Cyber Threats: Industry Trends and Actionable Advice
Presented by: Elton Fontaine
Palo Alto Networks Modern Malware
Elton Fontaine: CCIE, CNSE; SE Manager – West Territory
Palo Alto Networks
What are we seeing
Key Facts and Figures - Americas
4 | ©2014 Palo Alto Networks. Confidential and Proprietary.
• 2,200+ networks analyzed
• 1,600 applications detected
• 31 petabytes of bandwidth
• 4,600+ unique threats
• Billions of threat logs
Common Sharing Applications are Heavily Used
Application Variants
How many video and filesharing applications are needed to run the business?
Source: Palo Alto Networks, Application Usage and Threat Report. May 2014.
Bandwidth Consumed
20% of all bandwidth consumed by file-sharing and video alone
High in Threat Delivery; Low in Activity
11% of all threats observed are code execution exploits within common sharing applications
Most commonly used applications: email (SMTP, Outlook Web, Yahoo! Mail), social media (Facebook, Twitter) and file-sharing (FTP)
Source: Palo Alto Networks, Application Usage and Threat Report. May 2014.
Low Activity: Effective Security or Something Else?
(7) Code execution exploits seen in SMTP, POP3, IMAP and web browsing.
(Chart categories: IMAP, SMTP, POP3, Web browsing)
Smoke.loader botnet controller:
• Delivers and manages payload
• Steals passwords
• Encrypts payload
• Posts to URLs
• Anonymizes identity
Malware Activity Hiding in Plain Sight: UDP
(Diagram: Blackhole Exploit Kit delivers ZeroAccess; the end point is controlled and monetized ($$$) through Bitcoin mining, SPAM and click fraud)
• Distributed computing = resilience
• High-numbered UDP ports mask its use
• Multiple techniques to evade detection
• Robs your network of processing power
Unknown UDP Hides Significant Threat Activity
1 application = 96% of all malware logs
ZeroAccess.Gen command & control traffic represents nearly all malware activity
Source: Palo Alto Networks, Application Usage and Threat Report. May 2014.
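The two slides above make one operational point: the "unknown UDP" bucket deserves inspection, because a peer-to-peer bot like ZeroAccess fans out from one host to many peers over high-numbered UDP ports that no application signature claims. The following is an added example (not code from the slide deck or from Palo Alto Networks) that runs that check over constructed flow records; the field names, the sample addresses and the thresholds are assumptions chosen for illustration.

```python
"""Surface hosts whose unknown-UDP traffic looks like peer-to-peer C2.

Added example, not from the slide deck. The flow records are constructed
sample data; field names and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # internal host
    dst: str        # external peer
    proto: str      # "udp" or "tcp"
    dport: int      # destination port
    app: str        # application the firewall identified; "unknown-udp" if none
    bytes_out: int  # bytes sent by src


# Constructed sample flows (documentation address ranges, not real traffic).
SAMPLE_FLOWS = [
    # 10.0.0.5: many distinct peers on many distinct high UDP ports, no app match
    Flow("10.0.0.5", "203.0.113.10", "udp", 16464, "unknown-udp", 420),
    Flow("10.0.0.5", "203.0.113.21", "udp", 16465, "unknown-udp", 380),
    Flow("10.0.0.5", "198.51.100.7", "udp", 16470, "unknown-udp", 390),
    Flow("10.0.0.5", "198.51.100.9", "udp", 16471, "unknown-udp", 410),
    Flow("10.0.0.5", "192.0.2.33",   "udp", 16464, "unknown-udp", 400),
    Flow("10.0.0.5", "192.0.2.44",   "udp", 16475, "unknown-udp", 395),
    # 10.0.0.7: a couple of unknown-udp flows to a single peer (an unidentified game, say)
    Flow("10.0.0.7", "203.0.113.99", "udp", 27015, "unknown-udp", 1200),
    Flow("10.0.0.7", "203.0.113.99", "udp", 27015, "unknown-udp", 1100),
    # 10.0.0.9: ordinary, identified traffic
    Flow("10.0.0.9", "192.0.2.53",   "udp", 53,    "dns",         80),
    Flow("10.0.0.9", "192.0.2.80",   "tcp", 443,   "ssl",         5000),
]


def find_p2p_candidates(flows, min_peers=5, min_port=1024, min_ports=3):
    """Return (host, distinct_peers, distinct_ports, bytes_out) for hosts whose
    unknown-UDP traffic to high ports reaches at least min_peers peers over at
    least min_ports distinct ports. Sorted by peer count, descending."""
    peers = defaultdict(set)
    ports = defaultdict(set)
    volume = defaultdict(int)
    for f in flows:
        if f.proto != "udp" or f.app != "unknown-udp" or f.dport < min_port:
            continue
        peers[f.src].add(f.dst)
        ports[f.src].add(f.dport)
        volume[f.src] += f.bytes_out
    hits = [
        (host, len(peers[host]), len(ports[host]), volume[host])
        for host in peers
        if len(peers[host]) >= min_peers and len(ports[host]) >= min_ports
    ]
    return sorted(hits, key=lambda h: h[1], reverse=True)


def unknown_udp_share(flows):
    """Fraction of all outbound bytes the firewall could not attribute to an
    application over UDP: the 'unknown' bucket the slides say to inspect."""
    total = sum(f.bytes_out for f in flows)
    unknown = sum(f.bytes_out for f in flows if f.app == "unknown-udp")
    return unknown / total if total else 0.0


if __name__ == "__main__":
    print(f"unknown-udp share of bytes: {unknown_udp_share(SAMPLE_FLOWS):.1%}")
    for host, n_peers, n_ports, n_bytes in find_p2p_candidates(SAMPLE_FLOWS):
        print(f"review {host}: {n_peers} peers, {n_ports} ports, {n_bytes} bytes")
```

The fan-out test is what separates a bot from an unidentified but legitimate UDP application: 10.0.0.7 also generates unknown-udp, but to one peer on one port, so it stays below both thresholds. Tune min_peers and min_ports to the site's own baseline before alerting on it.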
Business Applications = Heaviest Exploit Activity
90% of the exploit activity was found in 10 applications
Primary source: Brute force attacks
Source: Palo Alto Networks, Application Usage and Threat Report. May 2014.
Target data breach – APTs in action
• Recon on companies Target works with
• Spearphishing third-party HVAC contractor
• Breached Target network with stolen payment system credentials
• Moved laterally within Target network and installed POS malware
• Compromised internal server to collect customer data
• Exfiltrated data to command-and-control servers over FTP
• Maintain access (throughout)
Best Practices
Security from Policy to Application
• What assumptions drive your security policy?
• Does your current security implementation adequately reflect that policy?
• Does your current security implementation provide the visibility and insight needed to shape your policy?
(Cycle: Assumptions → Policy → Implementation → Visibility & Insight)
Security Perimeter Paradigm
(Diagram: organized attackers move through the enterprise: Infection → Command and Control → Escalation → Exfiltration)
Is there malware inside your network today?
Applications provide exfiltration:
• Threat communication
• Confidential data
Application Visibility
• Reduce attack surface
• Identify applications that circumvent security policy
• Full traffic visibility that provides insight to drive policy
• Identify and inspect unknown traffic
Identify All Users
• Do NOT trust, always verify all access
• Base security policy on users and their roles, not IP addresses
• For groups of users, tie access to specific groups of applications
• Limit the amount of exfiltration via network segmentation
SSL/Port 443: The Universal Firewall Bypass
Challenge: Is SSL used to protect data and privacy, or to mask malicious actions?
Applications and malware families seen on tcp/443: Freegate, TDL-4, Poison Ivy, Rustock, APT1, Ramnit, Bot, Citadel, Aurora, Gozi
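Answering the slide's question starts with a cheap check: does what arrives on tcp/443 actually begin as TLS? A port-based rule cannot tell; inspecting the first record header can. Below is an added example (not code from the slide deck or from Palo Alto Networks) that classifies the opening bytes of a connection as a TLS ClientHello, some other TLS record, plaintext HTTP, or something that is not TLS at all. The captured payloads are constructed and truncated for illustration.

```python
"""Classify the first bytes seen on tcp/443: genuine TLS or something else
hiding on the port. Added example, not from the slide deck; the payloads are
constructed, truncated samples rather than real captures."""

TLS_HANDSHAKE = 0x16          # record content type: handshake
TLS_OTHER_RECORDS = (0x14, 0x15, 0x17)  # change_cipher_spec, alert, application_data
CLIENT_HELLO = 0x01           # handshake message type
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT ")


def classify_443_payload(data: bytes) -> str:
    """Return 'tls-client-hello', 'tls-other-record', 'http-plaintext' or
    'non-tls'. Only the record header (type, version, length) and the handshake
    header are inspected, so the first few bytes of the first packet suffice."""
    if any(data.startswith(m) for m in HTTP_METHODS):
        return "http-plaintext"
    # A TLS record starts: content type, version 0x03 0x00..0x04, 2-byte length.
    if len(data) < 5 or data[1] != 0x03 or data[2] > 0x04:
        return "non-tls"
    record_len = int.from_bytes(data[3:5], "big")
    if data[0] == TLS_HANDSHAKE:
        # A ClientHello is one handshake message whose 4-byte header
        # (type + 3-byte length) plus body fills the whole record.
        if len(data) >= 9 and data[5] == CLIENT_HELLO:
            hs_len = int.from_bytes(data[6:9], "big")
            if hs_len + 4 == record_len:
                return "tls-client-hello"
        return "tls-other-record"
    if data[0] in TLS_OTHER_RECORDS:
        return "tls-other-record"
    return "non-tls"


# Constructed samples (labels are assumptions for the demo, not real traffic).
# Record: handshake, TLS 1.0 framing, length 0xc4; message: ClientHello, length 0xc0.
SAMPLE_CLIENT_HELLO = bytes.fromhex("16030100c4010000c00303") + b"\x00" * 32
SAMPLE_HTTP = b"GET /update HTTP/1.1\r\nHost: 203.0.113.5\r\n\r\n"
SAMPLE_CUSTOM = bytes.fromhex("deadbeef00000010") + b"\x41" * 16
# Application-data record with no handshake seen first in this capture.
SAMPLE_APP_DATA = bytes.fromhex("170303002a") + b"\x00" * 42

SAMPLE_CAPTURES = [
    ("browser-session", SAMPLE_CLIENT_HELLO),
    ("plaintext-http", SAMPLE_HTTP),
    ("custom-binary", SAMPLE_CUSTOM),
    ("app-data-first", SAMPLE_APP_DATA),
]


def review_queue(captures):
    """Everything on 443 that did not open with a ClientHello goes to review:
    plaintext on an SSL port, a custom protocol, or a mid-stream capture that
    needs the full session before it can be trusted."""
    return [(label, classify_443_payload(payload))
            for label, payload in captures
            if classify_443_payload(payload) != "tls-client-hello"]


if __name__ == "__main__":
    for label, verdict in review_queue(SAMPLE_CAPTURES):
        print(f"{label}: {verdict}")
```

The check is deliberately narrow: a correct ClientHello only proves the session is TLS, not that it is benign, which is why the slide's malware list matters. Distinguishing the two needs decryption or certificate and destination reputation on top of this, but rejecting non-TLS traffic on 443 removes the cheapest evasion.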
Evolution of Network Segmentation & Datacenter Security
• Layer 1-4 stateful firewall: packet filtering, ACLs, IP/port-based firewalling for known traffic?
• Layer 7 “Next Generation” appliance: port-hopping applications, malware, mobile users – different entry points into the DC?
• Platform solution
Modern Attacks Are Coordinated
1. Bait the end-user: end-user lured to a dangerous application or website containing malicious content
2. Exploit: infected content exploits the end-user, often without their knowledge
3. Download Backdoor: secondary payload is downloaded in the background; malware installed
4. Establish Back-Channel: malware establishes an outbound connection to the attacker for ongoing control
5. Explore & Steal: remote attacker has control inside the network and escalates the attack
Controls (App-ID, URL filtering, IPS threat prevention, anti-spyware, AV, file blocking, WildFire) mapped to each stage:
• Bait the end-user: block high-risk apps; block known malware sites
• Exploit: block the exploit
• Download Backdoor: prevent drive-by downloads; detect unknown malware; block malware
• Establish Back-Channel: block spyware and C&C traffic; block C&C on non-standard ports; block malware and fast-flux domains; block new C&C traffic
• Explore & Steal
Coordinated intelligence to detect and block active attacks based on signatures, sources and behaviors
Coordinated Threat Prevention: An Integrated Approach to Threat Prevention
• Reduce attack surface
• Adapt to Day-0 threats
Threat Intelligence Sources (cloud and on-prem): WildFire users, WildFire, Anti-C&C signatures, Malware URL filtering, DNS signatures, AV signatures, WildFire signatures
Update cadences shown on the slide: ~30 minutes, daily, daily, constant, 1 week
Contextual Awareness