
Palo Alto Networks

Modern Malware
Cory Grant
Regional Sales Manager
Palo Alto Networks
What are we seeing?
Key Facts and Figures - Americas

• 2,200+ networks analyzed
• 1,600 applications detected
• 31 petabytes of bandwidth
• 4,600+ unique threats
• Billions of threat logs

3 | ©2014 Palo Alto Networks. Confidential and Proprietary.


Common Sharing Applications are Heavily Used

Application Variants
• How many video and filesharing applications are needed to run the business?

Bandwidth Consumed
• 20% of all bandwidth consumed by file-sharing and video alone

Source: Palo Alto Networks, Application Usage and Threat Report. May 2014.
High in Threat Delivery; Low in Activity

• 11% of all threats observed are code execution exploits within common sharing applications
• Most commonly used applications: email (SMTP, Outlook Web, Yahoo! Mail), social media (Facebook, Twitter) and file-sharing (FTP)

Source: Palo Alto Networks, Application Usage and Threat Report. May 2014.
Low Activity: Effective Security or Something Else?

Inbound applications: SMTP, IMAP, POP3, web browsing
• Code execution exploits seen in SMTP, POP3, IMAP and web browsing.

Smoke.loader botnet controller
• Delivers and manages payload
• Steals passwords
• Encrypts payload
• Posts to URLs
• Anonymizes identity

Outbound applications: Twitter, web browsing, Facebook


Malware Activity Hiding in Plain Sight: UDP
ZeroAccess Botnet

Blackhole Exploit Kit -> End Point Controlled -> ZeroAccess Delivered -> Bitcoin mining, SPAM, ClickFraud -> $$$

• Distributed computing = resilience
• High number UDP ports mask its use
• Multiple techniques to evade detection
• Robs your network of processing power
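The evasion this slide describes (a peer-to-peer botnet spreading its traffic across many peers on high UDP ports) leaves a fan-out pattern a defender can look for in flow records. The following is an added example, not code from the presentation or from Palo Alto Networks; the flow records, thresholds and port numbers are constructed for illustration and are not the botnet's actual ports.

```python
from collections import defaultdict

# Constructed flow records for this example: (src, dst, proto, dport).
# Illustrative only; the port numbers are not ZeroAccess's real ports.
FLOWS = [
    ("10.0.0.5", "203.0.113.10", "udp", 24001),
    ("10.0.0.5", "203.0.113.22", "udp", 24002),
    ("10.0.0.5", "198.51.100.7", "udp", 24001),
    ("10.0.0.5", "198.51.100.9", "udp", 24003),
    ("10.0.0.5", "192.0.2.44", "udp", 24002),
    ("10.0.0.5", "192.0.2.45", "udp", 24004),
    ("10.0.0.5", "192.0.2.46", "udp", 24001),
    ("10.0.0.5", "192.0.2.47", "udp", 24003),
    ("10.0.0.5", "10.0.0.53", "udp", 53),          # ordinary DNS, ignored
    ("10.0.0.7", "10.0.0.53", "udp", 53),
    ("10.0.0.7", "203.0.113.80", "tcp", 443),      # ordinary HTTPS, ignored
    ("10.0.0.9", "198.51.100.30", "udp", 27015),   # two peers: below threshold
    ("10.0.0.9", "198.51.100.31", "udp", 27015),
]


def udp_fanout(flows, min_port=1024, min_peers=5):
    """Return {src: (distinct_peers, distinct_ports)} for every source host
    whose UDP traffic to ports >= min_port reaches at least min_peers
    distinct remote hosts. A client talking to one DNS or game server never
    trips the threshold; a peer-to-peer node talking to many peers does."""
    peers = defaultdict(set)
    ports = defaultdict(set)
    for src, dst, proto, dport in flows:
        if proto == "udp" and dport >= min_port:
            peers[src].add(dst)
            ports[src].add(dport)
    return {src: (len(p), len(ports[src]))
            for src, p in peers.items() if len(p) >= min_peers}
```

On real flow data, tune min_peers per host role and whitelist known UDP services (VoIP, video) before alerting.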


The Two Faces of SSL

Good? Bad?
Malware and threat actors seen using SSL: BlackPOS, Citadel, Aurora, TDL-4, Rustock, Poison Ivy, Ramnit, APT1

Challenge: Is SSL used to protect data and privacy, or to mask malicious actions?


SSL: Protection, Evasion or Heartbleed Risk?

32% (539) of the applications found can use SSL. What is your exposure?

Source: Palo Alto Networks, Application Usage and Threat Report. Jan. 2013.
Business Applications = Heaviest Exploit Activity

Source: Palo Alto Networks, Application Usage and Threat Report. May 2014.
Target data breach – APTs in action

1. Recon on companies Target works with
2. Spearphishing third-party HVAC contractor
3. Breached Target network with stolen credentials
4. Moved laterally within Target payment system network and installed POS malware
5. Compromised internal server to collect customer data
6. Exfiltrated data to command-and-control servers over FTP
Throughout: maintain access
Best Practices
Security from Policy to Application

• What assumptions drive your security policy?
• Does your current security implementation adequately reflect that policy?
• Does your current security implementation provide the visibility and insight needed to shape your policy?

Assumptions -> Policy -> Implementation -> Visibility & Insight, which feed back into the assumptions
Security Perimeter Paradigm

Organized Attackers -> The Enterprise: Infection -> Command and Control -> Escalation -> Exfiltration

Is there malware inside your network today?
Application Visibility
• Reduce attack surface
• Identify applications that circumvent security policy.
• Full traffic visibility that provides insight to drive policy
• Identify and inspect unknown traffic
Identify All Users
• Do NOT trust, always verify all access
• Base security policy on users and their roles, not IP addresses.
• For groups of users, tie access to specific groups of applications
• Limit the amount of exfiltration via network segmentation


SSL/Port 443: The Universal Firewall Bypass

Applications, malware and threat actors seen on tcp/443: Gozi, Freegate, Rustock, Citadel, TDL-4, Aurora, Poison Ivy, Ramnit Bot, APT1

Challenge: Is SSL used to protect data and privacy, or to mask malicious actions?


Evolution of Network Segmentation & Datacenter Security

Packet filtering, ACLs, IP/port-based firewalling for known traffic? -> Layer 1-4 stateful firewall appliance
Port-hopping applications, malware, mobile users – different entry points into the DC? -> Layer 7 “Next Generation” platform solution
Modern Attacks Are Coordinated

1. Bait the end-user: End-user lured to a dangerous application or website often containing malicious content
2. Exploit: Infected content exploits the end-user, often without their knowledge
3. Download Backdoor: Secondary payload is downloaded in the background. Malware installed
4. Establish Back-Channel: Malware establishes an outbound connection to the attacker for ongoing control
5. Explore & Steal: Remote attacker has control inside the network and escalates the attack
Coordinated Threat Prevention
An Integrated Approach to Threat Prevention

Bait the end-user
• App-ID: Block high-risk apps
• URL filtering: Block known malware sites

Exploit
• App-ID: Reduce attack surface
• IPS (threat prevention): Block the exploit

Download Backdoor
• AV: Block malware
• Files: Prevent drive-by-downloads
• WildFire: Detect unknown malware

Establish Back-Channel
• App-ID: Block C&C on non-standard ports
• URL filtering: Block malware, fast-flux domains
• Spyware: Block spyware, C&C traffic
• WildFire: Block new C&C traffic

Explore & Steal
• Coordinated intelligence to detect and block active attacks based on signatures, sources and behaviors
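The "coordinated intelligence" item on this slide only pays off if the hits from the separate controls (URL filtering, IPS, AV, App-ID on non-standard ports) are tied back to one host along the lifecycle. As an added example, not code from the presentation and not the PAN-OS log format, the following correlates constructed log events per source host and reports which lifecycle stages each host has shown and whether they appeared in order; the event type names and log line format are assumed.

```python
import re
from collections import defaultdict

# Lifecycle stages from the slide, in order.
STAGES = ["bait", "exploit", "download", "backchannel"]

# Assumed event types, mapped to the stage each control evidences.
STAGE_OF = {
    "url-malware-site": "bait",        # URL filtering hit on a known malware site
    "ips-exploit": "exploit",          # IPS signature fired
    "av-malware-file": "download",     # AV / file blocking caught a payload
    "app-nonstd-port": "backchannel",  # App-ID saw e.g. SSL on a port other than 443
    "spyware-c2": "backchannel",       # anti-spyware C&C signature
}

# Constructed log lines for this example; not a real firewall log format.
LOGS = """\
t=1 src=10.0.0.5 type=url-malware-site detail=blocked-category
t=2 src=10.0.0.5 type=ips-exploit detail=browser-exploit-sig
t=3 src=10.0.0.5 type=av-malware-file detail=exe-download
t=4 src=10.0.0.5 type=app-nonstd-port detail=ssl/tcp-8443
t=5 src=10.0.0.7 type=url-malware-site detail=blocked-category
t=6 src=10.0.0.9 type=app-nonstd-port detail=ssl/tcp-8443
t=7 src=10.0.0.9 type=ips-exploit detail=browser-exploit-sig
"""
LINE = re.compile(r"t=(\d+) src=(\S+) type=(\S+) detail=(\S+)")


def correlate(log_text, min_stages=3):
    """Return {src: (stages seen in lifecycle order, in_order)} for hosts that
    show at least min_stages distinct stages. in_order is True when the first
    sighting of each stage follows the lifecycle sequence. Isolated single
    hits (one blocked URL, one odd port) stay below the threshold; a chain
    of them on one host escalates."""
    first_seen = defaultdict(dict)  # src -> {stage: earliest t}
    for m in LINE.finditer(log_text):
        t, src, etype, _detail = m.groups()
        stage = STAGE_OF.get(etype)
        if stage is not None and stage not in first_seen[src]:
            first_seen[src][stage] = int(t)
    hits = {}
    for src, stages in first_seen.items():
        ordered = [s for s in STAGES if s in stages]
        times = [stages[s] for s in ordered]
        if len(ordered) >= min_stages:
            hits[src] = (ordered, times == sorted(times))
    return hits
```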

Threat intelligence sources: WildFire users, WildFire Cloud, on-prem

Signature type and update interval:
• WildFire signatures: ~30 minutes
• AV signatures: daily
• DNS signatures: daily
• Malware URL filtering: constant
• Anti-C&C signatures: 1 week
