Copyright © 2013 Splunk Inc.
Marc Benoit, Technical Director, Palo Alto Networks #splunkconf
Mitigating Cybersecurity Risk with Palo Alto Networks and Splunk
Agenda
- Key Findings From the Cyber Security Review
- Coevolution of Malware and Applications
- How Attackers Leverage Applications
- Best Practices for Mitigating Threats
- Using Splunk to Triage Cyber Security Events
Palo Alto Networks at a Glance
Corporate highlights
- Founded in 2005; first customer shipment in 2007
- Safely enabling applications and preventing cyber threats
- 13,000+ customers globally
- 1,150+ employees globally
- Next-generation security platform
- Designed from the ground up to analyze all traffic and perform all security functions in full application context
- Firewall, IPS, anti-malware, advanced threat prevention, URL filtering, content inspection
- Perimeter, data center, cloud and virtual, and mobile
Key Findings of Cyber Security Review
Large Scale Analysis of Unknown Malware
- 3 months of WildFire data
- 1,000+ participating networks
- 26,000+ malware samples that had no coverage from any of the top 6 AV vendors at the time of detection
- Full lifecycle analysis of the malware: infection session, behaviors on the target host, malware-generated traffic
- Focus on actionable advice
Infection Vectors by Application
The web is where the action is for unknown malware
- 68,000+ malware samples detected by WildFire
- 26,000+ malware samples that were fully undetected by AV
- 3% of malware delivered by email evaded all vendors vs. more than 50% of malware delivered by the web
Average Time to Detection by Antivirus
On average, it took traditional antivirus 4x as long to provide coverage for malware delivered in applications other than email
[Chart: Average Time to Coverage (days) by Application Vector]
- Web Browsing: 20 days
- Other Web Applications: 19.7 days
- File Sharing: 19.3 days
- Email: 5.3 days
Source: Palo Alto Networks, Modern Malware Review
Time to Detection by Specific Application
[Chart: days to antivirus detection (0 to 35) per application, listed from longest to shortest: 4shared, facebook-posting, blog-posting, dropbox, facebook-file-, naver-ndrive, netload, rss, sharepoint, soap, teachertube, ftp, glype-proxy, web-crawler, depositfiles, web-browsing, http-proxy, mail.ru-base, rapidshare, google-app-engine, hotmail, sendspace, outlook-web, yahoo-mail, smtp, hotfile, pop3, imap, aim-mail, comcast-webmail]
Source: Palo Alto Networks, WildFire Malware Report
Web applications and social media were relatively rare sources, but had extremely low detection rates
Time to Detection by Specific Application (top 5 highlighted)
[Chart: same data as the previous slide, with the top 5 sources of unknown malware highlighted]
Source: Palo Alto Networks, WildFire Malware Report
Top 5 sources of unknown malware highlighted. FTP was a leading source and rarely detected
40% of Unknown Malware Files Were Variants
- Opportunity to block malware: in 40% of cases, a single signature matched multiple samples (variants)
- 1 signature hit 1,500+ unique SHA values
- Provides a way to block malware even when it is repackaged to avoid signatures
- WildFire subscription: delivers signatures within 30 to 60 minutes of new malware being detected anywhere in the world
40% of Malware Samples Were Related
40% of Unknown Malware Files Were Blockable
40% of unknown samples were identifiable as sister samples that shared specific identifiers in the file header and payload
Most Commonly Observed Malware Behaviors on the Network (% of samples exhibiting the behavior):
- Contained unknown TCP/UDP traffic: 29.39%
- Visited an unregistered domain: 24.38%
- Sent out emails: 20.46%
- Used the POST method in HTTP: 12.38%
- Triggered known IPS signature: 7.10%
- IP country different from HTTP host TLD: 6.92%
- Communicated with new DNS server: 5.56%
- Downloaded files with an incorrect file extension: 4.53%
- Connected to a non-standard HTTP port: 4.01%
- Produced unknown traffic over the HTTP port: 2.33%
- Visited a recently registered domain: 1.87%
- Visited a known dynamic DNS domain: 0.56%
- Visited a fast-flux domain: 0.47%
Source: Palo Alto Networks, WildFire Malware Report
- Investigate and classify any unknown traffic
- No file downloads from unknown domains
- No HTTP POSTs to unknown domains
- No email traffic except to the corporate email server
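The four rules above can be checked mechanically against firewall traffic logs. This added example (not from the slides or from Palo Alto Networks) runs them over a constructed, CSV-style set of sessions; the column layout, the known-domain list, the corporate mail relay and the standard HTTP ports are all assumptions.

```python
import csv
import io

# Constructed sample log (not real data). Columns approximate a firewall traffic log:
# app, src_ip, dst_ip, dst_port, dst_host, http_method, file (transferred file name, if any)
SAMPLE_LOG = """app,src_ip,dst_ip,dst_port,dst_host,http_method,file
web-browsing,10.0.0.5,203.0.113.10,80,www.example.com,GET,
unknown-tcp,10.0.0.7,198.51.100.9,4444,,,
web-browsing,10.0.0.5,198.51.100.22,8081,cdn-fresh.example.net,POST,
smtp,10.0.0.9,192.0.2.77,25,mail.attacker.invalid,,
smtp,10.0.0.9,10.0.0.25,25,mail.corp.example,,
web-browsing,10.0.0.5,203.0.113.10,80,www.example.com,POST,
web-browsing,10.0.0.11,198.51.100.40,80,files.unknown-host.invalid,GET,setup.exe
"""

# Constructed reference data: domains the organization already knows, its mail relay,
# and the ports where HTTP is expected. In practice these come from asset/URL inventories.
KNOWN_DOMAINS = {"www.example.com", "mail.corp.example"}
CORP_MAIL_SERVERS = {"10.0.0.25"}
STANDARD_HTTP_PORTS = {80, 443, 8080}
MAIL_APPS = {"smtp", "pop3", "imap"}


def classify(row):
    """Return the slide behaviors that a single session exhibits (empty list if none)."""
    findings = []
    app, host, port = row["app"], row["dst_host"], int(row["dst_port"])
    if app.startswith("unknown-"):
        findings.append("unknown TCP/UDP traffic")
    if app in MAIL_APPS and row["dst_ip"] not in CORP_MAIL_SERVERS:
        findings.append("email traffic not to corp mail server")
    if app == "web-browsing":
        if row["http_method"] == "POST" and host not in KNOWN_DOMAINS:
            findings.append("HTTP POST to unknown domain")
        if port not in STANDARD_HTTP_PORTS:
            findings.append("non-standard HTTP port")
    if row["file"] and host not in KNOWN_DOMAINS:
        findings.append("file download from unknown domain")
    return findings


def triage(log_text):
    """Group findings by source host so each internal host can be reviewed once."""
    report = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        for finding in classify(row):
            report.setdefault(row["src_ip"], set()).add(finding)
    return report


if __name__ == "__main__":
    for src, behaviors in sorted(triage(SAMPLE_LOG).items()):
        print(src, sorted(behaviors))
```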
Evasive Behaviors Varied Heavily by Application
[Chart: number of non-standard ports and percent of non-standard sessions, by application]
- FTP: 237 non-standard ports, 97% non-standard sessions
- Custom-TCP: 19 non-standard ports, 43% non-standard sessions
- HTTP-Proxy: 29 non-standard ports, 17% non-standard sessions
- Web Browsing: 90 non-standard ports, 10% non-standard sessions
Source: Palo Alto Networks, WildFire Malware Report
Malware Behaviors on the Host
Lots of effort spent on evading security and analysis
[Pie chart: Most Commonly Observed Malware Behaviors]
- Persistence: 33%
- Outbound traffic: 33%
- Analysis avoidance: 19%
- Data theft: 10%
- Hacking: 5%
Source: Palo Alto Networks, WildFire Malware Report
Analysis Avoidance
[Chart: share of samples exhibiting each analysis-avoidance behavior]
- long_sleep: 56.92%
- delete_itself: 20.42%
- code_inject: 13.52%
- Attempted to determine external IP address: 0.09%
Source: Palo Alto Networks, WildFire Malware Report
Coevolution of Malware and Applications
Malware ARE Applications
Co-evolution of Applications and Threats
For an attacker, applications are:
- Target: vulnerabilities known and unknown (e.g. browser, JRE)
- Vector: delivery of malware, social engineering (e.g. social media, web-mail)
- Disguise: blend in, evade, and circumvent (e.g. DNS tunneling, C2 over social media)
- Inspiration: command and control, persistence strategies (e.g. peer-to-peer)
Case Study: Parasitism in Mobile Malware
Mobility Being Adopted Faster than Any Technology in History
New platforms mean new attack surface
Mobile Ad Networks and Malware
- Mobile ad networks present a novel security challenge
  - App developers need to use them in order to make money
  - They often require the developer to embed software from the ad network within the application
  - Structurally akin to a botnet
- Palo Alto Networks researchers observed previously unknown malware being distributed by one of these ad networks
Mobile ad networks are uniquely engrained in mobile apps
How Mobile Ad Networks Work
[Diagram labels: App, SDK, App Store, Ad network, Ads; steps 1 and 2]
[Diagram labels: App, SDK, App Store, Malicious ad network, Malware, Ready-made Botnet; steps 1 and 2]
Analysis of Parasites Malware
- Discovered by WildFire malware behavioral analysis
- Delivered via mobile ad network
- Malicious code repackaged within a benign host application
- Triggered to execute independent of the host app based on local events on the device: a user unlocks the device, the device connects to a WiFi network, a new app is installed
- Able to add new malware into any app on the host
So many choices…
Appending an APK to another APK
A Simple, but Powerful Botnet
- Building a botnet out of many different infected applications
- The malware can infect any app on the host, providing many places to hide
- Uses SMS to build a command and control channel: sends SMS to attacker-controlled numbers, intercepts incoming SMS messages, and uses both the device ID and the infected app to identify hosts and build a botnet
[Diagram: Device #1 App B, Device #2 App C, Device #3 App D]
How Attackers Leverage Applications in Advanced Attacks
File Transfer Applications: Good or Bad?
- The Enterprise (Good): P2P applications for transferring large distros; collaboration applications (Sharepoint); asset management (Dropbox)
- The User (Unknown): Dropbox and Sharepoint to do work; P2P and MEGA for downloading illegal movies (and malware)
- The Bad Guy (Bad): delivery of secondary payloads (FTP, HTTP, IM, etc.); heavy use of non-standard ports; theft of data
Mandiant’s Analysis of APT1
Phase of Attack / Attack Tools:
- Initial Infection: Email
- Backdoor: HTTP, custom protocols, Poison Ivy
- Covert Communications: customized use of MSN Messenger, Jabber, and Gmail Calendar; SSL encryption of backdoor traffic; HTRAN used to proxy traffic
- Ongoing Management: RDP
- Exfiltration: FTP
“The programs acting as APT1 servers have mainly been: (1) FTP, for transferring files; (2) web, primarily for WEBC2; (3) RDP, for remote graphical control of a system; (4) HTRAN, for proxying; and (5) C2 servers associated with various backdoor families.”
- Mandiant APT1 Report
Example: Custom C2 Built from P2P
- Customized malware communication based on qvod (P2P protocol)
- Customized TCP used to connect to a variety of sockets
Unknown Traffic = 55% of Malware Logs, <2% of Bandwidth
Unknown traffic is frequently caused by malware using custom encryption, proprietary protocols or file transfers over raw sockets
Example: Custom Traffic
- Repeated pattern of DNS, HTTP, and unknown traffic
- The unknown proved to be the most important traffic
A Closer Look at the Unknown Session…
Malware-Enabling Applications: What to Do and Why
- Investigate unknown or custom traffic: malware infection vector, malware C2 channel, data theft
- Limit peer-to-peer applications: malware infection vector, malware C2 channel, data theft
- Block anonymizers: malware C2, APT tool, evasion tool
- Standardize on approved proxies: malware C2, APT tool, evasion tool
- Limit remote desktop: APT tool, evasion tool
- Block encrypted tunnel applications such as UltraSurf: evasion tool, malware C2
- Decrypt SSL and block custom encryption: used by malware to avoid inspection
Port-Based Evasion: good for applications, good for malware, bad for security
Challenges to Port-Based Classification
- Non-Standard Ports (applications that can use non-standard ports)
  - Evasive applications
  - Standard application behavior
  - Security best practices: moving internet-facing protocols off of standard ports (e.g. RDP)
- Tunneling Within Allowed Protocols (applications that can tunnel other apps and protocols)
  - SSL and SSH
  - HTTP
  - DNS
- Circumventors (applications designed to avoid security)
  - Proxies
  - Anonymizers (Tor)
  - Custom encrypted tunnels (e.g. Freegate, Ultrasurf)
Evasive Applications by Type
Malware Example: Use of Non-standard Ports
- Unknown traffic traversing the DNS port
- HTTP using registered/ephemeral ports
Tunneling Information over Fake DNS
It is essential to control by application, rather than by port
Other Examples of DNS Tunneling: tcp-over-dns, dns2tcp, Iodine, Heyoka, OzymanDNS, NSTX
Takes advantage of recursive queries to pass encapsulated TCP messages to/from a remote DNS server
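Because these tools carry their payload in the query names themselves, a DNS log shows the pattern even when port 53 looks legitimate: one client sending many long, high-entropy subdomains to a single domain. This added example (not from the slides or any of the tools named) scores constructed query names for that pattern; the domain tunnel.invalid, the sample queries, the naive registered-domain split and the thresholds are all assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of (client, query name) pairs, not real traffic. The domain
# tunnel.invalid and the encoded-looking labels are made up to model a tunnel's lookups.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.8", "a7f3k9q2z1m8b4x0c6v5n3l2p9.t.tunnel.invalid"),
    ("10.0.0.8", "zz91xx02yy73ww84vv65uu56tt47.t.tunnel.invalid"),
    ("10.0.0.8", "q0w9e8r7t6y5u4i3o2p1a0s9d8f7.t.tunnel.invalid"),
]


def shannon_entropy(text):
    """Bits per character; encoded payload labels score well above ordinary host names."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    # Assumption: the last two labels. Real deployments should use the public suffix list.
    return ".".join(qname.split(".")[-2:])


def query_features(qname):
    labels = qname.split(".")
    sub = ".".join(labels[:-2])  # everything below the registered domain
    return {
        "qname_len": len(qname),
        "longest_label": max(len(lab) for lab in labels),
        "sub_entropy": shannon_entropy(sub) if sub else 0.0,
    }


def suspicious_domains(queries, min_queries=3, min_len=40, min_entropy=3.5):
    """Return {(client, domain): hit count} where one client repeatedly sent long,
    high-entropy subdomain queries to one domain, the shape encapsulated data needs.
    The thresholds are assumptions to tune against your own DNS baseline."""
    per_key = defaultdict(list)
    for client, qname in queries:
        per_key[(client, registered_domain(qname))].append(query_features(qname))
    flagged = {}
    for key, feats in per_key.items():
        hits = [f for f in feats if f["qname_len"] >= min_len and f["sub_entropy"] >= min_entropy]
        if len(hits) >= min_queries:
            flagged[key] = len(hits)
    return flagged
```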
Largest Session Contains a Secondary Payload
Non-standard Ports and Targeted Malware
FTP was the most evasive application observed in a recent 3-month study of 0-day malware
- 95% of unknown samples delivered via FTP were never covered by antivirus
- 97% of malware FTP sessions used non-standard ports, and used 237 different non-standard ports
Prevalence of Port Evasion by Application
[Chart: same data as "Evasive Behaviors Varied Heavily by Application": number of non-standard ports and percent non-standard sessions for FTP, Custom-TCP, HTTP-Proxy and Web Browsing]
Source: Palo Alto Networks, WildFire Malware Report
Varies by application, but not at all unusual: FTP 97%, Custom TCP 43%, HTTP-Proxy 17%, Web Browsing 10%
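The two series on this chart, and the "unknown traffic on the DNS port" case from the non-standard ports slide, are straightforward to reproduce from your own session logs once each application's default ports are known. This added example (not from the slides or the report) computes them over constructed session records; the default-port table and the sessions are assumptions.

```python
from collections import defaultdict

# Assumed default ports per application label. This table is constructed for the
# example; a real deployment would take it from the firewall's application database.
STANDARD_PORTS = {
    "ftp": {21},
    "web-browsing": {80, 443},
    "http-proxy": {3128, 8080},
    "dns": {53},
}

# Constructed session records (app, dst_port), not data from the report.
SESSIONS = [
    ("ftp", 21), ("ftp", 2121), ("ftp", 31337), ("ftp", 8021),
    ("web-browsing", 80), ("web-browsing", 443), ("web-browsing", 443), ("web-browsing", 8000),
    ("unknown-tcp", 53), ("unknown-tcp", 53), ("dns", 53),
]


def port_evasion(sessions, standard=STANDARD_PORTS):
    """Per application with a known default port: (distinct non-standard destination
    ports, percent of sessions on a non-standard port), the two series on the chart."""
    nonstd_ports = defaultdict(set)
    total = defaultdict(int)
    nonstd_count = defaultdict(int)
    for app, port in sessions:
        if app not in standard:  # unknown-* apps have no default port to compare against
            continue
        total[app] += 1
        if port not in standard[app]:
            nonstd_ports[app].add(port)
            nonstd_count[app] += 1
    return {
        app: (len(nonstd_ports[app]), round(100.0 * nonstd_count[app] / total[app], 1))
        for app in total
    }


def apps_on_port(sessions, port):
    """Which applications were identified on a given port; anything other than dns
    on 53 is the 'unknown traffic traversing the DNS port' case from the slides."""
    return sorted({app for app, p in sessions if p == port})


if __name__ == "__main__":
    print(port_evasion(SESSIONS))
    print(apps_on_port(SESSIONS, 53))
```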
Summary
- Applications and malware evolve in lockstep
- The need for persistence and stealth leads to increased cross-over between apps and threats
- Fine-grained application visibility and control is increasingly critical for detecting both threats and anomalies
Best Practices for Mitigating Threats
Any Traffic Not Fully Inspected = Threats Missed
- The Rule of All
  - All traffic must be inspected equally
  - Full-stack analysis must be the 1st step
  - All traffic, all ports, all the time
- Progressive Inspection
  - Decode: application and protocol decoders must be used to progressively open tunnels
  - Decrypt: targeted based on policy
  - Decompress: files (e.g. ZIP) and traffic (gzip)
- Stop the Methods Threats Use to Hide
  - Encrypted tunnels
  - Anonymizers
  - Malicious proxies
An Integrated Approach to Threat Prevention (Reducing Risk)
- Applications: visibility and control of all traffic, across all ports, all the time
  - Reduce the attack surface
  - Control the threat vector
  - Control the methods that threats use to hide
- Sources: control traffic sources and destinations based on risk
  - Sites known to host malware
  - Find traffic to command and control servers
  - SSL decrypt high-risk sites
- Known Threats: stop exploits, malware, spying tools, and dangerous files
  - NSS tested and Recommended IPS
  - Stream-based anti-malware based on millions of samples
  - Control threats across any port
- Unknown Threats: automatically identify and block new and evolving threats
  - WildFire analysis of unknown files
  - Visibility and automated management of unknown traffic
  - Anomalous behaviors
WildFire Public Cloud
WildFire with WF-500
[Diagram labels: WildFire Cloud; All unknown files; Confirmed Malware (optional); Signatures; Customer Firewalls; Local Customer Network; Log link to analysis sent to PA to be added to the WildFire log]
WildFire Private Cloud
[Diagram: WildFire license required]
Reduce the Exposure
- Block Unneeded and High-Risk Applications
  - Block (or limit) peer-to-peer applications
  - Block unneeded applications that can tunnel other applications
  - Review the need for applications known to be used by malware
  - Block anonymizers such as Tor
  - Block encrypted tunnel applications such as UltraSurf
  - Limit use to approved proxies
  - Limit use of remote desktop
Policy Example
Potential URL Categories for Correlation: not-resolved, proxy-avoidance and anonymizers, open-http-proxies, peer-to-peer, spyware/unknown
Policy Example – Limit Permissions for Unknowns
Policy Example – Setting Application Default Ports
Controlling Remote Desktop and Instant Messaging
Analyzing and Correlating the Data (AKA SPLUNKTASTICNESS)
Splunk for Palo Alto Networks
Demo
Next Steps
- Download the .conf2013 Mobile App (if not iPhone, iPad or Android, use the Web App)
- Take the survey and win a pass for .conf2014… or one of these bags!
THANK YOU