Modern Malware Mixer

Transcript of the Palo Alto Networks slide deck "Modern Malware Mixer" (31 slides, 2012).

Page 1: Modern Malware Mixer

Page 2: Palo Alto Networks at a Glance

Corporate Highlights

• Disruptive Network Security Platform
• Safely Enabling Applications
• Able to Address All Network Security Needs
• Exceptional Growth and Global Presence
• Experienced Technology and Management Team
• 800+ Employees

[Chart: Enterprise Customers. Jul-10: 1,800; Jul-11: 4,700; Jul-12: 9,000]

[Chart: Revenue ($MM, FYE July). FY09: $13; FY10: $49; FY11: $119; FY12: $255]

Page 2 | © 2012 Palo Alto Networks. Proprietary and Confidential.

Page 3: Leading the Way in Next-Generation Firewalls

• Gartner Enterprise Network Firewall Magic Quadrant: Palo Alto Networks recognized as a Leader
• Forrester IPS Market Overview: strong IPS solution; demonstrates effective consolidation
• NetworkWorld Test: most stringent NGFW test to date; validated sustained performance
• NSS Tests
  - IPS: Palo Alto Networks NGFW tested against competitors’ standalone IPS devices; NSS Recommended
  - Firewall: traditional port-based firewall test; Palo Alto Networks most efficient by a wide margin; NSS Recommended
  - NGFW: Palo Alto Networks best combination of protection, performance, and value; NSS Recommended (1 of only 3)

Page 4: What Has Changed / What Is the Same

• The attacker changed
  - Nation-states
  - Criminal organizations
  - Political groups
• Attack strategy evolved
  - Patient, multi-step process
  - Compromise user, then expand
• Attack techniques evolved
  - New ways of delivering malware
  - Hiding malware communications
  - Signature avoidance

The Sky Is Not Falling

- Not new, just more common
- Solutions exist
- Don’t fall into “the APT ate my homework” trap

Page 5: Strategy: Patient Multi-Step Intrusions

[Diagram: organized attackers against the enterprise, in stages: Infection, Command and Control, Escalation, Exfiltration]

Page 6: Challenges to Traditional Security

• Threats coordinate multiple techniques, while security is segmented into silos
  - Social engineering, exploits, malware, spyware, obfuscation all part of a patient, multi-step intrusion
• Threats take advantage of security blind spots to keep from being seen
  - Patient attacks must repeatedly cross the perimeter without being detected
• Targeted and custom malware can bypass traditional signatures
  - The leading edge of an attack is increasingly malware that has never been seen before

Page 7: Regaining Control over Modern Threats

New Requirements for Threat Prevention

1. Visibility into all traffic regardless of port, protocol, evasive tactic or SSL
2. Stop all types of known network threats (IPS, anti-malware, URL, etc.) while maintaining multi-gigabit performance
3. Find and stop new and unknown threats even without a pre-existing signature

Page 8: Visibility

• Visibility is fundamental
  - You can’t stop what you can’t see
  - Virtually all threats other than DoS depend on avoiding security
• Full stack inspection of all traffic
  - All traffic, on all ports, all the time
  - Progressive decoding of traffic to find hidden, tunneled streams
  - Contextual decryption of SSL
• Control the applications that hide traffic
  - Limit traffic to approved proxies, remote desktop applications
  - Block bad applications like encrypted tunnels, circumventors
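The port-independent identification this slide calls for, as an added example that is not code from the slide deck or from Palo Alto Networks: a toy classifier fingerprints the first client bytes (SSH banner, TLS record header, RDP connection request, HTTP method) and flags flows where the identified application runs on a non-standard port, plus traffic it cannot identify at all. The flow records, addresses and the simplified fingerprints are constructed for this example.

```python
# Added example (not Palo Alto Networks code): identify the application from
# the first client payload bytes instead of trusting the destination port, then
# flag flows where a recognised application runs on a non-standard port.
# Fingerprints are simplified; the sample flows below are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes sent by the client

# Ports a port-based firewall would assume each application lives on.
STANDARD_PORTS = {"ssh": {22}, "http": {80, 8080}, "tls": {443}, "rdp": {3389}}

def identify_app(payload: bytes) -> Optional[str]:
    """Classify a flow by protocol fingerprint in the first client bytes."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), version major 0x03
    if len(payload) >= 2 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    # RDP: TPKT header 0x03 0x00, X.224 Connection Request code 0xE0 at offset 5
    if len(payload) >= 6 and payload[:2] == b"\x03\x00" and payload[5] == 0xE0:
        return "rdp"
    if any(payload.startswith(m + b" ") for m in (b"GET", b"POST", b"HEAD", b"PUT", b"CONNECT")):
        return "http"
    return None  # no fingerprint matched: unknown traffic

def audit(flows: List[Flow]) -> List[Tuple[str, Flow]]:
    """Return (label, flow) for non-standard-port use and for unknown traffic."""
    findings = []
    for f in flows:
        app = identify_app(f.payload)
        if app is None:
            findings.append(("unknown", f))   # unknown traffic warrants its own review
        elif f.dport not in STANDARD_PORTS[app]:
            findings.append((app, f))         # known app hiding on an unexpected port
    return findings

# Constructed sample flows (RFC 5737 documentation addresses).
SAMPLE_FLOWS = [
    Flow("10.1.1.5", "203.0.113.10", 443, b"\x16\x03\x01\x00\xa5\x01"),        # TLS on 443: expected
    Flow("10.1.1.6", "203.0.113.11", 80, b"GET /index.html HTTP/1.1\r\n"),      # HTTP on 80: expected
    Flow("10.1.1.7", "203.0.113.12", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),          # SSH tunnelled over 443
    Flow("10.1.1.8", "203.0.113.13", 80, b"\x03\x00\x00\x13\x0e\xe0\x00\x00"),  # RDP on port 80
    Flow("10.1.1.9", "203.0.113.14", 8080, b"\x00\x00\x00\x20\x7f\xa2"),        # unrecognised payload
]

if __name__ == "__main__":
    for label, f in audit(SAMPLE_FLOWS):
        print(f"{label:8} {f.src} -> {f.dst}:{f.dport}")
```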

Page 9: Control the Methods Threats Use to Hide

• Encrypted traffic: SSL is the new standard
• Proxies: reverse proxies are hacker favorites
• Remote desktop: increasingly standard
• Compressed content: ZIP files, compressed HTTP
• Encrypted tunnels: Hamachi, Ultrasurf, Tor; purpose-built to avoid security

[Diagram: outbound C&C traffic hidden behind encryption (e.g. SSL), compression (e.g. GZIP), proxies (e.g. CGIProxy), circumventors and tunnels]

If you can’t see it, you can’t stop it

Page 10: Block the Applications That Hide Traffic

Block unneeded and high-risk applications

• Block (or limit) peer-to-peer applications
• Block unneeded applications that can tunnel other applications
• Review the need for applications known to be used by malware
• Block anonymizers such as Tor
• Block encrypted tunnel applications such as UltraSurf
• Limit use to approved proxies
• Limit use of remote desktop

Page 11: Control Known Threats

• Validated and proven IPS
  - 93.4% block rate at NSS Labs while maintaining data sheet performance
• Stream-based anti-malware
  - Millions of malware samples, 50,000 new samples analyzed daily
  - Stream-based analysis enables in-line analysis at line speeds
• Full context
  - Clear visibility into all URLs, users, applications and files connected to a particular threat

• Brute Force
• Code-Execution
• Denial of Service
• Data Leakage
• Overflow
• Scanning
• SQL Injection
• Botnets
• Browser Hijacks
• Adware
• Backdoors
• Keyloggers
• Net-Worms
• Peer-to-Peer

Page 12: Add Protections without Sacrificing Performance

[Chart: performance (axis 0 to 7000) for Firewall + IPS; Firewall + anti-spyware + antivirus; Firewall + anti-spyware + antivirus + IPS; across traffic types: Mixes, HTTP 10KB, HTTP 512KB, HTTP]

Source: Network World, August 2011

Page 13: Single-Pass Parallel Processing™ (SP3) Architecture

Single Pass
• Operations once per packet
  - Traffic classification (app identification)
  - User / group mapping
  - Content scanning – threats, URLs, confidential data
• One policy

Parallel Processing
• Function-specific parallel processing hardware engines
• Separate data / control planes

Up to 20Gbps, Low Latency

Page 14: “Okay, but what about unknown and targeted malware?”

Page 15: The Malware Window of Opportunity

Total Time Exposed, made up of:
• Time required to capture 1st sample of malware in the wild
• Time required to create and verify malware signature
• Time before antivirus definitions are updated

Days and weeks until users are protected by traditional signatures

Page 16: Attackers Target the Window of Opportunity

• Refreshed Malware
• Malware Construction Kits
• Targeted Attacks

Page 17: Controlling Unknown Malware Using the Next-Generation Firewall

• Introducing WildFire
  - New feature of the Palo Alto Networks NGFW
  - Captures unknown inbound files and analyzes them for 70+ malicious behaviors
  - Analysis performed in a cloud-based, virtual sandbox
• Automatically generates signatures for identified malware
  - Infecting files and command-and-control
  - Distributes signatures to all firewalls via regular threat updates
• Provides forensics and insight into malware behavior
  - Actions on the target machine
  - Applications, users and URLs involved with the malware

Page 18: WildFire Architecture

• Potentially malicious files from the Internet
• Policy-based forwarding to WildFire for analysis
• WildFire Analysis Center
  - Sandbox-based analysis looks for over 80 malicious behaviors
  - Generates detailed forensics report
  - Creates antivirus and C&C signatures
• Protection delivered to all customer firewalls

Page 19

Page 20: Case Study - Password Stealing Botnets

Overview

Threat Type: Botnet, similar to the notorious ZeuS banking botnet
Target: Targets end-users with the goal of stealing passwords
Transmission Methods: Heavy use of email, some use of HTTP
Key Actions:
• Steals email and FTP credentials
• Steals cookies from browsers
• Decrypts and sniffs SSL sessions
• Uses anti-VM techniques
File Name(s):
• American_Airlines_E-Ticket-printing-copy
• DHL-express-tracking-delivery-notification
Initial Detection Rates: Very low detection rates, sometimes for several days. Heavy use of packers.

Page 21: Case Study: Re-emergence of Waledac

• Originally a spamming botnet, taken down by Microsoft in 2010 when the C2 servers were taken over
• On Feb 2nd 2012, WildFire detected a new variant of Waledac code on customer networks
• Botnet has been enhanced to obtain credentials for FTP, SMTP, POP3, and more, with full packet capture on the host
• Since initial discovery, WildFire has seen hundreds of unique samples of the botnet malware across 78 customer networks
• Antivirus signature distributed to Palo Alto Networks customers within 24 hours
• Sample went undetected by all major AV products for 2 weeks

Page 22: Malware Analysis

Page 23: Malware Analysis

Page 24: Malware Analysis

Page 25: Case Study - Enterprise Phishing

• Shipping and security are common topics for enterprise phishing
  - Fake DHL, USPS, UPS and FedEx delivery messages
  - Fake CERT notifications
• Ongoing phishing operations
  - Large volumes of malware – commonly in the top 3 of daily unknown malware seen in enterprises
  - Correlate new malware talking back to the same malware servers
  - Refreshed daily to avoid traditional AV signatures

Malware file names observed:
• USPS Report
• DHL-international-shipping-ID
• DHL-international-shipping-notification
• DHL-Express-Notification-JAN
• United-Parcel-Service-Invoice
• US-CERT Operations Center Report
• USPS-Failed-Delivery_Notification
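The correlation idea behind “new malware talking back to the same malware servers”, as an added example that is not from the slide deck or from Palo Alto Networks: samples re-packed daily each carry a fresh hash, so a hash-only signature set covers almost nothing, while grouping sandbox observations by callback host exposes the campaign and lets a single known-bad hash expand into a block list for its siblings. The observations, hash prefixes and `.example` hostnames are constructed placeholders.

```python
# Added example (not Palo Alto Networks code): pivot from file hashes to the
# C2 server a sample calls back to. A campaign that re-packs its lure daily
# gives every sample a new hash, so a hash-only signature set lags; the shared
# callback destination ties the samples together. Observations are constructed.
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# (hash prefix, lure file name, day seen, C2 host contacted in the sandbox)
Observation = Tuple[str, str, str, Optional[str]]

OBSERVATIONS: List[Observation] = [  # constructed; hostnames are placeholders
    ("a1f3", "DHL-international-shipping-ID",           "2012-01-09", "c2-a.example"),
    ("b77c", "DHL-international-shipping-notification", "2012-01-10", "c2-a.example"),
    ("09de", "USPS-Failed-Delivery_Notification",       "2012-01-11", "c2-a.example"),
    ("e4a0", "United-Parcel-Service-Invoice",           "2012-01-11", "c2-b.example"),
    ("5c21", "US-CERT Operations Center Report",        "2012-01-12", "c2-b.example"),
    ("7f8b", "quarterly_numbers.xls",                   "2012-01-12", None),  # no callback
]
KNOWN_BAD = {"a1f3"}  # the single sample for which a hash signature already exists

def signature_coverage(obs: Iterable[Observation], known: Set[str]) -> float:
    """Fraction of observed samples a hash-only signature set would block."""
    obs = list(obs)
    return sum(1 for h, *_ in obs if h in known) / len(obs)

def campaigns_by_c2(obs: Iterable[Observation], min_samples: int = 2) -> Dict[str, List[str]]:
    """Group samples by callback host; groups of min_samples or more look
    like one refreshed campaign. Returns {c2_host: sorted hash list}."""
    groups: Dict[str, Set[str]] = defaultdict(set)
    for h, _name, _day, c2 in obs:
        if c2:
            groups[c2].add(h)
    return {c2: sorted(hs) for c2, hs in groups.items() if len(hs) >= min_samples}

def expand_blocklist(obs: Iterable[Observation], known: Set[str]) -> Set[str]:
    """Known-bad hashes plus every sample that calls back to a host already
    tied to a known-bad sample: the destination, not the hash, is the pivot."""
    obs = list(obs)
    bad_c2 = {c2 for h, _n, _d, c2 in obs if h in known and c2}
    return {h for h, _n, _d, c2 in obs if h in known or (c2 and c2 in bad_c2)}

if __name__ == "__main__":
    print(f"hash-only coverage: {signature_coverage(OBSERVATIONS, KNOWN_BAD):.0%}")
    for c2, hashes in campaigns_by_c2(OBSERVATIONS).items():
        print(f"campaign via {c2}: {', '.join(hashes)}")
    print("expanded blocklist:", sorted(expand_blocklist(OBSERVATIONS, KNOWN_BAD)))
```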

Page 26: Trusted Sources

CNET / Download.com

• Strong reputation for providing safe downloads of shareware and freeware that are verified to be malware free
• In early December 2011 WildFire began identifying files from Download.com as containing spyware
• CNET had begun providing software downloads in a wrapper that installed subtle spyware designed to track shopping habits
• Changed a variety of client and browser security settings
  - Changed security settings
  - Changed proxy settings
  - Changed Internet Explorer settings
• Installed a service to leak advertising and shopping data over HTTP POSTs

Page 27: An Integrated Approach to Threat Prevention

• Reduce the attack surface
• Remove the ability to hide
• Prevent known threats
  - Exploits, malware, C&C traffic
• Block known sources of threats
  - Be wary of unclassified and new domains
• Pinpoint live infections and targeted attacks

Decreasing Risk:

Applications
• All traffic, all ports, all the time
• Application signatures
• Heuristics
• Decryption

Exploits & Malware
• Block threats on all ports
• NSS Labs Recommended IPS
• Millions of malware samples

Dangerous URLs
• Malware hosting URLs
• Newly registered domains
• SSL decryption of high-risk sites

Unknown & Targeted Threats
• WildFire control of unknown and targeted malware
• Unknown traffic analysis
• Anomalous network behaviors

Page 28

Page 29: Grand Prize Drawing – Ignite User Conference

• Winners selected Oct 15 – fill out survey to qualify

Page 30: Application Visibility Report (AVR)

• Report will include:
  - Top applications and high-risk processes on your network
  - Applications that can use HTTP / port 80 to communicate
  - Top URL destination categories being visited by your employees
  - Geographic distribution of your internet traffic – both inbound and outbound – sorted by country
  - Use of non-standard ports by ANY application – FTP, SSH, RDP, Telnet, etc.
  - Top exploits – intrusions, virus, spyware, botnets, etc.
  - Top attackers and top victims
  - Sensitive data leaving your network
  - Top file types being transmitted on your network

See flyer in Modern Malware for Dummies book for details

Page 31: Roundtable Discussion