Building Next-Gen Security
Framework and Architecture for Preventing Cyber Attacks
Cyber Attack Life Cycle
Know Your Enemy
Cyber Kill Chain (2010)
Source: http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
Stages as the deck draws them:
1. Reconnaissance
2. Weaponization and Delivery (merged into one stage here)
3. Exploitation
4. Installation
5. Command-and-Control
6. Actions on the Objective
The diagram splits the chain into an "unauthorized access" phase (getting in) and an "unauthorized use" phase (operating inside).
Cyber Attack Life Cycle
Attacker motivations shown on the slide: exfiltrate intellectual property; steal credit card information; destroy critical infrastructure; deface your website; create fear by threatening employees (cyber terrorism); dox embarrassing email messages.
Threat categories: cyber hacktivism, cyber mischief, cyber warfare, cyber crime, cyber espionage, cyber terrorism.
Running example through the life cycle: WannaCrypt (WannaCry) ransomware
1. Reconnaissance
Attackers research, identify and select targets, often using phishing tactics or harvesting public information from an employee's LinkedIn profile or the corporate website. They also scan for network vulnerabilities and for services or applications they can exploit.
• Email harvesting
• Person profile, credentials
• Server and application profile
2. Weaponization & Delivery
Exploit vs. Malware – What's the Difference?
Exploit
§ A malformed data file (or other input) that is processed by a legitimate application
§ Takes advantage of a vulnerability in that application which lets the attacker run code
§ 'Tricks' the legitimate application into running the attacker's code
§ Small payload
Malware
§ Malicious code that comes in executable form
§ Does not rely on any application vulnerability; it only needs to be executed
§ Is already executing code and aims to take control of the machine
§ Large payload
Type of Exploit
1. Known exploit
• Announced publicly
• Patch is available
• Everyone knows about it
• Signature available
2. Unknown (0-day) exploit
• No patch available
• Vendor is not aware of the vulnerability
• Found by hackers or by surveillance/intelligence organisations
• Sold on the black market
Type of Malware
• Worms: Programs that replicate themselves. Their objective is to spread to as many other computers as possible, over the network or via storage media, without any user action.
• Viruses: Also replicate themselves, but they damage files on the computer they infect. Their weakness is that they only run with the support of a host program; without a host they are inert.
• Trojans: Not viruses: they do not self-replicate and typically do not damage or delete files themselves. They pose as legitimate software and provide a backdoor through which malicious programs or malevolent users enter the system and steal data without the owner's knowledge or permission.
• Adware: Software that displays advertisements inside programs.
• Spyware: Often bundled with free software; it tracks browsing and other personal details and sends them to a remote party. It can also facilitate the installation of further malware.
• Bots: Automated processes designed to interact over the internet without human involvement; compromised hosts running bots form a botnet under remote control.
• Ransomware: Alters the normal operation of the machine, typically by encrypting files or locking the system, and demands payment to restore access.
Exploit + Malware
Carrier files in common file types make use of a software vulnerability for delivery: the victim opens the file, the (possibly unknown) exploit runs inside the legitimate application, and it installs the malware.
WannaCrypt makes use of an exploit, a worm and ransomware together.
Cloud & Virtualization
(Figure: WannaCrypt spreading through cloud and virtualized hosts. Each hop is the MS17-010 SMBv1 exploit followed by the WannaCrypt payload, which then attacks the next set of hosts.)
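The propagation shown above is what a network-level detection for the worm stage has to catch. The following Python is an added example, not code from the deck or from any vendor product: it reads a constructed firewall connection log in a hypothetical line format and flags any internal host that opens SMB (TCP/445) sessions to many distinct internal hosts inside a short window, the fan-out pattern of WannaCrypt spreading via MS17-010. The log format, addresses, window and threshold are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log line format (an assumption, not any product's real format):
#   <ISO-8601 timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<proto>\w+)$"
)

# Constructed sample: a user talking to one file server (10.0.0.9), a host sweeping
# TCP/445 across the subnet the way WannaCrypt does after exploiting MS17-010
# (10.0.0.5), and a host doing ordinary HTTPS fan-out (10.0.0.7) that must not alert.
SAMPLE_LOG = "\n".join(
    ["2017-05-12T10:00:00 10.0.0.9 -> 10.0.0.20:445 tcp",
     "2017-05-12T10:00:01 10.0.0.9 -> 10.0.0.20:445 tcp"]
    + [f"2017-05-12T10:00:{s:02d} 10.0.0.5 -> 10.0.0.{100 + s}:445 tcp" for s in range(2, 20)]
    + ["2017-05-12T10:00:21 10.0.0.7 -> 198.51.100.34:443 tcp",
       "2017-05-12T10:00:22 10.0.0.7 -> 198.51.100.35:443 tcp",
       "2017-05-12T10:05:00 10.0.0.9 -> 10.0.0.20:445 tcp"]
)


def parse_line(line):
    """Parse one log line into (timestamp, src, dst, port, proto); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["port"]), m["proto"])


def detect_smb_fanout(log_text, window_seconds=60, threshold=10):
    """Flag sources that reach >= threshold distinct internal hosts on TCP/445 inside a
    sliding window. Returns {src: {"first_seen": datetime, "distinct_targets": int}}."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)      # src -> deque[(ts, dst)] still inside the window
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ts, src, dst, port, proto = ev
        # Lateral SMB movement only: internal destinations on TCP/445.
        if proto != "tcp" or port != 445 or not ipaddress.ip_address(dst).is_private:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()
        targets = {d for _, d in q}
        if len(targets) >= threshold:
            entry = alerts.setdefault(src, {"first_seen": q[0][0], "distinct_targets": 0})
            entry["distinct_targets"] = max(entry["distinct_targets"], len(targets))
    return alerts


if __name__ == "__main__":
    for src, info in detect_smb_fanout(SAMPLE_LOG).items():
        print(f"ALERT possible SMB worm: {src} reached {info['distinct_targets']} hosts "
              f"on tcp/445 starting {info['first_seen'].isoformat()}")
```

The same counter on a file server or a vulnerability scanner will fire legitimately, so in practice the source list is matched against an allow-list of hosts expected to talk SMB widely; the threshold and window are tuned to the site's normal traffic.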
Malware Delivery Methods
• Applications: web, social media, SaaS, AD, etc.
• File transfer: HTTP, HTTPS
• Evasive, encrypted: Ultrasurf, BitTorrent, Tor, VPN, etc.
• USB
Running example: WannaCrypt
3. Exploitation (the exploit runs against the vulnerable application)
4. Installation (Malware)
☣ Targeted and custom malware
☣ Polymorphic malware
☣ Newly released malware
Time to protection is highly variable. Advanced malware is increasingly able to:
- Avoid traditional AV honeypots (targeted malware is never seen by the vendor)
- Evolve before protection can be delivered, via polymorphism, re-encoding and changing URLs
Running example: WannaCrypt
5. Command and Control
(Figure: WannaCrypt and its C2 server.)
6. Action on Objectives: cyber crime
Lessons Learned
1. Prevention is the first priority
2. Detection, response and remediation are the second priority
3. A Zero-Trust architecture is a must
4. A kill switch is not a solution
5. Breaking every stage of the life cycle is best
6. Patching is important
7. Backup and tested recovery are important
Building Next-Gen Security Framework and Architecture
Know Yourself
PwC & PANW Security Framework White Paper
Source: https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/white-papers/pwc-executive-summary.pdf
Security Framework: A Guide for Business Leaders
Business priorities sit at the centre of four functions:
IDENTIFY: governance; risk strategy; asset management; incident response planning
PROTECT & PREVENT: define information security policies; enforce policy to reduce attack surface; prevent known threats; prevent unknown threats
MONITOR & ANALYZE: observe all network traffic; visibility of all applications, users and content
DETECT & RESPOND: detection notifications; mitigate incident; enhance protection
Source: https://www.paloaltonetworks.com/resources/whitepapers/pwc-security-framework-guide-for-business-leaders
PALO ALTO NETWORKS: SECURITY FRAMEWORK
PREVENTION SECURITY FRAMEWORK
COMPLETE VISIBILITY: all applications; all users; all content; encrypted traffic; private cloud; public cloud; mobile
REDUCE ATTACK SURFACE: enable business apps; block "bad" apps; limit app functions; limit file types; block websites
PREVENT KNOWN THREATS: exploits; malware; command & control; malicious websites; bad domains; credential theft and abuse
PREVENT UNKNOWN THREATS: dynamic analysis; static analysis; bare metal analysis; anomaly detection; analytics
AUTOMATED CONVERSION: what the analysis finds is turned into new protections
24 | © 2017, Palo Alto Networks. Confidential and Proprietary.
SECURITY FRAMEWORK: COMPLETE VISIBILITY
One session, fully decoded (example from the slide):
  application ............ slideshare
  application function ... slideshare-uploading
  protocol ............... SSL, HTTP
  destination port ....... TCP/443
  source IP .............. 172.16.1.10
  destination IP ......... 64.81.2.23
  destination country .... canada
  user ................... Jason
  group .................. prodmgmt
  URL category ........... file-sharing
  file type .............. PowerPoint
  file size .............. 344 KB
  content ................ "Confidential and Proprietary"
70% of internet traffic was encrypted in 2016, which is why encrypted traffic is listed under complete visibility: the fields below the protocol line only exist once the session is decrypted.
Application Visibility
User Visibility
Content Visibility (URL, filename, file type)
Examples from the slides: users by group (Marketing, IT Admin); file type: Doc, Office; file name: ABC.doc; URL category.
SECURITY FRAMEWORK: REDUCE ATTACK SURFACE
Only allow the apps, users and content the business needs; block all unknown.
Apply a "least privilege" policy per group: Marketing, DB Admin, Accounting and IT Admin each get only the applications their role requires.
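A policy that implements "only allow the apps, users and content; block all unknown" over the session attributes decoded on the complete-visibility slide, as an added Python example (not code from the deck or from any vendor product). Session fields, group names, application and function names, URL categories and rule names are assumptions. Decisions are first-match over allow rules with an implicit default deny, preceded by two global checks: known-bad URL categories, and confidential content being uploaded to an external sharing site, which is how the slide's slideshare upload is caught even though prodmgmt is allowed to use slideshare.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Assumed names throughout: groups, applications, functions, URL categories and
# rule names are illustrative, not a real product's taxonomy.

@dataclass(frozen=True)
class Session:
    """The attributes a fully decoded session exposes (see the visibility slide)."""
    user: str
    group: str
    application: str           # identified from traffic content, not from the port
    app_function: str          # e.g. "slideshare-uploading"
    url_category: str
    file_type: Optional[str]   # None when no file is transferred
    content_tags: FrozenSet[str]
    dst_port: int
    dst_country: str

@dataclass(frozen=True)
class Rule:
    """Allow rule: who (groups) may use what (apps), optionally limited to
    certain app functions and file types (least privilege per group)."""
    name: str
    groups: FrozenSet[str]
    applications: FrozenSet[str]
    app_functions: Optional[FrozenSet[str]] = None   # None: any function of the app
    file_types: Optional[FrozenSet[str]] = None      # None: any file type

# Global prevention checks evaluated before the allow rules.
BLOCKED_URL_CATEGORIES = frozenset({"malware", "phishing", "command-and-control"})
EXTERNAL_SHARING_CATEGORIES = frozenset({"file-sharing", "web-based-email", "social-networking"})
CONFIDENTIAL_TAG = "confidential"      # assumed to be set by content inspection

POLICY = (
    Rule("prodmgmt-slideshare", frozenset({"prodmgmt"}), frozenset({"slideshare"}),
         app_functions=frozenset({"slideshare-base", "slideshare-uploading"}),
         file_types=frozenset({"ppt", "pdf"})),
    Rule("all-staff-web", frozenset({"marketing", "prodmgmt", "accounting", "it-admin"}),
         frozenset({"web-browsing", "ssl"})),
    Rule("it-admin-ssh", frozenset({"it-admin"}), frozenset({"ssh"})),
    Rule("db-admin-sql", frozenset({"db-admin"}), frozenset({"mssql-db"})),
)

def evaluate(session: Session, policy=POLICY) -> Tuple[str, str]:
    """Return (action, reason). First matching allow rule wins; everything else,
    including unknown applications, is denied (block all unknown)."""
    if session.url_category in BLOCKED_URL_CATEGORIES:
        return "deny", f"known-threat URL category: {session.url_category}"
    if (CONFIDENTIAL_TAG in session.content_tags
            and session.url_category in EXTERNAL_SHARING_CATEGORIES
            and session.app_function.endswith("-uploading")):
        return "deny", "confidential content uploaded to an external sharing site"
    if session.application.startswith("unknown-"):
        return "deny", "unknown application"
    for rule in policy:
        if session.group not in rule.groups or session.application not in rule.applications:
            continue
        if rule.app_functions is not None and session.app_function not in rule.app_functions:
            continue
        if (rule.file_types is not None and session.file_type is not None
                and session.file_type not in rule.file_types):
            continue
        return "allow", rule.name
    return "deny", "no matching rule (default deny)"

# Constructed sessions; the first reproduces the slide's slideshare upload.
SAMPLE_SESSIONS = {
    "jason-confidential-upload": Session("jason", "prodmgmt", "slideshare", "slideshare-uploading",
                                         "file-sharing", "ppt", frozenset({"confidential"}), 443, "CA"),
    "jason-public-upload": Session("jason", "prodmgmt", "slideshare", "slideshare-uploading",
                                   "file-sharing", "ppt", frozenset(), 443, "CA"),
    "jason-exe-upload": Session("jason", "prodmgmt", "slideshare", "slideshare-uploading",
                                "file-sharing", "exe", frozenset(), 443, "CA"),
    "marketing-ssh": Session("alice", "marketing", "ssh", "ssh", "unknown", None, frozenset(), 22, "US"),
    "it-admin-ssh": Session("carol", "it-admin", "ssh", "ssh", "unknown", None, frozenset(), 22, "US"),
    "accounting-unknown-app": Session("bob", "accounting", "unknown-tcp", "unknown-tcp",
                                      "unknown", None, frozenset(), 4444, "DE"),
    "marketing-malware-site": Session("alice", "marketing", "web-browsing", "web-browsing",
                                      "malware", None, frozenset(), 80, "US"),
}

def decisions(sessions=SAMPLE_SESSIONS):
    return {name: evaluate(s) for name, s in sessions.items()}

if __name__ == "__main__":
    for name, (action, reason) in decisions().items():
        print(f"{action:5s} {name}: {reason}")
```

Note that nothing in the decision depends on the destination port or on the source location: "ssh" on port 443 is still ssh, and the same rule set applies whether the user is on the LAN or remote, which is the property the zero-trust section later asks for.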
SECURITY FRAMEWORK: PREVENT KNOWN THREATS
Known threats: vulnerabilities (exploits); CnC; viruses; malware; drive-by downloads; malicious DNS; trojans; worms; botnets; spyware; credential theft; malicious URLs.
CREDENTIAL THEFT AND ABUSE PREVENTION
1. Phishing email sent to the victim
2. Credentials sent to the phishing page
N. Adversary navigates through the network to access critical applications (source code, ERP, intranet) with the stolen credentials
Controls:
• Email link inspection and phishing URL prevention
• Suspicious credential submission blocked
• Policy-based MFA enforced at the network layer (via RADIUS)
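The "suspicious credential submission blocked" control above, as an added Python example (not the deck's or any product's code). It parses a raw HTTP request, picks out credential-looking form fields, and blocks the submission when a corporate credential is posted to any host other than the corporate identity providers, comparing against a one-way fingerprint of known corporate credentials rather than plaintext. Host names, user names, URL-category verdicts, the credential store and the sample requests are all constructed; the fingerprint scheme is a placeholder for the salted, directory-synchronised store a real deployment would use.

```python
import hashlib
import re
from urllib.parse import parse_qs

# Everything here is constructed: identity-provider hosts, the corporate domain,
# the URL-category verdicts, the credential store and the sample requests.
CORPORATE_DOMAIN = "example-corp.com"
CORPORATE_IDP_HOSTS = frozenset({"sso.example-corp.com", "mail.example-corp.com"})
URL_CATEGORIES = {                         # assumed output of URL filtering
    "sso.example-corp.com": "corporate",
    "example-c0rp-login.com": "unknown",   # fresh look-alike domain, not yet categorised
    "secure-docs-review.net": "phishing",
    "forum.example.net": "personal-sites",
}
USERNAME_FIELDS = re.compile(r"user|login|email|uid", re.I)
PASSWORD_FIELDS = re.compile(r"pass|pwd|secret", re.I)

def credential_fingerprint(username: str, password: str) -> str:
    """One-way fingerprint so the enforcement point never holds plaintext; a real
    deployment would use salted hashes synchronised from the directory."""
    return hashlib.sha256(f"{username.lower()}:{password}".encode()).hexdigest()

# Constructed: the only corporate credential the directory 'knows' in this example.
KNOWN_CORPORATE_CREDS = frozenset({credential_fingerprint("jason@example-corp.com", "Winter2017!")})

def parse_http_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def inspect_submission(raw_request: str):
    """Return (verdict, reason) for one request seen by the enforcement point."""
    method, _path, headers, body = parse_http_request(raw_request)
    host = headers.get("host", "").lower()
    if method != "POST" or "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return "allow", "not a form submission"
    form = {k.lower(): v[0] for k, v in parse_qs(body).items()}
    usernames = [v for k, v in form.items() if USERNAME_FIELDS.search(k)]
    passwords = [v for k, v in form.items() if PASSWORD_FIELDS.search(k)]
    if not usernames or not passwords:
        return "allow", "no credential fields"
    if host in CORPORATE_IDP_HOSTS:
        return "allow", "corporate identity provider"
    category = URL_CATEGORIES.get(host, "unknown")
    if category == "phishing":
        return "block", f"credentials posted to known phishing site {host}"
    if any(credential_fingerprint(u, p) in KNOWN_CORPORATE_CREDS
           for u in usernames for p in passwords):
        return "block", f"valid corporate credential submitted to {host} ({category})"
    if any(u.lower().endswith("@" + CORPORATE_DOMAIN) for u in usernames) and category == "unknown":
        return "block", f"corporate username submitted to uncategorised site {host}"
    return "allow", f"non-corporate credential to {host} ({category})"

def _req(host: str, path: str, body: str, method: str = "POST") -> str:
    """Build a constructed raw request."""
    return (f"{method} {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")

SAMPLE_REQUESTS = {
    "legit-sso": _req("sso.example-corp.com", "/login",
                      "username=jason%40example-corp.com&password=Winter2017%21"),
    "lookalike-phish": _req("example-c0rp-login.com", "/owa/auth",
                            "username=jason%40example-corp.com&password=Winter2017%21"),
    "known-phish-wrong-pw": _req("secure-docs-review.net", "/docs",
                                 "email=jason%40example-corp.com&pwd=oops"),
    "personal-site": _req("forum.example.net", "/signin", "login=jason_home&password=hunter2"),
    "search-form": _req("forum.example.net", "/search", "q=firewall"),
    "get-request": _req("example-c0rp-login.com", "/login", "", method="GET"),
}

def inspect_all(requests=SAMPLE_REQUESTS):
    return {name: inspect_submission(raw) for name, raw in requests.items()}

if __name__ == "__main__":
    for name, (verdict, reason) in inspect_all().items():
        print(f"{verdict:5s} {name}: {reason}")
```

Because the check runs on the decrypted request body, it only works where the enforcement point can inspect TLS; that is the dependency on "encrypted traffic" visibility from the first pillar. A "block" verdict is also the natural trigger for the third control on the slide, forcing MFA (or a password reset) for the user whose credential was just exposed.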
SECURITY FRAMEWORK: PREVENT UNKNOWN THREATS
Unknown Threat Analysis Engine
• Static analysis: detection of known exploits, malware and new variants (heuristic engine, new machine learning)
• Dynamic analysis: detonation reveals zero-day exploitation and malware
• Bare metal analysis: dynamically steers highly evasive, suspicious files to real hardware and detonates them there, catching VM-aware malware that stays dormant inside a virtual machine (the final frontier for anti-VM evasion)
Vendor positioning on the slide: "the only custom-built anti-evasion malware analysis environment".
SECURITY FRAMEWORK: AUTOMATED CONVERSION
Indicators of compromise produced by the analysis are converted automatically into protections:
• Malware payload (file signature)
• C2 payload (command-and-control signature)
• C2 domain & URL
• Malicious URL link
• IP connectivity
PREVENTION SECURITY FRAMEWORK + GLOBAL SHARING
(Reduce attack surface, complete visibility, prevent known threats, prevent unknown threats, automated conversion.)
How global threat intelligence sharing works
Each participating deployment contributes content (malicious URLs, C&C domains, malware signatures) and receives the combined protections back, updated every 5 minutes.
Threat intel big data (figures quoted on the slide):
• 150M samples/month
• 100,000 new protections/day
• More than 2B files
• More than 500B artifacts
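How the automated-conversion step feeding this sharing loop can be done, as an added Python example (not from the deck or from any vendor): a sandbox verdict in a hypothetical JSON shape is turned into typed, de-duplicated protection entries (file hash, C2 domains and URLs, C2 IP connectivity) stamped for the 5-minute refresh cycle the slide describes. It drops sandbox-internal addresses and an allow-list of benign or sinkholed domains; the latter matters for the kill-switch lesson, since a WannaCrypt-style sample exits when its kill-switch domain answers and blocking that domain would make it encrypt instead. Domain names, addresses (RFC 5737 documentation ranges) and the verdict format are constructed.

```python
import ipaddress
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed sandbox verdict in a hypothetical JSON shape (not any product's format).
# 198.51.100.0/24 and 203.0.113.0/24 are RFC 5737 documentation ranges standing in
# for attacker infrastructure; 10.0.2.2 and 127.0.0.1 are the sandbox's own plumbing.
SAMPLE_VERDICT = json.loads("""{
  "sha256": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
  "verdict": "malicious",
  "dns": ["evil-c2.example.net.", "EVIL-C2.example.net", "time.windows.com",
          "localhost", "killswitch-sinkhole.example.org"],
  "http": ["http://evil-c2.example.net/gate.php?id=1",
           "https://evil-c2.example.net/gate.php?id=2",
           "http://time.windows.com/"],
  "tcp": ["198.51.100.23:443", "10.0.2.2:8080", "127.0.0.1:9050",
          "198.51.100.23:443", "203.0.113.7:445"]
}""")

# Never converted into block entries even when a sample contacts them: OS time/update
# services and sinkholed kill-switch domains (constructed names).
BENIGN_DOMAINS = frozenset({"time.windows.com", "localhost", "killswitch-sinkhole.example.org"})

# Explicit ranges rather than ipaddress's broad is_private, which would also swallow
# the documentation ranges used in the sample.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

REFRESH = timedelta(minutes=5)   # the sharing cadence quoted on the slide

def is_routable(ip_str: str) -> bool:
    ip = ipaddress.ip_address(ip_str)
    return not (ip.is_multicast or any(ip in net for net in NON_ROUTABLE))

def normalize_domain(name: str) -> str:
    return name.strip().lower().rstrip(".")

def convert(verdict: dict, now: datetime = None) -> list:
    """Turn one malicious verdict into typed, de-duplicated protection entries."""
    if verdict.get("verdict") != "malicious":
        return []
    now = now or datetime.now(timezone.utc)
    entries = {}

    def add(kind, value, source):
        entries.setdefault((kind, value), {
            "type": kind, "value": value, "action": "block", "source": source,
            "published": now.isoformat(), "next_refresh": (now + REFRESH).isoformat()})

    add("sha256", verdict["sha256"].lower(), "malware payload")
    for name in verdict.get("dns", []):
        name = normalize_domain(name)
        if name and name not in BENIGN_DOMAINS:
            add("domain", name, "C2 domain")
    for url in verdict.get("http", []):
        parts = urlsplit(url)
        host = normalize_domain(parts.hostname or "")
        if not host or host in BENIGN_DOMAINS:
            continue
        add("domain", host, "C2 domain")
        # Query string dropped: per-victim ids would make the URL entry useless elsewhere.
        add("url", f"{parts.scheme}://{host}{parts.path}", "C2 URL")
    for endpoint in verdict.get("tcp", []):
        ip, _, port = endpoint.rpartition(":")
        if is_routable(ip):
            add("ip", ip, f"C2 connectivity tcp/{port}")
    return list(entries.values())

def defang(entry: dict) -> str:
    """Render an entry safely for sharing in reports or feeds."""
    value = entry["value"].replace(".", "[.]")
    if entry["type"] == "url":
        value = value.replace("http", "hxxp", 1)
    return f"{entry['type']}: {value}"

if __name__ == "__main__":
    for e in convert(SAMPLE_VERDICT):
        print(defang(e), "<-", e["source"])
```

The allow-list is the part that needs curation: a sample that contacts a CDN, an update service or a sinkholed domain would otherwise generate a block entry that breaks legitimate traffic or, in the kill-switch case, changes the malware's behaviour for the worse.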
Palo Alto Networks' Platform – Prevention Down the Kill Chain
(Table, flattened in extraction.) Columns are the platform components: App-ID, User-ID, Content-ID, GlobalProtect, IPS (exploits), WildFire (unknown threats), URL Filtering, Traps (endpoint), Aperture (SaaS), AutoFocus (threat intel). Rows are the attack life-cycle stages, with an X wherever a component applies: Reconnaissance (2 components), Delivery (all 10), Establish Beachhead, i.e. exploit and malware (5), Command & Control (8), Actions on the Objective (all 10). Which components are marked on the partially covered rows is not recoverable from the transcript.
Zero-Trust Model Architecture
Zero-Trust Model
All resources are accessed in a secure manner regardless of location.
Access control is on a “need-to-know” basis and is strictly enforced.
Verify and never trust.
Inspect and log all traffic.
The network is designed from the inside out.
Source: Forrester Research
Break all stages of the life cycle at all locations
(Figure: the WannaCrypt / MS17-010 propagation diagram from the "Cloud & Virtualization" slide, repeated here: every hop, in every location, is a point where the chain can be broken.)