Cyber Threats: Industry Trends and Actionable Advice
Presented by: Elton Fontaine, Palo Alto Networks

Modern Malware
Elton Fontaine: CCIE, CNSE
SE Manager – West Territory, Palo Alto Networks

What Are We Seeing
Key Facts and Figures - Americas
• 2,200+ networks analyzed
• 1,600 applications detected
• 31 petabytes of bandwidth
• 4,600+ unique threats
• Billions of threat logs
4 | ©2014 Palo Alto Networks. Confidential and Proprietary.

Common Sharing Applications Are Heavily Used
• Application variants: how many video and filesharing applications are needed to run the business?
• Bandwidth consumed: 20% of all bandwidth is consumed by filesharing and video alone
Source: Palo Alto Networks, Application Usage and Threat Report. May 2014.

High in Threat Delivery; Low in Activity
• 11% of all threats observed are code execution exploits within common sharing applications
• Most commonly used applications: email (SMTP, Outlook Web, Yahoo! Mail), social media (Facebook, Twitter) and file-sharing (FTP)
Source: Palo Alto Networks, Application Usage and Threat Report. May 2014.

Low Activity: Effective Security or Something Else?
• Code execution exploits seen in SMTP, POP3, IMAP and web browsing
• Smoke.loader botnet controller, observed over SMTP, IMAP, POP3, web browsing, Twitter and Facebook:
  • Delivers and manages payload
  • Steals passwords
  • Encrypts payload
  • Posts to URLs
  • Anonymizes identity

Malware Activity Hiding in Plain Sight: UDP
Blackhole Exploit Kit → endpoint controlled → Bitcoin mining, SPAM, click fraud
ZeroAccess delivered $$$:
• Distributed computing = resilience
• High number of UDP ports masks its use
• Multiple techniques to evade detection
• Robs your network of processing power

Unknown UDP Hides Significant Threat Activity
• 1 application = 96% of all malware logs
• ZeroAccess.Gen command and control traffic represents nearly all malware activity
Source: Palo Alto Networks, Application Usage and Threat Report. May 2014.

Business Applications = Heaviest Exploit Activity
• 90% of the exploit activity was found in 10 applications
• Primary source: brute force attacks
Source: Palo Alto Networks, Application Usage and Threat Report. May 2014.

Target Data Breach – APTs in Action
1. Recon on companies Target works with
2. Spearphishing of a third-party HVAC contractor
3. Breached the Target network with the stolen contractor credentials
4. Moved laterally within the Target network and installed POS malware
5. Maintained access
6. Compromised an internal server to collect customer data
7. Exfiltrated data to command-and-control servers over FTP

Best Practices: Security from Policy to Application
• What assumptions drive your security policy?
• Does your current security implementation adequately reflect that policy?
• Does your current security implementation provide the visibility and insight needed to shape your policy?
Cycle: Assumptions → Policy → Implementation → Visibility & Insight → (revised) Assumptions

Security Perimeter Paradigm
Organized attackers against the enterprise: Infection → Command and Control → Escalation → Exfiltration
Is there malware inside your network today?
Applications provide the exfiltration path for:
• Threat communication
• Confidential data

Application Visibility
• Reduce the attack surface
• Identify applications that circumvent security policy
• Full traffic visibility that provides insight to drive policy
• Identify and inspect unknown traffic

Identify All Users
• Do NOT trust; always verify all access
• Base security policy on users and their roles, not IP addresses
• For groups of users, tie access to specific groups of applications
• Limit the amount of exfiltration via network segmentation

SSL/Port 443: The Universal Firewall Bypass
Tools and malware families observed tunnelling over tcp/443: Gozi, Freegate, Rustock, Citadel, TDL-4, Aurora, Ramnit, Poison Ivy, APT1
Challenge: is SSL used to protect data and privacy, or to mask malicious actions?

Evolution of Network Segmentation and Datacenter Security
• Layer 1-4 stateful firewall: packet filtering, ACLs, IP/port-based firewalling. Adequate for known traffic?
• Layer 7 "next generation" appliance: port-hopping applications, malware, mobile users. Different entry points into the DC?
• Platform solution

Modern Attacks Are Coordinated
1. Bait the end-user: the end-user is lured to a dangerous application or website containing malicious content
2. Exploit: infected content exploits the end-user, often without their knowledge
3. Download backdoor: a secondary payload is downloaded in the background; malware is installed
4. Establish back-channel: the malware establishes an outbound connection to the attacker for ongoing control
5. Explore and steal: the remote attacker has control inside the network and escalates the attack

An Integrated Approach to Threat Prevention (Coordinated Threat Prevention)
Threat-prevention controls mapped against the five stages above:
• App-ID: block high-risk apps (bait stage, reduce the attack surface); block C&C on non-standard ports (back-channel stage)
• URL filtering: block known malware sites and fast-flux domains; prevent drive-by downloads
• IPS: block the exploit
• Anti-spyware: block spyware and C&C traffic
• AV and file blocking: block malware
• WildFire: detect unknown malware; block new C&C traffic
Coordinated intelligence to detect and block active attacks based on signatures, sources and behaviors; adapt to day-0 threats.

Threat Intelligence Sources
WildFire intelligence flows from users, cloud and on-prem sensors back into the controls at the following update cadences:
  WildFire signatures      ~30 minutes
  AV signatures            daily
  DNS signatures           daily
  Malware URL filtering    constant
  Anti-C&C signatures      1 week
Contextual awareness ties the feeds together.
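The "Unknown UDP Hides Significant Threat Activity" slide above says almost all malware logs came from one application, ZeroAccess.Gen C&C hiding among unknown UDP. The following is an added example (not from the deck and not Palo Alto Networks code) of one way to surface that pattern from flow logs: a peer-to-peer bot talks to many distinct external peers over high UDP ports with small datagrams, while legitimate UDP (DNS, NTP, a video session) goes to a handful of servers or moves large payloads. The flow records and their field layout are constructed for the example; the thresholds are assumptions to tune against your own baseline.

```python
"""Flag internal hosts whose 'unknown-udp' traffic fans out to many external
peers with small payloads (a P2P command-and-control pattern).

Added example; the flow format (src,dst,proto,dport,bytes,app) is assumed and
is not any vendor's native log layout.  All sample flows are constructed.
"""
import ipaddress
from collections import defaultdict

# RFC 1918 ranges; anything outside them counts as an external peer.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: 10.1.1.5 does DNS/NTP, 10.1.1.9 streams large
# datagrams to three peers, 10.1.1.42 shows the small-datagram fan-out.
# The high port numbers are arbitrary, not a claim about any malware family.
SAMPLE_FLOWS = """\
10.1.1.5,8.8.8.8,udp,53,72,dns
10.1.1.5,8.8.4.4,udp,53,70,dns
10.1.1.5,17.253.4.125,udp,123,48,ntp
10.1.1.9,93.184.216.10,udp,40000,1200,unknown-udp
10.1.1.9,93.184.216.11,udp,40000,1180,unknown-udp
10.1.1.9,93.184.216.12,udp,40000,1210,unknown-udp
10.1.1.42,198.51.100.7,udp,16464,96,unknown-udp
10.1.1.42,203.0.113.21,udp,21810,104,unknown-udp
10.1.1.42,192.0.2.9,udp,33351,88,unknown-udp
10.1.1.42,198.51.100.80,udp,41423,112,unknown-udp
10.1.1.42,203.0.113.5,udp,50120,96,unknown-udp
10.1.1.42,192.0.2.200,udp,60018,100,unknown-udp
10.1.1.42,10.1.1.1,udp,53,64,dns
"""


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Yield one dict per non-empty, non-comment flow line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport, nbytes, app = line.split(",")
        yield {"src": src, "dst": dst, "proto": proto,
               "dport": int(dport), "bytes": int(nbytes), "app": app}


def flag_p2p_udp_hosts(flow_text, min_peers=5, max_avg_bytes=200, min_port=1024):
    """Return {src: {'peers': n, 'avg_bytes': x}} for hosts whose unknown-udp
    traffic reaches at least min_peers distinct external peers on ports >=
    min_port with an average datagram size <= max_avg_bytes."""
    peers = defaultdict(set)
    total_bytes = defaultdict(int)
    count = defaultdict(int)
    for f in parse_flows(flow_text):
        if f["proto"] != "udp" or f["app"] != "unknown-udp":
            continue                       # classified apps are handled by policy
        if f["dport"] < min_port or not is_external(f["dst"]):
            continue                       # well-known ports / internal peers
        peers[f["src"]].add(f["dst"])
        total_bytes[f["src"]] += f["bytes"]
        count[f["src"]] += 1
    flagged = {}
    for src, peer_set in peers.items():
        avg = total_bytes[src] / count[src]
        if len(peer_set) >= min_peers and avg <= max_avg_bytes:
            flagged[src] = {"peers": len(peer_set), "avg_bytes": round(avg, 1)}
    return flagged


if __name__ == "__main__":
    for host, info in flag_p2p_udp_hosts(SAMPLE_FLOWS).items():
        print(f"{host}: {info['peers']} external peers, avg {info['avg_bytes']} bytes")
```

The three filters do the work: the app label confines the check to traffic the firewall could not classify, the port floor drops DNS/NTP-style services, and the peer count separates a fan-out bot from a host with one or two unclassified sessions. The video streamer in the sample is excluded by both its peer count and its datagram size.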
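The "Business Applications = Heaviest Exploit Activity" slide above attributes most of that activity to brute force. As an added example (not part of the deck), the block below runs a sliding-window failed-login detector over authentication log lines and also records whether the burst was followed by a successful login from the same source, which is the case worth paging someone for. The log format, the sample lines, and the threshold/window values are all constructed assumptions for the example.

```python
"""Sliding-window brute-force detection over authentication logs.

Added example; the line format
    <ISO timestamp> app=<name> src=<ip> user=<name> result=fail|success
is assumed for the example and is not any product's native format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"(\S+) app=(\S+) src=(\S+) user=(\S+) result=(\S+)")

# Constructed sample: 198.51.100.4 fails five times but five minutes apart,
# 203.0.113.9 cycles through users every few seconds and then gets in as
# 'bob', 10.1.1.5 is a user who mistyped twice.
SAMPLE_LOG = """\
2014-05-01T09:00:00 app=owa src=198.51.100.4 user=admin result=fail
2014-05-01T09:05:00 app=owa src=198.51.100.4 user=admin result=fail
2014-05-01T09:10:00 app=owa src=198.51.100.4 user=admin result=fail
2014-05-01T09:15:00 app=owa src=198.51.100.4 user=admin result=fail
2014-05-01T09:20:00 app=owa src=198.51.100.4 user=admin result=fail
2014-05-01T10:00:01 app=owa src=203.0.113.9 user=alice result=fail
2014-05-01T10:00:05 app=owa src=203.0.113.9 user=bob result=fail
2014-05-01T10:00:09 app=owa src=203.0.113.9 user=carol result=fail
2014-05-01T10:00:13 app=owa src=203.0.113.9 user=dave result=fail
2014-05-01T10:00:17 app=owa src=203.0.113.9 user=erin result=fail
2014-05-01T10:00:21 app=owa src=203.0.113.9 user=bob result=fail
2014-05-01T10:00:25 app=owa src=203.0.113.9 user=bob result=success
2014-05-01T10:01:00 app=owa src=10.1.1.5 user=alice result=fail
2014-05-01T10:01:30 app=owa src=10.1.1.5 user=alice result=fail
2014-05-01T10:01:45 app=owa src=10.1.1.5 user=alice result=success
"""


def parse_events(lines):
    """Yield parsed events; lines that do not match the format are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, app, src, user, result = m.groups()
        yield {"ts": datetime.fromisoformat(ts), "app": app,
               "src": src, "user": user, "result": result}


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Alert on (src, app) pairs with >= threshold failures inside a sliding
    window, and note a success that lands while the burst is still in window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)        # (src, app) -> timestamps of recent failures
    alerts = {}
    for ev in sorted(parse_events(lines), key=lambda e: e["ts"]):
        key = (ev["src"], ev["app"])
        q = recent[key]
        while q and ev["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if ev["result"] == "fail":
            q.append(ev["ts"])
            if len(q) >= threshold:
                alert = alerts.setdefault(key, {
                    "src": ev["src"], "app": ev["app"], "first_failure": q[0],
                    "failures": 0, "followed_by_success": False, "success_user": None})
                alert["failures"] = max(alert["failures"], len(q))
                alert["last_failure"] = ev["ts"]
        elif ev["result"] == "success" and key in alerts and q:
            # success while failures are still inside the window: likely a hit
            alerts[key]["followed_by_success"] = True
            alerts[key]["success_user"] = ev["user"]
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{a['src']} -> {a['app']}: {a['failures']} failures from "
              f"{a['first_failure']}, success as {a['success_user']}: {a['followed_by_success']}")
```

Keying on (source, application) rather than (source, user) is what catches the sample's password-spray style burst, where each attempt uses a different account; the slow attacker at 198.51.100.4 stays under the window and would need a longer-window or per-account rule, which is the usual reason to run two thresholds side by side.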
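The "SSL/Port 443: The Universal Firewall Bypass" slide above asks whether what is on 443 is protecting privacy or masking malicious activity. The cheapest first check, before any decryption policy, is whether the session even starts with a TLS ClientHello and what server name it claims. The block below is an added example (not from the deck, not a Palo Alto Networks implementation): a minimal ClientHello parser that pulls out the SNI, plus a small builder that only exists to construct test payloads, and a triage routine over constructed sample payloads. It treats anything on 443 that is not a well-formed ClientHello, and any ClientHello without SNI, as worth a look; the verdict strings are this example's own.

```python
"""Classify the first client bytes of a tcp/443 session: TLS ClientHello
with SNI, ClientHello without SNI, or not TLS at all.

Added example.  build_client_hello() emits a minimal TLS 1.2-style record for
test input only; parse_client_hello() is a deliberately small parser that
reports {'tls': False} on anything malformed or truncated.
"""


def build_client_hello(server_name=None):
    """Construct a minimal ClientHello record (test fixture, not a real client)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"        # version, random, empty session id
    body += b"\x00\x02\xc0\x2f"                       # cipher_suites: one suite
    body += b"\x01\x00"                               # compression_methods: null
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + len(name).to_bytes(2, "big") + name       # host_name entry
        ext_data = len(entry).to_bytes(2, "big") + entry             # server_name_list
        exts += b"\x00\x00" + len(ext_data).to_bytes(2, "big") + ext_data
    body += len(exts).to_bytes(2, "big") + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # type ClientHello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def parse_client_hello(data):
    """Return {'tls': bool, 'sni': str|None}. 'tls' is True only for a
    well-formed, complete ClientHello record."""
    try:
        if data[0] != 0x16 or data[1] != 0x03:       # record type handshake, TLS major
            return {"tls": False, "sni": None}
        rec_len = int.from_bytes(data[3:5], "big")
        hs = data[5:5 + rec_len]
        if (len(hs) < 4 or hs[0] != 0x01
                or int.from_bytes(hs[1:4], "big") != len(hs) - 4):
            return {"tls": False, "sni": None}
        p = 4 + 2 + 32                                # header, version, random
        p += 1 + hs[p]                                # session id
        p += 2 + int.from_bytes(hs[p:p + 2], "big")   # cipher suites
        p += 1 + hs[p]                                # compression methods
        sni = None
        if p + 2 <= len(hs):                          # extensions are optional
            end = p + 2 + int.from_bytes(hs[p:p + 2], "big")
            p += 2
            while p + 4 <= end:
                etype = int.from_bytes(hs[p:p + 2], "big")
                elen = int.from_bytes(hs[p + 2:p + 4], "big")
                p += 4
                if etype == 0:                        # server_name extension
                    q = p + 2                         # skip server_name_list length
                    while q + 3 <= p + elen:
                        ntype = hs[q]
                        nlen = int.from_bytes(hs[q + 1:q + 3], "big")
                        q += 3
                        if ntype == 0:                # host_name
                            sni = hs[q:q + nlen].decode("ascii")
                            break
                        q += nlen
                p += elen
        return {"tls": True, "sni": sni}
    except (IndexError, UnicodeDecodeError):
        return {"tls": False, "sni": None}


# Constructed sample payloads as they might be captured from port 443.
SAMPLE_PAYLOADS = {
    "browser": build_client_hello("www.example.com"),
    "no_sni": build_client_hello(None),
    "plain_http": b"GET /gate.php HTTP/1.1\r\nHost: 203.0.113.5\r\n\r\n",
    "binary_blob": bytes.fromhex("deadbeef0000000100000000"),
}


def triage_443(payloads):
    """Map each payload label to a verdict string for follow-up."""
    verdicts = {}
    for label, data in payloads.items():
        info = parse_client_hello(data)
        if not info["tls"]:
            verdicts[label] = "not TLS on 443: investigate"
        elif info["sni"] is None:
            verdicts[label] = "TLS without SNI: investigate"
        else:
            verdicts[label] = f"TLS to {info['sni']}"
    return verdicts


if __name__ == "__main__":
    for label, verdict in triage_443(SAMPLE_PAYLOADS).items():
        print(f"{label}: {verdict}")
```

An absent SNI is only a lead, not a verdict: older clients and some non-browser software omit it, and a bot can set any name it likes. The parser's value is the opposite direction, catching custom protocols and plain HTTP that a port-based "SSL" rule would have waved through.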