Palo Alto Networks
Cybercrime: evolution of malware and attacks
Cesare Radaelli, Regional Sales Manager, Italy
[email protected]

About Palo Alto Networks
• We are the network security company
• World-class team with strong security and networking experience
  - Founded in 2005, first customer July 2007
• We offer next-generation firewalls that safely enable 1,400+ applications
  - Restores the firewall as the core of the enterprise network security infrastructure
  - Innovations: App-ID™, User-ID, Content-ID, GlobalProtect™, WildFire™
• Global footprint: 6,300+ customers in 80+ countries, 40 of whom deployed more than $1M of our solution
• $200M in bookings run rate*; 7 consecutive quarters of positive cashflow from operations
(*) Reported on August 1, 2011. Bookings run rate is defined as 4 (four) times the bookings amount of the most recently finished fiscal quarter. Bookings are defined as non-cancellable orders received during the fiscal period. Palo Alto Networks’ fiscal year runs from August 1st until July 31st.
Page 2 | © 2012 Palo Alto Networks. Proprietary and Confidential.

2011 Magic Quadrant for Enterprise Network Firewalls
“Palo Alto Networks' high-performance NGFW functionality continues to drive competitors to react in the firewall market. It is assessed as a Leader mostly because of its NGFW design, redirection of the market along the NGFW path, consistent displacement of Leaders and Challengers, and market disruption forcing Leaders to react.”
Magic Quadrant for Enterprise Network Firewalls, Gartner, 14 December 2011. Source: Gartner
What Has Changed / What Is the Same
• The attacker changed
  - Nation-states
  - Criminal organizations
  - Political groups
• Attack strategy evolved
  - Patient, multi-step process
  - Compromise user, then expand
• Attack techniques evolved
  - New ways of delivering malware
  - Hiding malware communications
  - Signature avoidance
• The sky is not falling
  - Not new, just more common
  - Solutions exist
  - Don’t fall into “the APT ate my homework” trap

Strategy: Patient Multi-Step Intrusions
(Diagram: organized attackers against the enterprise, in stages: Infection, Command and Control, Escalation, Exfiltration)

Challenges to Traditional Security
• Threats coordinate multiple techniques, while security is segmented into silos
  - Exploits, malware, spyware and obfuscation are all part of a patient, multi-step intrusion
• Threats take advantage of security blind spots to keep from being seen
  - Patient attacks must repeatedly cross the perimeter without being detected
• Targeted and custom malware can bypass traditional signatures
  - The leading edge of an attack is increasingly malware that has never been seen before

Regaining Control Over Modern Threats: New Requirements for Threat Prevention
1. Visibility into all traffic regardless of port, protocol, evasive tactic or SSL
2. Stop all types of known network threats (IPS, anti-malware, URL, etc.) while maintaining multi-gigabit performance
3. Find and stop new and unknown threats even without a pre-existing signature
Visibility
• Visibility is fundamental
  - You can’t stop what you can’t see
  - Virtually all threats other than DoS depend on avoiding security
• Full stack inspection of all traffic
  - All traffic, on all ports, all the time
  - Progressive decoding of traffic to find hidden, tunneled streams
  - Contextual decryption of SSL
• Control the applications that hide traffic
  - Limit traffic to approved proxies and remote desktop applications
  - Block bad applications like encrypted tunnels and circumventors

Control the Methods Threats Use to Hide: If you can’t see it, you can’t stop it
• Encrypted traffic (e.g. SSL): SSL is the new standard
• Proxies (e.g. CGIProxy): reverse proxies are hacker favorites
• Remote desktop: increasingly standard
• Compressed content (e.g. GZIP): ZIP files, compressed HTTP
• Encrypted tunnels (circumventors and tunnels): Hamachi, Ultrasurf, Tor; purpose-built to avoid security
(Diagram: encryption, proxies, compression and tunnels used to hide outbound C&C traffic)

Block the Applications That Hide Traffic
• Block unneeded and high-risk applications
  - Block (or limit) peer-to-peer applications
  - Block unneeded applications that can tunnel other applications
  - Review the need for applications known to be used by malware
  - Block anonymizers such as Tor
  - Block encrypted tunnel applications such as UltraSurf
  - Limit use to approved proxies
  - Limit use of remote desktop

Control Known Threats
• Validated and proven IPS
  - 93.4% block rate at NSS Labs while maintaining data sheet performance
• Stream-based anti-malware
  - Millions of malware samples, 50,000 new samples analyzed daily
  - Stream-based analysis enables in-line analysis at line speeds
• Full context
  - Clear visibility into all URLs, users, applications and files connected to a particular threat
• Threat categories covered: brute force, botnets, code execution, browser hijacks, denial of service, adware, data leakage, backdoors, overflow, keyloggers, scanning, net-worms, SQL injection, peer-to-peer

Add Protections Without Sacrificing Performance
(Chart: throughput of Firewall + IPS, Firewall + anti-spyware + anti-virus, and Firewall + anti-spyware + anti-virus + IPS across Mixed HTTP, 10 KB HTTP and 512 KB HTTP test traffic; y axis 0 to 7000. Source: Network World, August 2011)

Single-Pass Parallel Processing™ (SP3) Architecture
• Single pass
  - Operations once per packet: traffic classification (app identification), user/group mapping, content scanning (threats, URLs, confidential data)
  - One policy
• Parallel processing
  - Function-specific parallel processing hardware engines
  - Separate data/control planes
• Up to 20 Gbps, low latency

“Okay, but what about unknown and targeted malware?”

The Malware Window of Opportunity
• Time required to capture 1st sample of malware in the wild
• Time required to create and verify malware signature
• Time before antivirus definitions are updated
• Total time exposed: days and weeks until users are protected by traditional signatures

Attackers Target the Window of Opportunity
• Targeted attacks
• Malware construction kits
• Refreshed malware

Controlling Unknown Malware Using the Next-Generation Firewall
• Introducing WildFire
  - New feature of the Palo Alto Networks NGFW
  - Captures unknown inbound files and analyzes them for 70+ malicious behaviors
  - Analysis performed in a cloud-based, virtual sandbox
• Automatically generates signatures for identified malware
  - Infecting files and command-and-control
  - Distributes signatures to all firewalls via regular threat updates
• Provides forensics and insight into malware behavior
  - Actions on the target machine
  - Applications, users and URLs involved with the malware
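The unknown-file flow described above (firewall submits an unseen file, the cloud compares it to known files, sandboxes it, generates a signature and pushes it to every firewall on the next threat update), modelled as an added Python example that is not Palo Alto Networks code. The sandbox is simulated by a constructed lookup table, the behaviour list and the two-behaviour verdict threshold are assumptions, and the sample file names echo the case study's lures.

```python
import hashlib
from typing import Callable, Dict, List, Set

# Behaviours counted as malicious (constructed; the page says 70+ but lists none).
MALICIOUS = {"steals_browser_cookies", "anti_vm_check", "changes_proxy_settings",
             "installs_service", "http_post_to_new_domain"}
THRESHOLD = 2  # assumption: two or more malicious behaviours => malware verdict

# Constructed stand-in for sandbox execution: file bytes -> behaviours observed.
SANDBOX_REPORTS: Dict[bytes, Set[str]] = {
    b"DHL-express-tracking-delivery-notification.exe":
        {"steals_browser_cookies", "anti_vm_check", "http_post_to_new_domain"},
    b"harmless-text-editor.exe": {"writes_document_file"},
}

def simulated_sandbox(data: bytes) -> Set[str]:
    return SANDBOX_REPORTS.get(data, set())

class WildFireCloud:
    # Compare to known files -> sandbox environment -> signature generator.
    def __init__(self, sandbox: Callable[[bytes], Set[str]]) -> None:
        self.sandbox = sandbox
        self.known: Dict[str, str] = {}    # sha256 -> verdict (known-files cache)
        self.signatures: List[dict] = []   # published to firewalls via threat updates
        self.sandbox_runs = 0
    def analyze(self, data: bytes) -> str:
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.known:           # seen before: no second sandbox run
            return self.known[digest]
        self.sandbox_runs += 1
        hits = sorted(self.sandbox(data) & MALICIOUS)
        verdict = "malware" if len(hits) >= THRESHOLD else "benign"
        self.known[digest] = verdict
        if verdict == "malware":           # signature = file hash plus behaviours seen
            self.signatures.append({"sha256": digest, "behaviors": hits})
        return verdict

class Firewall:
    # One NGFW: blocks on local signatures first, submits unknown files to the cloud.
    def __init__(self, cloud: WildFireCloud) -> None:
        self.cloud = cloud
        self.blocked: Set[str] = set()
    def inspect_inbound(self, data: bytes) -> str:
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.blocked:
            return "blocked-by-signature"  # stopped locally, no cloud round trip
        return self.cloud.analyze(data)    # "malware" or "benign"
    def apply_threat_update(self) -> int:
        # Pull every signature the cloud has generated; returns how many were new.
        new = {s["sha256"] for s in self.cloud.signatures} - self.blocked
        self.blocked |= new
        return len(new)
```

The known-files cache is what keeps a second firewall seeing the same lure from triggering another sandbox run, and the threat update is what lets that firewall block the file without any cloud round trip at all.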
The WildFire Architecture
(Diagram: unknown files from the Internet coming into the enterprise; the firewall submits the file to the WildFire cloud, which compares it to known files, runs it in the sandbox environment, feeds the signature generator and reports to the admin web portal. Results available in minutes; new signatures delivered to ALL firewalls via regular threat updates.)

Case Study: Password Stealing Botnets
Overview
• Threat type: Botnet, similar to the notorious ZeuS banking botnet
• Target: Targets end-users with the goal of stealing passwords
• Transmission methods: Heavy use of email, some use of HTTP
• Key actions:
  - Steals email and FTP credentials
  - Steals cookies from browsers
  - Decrypts and sniffs SSL sessions
  - Uses anti-VM techniques
• File name(s):
  - American_Airlines_E-Ticket-printing-copy
  - DHL-express-tracking-delivery-notification
• Initial detection rates: Very low detection rates, sometimes for several days. Heavy use of packers.

Malware Analysis
(Three slides titled “Malware Analysis”; no further text)

Trusted Sources: CNET/Download.com
• Strong reputation for providing safe downloads of shareware and freeware that are verified to be malware free.
• In early December 2011 WildFire began identifying files from Download.com as containing spyware.
• CNET had begun providing software downloads in a wrapper that installed subtle spyware designed to track shopping habits.
• Changed a variety of client and browser security settings:
  - Changed security settings
  - Changed proxy settings
  - Changed Internet Explorer settings
  - Installed a service to leak advertising and shopping data over HTTP POSTs.
An Integrated Approach to Threat Prevention
(Diagram: four columns ordered from left to right as decreasing risk)
Applications
• All traffic, all ports, all the time
• Application signatures
• Heuristics
• Decryption
• Reduce the attack surface
• Remove the ability to hide
Exploits & Malware
• Block threats on all ports
• NSS Labs Recommended IPS
• Millions of malware samples
• Prevents known threats
• Exploits, malware, C&C traffic
Dangerous URLs
• Malware hosting URLs
• Newly registered domains
• SSL decryption of high-risk sites
• Block known sources of threats
• Be wary of unclassified and new domains
Unknown & Targeted Threats
• WildFire control of unknown and targeted malware
• Unknown traffic analysis
• Anomalous network behaviors
• Pinpoints live infections and targeted attacks

Thank You!