© 2017, Palo Alto Networks, Inc. Confidential and Proprietary.
Cyber Weapons Training
Cyber Weapons Training Agenda
• Today’s Breach Detection Gap
• Threats: Malware, Risky Behavior, Insiders & Advanced Attacks
• Top Cyber Weapons
• Signature vs. Behavior-based Attack Detection
• Automated Behavioral Analytics
Breach Detection Gap
• 99% of post-intrusion attacks, such as reconnaissance and lateral movement, do not originate from malware.
• 170 days is the median length of time that attackers are present on a victim’s network before detection.
• Most organizations focus on malware and external attacks, but cannot detect attackers in their network.
• Most organizations cannot find breaches on their own.
Sources: LightCyber Cyber Weapons Report, Ponemon
Threats Analyzed for Cyber Weapons Research: Targeted Attacks, Insider Attacks, Risky Behavior, and Malware
Targeted Attacks
(Diagram: Intrusion from outside the network (Seconds – Minutes), then Active Breach inside the network (Hours - Weeks): Establish Backdoor -> Recon & Lateral Movement -> Data Exfiltration.)
1. Attacker compromises a client or server in the network.
2. Attacker performs reconnaissance and moves laterally to find valuable data.
3. Attacker steals data by uploading or transferring files.
Insider Attacks
(Diagram: Recon & Lateral Movement -> Abuse of User Rights -> Data Exfiltration.)
1. Employee is upset by a demotion and decides to steal data and quit the job.
2. Employee accesses many file shares, including rarely accessed file shares.
3. Employee uses another user’s credentials and exfiltrates a large volume of data.
IT Assets at Risk
• Databases and file servers are considered the most vulnerable to insider attacks.
SOURCE: LinkedIn Group - Insider Threat Report sponsored by LightCyber
(Diagram labels: Insider, File Server, Sensitive Data.)
Risky Behavior
(Diagram labels: User, Home Desktop, Remote Desktop, Internet, High Risk Website, IT Admin.)
1. Remote desktop access from home.
2. User credentials for a service account shared by multiple admins.
3. Access to high-risk websites.
Data Breach Incidents
SOURCE: 2016 Verizon Data Breach Investigations Report
Miscellaneous errors, such as misconfiguration, misdelivery, and other errors, accounted for the highest number of data breaches in 2015.
‘With all of the hubris and bravado in the InfoSec world, one proclamation we usually don’t hear is “Our employees NEVER make mistakes.”’
Malware: Ransomware Attack
(Diagram labels: Laptop, Infected Email, Malicious Website, Internet, Command & Control, File Servers.)
1. User downloads ransomware from a website or opens a malicious email attachment.
2. Infected client contacts the command and control server and receives a unique cryptographic key.
3. Ransomware encrypts data on the local client.
4. Ransomware encrypts data on network drives.
Cyber Weapons Research Findings
Based on Anonymized Alert Data and Network to Process Association (N2PA) Technology
Top Attack Behaviors
• Reconnaissance was the most common attack behavior.
• Reconnaissance is an iterative process of trial and error as attackers search for valuable assets.
Networking and Hacking Tools
• Attackers use well-known tools to map the network, probe clients, and monitor activity.
• NCrack, Mimikatz, and Windows Credential Editor can be used to steal user credentials.
• Some tools are native OS utilities.
Admin Tools
• Attackers use a variety of command line shells, including native OS utilities.
• Admin tools are used for lateral movement as well as recon and exfiltration.
Remote Desktop Tools
• Remote desktop tools are used for C&C and lateral movement, and are also indicative of risky user behavior.
Malware
• 28% of suspicious processes associated with alerts were either malware or riskware.
• 1% of east-west threats originated from malware.
Major Findings
• 70%+ of malware was only detected on a single site, revealing targeted & polymorphic variants.
• Attackers often use “benign” apps, native OS tools and web browsers to conduct attacks.
• Companies that only look for malware will miss attackers that are already in the network.
Traditional Security (Known Bad; Agents & Signatures)
▪ Signatures, IoCs, Packet Signatures, Domains, Sandbox Activity
▪ Block, or miss
▪ Necessary, but not sufficient for internal threats
Problems:
• Focuses on known threats
• Cannot easily detect unknown threats, insider threats, or attacks that do not rely on malware
What’s Needed: Behavioral Analytics (Learned Good; Agentless & Signature-less)
▪ Learn What is Good [Baseline]
▪ Detect What Isn’t [Anomaly]
▪ Catch What Slips Through the Cracks of Traditional Security
Benefits:
• Eliminates the Zero-Day Exploit Dilemma
• Hundreds of Opportunities to Detect
• Applicable to All Techniques & Stages
About LightCyber and Palo Alto Networks
LightCyber
▪ Founded in 2012 by cyberwarfare experts
▪ Acquired in February 2017 by Palo Alto Networks
▪ 500+ deployments since Q1/2015
▪ Recognized in Gartner Market Guides for UEBA and EDR
“We have spent quite some time evaluating the players in this fast-growing space and are very impressed with the capabilities and team at LightCyber.”
– Mark McLaughlin, CEO, Palo Alto Networks
LightCyber Magna
LightCyber Magna profiles network, user and endpoint behavior to catch threats across the attack lifecycle.
(Diagram labels: Endpoint (Endpoint Detection & Response), Network (Network Traffic Analysis), User (User & Entity Behavior Analytics).)
Profiling, Detection, Investigation and Response
Intelligent nDimensional Profiling
- Continuous Baseline of Network, User, and Endpoint Behavior
Accurate Detection
- Anomalous Attack Behavior Detected Across Attack Lifecycle
Automated Investigation
- Network, User, & Process Association + Cloud (N2PA)
Integrated Response
- Blacklist Attackers or Accounts with NGFW, NAC, Active Directory
Magna Detection Framework: Pre-compute Learning of 1,000+ Behavioral Dimensions
Time Profile
• History, per detector
• Network -> Application
Peer Profile
• Peer profile, per detector
Entity Profile
• Entity type: user, admin, workstation, server, server type
ML Technique (Pre-Compute Learning): Unsupervised, Supervised
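The time/peer/entity profiling described above, reduced to a runnable toy: an added example written for this page, not LightCyber or Palo Alto Networks code, with one constructed detector ("distinct file shares accessed per day"), constructed history, and an assumed z-score threshold of 3 against both the entity's own history and its peer group.

```python
"""Toy behavioural baseline in the spirit of the framework's Time, Peer and
Entity profiles (constructed example, not LightCyber code). One detector,
'distinct file shares accessed per day', is learned per entity from its own
history (time profile) and per entity type from its peers (peer profile);
today's value is flagged only if it is far outside both baselines."""
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed history: entity -> (entity type, daily distinct-share counts)
HISTORY: Dict[str, Tuple[str, List[int]]] = {
    "alice":   ("user",  [3, 4, 3, 5, 4, 3, 4]),
    "bob":     ("user",  [2, 2, 3, 2, 1, 2, 3]),
    "carol":   ("user",  [5, 6, 4, 5, 6, 5, 4]),
    "dave":    ("user",  [1, 1, 1, 1, 1, 1, 1]),
    "svc-bkp": ("admin", [40, 42, 39, 41, 40, 43, 41]),  # backup account
}

def time_profile(history: List[int]) -> Tuple[float, float]:
    """Per-entity baseline: mean and population std-dev over its own history."""
    return mean(history), pstdev(history)

def peer_profile(entity_type: str) -> Tuple[float, float]:
    """Per-entity-type baseline: pooled daily values of every peer of that type."""
    pooled = [v for t, vals in HISTORY.values() if t == entity_type for v in vals]
    return mean(pooled), pstdev(pooled)

def zscore(value: float, baseline: Tuple[float, float]) -> float:
    mu, sigma = baseline
    # Floor sigma at 1.0 so a perfectly flat history cannot produce an
    # infinite score from a one-share change.
    return (value - mu) / max(sigma, 1.0)

def evaluate(entity: str, today: int, threshold: float = 3.0) -> dict:
    """Flag today's value only when it is anomalous against BOTH the entity's
    own history and its peer group: a busy-but-normal service account stays
    quiet, and a quiet user drifting within peer norms stays quiet too."""
    etype, hist = HISTORY[entity]
    z_self = zscore(today, time_profile(hist))
    z_peer = zscore(today, peer_profile(etype))
    return {"entity": entity, "entity_type": etype, "value": today,
            "z_self": round(z_self, 2), "z_peer": round(z_peer, 2),
            "anomalous": z_self > threshold and z_peer > threshold}

if __name__ == "__main__":
    for who, today in (("alice", 38), ("dave", 6), ("svc-bkp", 44)):
        print(evaluate(who, today))
```

Only alice (38 shares against a history of 3 to 5 and a peer norm near 3) is flagged; dave's jump from 1 to 6 is large relative to his own history but ordinary for his peers, and the backup account's 44 is within its own noise.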
Magna Platform
(Architecture diagram labels: HQ / DC; Remote Office; Endpoints; Remote VPN Users; IaaS Cloud; Magna Master; Magna Detector; Magna Probe; Magna Pathfinder; Magna Detector & Magna Probe for AWS; TAP / SPAN on switch and core switch; Network-to-Process Association (N2PA); Email & Reports; SIEM; Magna UI; Remediation.)
LightCyber Detects the Threats That Lead to Data Loss and Destruction
• Risky Behavior
• Malware
• Insider Attacks
• Advanced and Targeted Attacks
Lower Operating Costs With Accurate, Efficient Alerts
Most IT security teams can’t keep up with the deluge of security alerts.
Source: Ponemon survey of 700 enterprises with average 14,000 endpoints and 16,937 alerts per week
LightCyber accuracy:
• 61% across all alerts
• 99% across Magna’s automated “Confirmed Attack” category
Closing the Gap in Breach Detection
Source: Lockheed Martin Cyber Kill Chain, LightCyber Cyber Weapons Report
(Diagram, left to right: Intrusion Attempt Phase (Seconds – Minutes): Traditional Network Security; Active Attack Phase (Weeks – Months): Breach Detection Gap; Incident Response (Weeks – Months): Post Incident Response Solutions.)
Demonstrate Security Assurance
▪ LightCyber Magna Security Assurance Report:
• Documents that there is no evidence of compromise to auditors, partners and the board
• Eliminates the need for costly third-party assessments
• Provides visibility of security events
Malware Example
Magna Detects:
• Active Command & Control channel
• Malware infection
• No signs of internal spreading
• Likely opportunistic, not (yet) targeted
Detection Pattern:
• C&C
• Malware
• (No East-West)
Risky Behavior Example
Magna Detects:
• RDP to > 20 workstations
• Likely non-malicious internal activity, since there is no association with other malicious findings
Detection Pattern:
• Credential Abuse
• Not Linked to Exfil or Other
Insider Attack Example
Magna Detects:
• Suspicious access to file shares
• Exfiltration
• This correlation indicates a likely insider attack
Detection Pattern:
• Credential Abuse
• Linked to Exfil or Other Findings
Targeted Attack Example
Magna Detects:
• Anomalous file with known threat intelligence
• Recon
• Lateral Movement
• Exfiltration
• This correlation indicates a targeted attack
Detection Pattern:
• Multiple Correlated Findings
• North-South + East-West
User, Entity; Network + Endpoint
Magna Detects:
• Anomalous network activity
• Anomalous and malicious processes on the endpoint
• Anomalous user activity
Magna Correlates:
• User
• Entity
• Network
• Process
• Endpoint
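The four detection patterns in the examples above (Malware, Risky Behavior, Insider Attack, Targeted Attack) as a runnable correlation step: an added example written for this page, not LightCyber code. The finding categories, the north-south/east-west labelling and the sample findings are constructed, and the ordering from most to least severe is an assumption of this example.

```python
"""Toy triage that correlates per-entity findings into the four detection
patterns walked through above (constructed example, not LightCyber code).
A finding is (entity, category, direction); direction is 'north-south' for
traffic to or from the internet and 'east-west' for internal traffic."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Finding = Tuple[str, str, str]  # (entity, category, direction)

# Constructed findings for four hosts under investigation.
FINDINGS: List[Finding] = [
    ("laptop-17", "c2", "north-south"),          # C&C + malware, nothing internal
    ("laptop-17", "malware", "north-south"),
    ("admin-ws", "credential_abuse", "east-west"),  # RDP fan-out, nothing else
    ("acct-pc", "credential_abuse", "east-west"),   # odd share access + exfil
    ("acct-pc", "exfiltration", "north-south"),
    ("srv-db", "malware", "north-south"),        # TI hit + recon + lateral + exfil
    ("srv-db", "recon", "east-west"),
    ("srv-db", "lateral_movement", "east-west"),
    ("srv-db", "exfiltration", "north-south"),
]

def group(findings: List[Finding]) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Per entity: the set of categories seen and the set of directions seen."""
    out: Dict[str, Tuple[Set[str], Set[str]]] = defaultdict(lambda: (set(), set()))
    for entity, category, direction in findings:
        out[entity][0].add(category)
        out[entity][1].add(direction)
    return dict(out)

def classify(cats: Set[str], dirs: Set[str]) -> str:
    """Apply the deck's patterns from most to least severe, so a host that
    matches several is reported once at the highest severity."""
    both_directions = {"north-south", "east-west"} <= dirs
    stages = {"recon", "lateral_movement", "exfiltration"}
    if len(cats & stages) >= 2 and both_directions:
        return "targeted attack"     # multiple correlated findings, N-S + E-W
    if "credential_abuse" in cats and "exfiltration" in cats:
        return "insider attack"      # credential abuse linked to exfil
    if "credential_abuse" in cats:
        return "risky behavior"      # credential abuse, not linked to exfil or other
    if cats & {"c2", "malware"}:
        # Deck pattern is C&C/malware with no east-west; internal spread escalates it.
        return "malware" if "east-west" not in dirs else "malware with internal spread"
    return "unclassified"

def triage(findings: List[Finding]) -> Dict[str, str]:
    return {e: classify(c, d) for e, (c, d) in group(findings).items()}
```

Calling `triage(FINDINGS)` maps each of the four constructed hosts to the pattern its slide describes; the same credential-abuse finding lands in "risky behavior" or "insider attack" depending only on whether exfiltration is correlated with it.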
Resources
Contact Palo Alto Networks to schedule a demo.
Request more information about LightCyber Magna at www.paloaltonetworks.com.
Download the Cyber Weapons Report.