Extending Zero Trust To The Endpoint

Kevin Harvey & Jon Bosche, Cyber Security Specialist Team, Palo Alto Networks

Posted Dec 24, 2015

Transcript
Page 1: Extending Zero Trust To The Endpoint Kevin Harvey & Jon Bosche Cyber Security Specialist Team Palo Alto Networks.

Extending Zero Trust To The Endpoint

Kevin Harvey & Jon Bosche

Cyber Security Specialist Team

Palo Alto Networks

Page 2

Agenda

Harsh Reality – We are at more risk than ever

Why we are still getting infected

Zero Trust Model – Network Security

Extending the Zero Trust model to the endpoint

Recent APT Campaigns

Summary

2 | ©2014, Palo Alto Networks. Confidential and Proprietary.

Page 3

We All Know The Risks

J.P. Morgan: ~80M records
Target: 40M CC, 70M records, $200M cost
Carbanak: ~1B in stolen funds
Sony: 40M CC, 70M records, $100M cost

Page 4

Harsh Reality - We Are More at Risk than Ever

91% increase in targeted attacks in 2013
78% of exploit kits utilize vulnerabilities less than two years old
71% of breaches involve a targeted user device

Attackers are well funded and more sophisticated
Launching zero-day attacks is more accessible and common
Targeted attacks can only be solved on the endpoint

Page 5

Understanding the Threat: Exploit vs. Malware – What’s the difference?

All pieces of software contain bugs
Some bugs may be security vulnerabilities
Some security vulnerabilities can be exploited to achieve (remote) code execution (RCE)

Exploit:
- Malformed data file that is processed by a legitimate app
- Aims to achieve code execution abilities
- Small payload

Malware:
- Malicious code that comes in executable file form
- Already executes code; aims to control the machine
- Large payload

Page 6

“(…) threat is orchestration of the overall attack, not necessarily the sophistication of the individual components…”

Jayce Nichols, Manager of Cybercrime Analysis Team, iSight

A Typical Cyber Security Attack Life Cycle

- Plan the Attack: gather intelligence
- Silent Infection: leverage exploit
- Control Channel: malware communicates with attacker
- Deliver Malware: malicious file delivered
- Steal Data: data theft, sabotage, destruction

Page 7

Why Do We Still Get Infected?

Traditional Detection:
- Requires prior knowledge
- Scanning vs. activity-focused
- Can be reverse engineered

Detection and Remediation:
- Malicious activity can disable detection
- Remediation takes a great effort
- Too much noise – detection is ignored

Network-Layer Security:
- Can’t see all content
- No visibility to endpoint infections
- Hard to block malicious activity on legit protocols

Cloud-Based Emulation:
- Can’t simulate all environments
- Threat emulation can be identified by the malware
- Can’t enforce actions on the endpoint

84% of attacks discovered via third party
225 average days to detect a targeted attack

Today's Harsh Reality: Detection Alone is Not a Strategy

Page 8

The Patch Race

The inevitable delays in deploying patches and the ubiquity of unknown vulnerabilities make patching a losing battle.

Page 9

It’s time for a new approach

Demand Zero Trust on the Endpoint

Page 10

Zero Trust Model – Network Security

Access control on a “need-to-know” basis should be strictly enforced.
All resources are accessed in a secure manner regardless of location.
Inspect and log all traffic.

“Never Trust, Always Verify”

Page 11

Extending Zero Trust to the Endpoint

Don’t trust known applications – Exploit Prevention
- Child Process Blocking
- Block injection of malicious code

Don’t trust unknown executables
- Static Whitelisting
- Dynamic Analysis

Don’t trust unknown locations
- Removable Media
- Invalid folder locations

“Never Trust, Always Verify”

Page 12

Whitelisting alone is not enough

Trusted applications can be exploited
Malware can run in memory without creating a new .exe
Signing certificates can be compromised
Whitelisting can be difficult to manage in dynamic environments

Source: The Register
Source: Malware Don’t Need Coffee

Page 13

Don’t trust known applications – Exploit Prevention

Exploit Attack (no prevention):
Normal Application Execution -> Exploit Technique 1 -> Exploit Technique 2 -> Exploit Technique 3 -> Begin Malicious Activity (activate key logger, steal critical data, more…)

Gaps are vulnerabilities

1. Exploit attempt contained in a PDF sent by “known” entity.
2. PDF is opened and exploit techniques are set in motion to exploit a vulnerability in Acrobat Reader.
3. Exploit evades AV and drops a malware payload onto the target.
4. Malware evades AV, runs in memory.

Page 14

Don’t trust known applications – Exploit Prevention

Exploit Attack (with Traps Exploit Prevention Modules, EPM):
Normal Application Execution -> Exploit Technique -> Blocked by Traps EPM

1. Exploit attempt contained in a PDF sent by “known” entity.
2. PDF is opened and exploit techniques are set in motion to exploit a vulnerability in Acrobat Reader.
3. Exploit evades AV and drops a malware payload onto the target.
4. Malware evades AV, runs in memory.

Traps Exploit Prevention Modules (EPM):
1. Exploit attempt blocked. Traps requires no prior knowledge of the vulnerability.

Page 15

Don’t trust known applications – Exploit Prevention

Exploit Attack (with Traps EPM, first module disabled):
Normal Application Execution -> Exploit Technique 1 -> Exploit Technique (Blocked by Traps EPM) -> No Malicious Activity

1. Exploit attempt contained in a PDF sent by “known” entity.
2. PDF is opened and exploit techniques are set in motion to exploit a vulnerability in Acrobat Reader.
3. Exploit evades AV and drops a malware payload onto the target.
4. Malware evades AV, runs in memory.

Traps Exploit Prevention Modules (EPM):
1. Exploit attempt blocked. Traps requires no prior knowledge of the vulnerability.
2. If you turn off EPM #1, the first technique will succeed but the next one will be blocked, still preventing malicious activity.

Page 16

Exploit Prevention Case Study – Clandestine Fox

Prevention of One Technique in the Chain will Block the Entire Attack

Mitigations: OS Functions Shielding; Memory Corruption Mitigation; Logic-Flaws Real-Time Intervention; Algorithmic Memory Traps

Attack phases: Placement, Preparation, Triggering, Post Circumvention

Exploit technique chain:
1. Heap Spray
2. Use After Free
3. ROP
4. Utilizing OS Function

Page 17

Do not trust unknown executables or locations

Static Whitelisting: Prevent unknown executables; whitelisting for static environments
Dynamic Whitelisting: Prevent malicious executables with cloud-based threat intelligence and dynamic analysis
Device and Location Restrictions: Prevent malicious executables attempting to run from unauthorized devices or folder locations

Page 18

Malicious Executable Prevention

User Tries to Open Executable File
-> Policy-Based Restrictions Applied (Restricted Folder or Device?)
-> Hash Checked Against WildFire (Indicated as Malicious?)
-> File is Allowed to Execute
-> Malware Technique Prevention Employed (examples: Child Process? Thread Injection?)
-> Forensics Collected
-> Safe!
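The decision flow on this slide, modelled as an added example (not Traps or WildFire code): each stage runs in the deck's order and the first one that blocks ends the evaluation. The restricted folders, the list of parents that must not spawn executables, and the hash verdict table are constructed assumptions standing in for a real policy and the cloud verdict service.

```python
# Added example (not Traps or WildFire code): the slide's Malicious Executable
# Prevention flow as a pipeline that stops at the first blocking stage.
import hashlib
from dataclasses import dataclass

# Constructed policy: user-writable folders executables may not launch from,
# and document-handling parents that should never spawn a new executable.
RESTRICTED_FOLDERS = ("\\appdata\\local\\temp\\", "\\downloads\\")
NO_CHILD_PARENTS = {"acrord32.exe", "winword.exe"}

@dataclass
class LaunchEvent:
    path: str                     # where the executable was launched from
    content: bytes                # file bytes, hashed for the verdict lookup
    removable: bool = False       # launched from removable media?
    parent: str = ""              # spawning process (empty = user double-click)
    injects_thread: bool = False  # remote-thread injection seen at runtime

def evaluate_launch(ev: LaunchEvent, verdicts: dict) -> tuple:
    """(decision, reason); `verdicts` is a constructed stand-in for the cloud hash lookup."""
    # Stage 1: policy-based restrictions (restricted folder or device?)
    if ev.removable:
        return "block", "policy: removable media"
    if any(f in ev.path.lower() for f in RESTRICTED_FOLDERS):
        return "block", "policy: restricted folder"
    # Stage 2: hash checked against the verdict service (indicated as malicious?)
    digest = hashlib.sha256(ev.content).hexdigest()
    verdict = verdicts.get(digest, "unknown")
    if verdict == "malware":
        return "block", f"hash {digest[:12]} indicated as malicious"
    # Stage 3: the file runs; malware technique prevention watches its behaviour
    if ev.parent.lower() in NO_CHILD_PARENTS:
        return "block", f"technique: child process spawned by {ev.parent}"
    if ev.injects_thread:
        return "block", "technique: thread injection"
    return "allow", f"verdict={verdict}; forensics collected"  # Stage 4: forensics

# Constructed samples, one per decision branch; KNOWN_BAD is not real malware.
KNOWN_BAD = b"MZ constructed malicious sample"
VERDICTS = {hashlib.sha256(KNOWN_BAD).hexdigest(): "malware"}
SAMPLES = {
    "usb": LaunchEvent("E:\\setup.exe", b"MZ a", removable=True),
    "temp": LaunchEvent("C:\\Users\\j\\AppData\\Local\\Temp\\run.exe", b"MZ b"),
    "bad_hash": LaunchEvent("C:\\Tools\\tool.exe", KNOWN_BAD),
    "pdf_child": LaunchEvent("C:\\Tools\\ok.exe", b"MZ c", parent="AcroRd32.exe"),
    "unknown": LaunchEvent("C:\\Tools\\new.exe", b"MZ d"),
}

def run_samples() -> dict:
    return {name: evaluate_launch(ev, VERDICTS)[0] for name, ev in SAMPLES.items()}
```

The "unknown" sample is the case whitelisting alone cannot decide: the hash has no verdict, so it is allowed to run and only the runtime technique checks and collected forensics stand between it and "Safe!".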

Page 19

Advanced Threats Attack Vectors

Spear Phishing – Individual Users (HR, Finance, CEO): Email Attachment
Watering Hole – Mass Users: Website

Page 20

Spear Phishing Case Study: Anunak Campaign

The Anunak campaign targeted financial institutions and managed to access banking systems' servers and workstations.

January 2013 – Present

CVE-2012-2539
CVE-2012-0158
CVE-2014-4113 (win32k.sys)

Page 21

Spear Phishing Case Study: NetTraveler Campaign

The NetTraveler campaign targeted different sectors such as governmental institutions, embassies, the oil and gas industry, research centers, military contractors and activists.

June 2013 – Present

CVE-2012-0158
CVE-2010-3333

Page 22

Spear Phishing Case Study: IceFog Campaign

The IceFog campaign targeted the supply chain of major defense vendors, including government institutions, military contractors, maritime and ship-building groups, telecom operators, satellite operators, industrial and high technology companies and mass media.

September 2013 – Present

CVE-2012-0158
CVE-2013-0422 (JRE)
CVE-2012-1723 (JRE)

Page 23

Spear Phishing Case Study: Carbanak Campaign

The Carbanak campaign hit more than 100 banks and financial organizations, causing losses estimated at $1B.

December 2013 – Present

CVE-2012-0158
CVE-2013-3906
CVE-2014-1761

Page 24

Traps Protection Against Carbanak Campaign Exploits

Exploit techniques: Heap Spray, DEP Circumvention, ROP, JIT Spray, Utilize OS Functions

Traps protections: DLL Security, ROP Mitigation, UASLR, Memory Limit Heap Spray Check

Exploits: CVE-2012-1058, CVE-2013-3906, CVE-2014-1761

Page 25

Watering Hole Case Study: Department of Labor

Tibet.Net

CVE-2013-1347

May 2013 – Present

A zero-day vulnerability in Microsoft Internet Explorer 8.

The CVE was exploited in the wild as part of one of the most familiar campaigns (Dragonfly).

This vulnerability was later incorporated in common exploit kits like LightsOut, Private EK and Infinity.

Page 26

Watering Hole Case Study: Central Tibetan Administration website

Tibet.Net

CVE-2012-4681

August 2013 – Present

The attacks used Trojan.Win32.Swisyn.cyxf.

A site providing information about the parliament, cabinet, administrative departments and public offices.

CVE-2012-4681 was exposed as a zero-day after being seen exploited in the wild in 2012, and was detected and blocked by Traps.

Page 27

Watering Hole Case Study: LightsOut Exploit Kit

39essex[.]com

CVE-2012-1723
CVE-2013-1347
CVE-2013-1690
CVE-2013-2465

September 2013 – Present

Compromised energy-related law firm site.

Users visiting the site were redirected to a third-party site hosting the exploit kit.

The kit checks for Java, IE and Adobe Reader. Following the check, various exploits are triggered.

Targets: firms in the energy sector

Page 28

Watering Hole Case Study: ‘Operation Snowman’

vfw.org

CVE-2014-0322

February 2014 – Present

The vulnerability allows the attacker to bypass DEP and ASLR.

Targeted websites in France and the USA using an Internet Explorer zero-day.

Main targeted site: U.S. Veterans of Foreign Wars website

Page 29

Traps Protection Against LightsOut Exploit Kit

Memory Corruption Vulnerabilities (CVE-2013-1347, CVE-2013-1690)
- Exploit techniques: Heap Spray, DEP Circumvention, ROP, JIT Spray, Utilize OS Functions
- Traps protections: ROP Mitigation, DLL Security, UASLR, Shellcode Preallocation, Memory Limit Heap Spray Check

Java Vulnerabilities (CVE-2012-1723, CVE-2013-1465)
- Exploit technique: Java Sandbox Escape
- Traps protection: Java

Page 30

Summary

Traditional security solutions are not equipped to deal with today’s threats

Whitelisting provides basic protection but is not sufficient to prevent advanced threats

Extending Zero Trust to the endpoint:
- Don’t trust even the known applications – prevent exploits
- Don’t trust unknown executables
- Don’t trust external media or unauthorized folder locations

Page 31

Learn about Traps Advanced Endpoint Protection on our website: www.paloaltonetworks.com/products/endpoint-security.html