
A Practical Approach to Advanced Threat Detection and Prevention (presentation transcript)


Slide 1: A Practical Approach to Advanced Threat Detection and Prevention

Slide 2: Agenda
- The Palo Alto Networks approach to threat prevention
- Zero-day exploit detection with WildFire and PAN-OS 6.0
- The rise of mobile malware and attacks on virtualized infrastructure
- WildFire Appliance (WF-500) sizing and deployment
- 3rd-party integration with WildFire
- Passive DNS and DNS sinkholing


Slide 4: Advanced threat requires a solution, not point products

[Diagram: attack lifecycle from client exploit (EXE, Java, .LNK, DLL delivered over HTTP, SSL or DNS) to command/control (URL / C&C), annotated with failed attempts, successful spear-phishing, post-compromise activity, and the protections applied at each stage.]

1. Reduce the attack surface (high-risk applications; known viruses and exploits)
   - Whitelist applications or block high-risk apps
   - Block known viruses and exploits
   - Block commonly exploited file types
2. Detect the unknown
   - Analysis of all application traffic
   - SSL decryption
   - WildFire sandboxing of exploitive files
3. Create protections
   - Detection and blocking of C&C via:
     - Bad domains in DNS traffic
     - URLs (PAN-DB)
     - C&C signatures (anti-spyware)

Slide 5: Using application control against advanced threats

Slide 6: Example 1: Self-updating malware
- Repeated pattern of DNS, HTTP, and unknown traffic
- The unknown proved to be the most important traffic

Slide 7: A closer look at the unknown session…
Unknown traffic is frequently caused by malware using custom encryption, proprietary protocols, or file transfers over raw sockets, none of which match a known application signature.

Slide 8: Example 2: Data exfiltration over DNS
- Unknown traffic traversing the DNS port
- HTTP using registered/ephemeral ports

Slide 9: Well, Wireshark thinks it's DNS, so…
It is essential to control by application rather than by port: a port-based rule sees UDP/53 and lets the session through, and only classifying the session by what the traffic actually does separates tunneled data from real DNS.

Slide 10: Other examples of DNS tunneling
- tcp-over-dns
- dns2tcp
- Iodine
- Heyoka
- OzymanDNS
- NSTX
These tools take advantage of recursive queries to pass encapsulated TCP messages to and from a remote DNS server: the client encodes upstream data in the labels of a query for a name under an attacker-controlled zone, the local resolver recurses it to the attacker's authoritative server, and downstream data comes back in the answer records (typically TXT, NULL or CNAME).
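The following is an added example, not part of the original deck or of any Palo Alto Networks code, showing how the behaviour described above can be spotted in a plain DNS query log even when the firewall has already classified the session as "dns". It scores each registered domain on four signals a tunnel leaves behind: many unique query names, high character entropy in the leftmost label, long query names, and a high share of record types the tools above use (TXT, NULL, CNAME, KEY). The log format, the client addresses, the domains and the thresholds are all assumptions for the example; the sample log lines are constructed.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log (not from the original deck):
# "<time> <client-ip> <qtype> <qname>". One domain carries iodine/dns2tcp-style
# encoded labels; cdn-provider.net is a benign high-volume decoy.
SAMPLE_QUERIES = """\
09:00:01 10.1.1.23 A www.example.com
09:00:02 10.1.1.23 A cdn.example.com
09:00:02 10.1.1.23 AAAA mail.example.com
09:00:03 10.1.1.23 MX example.com
09:00:04 10.1.1.45 A static1.cdn-provider.net
09:00:04 10.1.1.45 A static2.cdn-provider.net
09:00:05 10.1.1.45 A static3.cdn-provider.net
09:00:05 10.1.1.45 A static4.cdn-provider.net
09:00:06 10.1.1.45 A static5.cdn-provider.net
09:00:07 10.1.1.77 TXT 3q2k7d9x1m5p8h4n6v2c9b0z.t.evil-example.net
09:00:07 10.1.1.77 TXT kq9v3n2m8x5c1h7d4p6z0b2j.t.evil-example.net
09:00:08 10.1.1.77 NULL zp4m8n1v6c3x9q2k7d5h0b8t.t.evil-example.net
09:00:08 10.1.1.77 TXT 7h3d9k1p5m2x8c4v6n0z3q1b.t.evil-example.net
09:00:09 10.1.1.77 A b5n8z2q7x1k4m9c3v6d0p2h8.t.evil-example.net
09:00:09 10.1.1.77 TXT m2c6x9n3z7k1q5b8v4d0h2p7.t.evil-example.net
"""

# Record types the tunneling tools on the slide use to carry downstream data.
TUNNEL_RRTYPES = {"TXT", "NULL", "CNAME", "KEY"}

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s):
    """Bits per character; about 4.4 for a 24-char label of mostly distinct symbols."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, client, qtype, qname = m.groups()
            records.append({"ts": ts, "client": client, "qtype": qtype.upper(),
                            "qname": qname.rstrip(".").lower()})
    return records


def registered_domain(qname):
    # Assumption: the last two labels approximate the registrable domain.
    # Production code should consult the Public Suffix List (co.uk etc.).
    return ".".join(qname.split(".")[-2:])


def score_domains(records):
    by_domain = defaultdict(list)
    for r in records:
        by_domain[registered_domain(r["qname"])].append(r)
    results = {}
    for domain, recs in by_domain.items():
        leftmost = [r["qname"].split(".")[0] for r in recs]
        uniq = len({r["qname"] for r in recs})
        mean_len = sum(len(r["qname"]) for r in recs) / len(recs)
        mean_ent = sum(shannon_entropy(l) for l in leftmost) / len(leftmost)
        rr_frac = sum(r["qtype"] in TUNNEL_RRTYPES for r in recs) / len(recs)
        signals = {  # thresholds are example assumptions, tune on real traffic
            "many_unique_names": uniq >= 4,
            "random_labels": mean_ent >= 3.0,
            "long_names": mean_len >= 30,
            "tunnel_rrtypes": rr_frac >= 0.3,
        }
        results[domain] = {"points": sum(signals.values()), "signals": signals,
                           "unique": uniq, "mean_len": round(mean_len, 1),
                           "mean_entropy": round(mean_ent, 2)}
    return results


def find_tunnels(text, threshold=3):
    """Domains scoring at least `threshold` of the four signals."""
    scored = score_domains(parse_log(text))
    return sorted(d for d, m in scored.items() if m["points"] >= threshold)


if __name__ == "__main__":
    for domain, m in sorted(score_domains(parse_log(SAMPLE_QUERIES)).items()):
        print(f"{domain:22} points={m['points']} unique={m['unique']} "
              f"mean_len={m['mean_len']} entropy={m['mean_entropy']}")
    print("suspected tunnels:", find_tunnels(SAMPLE_QUERIES))   # ['evil-example.net']
```

The decoy cdn-provider.net shows why a single signal is not enough: it has five unique names (volume alone), but its labels are low-entropy, short, and all A queries, so it scores one point while the tunnel domain scores four.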

Slide 11: What's new in WildFire

Slide 12: What's new in WildFire (continued)
- Support for additional file types and zero-day exploit detection
- Support for multi-OS analysis
- Reporting improvements: PAN-OS embedded reports; report incorrect verdict; manual malware submission (WF-500)
- Static analysis: mutexes, services, registry key values, etc.
Coverage shown: 0-day Windows malware, 0-day exploits, 0-day Android malware

Slide 13: WildFire subscription in PAN-OS 6.0
* APK analysis and the WildFire API are not yet available on the WF-500.

Slide 14: Malware discovered by WildFire per week (chart)
- PDF/Office/Java are lower in numbers compared to EXE, but when they hit, it is bad news
- EXE is extremely high in count due to the lower barrier to entry and the ease of use of packers
- PDF/Office are commonly used in targeted spear-phishing emails
- Java is commonly used in drive-by download exploits

Slide 15: The emerging mobile malware landscape

Slide 16: The mobile malware problem
Soft target:
- Many vulnerabilities on older versions of Android ("Beware of employees' cheap Android phones", NW 2/21/14)
- Users are 3 times more likely to succumb to phishing attacks on their phones than on desktop computers (Aberdeen Group)
- 90% of respondents would not open a suspicious file on a PC, whereas only 60% of tablet and 56% of smartphone users would exercise the same caution (Symantec study)
Powerful platform:
- Data on the handset is at risk, but so is the rest of the corporate network
- Mobile devices are PCs on the network: any attack launched from a compromised PC can theoretically be launched from an Android device

Slide 17: Mobile malware in use by APT
First known use of APK attachments in APT spear-phishing emails: sent on March 24th, 2013 by Chinese actor groups to Uyghur activists.

Slide 18: Click the app and…
This is what you see (the decoy app), while this is stolen:
- Contacts (stored both on the phone and on the SIM card)
- Call logs
- SMS messages
- Geo-location
- Phone data (phone number, OS version, phone model, SDK version)

Slide 19: Attacker's C2 server
[Screenshots: web-based C2 control panel; remote desktop]

Slide 20: Why focus on APK?
Nearly 100% of all new mobile malware targets Android. Contributing factors:
- Large global market share
- Slow rate of OS updates on existing platforms
- Very easy to run arbitrary software on Android (no jailbreak required)
- Many Android app stores with little-to-no quality control
Source: (3/24/2014)

Slide 21: Current popular mobile malware techniques
Coaxing the download:
- Mobile malware attached to spear-phishing emails to lure an installation
- Masquerading as popular apps (sometimes as free versions of non-free software)
Abusing user ignorance:
- Mobile malware asks for many permissions, knowing the user will quickly click through (similar to the SSL certificate-warning click-through problem)
- Mobile malware asks for the ability to install additional applications, which is equivalent to giving near-total permission to the malware
Causing mayhem:
- Data theft (contacts, email, data)
- Espionage (audio/video recording, location)
- Financial fraud (banking credential theft, SMS scams)

Slide 22: Detect mobile malware on the network and the endpoint
The Palo Alto Networks solution offers three opportunities to detect mobile malware:
- Antivirus APK signatures detect the download of known Android malware over the network (GlobalProtect Gateway)
- WildFire detects the download of unknown Android malware over the network (unknown APK uploaded to WildFire)
- GlobalProtect MSM detects the presence of known malware already on the device
[Diagram: GlobalProtect MSM (detect presence of known malware on the endpoint); GlobalProtect Gateway (detect download of known malware); WildFire content (detect download of unknown malware)]

Slide 23: WildFire Appliance (WF-500)
- Enables a private cloud deployment of WildFire
- Preferred choice for sensitive networks where files cannot leave the local network for dynamic analysis
- Architecturally equivalent to the public cloud deployment
[Diagram: "APT add-on" approach (separate web sandbox, file-share sandbox, central manager, manual analysis) versus the WildFire approach (firewalls feeding one WildFire cloud or appliance)]

Slide 24: WF-500 sizing
- The WildFire Appliance (WF-500) is sized to meet the analysis demands of large networks
- Firewalls analyze millions of sessions; the WF-500 statically prescreens most files; the remainder are dynamically analyzed
- Tip for accurate sizing prediction: use the file blocking profile to count file transfers by type before deploying
- All executables, Java, and APK files are sandboxed
- PDF and Office documents are pre-screened using static analysis; about 10-20% make it to dynamic analysis
[Funnel diagram: millions of sessions carrying file transfers (ingress traffic) -> unknown files sent to WildFire -> hundreds requiring dynamic analysis; known malware blocked]

Slide 25: Threats facing virtualized environments

Slide 26: New: Passive DNS monitoring
- Passive DNS sensors collect the non-recursive (upstream) DNS queries performed by the local DNS server
- Anonymous (no client IPs)
- Low data rate (usually up to 1 MB per minute at most)
- Builds a large database of domain resolution history, including all resource record types (A, AAAA, MX, NS, TXT, etc.)
- Malicious domains can be predicted from a variety of signals:
  - NX->A or A->NX transitions (a name that returned NXDOMAIN and then starts resolving, or one that resolved and then goes NXDOMAIN)
  - Shared known-bad IP
  - Shared known-bad NS
  - Name heuristics such as character randomness, "domain within a domain", etc.
- Malicious domains are added daily to the DNS signature set in the Anti-Spyware profile
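As an added example (not from the deck and not Palo Alto Networks code), here is how the resolution-history signals listed above can be derived from a small passive DNS store: the NX->A and A->NX transitions, resolution to a known-bad IP, delegation to a known-bad NS, and the "domain within a domain" heuristic (a brand's full domain appearing as inner labels of an unrelated name). The record format, the sample sensor records, and the known-bad IP/NS and brand lists are constructed assumptions; the character-randomness heuristic is left out here.

```python
from collections import defaultdict

# Constructed passive DNS sensor records (not from the original deck).
# Format: "<timestamp> <name> <rrtype> <rdata>"; an NXDOMAIN answer is
# recorded with rdata "NXDOMAIN". There are no client IPs, matching the
# slide's "anonymous" property: the sensor sees only upstream lookups.
SAMPLE_PDNS = """\
2014-03-01T00:00:00 fresh-update-cdn.info A NXDOMAIN
2014-03-02T00:00:00 fresh-update-cdn.info A 198.51.100.77
2014-03-02T00:00:00 fresh-update-cdn.info NS ns1.bulletproof-host.example
2014-03-02T00:00:01 paypal.com.account-verify.biz A 203.0.113.10
2014-03-03T00:00:00 www.example.com A 93.184.216.34
2014-03-03T00:00:00 www.example.com NS a.iana-servers.net
2014-03-03T00:00:05 www.paypal.com A 203.0.113.5
2014-03-04T00:00:00 old-campaign.net A 198.51.100.77
2014-03-05T00:00:00 old-campaign.net A NXDOMAIN
"""

# Assumed threat intelligence; in the product this comes from vendor feeds.
KNOWN_BAD_IPS = {"198.51.100.77"}
KNOWN_BAD_NS = {"ns1.bulletproof-host.example"}
BRAND_DOMAINS = {"paypal.com", "example-bank.com"}


def parse_pdns(text):
    """Group records by name, each as a time-ordered list of (ts, rrtype, rdata)."""
    history = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, name, rrtype, rdata = parts
        history[name.lower().rstrip(".")].append((ts, rrtype.upper(), rdata.lower()))
    for recs in history.values():
        recs.sort()  # ISO timestamps sort lexically
    return history


def domain_within_domain(name):
    """True when a brand domain appears as an inner label sequence, e.g.
    paypal.com.account-verify.biz; www.paypal.com is the brand's own name."""
    labels = name.split(".")
    for i in range(len(labels)):
        for j in range(i + 2, len(labels)):   # j < len: brand must not be the suffix
            if ".".join(labels[i:j]) in BRAND_DOMAINS:
                return True
    return False


def signals_for(name, recs):
    signals = set()
    seen_nx = seen_addr = False
    for _, rrtype, rdata in recs:
        if rrtype == "A":
            if rdata == "nxdomain":
                if seen_addr:
                    signals.add("a_then_nx")      # burnt or taken-down domain
                seen_nx = True
            else:
                if seen_nx:
                    signals.add("nx_then_a")      # freshly activated domain
                seen_addr = True
                if rdata in KNOWN_BAD_IPS:
                    signals.add("shared_bad_ip")
        elif rrtype == "NS" and rdata in KNOWN_BAD_NS:
            signals.add("shared_bad_ns")
    if domain_within_domain(name):
        signals.add("domain_within_domain")
    return sorted(signals)


def predict_malicious(text):
    """Map each name with at least one signal to its sorted signal list."""
    result = {}
    for name, recs in parse_pdns(text).items():
        sig = signals_for(name, recs)
        if sig:
            result[name] = sig
    return result


if __name__ == "__main__":
    for name, sig in sorted(predict_malicious(SAMPLE_PDNS).items()):
        print(f"{name:32} {', '.join(sig)}")
```

In the product these predictions feed the daily DNS signature update; here the output is simply the list of names and the reasons they were flagged, so an analyst can see why www.paypal.com is clean while paypal.com.account-verify.biz is not.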

Slide 27: Configuring Passive DNS
Passive DNS is enabled via the Anti-Spyware profile: [screenshot]

Slide 28: New: Local DNS sinkholing
- Discover and confirm compromised hosts via DNS
- Trace back to the actual machine without client DNS visibility: the firewall normally sees the malicious query coming from the local DNS server, not from the client behind it
- Safely block malicious DNS queries and redirect them to a sinkhole address for intel collection; the host that then connects to the sinkhole is the compromised one
[Diagram: compromised host asks the local DNS server "Where is <malicious C2 domain>?"; the firewall answers with the sinkhole address, so the host's command-and-control traffic (dashed line) goes to the sinkhole instead of the attacker's server.]
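The following added example (not from the deck and not Palo Alto Networks code) shows the mechanism at the protocol level: a minimal DNS responder that, for an A query matching a sinkholed domain, forges a NOERROR answer pointing at an internal sinkhole address and leaves every other query alone. The sinkhole address, the sinkholed domain names, the transaction ID and the bind port are assumptions for the example. It also includes a tiny response parser so the forged packet can be checked.

```python
import socket
import struct

# Assumed values: an internal, otherwise unused address that the firewall
# hands back, and the domains to sinkhole (example-only names).
SINKHOLE_IP = "10.0.0.250"
BAD_DOMAINS = {"evil-c2.example.net", "update-check.example.org"}

QTYPE_A = 1


def parse_qname(buf, offset):
    """Read an uncompressed DNS name at offset; return (name, next_offset)."""
    labels = []
    while True:
        length = buf[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), offset


def build_query(qname, qtype=QTYPE_A, txid=0x1234):
    """Standard recursion-desired query, as the local DNS server or client sends it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)


def is_sinkholed(qname, bad_domains):
    return any(qname == d or qname.endswith("." + d) for d in bad_domains)


def sinkhole_response(query, sinkhole_ip=SINKHOLE_IP, bad_domains=BAD_DOMAINS, ttl=60):
    """Return a forged A answer for a sinkholed name, else None (let it through)."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    if flags & 0x8000 or qdcount != 1:
        return None                          # a response, or not a simple query
    qname, end = parse_qname(query, 12)
    qtype, _ = struct.unpack("!HH", query[end:end + 4])
    if qtype != QTYPE_A or not is_sinkholed(qname, bad_domains):
        return None
    # Flags 0x8180: QR=1, opcode 0, RD=1, RA=1, RCODE NOERROR; question copied verbatim.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = query[12:end + 4]
    # Answer: name pointer to offset 12 (the question name), type A, class IN, 4-byte rdata.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, ttl, 4) + socket.inet_aton(sinkhole_ip)
    return header + question + answer


def answer_ips(resp):
    """Extract A-record addresses from a response (used to verify the forgery)."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qdcount):
        _, off = parse_qname(resp, off)
        off += 4                             # skip qtype + qclass
    ips = []
    for _ in range(ancount):
        if resp[off] & 0xC0 == 0xC0:
            off += 2                         # compressed name
        else:
            _, off = parse_qname(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return ips


def serve(bind_addr="127.0.0.1", port=5353):
    """Minimal UDP sinkhole: answers listed names and drops everything else.
    A real deployment forwards non-matching queries upstream instead of dropping them."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            resp = sinkhole_response(data)
        except (ValueError, struct.error, IndexError):
            continue                         # malformed packet, ignore
        if resp:
            sock.sendto(resp, peer)


if __name__ == "__main__":
    q = build_query("evil-c2.example.net")
    print(answer_ips(sinkhole_response(q)))                   # ['10.0.0.250']
    print(sinkhole_response(build_query("www.example.com")))  # None
```

Because the forged answer carries an internal address, the infected host's next step is a TCP connection from its own IP to 10.0.0.250, which shows up in the traffic log with the real client as the source even though the DNS query itself appeared to come from the resolver. AAAA queries would need the same treatment with a 16-byte rdata and a second sinkhole address.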

Slide 29: Integrating network and host indicators

Slide 30: How it works (WildFire and Bit9 integration)
- Samples are submitted to WildFire; WildFire logs flow to the Bit9 Central Manager via the device management API; WildFire forensics are retrieved via the WildFire API
- Clients running Bit9 agents: interrogations using host-based indicators of compromise; whitelisting/blacklisting by file hash

Slide 31: Splunk App for Palo Alto Networks [screenshot]

Slide 32: Integrating network and host indicators (summary)

