
Expose The Underground Advanced Persistent Threats


1 Expose The Underground Advanced Persistent Threats
Jeff Baker

2 The problem
- Today’s cyber attackers are utilizing an increasingly sophisticated set of evasion tactics
- Disjointed techniques rely on a “whack-a-mole” approach for detection and prevention, leaving enterprises prone to risk
- Volume of attacks is rapidly accelerating, applying strain on a limited population of security specialists
Speaker notes: Use this slide to set up the reason Palo Alto Networks has invested, and will continue to invest, in advanced threat protections such

3 What is an APT?
- Human entity
- Targeted
- Persistent

4 Modern Attacks are changing...
Target               Date            Motive
                     Nov 27, 2013    Financial
NY Times             Jan 31, 2013    State-sponsored
CIA                  Feb 10, 2012    Hacktivism
Symantec             Feb 8, 2012     Extortion
Zappos               Jan 15, 2012    Cybercrime
Danish Government    Aug 22, 2011    Government practices
Sony PSN             April 19, 2011
Epsilon              April 1, 2011
RSA                  March 17, 2011

Attackers: Nation-states; Organized Crime; Political groups
Easier IT Targets: New Vectors; Extended IT Access; Escalating Tactics
Concealment: Evasion Techniques; Polymorphic Attacks; High Analysis Volume

Speaker notes: We’ve seen a big change over the last year in who is behind modern attacks. Hacktivists, organized crime and even nation-states are behind many of the intrusions that are happening now, which leads to a qualitative difference in how the attackers operate. These groups have more time, resources and a higher level of motivation, which allows them to mount more complex, long-term operations against bigger targets. In short, this means any organization can be a target at any time.
Attackers changed – why does it matter? Because nation-states and organized crime know what to do with stolen property. Previously a hacker may have been able to break into a network, but what would they really do with RSA source code? The change in attackers has led to a change in targets. Often, they’re going after the most important data in an organization and they have a plan for how they will profit from it.
Finally, because of the change in targets, the attack strategy has changed as well. We’re seeing a wide array of tactics being used, from targeted malware and spyware to phishing attacks and social engineering, in addition to exploits. Often, organizations with a complex and extended IT environment are an easy target because there are multiple ways to breach their network (via internal users, extended business partners, mobile users). This requires a greater commitment to securing sensitive data.
Examples from AVR reports: compliance officer playing crossword puzzles, Xbox in the data center, RDP left wide open, unpatched servers.
“The biggest problem with that older technology, some say, is that it reacts to threats rather than anticipating them.” – Austin American-Statesman, Jan 19th, 2014

5 Why we’re all here
We all want the same thing: avoid making the headlines. Retail has been particularly targeted. The distributed nature of their business and the fact that they are one of the primary touch points for credit card data make them specifically vulnerable to cybercriminals.

6 Example: Modern Malware Attack
Slide diagram: 1 Targeted malicious email sent to user; 2 User clicks on link to a malicious website; 3 Malicious website exploits client-side vulnerability; 4 Drive-by download of malicious payload; 5 Steal / Control / Relay. Controls shown against the steps: URL Filtering, IPS, Signature Detection, Behavioral Analysis.
Speaker notes: The first opportunity is when the user clicks on a link to an unknown or malicious domain within the email. URL filtering enables administrators to block known malicious domains and control other high-risk domain categories. The second opportunity is when the malicious website attempts to exploit a client-side vulnerability in the web browser or helper application. Security policies with a vulnerability protection profile can inspect all traffic, regardless of port or protocol, for malicious traffic, and block these types of exploits. The next opportunity is at the time of file download, whether it be a drive-by download as in this scenario, or an intentional download via attachment, web download, or file sharing application. If the malware has never been seen before, this is where WildFire steps in. The file is executed in the virtual sandbox environment and analyzed for malicious activity. The administrator is immediately alerted, and the endpoint can be quickly identified and remediated. The final opportunity is when the whole cycle attempts to repeat. Except now, WildFire has automatically created a signature for the malware and included it within the malware signature database, and future downloads of the malware are blocked at the firewall. Modern malware is a network problem, not just a host problem, and Palo Alto Networks next-generation firewalls are uniquely positioned to counter the modern malware threat throughout its lifecycle.

7 Understanding the Cyber Attack Kill Chain
Slide diagram (phases: Infiltrate / Lateral Movement / Remove Data):
1 Bait the end-user: End-user lured to a dangerous application or website containing malicious content
2 Exploit: Infected content exploits the end-user, often without their knowledge
3 Download Backdoor: Secondary payload is downloaded in the background. Malware installed
4 Back Channel: Malware establishes an outbound connection to the attacker for ongoing control
5 Explore & Steal: Remote attacker has control inside the network and escalates the attack
Need to break it at different points in the chain! Best-of-breed, disparate solutions or integrated intelligence?
Speaker notes: Here is a classic example of a multi-staged advanced attack (which is really more a project or a campaign), each stage of which, on its own, would potentially not be detected in a siloed security architecture, and therefore the ‘attack’ could go undetected for a long time.

8 Goal: Break the Kill Chain at Every Possible Step (Automatically)
Slide diagram: kill chain steps 1 Bait the end-user, 2 Exploit, 3 Download, 4 Backdoor, 5 Command/Control, with the control that breaks each step:
- App-ID: Block high-risk apps; Block C2 on open ports
- URL: Block known malware sites; Block fast-flux, bad domains
- IPS: Block the exploit
- Spyware: Block spyware, C2 traffic
- AV: Block malware
- Files: Prevent drive-by-downloads
- Unknown Threats: Detect 0-day malware; Block new C2 traffic
Speaker notes: We bring multiple security disciplines into a single context / single threat prevention engine. See beyond individual security events and recognize the full extent of a threat. In a uniform context, you can see the interconnection of applications, exploits, malware, URLs, DNS queries, anomalous network behaviors and targeted malware. It is the unique value of our integrated solution that allows us to see this interconnection. This should be our main talking point to customers… and have them realize that their strategy should not be based on ‘best of breed products’ any longer.

9 When the world was simple
Slide diagram: Port 80 (www), Port 25 (email).
Stateful inspection addresses:
- Two applications: browsing and email
- With predictable application behavior
- In a basic threat environment

10 Challenge, More Security = Poor Performance
Traditional Security:
- Each security box, blade, or software module robs the network of performance
- Threat prevention technologies are often the worst offenders
- Leads to the classic friction between network and security
Chart: Network Performance against Increased Complexity/Cost, falling from Best Case Performance as Firewall, IPS and Anti-Malware are added. (Presenter note: Kelvin/Chris)

11 Technology sprawl and creep aren’t the answer
- “More stuff” doesn’t solve the problem
- Firewall “helpers” have limited view of traffic
- Complex and costly to buy and maintain
- Doesn’t address applications and new cyber threats
Diagram: Internet, APT, Enterprise Network

12 UTMs and blades aren’t the answer either
- “More stuff” doesn’t solve the problem
- Firewall “helpers” have limited view of traffic
- Complex and costly to buy and maintain
- Doesn’t address applications and cyber threats
Diagram: Internet, UTM or blades, Enterprise Network

13 Multi-Step Scanning Ramifications
Slide diagram: Policy Decision #1, Firewall: Allow port 80 (open ports to allow the application). Policy Decision #2, App-Control Add-on: Allow Facebook. Result: 300+ applications allowed*. Facebook allowed… what about the other 299 apps?
Speaker notes: There are some fundamental differences in competitive offerings that cannot be overlooked, starting with their foundation. They are all based on stateful inspection, and stateful inspection makes all access control decisions based on port and protocol. This cannot be changed, yet it is easily bypassed by many of today’s applications. Existing firewall vendors try to address application enablement by adding application control features to their stateful inspection firewall, much like they have done with IPS. There are several significant ramifications to this add-on approach.
Multiple policies with duplicate information increase management effort. A port-based firewall plus application control approach means you will need to build and manage a firewall policy with source, destination, user, port, action, etc., and an application control policy with the same information plus application and action. If your organization is like most, you likely have hundreds, even thousands of firewall rules. A multiple-policy rulebase approach will not only increase administrative overhead; it may also increase both business and security risks unnecessarily. Palo Alto Networks uses a single, unified policy editor that allows you to use application, user and content as the basis for your secure enablement policies.
A port-based ‘allow’ rule plus an app control rule weakens the FW ‘deny all else’ premise. The always-on nature of port-based traffic classification means your incumbent firewall will first need to open the application’s default port before the add-on can control the application. To control Facebook, you need to allow tcp/80 or tcp/443. Based on the Application Usage and Risk Report, you may be allowing 297 other applications (25% of the average enterprise application mix) that you may or may not want on the network. This means the strength of a default deny-all policy is significantly weakened. As soon as traffic hits a Palo Alto Networks firewall, App-ID immediately identifies what the application is, across all ports, all the time. Access control decisions are made based on the application, and default deny-all can be maintained.
Systematic management of unknown traffic. Unknown traffic epitomizes the 80/20 rule: it is a small amount of traffic on every network, but it is high risk. Unknown traffic can be a custom application, an unidentified commercial application, or a threat. Incumbent vendors have no way to systematically find and manage that unknown traffic. To be clear, all of the traffic is logged by the firewall, but the applications are logged separately and are a subset, making unknown traffic management nearly impossible. The common competitive response to unknown traffic is to block it, which may cripple the business by blocking a critical internal app. We categorize unknown traffic, which allows you to find internal applications and create a custom App-ID; do a PCAP for unidentified commercial applications and submit them for App-ID development; and use the logging and reporting features to see if it is a threat. You are able to systematically manage unknown traffic down to a small, low-risk amount, all based on policy.
Key Difference / Ramifications:
- Two separate policies: More work. Two policies = double the admin effort (data entry, management, etc.). Possible security holes. No policy reconciliation tools to find potential holes.
- Two separate policy decisions: Weakens the FW deny-all-else premise. Applications allowed by port-based FW decision.
- Two separate log databases: Less visibility with more effort. Informed policy decisions require more effort, slowing reaction time.
- No concept of unknown traffic: Increased risk. Unknown is found on every network = low volume, high risk. More work, less flexible. Significant effort to investigate; limited ability to manage if it is found.
*Based on Palo Alto Networks Application Usage and Risk Report

14 Tectonic shifts create the perfect storm
- Cloud + SaaS
- Social + consumerization
- Mobile + BYOD
- Cloud + virtualization
Massive opportunity for cyber criminals

15 All These Challenges! Where do I Start?
Good news: adaptations of things we have seen before. A lot can be done. Some new thinking is required.
Speaker notes: TK personal example – 4G telco build. We will talk shortly about the baseline things you should be doing in this day and age.

16 Our fundamentally new approach to enterprise security
- App-ID: Identify the application
- User-ID: Identify the user
- Content-ID: Scan the content

17 Architectural Differences
Palo Alto Networks:
- Operations: once per packet (App-ID, User-ID, Content-ID)
- Parallel processing (single pass-through)
- Single policy, including App-ID, User-ID and Content-ID
- Single log entry for one session
Competitor products:
- Several operations per packet introduce performance degradation
- Serial processing (switching between modules)
- Multiple policies: Firewall (ports), IPS, App-Control, AV…
- Separate log entries for one session

18 How do we reduce risk with this platform approach
How do we reduce risk with this platform approach?
1 Full Visibility: Achieve 100% visibility into network traffic (at speed). Limit network traffic to business-relevant applications based on actual usage (App-ID). “Safely enable is the new Block”
2 Eliminate all types of known threats/vectors (AV, AS, IPS, URL)
3 Eliminate unknown threats (WildFire)
Chart: RISK LEVEL falling from Today’s Network through steps 1 to 3, under a Single Security Policy

19 Safely Enabling Applications, Users & Content
- Applications: Safe enablement begins with application classification by App-ID
- Users: Tying users and devices, regardless of location, to applications with User-ID
- Content: Scanning content and protecting against all threats, both known and unknown, with Content-ID

20 The Benefits of Classifying Traffic in the Firewall
Slide diagram: Firewall with App-ID; Policy Decision: Allow Facebook; all else X (blocked).
Speaker notes: We believe application enablement belongs in the FW, not in a secondary scanning process. Recall that a firewall uses a positive control security model, meaning allow what you define, block all else. Using that as the premise, here is how we might enable Facebook: a single policy to allow it, and all else is blocked. The benefits of application enablement in the FW are significant:
- Single rule base means less work; competitive offerings require multiple policies with duplicate data entry.
- Better security with a single policy; it eliminates possible traffic gaps and reconciliation holes left open by the two policies.
- Positive security means new apps that users may want to try are blocked implicitly (or explicitly, depending on the practices followed).
- Single log database means a single view into what’s happening on the network.
Most importantly, FW-based enablement gives you more control over unknown traffic. Unknown traffic represents 5-8% on every network. We knew from day 1 unknowns would exist; it can be an internal app, a commercial off-the-shelf (COTS) app, or a threat. Any traffic not identified by our mechanisms falls into unknown-udp or unknown-tcp. From there, you can quickly analyze it, set policy on it categorically, and systematically manage it.
Unknown commercial applications: using the visibility tools, you can quickly determine whether the traffic is a commercial off-the-shelf (COTS) application or not. If it is a COTS application, you can use the packet capture feature to record the traffic and submit it for App-ID development. The new App-ID is developed, tested, then added to the database for all users in our scheduled updates.
Internal or custom applications: next, you can determine if the application is internal or custom using the visibility tools or the log viewer. If the traffic is an internal application, you can create a custom App-ID using the exposed protocol and application decoders. Once the custom App-ID is developed, your internal application is classified and inspected in the same manner as applications with standard App-IDs. You can enable the internal application via policy, inspect it for threats, shape it using QoS and so on. Custom App-IDs are managed in a separate database on the device, ensuring they are not impacted by the weekly App-ID updates.
Unknown traffic as a threat: once the internal or COTS applications have been addressed, the third possible identity of the unknown traffic is that it is a threat. Here too, you can quickly determine the risk levels using the behavioral botnet report or other forensics tools to isolate the characteristics and apply appropriate policy control.
Key Difference / Benefit:
- Single firewall policy: Less work, more secure. Administrative effort is reduced; potential reconciliation holes eliminated.
- Positive control model: Allow by policy, all else is denied. It’s a firewall.
- Single log database: Less work, more visibility. Policy decisions based on complete information.
- Systematic management of unknowns: Less work, more secure. Quickly identify high-risk traffic and systematically manage it.

21 NGFW vs. Legacy Firewalls
App-ID (NGFW):
- Firewall Rule: ALLOW SMTP
- SMTP = SMTP: Allow
- Bittorrent ≠ SMTP: Deny
- Visibility: Bittorrent detected and blocked
Legacy Firewall:
- Firewall Rule: ALLOW Port 25
- SMTP packet on Port 25: Allow
- Bittorrent packet on Port 25: Allow
- Visibility: Port 25 allowed

22 NGFW vs. Legacy Firewall + App IPS
App-ID (NGFW):
- Firewall Rule: ALLOW SMTP
- SMTP = SMTP: Allow
- Bittorrent ≠ SMTP: Deny
- Visibility: Bittorrent detected and blocked
Legacy Firewall + App IPS:
- Firewall Rule: ALLOW Port 25; Application IPS Rule: Block Bittorrent
- SMTP packet on Port 25: Allow
- Bittorrent packet on Port 25: Allow at the firewall, then Bittorrent: Deny at the App IPS
- Visibility: Bittorrent detected and blocked

23 NGFW vs. Legacy Firewall + App IPS
Flows shown: SMTP, Bittorrent, SSH, Skype, Ultrasurf, all on port 25.
App-ID (NGFW):
- Firewall Rule: ALLOW SMTP
- SMTP = SMTP: Allow
- Skype ≠ SMTP: Deny; SSH ≠ SMTP: Deny; Ultrasurf ≠ SMTP: Deny
- Visibility: each app detected and blocked
Legacy Firewall + App IPS:
- Firewall Rule: ALLOW Port 25; Application IPS Rule: Block Bittorrent
- SMTP packet on Port 25: Allow
- SSH, Skype, Ultrasurf packets on Port 25: Allow at the firewall; Packet ≠ Bittorrent: Allow at the App IPS
- Visibility: Packets on Port 25 allowed
Callout: Not only does the 0-day malware get through, but there are no logs generated that identify this problem!

24 NGFW vs. Legacy Firewall + App IPS
Flows shown: SMTP, Bittorrent, command-and-control (C & C) traffic, all on port 25.
App-ID (NGFW):
- Firewall Rule: ALLOW SMTP
- SMTP = SMTP: Allow
- Command & Control ≠ SMTP: Deny
- Visibility: Unknown traffic detected and blocked
Legacy Firewall + App IPS:
- Firewall Rule: ALLOW Port 25; Application IPS Rule: Block Bittorrent
- SMTP packet on Port 25: Allow
- C & C packet on Port 25: Allow at the firewall; C & C ≠ Bittorrent: Allow at the App IPS
- Visibility: Packet on Port 25 allowed
Callout: Not only does the 0-day malware get through, but there are no logs generated that identify this problem!
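The three firewall models of slides 21 to 24, together with the positive-control and unknown-traffic points of slides 13 and 20, as an added toy policy engine in Python (example code written for this page, not Palo Alto Networks code). The protocol fingerprints, addresses and beacon bytes are constructed for illustration and are not App-ID's real decoders; the point it shows is that a port rule and a block-list IPS both pass unknown traffic on an open port, while an application allow rule with default deny does not.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One TCP session as the firewall sees it: the fields that matter here plus the first client bytes."""
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed sample sessions, all on tcp/25, the port the legacy rule opens.
SMTP_FLOW = Flow("10.1.1.5", "203.0.113.10", 25, b"EHLO mail.example.test\r\n")
BT_FLOW = Flow("10.1.1.7", "198.51.100.20", 25, b"\x13BitTorrent protocol" + bytes(8))
C2_FLOW = Flow("10.1.1.9", "192.0.2.30", 25, bytes.fromhex("7f010000a1b2c3d4"))  # opaque beacon, constructed


def identify_app(flow: Flow) -> str:
    """Toy App-ID-style classifier: decide by content, never by port.
    Anything no decoder recognises is reported as 'unknown-tcp' (slide 20)."""
    p = flow.payload
    if p.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    if p[:4].upper() in (b"EHLO", b"HELO", b"MAIL", b"RCPT") or p.startswith(b"220 "):
        return "smtp"
    return "unknown-tcp"


def legacy_firewall(flow: Flow) -> tuple[str, str]:
    """Slide 21: stateful rule 'ALLOW Port 25'. Verdict and log entry are both port-based,
    so Bittorrent and C2 on tcp/25 are allowed and logged exactly like SMTP."""
    if flow.dport == 25:
        return "allow", f"port {flow.dport} allowed"
    return "deny", f"port {flow.dport} denied"


def legacy_plus_app_ips(flow: Flow, blocked_apps=frozenset({"bittorrent"})) -> tuple[str, str]:
    """Slides 22-24: port firewall first, then an add-on app IPS with a block list.
    The second decision only catches apps it has a rule for; unknown traffic still
    rides the port rule (slide 13: two decisions weaken 'deny all else')."""
    verdict, log = legacy_firewall(flow)
    if verdict == "deny":
        return verdict, log
    app = identify_app(flow)
    if app in blocked_apps:
        return "deny", f"{app} detected and blocked"
    return "allow", log  # no application-level log for what slipped through


def ngfw(flow: Flow, allowed_apps=frozenset({"smtp"})) -> tuple[str, str]:
    """App-ID rule 'ALLOW SMTP' under a positive control model: identify the application
    first, then deny and log by name anything not explicitly allowed, unknown-tcp included."""
    app = identify_app(flow)
    if app in allowed_apps:
        return "allow", f"{app} allowed"
    return "deny", f"{app} detected and blocked"


def compare(flows) -> dict[str, dict[str, str]]:
    """Verdict of each model per identified application, for a side-by-side view."""
    return {
        identify_app(f): {
            "legacy": legacy_firewall(f)[0],
            "legacy+app-ips": legacy_plus_app_ips(f)[0],
            "ngfw": ngfw(f)[0],
        }
        for f in flows
    }


if __name__ == "__main__":
    for app, verdicts in compare([SMTP_FLOW, BT_FLOW, C2_FLOW]).items():
        print(f"{app:12} {verdicts}")
```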

25 We safely enable the business and manage the risks
User                  Safely enable                                  Prohibited use
Financial advisor     Post info to a prospect’s wall; Chatting       Clicking on infected links
Sales rep             Sharing opportunities with channel partner     Sharing customer lists externally
Marketing specialist  Exchange of Photoshop files with agencies      Downloading malware
HR recruiter          Communication with candidates                  Exposing lists of employees and their salaries

26 Security Context from Integration
- Allowing to on port 80: does not provide context.
- Allowing Sales Users on the Corporate LAN to access Salesforce.com, while looking for threats and malware inside the decrypted SSL tunnel, and easily seeing you have done so: that is context.
- Seeing you had 10 tunneling apps, 15 IPS hits, and 4 visits to malware sites: no context.
- Seeing Dave Smith visited a malware site, downloaded 0-day malware, and his device is visiting other known malware sites and using tunneling apps: that is context.

27 COMPROMISED CREDIT CARDS – APTs IN ACTION
Slide steps: Recon on companies Target works with; Spearphishing third-party HVAC contractor; Breached Target network with stolen payment system credentials; Moved laterally within Target network and installed POS malware; Compromised internal server to collect customer data; Maintain access; Exfiltrated data to command-and-control servers over FTP.
Speaker notes: Here’s an example of the sophistication and advanced nature of today’s threat. Let’s get into the details of how the Target data breach happened, which is a great archetype for the type of multi-staged and complex attack APTs typically use.
First the attackers did sophisticated recon activity, understanding all the third-party contractors who worked with Target and may have been a potential pivot point into their network. They scoured public records, corporate websites and social media, and could have gone so far as calling in and pretending to be a representative of one of the companies to get further information. There is a wealth of freely available information online if you just look for it.
They then identified their “target”: a third-party HVAC contractor who had an ongoing relationship with Target. They breached this contractor with a spearphishing email and gained access to their network and all the information they had on their clients, including credentials to Target’s systems.
The attackers used this stolen credential information to log into a third-party payment system within Target’s network, which gave them an initial foothold to begin their persistent movement throughout the network. With this foothold, they were able to move laterally and install the “BlackPOS” malware on POS systems. The malware was able to read customer credit card data, which was held in memory on the POS systems, before it was encrypted.
At the same time the attackers also took control of an internal server that acted as a repository for all the stolen customer information, fed from each compromised POS system. All this time, the malware and compromised systems were reaching out and communicating with the attackers via sophisticated command-and-control traffic to receive additional instructions. Once enough data had been collected on the internal server, it was exfiltrated using FTP to those same CnC servers all around the world.
With this in mind, a few key pieces of information bubble to the surface:
- The attack was complex and multi-threaded. Attackers always think of new ways to get in, and this requires the ability to do prevention at all key points in the network and to look at all the traffic as it comes in or goes out.
- Third-party tools and applications, such as the payment processing software, were used by the attackers to gain access to the Target network. Think about what could have happened if Target had enabled only the applications its business needed, with specific users or “security zones” alone able to use them.
- Segmentation of critical resources is critical, such as segmenting the “POS zone” so only finance employees, using approved applications, could traverse it.
- Common protocols over standard ports were used, such as FTP, SSL and NetBIOS, which can make the attack hard to spot when it is blending into normal traffic.

28 Palo Alto Networks at a Glance
Company highlights:
- Founded in 2005; first customer shipment in 2007
- Safely enabling applications
- Addressing the entire $10B+ network security market
- Enterprise leadership position & rapid customer growth
- Experienced team of 1,900+ employees
- Over 21,000 enterprise customers
Charts: Revenues ($MM, FYE July) and Enterprise customers, Jul-11, Jul-12, Jul-13

29 Gartner -- Enterprise Firewall Magic Quadrant
Magic Quadrant snapshots: December 2011 and February 2013. We pushed the competitors back.

30 Gartner -- Enterprise Firewall Magic Quadrant

31 Next-generation enterprise security platform
Platform attributes: Automated, Natively integrated, Extensible.
Palo Alto Networks Next-Generation Firewall (Network):
- Inspects all traffic
- Blocks known threats
- Sends unknown to cloud
- Extensible to mobile & virtual networks
Palo Alto Networks Threat Intelligence Cloud (Cloud):
- Gathers potential threats from network and endpoints
- Analyzes and correlates threat intelligence
- Disseminates threat intelligence to network and endpoints
Palo Alto Networks Advanced Endpoint Protection (Endpoint):
- Inspects all processes and files
- Prevents both known & unknown exploits
- Integrates with cloud to prevent known & unknown malware

32 Detect and Defend: Turning the Unknown into Known
Slide labels: All applications; Identify & control; Prevent known threats; Detect unknown threats; Rapid, global sharing; Reduce the attack surface.
Speaker notes: We use information learned while running files through WildFire to improve our signature-based threat prevention capabilities. For example, we can harvest bad domains, malicious URLs, command & control information, etc. to build new DNS signatures and C&C signatures, and add to the malware category in PAN-DB. Our unique approach makes us the only solution that:
- Scans ALL applications (including SSL traffic) to secure all avenues in/out of a network, reduce the attack surface area, and provide context for forensics
- Prevents attacks across ALL attack vectors (exploit, malware, DNS, command & control, and URL) with content-based signatures
- Detects zero-day malware & exploits using public/private cloud and automatically creates signatures to defend our global customer base

33 We have pioneered the next generation of security
Legacy (mid 1990’s – today): Allow or block some apps; Detect some malware
Today+: Safely enable all applications; Prevent all cyber threats

34 Palo Alto Networks Next Generation Firewall
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify and control users regardless of IP address, location, or device
3. Protect against known and unknown application-borne threats
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, low latency, in-line deployment
Speaker notes: We believe the firewall should be the traffic cop for your network. Identify applications regardless of port, protocol, evasive tactic, or SSL encryption; the firewall needs to be able to decrypt SSL traffic across all ports, all the time. Next, it needs to identify and control users, regardless of IP address, so that policies can be built around those users, and groups of users, by name. Protect in real time against known and unknown application-borne threats, all while providing fine-grained visibility and policy control over application access and functionality. And lastly, do all this with multi-gigabit, in-line deployment with no performance degradation and low latency. These are the criteria we feel need to be met in order for the firewall to be effective and practical today.

35 Covering the entire enterprise
Network location: Data center/cloud; Enterprise perimeter; Distributed/BYOD; Endpoint
Use cases: Next-Generation Firewall; Cybersecurity: IDS / IPS / APT; Web gateway; VPN
Management system: Panorama, M-100 appliance, GP-100 appliance
Operating system: PAN-OS™
Next-generation appliances: Physical: PA-200, PA-500, PA-2000 Series, PA-3000 Series, PA-4000 Series, PA-5000 Series, PA-7050; WildFire: WF-500; Virtual: VM-Series & VM-Series-HV for NSX
Subscriptions: URL Filtering; GlobalProtect™; WildFire™; Threat Prevention
Endpoint: Traps

36 Our core value proposition
An enterprise security platform that safely enables all applications through granular use control and prevention of known and unknown cyber threats for all users on any device across any network. Superior security with superior TCO

37 Thank You © 2012 Palo Alto Networks. Proprietary and Confidential.

