Preventing Lateral Movement in Virtualization

Preventing Lateral Movement in Virtualization: RETHINKING SECURITY ARCHITECTURE
Pichit Techawiset, Systems Engineer, [email protected]
© 2016, Palo Alto Networks. Confidential and Proprietary.

Transcript of Preventing Lateral Movement in Virtualization

Page 1: Preventing Lateral Movement in Virtualization: RETHINKING SECURITY ARCHITECTURE

Pichit Techawiset, Systems Engineer, [email protected]

Page 2: Changing data center characteristics

§ Shift to dynamic, scalable, self-provisioned compute infrastructure

§ Eliminate compute silos and restrictions on where a workload can run

[Diagram: today's data center (virtualized compute, network and storage) evolving into a software-defined datacenter (private cloud), a hybrid cloud and the public cloud; security functions shown: Firewall, IPS/IDS, Anti-Malware]

Page 3: Random open ports increase datacenter exposure

Ports a domain member needs open towards a domain controller (as listed on the slide):

1) TCP and UDP port 88 for Kerberos authentication

2) TCP port 389 for LDAP

3) TCP port 445 for SMB/CIFS/SMB2 (the slide also lists UDP 445; SMB on port 445 runs over TCP)

4) TCP and UDP port 464 for Kerberos password change

5) TCP ports 3268 and 3269 for the Global Catalog (LDAP and LDAPS)

6) TCP and UDP port 53 for DNS

7) TCP and UDP dynamic port range for DCOM and RPC, allocated through the RPC endpoint mapper (EPM): 1025 to 5000 on Windows Server 2003, 49152 to 65535 from Windows Server 2008 onwards
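The list above is why a port-based rule for "domain traffic" ends up almost wide open: the dynamic RPC range alone is 16384 TCP ports, and once that set is allowed between all servers (because every domain member needs it), SMB or RPC from one tier to another looks no different from a login to the DC. The following Python is an added example and is not code from the slide deck or from Palo Alto Networks. It encodes the slide's port list, adds TCP 135 for the RPC endpoint mapper (an assumption, since the slide lists EPM but not its port), and evaluates constructed flows between three constructed VMs (web01, app01, dc01) against a port-only policy and a tier-aware policy; the application port TCP 8100 is also constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class PortRange:
    proto: str
    low: int
    high: int

    def contains(self, proto: str, port: int) -> bool:
        return proto == self.proto and self.low <= port <= self.high

    def width(self) -> int:
        return self.high - self.low + 1


# Ports from the slide's list for a Windows Server 2008+ domain controller.
# TCP 135 is not on the slide; it is assumed here because DCOM/RPC clients
# contact the endpoint mapper before they use the dynamic range.
AD_PORTS: Tuple[PortRange, ...] = (
    PortRange("tcp", 88, 88), PortRange("udp", 88, 88),        # Kerberos
    PortRange("tcp", 389, 389),                                # LDAP
    PortRange("tcp", 445, 445),                                # SMB/CIFS
    PortRange("tcp", 464, 464), PortRange("udp", 464, 464),    # Kerberos password change
    PortRange("tcp", 3268, 3269),                              # Global Catalog
    PortRange("tcp", 53, 53), PortRange("udp", 53, 53),        # DNS
    PortRange("tcp", 135, 135),                                # RPC endpoint mapper (assumption)
    PortRange("tcp", 49152, 65535),                            # dynamic RPC/DCOM range
)

# Constructed inventory: VM name -> tier.
TIER: Dict[str, str] = {"web01": "web", "app01": "app", "dc01": "dc"}
APP_PORT = (PortRange("tcp", 8100, 8100),)   # constructed application port


@dataclass(frozen=True)
class Rule:
    src_tiers: Optional[FrozenSet[str]]   # None = any source
    dst_tiers: Optional[FrozenSet[str]]   # None = any destination
    ports: Tuple[PortRange, ...]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# Port-only thinking: the AD list is opened between all servers because every
# domain member needs it; only the app port is scoped to web -> app.
PORT_ONLY: List[Rule] = [
    Rule(None, None, AD_PORTS),
    Rule(frozenset({"web"}), frozenset({"app"}), APP_PORT),
]

# Tier-aware policy: AD ports only towards the DC, app port only web -> app.
SEGMENTED: List[Rule] = [
    Rule(None, frozenset({"dc"}), AD_PORTS),
    Rule(frozenset({"web"}), frozenset({"app"}), APP_PORT),
]


def port_footprint(ports: Tuple[PortRange, ...]) -> int:
    """Number of (protocol, port) combinations the list opens."""
    return sum(p.width() for p in ports)


def allowed(policy: List[Rule], flow: Flow) -> bool:
    """First-match evaluation with an implicit deny at the end."""
    for rule in policy:
        if rule.src_tiers is not None and TIER[flow.src] not in rule.src_tiers:
            continue
        if rule.dst_tiers is not None and TIER[flow.dst] not in rule.dst_tiers:
            continue
        if any(p.contains(flow.proto, flow.dport) for p in rule.ports):
            return True
    return False


SAMPLE_FLOWS: Tuple[Flow, ...] = (          # constructed
    Flow("web01", "dc01", "tcp", 88),       # Kerberos to the DC: legitimate
    Flow("web01", "app01", "tcp", 8100),    # application traffic: legitimate
    Flow("web01", "app01", "tcp", 445),     # SMB from web tier to app tier: lateral movement
    Flow("web01", "app01", "tcp", 49700),   # RPC in the dynamic range, same direction
    Flow("app01", "web01", "tcp", 3389),    # RDP: neither policy allows it
)


def lateral_gaps(flows: Tuple[Flow, ...] = SAMPLE_FLOWS) -> List[Flow]:
    """Flows the port-only policy lets through that the segmented policy stops."""
    return [f for f in flows if allowed(PORT_ONLY, f) and not allowed(SEGMENTED, f)]


if __name__ == "__main__":
    print("(proto, port) combinations opened by the AD list:", port_footprint(AD_PORTS))
    for f in SAMPLE_FLOWS:
        print(f"{f.src} -> {f.dst} {f.proto}/{f.dport}: "
              f"port-only={allowed(PORT_ONLY, f)} segmented={allowed(SEGMENTED, f)}")
```

Both policies pass the legitimate Kerberos and application flows and block RDP; the difference is the two east-west flows on 445 and in the dynamic range, which the port-only rule cannot distinguish from domain traffic because it has no notion of which host is the domain controller.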

Page 4: Example of Applications in DC

Page 5: Applications Have Grown More Complex

Applications use multiple ports and multiple protocols to communicate.

[Figure: port clouds for three example applications; the port lists shown in the figure are:
- 80, 443, 135, 137, 139, 3200, 3300, 8000, 3600, 8100, 50013, 50014, 65000
- 443, 3478, 5223, 50000-59999
- 3389, 53, 42, 8, 13, 15, 17, 137, 138, 139, 445, 1025, 123, 507, 750, 88, 464, 389, 636, 3268, 445, 161, 162, 42424, 691, 1024-65535]

Page 6: Datacenter applications are heavily targeted

• Crunchy perimeter, gooey interior?

[Chart: share of exploit logs by application: MS-SQL 25%, MS-RPC 21%, Web Browsing 15%, SMB 11%, MS-SQL Monitor 10%, MS-Office Communicator 10%, SIP 4%, Other 3%, Active Directory 2%, RPC 2%, DNS 1%]

10 out of 1395 applications generated 97% of the exploit logs; 9 of these were datacenter applications.

Source: Palo Alto Networks, Application Usage and Threat Report, Jan. 2013.

Page 7: A notional enterprise

[Diagram: zones User Land, DMZ, Ingress/Egress and Data Center / Infrastructure (DC Core, IS, Data Repo), connected to the Internet; the DMZ hosts Webmail, Partner Portal and Website]

Page 8: Now for the adversary infrastructure

[Diagram: Attacker on the Internet, with adversary infrastructure: Malware Server, C2 Server, Exfil Server]

Page 9: Direct attack to the server

• Another established C2 channel variant

[Diagram: the notional enterprise and adversary infrastructure from pages 7 and 8; direct exploitation of a server loads malware, which then establishes C2 to the C2 Server]

Page 10: Threat Prevention

Protections remove threats from wanted traffic.

Visibility into all types of threats for all traffic and applications.

[Figure: IPS & Anti-Malware, inspecting applications, SSL, .zip, URLs, files, SMTP, TCP and features for vulnerabilities, CnC, viruses, malware, drive-by downloads and malicious DNS]

Page 11: Landing area

Attack client and move to another zone

[Diagram: notional enterprise and adversary infrastructure; malware on the compromised client automatically captures information, followed by information exfiltration to the Exfil Server]

Page 12: WannaCrypt Ransomware

Page 13: WannaCrypt Ransomware (figure)

Source: https://www.europol.europa.eu/wannacry-ransomware

Page 14: Landing area

Attack client and move to another zone

[Diagram: same as page 11]

Page 15: Lateral movement in client zone

Find other computers to compromise

[Diagram: malware on the landing-area client compromises another computer in User Land, loads more malware on it and establishes C2 from it]

Page 16: Lateral movement to server zone

• How an attacker moves through the network – lateral movement

[Diagram: notional enterprise; the attacker moves from the compromised clients in User Land into the server zones (DMZ with Webmail, Website and Partner Portal; Data Center / Infrastructure)]
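The two steps on pages 15 and 16, fanning out across the client zone and then crossing into the server zone, leave a pattern in east-west flow logs that a firewall placed only at the perimeter never sees. The following Python is an added example, not code from the slides or from any Palo Alto Networks product: it runs two checks over a constructed flow log. The zone addresses (10.10.1.0/24 for User Land, 10.100.100.0/24 for the server zone), the hosts, the log format, the thresholds and the port set (TCP 135, 445 and 3389 from the deck's port lists, plus WinRM 5985/5986 as an assumption) are all constructed.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterator, List, Set, Tuple

# Ports an attacker uses to reach the next host: RPC endpoint mapper, SMB, RDP, WinRM.
# 5985/5986 (WinRM) are an assumption beyond the slide's lists.
LATERAL_PORTS = {135, 445, 3389, 5985, 5986}

# Constructed zones standing in for "User Land" and "Data Center / Infrastructure".
CLIENT_ZONE = ipaddress.ip_network("10.10.1.0/24")
SERVER_ZONE = ipaddress.ip_network("10.100.100.0/24")

# Constructed flow log: timestamp, source, destination, protocol, destination port.
# 10.10.1.30 is a normal client reaching a file server; 10.10.1.15 is the landing host.
FLOW_LOG = """\
2016-05-12T10:00:01 10.10.1.31 10.100.100.90 tcp 443
2016-05-12T10:00:05 10.10.1.30 10.100.100.10 tcp 445
2016-05-12T10:01:00 10.10.1.15 10.10.1.20 tcp 445
2016-05-12T10:01:02 10.10.1.15 10.10.1.21 tcp 445
2016-05-12T10:01:04 10.10.1.15 10.10.1.22 tcp 445
2016-05-12T10:01:06 10.10.1.15 10.10.1.23 tcp 445
2016-05-12T10:01:08 10.10.1.15 10.10.1.24 tcp 445
2016-05-12T10:03:30 10.10.1.15 10.100.100.95 tcp 445
"""

Record = Tuple[datetime, str, str, str, int]


def parse(log: str) -> Iterator[Record]:
    """Yield (timestamp, src, dst, proto, dport) per non-empty log line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        yield datetime.fromisoformat(ts), src, dst, proto, int(dport)


def detect(log: str, window_s: int = 300, fanout_threshold: int = 5) -> List[tuple]:
    """Return alerts in the order they fire.

    fan_out:       one source opened lateral-movement ports on at least
                   fanout_threshold distinct hosts within window_s seconds
                   (page 15: finding other computers to compromise).
    zone_crossing: a source already flagged by fan_out then reached the server
                   zone on a lateral-movement port (page 16: moving to the server zone).
    """
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    suspects: Set[str] = set()
    alerts: List[tuple] = []
    for ts, src, dst, proto, dport in parse(log):
        if dport not in LATERAL_PORTS:
            continue
        window = recent[src]
        window.append((ts, dst))
        # Drop connections older than the sliding window.
        while window and (ts - window[0][0]).total_seconds() > window_s:
            window.popleft()
        distinct = {d for _, d in window}
        if len(distinct) >= fanout_threshold and src not in suspects:
            suspects.add(src)
            alerts.append(("fan_out", src, len(distinct), dport))
        if (src in suspects
                and ipaddress.ip_address(src) in CLIENT_ZONE
                and ipaddress.ip_address(dst) in SERVER_ZONE):
            alerts.append(("zone_crossing", src, dst, dport))
    return alerts


if __name__ == "__main__":
    for alert in detect(FLOW_LOG):
        print(alert)
```

The normal client's single SMB session to a file server raises nothing; the fan-out alert fires on the fifth distinct SMB peer, and the later SMB connection from the same host into the server zone is reported as the zone crossing. Both checks need the VM-to-VM flows themselves, which is exactly the visibility gap security challenge #1 below describes.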

Page 17: Command and Control (C2)

• Lateral movement performed until target assets are reached

[Diagram: lateral movement commands issued over C2; the deepest compromise reaches the Data Center / Infrastructure zone; backup foothold assets may be set up]

Page 18: Compromise all zones

• C2 ultimately enables the attacker's endgame, Actions on Objectives

[Diagram: objective-based commands over C2, by zone: information exfiltration; dump domain credentials; steal repository information; steal local credentials; steal local information; deface the site or host malware from it]

Page 19: Security challenge #1

• Firewall placement is based on layer 3 segmentation

• Places physical network constraints on your virtual network

• Unable to transparently insert security into the traffic flow

Physical security devices cannot see East-West traffic

[Diagram: MS-SQL, SharePoint and Web Front End VMs exchanging East-West traffic that a physical firewall does not see]

Page 20: Security challenge #2

• Applications of different trust levels now run on a single server

• Port- and protocol-based security is not sufficient

• VM-to-VM traffic (East-West) may not be inspected

Incomplete security features on existing virtual security solutions

[Diagram: MS-SQL, SharePoint and Web Front End VMs on the same host]

Page 21: Security challenge #3

• Application provisioning can occur in minutes; attribute changes are frequent

• Security approvals and configuration changes may take weeks

• Removal of old servers is slow or does not occur

• Dynamic security policies that understand VM context are needed

Static policies cannot keep pace with dynamic workload deployments

Page 22: VM-Series Virtual Firewall: Supported Virtualization Platforms

Page 23: Enable and protect datacenter applications

Traditional segmentation

§ Applications and data isolated by policy

§ Users granted access based on need

§ Traffic is protected from threats (exploits & malware)

Segmentation with Zero Trust principles

§ VMs and data isolated by policy

§ Users granted access based on need

§ VM-to-VM traffic is protected from threats (exploits & malware)

[Diagram: Security, Application and Network layers, with Panorama]

Page 24: VM-Series for VMware

VM-Series for VMware vSphere (ESXi)

• VM-Series deployed as guest VMs on VMware ESXi

• Control and protect traffic into, and across, the virtual network

• Protect VM-to-VM traffic from lateral threat movement

VM-Series for VMware NSX

• VM-Series for NSX deployed as a service with VMware NSX and Panorama

• Automated deployment, transparent traffic steering, dynamic context-sharing

• Ideal for East-West traffic inspection

Page 25: The Need for a Comprehensive Security Solution

Sophisticated security challenges:

• Applications are not linked to ports & protocols

• Distributed user and device population

• Unknown malware, exploitation, C&C

VMware NSX Platform: NSX Distributed Firewall

• VM-level zoning without VLAN/VXLAN dependencies

• Line-rate access control traffic filtering

• Distributed enforcement at the hypervisor level

Palo Alto Networks Next Generation Security: Next Generation Firewall

• Protection against known and unknown threats

• Visibility and safe application enablement

• User-, device- and application-aware policies

Page 26: Simplified Automation workflows for NSX integration

[Diagram: API integration covering Security Groups creation, Traffic Redirection, Advanced Security Policies and Quarantine]

• Automated security policy creation

• Tag configuration and automated workload quarantine

Page 27: Automated security policy creation workflow

Roles: the Security Admin performs steps 1 and 3; the NSX Admin performs step 2. Example security groups: PCI, DMZ, PROD, DEV.

1) Security Admin creates dynamic address groups within Panorama; the security group information is updated automatically on NSX Manager

2) NSX Admin defines security group membership within NSX

3) Security Admin creates security policies in Panorama based on the security groups; the corresponding redirection policies are created automatically on NSX Manager
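What makes this workflow answer security challenge #3 is that the rules in step 3 reference groups, not addresses: a VM that NSX places into a group (step 2), or that is re-tagged for quarantine (page 26), changes the effective policy without any rule edit. The following Python is an added example of that evaluation model and is not Panorama or NSX code, nor their API. The VM names, tags, group names, application names and the quarantine tag are all constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Set, Tuple


@dataclass
class Inventory:
    """VM name -> set of tags. Tags stand in for NSX security-group membership."""
    tags: Dict[str, Set[str]] = field(default_factory=dict)

    def add_vm(self, vm: str, *tags: str) -> None:
        self.tags[vm] = set(tags)

    def tag(self, vm: str, *tags: str) -> None:
        self.tags[vm].update(tags)

    def untag(self, vm: str, *tags: str) -> None:
        self.tags[vm].difference_update(tags)


@dataclass(frozen=True)
class DynamicGroup:
    """A group defined by a tag match and resolved to VM names at evaluation time,
    the way a dynamic address group is resolved from VM attributes."""
    name: str
    match: Callable[[Set[str]], bool]

    def members(self, inv: Inventory) -> Set[str]:
        return {vm for vm, t in inv.tags.items() if self.match(t)}


def tagged(tag: str) -> Callable[[Set[str]], bool]:
    # A VM carrying the quarantine tag drops out of every normal group.
    return lambda t: tag in t and "quarantine" not in t


QUARANTINE = DynamicGroup("quarantine", lambda t: "quarantine" in t)
ANY = DynamicGroup("any", lambda t: True)
DMZ, PROD, PCI, DEV = (DynamicGroup(n.lower(), tagged(n)) for n in ("DMZ", "PROD", "PCI", "DEV"))


@dataclass(frozen=True)
class Rule:
    name: str
    src: DynamicGroup
    dst: DynamicGroup
    apps: FrozenSet[str]     # {"any"} matches every application
    action: str


# Rules reference groups, never addresses, so membership changes need no rule edits.
POLICY: List[Rule] = [
    Rule("block-quarantined-src", QUARANTINE, ANY, frozenset({"any"}), "deny"),
    Rule("block-quarantined-dst", ANY, QUARANTINE, frozenset({"any"}), "deny"),
    Rule("dmz-to-prod-web-app", DMZ, PROD, frozenset({"web-app"}), "allow"),
    Rule("prod-to-pci-ms-sql", PROD, PCI, frozenset({"ms-sql"}), "allow"),
]


def decide(inv: Inventory, src: str, dst: str, app: str) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched is denied."""
    for r in POLICY:
        if (src in r.src.members(inv) and dst in r.dst.members(inv)
                and ("any" in r.apps or app in r.apps)):
            return r.name, r.action
    return "default", "deny"


def scenario() -> Dict[str, Tuple[str, str]]:
    """Scale-out and quarantine, with POLICY untouched throughout."""
    inv = Inventory()
    inv.add_vm("web-prod-01", "DMZ")
    inv.add_vm("app-prod-01", "PROD")
    inv.add_vm("db-pci-01", "PCI")
    inv.add_vm("app-dev-01", "DEV")
    out: Dict[str, Tuple[str, str]] = {}
    out["web->app"] = decide(inv, "web-prod-01", "app-prod-01", "web-app")
    out["app->db"] = decide(inv, "app-prod-01", "db-pci-01", "ms-sql")
    out["dev->db"] = decide(inv, "app-dev-01", "db-pci-01", "ms-sql")
    out["web->db"] = decide(inv, "web-prod-01", "db-pci-01", "ms-sql")
    # Step 2 on the slide: NSX places a newly provisioned VM into the PROD group.
    inv.add_vm("app-prod-02", "PROD")
    out["web->new app"] = decide(inv, "web-prod-01", "app-prod-02", "web-app")
    # Quarantine workflow (page 26): the firewall tags the VM after seeing malware from it.
    inv.tag("app-prod-02", "quarantine")
    out["web->quarantined app"] = decide(inv, "web-prod-01", "app-prod-02", "web-app")
    out["quarantined app->db"] = decide(inv, "app-prod-02", "db-pci-01", "ms-sql")
    return out


if __name__ == "__main__":
    for name, (rule, action) in scenario().items():
        print(f"{name:24s} {action:5s} ({rule})")
```

The quarantine rules sit first so that a tagged VM is cut off in both directions regardless of what its other tags would have allowed; putting them last would leave the allow rules matching first. Note also that the two groups a VM can belong to are resolved at evaluation time, so the effect of a tag change is immediate, which is the property a weeks-long change process cannot provide.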

Page 28: VM-Monitoring for the Software Defined Data Center

Page 29: Scale In / Scale Out for Elastic Applications

Page 30: Traps: Advanced Endpoint Protection

Page 31: Traps Prevents Known & Unknown Threats from Compromising Endpoints

Targeted attack sequence: Conduct Reconnaissance → Compromise Endpoint (Exploit Software Vulnerabilities, Execute Malicious Programs) → Establish Control Channel → Pursue Objectives

Traps prevents both known and unknown exploits, including zero-day exploits.

Traps prevents both known and unknown malware from infecting endpoints.

[Figure labels: Online, Offline, On-Prem, Off-Prem]

Page 32: Key takeaways

PREVENTION IS POSSIBLE... with the right architecture.

• PRECISION CONTROL AND IT-LEVEL VISIBILITY: reduce attack surface, stop threats

• PLATFORM BREADTH AND INTEGRATION: disrupt the advanced attack lifecycle (feedback + automation); integrate with people, processes, and IT architectures

©2016, Palo Alto Networks

Page 33: Demo

[Diagram: demo topology]

Attacker: 192.168.217.130

Firewall: 192.168.217.21 (attacker side), 10.100.100.254 (server side)

Web: 10.100.100.90

App: 10.100.100.95

Page 34: Preventing Lateral Movement in Virtualization...Firewall IPS/IDS Anti-Malware Random open ports increase datacenter exposure 1) TCP port 88 for Kerberos Authentication 2) TCP 389 for