Expose The Underground Advanced Persistent Threats

Presentation transcript:

Expose The Underground Advanced Persistent Threats Jeff Baker

The problem
Today’s cyber attackers are utilizing an increasingly sophisticated set of evasion tactics.
Disjointed techniques rely on a “whack-a-mole” approach for detection and prevention, leaving enterprises prone to risk.
The volume of attacks is rapidly accelerating, putting strain on a limited population of security specialists.

Use this slide to set up the reason Palo Alto Networks has invested, and will continue to invest, in advanced threat protections such

What is an APT?
Human entity
Targeted
Persistent

Modern Attacks are changing...

Target | Date | Motive
(not given) | Nov 27, 2013 | Financial
NY Times | Jan 31, 2013 | State-sponsored
CIA | Feb 10, 2012 | Hacktivism
Symantec | Feb 8, 2012 | Extortion
Zappos | Jan 15, 2012 | Cybercrime
Danish Government | Aug 22, 2011 | Government practices
Sony PSN | April 19, 2011 | (not given)
Epsilon | April 1, 2011 | (not given)
RSA | March 17, 2011 | (not given)

Attackers: nation-states, organized crime, political groups.
Easier IT targets: new vectors, extended IT access, escalating tactics.
Concealment: evasion techniques, polymorphic attacks, high analysis volume.

We’ve seen a big change over the last year in who is behind modern attacks. Hacktivists, organized crime and even nation-states are behind many of the intrusions that are happening now, which leads to a qualitative difference in how the attackers operate. These groups have more time, resources and a higher level of motivation, which allows them to mount more complex, long-term operations against bigger targets. In short, this means any organization can be a target at any time.

Attackers changed: why does it matter? Because nation-states and organized crime know what to do with stolen property. Previously a hacker may have been able to break into a network, but what would they really do with RSA source code? The change in attackers has led to a change in targets. Often they’re going after the most important data in an organization, and they have a plan for how they will profit from it.

Finally, because of the change in targets, the attack strategy has changed as well. We’re seeing a wide array of tactics being used, from targeted malware and spyware to phishing attacks and social engineering, in addition to exploits. Often, organizations with a complex and extended IT environment are an easy target because there are multiple ways to breach their network (via internal users, extended business partners, mobile users). This requires a greater commitment to securing sensitive data.

Examples from AVR reports: a compliance officer playing crossword puzzles, an Xbox in the data center, RDP left wide open, unpatched servers.

“The biggest problem with that older technology, some say, is that it reacts to threats rather than anticipating them.” – Austin American Statesman, Jan 19th, 2014

Why we’re all here
We all want the same thing: to avoid making the headlines. Retail has been particularly targeted. The distributed nature of their business and the fact that they are one of the primary touch points for credit card data make them specifically vulnerable to cybercriminals.

Example: Modern Malware Attack
1. Targeted malicious email sent to user
2. User clicks on link to a malicious website
3. Malicious website exploits client-side vulnerability
4. Drive-by download of malicious payload
5. Steal, Control, Relay
Controls applied along the way: URL Filtering, IPS, Behavioral Analysis, Signature Detection.

The first opportunity is when the user clicks on a link to an unknown or malicious domain within the email. URL filtering enables administrators to block known malicious domains and control other high-risk domain categories.

The second opportunity is when the malicious website attempts to exploit a client-side vulnerability in the web browser or helper application. Security policies with a vulnerability protection profile inspect all traffic, regardless of port or protocol, for malicious traffic and block these types of exploits.

The next opportunity is at the time of file download, whether it is a drive-by download as in this scenario or an intentional download via email attachment, web download, or file sharing application. If the malware has never been seen before, this is where WildFire steps in. The file is executed in the virtual sandbox environment and analyzed for malicious activity. The administrator is immediately alerted, and the endpoint can be quickly identified and remediated.

The final opportunity is when the whole cycle attempts to repeat. Except now, WildFire has automatically created a signature for the malware and included it within the malware signature database, and future downloads of the malware are blocked at the firewall.

Modern malware is a network problem, not just a host problem, and Palo Alto Networks next-generation firewalls are uniquely positioned to counter the modern malware threat throughout its lifecycle.

Understanding the Cyber Attack Kill Chain
1. Bait the end-user: end-user lured to a dangerous application or website containing malicious content
2. Exploit: infected content exploits the end-user, often without their knowledge
3. Download Backdoor: secondary payload is downloaded in the background; malware installed
4. Back Channel: malware establishes an outbound connection to the attacker for ongoing control
5. Explore & Steal: remote attacker has control inside the network and escalates the attack
Phases: Infiltrate, Lateral Movement, Remove Data.

Here is a classic example of a multi-staged advanced attack (which is really more a project or a campaign), each stage of which, on its own, would potentially not be detected in a siloed security architecture, and therefore the ‘attack’ could go undetected for a long time. We need to break it at different points in the chain! Best-of-breed, disparate solutions or integrated intelligence?

Goal: Break the Kill Chain at Every Possible Step (Automatically)
Steps: 1 Bait the end-user, 2 Exploit, 3 Download Backdoor, 4 Backdoor, 5 Command/Control.
Controls: App-ID, URL, IPS, Spyware, AV, Files, Unknown Threats.
Actions: block high-risk apps; block C2 on open ports; block known malware sites; block fast-flux, bad domains; block the exploit; block spyware, C2 traffic; block malware; prevent drive-by-downloads; detect 0-day malware; block new C2 traffic.

We bring multiple security disciplines into a single context, a single threat prevention engine. See beyond individual security events and recognize the full extent of a threat. In a uniform context, you can see the interconnection of applications, exploits, malware, URLs, DNS queries, anomalous network behaviors and targeted malware. It is the unique value of our integrated solution that allows us to see this interconnection. This should be our main talking point to customers, and have them realize that their strategy should not be based on ‘best of breed products’ any longer.

When the world was simple
Port 80: www. Port 25: email.
Stateful inspection addresses two applications, browsing and email, with predictable application behavior, in a basic threat environment.

Challenge: More Security = Poor Performance
Traditional security: each security box, blade, or software module robs the network of performance. Threat prevention technologies are often the worst offenders. This leads to the classic friction between network and security.
Chart: network performance falls from the best case as Firewall, IPS and Anti-Malware are added, with increased complexity/cost. (Kelvin/Chris)

Technology sprawl and creep aren’t the answer
“More stuff” doesn’t solve the problem: firewall “helpers” have a limited view of traffic, are complex and costly to buy and maintain, and don’t address applications and new cyber threats.
Diagram: APT, Internet, Enterprise Network.

UTM’s and blades aren’t the answer either
“More stuff” doesn’t solve the problem: firewall “helpers” have a limited view of traffic, are complex and costly to buy and maintain, and don’t address applications and cyber threats.
Diagram: UTM or blades, Internet, Enterprise Network.

Multi-Step Scanning Ramifications
Policy Decision #1, Firewall: Allow port 80 (open ports to allow the application).
Policy Decision #2, App-Control Add-on: Allow Facebook.
Result: 300+ applications allowed*. Facebook allowed... what about the other 299 apps?

There are some fundamental differences in competitive offerings that cannot be overlooked, starting with their foundation. They are all based on stateful inspection, and stateful inspection makes all access control decisions based on port and protocol. This cannot be changed, yet it is easily bypassed by many of today’s applications. Existing firewall vendors try to address application enablement by adding application control features to their stateful inspection firewall, much as they have done with IPS. There are several significant ramifications to this add-on approach.

Multiple policies with duplicate information increase management effort. A port-based firewall plus application control approach means you will need to build and manage a firewall policy with source, destination, user, port, action, etc., and an application control policy with the same information plus application and action. If your organization is like most, you likely have hundreds, even thousands of firewall rules. A multiple-policy rulebase approach will not only increase administrative overhead, it may also increase both business and security risks unnecessarily. Palo Alto Networks uses a single, unified policy editor that allows you to use application, user and content as the basis for your secure enablement policies.

A port-based ‘allow’ rule plus an app-control rule weakens the FW ‘deny all else’ premise. The always-on nature of port-based traffic classification means your incumbent firewall will first need to open the application’s default port before controlling the application. To control Facebook, you need to allow tcp/80 or tcp/443. Based on the Application Usage and Risk Report, you may then be allowing 297 other applications (25% of the average enterprise application mix) that you may or may not want on the network. This means the strength of a default deny-all policy is significantly weakened. As soon as traffic hits a Palo Alto Networks firewall, App-ID immediately identifies what the application is, across all ports, all the time. Access control decisions are made based on the application, and default deny-all can be maintained.

Systematic management of unknown traffic. Unknown traffic epitomizes the 80/20 rule: it is a small amount of traffic on every network, but it is high risk. Unknown traffic can be a custom application, an unidentified commercial application, or a threat. Incumbent vendors have no way to systematically find and manage that unknown traffic. To be clear, all of the traffic is logged by the firewall, but the applications are logged separately and are a subset, making unknown traffic management nearly impossible. The common competitive response to unknown traffic is to block it, which may cripple the business by blocking a critical internal app. We categorize unknown traffic, which allows you to find internal applications and create a custom App-ID; take a PCAP of unidentified commercial applications and submit them for App-ID development; and use the logging and reporting features to see if it is a threat. You are able to systematically manage unknown traffic down to a small, low-risk amount, all based on policy.

Key Difference | Ramifications
Two separate policies | More work: two policies = double the admin effort (data entry, mgmt, etc.). Possible security holes: no policy reconciliation tools to find potential holes.
Two separate policy decisions | Weakens the FW deny-all-else premise: applications allowed by the port-based FW decision.
Two separate log databases | Less visibility with more effort: informed policy decisions require more effort, which slows reaction time.
No concept of unknown traffic | Increased risk: unknown traffic is found on every network, low volume but high risk. More work, less flexible: significant effort to investigate, limited ability to manage it if it is found.

*Based on Palo Alto Networks Application Usage and Risk Report

Tectonic shifts create the perfect storm
Cloud + SaaS; Social + consumerization; Mobile + BYOD; Cloud + virtualization.
Massive opportunity for cyber criminals.

All These Challenges! Where do I Start?
Good news: these are adaptations of things we have seen before. A lot can be done; some new thinking is required.
(TK: personal example, 4G telco build.) We will talk shortly about the baseline things you should be doing in this day and age.

Our fundamentally new approach to enterprise security
App-ID: identify the application. Content-ID: scan the content. User-ID: identify the user.

Architectural Differences
Palo Alto Networks | Competitor Products
Operations once per packet (App-ID, User-ID, Content-ID) | Several operations per packet introduce performance degradation
Parallel processing (single pass-through) | Serial processing (switching between modules)
Single policy including App-ID, User-ID and Content-ID | Multiple policies: Firewall (ports), IPS, App-Control, AV...
Single log entry for one session | Separate log entries for one session

How do we reduce risk with this platform approach?
1. Full visibility: achieve 100% visibility into network traffic (at speed); limit network traffic to business-relevant applications based on actual usage (App-ID). “Safely enable is the new Block.”
2. Eliminate all types of known threats/vectors (AV, AS, IPS, URL).
3. Eliminate unknown threats (WildFire).
All under a single security policy. Chart: risk level decreases from today’s network through each step.

Safely Enabling Applications, Users & Content
Applications: safe enablement begins with application classification by App-ID.
Users: tying users and devices, regardless of location, to applications with User-ID.
Content: scanning content and protecting against all threats, both known and unknown, with Content-ID.

The Benefits of Classifying Traffic in the Firewall
Firewall (App-ID) policy decision: Allow Facebook; all else blocked (X).

We believe application enablement belongs in the FW, not in a secondary scanning process. Recall that a firewall uses a positive control security model, meaning allow what you define, block all else. Using that as the premise, here is how we might enable Facebook: a single policy to allow it, [CLICK] and all else is blocked.

The benefits of application enablement in the FW are significant. A single rule base means less work; competitive offerings require multiple policies with duplicate data entry. Better security with a single policy: it eliminates possible traffic gaps and reconciliation holes left open by two policies. Positive security means new apps that users may want to try are blocked implicitly (or explicitly, depending on the practices followed). A single log db means a single view into what’s happening on the network.

Most importantly, FW-based enablement gives you more control over unknown traffic. Unknown traffic represents 5-8% on every network. We knew from day 1 unknowns would exist: it can be an internal app, a commercial off-the-shelf (COTS) app, or a threat. Any traffic not IDed by our mechanisms falls into unknown-udp or unknown-tcp. From there, you can quickly analyze it, set policy on it categorically, and systematically manage it.

Unknown commercial applications: using the visibility tools, you can quickly determine whether the traffic is a COTS application or not. If it is, you can use the packet capture feature to record the traffic and submit it for App-ID development. The new App-ID is developed, tested, then added to the database for all users in our scheduled updates.

Internal or custom applications: next, you can determine whether the application is internal or custom using the visibility tools or the log viewer. If the traffic is an internal application, you can create a custom App-ID using the exposed protocol and application decoders. Once the custom App-ID is developed, your internal application is classified and inspected in the same manner as applications with standard App-IDs. You can enable the internal application via policy, inspect it for threats, shape it using QoS and so on. Custom App-IDs are managed in a separate database on the device, ensuring they are not impacted by the weekly App-ID updates.

Unknown traffic as a threat: once the internal or COTS applications have been addressed, the third possible identity of the unknown traffic is that it is a threat. Here too, you can quickly determine the risk level using the behavioral botnet report or other forensics tools to isolate the characteristics and apply appropriate policy control.

Key Difference | Benefit
Single firewall policy | Less work, more secure: administrative effort is reduced; potential reconciliation holes eliminated.
Positive control model | Allow by policy, all else is denied. It’s a firewall.
Single log database | Less work, more visibility: policy decisions based on complete information.
Systematic management of unknowns | Less work, more secure: quickly identify high-risk traffic and systematically manage it.

NGFW vs. Legacy Firewalls
App-ID firewall rule: ALLOW SMTP | Legacy firewall rule: ALLOW Port 25
SMTP: App-ID: SMTP = SMTP, Allow ✔ | Legacy: packet on port 25, Allow ✔
Bittorrent: App-ID: Bittorrent ≠ SMTP, Deny ✗ | Legacy: packet on port 25, Allow ✔
Visibility: App-ID: Bittorrent detected and blocked | Legacy: port 25 allowed

NGFW vs. Legacy Firewall + App IPS
App-ID firewall rule: ALLOW SMTP | Legacy firewall rule: ALLOW Port 25; Application IPS rule: Block Bittorrent
SMTP: App-ID: SMTP = SMTP, Allow ✔ | Legacy: packet on port 25, Allow ✔; App IPS: Allow ✔
Bittorrent: App-ID: Bittorrent ≠ SMTP, Deny ✗ | Legacy: packet on port 25, Allow ✔; App IPS: Bittorrent, Deny ✗
Visibility: App-ID: Bittorrent detected and blocked | Legacy + App IPS: Bittorrent detected and blocked

NGFW vs. Legacy Firewall + App IPS
App-ID firewall rule: ALLOW SMTP | Legacy firewall rule: ALLOW Port 25; Application IPS rule: Block Bittorrent
SMTP: App-ID: SMTP = SMTP, Allow ✔ | Legacy: packet on port 25, Allow ✔; App IPS: Allow ✔
Bittorrent: App-ID: Bittorrent ≠ SMTP, Deny ✗ | Legacy: packet on port 25, Allow ✔; App IPS: Bittorrent, Deny ✗
SSH, Skype, Ultrasurf: App-ID: Skype ≠ SMTP, Deny; SSH ≠ SMTP, Deny; Ultrasurf ≠ SMTP, Deny ✗ | Legacy: packet on port 25, Allow ✔; App IPS: packet ≠ Bittorrent, Allow ✔
Visibility: App-ID: each app detected and blocked | Legacy + App IPS: packets on port 25 allowed
Not only does the 0-day malware get through, but there are no logs generated that identify this problem!

NGFW vs. Legacy Firewall + App IPS
App-ID firewall rule: ALLOW SMTP | Legacy firewall rule: ALLOW Port 25; Application IPS rule: Block Bittorrent
SMTP: App-ID: SMTP = SMTP, Allow ✔ | Legacy: packet on port 25, Allow ✔; App IPS: Allow ✔
Bittorrent: App-ID: Bittorrent ≠ SMTP, Deny ✗ | Legacy: packet on port 25, Allow ✔; App IPS: Bittorrent, Deny ✗
C & C: App-ID: Command & Control ≠ SMTP, Deny ✗ | Legacy: packet on port 25, Allow ✔; App IPS: C & C ≠ Bittorrent, Allow ✔
Visibility: App-ID: unknown traffic detected and blocked | Legacy + App IPS: packet on port 25 allowed
Not only does the 0-day malware get through, but there are no logs generated that identify this problem!
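To make the three designs compared on the slides above (and the two-decision add-on approach from the “Multi-Step Scanning Ramifications” slide) concrete, here is an added Python model, not Palo Alto Networks code, that runs the same flows, all on TCP/25, through a port-only rule, a port rule plus a “Block Bittorrent” add-on, and a single App-ID rule, and reports what each design lets through and which applications its logs would let an analyst find afterwards. The flow list and log formats are constructed for the example; “unknown-tcp” stands in for traffic with no matching signature, like the C & C flow on the last slide.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    app: str   # application identified by content inspection; "unknown-tcp" when nothing matches
    port: int  # transport port the flow actually uses


# Constructed sample traffic: every flow rides TCP/25, the SMTP port, exactly the
# situation drawn on the comparison slides.
SAMPLE_FLOWS: List[Flow] = [
    Flow("smtp", 25), Flow("bittorrent", 25), Flow("ssh", 25),
    Flow("skype", 25), Flow("ultrasurf", 25), Flow("unknown-tcp", 25),
]

Verdict = Tuple[str, List[str]]  # ("allow" | "deny", log entries written for the flow)


def legacy_firewall(flow: Flow) -> Verdict:
    """Stateful inspection: the only rule is 'ALLOW Port 25', so both the decision
    and the single log entry see nothing but the port."""
    verdict = "allow" if flow.port == 25 else "deny"
    return verdict, [f"firewall: packet on port {flow.port}: {verdict}"]


def legacy_plus_app_ips(flow: Flow) -> Verdict:
    """Port rule first, then an add-on 'Block Bittorrent' rule: two decisions and two
    log databases, and the add-on only logs the applications it has a rule for."""
    verdict, logs = legacy_firewall(flow)
    if verdict == "allow" and flow.app == "bittorrent":
        verdict = "deny"
        logs.append("app-ips: bittorrent: deny")
    return verdict, logs


def app_id_firewall(flow: Flow) -> Verdict:
    """Single positive policy 'ALLOW SMTP': allow the named application on any port,
    deny everything else, and record app, port and verdict in one log entry."""
    verdict = "allow" if flow.app == "smtp" else "deny"
    return verdict, [f"firewall: {flow.app} on port {flow.port}: {verdict}"]


Policy = Callable[[Flow], Verdict]


def evaluate(policy: Policy, flows: List[Flow]) -> Dict[str, str]:
    """Run one policy over all flows and return app -> verdict."""
    return {f.app: policy(f)[0] for f in flows}


def unintended_allows(policy: Policy, flows: List[Flow],
                      intended: frozenset = frozenset({"smtp"})) -> List[str]:
    """Apps the policy lets through although the administrator only meant to enable
    SMTP: the gap that weakens the 'deny all else' premise."""
    return [app for app, v in evaluate(policy, flows).items()
            if v == "allow" and app not in intended]


def visible_in_logs(policy: Policy, flows: List[Flow]) -> List[str]:
    """Apps whose name appears anywhere in the logs, i.e. what an analyst could
    actually find after the fact."""
    seen = []
    for f in flows:
        _, logs = policy(f)
        if any(f.app in entry for entry in logs):
            seen.append(f.app)
    return seen


if __name__ == "__main__":
    for name, policy in [("legacy", legacy_firewall),
                         ("legacy + app IPS", legacy_plus_app_ips),
                         ("App-ID", app_id_firewall)]:
        print(f"{name:18} unintended allows: {unintended_allows(policy, SAMPLE_FLOWS)}")
        print(f"{'':18} visible in logs:   {visible_in_logs(policy, SAMPLE_FLOWS)}")
```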

We safely enable the business and manage the risks
User | Safely enable | Prohibited use
Financial advisor | Post info to a prospect’s wall; chatting | Clicking on infected links
Sales rep | Sharing opportunities with channel partner | Sharing customer lists externally
Marketing specialist | Exchange of Photoshop files with agencies | Downloading malware
HR recruiter | Communication with candidates | Exposing lists of employees and their salaries

Security Context from Integration
Allowing 10.1.2.4 to 148.62.45.6 on port 80 does not provide context. Allowing Sales users on the corporate LAN to access Salesforce.com while looking for threats and malware inside the decrypted SSL tunnel, and easily seeing that you have done so, is context.
Seeing that you had 10 tunneling apps, 15 IPS hits, and 4 visits to malware sites is no context. Seeing that Dave Smith visited a malware site, downloaded 0-day malware, and that his device is visiting other known malware sites and using tunneling apps, that is context.

COMPROMISED CREDIT CARDS – APTs IN ACTION
Recon on companies Target works with
Spearphishing third-party HVAC contractor
Breached Target network with stolen payment system credentials
Moved laterally within Target network and installed POS malware
Compromised internal server to collect customer data
Maintain access
Exfiltrated data to command-and-control servers over FTP

Here’s an example of the sophistication and advanced nature of today’s threat. Let’s get into the details of how the Target data breach happened, which is a great archetype for the type of multi-staged and complex attack APTs typically use.

First the attacker did sophisticated recon activity to understand all the third-party contractors who worked with Target and who might be a potential pivot point into their network. They scoured public records, corporate websites and social media, and could have gone so far as calling in and pretending to be a representative of one of the companies to get further information. There is a wealth of freely available information online if you just look for it.

They then identified their “target”: a third-party HVAC contractor who had an ongoing relationship with Target. They breached this contractor with a spearphishing email and gained access to their network and all the information they had on their clients, including credentials to Target’s systems.

The attackers used this stolen credential information to log into a third-party payment system within Target’s network, which gave them an initial foothold to begin their persistent movement throughout the network. With this foothold, they were able to move laterally and install the “BlackPOS” malware on POS systems. The malware was able to read customer credit card data, which was held in memory on the POS systems, before it was encrypted.

At the same time the attackers also took control of an internal server that acted as a repository for all the stolen customer information, being fed from each compromised POS system. All this time, the malware and compromised systems were reaching out and communicating with the attackers with sophisticated command-and-control traffic to receive additional instructions. Once enough data had been collected on the internal server, it was exfiltrated using FTP to those same CnC servers all around the world.

With this in mind, a few key pieces of information bubble to the surface:
The attack was complex and multi-threaded. Attackers always think of new ways to get in, and this requires the ability to do prevention at all key points in the network and to look at all the traffic as it comes in or goes out.
Third-party tools and applications, such as the payment processing software, were used by the attackers to gain access to the Target network. Think about what could have happened if they had enabled only the applications their business needed, with specific users or “security zones” only able to use them.
Segmentation of critical resources is critical, such as segmenting the “POS zone” so that only finance employees, using approved applications, could traverse it.
Common protocols over standard ports were used, such as FTP, SSL and NetBIOS, which can make the attack hard to spot when it is blending into normal traffic.

Palo Alto Networks at a Glance
Company highlights: founded in 2005; first customer shipment in 2007. Safely enabling applications. Addressing the entire $10B+ network security market. Enterprise leadership position and rapid customer growth. Experienced team of 1,900+ employees. Over 21,000 enterprise customers.
Charts: revenues ($MM, FYE July) and enterprise customers, Jul-11 to Jul-13.

Gartner -- Enterprise Firewall Magic Quadrant, December 2011 vs. February 2013: we pushed the competitors back.

Gartner -- Enterprise Firewall Magic Quadrant

Next-generation enterprise security platform
Palo Alto Networks Next-Generation Firewall (network): automated; inspects all traffic; blocks known threats; sends unknown to cloud; extensible to mobile & virtual networks.
Palo Alto Networks Threat Intelligence Cloud: gathers potential threats from network and endpoints; analyzes and correlates threat intelligence; disseminates threat intelligence to network and endpoints.
Palo Alto Networks Advanced Endpoint Protection (endpoint): natively integrated; extensible; inspects all processes and files; prevents both known & unknown exploits; integrates with cloud to prevent known & unknown malware.

Detect and Defend: Turning the Unknown into Known
Identify & control all applications (reduce the attack surface). Prevent known threats. Detect unknown threats. Rapid, global sharing.

We use information learned while running files through WildFire to improve our signature-based threat prevention capabilities. E.g. we can harvest bad domains, malicious URLs, Command & Control information, etc. to build new DNS signatures and C&C signatures, and add to the malware category in PAN-DB.

Our unique approach makes us the only solution that scans ALL applications (including SSL traffic) to secure all avenues in/out of a network, reduce the attack surface area, and provide context for forensics; prevents attacks across ALL attack vectors (exploit, malware, DNS, command & control, and URL) with content-based signatures; and detects zero-day malware & exploits using public/private cloud and automatically creates signatures to defend our global customer base.

We have pioneered the next generation of security
Legacy (mid 1990’s – today): allow or block some apps; detect some malware.
Today+: safely enable all applications; prevent all cyber threats.

Palo Alto Networks Next Generation Firewall
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify and control users regardless of IP address, location, or device
3. Protect against known and unknown application-borne threats
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, low latency, in-line deployment

We believe the firewall should be the traffic cop for your network. Identify applications regardless of port, protocol, evasive tactic, or SSL encryption; the firewall needs to be able to decrypt SSL traffic across all ports, all the time. Next, it needs to identify and control users, regardless of IP address, so that policies can be built around those users, and groups of users, by name. Protect in real time against known and unknown application-borne threats, all while providing fine-grained visibility and policy control over application access and functionality. And lastly, do all this with multi-gigabit, in-line deployment with no performance degradation and low latency. These are the criteria we feel need to be met in order for the firewall to be effective and practical today.

Covering the entire enterprise
Network locations: data center/cloud, enterprise perimeter, distributed/BYOD, endpoint.
Use cases: Next-Generation Firewall; cybersecurity (IDS / IPS / APT); web gateway; VPN.
Management system: Panorama, M-100 appliance, GP-100 appliance.
Operating system: PAN-OS™.
Next-generation appliances: physical (PA-200, PA-500, PA-2000 Series, PA-3000 Series, PA-4000 Series, PA-5000 Series, PA-7050); WildFire (WF-500); virtual (VM-Series & VM-Series-HV for NSX).
Subscriptions: URL Filtering, GlobalProtect™, WildFire™, Threat Prevention.
Endpoint: Traps.

Our core value proposition An enterprise security platform that safely enables all applications through granular use control and prevention of known and unknown cyber threats for all users on any device across any network. Superior security with superior TCO

Thank You © 2012 Palo Alto Networks. Proprietary and Confidential.