The Advanced Attack Challenge. Creating a Government Private Threat Intelligence Cloud

Transcription

1 The Advanced Attack Challenge Creating a Government Private Threat Intelligence Cloud

2 The Advanced Attack Challenge One of the most prominent and advanced threats to government networks is advanced delivery and execution of zero day malware. The adversary effectively utilizes technology and has enhanced their ability to create and deliver highly effective unknown or zero day malware through advanced persistent threats (APTs). To date, it is estimated that 100 nations are building cyber military commands. Of those approximately 20 are serious players and a smaller number of those could carry out a complete cyber war campaign. 1 Current detect and remediate technologies that can detect zero day malware require multiple appliances positioned at edge, data center and internal traffic locations. This approach makes scalability very difficult and very expensive. There are coverage gaps for traffic and devices that create blind spots. In addition, the approach lacks a significant component in the kill chain 2 methodology: they only detect the zero day malware without automatically blocking the attacks. The adversary will attack with new exploits and malware, and will do significant damage in a very short period of time, sometimes less than 24 hours. A detect and remediate methodology lags behind this threat vector and will result in a threat to mission assurance. To improve defense and resilience, governments are creating their own private threat intelligence clouds based on Palo Alto Networks WildFire. This architecture enables immediate analysis of the unknown threats and swiftly pushes prevention to all of the physical and virtual Palo Alto Networks platforms from data center to endpoint within the network. Basic Steps to Build an Effective Private Threat Intelligence Cloud Classify Your Network Traffic for Protection and Whitelisting Using the edge to data center to endpoint security in Palo Alto Networks next-generation security platform with the WildFire advanced threat detection service, governments can effectively shorten the time to detection and prevention of advanced attacks. The following steps outline the building blocks to a successful advanced threat solution. Step 1: To build an effective threat intelligence cloud, awareness of what is on your network is paramount. At the heart of any effective network security function s ability to detect threats, it must understand the network traffic Figure 1: The Palo Alto Networks single pass software checks your policies for the allowed applications, content, and the users associated with those and quickly identifies anomalies. 1 Peter W. Singer, Director of the Center for 21 st Century Security and Intelligence, Brookings Institution 2 Lockheed Martin PAGE 2

3 and classify that traffic. Once classified, network and security administrators can then create effective policies to protect the network and whitelist the applications approved for use. Today, your security must start by identifying the applications not just the ports and protocols. Attackers easily bypass port- and protocol-based security by: Hopping ports Using SSL and SSH Sneaking across port 80 Using non-standard ports Palo Alto Networks App-ID traffic classification system instantly applies multiple classification mechanisms to the network traffic stream, as soon as the device sees it, to accurately identify applications. (See figure 1.) Detect the Known Threats Step 2: Once applications are understood and policies are established, Palo Alto Networks next generation security platform can detect and block all known threats. Palo Alto Networks Content-ID blocks the known threats on the network using threat detection signatures for known attacks including AV, file analysis, pattern-matching and URL filtering. Detect Zero Day and Advanced Threats in Your Private Threat Intelligence Cloud Step 3: Files not recognized as known threats are then submitted by any of the Palo Alto Networks platforms on the government network to the WildFire service for analysis in your own private threat intelligence cloud. Running on a WF-500 platform, the WildFire virtual malware execution engine or advanced threat sandbox service becomes a point of malware detection and prevention at the following locations: Internet edge (Next-generation firewall platforms) Data center edge (PA-7050) Between virtual-machines (s) in the datacenter (-series) Mobile devices & endpoints (GlobalProtect & Traps ) All points of segmentation Files are forwarded from your currently deployed physical and virtual Palo Alto Networks devices, mobile security managers (GlobalProtect), and/or endpoints with advanced endpoint protection (Traps), or from the WildFire API. It is the communications to the WF-500 appliance placed within the government s network that makes your threat intelligence private. No files need to be analyzed outside of the confines of the government network. Or you can selectively choose which files can be forwarded to the Palo Alto Networks Threat Intelligence Cloud and which remain within your own environment. For every file analyzed, the WF-500 renders one of two potential decisions: Malicious payload for which a signature must be generated to prevent future infiltrations Benign payload for which all future instances can be identified and allowed For example, if botnet malware is inadvertently hosted on a well-known website to fool victims to download malware in a drive-by download, the platform still knows to evaluate the content of the file to be delivered. The behavior and payload of the file can tell the platform if it is re-used malware code seen previously, such as with script kiddies who re-use existing code. If, however, the file has no previous insight associated with it, it will be sent straight to the WF-500 for full analysis. PAGE 3

4 Figure 2: The WildFire report indicates the analysis results of the suspect file including the behaviors which led to its rating as malicious. From detection to prevention: auto-generation of signatures for zero day For discovered zero day and advanced threats, the WF-500 generates a signature for the malicious payloads. The platform generates the following types of signatures that block both the malicious files as well as associated command and control traffic: Antivirus signatures: Detect and block malicious files. These signatures are added to WildFire and antivirus content updates. DNS signatures: Detect and block callback domains for command and control traffic associated with malware. These signatures are added to WildFire and Antivirus updates. URL Categorization: Categorizes callback domains as malware and updates the URL category in the URL filtering service. Detailed malware forensics In addition to the signature, WF-500 generates a detailed forensics report showing >100 characteristics of the file, including those in Figure 2 as Behavior. For example, characteristics include but are not limited to the following: It attempted to sleep for a long period It created and modified files It changed the security settings of Internet Explorer Government Private Threat Intelligence cloud implementation A government organization can establish a private threat intelligence cloud to extract files and executables from across its network or act as the consolidation point for threat intelligence across Agencies or Ministries. Detect and prevent threats at each point in kill chain or in network Palo Alto Networks platforms in virtual or physical instance can monitor all network traffic at the perimeter and across all network segments wherever they are deployed (see Figure 3). When the devices reside logically across the network, they can block files and executables at all internal and external perimeter points data centers, endpoints, mobile devices, and other logical perimeters. This enables detection and prevention of threats at every point across the organization, or any point in the kill chain 3. In order for an advanced attack to work, every point in the kill chain must succeed. Only one part of the kill chain has to fail for the advanced attack to fail. 3 Lockheed Martin PAGE 4

5 NSX Network Service Insertion NSX Network Service Insertion Palo Alto Networks: The Advanced Attack Challenge Zero Days Unknown Malware Known Malware Evasive Applications Threat Protection (URL/C2/Etc) Government Threat Intelligence Cloud Automated File Analysis Immediate Intelligence Conversion WildFire Automated Global Dissemination Active Networks Traffic - Plaform Devices Mobility Devices - GlobalProtect VPN Internet GlobalProtect VPN Coalition Internet Access Points Mobile Traps Teleport Deployed Other Premise/DMZ Core Data Center WEB APP ware ESXi Virtual Platform Devices DB HV Integrated Partners ware Splunk Citrix AWS WEB APP ware ESXi Virtual Platform Devices DB HV Data Center Figure 3: Government architecture example using WF-500-based Government Threat Intelligence Cloud to protect the network from advanced threats. Cyber security functions learn from one another, turn unknown into known All the while, cyber security functions within the platforms can learn from one another. For example, zero day malware detected by one function informs the other to prevent all future instances of the malware. This brings an entirely new way to convert intelligence on the fly to turn unknown zero day malware into known malware. The known malware indicators get automatically distributed to all Palo Alto Networks platform devices to prevent additional advanced attacks. Timing is everything and no one does it faster and in more places on the network than Palo Alto Networks. Threat prevention updates The platforms can receive content updates from the WF-500 WildFire appliance as frequently as every five minutes. Administrators can optionally send the malware sample file analysis data (or just the XML report if they do not wish to send the sample) to the WildFire public cloud to enable signature generation for distribution through the Palo Alto Networks update server. To generate signatures on the local WF-500, daily content updates equip the appliance with the most up-to-date threat information for accurate malware detection and improve the appliance s ability to differentiate the malicious from the benign. The Palo Alto Networks differentiated approach to advanced threat prevention The Palo Alto Networks advanced threat approach is differentiated in several ways: Architecture: An all-in-one platform enables a singular platform, physical or virtual, to have visibility to all traffic on the network. Other solutions necessitate one device per application type; Simplified deployment, improved cost: Deploy one WildFire environment, WF-500, for the analysis of threats that is shared across all firewalls, rather than deploy single-use hardware at every ingress/egress point and network point of presence; Full visibility: By seeing all of the applications used by adversaries not just web and and selectively decrypting SSL communications often used to hide attacker communications. The platform uncovers more ways the adversary can compromise the network and move laterally than most other solutions for the advanced threat. Other solutions limit visibility to only two or a few applications, leaving the network vulnerable to attacks through other vectors; PAGE 5

6 Network-widesecurity correlation: Cyber security functions within the platform can learn from one another for example, zero day malware detected by one function informs the other to prevent all future instances of the malware. The known malware indicators get automatically distributed to all Palo Alto Networks platform devices to prevent additional advanced attacks. Timing is everything and no one does it faster and in more places on the network than Palo Alto Networks. Unlike disparate security functions or UTM capabilities which cannot learn from one another, Palo Alto Networks unique platform approach enables WildFire in combination with the other platform security features including IPS, URL Filtering, network antivirus, next generation firewall and advanced endpoint attack prevention to greatly reduce the attack surface. Detection and prevention on your network not relying on remediation positions your network to deal with advanced threats. With logical location and visibility, Palo Alto Networks advanced threat layered platform approach has: More scalability: Discrete additional appliances at each location are unnecessary Greater manageability: Update one service instead of multiple appliances around the world Detection, prevention and resilience that extends far beyond the network perimeters Less cost Full extensibility: To easily expand this capability to other government agencies SUMMARY Governments can create effective threat intelligence private clouds for their own singular agency or for a group of Agencies, Ministries or Departments who wish to share their threat intelligence. The platform protects every part of the mission network, addressing vulnerabilities and malware arriving at the endpoint, mobile device, network perimeter and within the data center. This provides new defense and resilience to prevent attackers at every point of the kill chain 4. In addition to the resilience and prevention against today s most sophisticated attacks, Palo Alto Networks provides the government with: less reliance on manual operations, consolidation of point tools, and extensibility wherever Palo Alto Networks is within the network, the resiliency and prevention extends: across zero trust segments, into data centers, to defense mobility. All of this reduces OpEx and CapEx costs, and is provided at a lower price point than alternative approaches to the APT problem. The Palo Alto Networks enterprise security platform with WildFire provides the ability to evolve and be agile to today s adversaries and their evolving sophisticated techniques. For more information: Defeating APTs in Government Networks Government APT Video series: Part 1: The Anatomy Of An Advanced Threat Part 2: Wildfire Vs. Standalone Sandboxing Part 3: Multi-layered Advanced Threat Approach Enterprise security platform for Government WildFire Datasheet WildFire 500 on the web 4 Lockheed Martin 4401 Great America Parkway Santa Clara, CA Main: Sales: Support: Copyright 2015, Palo Alto Networks, Inc. All rights reserved. Palo Alto Networks, the Palo Alto Networks Logo, PAN-OS, App-ID and Panorama are trademarks of Palo Alto Networks, Inc. All specifications are subject to change without notice. Palo Alto Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Palo Alto Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. PAN_WP_PTCG_033115