Mitigating Cybersecurity Risk with Palo Alto Networks and Splunk

Marc Benoit, Technical Director, Palo Alto Networks (#splunkconf). Copyright © 2013 Splunk Inc.

Jul 12, 2020

Transcript
Page 1: Mitigating Cybersecurity Risk with Palo Alto Networks and Splunk

Copyright © 2013 Splunk Inc.

Marc Benoit, Technical Director, Palo Alto Networks, #splunkconf

Page 2: Agenda

• Key Findings From the Cyber Security Review
• Coevolution of Malware and Applications
• How Attackers Leverage Applications
• Best Practices for Mitigating Threats
• Using Splunk to Triage Cyber Security Events

Page 3: Palo Alto Networks at a Glance

Corporate highlights
• Founded in 2005; first customer shipment in 2007
• Safely enabling applications and preventing cyber threats
• 13,000+ customers globally
• 1,150+ employees globally

• Next-generation security platform
• Designed from the ground up to analyze all traffic and perform all security functions in full application context
• Firewall, IPS, anti-malware, advanced threat prevention, URL filtering, content inspection
• Perimeter, data-center, cloud and virtual, and mobile

Page 4: Key Findings of Cyber Security Review

Page 5: Large Scale Analysis of Unknown Malware

• 3 months of WildFire data
• 1,000+ participating networks
• 26,000+ malware samples that had no coverage from any of the top 6 AV vendors at the time of detection
• Full lifecycle analysis of the malware
  - Infection session
  - Behaviors on the target host
  - Malware-generated traffic
• Focus on actionable advice

Page 6: Infection Vectors by Application

The web is where the action is for unknown malware.

• 68,000+ malware samples detected by WildFire
• 26,000+ malware samples that were fully undetected by AV
• 3% of malware delivered by email evaded all vendors, vs. more than 50% of malware delivered by the web

Page 7: Average Time to Detection by Antivirus

On average, it took traditional antivirus 4x as long to provide coverage for malware delivered in applications other than email.

Average Time to Coverage (days) by Application Vector:

Application Vector        Days
Web Browsing              20
Other Web Applications    19.7
File Sharing              19.3
Email                     5.3

Source: Palo Alto Networks, Modern Malware Review

Page 8: Time to Detection by Specific Application

Days until antivirus coverage, by application (chart values as extracted, paired with the bar labels in the chart's descending order):

Application                              Days
4shared                                  31
facebook-posting                         31
blog-posting                             31
dropbox                                  31
facebook-file- (label truncated in chart) 31
instagram                                31
naver-ndrive                             31
netload                                  31
rss                                      31
sharepoint                               31
soap                                     31
teachertube                              31
ftp                                      30
glype-proxy                              28
web-crawler                              26
depositfiles                             22
web-browsing                             20
http-proxy                               19
mail.ru-base                             17
rapidshare                               17
google-app-engine                        16
hotmail                                  15
sendspace                                14
outlook-web                              11
yahoo-mail                               9
smtp                                     5
hotfile                                  3
pop3                                     3
imap                                     3
aim-mail                                 1
comcast-webmail                          1

Source: Palo Alto Networks, WildFire Malware Report

Web applications and social media were relatively rare sources, but had extremely low detection rates.

Page 9: Time to Detection by Specific Application (continued)

Same chart as page 8, with the top 5 sources of unknown malware highlighted. FTP was a leading source and rarely detected.

Source: Palo Alto Networks, WildFire Malware Report

Page 10: 40% of Unknown Malware Files Were Variants

• Opportunity to block malware
  - In 40% of cases, a single signature matched multiple samples (variants)
  - 1 signature hit 1,500+ unique SHA values
  - Provides a way to block malware even when it is repackaged to avoid signatures
• WildFire subscription
  - Delivers signatures within 30 to 60 minutes of new malware being detected anywhere in the world

40% of malware samples were related.
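The variant finding above rests on the difference between a per-file hash, which a repackaged sample defeats by changing a single byte, and a signature that matches the structure sister samples share. The Python below is an added example, not code from the talk or from Palo Alto Networks: the sample layout, the YARA-style hex pattern with `??` wildcards, and the way variants are generated are all constructed for illustration and do not describe a real malware family.

```python
from __future__ import annotations

import hashlib
import re
import secrets

# Added example. YARA-style hex pattern; "??" is a one-byte wildcard. The field layout,
# the pattern and the "loader stub" idea are constructed for illustration and are not
# a signature from the WildFire report or a real malware family.
FAMILY_SIGNATURE = "4D 5A ?? ?? 50 45 00 00 4C 01 ?? ?? 4C 4F 41 44 45 52 ?? 53 54 55 42"


def compile_hex_signature(pattern: str) -> re.Pattern:
    """Compile 'AA ?? BB' into a bytes regex where '??' matches any single byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)])) for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def build_variant(build_no: int, key: int, junk: bytes) -> bytes:
    """One 'repackaged' sample: same stub layout, different build/key bytes, random trailing junk."""
    return (
        b"MZ" + bytes([build_no & 0xFF, key])
        + b"PE\x00\x00" + b"L\x01" + bytes([(build_no >> 8) & 0xFF, key ^ 0xFF])
        + b"LOADER" + bytes([key]) + b"STUB"
        + junk
    )


def make_family(n: int) -> list[bytes]:
    """n sister samples; build_no differs per sample, so every SHA-256 is distinct."""
    return [build_variant(i, (i * 37) % 256, secrets.token_bytes(16)) for i in range(n)]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_blocklist_coverage(samples: list[bytes], known_hashes: set[str]) -> int:
    """Samples a pure hash blocklist would stop: exactly the ones already seen."""
    return sum(1 for s in samples if sha256_hex(s) in known_hashes)


def signature_coverage(samples: list[bytes], pattern: str) -> set[str]:
    """Distinct SHA-256 values matched by ONE structural signature."""
    sig = compile_hex_signature(pattern)
    return {sha256_hex(s) for s in samples if sig.search(s)}


if __name__ == "__main__":
    family = make_family(1500)
    benign = b"MZ\x90\x00PE\x00\x00L\x01\x00\x00" + b"HELLO WORLD" * 4
    seen_once = {sha256_hex(family[0])}            # the one sample AV has already analysed
    print("distinct SHA-256 values:", len({sha256_hex(s) for s in family}))
    print("stopped by hash blocklist:", hash_blocklist_coverage(family, seen_once))
    print("stopped by one signature:", len(signature_coverage(family, FAMILY_SIGNATURE)))
    print("benign file matched:", bool(signature_coverage([benign], FAMILY_SIGNATURE)))
```

With 1,500 variants the hash blocklist stops one sample and the single structural signature stops all 1,500, while the benign file that shares only the generic MZ/PE header does not match. The wildcards are what make the signature survive repackaging; the trade-off is that every wildcard widens the pattern, so a real signature is tested against a clean-file corpus before it ships.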

Page 11: 40% of Unknown Malware Files Were Blockable

40% of unknown samples were identifiable as sister samples that shared specific identifiers in the file header and payload.

Most Commonly Observed Malware Behaviors on the Network (percent of samples):

Behavior                                              Percent
Contained unknown TCP/UDP traffic                     29.39%
Visited an unregistered domain                        24.38%
Sent out emails                                       20.46%
Used the POST method in HTTP                          12.38%
Triggered known IPS signature                          7.10%
IP country different from HTTP host TLD                6.92%
Communicated with new DNS server                       5.56%
Downloaded files with an incorrect file extension      4.53%
Connected to a non-standard HTTP port                  4.01%
Produced unknown traffic over the HTTP port            2.33%
Visited a recently registered domain                   1.87%
Visited a known dynamic DNS domain                     0.56%
Visited a fast-flux domain                             0.47%

Source: Palo Alto Networks, WildFire Malware Report

• Investigate and classify any unknown traffic
• No file downloads from unknown domains
• No HTTP POSTs to unknown domains
• No email traffic except to the corporate email server
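The four recommendations above are rules that can be run over traffic and URL logs and rolled up per source host, which is the triage the Splunk part of this talk is about. The Python below is an added example, not code from the talk or from the Splunk app for Palo Alto Networks: it applies those rules, plus the "recently registered domain" behavior from the chart, to a constructed log whose columns and rows are invented for illustration and are not the PAN-OS log format; the known-domain list and the corporate mail server address are assumptions.

```python
from __future__ import annotations

import csv
import io
from collections import defaultdict

# Constructed sample log (not PAN-OS output): each row fuses fields that the traffic,
# URL-filtering and data-filtering logs would carry separately. Addresses and hosts are
# documentation/example values.
SAMPLE_LOG = """\
time,src,dst,dport,app,http_method,host,file_name,domain_age_days
2013-09-30T10:00:01,10.1.1.20,93.184.216.34,80,web-browsing,GET,www.example.com,,3650
2013-09-30T10:00:07,10.1.1.20,198.51.100.7,8080,unknown-tcp,,,,
2013-09-30T10:00:09,10.1.1.20,198.51.100.9,80,web-browsing,POST,cdn-upd4te.example.net,,12
2013-09-30T10:00:12,10.1.1.21,198.51.100.9,80,web-browsing,GET,cdn-upd4te.example.net,setup.exe,12
2013-09-30T10:00:15,10.1.1.22,203.0.113.25,25,smtp,,,,
2013-09-30T10:00:16,10.1.1.22,10.1.5.5,25,smtp,,,,
2013-09-30T10:00:20,10.1.1.23,93.184.216.34,443,ssl,,www.example.com,,3650
"""

KNOWN_DOMAINS = {"www.example.com", "mail.example.com"}   # assumption: the org's vetted domains
CORP_MAIL_SERVERS = {"10.1.5.5"}                           # assumption: the only sanctioned MTA
MAIL_APPS = {"smtp", "pop3", "imap"}
NEW_DOMAIN_DAYS = 30                                       # "recently registered" threshold


def triage(log_text: str, known_domains=KNOWN_DOMAINS, corp_mail=CORP_MAIL_SERVERS) -> dict:
    """Apply the network-behavior rules to every row; return {src_ip: [(rule, detail), ...]}."""
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        src, dst, app, host = row["src"], row["dst"], row["app"], row["host"]
        unknown_host = bool(host) and host not in known_domains
        age = int(row["domain_age_days"]) if row["domain_age_days"] else None

        if app in ("unknown-tcp", "unknown-udp"):          # investigate and classify unknown traffic
            findings[src].append(("unknown-traffic", f"{app} to {dst}:{row['dport']}"))
        if row["file_name"] and unknown_host:               # no file downloads from unknown domains
            findings[src].append(("download-from-unknown-domain", f"{row['file_name']} from {host}"))
        if row["http_method"] == "POST" and unknown_host:   # no HTTP POSTs to unknown domains
            findings[src].append(("post-to-unknown-domain", host))
        if age is not None and age < NEW_DOMAIN_DAYS:       # recently registered domain (chart behavior)
            findings[src].append(("recently-registered-domain", f"{host} ({age} days old)"))
        if app in MAIL_APPS and dst not in corp_mail:       # no mail traffic except to the corp server
            findings[src].append(("mail-not-to-corp-server", f"{app} to {dst}"))
    return dict(findings)


def rank_hosts(findings: dict) -> list[tuple[str, int]]:
    """Hosts ordered by number of findings, most suspicious first (ties broken by address)."""
    return sorted(((src, len(f)) for src, f in findings.items()), key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for src, count in rank_hosts(results):
        print(src, count)
        for rule, detail in results[src]:
            print("   ", rule, "-", detail)
```

On the constructed log, 10.1.1.20 surfaces first with three findings (unknown traffic, a POST to an unvetted host, and that host being 12 days old), 10.1.1.21 second for pulling setup.exe from the same young domain, and 10.1.1.22 last for one SMTP session that bypassed the corporate mail server; the host that only spoke to a vetted domain produces nothing. Stacking several low-confidence behaviors per host, rather than alerting on each one, is what keeps the unknown-traffic rule from drowning the analyst.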

Page 12: Evasive Behaviors Varied Heavily by Application

Non-standard port use by application (chart values as extracted):

Application     Number of Non-Standard Ports    Percent Non-Standard Sessions
FTP             237                             97%
Custom-TCP      19                              43%
HTTP-Proxy      29                              17%
Web Browsing    90                              10%

Source: Palo Alto Networks, WildFire Malware Report

Page 13: Malware Behaviors on the Host

Lots of effort spent on evading security and analysis.

Most Commonly Observed Malware Behaviors (share of observed behaviors):
• Persistence: 33%
• Outbound traffic: 33%
• Analysis avoidance: 19%
• Data theft: 10%
• Hacking: 5%

Source: Palo Alto Networks, WildFire Malware Report

Page 14: Analysis Avoidance

Behavior                                        Percent of samples
long_sleep                                      56.92%
delete_itself                                   20.42%
code_inject                                     13.52%
Attempted to determine external IP address       0.09%

Source: Palo Alto Networks, WildFire Malware Report

Page 15: Coevolution of Malware and Applications

Page 16: Malware ARE Applications

(Venn diagram: Applications, Malware)

Page 17: Co-evolution of Applications and Threats

For an attacker, applications are:

Target: vulnerabilities, known and unknown (e.g. browser, JRE)
Vector: delivery of malware, social engineering (e.g. social media, web-mail)
Disguise: blend in, evade, and circumvent (e.g. DNS tunneling, C2 over social media)
Inspiration: command and control, persistence strategies (e.g. peer-to-peer)

Page 18: Case Study: Parasitism in Mobile Malware

Page 19: Mobility Being Adopted Faster than Any Technology in History

New platforms mean new attack surface.

Page 20: Mobile Ad Networks and Malware

• Mobile ad networks present a novel security challenge
  - App developers need to use them in order to make money
  - They often require the developer to embed software from the ad network within the application
  - Structurally akin to a botnet
• Palo Alto Networks researchers observed previously unknown malware being distributed by one of these ad networks

Mobile ad networks are uniquely ingrained in mobile apps.

Page 21: (image-only slide)

Page 22: How Mobile Ad Networks Work

(Diagram: an app with an embedded ad-network SDK is published to the App Store (1); the ad network delivers ads into the app through that SDK (2).)

Page 23: Ready-Made Botnet

(Diagram: the same app + SDK path through the App Store (1), but a malicious ad network delivers malware instead of ads (2).)

Page 24: Analysis of Parasites Malware

• Discovered by WildFire malware behavioral analysis
• Delivered via mobile ad network
• Malicious code repackaged within a benign host application
• Triggered to execute independent of the host app based on local events on the device
  - A user unlocks the device
  - Device connects to a WiFi network
  - New app is installed
• Able to add new malware into any app on the host

So many choices…

Page 25: Appending an APK to another APK

Page 26: A Simple, but Powerful Botnet

• Building a botnet out of many different infected applications
• The malware can infect any app on the host, providing many places to hide
• Uses SMS to build a command and control channel
  - Sends SMS to attacker-controlled numbers
  - Intercepts incoming SMS messages
  - Uses both the device ID and the infected app to identify hosts and build a botnet

(Diagram: Device #1 / App B, Device #2 / App C, Device #3 / App D)

Page 27: How Attackers Leverage Applications in Advanced Attacks

Page 28: File Transfer Applications – Good or Bad?

The Enterprise (Good):
• P2P applications for transferring large distros
• Collaboration applications (SharePoint)
• Asset management (Dropbox)

The User (Unknown):
• Dropbox and SharePoint to do work
• P2P and MEGA for downloading illegal movies (and malware)

The Bad Guy (Bad):
• Delivery of secondary payloads (FTP, HTTP, IM, etc.)
• Heavy use of non-standard ports
• Theft of data

Page 29: Mandiant's Analysis of APT1

Phase of Attack          Attack Tools
Initial Infection        Email
Backdoor                 HTTP, custom protocols, Poison Ivy
Covert Communications    Customized use of MSN Messenger, Jabber, and Gmail Calendar; SSL encryption of backdoor traffic; HTRAN used to proxy traffic
Ongoing Management       RDP
Exfiltration             FTP

"The programs acting as APT1 servers have mainly been: (1) FTP, for transferring files; (2) web, primarily for WEBC2; (3) RDP, for remote graphical control of a system; (4) HTRAN, for proxying; and (5) C2 servers associated with various backdoor families."
  - Mandiant APT1 Report

Page 30: Example: Custom C2 Built from P2P

• Customized malware communication based on qvod (P2P protocol)
• Customized TCP used to connect to a variety of sockets

Page 31: Unknown Traffic = 55% of Malware Logs, <2% of Bandwidth

Unknown traffic is frequently caused by malware using custom encryption, proprietary protocols or file transfers over raw sockets.

Page 32: Example: Custom Traffic

• Repeated pattern of DNS, HTTP, and unknown traffic
• The unknown proved to be the most important traffic

Page 33: A Closer Look at the Unknown Session…

Page 34: Malware-Enabling Applications

What to Do                                                Why Do It
Investigate unknown or custom traffic                     Malware infection vector, malware C2 channel, data theft
Limit peer-to-peer applications                           Malware infection vector, malware C2 channel, data theft
Block anonymizers                                         Malware C2, APT tool, evasion tool
Standardize on approved proxies                           Malware C2, APT tool, evasion tool
Limit remote desktop                                      APT tool, evasion tool
Block encrypted tunnel applications such as UltraSurf     Evasion tool, malware C2
Decrypt SSL and block custom encryption                   Used by malware to avoid inspection

Page 35: Port-Based Evasion: Good for applications, good for malware, bad for security

Page 36: Challenges to Port-Based Classification

Non-Standard Ports (applications that can use non-standard ports)
- Evasive applications
- Standard application behavior
- Security best practices: moving internet-facing protocols off of standard ports (e.g. RDP)

Tunneling Within Allowed Protocols (applications that can tunnel other apps and protocols)
- SSL and SSH
- HTTP
- DNS

Circumventors (applications designed to avoid security)
- Proxies
- Anonymizers (Tor)
- Custom encrypted tunnels (e.g. Freegate, Ultrasurf)

Page 37: Evasive Applications by Type

Page 38: Malware Example: Use of Non-standard Ports

• Unknown traffic traversing the DNS port
• HTTP using registered/ephemeral ports

Page 39: Tunneling Information over Fake DNS

It is essential to control by application, rather than by port.

Page 40: Other Examples of DNS Tunneling

• tcp-over-dns
• dns2tcp
• Iodine
• Heyoka
• OzymanDNS
• NSTX

These take advantage of recursive queries to pass encapsulated TCP messages to/from a remote DNS server.
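To see what these tools look like on the wire, and why inspecting the DNS application rather than port 53 is what separates them from ordinary lookups, here is an added Python example; it is not code from the talk or from any of the tools listed. It models how a tunnel carries data as base32 query labels under a constructed zone (tunnel-example.net), then profiles each zone's queries on three features (distinct-subdomain ratio, label length, entropy) and flags the tunnel while leaving a busy but legitimate CDN-style zone alone. The thresholds, the two-label zone split and all query data are assumptions.

```python
from __future__ import annotations

import base64
import math
import random
from collections import defaultdict

TUNNEL_DOMAIN = "t.tunnel-example.net"   # constructed attacker zone
MIN_QUERIES = 10                          # assumption: too few queries to judge a zone below this


def encode_tunnel_queries(payload: bytes, domain: str, chunk: int = 30) -> list[str]:
    """Model of the tunnel side: each 30-byte chunk becomes one base32 label (48 chars, under the
    63-octet label limit) with a hex sequence label in front so the far-end server can reassemble."""
    names = []
    for i in range(0, len(payload), chunk):
        piece = base64.b32encode(payload[i:i + chunk]).decode().rstrip("=").lower()
        names.append(f"{i // chunk:x}.{piece}.{domain}")
    return names


def shannon_entropy(s: str) -> float:
    """Bits per character; random base32 data approaches 5, ordinary hostnames sit well below 3.5."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Crude zone split on the last two labels (assumption; production code uses the public suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def detect_dns_tunnels(queries: list[tuple[str, str]], min_queries: int = MIN_QUERIES) -> dict:
    """Per zone: query count, distinct-subdomain ratio, mean subdomain length, mean entropy, verdict.
    All three features must be high; any one alone also fires on legitimate CDN or cache-busting names."""
    subs_by_zone = defaultdict(list)
    for _client, qname in queries:
        zone = registered_domain(qname)
        subs_by_zone[zone].append(qname[: len(qname) - len(zone)].rstrip("."))
    report = {}
    for zone, subs in subs_by_zone.items():
        n = len(subs)
        feats = {
            "queries": n,
            "distinct_ratio": len(set(subs)) / n,
            "avg_sub_len": sum(map(len, subs)) / n,
            "avg_entropy": sum(map(shannon_entropy, subs)) / n,
        }
        feats["flagged"] = (n >= min_queries and feats["distinct_ratio"] > 0.9
                            and feats["avg_sub_len"] > 30 and feats["avg_entropy"] > 3.5)
        report[zone] = feats
    return report


def build_sample_queries() -> list[tuple[str, str]]:
    """Constructed query log: normal browsing, a CDN zone with many short unique names, one tunnel."""
    normal = [("10.1.1.20", "www.example.com")] * 30 + [("10.1.1.21", "mail.example.com")] * 10
    cdn = [("10.1.1.21", f"img-{i}.cdn-example.org") for i in range(20)]
    rng = random.Random(7)
    payload = bytes(rng.getrandbits(8) for _ in range(600))   # stands in for 600 bytes of exfiltrated data
    tunnel = [("10.1.1.40", q) for q in encode_tunnel_queries(payload, TUNNEL_DOMAIN)]
    return normal + cdn + tunnel


if __name__ == "__main__":
    for zone, feats in detect_dns_tunnels(build_sample_queries()).items():
        print(f"{zone:22} n={feats['queries']:3} distinct={feats['distinct_ratio']:.2f} "
              f"len={feats['avg_sub_len']:5.1f} H={feats['avg_entropy']:.2f} flagged={feats['flagged']}")
```

The CDN zone scores 1.0 on distinct-subdomain ratio, which is why that feature alone is a poor detector; it is the combination with 50-character, high-entropy labels that singles out tunnel-example.net. Real tunnels also show up as a high query rate to one authoritative server and as TXT or NULL responses carrying the return channel, which this profile does not model.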

Page 41: Example: Non-standard Ports

• Unknown traffic traversing the DNS port
• HTTP using registered/ephemeral ports

Page 42: Largest Session Contains a Secondary Payload

Page 43: Non-standard Ports and Targeted Malware

FTP was the most evasive application observed in a recent 3-month study of 0-day malware:
- 95% of unknown samples delivered via FTP were never covered by antivirus
- 97% of malware FTP sessions used non-standard ports, and used 237 different non-standard ports

Page 44: Prevalence of Port Evasion by Application

Same chart as page 12 (number of non-standard ports and percent of non-standard sessions, by application). Source: Palo Alto Networks, WildFire Malware Report.

Varies by application, but not at all unusual:
• FTP – 97%
• Custom TCP – 43%
• HTTP-Proxy – 17%
• Web Browsing – 10%
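The two series in this chart (and on page 12), distinct non-standard ports and percent of non-standard sessions per application, are simple to compute from session logs once the application is identified independently of the port. The Python below is an added example, not from the talk or the Splunk app: the application default-port table and the session records are constructed for illustration (the real mapping lives in the firewall's App-ID database), and an application without a defined default such as unknown-tcp is reported separately rather than scored.

```python
from __future__ import annotations

from collections import defaultdict

# Assumption: a hand-built subset of application-default ports. On the firewall this mapping
# comes from the App-ID database; the values here are illustrative, not authoritative.
APP_DEFAULT_PORTS = {
    "ftp": {("tcp", 21)},
    "web-browsing": {("tcp", 80)},
    "http-proxy": {("tcp", 8080), ("tcp", 3128)},
    "ssl": {("tcp", 443)},
    "dns": {("tcp", 53), ("udp", 53)},
    "smtp": {("tcp", 25)},
}


def is_standard_port(app: str, proto: str, port: int) -> bool | None:
    """True/False for apps with a defined default; None when the app has none (e.g. unknown-tcp)."""
    defaults = APP_DEFAULT_PORTS.get(app)
    if defaults is None:
        return None
    return (proto, port) in defaults


def port_evasion_stats(sessions: list[tuple[str, str, int]]) -> dict:
    """Per app: session count, non-standard session count, the distinct non-standard ports seen,
    and percent non-standard, i.e. the two series in the chart. Apps with no default are
    collected under 'unclassifiable' instead of being scored."""
    stats = defaultdict(lambda: {"sessions": 0, "nonstandard": 0, "ports": set()})
    unclassifiable = defaultdict(int)
    for app, proto, port in sessions:
        verdict = is_standard_port(app, proto, port)
        if verdict is None:
            unclassifiable[app] += 1
            continue
        s = stats[app]
        s["sessions"] += 1
        if not verdict:
            s["nonstandard"] += 1
            s["ports"].add((proto, port))
    for s in stats.values():
        s["pct_nonstandard"] = round(100.0 * s["nonstandard"] / s["sessions"], 1)
        s["ports"] = sorted(s["ports"])
    return {"apps": dict(stats), "unclassifiable": dict(unclassifiable)}


def sessions_denied_by_app_default(sessions: list[tuple[str, str, int]]) -> int:
    """Sessions a rule whose service is the application's default ports would have denied."""
    return sum(1 for app, proto, port in sessions if is_standard_port(app, proto, port) is False)


def sample_sessions() -> list[tuple[str, str, int]]:
    """Constructed session records (app, proto, dst_port) mimicking the chart's shape, not its data."""
    s = [("ftp", "tcp", 21)]
    s += [("ftp", "tcp", p) for p in (2121, 8021, 10021, 31337, 4444, 2222, 9999, 1080, 5050)]
    s += [("web-browsing", "tcp", 80)] * 18 + [("web-browsing", "tcp", 8081)] * 2
    s += [("ssl", "tcp", 443)] * 5
    s += [("unknown-tcp", "tcp", 6666)] * 3
    return s


if __name__ == "__main__":
    result = port_evasion_stats(sample_sessions())
    for app, s in result["apps"].items():
        print(f"{app:14} sessions={s['sessions']:3} non-standard={s['pct_nonstandard']:5.1f}% "
              f"distinct ports={len(s['ports'])}")
    print("unclassifiable:", result["unclassifiable"])
    print("would be denied by application-default:", sessions_denied_by_app_default(sample_sessions()))
```

On the constructed data FTP shows 90% non-standard sessions over 9 distinct ports while web-browsing shows 10% over one port, the same shape as the chart. The last function is the policy link to the "Setting Application Default Ports" example later in the deck: pinning each allowed application to its default ports denies exactly the sessions counted as non-standard here, which is why the metric doubles as a preview of rule impact.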

Page 45: Summary

• Applications and malware evolve in lockstep
• The need for persistence and stealth leads to increased cross-over between apps and threats
• Fine-grained application visibility and control is increasingly critical for detecting both threats and anomalies

Page 46: Best Practices for Mitigating Threats

Page 47: Any Traffic Not Fully Inspected = Threats Missed

• The Rule of All
  - All traffic must be inspected equally
  - Full-stack analysis must be the 1st step
  - All traffic, all ports, all the time
• Progressive Inspection
  - Decode: application and protocol decoders must be used to progressively open tunnels
  - Decrypt: targeted, based on policy
  - Decompress: files (e.g. ZIP) and traffic (gzip)
• Stop the Methods Threats Use to Hide
  - Encrypted tunnels
  - Anonymizers
  - Malicious proxies
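Progressive inspection means peeling each container layer off and re-identifying the content by its bytes, with caps on depth and on inflated size so the inspector itself cannot be stalled. The Python below is an added example, not code from the talk or from Palo Alto Networks: it unwraps gzip and zip layers recursively, identifies content by magic bytes rather than by extension, and stops on a depth limit or on a decompression bomb. The magic-byte table is a small constructed subset and the sample files are built inline.

```python
from __future__ import annotations

import gzip
import io
import zipfile

# Assumption: a small magic-byte table; a real inspector carries hundreds of types.
MAGIC = ((b"\x1f\x8b", "gzip"), (b"PK\x03\x04", "zip"), (b"MZ", "pe"), (b"%PDF", "pdf"))
CONTAINERS = {"gzip", "zip"}


def identify(data: bytes) -> str:
    """Type by leading bytes, never by file extension or Content-Type header."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def progressive_inspect(data: bytes, max_depth: int = 4, max_bytes: int = 8 * 1024 * 1024,
                        path: str = "root") -> list[tuple[str, str]]:
    """Return (path, type) for this blob and for everything found by opening gzip/zip layers.
    Depth and inflated size are capped so a nested archive or a decompression bomb cannot stall
    the inspector; hitting a cap is reported as a finding rather than silently ignored."""
    kind = identify(data)
    found = [(path, kind)]
    if kind not in CONTAINERS:
        return found
    if max_depth == 0:
        found.append((path, "depth-limit"))
        return found
    if kind == "gzip":
        # read one byte past the cap: the archive header cannot be trusted to state the real size
        inner = gzip.GzipFile(fileobj=io.BytesIO(data)).read(max_bytes + 1)
        if len(inner) > max_bytes:
            found.append((path, "size-limit"))
        else:
            found += progressive_inspect(inner, max_depth - 1, max_bytes, path + "/gz")
    else:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = path + "/" + info.filename
                with zf.open(info) as f:
                    inner = f.read(max_bytes + 1)
                if len(inner) > max_bytes:
                    found.append((member, "size-limit"))
                else:
                    found += progressive_inspect(inner, max_depth - 1, max_bytes, member)
    return found


def build_samples() -> dict[str, bytes]:
    """Constructed inputs: a realistic delivery plus two inputs that exercise the caps."""
    pe_stub = b"MZ" + b"\x90" * 62                      # stands in for an executable
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("update.bin", pe_stub)              # misleading extension hides the PE
    nested = b"%PDF-1.4 constructed"
    for _ in range(5):
        nested = gzip.compress(nested)
    return {
        "delivery": gzip.compress(zbuf.getvalue()),           # gzip -> zip -> PE
        "bomb": gzip.compress(b"\x00" * (2 * 1024 * 1024)),   # 2 MiB of zeros in a few KB
        "nested": nested,                                     # five gzip layers
    }


if __name__ == "__main__":
    samples = build_samples()
    print("outer type only:", identify(samples["delivery"]))
    print("progressive:", progressive_inspect(samples["delivery"]))
    print("bomb:", progressive_inspect(samples["bomb"], max_bytes=1024 * 1024))
    print("nested:", progressive_inspect(samples["nested"], max_depth=2))
```

Looking only at the outer bytes reports "gzip" and nothing more; walking the layers reports the zip and then the PE hiding behind the .bin name, which is the "incorrect file extension" behavior from the page 11 chart. The two caps are the part most inspectors get wrong: without the size cap, a few kilobytes of gzip inflate to megabytes per request, and without the depth cap, a self-nesting archive turns the inspector into the denial-of-service target.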

Page 48: An Integrated Approach to Threat Prevention

Reducing Risk:

Applications: visibility and control of all traffic, across all ports, all the time
• Reduce the attack surface
• Control the threat vector
• Control the methods that threats use to hide

Sources: control traffic sources and destinations based on risk
• Sites known to host malware
• Find traffic to command and control servers
• SSL decrypt high-risk sites

Known Threats: stop exploits, malware, spying tools, and dangerous files
• NSS tested and Recommended IPS
• Stream-based anti-malware based on millions of samples
• Control threats across any port

Unknown Threats: automatically identify and block new and evolving threats
• WildFire analysis of unknown files
• Visibility and automated management of unknown traffic
• Anomalous behaviors

Page 49: WildFire Public Cloud

Page 50: WildFire with WF-500

(Diagram of the WF-500 deployment. Labels: WildFire Cloud; All unknown files; Confirmed Malware (optional); Signatures; Customer Firewalls; Local Customer Network.) Log link to analysis sent to PA to be added to the WildFire log.

Page 51: WildFire Private Cloud

WildFire license required.

Page 52: Reduce the Exposure

• Block unneeded and high-risk applications
  - Block (or limit) peer-to-peer applications
  - Block unneeded applications that can tunnel other applications
  - Review the need for applications known to be used by malware
  - Block anonymizers such as Tor
  - Block encrypted tunnel applications such as UltraSurf
  - Limit use to approved proxies
  - Limit use of remote desktop

Page 53: Policy Example

Page 54: Policy Example

Potential URL categories for correlation:
• Not-resolved
• Proxy-avoidance and anonymizers
• Open-http-proxies
• Peer-to-peer
• Spyware/Unknown

Page 55: Policy Example – Limit Permissions for Unknowns

Page 56: Policy Example – Setting Application Default Ports

Page 57: Controlling Remote Desktop and Instant Messaging

Page 58: Analyzing and Correlating the Data (AKA SPLUNKTASTICNESS)

Page 59: Splunk for Palo Alto Networks

Page 60: Splunk for Palo Alto Networks (continued)

Page 61: Demo

Page 62: Next Steps

1. Download the .conf2013 Mobile App. If not iPhone, iPad or Android, use the Web App.
2. Take the survey & WIN A PASS FOR .CONF2014… or one of these bags!

Page 63: THANK YOU