Traps – Advanced Endpoint Protectioninfosek.net/gradiva-INFOSEK-2014/Gradivo_Infosek/... · Prevent Exploits Including zero-day exploits Prevent Malware Including advanced & unknown

Copyright © 2014, Palo Alto Networks

Traps – Advanced Endpoint Protection Jakub Jiricek, CISSP, CNSE

Systems Engineer, Eastern Europe


Harsh Reality

Targeted attacks can only be solved on the endpoint

Attackers are more sophisticated and well funded

Launching Zero-Day attacks is more accessible and common

of breaches involve a targeted user device 71%

of exploit kits utilize vulnerabilities less than 2 years old 78%

increase in targeted attacks in 2013 91%


Laterally hop into the data center for ini1al infec1on there

ENTER THE DATA CENTER

Lateral Data Center mo1on for a foothold on the target VM

REACH THE TARGET

Understanding the Attack Kill-chain Attack kill-chain

Prevent attacks by stopping one step in the kill-chain

Steal intellectual property

STEAL DATA

Move laterally and infect addi1onal hosts

ENDPOINT OPERATIONS

Ini1al compromise

BREACH PERIMETER

Deliver malware and communicate with a>acker

DELIVER MALWARE


Platform approach

Next-Generation Firewall

§  Inspects all traffic

§  Blocks known threats

§  Sends unknown to cloud

§  Extensible to mobile & virtual networks


Application Prevention vs. Safe Enablement

Application Prevention

Legacy security approaches force organizations to either completely

block or unsafely allow modern applications.

Application Enablement

The Palo Alto Networks platform safely enables applications, ensuring full

business benefits while minimizing the security risks.

Allow All Block All

Allow & scan for threats

Allow & limit access time

Allow only certain

functions

Allow for specific users

Allow & scan for confidential data

Allow & shape (QoS)

Block All

Allow All


Platform approach

Next-Generation Threat Cloud §  Gathers potential threats from

network and endpoints §  Analyzes and correlates threat

intelligence §  Disseminates threat intelligence to

network and endpoints


Next-generation threat cloud

WildFire TM

WF-500

Anti-malware signatures DNS intelligence Malware URL database Anti-C2 signatures

Soak sites, sinkholes, 3rd party sources

WildFire Users

§  Highly scalable cloud-based approach to analyzing unknowns from many sources

§  Leverages highly customized and tuned virtual “sandboxes” to analyze files

§  Constantly evolving analytics engine to detect the latest threats

§  Significantly expanded to include PDF, Office, Java, and Android APK files


Scaling the threat cloud §  On a typical day, WildFire receives

over 280,000 unique files •  11,600 every hour •  195 every minute •  3 every second

§  From those unknowns, about 30,000 are new malware •  >70% not detected by any of the

leading AV software

§  On average, each file is processed in less than 6 minutes §  Even as the number of files has

quadrupled

-

350,000

700,000

1,050,000

1,400,000

1,750,000

11/19/

13

12/3/1

3

12/17/

13

12/31/

13

1/14/1

4

1/28/1

4

2/11/1

4

2/25/1

4

3/11/1

4

3/25/1

4

Unique'Samples/Week'

On average, each NGFW is detec4ng 2.5 new unknown threats a day

Number of registered devices in last 30 days = 17,223


Platform approach

§  Inspects all processes and files §  Prevents both known & unknown exploits §  Integrates with cloud to prevent known &

unknown malware

Next-Generation Endpoint


The failures of traditional approaches

EXE

Legacy Endpoint Protection

Known signature? NO

Known strings? NO

Previously seen behavior?

NO PDF

Malware direct execution

Exploit vulnerability

to run any code

Targeted Evasive Advanced


Introducing Traps The right way to deal with advanced cyber threats

Prevent Exploits Including zero-day exploits

Prevent Malware Including advanced & unknown malware

Collect Attempted-Attack Forensics For further analysis

Scalable & Lightweight Must be user-friendly and cover complete enterprise

Integrate with Network and Cloud Security For data exchange and crossed-organization protection


Block the core techniques – not the individual attacks

Software Vulnerability Exploits Exploitation Techniques

Thousands of new vulnerabilities and exploits a year

Only 2-4 new exploit techniques a year

Malware Malware Techniques

Millions of new malware every year 10’s – 100’s of new malware

sub-techniques every year


Exploit prevention – how it works

Document is opened by user

Traps seamlessly injected into processes

Process is protected as exploit attempt is

trapped

CPU <0.1%

When an exploitation attempt is made, the exploit hits a “trap” and fails before any malicious activity is initiated.

Attack is blocked before any successful

malicious activity

Safe! Process is terminated

Forensic data is collected

User\admin is notified

Traps triggers immediate actions

Reported to ESM


Malware prevention

Policy-Based Restrictions

WildFire Inspection

Malware Techniques Mitigation

Limit surface area of attack control source of file installation

Prevent known malware with cloud-based integration

Prevent unknown malware with technique-based mitigation


User tries to open executable file

Policy-based Restrictions Applied

HASH checked against WildFire

File is allowed to

execute

Malware technique prevention employed

Malware prevention – how it works

Safe! Reported to ESM


Ongoing attack-triggered forensics

Ongoing recording

-  Any files execution -  Time of execution -  File name -  File HASH -  User name -  Computer name -  IP address -  OS version -  File’s malicious history

-  Any interference with Traps service

-  Traps Process shutdown attempt -  Traps Service shutdown attempt -  Related system logs

Exploit or malware hits a “trap” and triggers real-time collection

-  Attack-related forensics -  Time stamp -  Triggering File (non executable) -  File source -  Involved URLs\URI -  Prevented exploitation technique -  IP address -  OS version -  Version of attempted vulnerable software -  All components loaded to memory under attacked process -  Full memory dump -  Indications of further memory corruption activity -  User name and computer name


Endpoint Security Manager (ESM)

3-tier management structure •  ESM platform •  Database •  Connection server

(each supports ~10,000 endpoints -scales horizontally)

All-in-one management center •  Configuration management •  Logging and DB query •  Admin dashboard and security overview •  Forensics captures •  Integration configuration

Database -‐ Designated or integra4on with exis4ng

Connec4on server

PCs, servers, VMs, VDI, Citrix session, thin client, embedded

ESM Syslog

SCCM

Connec4on server

Connec4on server


Coverage and system requirements

Supported operating systems Workstations •  Windows XP SP3 •  Windows 7 •  Windows 8.1

Servers •  Windows Server 2003 •  Windows Server 2008 (+R2) •  Windows Server 2012 (+R2)

Footprint •  25 MB •  0.1% CPU •  Very Low I\O


Benefits

Business

§ Prevent breaches, not just detect

§ Increases business continuity

§ Lowers TCO

Operations

§ Save time and money on Forensics and remediation

§ Easy to manage, does not require frequent updates

§ Zero-day coverage

IT

§ Install patches on your own schedule

§ Compatible with existing solutions

§ Minimal performance impact

Intelligence

§ Access to threat intel through WildFire integration

§ Attack-triggered forensics collection



Traditional Detection

“Detection & Remediation”

•  Requires Prior Knowledge •  Scanning vs activity-focused •  Can be reverse engineered

•  The sensor is the vulnerability •  Malicious activity can disable

detection •  Remediation takes a great effort •  Too much noise – detection is

ignored

Network-layer security •  Can’t see all content •  No visibility to endpoint infections •  Hard to block malicious activity

on legit protocols

Cloud-based emulation •  Can’t simulate all environments •  Threat emulation can be identified

by the malware •  Cant’ enforce actions on the endpoint

Why advanced endpoint protection

Documents

Traps – Advanced Endpoint Protectioninfosek.net/gradiva-INFOSEK-2014/Gradivo_Infosek/... · Prevent Exploits Including zero-day exploits Prevent Malware Including advanced & unknown