Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Practical Approach to Advanced Threat Detection and Prevention

Similar presentations

Presentation on theme: "A Practical Approach to Advanced Threat Detection and Prevention"— Presentation transcript:

1 A Practical Approach to Advanced Threat Detection and Prevention

2 Agenda The Palo Alto Networks approach to threat prevention
Zero-day exploit detection with WildFire and PAN-OS 6.0 The rise of mobile malware and attacks on virtualized infrastructure WildFire Appliance (WF-500) sizing and deployment 3rd party integration with WildFire Passive DNS and DNS sinkholing


4 Advanced threat requires a solution, not point products
Protections Reduce the attack surface Detect the unknown Create protections 1 2 3 Whitelist applications or block high-risk apps Block known viruses, exploits Block commonly exploited file types Analysis of all application traffic SSL decryption WildFire sandboxing of exploitive files Detection and blocking of C&C via: Bad domains in DNS traffic URLs (PAN-DB) C&C signatures (anti-spyware) Known viruses and exploits Client Exploit Command/Control EXE, Java, .LNK, DLL DNS HTTP High-risk applications SSL URL / C&C Failed attempts Successful spear-phishing Post-compromise activity

5 Using application control against advanced threats

6 Example 1: Self-updating malware
Repeated pattern of DNS, HTTP, and unknown traffic The unknown proved to be the most important traffic

7 A closer look at the unknown session…
Unknown traffic is frequently caused by malware using custom encryption, proprietary protocols or file transfers over raw sockets

8 Example 2: Data exfiltration over DNS
Unknown traffic traversing the DNS port HTTP using registered/ephemeral ports

9 Well, Wireshark thinks it’s DNS, so…
It is essential to control by application, rather than by port

10 Other examples of DNS tunneling
tcp-over-dns dns2tcp Iodine Heyoka OzymanDNS NSTX Takes advantage of recursive queries to pass encapsulated TCP messages to/from a remote DNS server

11 What’s new in WildFire™

12 What’s new in WildFire Support for additional file types and zero-day exploit detection Support for multi-OS analysis Reporting improvements 0-day Windows malware 0-day exploits 0-day Android malware PAN-OS embedded reports Report incorrect verdict Manual malware submission (WF-500) Static analysis, mutexes, services, register key values, etc.

13 WildFire Subscription in PAN-OS 6.0
WildFire analysis of PE analysis Daily signature feed (TP subscription required) WildFire logs integrated within PAN-OS WildFire analysis of all other file types (PDF, Office, APK*, Java) 30-min signature feed WildFire API* key Use of WF-500 *APK analysis and WildFire API not yet available on WF-500

14 Malware discovered by WildFire per week
PDF/Office/Java are lower in numbers compared to EXE, but when they hit, it is bad news! EXE extremely high in count due to lower barrier to entry and ease of use of packers PDF/Office commonly used in targeted spear-phishing s Java commonly used in drive-by download exploits File type Malware/wk EXE/DLL 221,000 APK 300 Office 110 Java 50 PDF

15 The emerging mobile malware landscape

16 The mobile malware problem
Soft target Many vulnerabilities on older versions of Android (“Beware of employees’ cheap Android phones”, NW 2/21/14) “Users are 3 times more likely to succumb to phishing attacks on their phones than desktop computes” (Aberdeen Group), and “90% of respondents would not open a suspicious file on a PC, whereas only 60% of tablet and 56% of smartphone users would exercise the same caution” (Symantec study) Powerful platform Data on handset at risk, but so is the rest of the corporate network Mobile devices are PCs on the network – any attack launched from a compromised PC can theoretically be launched from an Android

17 Mobile malware in use by APT
First known use of APK attachments in APT spear-phishing s from Chinese actor groups sent March 24th 2013 to Uyghur activists

18 Click the app and… This is what you see… While this is stolen… Contacts (stored both on the phone and the SIM card) Call logs SMS messages Geo-location Phone data (phone number, OS version, phone model, SDK version)

19 Web-based C2 Control Panel
Attacker’s C2 server Web-based C2 Control Panel Remote Desktop

20 Why focus on APK? Nearly 100% of all new mobile malware targets Android Contributing factors: Large global market share Slow rate of OS updates on existing platforms Very easy to run arbitrary software on Android (no jailbreak required) Many Android app stores with little-to-no quality control Source: (3/24/2014)

21 Current popular mobile malware techniques
Coaxing the download Mobile malware attached to spear-phishing s to lure an installation Masquerading as popular apps (sometimes as “free” versions of non-free software) Abusing user ignorance Mobile malware asks for many permissions, knowing user will quickly click-through (similar to SSL click-through problem) Mobile malware asks for the ability to install additional applications, which is equivalent to giving near-total permission to the malware Causing mayhem Data theft (contacts, , data) Espionage (audio/video recording, location) Financial fraud (banking credential theft, SMS scams)

22 Detect mobile malware on the network and the endpoint
Palo Alto Networks solution offers three opportunities to detect mobile malware Antivirus APK signatures detects the download of known Android malware over the network WildFire detects the download of unknown Android malware over the network GlobalProtect MSM detects presence of known malware already on the device GlobalProtect MSM GlobalProtect Gateway Detect download of known malware Detect presence of known malware on endpoint WildFire TM Content Unknown APK upload to WildFire Detect download of unknown malware Collecting over 11,000 APKs a week Finding over 300 malicious APKs a week Now have more than 350,000 APK malware samples collected to date

23 WildFire Appliance (WF-500)
Enables a private cloud deployment of WildFire Preferred choice for sensitive networks where files cannot leave the local network for dynamic analysis Architecturally equivalent to public cloud deployment APT Add-on Approach WildFire Approach Web Sandbox WildFire TM WildFire cloud or appliance Sandbox File share Sandbox Manual analysis Central manager

24 WF-500 Sizing WildFire Appliance (WF-500) is sized to meet analysis demands of large networks Firewalls analyze millions of sessions WF-500 statically prescreens most files Remainder of files are dynamically analyzed Tip for accurate sizing prediction – use the file blocking profile All executables, Java, and APK files are sandboxed PDF and Office documents are “pre-screened” using static analysis About 10-20% make it to dynamic analysis Ingress traffic All sessions carrying file transfers Millions  Known malware blocked Unknown files sent to WildFire Hundreds  Requires dynamic analysis

25 Threats facing virtualized environments

26 New Passive DNS Monitoring
Passive DNS sensors collect non-recursive DNS queries performed by local DNS Anonymous (no client IPs) Low data rate (usually up to 1 MB per minute at most) Builds large database of domain resolution history, including all resource record types (A, AAAA, MX, NS, TXT, etc) Malicious domains can be “predicted” based on variety of signals: NX  A or A  NX Shared known bad IP Shared known bad NS Name heuristics such as character randomness, domain within a domain, etc. Malicious domains added daily to DNS signature set in Anti-spyware profile

27 Configuring Passive DNS
Passive DNS is enabled via the anti-spyware profile:

28 New local DNS sinkholing
Discover and confirm compromised hosts via DNS Trace back to the actual machine without client DNS visibility Safely block malicious DNS queries and redirect to sinkhole for intel collection Where is Compromised host Malicious DNS / C2 Local DNS = Sinkhole Command-and-control traffic

29 Integrating network and host indicators
Integration between network-based and host-based sensors is key

30 Clients running agents
How it works Clients running agents WildFire forensics (via WildFire API) WildFire TM Samples 4 1 WildFire logs WildFire logs (via device mgmt API) 2 3 Bit9 or Mandiant central manager queries our firewall for WildFire logs. They use the logs to generate WildFire API queries to pull down the full forensics reports for the malware. They use this forensics data to generate queries to perform on their agents running on the endpoints to confirm compromise based on file hashes on disk, registry activity, process names, etc. Bit9 Central Manager 5 Interrogations using host-based indicators of compromise Whitelist/blacklisting by file hash

31 Splunk App for Palo Alto Networks

32 Integrating network and host indicators
We focus on bridging our zero-day malware detection in the network (WildFire) with a next-gen endpoint presence, such as Bit9 and Mandiant.


Download ppt "A Practical Approach to Advanced Threat Detection and Prevention"

Similar presentations

Ads by Google