Cybercrime: evoluzione del malware e degli attacchi Cesare Radaelli Regional Sales Manager, Italy cradaelli@paloaltonetworks.com
About Palo Alto Networks We are the network security company World-class team with strong security and networking experience - Founded in 2005, first customer July 2007 We offer next-generation firewalls that safely enable 1,400+ applications - Restores the firewall as the core of the enterprise network security infrastructure - Innovations: App-ID, User-ID, Content-ID, GlobalProtect, WildFire Global footprint: 6,300+ customers in 80+ countries, 40 of whom deployed more than $1M of our solution $200M in bookings run rate*; 7 consecutive quarters of positive cashflow from operations (*) Reported on August 1, 2011. Bookings run rate is defined as 4 (four) times the bookings amount of the most recently finished fiscal quarter. Bookings are defined as non-cancellable orders received during the fiscal period. Palo Alto Networks fiscal year runs from August 1st until July 31st. Page 2 2012 Palo Alto Networks. Proprietary and Confidential.
2011 Magic Quadrant for Enterprise Network Firewalls Palo Alto Networks' highperformance NGFW functionality continues to drive competitors to react in the firewall market. It is assessed as a Leader mostly because of its NGFW design, redirection of the market along the NGFW path, consistent displacement of Leaders and Challengers, and market disruption forcing Leaders to react. Magic Quadrant for Enterprise Network Firewalls Gartner, 14 December 2011 Source: Gartner Page 3 2011 Palo Alto Networks. Proprietary and Confidential.
What Has Changed / What is the Same The attacker changed - Nation-states - Criminal organizations - Political groups Attack strategy evolved - Patient, multi-step process - Compromise user, then expand Attack techniques evolved - New ways of delivering malware - Hiding malware communications - Signature avoidance The Sky is Not Falling - Not new, just more common - Solutions exist - Don t fall into the APT ate my homework trap
Strategy: Patient Multi-Step Intrusions Organized Attackers The Enterprise Infection Command and Control Escalation Exfiltration Exfiltration
Challenges to Traditional Security Threats coordinate multiple techniques, while security is segmented into silos - Exploits, malware, spyware, obfuscation all part of a patient, multi-step intrusion Threats take advantage of security blind spots to keep from being seen - Patient attacks must repeatedly cross the perimeter without being detected Targeted and custom malware can bypass traditional signatures - The leading edge of an attack is increasingly malware that has never been seen before.
Regaining Control Over Modern Threats New Requirements for Threat Prevention 1. Visibility into all traffic regardless of port, protocol, evasive tactic or SSL 2. Stop all types of known network threats (IPS, Anti-malware, URL, etc.) while maintaining multi-gigabit performance 3. Find and stop new and unknown threats even without a pre-existing signature Page 7 2011 Palo Alto Networks. Proprietary and Confidential.
Visibility Visibility is Fundamental - You can t stop what you can t see - Virtually all threats other than DoS depend on avoiding security Full Stack Inspection of All Traffic - All traffic, on all ports, all the time - Progressive decoding of traffic to find hidden, tunneled streams - Contextual decryption of SSL Control the Applications That Hide Traffic - Limit traffic to approved proxies, remote desktop applications - Block bad applications like encrypted tunnels, circumventors
Control the Methods Threats Use to Hide If you can t see it, you can t stop it Circumventors and Tunnels Encryption (e.g. SSL) Encrypted Traffic SSL is the new standard Proxies Reverse proxies are hacker favorites Remote Desktop Increasingly standard Proxies (e.g CGIProxy) Compression (e.g. GZIP) Outbound C&C Traffic Compressed Content ZIP files, compressed HTTP Encrypted Tunnels Hamachi, Ultrasurf, Tor Purpose-built to avoid security Page 9 2011 Palo Alto Networks. Proprietary and Confidential.
Block the Applications That Hide Traffic Block Unneeded and High- Risk Applications - Block (or limit) peer-to-peer applications - Block unneeded applications that can tunnel other applications - Review the need for applications known to be used by malware - Block anonymizers such as Tor - Block encrypted tunnel applications such as UltraSurf - Limit use to approved proxies - Limit use of remote desktop
Control Known Threats Validated and Proven IPS - 93.4% Block Rate at NSS Labs while maintaining data sheet performance Stream-based Anti-Malware - Millions of malware samples, 50,000 new samples analyzed daily - Stream-based analysis enables in-line analysis at line speeds Full Context - Clear visibility into all URLs, users, applications and files connected to a particular threat Brute Force Code-Execution Denial of Service Data Leakage Overflow Scanning SQL Injection Botnets Browser Hijacks Adware Backdoors Keyloggers Net-Worms Peer-to-Peer
Add Protections Without Sacrificing Performance 7000 6000 5000 4000 3000 2000 Firewall + IPS Firewall + an -spyware + an virus Firewall + an -spyware + an virus + IPS 1000 0 Mixed HTTP 10 KB HTTP 512 KB HTTP Network World, August 2011 Page 12 2011 Palo Alto Networks. Proprietary and Confidential.
Single-Pass Parallel Processing (SP3) Architecture Single Pass Operations once per packet - Traffic classification (app identification) - User/group mapping - Content scanning threats, URLs, confidential data One policy Parallel Processing Function-specific parallel processing hardware engines Separate data/control planes Up to 20Gbps, Low Latency Page 13 2011 Palo Alto Networks. Proprietary and Confidential.
Okay, but what about unknown and targeted malware? Page 14 2011 Palo Alto Networks. Proprietary and Confidential.
The Malware Window of Opportunity Time required to capture 1 st sample of malware in the wild Time required to create and verify malware signature Total Time Exposed Time before antivirus definitions are updated Days and weeks until users are protected by traditional signatures
Attackers Target the Window of Opportunity Targeted Attacks Malware Construction Kits Refreshed Malware Page 16 2011 Palo Alto Networks. Proprietary and Confidential.
Controlling Unknown Malware Using the Next-Generation Firewall Introducing WildFire - New feature of the Palo Alto Networks NGFW - Captures unknown inbound files and analyzes them for 70+ malicious behaviors - Analysis performed in a cloud-based, virtual sandbox Automatically generates signatures for identified malware - Infecting files and command-and-control - Distributes signatures to all firewalls via regular threat updates Provides forensics and insight into malware behavior - Actions on the target machine - Applications, users and URLs involved with the malware Page 17 2011 Palo Alto Networks. Proprietary and Confidential.
The WildFire Architecture Unknown Files From the Internet Coming into the Enterprise Firewall Submits File to WildFire Cloud Compare to Known Files Sandbox Environment Signature Generator Admin Web Portal Results available in minutes. New Signatures Delivered to ALL Firewalls via regular threat updates. Page 18 2011 Palo Alto Networks. Proprietary and Confidential.
Case Study - Password Stealing Botnets Overview Threat Type Target Transmission Methods Botnet, similar to the notorious ZeuS banking botnet Targets end-users with the goal of stealing passwords Heavy use of email, Some use of HTTP Key Actions Steals email and FTP credentials Steals cookies from browsers Decrypts and sniffs SSL sessions Uses anti-vm techniques File Name(s) American_Airlines_E-Ticket-printing-copy DHL-express-tracking-delivery-notification Initial Detection Rates Very low detection rates, sometimes for several days. Heavy use of packers. 2010 Palo Alto Networks. Proprietary and Confidential.
Malware Analysis
Malware Analysis
Malware Analysis
Trusted Sources CNET/Download.com Strong reputation for providing safe downloads of shareware and freeware that are verified to be malware free. In early December 2011 WildFire began identifying files from Download.com as containing spyware. CNET had begun providing software downloads in a wrapper that installed subtle spyware designed to track shopping habits Changed a variety of client and browser security settings Changed security settings Changed proxy settings Changed Internet Explorer settings Installed a service to leak advertising and shopping data over HTTP POSTs.
An Integrated Approach to Threat Prevention Applications Exploits & Malware Dangerous URLs Unknown & Targeted Threats All traffic, all ports, all the time Application signatures Heuristics Decryption Block threats on all ports NSS Labs Recommended IPS Millions of malware samples Malware hosting URLs Newly registered domains SSL decryption of high-risk sites WildFire control of unknown and targeted malware Unknown traffic analysis Anomalous network behaviors Reduce the attack surface Remove the ability to hide Prevents known threats Exploits, malware, C&C traffic Block known sources of threats Be wary of unclassified and new domains Pinpoints live infections and targeted attacks Decreasing Risk Page 26 2011 Palo Alto Networks. Proprietary and Confidential.
Thank You! Page 27 2010 Palo Alto Networks. Proprietary and Confidential.