
Breaking the Lifecycle of the Modern Threat

Santiago Polo
Sr. Systems Engineer
Palo Alto Networks, Inc.
About Palo Alto Networks

• Palo Alto Networks is the Network Security Company


• World-class team with strong security and networking experience
- Founded in 2005, first customer July 2007
- Top-tier investors

• Builds next-generation firewalls that identify / control 1400+ applications


- Restores the firewall as the core of the enterprise network security infrastructure
- Innovations: App-ID™, User-ID™, Content-ID™

• Global footprint: 6,000+ customers in 70+ countries, 24/7 support


What Has Changed / What is the Same
• The attacker changed
- Nation-states
- Criminal organizations
- Political groups

• Attack strategy evolved
- Patient, multi-step process
- Compromise user, then expand

• Attack techniques evolved
- New ways of delivering malware
- Hiding malware communications
- Signature avoidance

The Sky is Not Falling
- Not new, just more common
- Solutions exist
- Don’t fall into “the APT ate my homework” trap
Strategy: Patient Multi-Step Intrusions

[Diagram: Organized Attackers → The Enterprise; stages: Infection → Command and Control → Escalation → Exfiltration]
Challenges to Traditional Security
• Threats coordinate multiple techniques, while security is segmented into silos
- Exploits, malware, spyware, obfuscation all part of a patient, multi-step intrusion

• Threats take advantage of security blind spots to keep from being seen
- Patient attacks must repeatedly cross the perimeter without being detected

• Targeted and custom malware can bypass traditional signatures
- The leading edge of an attack is increasingly malware that has never been seen before.
Regaining Control Over Modern Threats

New Requirements for Threat Prevention
1. Full Visibility - all traffic regardless of port, protocol, evasive tactic or SSL
2. Stop all known network threats
- (IPS, Anti-malware, URL, etc.) while maintaining multi-gigabit performance
3. Find and stop new and unknown threats
- even without a pre-existing signature

[Figure: threat cloud listing Fast Flux, Vulnerabilities, Denial of Service, SQL Injection, Malware Sites, Dangerous URLs, Malware, Botnets, Cross-Site Scripting, Key Loggers]
Page 6 | © 2011 Palo Alto Networks. Proprietary and Confidential.


Visibility
• Visibility is Fundamental
- You can’t stop what you can’t see
- Virtually all threats other than DoS depend on avoiding security

• Full Stack Inspection of All Traffic
- All traffic, on all ports, all the time
- Progressive decoding of traffic to find hidden, tunneled streams
- Contextual decryption of SSL

• Control the Applications That Hide Traffic
- Limit traffic to approved proxies, remote desktop applications
- Block bad applications like encrypted tunnels, circumventors
Control the Methods Threats Use to Hide
If you can’t see it, you can’t stop it

[Diagram: Circumventors and Tunnels; Encryption (e.g. SSL); Proxies (e.g. CGIProxy); Compression (e.g. GZIP); Outbound C&C Traffic]

• Encrypted Traffic
- SSL is the new standard

• Proxies
- Reverse proxies are hacker favorites

• Remote Desktop
- Increasingly standard

• Compressed Content
- ZIP files, compressed HTTP

• Encrypted Tunnels
- Hamachi, Ultrasurf, Tor
- Purpose-built to avoid security
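The "progressive decoding" and "compressed content" points above describe peeling compression layers off traffic until the real payload can be inspected. The following is an added example, not code from the original deck or from any Palo Alto Networks product: a small Python inspector that recognizes gzip and ZIP by magic bytes, recursively unwraps them, and flags a Windows executable hidden inside a gzip-encoded HTTP body carrying a ZIP. The depth and output-size limits, the sample HTTP body, and the file names inside it are all constructed for this example; the limits exist because a crafted archive (deep nesting or a decompression bomb) would otherwise exhaust the inspector itself.

```python
import gzip
import io
import zipfile
import zlib

# Inspection limits (assumed values for this example): a crafted archive must not
# be able to exhaust the inspector through deep nesting or huge decompressed output.
MAX_DEPTH = 4
MAX_OUTPUT_BYTES = 1_000_000

GZIP_MAGIC = b"\x1f\x8b"
ZIP_MAGIC = b"PK\x03\x04"
PE_MAGIC = b"MZ"  # Windows executable header


def bounded_gunzip(data: bytes) -> bytes:
    """Inflate a gzip stream, refusing output larger than MAX_OUTPUT_BYTES."""
    inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    out = inflater.decompress(data, MAX_OUTPUT_BYTES + 1)  # stop inflating at the cap
    if len(out) > MAX_OUTPUT_BYTES:
        raise ValueError("gzip output exceeds inspection limit")
    return out


def decode_progressively(data: bytes, path: str = "body", depth: int = 0) -> list[tuple[str, bytes]]:
    """Peel compression layers until plain payloads remain.

    Returns (layer_path, payload) leaves. A leaf whose path ends in '[depth limit]'
    was deliberately left undecoded because nesting exceeded MAX_DEPTH.
    """
    if depth > MAX_DEPTH:
        return [(path + " [depth limit]", data)]
    if data.startswith(GZIP_MAGIC):
        return decode_progressively(bounded_gunzip(data), path + "/gzip", depth + 1)
    if data.startswith(ZIP_MAGIC):
        leaves = []
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                # zipfile stops reading at the declared size and verifies the CRC,
                # so checking the declared size bounds what read() can return.
                if info.file_size > MAX_OUTPUT_BYTES:
                    raise ValueError(f"{info.filename} exceeds inspection limit")
                member = archive.read(info)
                leaves.extend(decode_progressively(member, f"{path}/zip:{info.filename}", depth + 1))
        return leaves
    return [(path, data)]


def find_executables(leaves: list[tuple[str, bytes]]) -> list[str]:
    """Paths of leaves that carry a PE header, however deeply they were nested."""
    return [path for path, payload in leaves if payload.startswith(PE_MAGIC)]


def build_sample_body() -> bytes:
    """Constructed input: a gzip-encoded HTTP body wrapping a ZIP that hides a PE file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("readme.txt", "Your delivery notification is attached.")
        archive.writestr("DHL-express-tracking-delivery-notification.exe", PE_MAGIC + b"\x00" * 64)
    return gzip.compress(buf.getvalue())


def build_nested_gzip(layers: int) -> bytes:
    """Constructed input: the same short payload gzip-wrapped `layers` times."""
    data = b"plain"
    for _ in range(layers):
        data = gzip.compress(data)
    return data


if __name__ == "__main__":
    leaves = decode_progressively(build_sample_body())
    for path, payload in leaves:
        print(f"{path}: {len(payload)} bytes")
    print("executables:", find_executables(leaves))
    print("over-nested:", decode_progressively(build_nested_gzip(6))[0][0])
```

The inspector only reports what it finds; the policy decision (block the executable, log the over-nested stream) belongs to the caller. Decompression is bounded twice: the gzip inflater is told how much output to produce, and ZIP members are checked against their declared size before being read.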


Block the Applications That Hide Traffic
• Block Unneeded and High-Risk Applications
- Block (or limit) peer-to-peer applications
- Block unneeded applications that can tunnel other applications
- Review the need for applications known to be used by malware
- Block anonymizers such as Tor
- Block encrypted tunnel applications such as UltraSurf
- Limit use to approved proxies
- Limit use of remote desktop
Control Known Threats
• Modern attacks are patient and use multiple techniques
- Threats are more than exploits
- Malware
- Dangerous URLs
- Spyware
- Command and Control Traffic
- Circumvention Techniques

• Context is Key
- Clear visibility into all URLs, users, applications and files connected to a particular threat

“Okay, but what about unknown and targeted malware?”


The Malware Window of Opportunity

[Diagram: Total Time Exposed = time required to capture 1st sample of malware in the wild + time required to create and verify malware signature + time before antivirus definitions are updated]
Days and weeks until users are protected by traditional signatures

Attackers Target the Window of Opportunity
• Targeted Attacks
• Malware Construction Kits
• Refreshed Malware
Controlling Unknown Malware Using the Next-Generation Firewall
• Introducing WildFire
- New feature of the Palo Alto Networks NGFW
- Captures unknown inbound files and analyzes them for 70+ malicious behaviors
- Analysis performed in a cloud-based, virtual sandbox

• Automatically generates signatures for identified malware
- Infecting files and command-and-control
- Distributes signatures to all firewalls via regular threat updates

• Provides forensics and insight into malware behavior
- Actions on the target machine
- Applications, users and URLs involved with the malware


Case Study - Password Stealing Botnets

Overview
Threat Type: Botnet, similar to the notorious ZeuS banking botnet
Target: Targets end-users with the goal of stealing passwords
Transmission Methods: Heavy use of email, some use of HTTP
Key Actions:
• Steals email and FTP credentials
• Steals cookies from browsers
• Decrypts and sniffs SSL sessions
• Uses anti-VM techniques
File Name(s):
• American_Airlines_E-Ticket-printing-copy
• DHL-express-tracking-delivery-notification
Initial Detection Rates: Very low detection rates, sometimes for several days. Heavy use of packers.


Malware Analysis
Case Study - Enterprise Phishing

• Shipping and Security are common topics for enterprise phishing
- Fake DHL, USPS, UPS and FedEx delivery messages
- Fake CERT notifications

• Ongoing Phishing Operations
- Large volumes of malware – commonly in the top 3 of daily unknown malware seen in enterprises
- Correlate new malware talking back to the same malware servers
- Refreshed daily to avoid traditional AV signatures

Example lure file names: DHL-international-shipping-ID, DHL-international-shipping-notification, DHL-Express-Notification-JAN, United-Parcel-Service-Invoice, USPS-Failed-Delivery_Notification, US-CERT Operations Center Report, USPS Report
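The WildFire slide above says signatures are generated for both the infecting file and its command-and-control, and this case study says new samples are refreshed daily yet talk back to the same servers. The following is an added example, not code from the original deck or from WildFire, showing why the second signature layer matters: it takes sandbox verdicts, derives file-hash signatures plus a C&C blocklist corroborated by more than one sample, and then checks a "refreshed" next-day sample. The report structure, the allowlist of shared infrastructure, the lure keywords, and every hash and hostname are constructed placeholders for this example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed allowlist: hosts that malware and clean software alike contact, so a shared
# CDN or update server is never promoted to a command-and-control signature.
KNOWN_GOOD_HOSTS = {"cdn.example", "updates.example"}

# Crude keyword themes for the lures named on the slides (assumed, substring match).
SHIPPING_LURES = ("dhl", "usps", "ups", "fedex", "parcel")
CERT_LURES = ("cert",)


@dataclass
class SandboxReport:
    """One verdict as a sandbox might emit it (constructed shape; hashes are placeholders)."""
    sha256: str
    filename: str
    contacted_hosts: list
    malicious: bool


def lure_theme(filename: str):
    """Classify a lure file name by theme; None when no known keyword matches."""
    name = filename.lower()
    if any(k in name for k in CERT_LURES):
        return "security-notification"
    if any(k in name for k in SHIPPING_LURES):
        return "shipping"
    return None


def build_signatures(reports, min_corroboration=2):
    """Derive two signature layers from sandbox verdicts.

    file_hashes: hashes of every file judged malicious (catches the exact sample).
    blocklist:   non-allowlisted servers contacted by at least `min_corroboration`
                 distinct malicious samples (corroborated C&C).
    watchlist:   servers seen from fewer samples; worth review, not yet blocked.
    """
    file_hashes = {r.sha256 for r in reports if r.malicious}
    samples_per_host = defaultdict(set)
    for r in reports:
        if not r.malicious:
            continue
        for host in r.contacted_hosts:
            if host not in KNOWN_GOOD_HOSTS:
                samples_per_host[host].add(r.sha256)
    blocklist = {h for h, s in samples_per_host.items() if len(s) >= min_corroboration}
    watchlist = set(samples_per_host) - blocklist
    return file_hashes, blocklist, watchlist


def classify(report, file_hashes, blocklist):
    """Which signature layer would stop this file: 'hash', 'c2', or None."""
    if report.sha256 in file_hashes:
        return "hash"
    if any(h in blocklist for h in report.contacted_hosts):
        return "c2"
    return None


def lure_counts(reports):
    """How many malicious samples fall under each lure theme."""
    return Counter(lure_theme(r.filename) for r in reports if r.malicious)


# Constructed day-one verdicts: two shipping lures share one server, a CERT lure
# uses another, and one clean installer only talks to its update server.
DAY1 = [
    SandboxReport("sha256-placeholder-1", "DHL-express-tracking-delivery-notification.exe",
                  ["cnc-1.example", "cdn.example"], True),
    SandboxReport("sha256-placeholder-2", "USPS-Failed-Delivery_Notification.exe",
                  ["cnc-1.example"], True),
    SandboxReport("sha256-placeholder-3", "setup.exe", ["updates.example"], False),
    SandboxReport("sha256-placeholder-4", "US-CERT_Operations_Center_Report.exe",
                  ["cnc-2.example", "cdn.example"], True),
]

# Constructed day-two sample: repacked (new hash, new lure name), same server.
DAY2_REFRESHED = SandboxReport("sha256-placeholder-5", "DHL-international-shipping-notification.exe",
                               ["cnc-1.example"], True)


if __name__ == "__main__":
    file_hashes, blocklist, watchlist = build_signatures(DAY1)
    print("blocklist:", sorted(blocklist), "watchlist:", sorted(watchlist))
    print("lure themes:", dict(lure_counts(DAY1)))
    print("refreshed sample caught by:", classify(DAY2_REFRESHED, file_hashes, blocklist))
```

The refreshed sample defeats the hash layer by design, which is the "refreshed daily to avoid traditional AV signatures" point; it is the corroborated server signature that still catches it. Requiring two distinct samples before blocking a host is the assumption that keeps a single misverdict from blocking a legitimate destination.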
Trusted Sources

CNET/Download.com
• Strong reputation for providing safe downloads of shareware and freeware that are verified to be malware free.
• In early December 2011 WildFire began identifying files from Download.com as containing spyware.
• CNET had begun providing software downloads in a wrapper that installed subtle spyware designed to track shopping habits
• Changed a variety of client and browser security settings

Observed behaviors:
- Changed security settings
- Changed proxy settings
- Changed Internet Explorer settings
- Installed a service to leak advertising and shopping data over HTTP POSTs.
An Integrated Approach to Threat Prevention

Applications
• All traffic, all ports, all the time
• Application signatures
• Heuristics
• Decryption
- Reduce the attack surface
- Remove the ability to hide traffic

Exploits & Malware
• Block threats on all ports
• NSS Labs Recommended IPS
• Millions of malware samples
- Prevents known threats
- Exploits, malware, C&C

Dangerous URLs
• Malware hosting URLs
• Newly registered domains
• SSL decryption of high-risk sites
- Block known sources of threats
- Be wary of unclassified and new domains

Unknown & Targeted Threats
• WildFire control of unknown and targeted malware
• Unknown traffic analysis
• Anomalous network behaviors
- Pinpoints live infections and targeted attacks

Decreasing Risk (left to right across the four columns)


Roundtable Discussion
