AdvancedPersistentThreat and Modern Malware. Technical Manager Palo Alto Networks

Transcription

1 AdvancedPersistentThreat and Modern Malware Jones Leung Technical Manager Palo Alto Networks

2 What are the APTs? Definition (WikiPedia): Advanced persistent threat (APT) usually refers to a group, such as a foreign government, with both the capability and the intent to persistently and effectively target a specific entity. The term is commonly used to refer to cyber threats, in particular that of Internet-enabled espionage, but applies equally to other threats such as that of traditional espionage or attack. Other recognised attack vectors include infected media, supply chain compromise, and social engineering. Individuals, such as an individual hacker, are not usually referred to as an APT as they rarely have the resources to be both advanced and persistent even if they are intent on gaining access to, or attacking, a specific target. Page 2

3 Some recent examples Page 3

4 The 5 steps of APT bait the end user exploit download back channel steal Malware download is still the most important step, but it is not alone anymore! Page 4

5 Attack Stages of APT and Modern Malware Targeted malicious sent to user Malicious website exploits client-side vulnerability User clicks on link to a malicious website Drive-by download of malicious payload Page 5

6 Why Existing Solutions cannot help? Page 6

7 Layer4 Control is Outdated! Traditional Firewall is too easy to be bypassed! Ports Applications IP Addresses Users Packets Content Page Palo Alto Networks. Proprietary and Confidential.

8 And most of the Security Protections are for Datacenter side Page 8

9 Traditional Products rely too much on Honeypots Page 9

10 Or Network Sensors Page 10

11 Or even a Lovely Cloud Page 11 Which is a cluster of incumbent solutions, feeding expired or useless information to you (e.g. URL filtering solutions, firewall solutions)

12 And the result is 3 months Page 12

13 Hackers have changed Hackers are increasingly shifting focus from infecting large numbers of endpoints to infecting targeted hosts to steal valuable data Hackers are targeting end users instead of attacking the data center directly Hackers are using client side vulnerabilities to bypass traditional anti-malware protections A new breed of security infrastructure needed! Page 13

14 How can Palo Alto Networks Help you? bait the end user exploit download back channel steal App-ID High Performance, Purpose-built Platform Page 14

15 App-ID Visibility and Control What is the traffic and should it be allowed? SSL decrypted based on policy HTTP Tunnel decode Google Talk - signature All Palo Alto Networks security begins with an integrated full-stack App-ID File Transfer (BLOCKED) analysis of all traffic regardless of port, protocol or evasion Always the 1 st task performed All traffic, all ports Always on Page Palo Alto Networks. Proprietary and Confidential.

16 Our Research Team Discover Threat Our Research Team is active - Many of the IPS vendors have big research team for writing signatures - Our research team also discover vulnerabilities for zero day protection Palo Alto Networks Discovering Microsoft Vulnerabilities in the past 4 years IPS Vendor A IPS Vendor B FW Vendor A IPS Vendor C FW Vendor B Palo Alto Networks IPS Vendor A IPS Vendor B FW Vendor A FW Vendor C Source: OSVDB; as of June 15th 2011 Discovering Adobe Vulnerabilities in the past 4 years IPS Vendor C FW Vendor B FW Vendor C Source: OSVDB; as of August 15th Palo Alto Networks. Proprietary and Confidential.

17 A Primer on Palo Alto Networks Visibility and Control Integrated Threat Prevention What is the traffic and should it be allowed? Stop threats within allowed traffic App-ID SSL HTTP Tunnel Google Talk File Transfer Threat Preven ntion IPS Proven 93.4% block rate and performance URL Filtering Malware sites, unknown and newly registered sites Anti-Malware Millions of samples, 50k analyzed per day Content Control file types, downloads, specific content Always the 1 st task performed All traffic, all ports Always on Single unified engine (single-pass) Always in application and user context Independent of port or evasion Page Palo Alto Networks. Proprietary and Confidential.

18 That s NOT Enough for Targeted Malware and Botnet! Page 18

19 Wildfire: Another Innovation of Palo Alto Networks WildFire Analysis Center Sandbox-based analysis looks for over 80 malicious behaviors Generates detailed forensics report Creates antivirus and C&C signatures Protection delivered to all customer firewalls Policy-based forwarding to WildFire for analysis Potentially malicious files from Internet Page Palo Alto Networks. Proprietary and Confidential.

20 You can choose what files to forward WildFire Cloud Signatures Files Page 20

21 WildFire Portal Dashboard shows the number of malicious, benign, and pending files today and also during last 7 days: Page 21

22 WildFire Portal (cont.) Reports provide a more detailed view, where it s possible to filter by device, type of verdict and also make searches: Page 22

23 WildFire Portal (cont.) You can get a detailed view on the activity detected for a particular file in the sandbox, by clicking on the magnifying glass: Page 23

24 WildFire Portal (cont.) There s also a link to VirusTotal( with extra information on anti-malware vendors detection capabilities: Page 24

25

26 Case Study: Re-emergence of Waledac Originally a spamming botnet, taken down by Microsoft in 2010 when the C2 servers were taken over On Feb 2 nd 2012, WildFire detected new variant of Waledac code on customer networks Botnet has been enhanced to obtain credentials for FTP, SMTP, POP3, and more with full packet capture on the host Since initial discovery, WildFire has seen hundreds of unique samples of the botnet malware across 78 customer networks Antivirus signature distributed to Palo Alto Networks customers within 24 hours Sample went undetected by all major AV products for 2 weeks Page Palo Alto Networks. Proprietary and Confidential.

27 Case Study: CNET Download Wrapper Incident CNET was trusted source for malware-free downloads since Shortly after launch, WildFire detected malware from CNET domain. WildFire was one of the first responders to detect malicious behavior from adware attached to downloads from CNET. Adware was found to: - Alter the security settings, proxy settings, and network connection settings of Internet Explorer - and also made changes to the Windows Firewall policy. Adware was found to leak out information surreptitiously via HTTP POST messages. Turned out CNET was bundling software with adware and browser helpers with little warning to user Page Palo Alto Networks. Proprietary and Confidential.

28 It is Integrated Threat Prevention by Multi-vectors approach Palo Alto Networks coordinates multiple types of threat prevention to detect and prevent all types of risks Lifecycle: From reducing exposure to blocking threats Known and Unknown Threats Context: Tie users, URLs and applications to any event 2009 Palo Alto Networks. Proprietary and Confidential.

29 Attack Stages of Modern Malware Targeted malicious sent to user Signature Detection Malicious website exploits client-side vulnerability App Control/UR L Filtering IPS Behavioral Analysis User clicks on link to a malicious website Drive-by download of malicious payload Page 29

30 2011 Magic Quadrant for Enterprise Network Firewalls Source: Gartner Page Palo Alto Networks. Proprietary and Confidential.

31 About Palo Alto Networks We are the network security company World-class team with strong security and networking experience - Founded in 2005, first customer July 2007 We offer next-generation firewalls that safely enable 1,400+ applications - Restores the firewall as the core of the enterprise network security infrastructure - Innovations: App-ID, User-ID, Content-ID, GlobalProtect, WildFire Global footprint: 6,600+ customers in 80+ countries, 40 of whom deployed more than $1M of our solution $200M in bookings run rate*; 7 consecutive quarters of positive cashflow from operations (*) Reported on August 1, Bookings run rate is defined as 4 (four) times the bookings amount of the most recently finished fiscal quarter. Bookings are defined as non-cancellable orders received during the fiscal period. Palo Alto Networks fiscal year runs from August 1st until July 31st. Page 31

32 Page 32