Extending Zero Trust To The Endpoint
Kevin Harvey & Jon Bosche
Cyber Security Specialist Team
Palo Alto Networks
Agenda
Harsh Reality – We are at more risk than ever
Why we are still getting infected
Zero Trust Model – Network Security
Extending the Zero Trust model to the endpoint
Recent APT Campaigns
Summary
2 | ©2014, Palo Alto Networks. Confidential and Proprietary.
We All Know The Risks
Figure: breach examples with the labels J.P. Morgan (~80M records), Target (40M CC, 70M records, $200M cost), Carbanak (~$1B in stolen funds) and Sony (40M CC, 70M records, $100M cost).
Harsh Reality – We Are More at Risk than Ever
91%: Increase in targeted attacks in 2013
78%: Of exploit kits utilize vulnerabilities less than two years old
71%: Of breaches involve a targeted user device
Attackers are well funded and more sophisticated
Launching zero-day attacks is more accessible and common
Targeted attacks can only be solved on the endpoint
Understanding the Threat: Exploit vs. Malware – What’s the difference?
All pieces of software contain bugs
Some bugs may be security vulnerabilities
Some security vulnerabilities can be exploited to achieve (remote) code execution (RCE)

Exploit                                              | Malware
Malformed data file that is processed by a legit app | Malicious code that comes in an executable file form
Aims to achieve code execution abilities             | Already executes code - aims to control the machine
Small payload                                        | Large payload

“(…) threat is orchestration of the overall attack, not necessarily the sophistication of the individual components…”
Jayce Nichols, Manager, Cybercrime Analysis Team, iSight
A Typical Cyber Security Attack Life Cycle
Figure: attack life cycle stages: Plan the Attack (Gather Intelligence); Silent Infection (Leverage Exploit); Malware Communicates with Attacker (Control Channel); Malicious File Delivered (Deliver Malware); Data Theft, Sabotage, Destruction (Steal Data).
Why Do We Still Get Infected?
Traditional Detection: Requires prior knowledge; scanning vs. activity-focused; can be reverse engineered
Detection and Remediation: Malicious activity can disable detection; remediation takes a great effort; too much noise – detection is ignored
Network-Layer Security: Can’t see all content; no visibility to endpoint infections; hard to block malicious activity on legit protocols
Cloud-Based Emulation: Can’t simulate all environments; threat emulation can be identified by the malware; can’t enforce actions on the endpoint
84% of attacks discovered via third party
225 average days to detect a targeted attack
Today's Harsh Reality: Detection Alone is Not a Strategy
The Patch Race
The inevitable delays in deploying patches and the ubiquity of unknown vulnerabilities make patching a losing battle.
It’s time for a new approach: Demand Zero Trust on the Endpoint
Zero Trust Model – Network Security (“Never Trust, Always Verify”)
Access control on a “need-to-know” basis should be strictly enforced.
All resources are accessed in a secure manner regardless of location.
Inspect and log all traffic.
Extending Zero Trust to the Endpoint (“Never Trust, Always Verify”)
Don’t trust known applications: Exploit Prevention; Child Process Blocking; Block injection of malicious code
Don’t trust unknown executables: Static Whitelisting; Dynamic Analysis
Don’t trust unknown locations: Removable Media; Invalid folder locations
Whitelisting alone is not enough
Trusted applications can be exploited
Malware can run in memory without creating a new .exe
Signing certificates can be compromised
Whitelisting can be difficult to manage in dynamic environments
Sources: The Register; Malware Don’t Need Coffee
Don’t trust known applications: Exploit Prevention
Figure: an exploit attack with no protection. Normal application execution -> Exploit technique 1 -> Exploit technique 2 -> Exploit technique 3 -> Begin malicious activity (activate key logger, steal critical data, more). Gaps are vulnerabilities.
1. Exploit attempt contained in a PDF sent by “known” entity.
2. PDF is opened and exploit techniques are set in motion to exploit a vulnerability in Acrobat Reader.
3. Exploit evades AV and drops a malware payload onto the target.
4. Malware evades AV, runs in memory.
Figure: the same attack with Traps Exploit Prevention Modules (EPM). Normal application execution -> Exploit technique blocked by Traps EPM -> No malicious activity.
1. Exploit attempt blocked. Traps requires no prior knowledge of the vulnerability.
2. If you turn off EPM #1, the first technique will succeed but the next one will be blocked, still preventing malicious activity.
Don’t trust known applications: Exploit Prevention
Exploit Prevention Case Study – Clandestine Fox
Prevention of one technique in the chain will block the entire attack.
Figure: the Clandestine Fox exploit chain by phase: Preparation (1. Heap Spray), Triggering (2. Use After Free), Post (3. ROP), Circumvention (4. Utilizing OS Function). Traps EPM categories shown alongside the chain: Memory Corruption Mitigation, Logic-Flaws Real-Time Intervention, Algorithmic Memory Traps Placement, OS Functions Shielding.
Do not trust unknown executables or locations
Static Whitelisting: Prevent unknown executables; whitelisting for static environments
Dynamic Whitelisting: Prevent malicious executables with cloud-based threat intelligence and dynamic analysis
Device and Location Restrictions: Prevent malicious executables attempting to run from unauthorized devices or folder locations
Malicious Executable Prevention
Figure: decision flow for an executable launch:
1. User tries to open executable file
2. Policy-based restrictions applied (restricted folder or device?)
3. Hash checked against WildFire (indicated as malicious?)
4. File is allowed to execute
5. Malware technique prevention employed (child process? thread injection?)
6. Safe!
A “yes” at any question node stops the launch and forensics are collected.
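The launch flow in the figure above, modelled as an added example that is not Traps or WildFire code: the restricted-location policy, the verdict cache standing in for the cloud hash lookup, and the sample launches are all constructed here.

```python
import hashlib
from dataclasses import dataclass

# Constructed policy: launch locations the endpoint policy does not trust.
RESTRICTED_FOLDERS = ("\\appdata\\local\\temp\\", "\\downloads\\")
REMOVABLE_DRIVES = ("e:\\", "f:\\")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-in for the cloud hash lookup (WildFire in the deck).
VERDICT_CACHE = {
    sha256_hex(b"CONSTRUCTED MALWARE SAMPLE"): "malware",
    sha256_hex(b"CONSTRUCTED SIGNED TOOL"): "benign",
}

@dataclass
class Launch:
    path: str
    content: bytes
    child_of_reader: bool = False  # spawned by a document reader (child-process check)
    injects_threads: bool = False  # attempts remote-thread injection (injection check)

def evaluate(launch: Launch, verdicts: dict = VERDICT_CACHE) -> tuple:
    """Deck flow: restrictions, hash verdict, runtime technique checks -> (allowed, reason, forensics)."""
    path = launch.path.lower()
    forensics = {"path": launch.path, "sha256": sha256_hex(launch.content)}
    # Stage 1: device and folder restrictions need no inspection of the file.
    if path.startswith(REMOVABLE_DRIVES):
        return False, "blocked: removable media", forensics
    if any(folder in path for folder in RESTRICTED_FOLDERS):
        return False, "blocked: restricted folder", forensics
    # Stage 2: hash verdict; an unknown hash is recorded here, not blocked.
    forensics["verdict"] = verdicts.get(forensics["sha256"], "unknown")
    if forensics["verdict"] == "malware":
        return False, "blocked: known malicious hash", forensics
    # Stage 3: the file runs, but malware techniques seen at runtime stop it.
    if launch.child_of_reader:
        return False, "blocked: child process of document reader", forensics
    if launch.injects_threads:
        return False, "blocked: thread injection", forensics
    return True, "allowed", forensics
# Constructed launches, one per decision path in the figure.
SAMPLES = [
    Launch("E:\\setup.exe", b"CONSTRUCTED SIGNED TOOL"),
    Launch("C:\\Users\\kh\\AppData\\Local\\Temp\\invoice.exe", b"unknown dropper"),
    Launch("C:\\Program Files\\Tool\\tool.exe", b"CONSTRUCTED MALWARE SAMPLE"),
    Launch("C:\\Program Files\\Tool\\tool.exe", b"CONSTRUCTED SIGNED TOOL", child_of_reader=True),
    Launch("C:\\Program Files\\Tool\\tool.exe", b"CONSTRUCTED SIGNED TOOL"),
]
```

An unknown hash passes stage 2 exactly as in the figure, which is why the runtime checks in stage 3 are the backstop the deck argues for.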
Advanced Threats Attack Vectors
Spear Phishing – Individual Users (HR, Finance, CEO): Email Attachment
Watering Hole – Mass Users: Website
Spear Phishing Case Study: Anunak Campaign
The Anunak campaign targeted financial institutions and managed to access banking system servers and workstations.
January 2013 – Present
CVE-2012-2539
CVE-2012-0158
CVE-2014-4113 (win32k.sys)
Spear Phishing Case Study: NetTraveler Campaign
The NetTraveler campaign targeted different sectors such as governmental institutions, embassies, the oil and gas industry, research centers, military contractors and activists.
June 2013 – Present
CVE-2012-0158
CVE-2010-3333
Spear Phishing Case Study: IceFog Campaign
The IceFog campaign targeted the supply chain of major defense vendors, including government institutions, military contractors, maritime and ship-building groups, telecom operators, satellite operators, industrial and high-technology companies and mass media.
September 2013 – Present
CVE-2012-0158
CVE-2013-0422 (JRE)
CVE-2012-1723 (JRE)
Spear Phishing Case Study: Carbanak Campaign
The Carbanak campaign hit more than 100 banks and financial organizations, causing losses estimated at $1B.
December 2013 – Present
CVE-2012-0158
CVE-2013-3906
CVE-2014-1761
Traps Protection Against Carbanak Campaign Exploits
Table: for each of CVE-2012-0158, CVE-2013-3906 and CVE-2014-1761, the exploit techniques used (Heap Spray, DEP Circumvention, ROP, JIT Spray, Utilize OS Functions) are mapped to the Traps modules that stop them: DLL Security, ROP Mitigation, UASLR and Memory Limit Heap Spray Check.
Watering Hole Case Study: Department of Labor
CVE-2013-1347
May 2013 – Present
A zero-day vulnerability in Microsoft Internet Explorer 8.
The CVE was exploited in the wild as part of some of the most familiar campaigns (Dragonfly).
This vulnerability was later incorporated in common exploit kits like LightsOut, Private EK and Infinity.
Watering Hole Case Study: Central Tibetan Administration website (Tibet.Net)
CVE-2012-4681
August 2013 – Present
A site providing information about the parliament, cabinet, administrative departments and public offices.
The attacks used Trojan.Win32.Swisyn.cyxf.
CVE-2012-4681 was exposed as a zero day after being seen exploited in the wild in 2012 and was detected and blocked by Traps.
Watering Hole Case Study: LightsOut Exploit Kit
39essex[.]com
CVE-2012-1723
CVE-2013-1347
CVE-2013-1690
CVE-2013-2465
September 2013 – Present
Compromised the site of an energy-related law firm.
Users visiting the site were redirected to a third-party site hosting the exploit kit.
The kit checks for Java, IE and Adobe Reader.
Following the check, various exploits are triggered.
Targets: Firms in the energy sector
Watering Hole Case Study: ‘Operation Snowman’
vfw.org
CVE-2014-0322
February 2014 – Present
The vulnerability allows the attacker to bypass DEP and ASLR.
Targeted websites in France and the USA using an Internet Explorer zero-day.
Main targeted site: U.S. Veterans of Foreign Wars website
Traps Protection Against LightsOut Exploit Kit
Table: Memory corruption vulnerabilities (CVE-2013-1347, CVE-2013-1690) use Heap Spray, DEP Circumvention, ROP, JIT Spray and Utilize OS Functions, and are stopped by ROP Mitigation, DLL Security, UASLR, Shellcode Preallocation and Memory Limit Heap Spray Check. Java vulnerabilities (CVE-2012-1723, CVE-2013-2465) use Java Sandbox Escape, with the Traps protection labelled simply “Java”.
Summary
Traditional security solutions are not equipped to deal with today’s threats
Whitelisting provides basic protection but is not sufficient to prevent advanced threats
Extending Zero Trust to the endpoint:
Don’t trust even the known applications – prevent exploits
Don’t trust unknown executables
Don’t trust external media or unauthorized folder locations
Learn about Traps Advanced Endpoint Protection on our website: www.paloaltonetworks.com/products/endpoint-security.html