-500
Malware discovered by WildFire per week
PDF/Office/Java are lower in numbers compared to EXE, but when they hit, it is bad news! EXE is extremely high in count due to the lower barrier to entry and the ease of use of packers. PDF/Office are commonly used in targeted spear-phishing emails. Java is commonly used in drive-by download exploits.

File type   Malware per week
EXE/DLL     221,000
APK         300
Office      110
Java        50
PDF         50
The emerging mobile malware landscape
The mobile malware problem
Soft target: Many vulnerabilities on older versions of Android (“Beware of employees’ cheap Android phones”, NW 2/21/14). “Users are 3 times more likely to succumb to phishing attacks on their phones than desktop computers” (Aberdeen Group), and “90% of respondents would not open a suspicious file on a PC, whereas only 60% of tablet and 56% of smartphone users would exercise the same caution” (Symantec study).
Powerful platform: Data on the handset is at risk, but so is the rest of the corporate network. Mobile devices are PCs on the network – any attack launched from a compromised PC can theoretically be launched from an Android device.
Mobile malware in use by APT
First known use of APK attachments in APT spear-phishing emails from Chinese actor groups
Email sent March 24th 2013 to Uyghur activists
Click the app and…
Contacts (stored both on the phone and the SIM card)
Call logs
SMS messages
Geo-location
Phone data (phone number, OS version, phone model, SDK version)
This is what you see… While this is stolen…
Attacker’s C2 server
Web-based C2 Control Panel Remote Desktop
Why focus on APK?
Nearly 100% of all new mobile malware targets Android
Contributing factors:
Large global market share
Slow rate of OS updates on existing platforms
Very easy to run arbitrary software on Android (no jailbreak required)
Many Android app stores with little-to-no quality control
Source: forbes.com (3/24/2014)
Current popular mobile malware techniques
Coaxing the download
Mobile malware attached to spear-phishing emails to lure an installation
Masquerading as popular apps (sometimes as “free” versions of non-free software)
Abusing user ignorance
Mobile malware asks for many permissions, knowing the user will quickly click through (similar to the SSL click-through problem)
Mobile malware asks for the ability to install additional applications, which is equivalent to giving near-total permission to the malware
Causing mayhem
Data theft (contacts, email, data)
Espionage (audio/video recording, location)
Financial fraud (banking credential theft, SMS scams)
Detect mobile malware on the network and the endpoint
The Palo Alto Networks solution offers three opportunities to detect mobile malware:
Antivirus APK signatures detect the download of known Android malware over the network
WildFire detects the download of unknown Android malware over the network
GlobalProtect MSM detects the presence of known malware already on the device
GlobalProtect MSM
GlobalProtect Gateway
Detect download of known malware
Detect presence of known malware on endpoint
WildFire™ Content
Unknown APK upload to WildFire
Detect download of unknown malware
WildFire Appliance (WF-500)
Enables a private cloud deployment of WildFire
Preferred choice for sensitive networks where files cannot leave the local network for dynamic analysis
Architecturally equivalent to public cloud deployment
Web Sandbox
WildFire™
WildFire cloud or appliance
Email Sandbox File share Sandbox
Central manager
Manual analysis
APT Add-on Approach WildFire Approach
WF-500 Sizing
WildFire Appliance (WF-500) is sized to meet the analysis demands of large networks
Firewalls analyze millions of sessions
WF-500 statically prescreens most files
Remainder of files are dynamically analyzed
Tip for accurate sizing prediction – use the file blocking profile
All executables, Java, and APK files are sandboxed
PDF and Office documents are “pre-screened” using static analysis
About 10-20% make it to dynamic analysis
All sessions carrying file transfers
Unknown files sent to WildFire
Requires dynamic analysis
Known malware blocked
Hundreds
Millions
Ingress traffic
Threats facing virtualized environments
New Passive DNS Monitoring
Passive DNS sensors collect the non-recursive DNS queries performed by the local DNS server
Anonymous (no client IPs)
Low data rate (usually up to 1 MB per minute at most)
Builds a large database of domain resolution history, including all resource record types (A, AAAA, MX, NS, TXT, etc.)
Malicious domains can be “predicted” based on a variety of signals:
NX then A, or A then NX
Shared known bad IP
Shared known bad NS
Name heuristics such as character randomness, domain within a domain, etc.
Malicious domains added daily to DNS signature set in Anti-spyware profile
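An added illustration of the prediction signals listed above, not Palo Alto Networks code: each domain in a constructed passive DNS history is checked for an NXDOMAIN-then-A transition, a shared known-bad IP or NS, a brand name nested inside another domain, and a high-entropy first label. The reference sets, history records and the entropy threshold are assumptions.

```python
import math
from collections import Counter

# Constructed reference data (TEST-NET addresses and made-up names).
KNOWN_BAD_IPS = {"203.0.113.66"}
KNOWN_BAD_NS = {"ns1.bad-ns-example.net"}
PROTECTED_NAMES = {"bank-example.com"}

# Constructed passive DNS history: (day, domain, record type, data). Not real observations.
PDNS = [
    (1, "www.example.com", "A", "198.51.100.10"),
    (1, "www.example.com", "NS", "ns1.example.com"),
    (2, "update-svc.example-evil.net", "A", "203.0.113.66"),
    (2, "update-svc.example-evil.net", "NS", "ns1.bad-ns-example.net"),
    (3, "bank-example.com.secure-login-host.net", "A", "198.51.100.77"),
    (1, "xk7qz2vb9pw4.example-dga.org", "NXDOMAIN", ""),
    (4, "xk7qz2vb9pw4.example-dga.org", "A", "198.51.100.78"),
]

def entropy(text):
    """Shannon entropy in bits per character; random-looking labels score high."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def signals(domain, records):
    """Collect the prediction signals named on the slide for one domain."""
    sig, first_seen = set(), {}
    for day, d, rtype, data in records:
        if d != domain:
            continue
        first_seen[rtype] = min(first_seen.get(rtype, day), day)
        if rtype == "A" and data in KNOWN_BAD_IPS:
            sig.add("shared_bad_ip")
        if rtype == "NS" and data in KNOWN_BAD_NS:
            sig.add("shared_bad_ns")
    if {"NXDOMAIN", "A"} <= first_seen.keys() and first_seen["NXDOMAIN"] < first_seen["A"]:
        sig.add("nx_then_a")  # unresolvable name that later received an address
    labels = domain.lower().split(".")
    for name in PROTECTED_NAMES:  # domain within a domain: brand used as inner labels
        nl = name.split(".")
        if any(labels[i:i + len(nl)] == nl for i in range(len(labels) - len(nl))):
            sig.add("domain_within_domain")
    if len(labels[0]) >= 10 and entropy(labels[0]) > 3.5:  # character randomness (threshold assumed)
        sig.add("random_name")
    return sig

def predict(records):
    """Map every domain that raises at least one signal to its sorted signal list."""
    out = {}
    for _, domain, _, _ in records:
        s = signals(domain, records)
        if s:
            out[domain] = sorted(s)
    return out
```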
Configuring Passive DNS
Passive DNS is enabled via the anti-spyware profile:
New local DNS sinkholing
Discover and confirm compromised hosts via DNS
Trace back to the actual machine without client DNS visibility
Safely block malicious DNS queries and redirect to sinkhole for intel collection
Malicious DNS / C2
Compromised host Local DNS
Sinkhole 10.0.1.201
Where is badguy.com?
badguy.com = 10.0.1.201
Command-and-control traffic
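A model of the sinkhole exchange on the slide, added here as an illustration (not Palo Alto Networks code): the local DNS server's recursive query hides the client, so the sinkhole answer for badguy.com is what lets the firewall attribute the follow-on connection to the real host. The upstream addresses, the resolver address and the log layout are assumptions; 10.0.1.201 and badguy.com come from the slide.

```python
SINKHOLE_IP = "10.0.1.201"      # sinkhole address from the slide
LOCAL_DNS = "10.0.1.10"         # constructed local resolver address
UPSTREAM_DNS = "198.51.100.53"  # constructed external resolver the local DNS recurses to
BAD_DOMAINS = {"badguy.com"}    # from the slide; in PAN-OS this is the anti-spyware DNS signature set
UPSTREAM_ANSWERS = {"www.example.com": "198.51.100.10", "badguy.com": "203.0.113.5"}  # constructed

def resolve(qname):
    """Answer a query with the sinkhole policy applied: names on the bad list (and their
    subdomains) resolve to the sinkhole instead of the attacker's real address."""
    name = qname.lower().rstrip(".")
    if any(name == bad or name.endswith("." + bad) for bad in BAD_DOMAINS):
        return SINKHOLE_IP
    return UPSTREAM_ANSWERS.get(name)

def lookup_and_connect(client, qname, traffic_log):
    """Model what the perimeter firewall sees: first the recursive query, which carries the
    local DNS server's address rather than the client's, then the client's own connection
    to whatever address it was given. Returns the answer the client received."""
    answer = resolve(qname)
    traffic_log.append((LOCAL_DNS, UPSTREAM_DNS, 53))   # client identity is lost at this hop
    if answer:
        traffic_log.append((client, answer, 443))       # this hop names the real machine
    return answer

def compromised_hosts(traffic_log):
    """Hosts that connected to the sinkhole: the trace-back the slide describes."""
    return sorted({src for src, dst, _ in traffic_log if dst == SINKHOLE_IP})

if __name__ == "__main__":
    log = []
    lookup_and_connect("10.0.1.55", "badguy.com", log)
    lookup_and_connect("10.0.1.88", "www.example.com", log)
    print(compromised_hosts(log))  # ['10.0.1.55']
```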
Integrating network and host indicators
How it works
WildFire™
Samples
WildFire logs
Bit9 Central Manager
WildFire logs (via device management API)
WildFire forensics (via WildFire API)
Clients running agents
• Interrogations using host-based indicators of compromise
• Whitelist/blacklisting by file hash
Splunk App for Palo Alto Networks
Integrating network and host indicators