Building Next-Gen Security Framework and Architecture for Preventing Cyber Attacks

Transcript of the slide deck

Page 1:

Building Next-Gen Security Framework and Architecture for Preventing Cyber Attacks

Page 2:

Page 3:

Cyber Attack Life Cycle

Know Your Enemy

Page 4:

Cyber Kill Chain (2010)

Source: http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf

Page 5:

Cyber Attack Life Cycle (diagram)

Stages: Reconnaissance; Weaponization and Delivery; Exploitation; Installation; Command-and-Control; Actions on the Objective (Unauthorized Access, Unauthorized Use)

Actions on the objective shown in the diagram: Exfiltrate intellectual property; Steal credit card information; Destroy critical infrastructure; Deface your website; Create fear by threatening employees (Cyber terrorism); Dox embarrassing email messages

Threat actor categories: Cyber hacktivism; Cyber mischief; Cyber warfare; Cyber crime; Cyber espionage; Cyber terrorism

Page 6:

Wanacrypt Ransomware

Page 7:

1. Reconnaissance

Attackers research, identify, and select targets, oftentimes using phishing tactics or extracting public information from an employee's LinkedIn profile or corporate websites. These criminals also scan for network vulnerabilities and services or applications they can exploit.

• Email harvesting

• Person profile, credentials

• Server & application profile

Page 8:

2. Weaponization & Delivery

Exploit vs. Malware – What's the Difference?

Exploit

§ Malformed data file that is processed by a legitimate app

§ Takes advantage of a vulnerability in the legitimate app which allows the attacker to run code

§ ‘Tricks’ the legitimate application into running the attacker’s code

§ Small payload

Malware

§ Malicious code that comes in an executable file form

§ Does not rely on any application vulnerability

§ Already executes code – aims to control the machine

§ Large payload

Page 9:

Type of Exploit

1. Known Exploit

• Announced publicly

• Patch is available

• Everyone knows

• Signature available

2. Unknown (0-Day) Exploit

• No patch available

• Vendor is not aware of it

• Found by hackers, surveillance

• Sold on the black market

Page 10:

Type of Malware

• Worms: These programs have the ability to replicate themselves. Their sole objective is to increase their population and transfer themselves to other computers via the internet or through storage media.

• Viruses: They also have the ability to replicate themselves, but they do damage files on the computer they attack. Their main weakness lies in the fact that they can get into action only if they have the support of a host program; otherwise they are just like a defeated warrior.

• Trojans: Basically, Trojans are not viruses, and are not meant to damage or delete files on your system. Their sole task is to provide a backdoor gateway for malicious programs or malevolent users to enter your system and steal your valuable data without your knowledge and permission.

• Adware: Adware is used to display advertisements in programs.

• Spyware: These programs also come attached with other freeware software, track your browsing and other personal details and send them to a remote user. They can also facilitate installation.

• Bots: Bots or robots are automated processes that are designed to interact over the internet without the need for human interaction.

• Ransomware: This type of malware alters the normal operation of your machine, thus barring you from using it properly.

Page 11:

Make use of a software vulnerability for delivery

(Diagram: carrier files of common file types carry an exploit and unknown malware; the victim opens the file)

Page 12:

Wanacrypt makes use of Exploit & Worm & Ransomware

(Diagram: Wanacrypt spreading across cloud & virtualization and endpoint hosts through the MS17-010 exploit; the labels Wanacrypt, Exploit and MS17-010 repeat for each infected host)
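The worm stage shown here, and described on the Type of Malware slide, is visible on the network as one host reaching many neighbours over the same service in a short time (for Wanacrypt, the MS17-010 SMB exploit on TCP/445). The detection below is an added example, not code from the slide deck or any vendor product; the flow-log format, addresses and thresholds are constructed assumptions:

```python
"""Flag worm-like SMB fan-out (one source reaching many distinct internal hosts on
TCP/445 within a short window) in flow logs. Added example, not code from the slide
deck or any vendor product; the flow-log format, addresses and thresholds are constructed."""
from collections import defaultdict

INTERNAL_PREFIXES = ("10.", "172.16.", "192.168.")  # constructed "internal" address test
SMB_PORT = 445                 # MS17-010 is an SMB vulnerability, so the worm stage uses 445
FANOUT_THRESHOLD = 8           # distinct internal targets inside one window
WINDOW_SECONDS = 60

def parse_flow(line):
    """Constructed format: '<unix_ts> <src_ip> <dst_ip> <dst_port>'."""
    ts, src, dst, dport = line.split()
    return int(ts), src, dst, int(dport)

def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIXES)

def detect_fanout(lines, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src: (window_start_ts, sorted targets)} for every source that reaches at
    least `threshold` distinct internal hosts on TCP/445 within `window` seconds."""
    flows = sorted(parse_flow(line) for line in lines if line.strip())
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == SMB_PORT and is_internal(dst) and dst != src:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):          # sliding window over time-ordered events
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= threshold:
                alerts[src] = (events[start][0], sorted(targets))
                break                           # one alert per source is enough
    return alerts

# Constructed flow log: 10.0.0.5 sweeps twelve neighbours on 445 within twelve seconds
# (worm-like); 10.0.0.9 talks to two file servers over ten minutes (normal admin traffic).
FLOW_LOG = [f"{1000 + i} 10.0.0.5 10.0.0.{20 + i} 445" for i in range(12)] + [
    "1000 10.0.0.9 10.0.0.50 445",
    "1300 10.0.0.9 10.0.0.51 445",
    "1600 10.0.0.9 10.0.0.50 445",
    "1005 10.0.0.5 203.0.113.7 443",      # outbound HTTPS, not SMB: ignored
]
```

The threshold and window must be tuned per environment; a vulnerability scanner or a backup server will legitimately fan out on 445 and needs an allow-list entry.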

Page 13:

Malware Delivery Methods (diagram)

Channels shown: Applications; Email; File Transfer; Evasive, Encrypted; Http, Https; Social media, SaaS, AD, etc.; Ultrasurf, Bittorent, Tor, VPN etc.; USB; Web, Social, SaaS

Example: Wanacrypt

Page 14:

3. Exploitation (Exploit)

Page 15:

4. Installation (Malware)

☣ Targeted and custom malware

☣ Polymorphic malware

☣ Newly released malware

Highly variable time to protection. Advanced malware is increasingly able to:

- Avoid traditional AV honey-pots (targeted malware)

- Evolve before protection can be delivered, via polymorphism, re-encoding, and changing URLs

Example: Wanacrypt

Page 16:

5. Command and Control

(Diagram: Wanacrypt and its C2 server)

Page 17:

6. Actions on Objectives: Cyber Crime

Page 18:

Lessons Learned

1. Prevention is the 1st priority

2. Detection, response and remediation are the 2nd priority

3. Zero-Trust architecture is a must

4. A kill-switch is not a solution

5. Breaking every stage of the life cycle is the best

6. Patching is important

7. Backup and tested recovery are important

Page 19:

Building Next-Gen Security Framework and Architecture

Know Yourself

Page 20:

PWC & PANW Security Framework White Paper

Source: https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/white-papers/pwc-executive-summary.pdf

Page 21:

Security Framework: A Guide for Business Leaders

(Diagram: a cycle around Business Priorities with four phases: IDENTIFY, PROTECT & PREVENT, MONITOR & ANALYZE, DETECT & RESPOND. Items in the diagram: Governance; Risk Strategy; Asset Management; Incident Response Planning; Detection Notifications; Mitigate Incident; Enhance Protection; Observe All Network Traffic; Visibility of All Applications, Users and Content; Define Information Security Policies; Prevent Unknown Threats; Prevent Known Threats; Enforce Policy to Reduce Attack Surface)

Source: https://www.paloaltonetworks.com/resources/whitepapers/pwc-security-framework-guide-for-business-leaders

Page 22:

PALO ALTO NETWORKS: SECURITY FRAMEWORK

Page 23:

PREVENTION SECURITY FRAMEWORK (diagram)

COMPLETE VISIBILITY
• All applications
• All users
• All content
• Encrypted traffic
• Private Cloud
• Public Cloud
• Mobile

REDUCE ATTACK SURFACE
• Enable business apps
• Block “bad” apps
• Limit app functions
• Limit file types
• Block websites

PREVENT KNOWN THREAT
• Exploits
• Malware
• Command & control
• Malicious websites
• Bad domains
• Credentials theft and abuse

PREVENT UNKNOWN THREAT
• Dynamic analysis
• Static analysis
• Bare metal analysis
• Anomaly detection
• Analytics

Automated Conversion

Page 24:

24 | © 2017, Palo Alto Networks. Confidential and Proprietary.

SECURITY FRAMEWORK: COMPLETE VISIBILITY

Page 25:

Complete visibility of one session (diagram):

Application: slideshare
Application function: slideshare-uploading
URL category: file-sharing
File type: PowerPoint
File size: 344 KB
Content: “Confidential and Proprietary”
User: Jason
Group: prodmgmt
Destination country: canada
Source IP: 172.16.1.10
Destination IP: 64.81.2.23
Destination port: TCP/443
Protocol: SSL, HTTP

Page 26:

70% Encrypted Internet Traffic in 2016


Page 27:

Application Visibility

Page 28:

User Visibility

Page 29:

Content Visibility (URL, Filename, FileType)

(Diagram: user groups Marketing and IT Admin; file Type: Doc, Office; Name: ABC.doc; URL Category)

Page 30:


SECURITY FRAMEWORK: REDUCE ATTACK SURFACE

Page 31:

Reduce Attack Surface: Apply “Least Privilege” Policy

Only allow the Apps, Users, Content that are needed

Block all unknown

(Diagram: user groups Marketing, DB Admin, Accounting, IT Admin)
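One way to make "only allow the apps, users and content you need; block all unknown" concrete is a first-match policy whose final rule is an implicit deny. The Python below is an added example, not the deck's or any vendor's code: it evaluates the session shown on the Complete Visibility slide (user Jason in group prodmgmt uploading a "Confidential and Proprietary" PowerPoint to slideshare) against a constructed rule set whose group and application names are assumptions:

```python
"""Default-deny ("block all unknown") least-privilege policy check. Added example, not from
the slide deck or any vendor product; rules, group names and the session are constructed."""
from dataclasses import dataclass, field

ANY = frozenset({"*"})  # wildcard for a rule field

@dataclass(frozen=True)
class Session:
    user: str
    group: str
    app: str
    app_function: str
    file_type: str = ""
    content_tags: frozenset = field(default_factory=frozenset)

@dataclass(frozen=True)
class Rule:
    name: str
    groups: frozenset        # user groups the rule applies to, or ANY
    apps: frozenset          # applications allowed, or ANY
    functions: frozenset     # application functions allowed, or ANY
    file_types: frozenset    # file types allowed on transfer, or ANY
    denied_tags: frozenset = frozenset()  # content tags that turn a match into a block

def _permits(allowed, value):
    return "*" in allowed or value in allowed

def evaluate(session, rules):
    """First rule matching group, app and function decides; no match means block."""
    for rule in rules:
        if not (_permits(rule.groups, session.group) and _permits(rule.apps, session.app)
                and _permits(rule.functions, session.app_function)):
            continue
        if session.file_type and not _permits(rule.file_types, session.file_type):
            return "block", f"{rule.name}: file type {session.file_type} not allowed"
        hit = rule.denied_tags & session.content_tags
        if hit:
            return "block", f"{rule.name}: content tagged {sorted(hit)}"
        return "allow", rule.name
    return "block", "no rule matches (unknown app, user or function)"

# Constructed policy: marketing may upload PowerPoint/PDF to slideshare unless the content
# is tagged confidential; everyone may browse; anything else is unknown, hence blocked.
POLICY = (
    Rule("marketing-slideshare", frozenset({"marketing"}), frozenset({"slideshare"}),
         ANY, frozenset({"PowerPoint", "PDF"}), frozenset({"Confidential and Proprietary"})),
    Rule("everyone-browse", ANY, frozenset({"web-browsing", "slideshare"}),
         frozenset({"web-browsing", "slideshare-base"}), ANY),
)

# Constructed replay of the Complete Visibility slide's session: user Jason, group
# prodmgmt, uploading a PowerPoint tagged "Confidential and Proprietary" to slideshare.
SLIDE25 = Session("jason", "prodmgmt", "slideshare", "slideshare-uploading",
                  "PowerPoint", frozenset({"Confidential and Proprietary"}))
```

Jason's upload is blocked not because a rule names it but because nothing permits uploading from his group; the same session from a marketing user is blocked by the content tag instead.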

Page 32:

SECURITY FRAMEWORK: PREVENT KNOWN THREATS

Known threats (diagram): vulnerabilities; CnC; viruses; malware; drive-by downloads; malicious DNS; Trojan; Worm; Botnet; Spyware; Credential Theft; malicious URL

Page 33:

CREDENTIAL THEFT AND ABUSE PREVENTION

(Diagram: critical applications Source Code, ERP, Intranet)

1. Phishing email sent to victim

2. Credentials sent to phishing page

N. Adversary navigates through network to access critical applications with stolen credentials


Prevention controls:

- Email link inspection and phishing URL prevention

- Suspicious credential submission blocked

- Policy-based MFA enforced at network layer (RADIUS)
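The "suspicious credential submission blocked" control can be approximated from web form-post events: a corporate identity posted together with a password field to any host other than the sanctioned login hosts is blocked, whether or not the destination is already categorised as phishing (step 2 of the diagram above is where this fires). The Python below is an added example, not the deck's or any vendor's code; the corporate domain, directory users, sanctioned hosts and the events are constructed assumptions:

```python
"""Detect corporate credentials being submitted to a non-corporate web form.
Added example, not from the slide deck or any vendor product; the domains, user
names and log events below are constructed."""
from urllib.parse import urlsplit

CORP_DOMAIN = "example-corp.test"            # constructed corporate mail domain
DIRECTORY_USERS = {"jason", "amy", "bob"}    # constructed directory user names
SANCTIONED_LOGIN_HOSTS = {"sso.example-corp.test", "intranet.example-corp.test"}
PASSWORD_FIELDS = {"password", "passwd", "pwd", "pass"}
USERNAME_FIELDS = {"username", "user", "email", "login"}

def is_corporate_identity(value):
    """True if a submitted value names a user from the corporate directory."""
    v = value.strip().lower()
    if "@" in v:
        local, _, domain = v.partition("@")
        return domain == CORP_DOMAIN and local in DIRECTORY_USERS
    return v in DIRECTORY_USERS

def classify_submission(event):
    """event: {"user", "url", "url_category", "form": {field: value}}.
    Returns (verdict, reason). Only a corporate identity posted together with a
    password field counts as a credential submission."""
    form = event["form"]
    host = (urlsplit(event["url"]).hostname or "").lower()
    has_password = any(k.lower() in PASSWORD_FIELDS for k in form)
    identity = next((v for k, v in form.items()
                     if k.lower() in USERNAME_FIELDS and is_corporate_identity(v)), None)
    if not has_password or identity is None:
        return "allow", "no corporate credential in form"
    if host in SANCTIONED_LOGIN_HOSTS:
        return "allow", f"corporate login to {host}"
    if event.get("url_category") in {"phishing", "malware"}:
        return "block", f"{identity} submitted to {host} (category {event['url_category']})"
    # Not-yet-categorised or benign-looking hosts still receive corporate credentials: block.
    return "block", f"{identity} submitted to unsanctioned host {host}"

def triage(events):
    """Apply the check to a batch of form-post events; returns (user, verdict, reason)."""
    return [(e["user"], *classify_submission(e)) for e in events]

# Constructed form-post events: a real SSO login, a phishing page that mimics it,
# a look-alike host that is not yet categorised, and a personal webmail login.
EVENTS = [
    {"user": "jason", "url": "https://sso.example-corp.test/login", "url_category": "corporate",
     "form": {"username": "jason", "password": "REDACTED"}},
    {"user": "jason", "url": "https://sso-example-corp.phish.test/login", "url_category": "phishing",
     "form": {"email": "jason@example-corp.test", "password": "REDACTED"}},
    {"user": "amy", "url": "https://example-corp-login.test/auth", "url_category": "unknown",
     "form": {"login": "Amy", "pwd": "REDACTED"}},
    {"user": "bob", "url": "https://mail.personal.test/", "url_category": "web-based-email",
     "form": {"email": "bob@personal.test", "password": "REDACTED"}},
]
```

In production the username match would come from the directory itself rather than a literal set, and the password value must never be logged; only the decision and the destination host are recorded.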

Page 34:


SECURITY FRAMEWORK: PREVENT UNKNOWN THREAT

Page 35:

Unknown Threat Analysis Engine (diagram)

Static Analysis: detection of known exploits, malware, and new variants; heuristic engine; new machine learning

Dynamic Analysis: detonation reveals zero-day exploitation & malware

Bare Metal Analysis: dynamically steers highly evasive, suspicious files to bare metal; detonates malware on real hardware, detecting all VM-aware malware; final frontier for anti-VM detection

“The only custom-built anti-evasion malware analysis environment”

Page 36:


SECURITY FRAMEWORK: AUTOMATED CONVERSION

Indicators of Compromise converted into protections (diagram): Malware payload; C2 payload; C2 Domain & URL; Malicious URL link; IP connectivity

Page 37:


PREVENTION SECURITY FRAMEWORK (diagram): Reduce Attack Surface; Complete Visibility; Prevent Known Threat; Prevent Unknown Threat; Automated Conversion + Global Sharing

Page 38:

How Global Threat Intelligence sharing works

(Diagram: three sites, each receiving the same content updates every 5 minutes: malicious URLs, C&C domains, malware signatures)

Threat Intel Big Data

• 150M samples/month

• 100,000 new protections/day

• More than 2B files

• More than 500B artifacts

Page 39:

Palo Alto Networks’ Platform – Prevention Down the Kill Chain

Platform components (columns): App-ID; User-ID; Content-ID; GlobalProtect; IPS (Exploit); Wildfire (Unknown); URL Filtering; TRAPS (End-point); Aperture (SaaS); AutoFocus (Threat Intel)

Attack Life Cycle stages (rows), with the X marks as given in the original matrix:

Recon: X X

Delivery: X X X X X X X X X X

Establish Beachhead (Exploit & Malware): X X X X X

Command & Control: X X X X X X X X

Actions on the Objective: X X X X X X X X X X

Page 40:

Zero-Trust Model Architecture

Page 41:

Zero-Trust Model

All resources are accessed in a secure manner regardless of location.

Access control is on a “need-to-know” basis and is strictly enforced.

Verify and never trust.

Inspect and log all traffic.

The network is designed from the inside out.

Source: Forrester Research


Page 42:

Break all stages of the Life Cycle at all Locations

(Diagram, as on Page 12: Wanacrypt, Exploit and MS17-010 labels repeated across Cloud & Virtualization and endpoint hosts)

Page 43:
