Expose The Underground Advanced Persistent Threats, Jeff Baker

Posted 19-Dec-2015

TRANSCRIPT

Page 1: Expose The Underground Advanced Persistent Threats Jeff Baker

Expose The Underground Advanced Persistent Threats

Jeff Baker

Page 2

The problem

• Today’s cyber attackers are utilizing an increasingly sophisticated set of evasion tactics

• Disjointed techniques rely on a “whack-a-mole” approach for detection and prevention, leaving enterprises prone to risk

• The volume of attacks is rapidly accelerating, straining a limited population of security specialists

• 2 | ©2014, Palo Alto Networks. Confidential and Proprietary.

Page 3

What is an APT?

• Human entity

• Targeted

• Persistent

Page 4

Modern attacks are changing...

Target | Date | Motive
Target | Nov 27, 2013 | Financial
NY Times | Jan 31, 2013 | State-sponsored
CIA | Feb 10, 2012 | Hacktivism
Symantec | Feb 8, 2012 | Extortion
Zappos | Jan 15, 2012 | Cybercrime
Danish Government | Aug 22, 2011 | Government practices
Sony PSN | April 19, 2011 | Hacktivism
Epsilon | April 1, 2011 | Financial
RSA | March 17, 2011 | State-sponsored

• “The biggest problem with that older technology, some say, is that it reacts to threats rather than anticipating them.”

• – Austin American Statesman, Jan 19th, 2014

• Attackers: nation-states, organized crime, political groups

• Easier IT targets: new vectors, extended IT access, escalating tactics

• Concealment: evasion techniques, polymorphic attacks, high analysis volume

Page 5

Page 6

Example: Modern Malware Attack

1. Targeted malicious email sent to user

2. User clicks on link to a malicious website

3. Malicious website exploits a client-side vulnerability

4. Drive-by download of malicious payload

5. Installed malware phones home: steal, control, relay

Controls shown against these steps: URL Filtering, IPS, Behavioral Analysis, Signature Detection

Page 7

Understanding the Cyber Attack Kill Chain

1. Bait the end-user: end-user lured to a dangerous application or website containing malicious content

2. Exploit: infected content exploits the end-user, often without their knowledge

3. Download backdoor: secondary payload is downloaded in the background; malware installed

4. Back channel: malware establishes an outbound connection to the attacker for ongoing control

5. Explore & steal: remote attacker has control inside the network and escalates the attack (infiltrate, lateral movement, remove data)

Need to break it at different points in the chain!

Best-of-breed, disparate solutions or integrated intelligence?

Page 8

Goal: Break the Kill Chain at Every Possible Step (Automatically)

Kill-chain steps 1 to 5: Bait the end-user, Exploit, Download Backdoor, Command/Control

Controls: App-ID, URL, IPS, Spyware, AV, Files, Unknown Threats

• Block high-risk apps

• Block known malware sites

• Block the exploit

• Block malware

• Prevent drive-by downloads

• Detect 0-day malware

• Block new C2 traffic

• Block spyware, C2 traffic

• Block fast-flux, bad domains

• Block C2 on open ports

Page 9

When the world was simple

• Two applications: browsing and email

• With predictable application behavior

• In a basic threat environment

• Stateful inspection addresses:

• Port 80

• Port 25

Page 10

Challenge: More Security = Poor Performance

Traditional Security

Each security box, blade, or software module robs the network of performance

Threat prevention technologies are often the worst offenders

Leads to the classic friction between network and security

(Chart: Network Performance vs. Increased Complexity/Cost; best-case performance falls as Firewall, Anti-Malware and IPS are chained in series)

Page 11

Technology sprawl and creep aren’t the answer

(Diagram: Internet, APT, Enterprise Network)

• “More stuff” doesn’t solve the problem

• Firewall “helpers” have limited view of traffic

• Complex and costly to buy and maintain

• Doesn’t address applications and new cyber threats

Page 12

UTM’s and blades aren’t the answer either

(Diagram: Internet, UTM or blades, Enterprise Network; the same four points as Page 11 apply)

Page 13

Multi-Step Scanning Ramifications

Policy decision #1 (firewall): allow port 80, i.e. open ports to allow the application

Policy decision #2 (app-control add-on): allow Facebook

• 300+ applications allowed* (*Based on Palo Alto Networks Application Usage and Risk Report)

• Facebook allowed… what about the other 299 apps?

Key difference | Ramifications
Two separate policies | More work: two policies = double the admin effort (data entry, management, etc.). Possible security holes: no policy reconciliation tools to find potential holes.
Two separate policy decisions | Weakens the firewall’s deny-all-else premise: applications are allowed by the port-based firewall decision.
Two separate log databases | Less visibility with more effort: informed policy decisions require more effort, which slows reaction time.
No concept of unknown traffic | Increased risk: unknown traffic is found on every network, low volume but high risk. More work, less flexible: significant effort to investigate, and limited ability to manage it once found.

Page 14

Tectonic shifts create the perfect storm

• Cloud + SaaS

• Mobile + BYOD

• Cloud + virtualization

• Social + consumerization

• Massive opportunity for cyber criminals

Page 15

All These Challenges! Where do I Start?

Page 16

Our fundamentally new approach to enterprise security

• App-ID: identify the application

• User-ID: identify the user

• Content-ID: scan the content

Page 17

Architectural Differences

Palo Alto Networks | Competitor Products
Operations: once per packet (App-ID, User-ID, Content-ID) | Several operations per packet introduce performance degradation
Parallel processing (single pass-through) | Serial processing (switching between modules)
Single policy including App-ID, User-ID and Content-ID | Multiple policies: firewall (ports), IPS, app-control, AV…
Single log entry for one session | Separate log entries for one session

Page 18

How do we reduce risk with this platform approach?

Achieve 100% visibility into network traffic (at speed)

0. Full visibility

1. Limit network traffic to business-relevant applications based on actual usage (App-ID)

2. Eliminate all types of known threats/vectors (AV, AS, IPS, URL)

3. Eliminate unknown threats (WildFire)

(Chart: risk level of today’s network falling through steps 0 to 3 under a single security policy)

“Safely enable is the new Block”

Page 19

Safely Enabling Applications, Users & Content

Applications: Safe enablement begins with application classification by App-ID

Users: Tying users and devices, regardless of location, to applications with User-ID

Content: Scanning content and protecting against all threats – both known and unknown; with Content-ID

Page 20

The Benefits of Classifying Traffic in the Firewall

Policy decision (firewall with App-ID): allow Facebook; everything else is denied

Key difference | Benefit
Single firewall policy | Less work, more secure: administrative effort is reduced; potential reconciliation holes eliminated.
Positive control model | Allow by policy, all else is denied. It’s a firewall.
Single log database | Less work, more visibility: policy decisions based on complete information.
Systematic management of unknowns | Less work, more secure: quickly identify high-risk traffic and systematically manage it.

Page 21

NGFW vs. Legacy Firewalls

App-ID firewall:

• Firewall rule: ALLOW SMTP

• SMTP = SMTP: allow

• Bittorrent ≠ SMTP: deny

• Visibility: Bittorrent detected and blocked

Legacy firewall:

• Firewall rule: ALLOW Port 25

• Packet on port 25: allow (SMTP and Bittorrent alike)

• Visibility: port 25 allowed

Page 22

NGFW vs. Legacy Firewall + App IPS

App-ID firewall:

• Firewall rule: ALLOW SMTP

• SMTP = SMTP: allow

• Bittorrent ≠ SMTP: deny

• Visibility: Bittorrent detected and blocked

Legacy firewall:

• Firewall rule: ALLOW Port 25

• Packet on port 25: allow (Bittorrent passes)

Legacy firewall + application IPS:

• Firewall rule: ALLOW Port 25; application IPS rule: Block Bittorrent

• Packet on port 25: allow; Bittorrent: deny

• Visibility: Bittorrent detected and blocked

Page 23

NGFW vs. Legacy Firewall + App IPS (continued)

App-ID firewall:

• Firewall rule: ALLOW SMTP

• SMTP = SMTP: allow

• SSH ≠ SMTP, Skype ≠ SMTP, Ultrasurf ≠ SMTP: deny

• Visibility: each app detected and blocked

Legacy firewall:

• Firewall rule: ALLOW Port 25

• Packet on port 25: allow (SSH, Skype, Ultrasurf all pass)

• Visibility: packets on port 25 allowed

Legacy firewall + application IPS:

• Firewall rule: ALLOW Port 25; application IPS rule: Block Bittorrent

• Bittorrent: deny; packet ≠ Bittorrent (SSH, Skype, Ultrasurf): allow

• Visibility: packets on port 25 allowed

Page 24

NGFW vs. Legacy Firewall + App IPS (continued)

App-ID firewall:

• Firewall rule: ALLOW SMTP

• SMTP = SMTP: allow

• Command & Control ≠ SMTP: deny

• Visibility: unknown traffic detected and blocked

Legacy firewall:

• Firewall rule: ALLOW Port 25

• Packet on port 25: allow (Bittorrent and C & C pass)

• Visibility: packet on port 25 allowed

Legacy firewall + application IPS:

• Firewall rule: ALLOW Port 25; application IPS rule: Block Bittorrent

• Bittorrent: deny; C & C ≠ Bittorrent: allow

• Visibility: packet on port 25 allowed
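The four slides above contrast three policy models on the same port: a port-only positive rule, a port rule with a negative application-IPS blocklist layered on top, and an application-based positive rule. The script below is an added example, not code from the deck or from Palo Alto Networks. It stands in for App-ID with a toy classifier keyed on the first bytes seen on the wire (the BitTorrent handshake, the SSH version string and the SMTP greeting are real protocol preambles); the flow names, the opaque command-and-control payload, the app names in the rules and the port numbers are constructed for the example.

```python
"""Port-based vs. application-based firewall policy, simulated.

Added example (not from the slide deck). A toy application identifier
classifies each flow from its first bytes on the wire rather than from
its port; three policy models are then evaluated over the same flows.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    name: str            # label used in the results (constructed)
    dst_port: int
    first_bytes: bytes   # first application-layer bytes seen on the wire


def identify_app(first_bytes: bytes) -> str:
    """Stand-in for App-ID: classify by protocol preamble, never by port."""
    if first_bytes.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"          # BitTorrent peer-wire handshake
    if first_bytes.startswith(b"SSH-2.0-"):
        return "ssh"                 # SSH version exchange
    if first_bytes.startswith(b"220 ") or first_bytes.startswith(b"EHLO "):
        return "smtp"                # SMTP server greeting / client hello
    return "unknown"                 # nothing matched, e.g. custom C2


def legacy_port_policy(flow: Flow, allowed_ports=frozenset({25})) -> str:
    """Legacy firewall: positive model on ports only (slide 'ALLOW Port 25')."""
    return "allow" if flow.dst_port in allowed_ports else "deny"


def legacy_port_plus_app_ips(flow: Flow, allowed_ports=frozenset({25}),
                             blocked_apps=frozenset({"bittorrent"})) -> str:
    """Legacy firewall plus an app-IPS blocklist: a negative model layered on
    the port decision, so anything not on the blocklist still gets through."""
    if flow.dst_port not in allowed_ports:
        return "deny"
    return "deny" if identify_app(flow.first_bytes) in blocked_apps else "allow"


def app_id_policy(flow: Flow, allowed_apps=frozenset({"smtp"})) -> str:
    """Application-based positive model (slide 'ALLOW SMTP'): only listed apps
    pass; unknown traffic is denied by default, whatever port it rides on."""
    return "allow" if identify_app(flow.first_bytes) in allowed_apps else "deny"


def evaluate(flows):
    """Return {flow name: {app, port-only, port+app-ips, app-id}}."""
    results = {}
    for f in flows:
        results[f.name] = {
            "app": identify_app(f.first_bytes),
            "port-only": legacy_port_policy(f),
            "port+app-ips": legacy_port_plus_app_ips(f),
            "app-id": app_id_policy(f),
        }
    return results


# Constructed sample flows, all on TCP/25 as in the slides.
SAMPLE_FLOWS = [
    Flow("smtp-on-25", 25, b"220 mx.example.test ESMTP ready\r\n"),
    Flow("bittorrent-on-25", 25,
         b"\x13BitTorrent protocol" + bytes(8) + bytes(20)),  # reserved + info hash
    Flow("ssh-on-25", 25, b"SSH-2.0-OpenSSH_9.6\r\n"),
    # Opaque custom beacon: no signature matches, so it is "unknown" traffic.
    Flow("c2-on-25", 25, b"\x00\x00\x00\x20" + bytes.fromhex("c0ffee") * 8),
]

if __name__ == "__main__":
    for name, r in evaluate(SAMPLE_FLOWS).items():
        print(f"{name:18} app={r['app']:10} port-only={r['port-only']:5} "
              f"port+app-ips={r['port+app-ips']:5} app-id={r['app-id']}")
```

Running it shows the point of the three slides in one table: the port-only rule allows all four flows, the blocklist stops BitTorrent but waves SSH and the unknown beacon through, and only the application-based positive rule denies everything that is not SMTP, including traffic it has never seen a signature for. The same positive rule also allows SMTP on a non-standard port, which the port rule cannot.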

Page 25

We safely enable the business and manage the risks

User | Safely enable | Prohibited use
Financial advisor | Post info to a prospect’s wall; chatting | Clicking on infected links
Marketing specialist | Exchange of Photoshop files with agencies | Downloading malware
HR recruiter | Communication with candidates | Exposing lists of employees and their salaries
Sales rep | Sharing opportunities with channel partner | Sharing customer lists externally

Page 26

Security Context from Integration

• Allowing 10.1.2.4 to 148.62.45.6 on port 80 does not provide context.

• Allowing Sales users on the corporate LAN to access Salesforce.com, while looking for threats and malware inside the decrypted SSL tunnel, and easily seeing that you have done so: that is context.

• Seeing that you had 10 tunneling apps, 15 IPS hits, and 4 visits to malware sites is not context.

• Seeing that Dave Smith visited a malware site, downloaded 0-day malware, and that his device is visiting other known malware sites and using tunneling apps: that is context.
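The slide's contrast between aggregate counts and a per-user story is a correlation problem. The script below is an added example, not code from the deck or from Palo Alto Networks: it reads constructed log lines (a made-up CSV layout, not a PAN-OS log format, with invented user names and addresses), produces the context-free totals first, then joins every event to the user and application behind it and flags users who show several independent indicators together. The list of apps treated as tunneling and the two-signal threshold are assumptions for the example.

```python
"""Aggregate counts vs. per-user correlation of security events.

Added example (not from the slide deck). The log layout, users, addresses
and events below are constructed for this example.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample log: one row per session or threat event.
SAMPLE_LOG = """\
time,user,src_ip,app,url_category,threat,verdict
2014-03-03T09:01:02,dsmith,10.1.2.4,web-browsing,malware,,
2014-03-03T09:01:09,dsmith,10.1.2.4,web-browsing,,file-download,malicious
2014-03-03T09:04:30,dsmith,10.1.2.4,web-browsing,malware,,
2014-03-03T09:05:11,dsmith,10.1.2.4,ultrasurf,,,
2014-03-03T09:06:40,dsmith,10.1.2.4,ssh,,,
2014-03-03T10:12:00,ajones,10.1.2.7,web-browsing,malware,,
2014-03-03T10:30:00,ajones,10.1.2.7,salesforce,business,,
2014-03-03T11:00:00,kpatel,10.1.3.9,ultrasurf,,,
"""

# Apps treated as tunneling/evasive in this example (assumed list).
TUNNELING_APPS = {"ultrasurf", "ssh", "tor", "hamachi"}


def parse_log(text):
    return list(csv.DictReader(StringIO(text)))


def aggregate_counts(rows):
    """The context-free view: three totals for the whole network."""
    return {
        "malware_site_visits": sum(r["url_category"] == "malware" for r in rows),
        "malicious_downloads": sum(r["verdict"] == "malicious" for r in rows),
        "tunneling_app_sessions": sum(r["app"] in TUNNELING_APPS for r in rows),
    }


def correlate_by_user(rows):
    """Join every event to the user (User-ID) and app (App-ID) behind it."""
    per_user = defaultdict(lambda: {"malware_site_visits": 0,
                                    "malicious_downloads": 0,
                                    "tunneling_apps": set(),
                                    "src_ips": set()})
    for r in rows:
        u = per_user[r["user"]]
        u["src_ips"].add(r["src_ip"])
        if r["url_category"] == "malware":
            u["malware_site_visits"] += 1
        if r["verdict"] == "malicious":
            u["malicious_downloads"] += 1
        if r["app"] in TUNNELING_APPS:
            u["tunneling_apps"].add(r["app"])
    return dict(per_user)


def flag_users(rows, min_signals=2):
    """Flag users showing at least min_signals distinct indicator types.

    One malware-site hit or one tunneling app is noise on most networks;
    the same user showing several together is the 'Dave Smith' pattern.
    """
    flagged = {}
    for user, u in correlate_by_user(rows).items():
        reasons = []
        if u["malicious_downloads"]:
            reasons.append(f"downloaded {u['malicious_downloads']} malicious file(s)")
        if u["malware_site_visits"]:
            reasons.append(f"visited malware sites {u['malware_site_visits']} time(s)")
        if u["tunneling_apps"]:
            reasons.append("used tunneling apps: " + ", ".join(sorted(u["tunneling_apps"])))
        if len(reasons) >= min_signals:
            flagged[user] = reasons
    return flagged


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("no context:", aggregate_counts(rows))
    for user, reasons in flag_users(rows).items():
        print(f"context: {user} -> " + "; ".join(reasons))
```

The totals (3 malware-site visits, 1 malicious download, 3 tunneling sessions) say nothing about where to start; the correlated view flags one user whose device visited malware sites twice, pulled a file with a malicious verdict and then opened two tunneling apps, while the two users with a single indicator each stay below the threshold. The join is only possible because each log row already carries the user and the identified application, which is the integration the slide is arguing for.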

Page 27

COMPROMISED CREDIT CARDS – APTs IN ACTION

• Recon on companies Target works with

• Spearphishing third-party HVAC contractor

• Breached Target network with stolen payment system credentials

• Moved laterally within Target network and installed POS malware

• Compromised internal server to collect customer data

• Maintain access

• Exfiltrated data to command-and-control servers over FTP

Page 28

Palo Alto Networks at a Glance

Company highlights

Founded in 2005; first customer shipment in 2007

Safely enabling applications

Addressing the entire $10B+ network security market

Enterprise leadership position & rapid customer growth

Experienced team of 1,900+ employees

Over 21,000 Enterprise customers

(Charts: Enterprise customers 4,700 (Jul-11), 9,000 (Jul-12), 13,500 (Jul-13); Revenues in $MM, FYE July: FY09 $13, FY10 $49, FY11 $119, FY12 $255, FY13 $396)

Page 29

Gartner -- Enterprise Firewall Magic Quadrant (December 2011 vs. February 2013)

• We pushed the competitors back

Page 30

Gartner -- Enterprise Firewall Magic Quadrant

Page 31

Next-generation enterprise security platform

Palo Alto Networks Threat Intelligence Cloud:

• Gathers potential threats from network and endpoints

• Analyzes and correlates threat intelligence

• Disseminates threat intelligence to network and endpoints

Palo Alto Networks Next-Generation Firewall:

• Inspects all traffic

• Blocks known threats

• Sends unknown to cloud

• Extensible to mobile & virtual networks

Palo Alto Networks Advanced Endpoint Protection:

• Inspects all processes and files

• Prevents both known & unknown exploits

• Integrates with cloud to prevent known & unknown malware

Page 32

Detect and Defend: Turning the Unknown into Known

Our unique approach makes us the only solution that…

• Scans ALL applications (including SSL traffic) to secure all avenues in/out of a network, reduce the attack surface area, and provide context for forensics

• Prevents attacks across ALL attack vectors (exploit, malware, DNS, command & control, and URL) with content-based signatures

• Detects zero-day malware & exploits using public/private cloud and automatically creates signatures to defend our global customer base

(Cycle: identify & control all applications; prevent known threats; detect unknown threats; rapid, global sharing)

Page 33

We have pioneered the next generation of security

• Legacy (mid 1990’s – today): allow or block some apps; detect some malware

• Next generation (today+): safely enable all applications; prevent all cyber threats

Page 34

Palo Alto Networks Next Generation Firewall

1. Identify applications regardless of port, protocol, evasive tactic or SSL

2. Identify and control users regardless of IP address, location, or device

3. Protect against known and unknown application-borne threats

4. Fine-grained visibility and policy control over application access / functionality

5. Multi-gigabit, low latency, in-line deployment

Page 35

Covering the entire enterprise

Network location: Data center/cloud, Enterprise perimeter, Distributed/BYOD, Endpoint

Use cases: Next-Generation Firewall; Cybersecurity: IDS / IPS / APT; Web gateway; VPN

Next-generation appliances:

• Physical: PA-200, PA-500, PA-2000 Series, PA-3000 Series, PA-4000 Series, PA-5000 Series, PA-7050

• WildFire: WF-500

• Virtual: VM-Series & VM-Series-HV for NSX

Subscriptions: URL Filtering, GlobalProtect™, WildFire™, Threat Prevention

Endpoint: Traps

Management system: Panorama, M-100 appliance, GP-100 appliance

Operating system: PAN-OS™

Jennifer Jasper-Smith
Page 36

Our core value proposition

An enterprise security platform that safely enables all applications through granular use control and prevention of known and unknown cyber threats for all users on any device across any network.

Superior security with superior TCO

Page 37

Thank You