What Are We Missing? Practical Use of the Next-Generation Firewall: Controlling Modern Malware and Threats
Jason Wessel – Solutions Architect
Palo Alto Networks at a glance
Corporate highlights
Founded in 2005; first customer shipment in 2007
Safely enabling applications
Able to address all network security needs
Exceptional ability to support global customers
Experienced technology and management team
900+ employees globally
[Charts: Enterprise customers (1,800 in Jul-10, 4,700 in Jul-11, 10,000 in Oct-12); Revenue in $MM, FYE July, FY09 through FY12]
2 | ©2013, Palo Alto Networks. Confidential and Proprietary.
Data Sources for Today’s Talk
Application Data
• Application Usage and Risk Report (evaluation networks)
• Taken from 1,636 live enterprise networks
• 30% North America
• 30% Asia
• 40% Europe
• 9.5 Petabytes of data
Malware Data
• WildFire Malware Analysis (production networks)
• 26,000 unknown malware samples
• Collected from 1,000+ production enterprise networks at the firewall
• 3 months of data
The Lifecycle of Network Attacks
1. Bait the end-user – End-user lured to a dangerous application or website containing malicious content
2. Exploit – Infected content exploits the end-user, often without their knowledge
3. Download Backdoor – Secondary payload is downloaded in the background. Malware installed
4. Establish Back-Channel – Malware establishes an outbound connection to the attacker for ongoing control
5. Explore & Steal – Remote attacker has control inside the network and escalates the attack
In Malware, Both Sides Are Malicious
Attacks are blended and patient – Exploits, malware and traffic; long-term time scale
Malware is the strategic enabler – Provides a persistent point of control inside the target network
Malware enables evasion – When both ends of a connection are malicious, new evasions become available: encryption, strange ports, tunneling, polymorphic malware, etc.
Solving Modern Malware and Targeted Threats
1. Full Visibility of Traffic
• Equal analysis of all traffic across all ports (no assumptions)
• Control the applications that attackers use to hide
• Decrypt, decompress and decode
2. Control the full attack lifecycle
• Exploits, malware, and malicious traffic
• Maintain context across disciplines
• Maintain predictable performance
3. Expect the Unknown
• Detect and stop unknown malware
• Automatically manage unknown or anomalous traffic
Requirement 1: Visibility Into All Traffic
“Got To See It to Prevent It”
Applications and Malware Evade Security
• Port-Based Evasion – Traditional security enforces rules and signatures based on port
• Tunneling – Hide inside allowed traffic
• Custom Protocols – Unique TCP, UDP and encryption
• Custom Malware – Targeted attacks; polymorphic malware
Evasion is Common in Applications
• Non-Standard Ports – Evasive applications; standard application behavior; security best practices (moving Internet-facing protocols off of standard ports, e.g. RDP)
• Tunneling Within Allowed Protocols – SSL and SSH; HTTP; DNS
• Circumventors – Proxies; anonymizers (Tor); custom encrypted tunnels (e.g. Freegate, Ultrasurf)
568 applications that can dynamically use non-standard ports
260 applications that can tunnel other apps and protocols
82 applications designed to avoid security
How Evasive is “Evasive”?
SSL – 4,740 ports
Skype – 1,802 ports
Skype Probe – 27,749 ports
BitTorrent – 21,222 ports
Circumventing Applications in Networks
[Chart: percentage of networks (0% to 80%) in which each circumventing application was found – RDP, SSH, telnet, LogMeIn, TeamViewer, CGIProxy, PHProxy, CoralCDN, FreeGate, Glype Proxy, Tor, Hamachi, UltraSurf, Gbridge, Gpass]
Remote Access – 27 variants found 95% of the time; APT1 remote access
External Proxies – 22 variants found 76% of the time; TDL-4 paid proxy service
Encrypted Tunnels – Non-VPN related, found 30% of the time; Ultrasurf observed as malware C2
Next Generation Firewall – The Right Place
• The Rule of All – All traffic, all ports, all the time; mobile and roaming users
• Progressive Inspection – Decode (190+ application and protocol decoders); decrypt (based on policy); decompress
• Stop the methods that attackers use to hide – Proxies; encrypted tunnels; peer-to-peer
Any Traffic Not Fully Inspected = Threats Missed
Proof: Evasion in Action
Unknown traffic traversing the DNS port
HTTP using random high ports
What Was In That Non-Standard Stream?
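The two findings above (a known application on a random high port, and unknown bytes on a port reserved for a known service) are exactly the mismatches a port-agnostic classifier surfaces. The following is an added example, not code from the slides or Palo Alto Networks' App-ID: the byte-pattern checks are deliberately simplified, and the flow records, labels and function names are constructed for illustration.

```python
# Added example: identify the application from the first payload bytes, never from the
# destination port, then report port/application mismatches. Simplified checks, not App-ID.
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"OPTIONS ", b"DELETE ")
STANDARD_PORTS = {"web-browsing": {80, 8080}, "ssl": {443}, "ssh": {22}, "dns": {53}}

def identify_app(proto, payload):
    """Return an app label from the leading bytes of a flow."""
    if proto == "tcp":
        if payload.startswith(HTTP_METHODS) and b" HTTP/1." in payload[:64]:
            return "web-browsing"
        # TLS record: content type 0x16 (handshake), major version 0x03, then ClientHello (0x01)
        if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
            return "ssl"
        if payload.startswith(b"SSH-"):
            return "ssh"
        return "unknown-tcp"
    if proto == "udp":
        # DNS query: 12-byte header with QR bit clear and QDCOUNT > 0, then a 1..63 byte label
        if (len(payload) >= 17 and (payload[2] & 0x80) == 0
                and payload[4:6] != b"\x00\x00" and 1 <= payload[12] <= 63):
            return "dns"
        return "unknown-udp"
    return "unknown"

def port_verdict(port, app):
    """'ok' when app and port agree; otherwise name the kind of mismatch seen."""
    if app in STANDARD_PORTS:
        return "ok" if port in STANDARD_PORTS[app] else "known-app-on-non-standard-port"
    for known, ports in STANDARD_PORTS.items():
        if port in ports:
            return "unknown-payload-on-%s-port" % known
    return "unknown"

def classify_flows(flows):
    """flows: iterable of (proto, dst_port, first_payload_bytes) -> list of (port, app, verdict)."""
    results = []
    for proto, port, payload in flows:
        app = identify_app(proto, payload)
        results.append((port, app, port_verdict(port, app)))
    return results

# Constructed flows: HTTP on a high port, real-looking TLS/SSH/DNS, and junk on udp/53.
SAMPLE_FLOWS = [
    ("tcp", 54321, b"GET /update HTTP/1.1\r\nHost: files.example.test\r\n\r\n"),
    ("tcp", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    ("tcp", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),
    ("udp", 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x04test\x00\x00\x01\x00\x01"),
    ("udp", 53, b"\xde\xad\xbe\xef" + b"\x00" * 20),
]

if __name__ == "__main__":
    for port, app, verdict in classify_flows(SAMPLE_FLOWS):
        print(port, app, verdict)
```

A firewall that only keys on the port would log the first flow as an unknown high-port session and the last as DNS; the payload view reverses both verdicts.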
Requirement 2: Threat Prevention That Performs
“Protecting Against the Known”
Coordinated Threat Prevention – An Integrated Approach to Threat Prevention
Coordinated intelligence to detect and block active attacks based on signatures, sources and behaviors.
[Matrix: protection technologies (App-ID; URL; IPS, Spyware, AV and Files under the Threat License; WildFire) mapped against the attack lifecycle stages Bait the end-user, Exploit, Download Backdoor, Establish Back-Channel, Explore & Steal]
Controls in the matrix:
• Block high-risk apps
• Block known malware sites
• Block the exploit
• Prevent drive-by-downloads
• Detect unknown malware
• Block malware
• Block spyware, C&C traffic
• Block C&C on non-standard ports
• Block malware, fast-flux domains
• Block new C&C traffic
Traditionally, More Security = Poor Performance
Traditional Security
• Each security box or blade robs the network of performance
• Threat prevention technologies are often the worst offenders
• Leads to the classic friction between network and security
[Chart: Best Case Performance – Firewall, Anti-Malware, IPS]
Single-Pass Pattern Match
Single-pass pattern match engine can provide multiple matches with one pass through the engine. Look once, get many answers.
Stream-Based Malware Analysis
In-line threat prevention is stream based, because it’s the only method that maintains performance.
Only Palo Alto Networks and Fortinet have stream-based malware analysis (requires specialized processors).
Validated in 3rd Party Testing
“Regardless of which UTM features we enabled - intrusion prevention, antispyware, antivirus, or any combination of these - results were essentially the same as if we'd turned on just one such feature. Simply put, there's no extra performance cost…”
-NetworkWorld, 2012
Requirement 3: Expect the Unknowns
“Where the Real Risk Lurks”
Unknown Traffic and Domains Used by Malware
Use unknowns as correlating factors for policy enforcement:
• No file downloads from unknown domains
• No HTTP posts to unknown domains
• Investigate and classify any unknown traffic
Systematically Classify the Unknowns
• Look for large numbers of sessions relative to bytes
• Look for concentrations of unknown traffic in one user or device
Unknown Does Not Mean Unmanageable
• “Unknown” traffic is found at significantly higher rates in malware than in valid network traffic
• Application Usage and Threat Report – Over 50% of custom UDP sessions triggered known malware logs
• Modern Malware Review – Custom TCP/UDP was the 3rd most common traffic type generated by unknown malware
• Enterprises can progressively reduce the amount of unknown traffic
• Create custom App-IDs for internally developed or custom applications
• Continually improve baselines to see what does not belong
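The two classification heuristics above (many sessions relative to bytes, and unknown traffic concentrated on one host) applied to traffic logs, as an added Python example that is not code from the slides or from PAN-OS: the log lines are constructed, the field layout (app, user, source, destination, bytes) is assumed for illustration, and the thresholds are arbitrary starting points to tune against your own baseline.

```python
# Added example (not from the slides): triage unknown-tcp/unknown-udp sessions from
# constructed firewall traffic-log lines. Field layout app,user,src,dst,bytes is assumed.
from collections import defaultdict

# Constructed sample: one host makes many tiny unknown sessions, another one large one.
SAMPLE_LOG = """\
web-browsing,alice,10.1.1.10,93.184.216.34,48210
unknown-udp,bob,10.1.1.20,198.51.100.7,96
unknown-udp,bob,10.1.1.20,198.51.100.7,88
unknown-udp,bob,10.1.1.20,198.51.100.9,92
unknown-tcp,bob,10.1.1.20,203.0.113.5,120
ssl,alice,10.1.1.10,93.184.216.34,152300
unknown-tcp,carol,10.1.1.30,203.0.113.40,2400000
dns,bob,10.1.1.20,10.1.1.1,180
"""

def parse_log(text):
    """Parse CSV-like lines into dicts; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        app, user, src, dst, nbytes = line.split(",")
        rows.append({"app": app, "user": user, "src": src, "dst": dst, "bytes": int(nbytes)})
    return rows

def triage_unknowns(rows, min_sessions=3, max_avg_bytes=256, concentration=0.5):
    """Flag source hosts whose unknown traffic is beacon-like (many sessions, few bytes each)
    or makes up a large share of everything that host does. Thresholds are arbitrary."""
    total = defaultdict(int)
    unk = defaultdict(lambda: {"sessions": 0, "bytes": 0, "user": None, "dsts": set()})
    for r in rows:
        total[r["src"]] += 1
        if r["app"].startswith("unknown-"):
            u = unk[r["src"]]
            u["sessions"] += 1
            u["bytes"] += r["bytes"]
            u["user"] = r["user"]
            u["dsts"].add(r["dst"])
    findings = {}
    for src, u in unk.items():
        avg = u["bytes"] / u["sessions"]
        share = u["sessions"] / total[src]
        reasons = []
        if u["sessions"] >= min_sessions and avg <= max_avg_bytes:
            reasons.append("many small unknown sessions")
        if share >= concentration:
            reasons.append("unknown traffic concentrated on host")
        if reasons:
            findings[src] = {"user": u["user"], "sessions": u["sessions"], "avg_bytes": avg,
                             "share": share, "destinations": sorted(u["dsts"]), "reasons": reasons}
    return findings
```

Hosts flagged only for concentration (a single large unknown session) are the candidates for a custom App-ID after investigation; hosts flagged for many small sessions deserve a look at the destinations first.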
Unknown Malware is An Everyday Problem
True Targeted Attacks – APT1, Stuxnet; nation-state operators; highly sophisticated; comparatively rare
Polymorphic Malware – Zeus, Kelihos; organized crime; heavily web driven; malware package is re-encoded to avoid signatures
• Both categories are critical risks
• Classic 80/20 problem
• We MUST do better at proactively blocking polymorphic malware
• At least 40% of malware are variants that can be blocked
Active Testing to Find Unknown Malware
• 10 Gbps Threat Prevention and file scanning
• All traffic, all ports
• Web, email, FTP and SMB
• Running in the cloud lets the malware do things that you wouldn’t allow in your network.
• Updates to sandbox logic without impacting the customer
• Malware signatures developed and tested based on malware payload.
• Stream-based malware engine to perform true inline enforcement.
Daily Coverage of Top AV Vendors
[Chart: New Malware Coverage Rate by Top 5 AV Vendors – Daily AV Coverage Rates for Newly Released Malware (50 Samples); y-axis: Malware Sample Count]
Real-World Spread of 0-Day Malware
• Analysis of 50 0-Day malware samples
• Captured by WildFire in live customer networks
• Tracked the spread and number of infections by hour following the initial infection
[Chart: Attempted Malware Infections by hour]
Real-World Spread of 0-Day Malware
[Chart: Attempted Malware Infections by hour, with a WildFire Subscription marker; 95% / 5% split]
Of the infections in the first two days after malware is released, 95% occur in the first 24 hours.
Re-establishing Visibility and Control
Validate All Traffic – Control any method that can hide traffic
• All traffic, all ports, all the time
• Decode, decrypt and decompress
Establish a Clean Baseline
• Classify any unknown traffic
• Learn what is normal for the network and users
Get Proactive
• Active analysis of unknown files
• Block
Sustainable Visibility and Control
Applications
• Visibility and control of all traffic, across all ports, all the time
• Reduce the attack surface
• Control the threat vector
• Control the methods that threats use to hide
Sources
• Control traffic sources and destinations based on risk
• Sites known to host malware
• Find traffic to command and control servers
• SSL decrypt high-risk sites
Known Threats
• Stop exploits, malware, spying tools, and dangerous files
• NSS tested and Recommended IPS
• Stream-based anti-malware based on millions of samples
• Control threats across any port
Unknown Threats
• Automatically identify and block new and evolving threats
• WildFire analysis of unknown files
• Visibility and automated management of unknown traffic
• Anomalous behaviors
Reducing Risk
Thank You