NextGen FW and Malware – Ajay Aggarwal

Report
Practical Use of the Next-Generation Firewall: Controlling Modern Malware and Threats
About Palo Alto Networks
• Palo Alto Networks is the Network Security Company
• World-class team with strong security and networking experience
  - Founded in 2005, first customer July 2007
  - Top-tier investors
• Builds next-generation firewalls that identify / control 1200+ applications
  - Restores the firewall as the core of the enterprise network security infrastructure
  - Innovations: App-ID™, User-ID™, Content-ID™
• Global footprint: 4,500+ customers in 70+ countries, 24/7 support
Agenda
1. Brief review of modern malware and threats
2. Introduction to how the next-generation firewall can help
3. Steps and best practices you can take today
The State of Intrusions Today
• Advanced Malware and Intrusions Are Here Today
  - Steady stream of high-profile, sophisticated breaches and intrusions
  - All types of enterprises and information are being targeted
    - Intellectual property – RSA
    - Customer information – Epsilon
    - Information to enable further attacks
    - Business partners – Comodo
    - Political/hacktivism – US Senate
• Breaches are not limited to financial information: if it is valuable to you, it is likely valuable to someone else
What Has Changed / What is the Same
• The attacker changed
  - Nation-states
  - Criminal organizations
  - Political groups
• Attack strategy evolved
  - Patient, multi-step process
  - Compromise user, then expand
• Attack techniques evolved
  - New ways of delivering malware
  - Hiding malware communications
  - Signature avoidance
The Sky is Not Falling
• Not new, just more common
• Solutions exist
• Don’t fall into “the APT ate my homework” trap
Strategy: Patient Multi-Step Intrusions
[Diagram: Organized Crime, Nation-States and Hacktivists target The Enterprise through the stages Infection, Command and Control, Escalation and Exfiltration]
Opportunities for Security
Threats need your network to function
Multiple chances to detect and correlate
Expand security beyond the perimeter
Recognize the Modern Threat Shell Game
In the physical world:
• The mark is lured into trying to follow the pea, when the real game is about sleight of hand.
How it applies to threats:
• Our old habits make us think of malware as the pea (an executable payload, probably carried in an email).
• In reality, modern malware relies on sleight of hand – how to infect, persist and communicate without being detected.
Multi-Step Intrusions
[Diagram: Organized Crime and Hacktivists target The Enterprise through the stages Infection, Command and Control, Escalation and Exfiltration]
Convergence of Malware and Network Security
• To understand network attacks, you must understand malware
  - Provides a persistent control point inside the network
  - Malware is the hacker’s application
• To understand modern malware, you must understand the network
  - Ongoing control of the attack
  - Escalates the attack
  - Update and change functions
[Diagram: the same intrusion stages, Infection, Command and Control, Escalation and Exfiltration]
The Lifecycle of Modern Malware
Infection
• Social engineering
• Drive-by-Downloads
• Obscured traffic
• Unknown malware
Persistence
• Rootkit/Bootkits
• Inject into the OS
• Disable endpoint security
• Backdoors
Communication
• Encryption
• Proxies
• Tunneling
• Non-standard ports
Command & Control
• Social applications and P2P
• Update configuration
• Download new exe
The Threat Lifecycle
[Diagram of the threat lifecycle, grouped by phase]
Infection: Phishing (Social); Remote Exploit (Shell Access); Malware Delivery (Drive-by)
Persistence: Rootkits (Infect MBR); Backdoor (Poison Ivy); Anti-AV
Communication: Encryption (SSL, SSH, Custom); Common Apps (Social media, P2P); Hide Transmission (SSL, IM); Proxies, RDP, Application Tunnels; Port Evasions (tunnel over open ports); Fast Flux (Dynamic DNS)
Command & Control: Update Configuration Files; EXE Updates; Backdoors and Proxies
Key Observations
1. Communications are the life-blood of an attack
  - Modern threats are networked threats
  - Virtually every phase involves methods to hide and evade from security
2. Extensible framework
  - If you can infect, persist, communicate and manage, then the threat functionality can be almost anything
  - Begin to think of threats as a framework, not the functionality of the payload
3. Threats exist across multiple disciplines
  - Applications – can hide and enable threats
  - URLs and websites – can host and enable threats
  - Exploits – create shell access to the target
  - Malware – controls and uses the compromised target
  - Files – used to update malware and steal data
The Value of the Next-Generation Firewall
1. Ensures visibility and control of all traffic
  - Non-standard use of ports
  - Tunneling within protocols
  - Tunneling within SSL
  - Remote desktop, SSH
  - Anonymizers, proxies, personal VPNs, encrypted tunnels, etc.
2. Integrated approach to threat prevention
  - Blocks risky applications or application features
  - IPS and vulnerability protection
  - Anti-malware
  - File and content control
  - Behavioral analysis of unknown threats
What Palo Alto Networks Brings to the Fight
Visibility and Control: what is the traffic and should it be allowed?
[Diagram: App-ID classifies each flow regardless of port, protocol or evasion, e.g. SSL decrypted based on policy, HTTP tunnel decoded, Skype identified by signature, file transfer BLOCKED]
All Palo Alto Networks security begins with an integrated full-stack analysis of all traffic regardless of port, protocol or evasion
• Always the 1st task performed
• All traffic, all ports
• Always on
© 2010 Palo Alto Networks. Proprietary and Confidential.
The Palo Alto Networks Next-Generation Firewall
Visibility and Control: what is the traffic and should it be allowed?
Integrated Threat Prevention: stop threats within allowed traffic
[Diagram: App-ID (SSL, HTTP tunnel, Skype, file transfer) feeding Threat Prevention]
• IPS / Anti-Malware: proven 93.4% block rate and performance; millions of samples, 50k analyzed per day
• URL Filtering: malware sites, unknown and newly registered sites
• Content: control file types, downloads, specific content
• Behavioral Analysis
• Always the 1st task performed
• All traffic, all ports
• Always on
Single unified engine (single-pass)
Always in application and user context
Independent of port or evasion
Example: TDL-4*
• TDL-4
  - Extension of earlier malware, a.k.a. Alureon, TDSS, TDL
  - Named “the indestructible botnet” due to its ability to protect itself from takedowns/takeovers
Infection
• Any (outsourced to affiliates)
• Drive-by-Downloads easily the most common
Persistence
• Infects MBR
• 32/64 bit rootkits
Communication
• Proprietary encryption
• Tunneled within SSL
• Sells proxy as a service
Command & Control
• Kad P2P network
• C&C servers
• Proxy through infected hosts
20+ programs used: malicious apps, Fake AV, spam, adware, etc.
*Derived from analysis by Kaspersky Labs
Protecting Against TDL-4
• Indestructible does not mean indefensible
• How to use Palo Alto Networks to control TDL-4
  - Prevent Infection
    - Drive-by download protection
    - Block risky sites
    - Decrypt social networking
  - Prevent Communications
    - Decrypt SSL to unknown sites
    - Block unknown or proprietary encryption
    - Limit proxies to select proxies and approved users
  - Disrupt Command and Control
    - Block Kad usage
Best Practices
NGFW Best Practices
1. Reduce your exposure
2. Ensure visibility into traffic
3. Lock down use of commonly open ports
4. Prevent infections
5. Implement full protection from known threats
6. Analyze events in context
7. Investigate the unknowns
1 - Reduce the Exposure
• Block Unneeded and High-Risk Applications
  - Block (or limit) peer-to-peer applications
  - Block unneeded applications that can tunnel other applications
  - Review the need for applications known to be used by malware
  - Block anonymizers such as Tor
  - Block encrypted tunnel applications such as UltraSurf
  - Limit use to approved proxies
  - Limit use of remote desktop
2 - Ensure Visibility into All Traffic
• Classify all traffic on all ports
  - Check protocol decoders
  - This is core to a NGFW’s job, but most don’t do it
• Expand visibility beyond the perimeter
  - Inside the network – remember that much of a modern intrusion happens inside the network
  - Outside the network – deliver the same application control and threat prevention outside as inside
[Diagram: a firewall classifying IM, HTTP, Telnet, SSH and FTP traffic across ports 22, 21, 23, 80 and 531]
2b - Ensure Visibility – Control SSL
• Applications and sites are moving to SSL by default
  - Facebook, Google, etc.
  - 36% of applications by bandwidth
• Establish SSL Decryption Policies
  - Decrypt policies
    - Social networking, webmail, IM, message boards, micro-blogging, gaming sites
  - Do not decrypt policies
    - Health care sites and applications
    - Financial sites and applications
    - Secure channels
3 - Lock Down Use of Commonly Open Ports
• Botnets and malware regularly communicate on ports that are open by default
  - DNS (port 53) is a favorite
• The next-generation firewall lets you set a policy that only DNS traffic is allowed on port 53 and everything else on that port is blocked
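As an added example (not from the presentation), the script below puts a port-only rule for port 53 beside an App-ID-style rule and lists the sessions that only the application-aware policy stops. The session records, rule format and application names are constructed for illustration.

```python
# Added example (not from the presentation): a port-only rule beside an App-ID-style
# rule for port 53, as best practice 3 describes. Session records, rule format and
# application names are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Session:
    src: str
    dst: str
    dport: int
    app: str  # application identified from traffic content, e.g. "dns", "unknown-udp"

@dataclass(frozen=True)
class Rule:
    name: str
    dport: Optional[int]  # None matches any port
    app: Optional[str]    # None matches any application
    action: str           # "allow" or "deny"

# Legacy port-based policy: whatever uses port 53 is assumed to be DNS.
PORT_POLICY = [Rule("allow-53", 53, None, "allow"),
               Rule("default-deny", None, None, "deny")]
# NGFW policy: only traffic identified as DNS may use port 53; anything else on 53 is denied.
APP_POLICY = [Rule("allow-dns-on-53", 53, "dns", "allow"),
              Rule("deny-other-on-53", 53, None, "deny"),
              Rule("default-deny", None, None, "deny")]
# Constructed sessions: two of them carry non-DNS traffic over port 53.
SESSIONS = [
    Session("10.0.0.5", "192.0.2.53", 53, "dns"),
    Session("10.0.0.7", "203.0.113.9", 53, "unknown-tcp"),
    Session("10.0.0.8", "203.0.113.9", 53, "unknown-udp"),
    Session("10.0.0.9", "198.51.100.4", 443, "ssl"),
]

def first_match(policy: List[Rule], s: Session) -> Rule:
    """Rules are ordered: the first rule whose port and app constraints match wins."""
    for r in policy:
        if (r.dport is None or r.dport == s.dport) and (r.app is None or r.app == s.app):
            return r
    return policy[-1]

def port53_gaps(sessions: List[Session]) -> List[Tuple[str, str]]:
    """Sessions the port-only policy allows but the App-ID policy denies, i.e. the
    non-DNS traffic on port 53 that best practice 3 says to block."""
    return [(s.src, s.app) for s in sessions
            if first_match(PORT_POLICY, s).action == "allow"
            and first_match(APP_POLICY, s).action == "deny"]
```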
4 - Prevent Infections
• Drive-by-Download Protection
  - Detects downloads in the background even following an unknown exploit
  - Host browser and OS will not report it
  - Train users
[Diagram: user visits infected webpage; crafted image exploits vulnerability on client]
5 - Block Known Exploits and Malware
• Known Threats are Still the Majority of Threats Today
  - Malware and exploit kits are increasingly popular
  - Vulnerability-facing signatures detect common variants
• Full Protection With Performance
  - Palo Alto Networks has shown the ability to meet datasheet speeds with all signatures enabled
  - Common engine and signature format processes traffic to detect all threats
“Through 2015, over 90% of malware and exploits will continue to be known threats” - Gartner
6 - Evaluate Events in Context
• Develop Context-Based Visibility
  - Applications, Patterns, Sources and Behaviors
• Correlate by User and Application
  - Known malware
  - Known exploits
  - Phone-home detection
  - Download history
  - Exploits
  - URL categories
• Treat unknowns as significant
7 - Aggressively Investigate the Unknowns
• NGFW classifies all known traffic
  - Custom App-IDs for internal or custom developed applications
• Any remaining “unknown” traffic can be tracked and investigated
  - Used in the field to find botnets and unknown threats
• Behavioral Botnet Report
  - Automatically correlates end-user behavior to find clients that are likely infected by a bot
  - Unknown TCP and UDP, Dynamic DNS, repeated file downloads/attempts, contact with recently registered domains, etc.
[Screenshot: Behavioral Botnet Report listing source hosts and users that are potentially compromised by a bot]
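As an added example (not from the presentation or the product), the script below shows the kind of correlation best practice 7 describes: it runs over constructed traffic records, combines the indicators named on the slide (unknown TCP/UDP, dynamic DNS, repeated downloads, recently registered domains) per source host, and reports the hosts and users with the highest scores. The record layout, User-ID mapping, indicator weights and download threshold are assumptions for illustration.

```python
# Added example (not from the presentation): a small version of the correlation that
# best practice 7 describes, run over constructed traffic records. Field layout,
# indicator weights and the download threshold are assumptions for illustration.
from collections import defaultdict

# Constructed records: (source host, application, URL category, destination domain, file downloaded?)
RECORDS = [
    ("10.1.1.101", "unknown-tcp", "unknown", "a.example.net", False),
    ("10.1.1.101", "web-browsing", "dynamic-dns", "x.dyn.example.org", True),
    ("10.1.1.101", "web-browsing", "dynamic-dns", "x.dyn.example.org", True),
    ("10.1.1.101", "web-browsing", "dynamic-dns", "x.dyn.example.org", True),
    ("10.1.1.101", "unknown-udp", "unknown", "b.example.net", False),
    ("10.1.1.56", "web-browsing", "business", "intranet.example.com", True),
    ("10.1.1.56", "ssl", "social-networking", "social.example.com", False),
    ("10.0.0.24", "web-browsing", "newly-registered", "fresh.example", False),
]
# Constructed User-ID mapping, so findings are reported per user as well as per host.
USER_ID = {"10.1.1.101": "jeff.martin", "10.1.1.56": "ana.lopez"}
# Constructed: domains registered within the lookback window (a real report would use registration data).
RECENTLY_REGISTERED = {"fresh.example", "a.example.net"}

WEIGHTS = {"unknown-app": 2, "dynamic-dns": 3, "repeated-downloads": 2, "new-domain": 3}
DOWNLOAD_THRESHOLD = 3  # downloads from one host before "repeated downloads" is flagged

def botnet_report(records, user_id=USER_ID, recent=RECENTLY_REGISTERED):
    """Return [(host, user, score, sorted indicators)] for hosts showing at least one
    indicator, highest score first. Hosts with no indicator are omitted."""
    downloads = defaultdict(int)
    indicators = defaultdict(set)
    for host, app, category, domain, downloaded in records:
        if app.startswith("unknown-"):          # unknown TCP/UDP: unclassified traffic
            indicators[host].add("unknown-app")
        if category == "dynamic-dns":
            indicators[host].add("dynamic-dns")
        if category == "newly-registered" or domain in recent:
            indicators[host].add("new-domain")
        if downloaded:
            downloads[host] += 1
    for host, count in downloads.items():
        if count >= DOWNLOAD_THRESHOLD:
            indicators[host].add("repeated-downloads")
    report = [(host, user_id.get(host, "unknown"), sum(WEIGHTS[i] for i in inds), sorted(inds))
              for host, inds in indicators.items()]
    return sorted(report, key=lambda row: (-row[2], row[0]))
```

A single indicator is weak evidence on its own; the value of the report is that several of them stacking on one host (and one user) is what makes a client worth investigating first.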
Summary
App-ID™: reduce the attack surface and remove the ability to hide
• All traffic, all ports, all the time
• Application signatures
• Heuristics
• Unknown traffic
• SSL decryption of high-risk sites
Threat Prevention: prevents known threats (90% of threats through 2015, per Gartner)
• Block threats on all ports
• 93.4% block rate of known exploits
• 5M+ malware samples
URL Filtering: block known sources of threats; be wary of unclassified and new domains
• Malware hosting URLs
• Dynamic DNS, fast flux
• Recently registered domains
Behavioral Analysis: detects pre-existing or unknown threats
• Download patterns
• Behaviors, sources, patterns
Questions
Recognize the Modern Malware Shell Game
Modern malware is largely defined by how it addresses 4 key problems:
• Infect – How does the malware infect the target without triggering traditional AV and anti-malware?
• Persist – How does the malware persist on the infected host and avoid removal?
• Communicate – How does the malware securely communicate without being detected?
• Manage – How does the malware establish effective command and control without exposing itself to take-over?
If malware can survive on the host, communicate securely and update itself, then the payload can be virtually anything.
Recognize the Modern Malware Shell Game
Modern malware is largely defined by how it addresses 4 key problems:
• Infect – Drive-by Download
  - Attack begins with a remote exploit
  - Malware is downloaded in the background following the successful exploit
• Persist – Root kits, back doors, Anti-AV
  - Infection of master boot record
  - Process injection, etc.
  - Customized and polymorphic malware to avoid signature detection
• Communicate – Encryption, proxies, fast flux, dynamic DNS, peer-to-peer
  - Many methods to hide from security
• Manage – Command and Control
  - Custom app or protocol
  - Config files
  - EXE download
  - P2P, social networks
  - More use of fast flux
4 Qualities of Modern Malware
• Infection – How does the malware infect the target without being detected? Remote Exploits, Hidden Traffic, Custom Malware
• Persistence – How does the malware remain on the infected host? Rootkits, Anti-AV
• Control – How does the malware coordinate and control itself without being taken over? Social Media, Backdoors, Configuration Files, EXE Updates
• Communication – How does the malware communicate securely without being detected? Encryption, Proxies & Evasions, Fast Flux
4 Qualities of Modern Malware
• Infection – How does the malware infect the target without being detected? Ensure visibility into traffic; integrated IPS and anti-malware; drive-by download protection
• Persistence – How does the malware remain on the infected host? Rootkits: integrated Anti-AV
• Control – How does the malware coordinate and control itself without being taken over? Control social media; detect and block backdoors; detect configuration files via IPS; block EXE downloads
• Communication – How does the malware communicate securely without being detected? Decrypt SSL, block encryption; control proxies & evasions; track fast flux & dynamic DNS
Long-Term Attacks Require Multiple Tactics
Applications / Evasions: attackers have learned to use applications and evasions to hide their traffic from security
  - Travel over non-standard ports
  - Tunnel within protocols
  - Tunnel within SSL
  - Dynamic DNS to cover their tracks
  - Use circumventing applications (remote desktop, SSH)
  - Use anonymizing applications (proxies, Tor, personal VPNs)
Exploits / Malware: the fusion of exploits and malware allows any connection to deliver malware
  - Exploit user on a web-page, establish shell access, download malware in background
  - Malware is no longer simply an exe for a user to click on
  - Signature avoidance
    - Polymorphic malware
    - Zero-Day vulnerabilities
Example
[Diagram, built up over three slides: user visits infected webpage; crafted image exploits vulnerability on client; exploit gains shell access and downloads malware in background; infected host used to investigate network, capture passwords, exploit other users and systems; later builds show the malware’s traffic carried over Remote Desktop and SSL]
