Breaking the Lifecycle of the Modern Threat
Santiago Polo, Sr. Systems Engineer, Palo Alto Networks, Inc.
About Palo Alto Networks
- Palo Alto Networks is the Network Security Company
- World-class team with strong security and networking experience
  - Founded in 2005, first customer July 2007
  - Top-tier investors
- Builds next-generation firewalls that identify / control 1400+ applications
  - Restores the firewall as the core of the enterprise network security infrastructure
  - Innovations: App-ID™, User-ID™, Content-ID™
- Global footprint: 6,000+ customers in 70+ countries, 24/7 support
What Has Changed / What Is the Same
- The attacker changed
  - Nation-states
  - Criminal organizations
  - Political groups
- Attack strategy evolved
  - Patient, multi-step process
  - Compromise a user, then expand
- Attack techniques evolved
  - New ways of delivering malware
  - Hiding malware communications
  - Signature avoidance
- The sky is not falling
  - Not new, just more common
  - Solutions exist
  - Don't fall into the "the APT ate my homework" trap
Strategy: Patient Multi-Step Intrusions
[Diagram: organized attackers against the enterprise, in stages: Infection -> Command and Control -> Escalation -> Exfiltration]
Challenges to Traditional Security
- Threats coordinate multiple techniques, while security is segmented into silos
  - Exploits, malware, spyware and obfuscation are all parts of one patient, multi-step intrusion
- Threats take advantage of security blind spots to keep from being seen
  - Patient attacks must repeatedly cross the perimeter without being detected
- Targeted and custom malware can bypass traditional signatures
  - The leading edge of an attack is increasingly malware that has never been seen before
Visibility
- Visibility is fundamental
  - You can't stop what you can't see
  - Virtually all threats other than DoS depend on avoiding security
- Full-stack inspection of all traffic
  - All traffic, on all ports, all the time
  - Progressive decoding of traffic to find hidden, tunneled streams
  - Contextual decryption of SSL
- Control the applications that hide traffic
  - Limit traffic to approved proxies and remote desktop applications
  - Block bad applications such as encrypted tunnels and circumventors
Block the Applications That Hide Traffic
- Block unneeded and high-risk applications
  - Block (or limit) peer-to-peer applications
  - Block unneeded applications that can tunnel other applications
  - Review the need for applications known to be used by malware
  - Block anonymizers such as Tor
  - Block encrypted tunnel applications such as UltraSurf
  - Limit use to approved proxies
  - Limit use of remote desktop
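The two slides above argue for classifying traffic by what it actually carries rather than by destination port, and then allowing only approved applications. The script below is an added example, not code from the slides or from Palo Alto Networks: a toy content-based classifier that reads the first client-to-server bytes of a flow, names the application (SSH, TLS, HTTP, SOCKS5 or unknown), reports port/application mismatches such as SSH hiding on 443, and applies a positive-enforcement policy. The flows, the ALLOWED set and the PORT_EXPECTATION table are constructed assumptions for the demo; the handful of byte signatures is illustrative, not production detection.

```python
"""Port-agnostic application identification over the first bytes of a flow.

Added example (not from the slides or from Palo Alto Networks). Looks at what
the client sends instead of trusting the destination port, flags mismatches,
and blocks everything that is not an approved application. All flows below
are constructed sample data using documentation addresses.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first client-to-server bytes of the connection


# What a port-based control would assume the traffic is (assumed mapping).
PORT_EXPECTATION = {22: "ssh", 80: "http", 443: "tls", 1080: "socks5"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ")


def identify(payload: bytes) -> str:
    """Name the application from the opening client bytes, ignoring the port."""
    if payload.startswith(b"SSH-"):                   # RFC 4253 identification string
        return "ssh"
    if (len(payload) >= 6 and payload[0] == 0x16      # TLS record type: handshake
            and payload[1] == 0x03                    # SSL 3.0 / TLS major version
            and payload[5] == 0x01):                  # HandshakeType: ClientHello
        return "tls"
    if payload.startswith(HTTP_METHODS):
        return "http"
    if (len(payload) >= 3 and payload[0] == 0x05      # SOCKS5 greeting: VER=5,
            and len(payload) == 2 + payload[1]):      # NMETHODS, METHODS[]
        return "socks5"
    return "unknown"


def evaluate(flow: Flow, allowed: frozenset) -> dict:
    """Classify one flow and decide allow/block by application, not by port."""
    app = identify(flow.payload)
    expected = PORT_EXPECTATION.get(flow.dport)
    mismatch = expected is not None and app != expected
    # Positive enforcement: only explicitly approved applications pass.
    # Unknown traffic and tunnel/proxy protocols are blocked on every port.
    action = "allow" if app in allowed else "block"
    return {"src": flow.src, "dst": flow.dst, "dport": flow.dport,
            "app": app, "port_mismatch": mismatch, "action": action}


# Constructed sample flows (documentation addresses, not real hosts).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 80,
         b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),        # plain web
    Flow("10.0.0.5", "203.0.113.11", 443,
         b"SSH-2.0-OpenSSH_8.9\r\n"),                             # SSH hiding on 443
    Flow("10.0.0.6", "203.0.113.12", 80,
         b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + b"\x00" * 32),  # TLS on 80
    Flow("10.0.0.7", "203.0.113.13", 443,
         b"\x05\x01\x00"),                                        # SOCKS5 proxy on 443
    Flow("10.0.0.8", "203.0.113.14", 8080,
         b"\x00\x01\x02\x03opaque"),                              # unrecognised protocol
]

# Approved application set for this demo (assumption).
ALLOWED = frozenset({"http", "tls"})


def run(flows=SAMPLE_FLOWS, allowed=ALLOWED) -> list:
    return [evaluate(f, allowed) for f in flows]


if __name__ == "__main__":
    for v in run():
        flag = " PORT-MISMATCH" if v["port_mismatch"] else ""
        print(f'{v["src"]} -> {v["dst"]}:{v["dport"]} app={v["app"]} '
              f'action={v["action"]}{flag}')
```

Two caveats that the slides' own points imply: allowing "tls" on any port still lets anything carried inside TLS through, which is why full-stack inspection is paired with contextual SSL decryption; and a classifier that only reads the first packet must keep decoding the stream, since a tunnel can be opened inside an otherwise legitimate session (the "progressive decoding" bullet).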
Control Known Threats
- Modern attacks are patient and use multiple techniques; threats are more than exploits:
  - Malware
  - Dangerous URLs
  - Spyware
  - Command and control traffic
  - Circumvention techniques
- Context is key
  - Clear visibility into all URLs, users, applications and files connected to a particular threat
The Malware Window of Opportunity
[Timeline: the exposure window is the sum of three delays]
- Time required to capture the first sample of the malware in the wild
- Time required to create and verify a malware signature
- Time before antivirus definitions are updated on endpoints
- Total time exposed: days and weeks until users are protected by traditional signatures
Case Study - Enterprise Phishing
- Shipping and security are common topics for enterprise phishing
  - Fake DHL, USPS, UPS and FedEx delivery messages
  - Fake CERT notifications
- Ongoing phishing operations
  - Large volumes of malware, commonly in the top 3 of daily unknown malware seen in enterprises
  - Correlate new malware talking back to the same malware servers
  - Refreshed daily to avoid traditional AV signatures
- Observed lure names: USPS Report; DHL-international-shipping-ID; DHL-international-shipping-notification; DHL-Express-Notification-JAN; United-Parcel-Service-Invoice; US-CERT Operations Center Report; USPS-Failed-Delivery_Notification
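The correlation step in the case study (new, never-seen binaries tied together because they call back to the same servers) is the part that does not depend on a signature existing yet. The script below is an added example, not WildFire or any Palo Alto Networks code: it takes sandbox observations of fresh samples (hash, lure filename, day seen, servers contacted after detonation), clusters samples by shared callback infrastructure with a small union-find, summarises each cluster as a campaign, and triages a brand-new hash by its infrastructure rather than its content. All observations are constructed sample data; "h1".."h7" stand in for SHA-256 values, and the addresses and hostnames are reserved documentation values.

```python
"""Correlating freshly seen malware samples by shared callback infrastructure.

Added example (not from the slides, not WildFire or Palo Alto Networks code).
Samples that talk back to the same servers are grouped into one campaign so a
daily-refreshed binary is recognised even though its hash is new. All
observations are constructed sample data with placeholder hashes.
"""
from collections import defaultdict
import re

# Lure themes the slides call out: shipping carriers and CERT notices.
LURE_THEME = re.compile(r"\b(dhl|ups|usps|fedex|united-parcel|us-cert)\b", re.I)

# Constructed observations; "h1".."h6" stand in for SHA-256 values.
OBSERVATIONS = [
    {"sha256": "h1", "filename": "DHL-international-shipping-ID.exe",
     "day": "2012-01-09", "callbacks": ["198.51.100.7:8080"]},
    {"sha256": "h2", "filename": "DHL-Express-Notification-JAN.exe",
     "day": "2012-01-10", "callbacks": ["198.51.100.7:8080", "update.example.net:443"]},
    {"sha256": "h3", "filename": "USPS-Failed-Delivery_Notification.exe",
     "day": "2012-01-11", "callbacks": ["update.example.net:443"]},
    {"sha256": "h4", "filename": "United-Parcel-Service-Invoice.exe",
     "day": "2012-01-11", "callbacks": ["203.0.113.44:80"]},
    {"sha256": "h5", "filename": "US-CERT Operations Center Report.exe",
     "day": "2012-01-12", "callbacks": ["203.0.113.44:80"]},
    {"sha256": "h6", "filename": "setup_toolbar.exe",
     "day": "2012-01-12", "callbacks": ["198.51.100.200:80"]},
]


def cluster_by_callback(observations):
    """Union-find: samples sharing any callback server land in one cluster."""
    parent = {o["sha256"]: o["sha256"] for o in observations}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    first_sample_for = {}                   # server -> first sample that used it
    for o in observations:
        for server in o["callbacks"]:
            if server in first_sample_for:
                parent[find(o["sha256"])] = find(first_sample_for[server])
            else:
                first_sample_for[server] = o["sha256"]

    groups = defaultdict(list)
    for o in observations:
        groups[find(o["sha256"])].append(o)
    return list(groups.values())


def summarize(cluster):
    """Campaign context for one cluster: size, servers, day span, lure theme."""
    servers = sorted({s for o in cluster for s in o["callbacks"]})
    days = sorted(o["day"] for o in cluster)
    return {
        "samples": len(cluster),
        "servers": servers,
        "first_seen": days[0],
        "last_seen": days[-1],
        "filenames": sorted(o["filename"] for o in cluster),
        "lure_themed": all(LURE_THEME.search(o["filename"]) for o in cluster),
    }


def summarize_all(observations=OBSERVATIONS):
    """All campaigns, largest first."""
    return sorted((summarize(c) for c in cluster_by_callback(observations)),
                  key=lambda s: -s["samples"])


def triage(new_obs, observations=OBSERVATIONS):
    """Place a never-seen hash by its callbacks rather than by a signature."""
    for cluster in cluster_by_callback(observations):
        known = {s for o in cluster for s in o["callbacks"]}
        hit = known.intersection(new_obs["callbacks"])
        if hit:
            return {"verdict": "known-campaign", "matched_servers": sorted(hit),
                    "campaign": summarize(cluster)}
    return {"verdict": "no-infrastructure-match", "matched_servers": [], "campaign": None}


if __name__ == "__main__":
    for s in summarize_all():
        print(s["samples"], "samples", s["first_seen"], "->", s["last_seen"],
              s["servers"], "lure" if s["lure_themed"] else "other")
    fresh = {"sha256": "h7", "filename": "DHL-international-shipping-notification.exe",
             "day": "2012-01-13", "callbacks": ["198.51.100.7:8080"]}
    print(triage(fresh)["verdict"], triage(fresh)["matched_servers"])
```

The "known-campaign" verdict is actionable before any antivirus signature exists: the callback servers can be blocked as command-and-control destinations for every host, which is the point of closing the window of opportunity from the network rather than waiting on endpoint definitions. The lure-theme regex is a convenience for analysts, not a detection criterion; the clustering keys only on infrastructure reuse.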
Trusted Sources: CNET/Download.com
- Strong reputation for providing safe downloads of shareware and freeware that are verified to be malware-free
- In early December 2011, WildFire began identifying files from Download.com as containing spyware
  - CNET had begun providing software downloads in a wrapper that installed subtle spyware designed to track shopping habits
  - The wrapper also changed a variety of client and browser security settings