What Are We Missing? Practical Use of the Next-Generation Firewall: Controlling Modern Malware and Threats
Jason Wessel – Solutions Architect

Transcript of the slide deck (32 slides).

Page 1: What Are We Missing? Practical Use of the Next-Generation Firewall: Controlling Modern Malware and Threats

Jason Wessel – Solutions Architect

Page 2: Palo Alto Networks at a glance

Corporate highlights

• Founded in 2005; first customer shipment in 2007
• Safely enabling applications
• Able to address all network security needs
• Exceptional ability to support global customers
• Experienced technology and management team
• 900+ employees globally

[Chart: Enterprise customers. 1,800 (Jul-10), 4,700 (Jul-11), 10,000 (Oct-12)]

[Chart: Revenue, $MM, FYE July. FY09 $13, FY10 $49, FY11 $119, FY12 $255]

2 | ©2013, Palo Alto Networks. Confidential and Proprietary.

Page 3: Data Sources for Today’s Talk

Application Data

• Application Usage and Risk Report (evaluation networks)
• Taken from 1,636 live enterprise networks
• 30% North America
• 30% Asia
• 40% Europe
• 9.5 Petabytes of data

Malware Data

• WildFire Malware Analysis (production networks)
• 26,000 unknown malware samples
• Collected from 1,000+ production enterprise networks at the firewall
• 3 months of data

Page 4: The Lifecycle of Network Attacks

1. Bait the end-user: end-user lured to a dangerous application or website containing malicious content
2. Exploit: infected content exploits the end-user, often without their knowledge
3. Download Backdoor: secondary payload is downloaded in the background; malware installed
4. Establish Back-Channel: malware establishes an outbound connection to the attacker for ongoing control
5. Explore & Steal: remote attacker has control inside the network and escalates the attack

4 | ©2012, Palo Alto Networks. Confidential and Proprietary.

Page 5: In Malware, Both Sides Are Malicious

Attacks are blended and patient: exploits, malware and traffic, on a long-term time scale

Malware is the strategic enabler: it provides a persistent point of control inside the target network

Malware enables evasion: when both ends of a connection are malicious, new evasions become available (encryption, strange ports, tunneling, polymorphic malware, etc.)

Page 6: Solving Modern Malware and Targeted Threats

1. Full Visibility of Traffic
• Equal analysis of all traffic across all ports (no assumptions)
• Control the applications that attackers use to hide
• Decrypt, decompress and decode

2. Control the full attack lifecycle
• Exploits, malware, and malicious traffic
• Maintain context across disciplines
• Maintain predictable performance

3. Expect the Unknown
• Detect and stop unknown malware
• Automatically manage unknown or anomalous traffic

Page 7: Requirement 1: Visibility Into All Traffic

“Got To See It to Prevent It”

Page 8: Applications and Malware Evade Security

• Port-Based Evasion: traditional security enforces rules and signatures based on port
• Tunneling: hide inside allowed traffic
• Custom Protocols: unique TCP, UDP and encryption
• Custom Malware: targeted attacks; polymorphic malware

Page 9: Evasion is Common in Applications

Non-Standard Ports
• Evasive applications
• Standard application behavior
• Security best practices: moving Internet-facing protocols off of standard ports (e.g. RDP)

Tunneling Within Allowed Protocols
• SSL and SSH
• HTTP
• DNS

Circumventors
• Proxies
• Anonymizers (Tor)
• Custom encrypted tunnels (e.g. Freegate, Ultrasurf)

568 applications that can dynamically use non-standard ports
260 applications that can tunnel other apps and protocols
82 applications designed to avoid security

Page 10: How Evasive is “Evasive”?

• SSL: 4,740 ports
• Skype: 1,802 ports
• Skype Probe: 27,749 ports
• BitTorrent: 21,222 ports

Page 11: Circumventing Applications in Networks

[Chart: share of networks on which each application was found, bars ranging from 3% to 80%. Applications: RDP, SSH, telnet, LogMeIn, TeamViewer, CGIProxy, PHProxy, CoralCDN, FreeGate, Glype Proxy, Tor, Hamachi, UltraSurf, Gbridge, Gpass]

Remote Access: 27 variants, found 95% of the time (APT1 remote access)

External Proxies: 22 variants, found 76% of the time (TDL-4 paid proxy service)

Encrypted Tunnels: non-VPN related, found 30% of the time (Ultrasurf observed as malware C2)

Page 12: Next Generation Firewall – The Right Place

• The Rule of All: all traffic, all ports, all the time; mobile and roaming users
• Progressive Inspection: decode (190+ application and protocol decoders); decrypt (based on policy); decompress
• Stop the methods that attackers use to hide: proxies, encrypted tunnels, peer-to-peer

Any Traffic Not Fully Inspected = Threats Missed

Page 13: Proof: Evasion in Action

• Unknown traffic traversing the DNS port
• HTTP using random high ports
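The two cases on this slide, and the port-based evasion described on slides 8 to 12, come down to one question: does the payload agree with the port? The following is an added example, not from the deck and not Palo Alto Networks code. It is a toy classifier that labels a flow first by destination port (what a port-based rule set sees) and then by its first payload bytes, and reports every flow where the two disagree. The port table, the sample flows and the simplified protocol checks (an HTTP request line, an SSH banner, a TLS handshake record header, a sane DNS query header) are all constructed for illustration; a production decoder set is far larger and also handles the server side of each exchange.

```python
"""Port-based versus payload-based identification of captured flows.

Added example, not from the deck: a toy version of the "look at the
payload, not the port" idea behind the Rule of All and progressive
inspection. The port table and the flow records are constructed.
"""
import re
from dataclasses import dataclass

# Hypothetical port table standing in for a port-based rule set.
PORT_TABLE = {53: "dns", 80: "http", 443: "ssl", 22: "ssh"}


@dataclass
class Flow:
    proto: str      # "tcp" or "udp"
    dport: int
    payload: bytes  # first client-to-server bytes of the stream


HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


def classify_by_port(flow):
    """What a port-based device would call this flow."""
    return PORT_TABLE.get(flow.dport, "unknown")


def looks_like_dns(payload):
    """Minimal DNS header sanity check (RFC 1035 section 4.1.1): a query with
    QR=0, a standard opcode and a small question count."""
    if len(payload) < 12:
        return False
    flags = int.from_bytes(payload[2:4], "big")
    qdcount = int.from_bytes(payload[4:6], "big")
    qr, opcode = flags >> 15, (flags >> 11) & 0xF
    return qr == 0 and opcode in (0, 1, 2) and 1 <= qdcount <= 4


def classify_by_content(flow):
    """Identify the application from the payload, ignoring the port."""
    p = flow.payload
    if HTTP_REQUEST.match(p):
        return "http"
    if p.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    if len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03 and p[2] <= 0x04:
        return "ssl"  # TLS handshake record, protocol version 3.x
    if flow.proto == "udp" and looks_like_dns(p):
        return "dns"
    return "unknown"


def find_evasions(flows):
    """Flows whose port-based label disagrees with the payload: exactly the
    traffic a port-only device mislabels or waves through."""
    out = []
    for f in flows:
        by_port, by_content = classify_by_port(f), classify_by_content(f)
        if by_port != by_content:
            out.append((f.proto, f.dport, by_port, by_content))
    return out


# Constructed sample flows.
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # id, RD, 1 question
             b"\x07example\x03com\x00\x00\x01\x00\x01")             # example.com A IN
SAMPLE_FLOWS = [
    Flow("udp", 53, DNS_QUERY),                                           # real DNS
    Flow("udp", 53, b"\xaa\xbb\xff\xff\xff\xff" + b"\x00" * 6 + b"not dns"),  # unknown on the DNS port
    Flow("tcp", 49173, b"GET /update.bin HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"),  # HTTP on a random high port
    Flow("tcp", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),  # real TLS ClientHello start
    Flow("tcp", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),                       # SSH on the SSL port
]

if __name__ == "__main__":
    for proto, port, by_port, by_content in find_evasions(SAMPLE_FLOWS):
        print(f"{proto}/{port}: port says {by_port}, payload says {by_content}")
```

Run as a script it prints the three mismatches: unknown payload on UDP/53, HTTP on TCP/49173, and SSH on TCP/443. The point for a detection engineer is the third column: a device that only consults the port table logs these as dns, unknown and ssl, and the first and third of those would never surface as anomalies at all.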

Page 14: What Was In That Non-Standard Stream?

Page 15: Requirement 2: Threat Prevention That Performs

“Protecting Against the Known”

Page 16: Coordinated Threat Prevention: An Integrated Approach to Threat Prevention

Technologies (rows): App-ID, URL, IPS, Spyware, AV (Threat License), Files, WildFire

Attack lifecycle (columns): Bait the end-user, Exploit, Download Backdoor, Establish Back-Channel, Explore & Steal

Protections placed against the lifecycle:
• Block high-risk apps
• Block known malware sites
• Block the exploit
• Prevent drive-by-downloads
• Detect unknown malware
• Block malware
• Block spyware, C&C traffic
• Block C&C on non-standard ports
• Block malware, fast-flux domains
• Block new C&C traffic

Coordinated intelligence to detect and block active attacks based on signatures, sources and behaviors

Page 17: Traditionally, More Security = Poor Performance

Traditional Security
• Each security box or blade robs the network of performance
• Threat prevention technologies are often the worst offenders
• Leads to the classic friction between network and security

[Chart: Best Case Performance vs. Firewall, Anti-Malware, IPS]

Page 18: Single-Pass Pattern Match

A single-pass pattern match engine can provide multiple matches with one pass through the engine. Look once, get many answers.

Page 19: Stream-Based Malware Analysis

In-line threat prevention is stream based, because it’s the only method that maintains performance.

Only Palo Alto Networks and Fortinet have stream-based malware analysis (requires specialized processors).
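The two slides above describe one mechanism from two angles. As an added example (not the deck's and not any vendor's engine), here is the classic way to get "look once, get many answers" in software: an Aho-Corasick automaton built from several byte signatures. Every input byte is visited exactly once, every signature that ends at that byte is reported, and the only state carried from one byte to the next is the current automaton node, which is what makes the same walk continue across packet-sized chunks without first reassembling and buffering the whole stream. The signatures and the sample HTTP response carrying an executable are constructed for this illustration; they are not product signatures.

```python
"""Single-pass, stream-capable multi-pattern matching (Aho-Corasick).

Added example, not from the deck. The automaton walks each byte once and
reports all signatures ending there; feed() keeps only the current node
between calls, so chunks can arrive packet by packet.
"""
from collections import deque


class StreamMatcher:
    def __init__(self, signatures):
        self.goto = [{}]   # node -> {byte: next node}
        self.out = [[]]    # node -> names of signatures ending at this node
        self.fail = [0]    # node -> longest proper suffix that is also a node
        for name, pattern in signatures.items():        # build the trie
            node = 0
            for b in pattern:
                if b not in self.goto[node]:
                    self.goto.append({}); self.out.append([]); self.fail.append(0)
                    self.goto[node][b] = len(self.goto) - 1
                node = self.goto[node][b]
            self.out[node].append(name)
        # Failure links by breadth-first traversal, so a parent's link is
        # final before its children need it.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                # Signatures that are suffixes of this one also end here.
                self.out[s] = self.out[s] + self.out[self.fail[s]]
        self.reset()

    def reset(self):
        self.node, self.pos = 0, 0

    def feed(self, chunk):
        """Advance over one chunk; return (name, end offset) for every match,
        including matches that straddle the previous chunk boundary."""
        hits = []
        for b in chunk:
            node = self.node
            while node and b not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(b, 0)
            self.node = node
            self.pos += 1
            for name in self.out[node]:
                hits.append((name, self.pos))
        return hits

    def scan(self, data):
        """Whole-buffer scan, for comparison with the chunked walk."""
        self.reset()
        return self.feed(data)


def scan_chunked(signatures, data, chunk_size):
    """Feed the stream in fixed-size pieces, as packets would arrive."""
    m = StreamMatcher(signatures)
    hits = []
    for i in range(0, len(data), chunk_size):
        hits += m.feed(data[i:i + chunk_size])
    return hits


# Constructed signatures (illustrative only) and a constructed sample stream.
SIGNATURES = {
    "http-200":    b"HTTP/1.1 200 OK",
    "content-exe": b"application/x-msdownload",
    "mz":          b"MZ",
    "dos-stub":    b"This program cannot be run in DOS mode",
    "pe-sig":      b"PE\x00\x00",
}
SAMPLE_STREAM = (b"HTTP/1.1 200 OK\r\nContent-Type: application/x-msdownload\r\n\r\n"
                 b"MZ\x90\x00\x03\x00\x00\x00This program cannot be run in DOS mode.\r\n$PE\x00\x00")

if __name__ == "__main__":
    for name, end in scan_chunked(SIGNATURES, SAMPLE_STREAM, 7):
        print(f"{name} ends at byte {end}")
```

With 7-byte chunks every signature except `mz` crosses at least one chunk boundary, and the chunked walk still returns exactly the same (name, offset) list as a whole-buffer scan. A file-based engine would have to hold the entire response before the first byte could be judged; the stream engine has already reported the executable content type and the MZ header while the rest of the body is still arriving.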

Page 20: Validated in 3rd Party Testing

“Regardless of which UTM features we enabled - intrusion prevention, antispyware, antivirus, or any combination of these - results were essentially the same as if we'd turned on just one such feature. Simply put, there's no extra performance cost…”

– NetworkWorld, 2012

Page 21: Requirement 3: Expect the Unknowns

“Where the Real Risk Lurks”

Page 22: Unknown Traffic and Domains Used by Malware

Use unknowns as correlating factors for policy enforcement:

• No file downloads from unknown domains
• No HTTP posts to unknown domains
• Investigate and classify any unknown traffic

Page 23: Systematically Classify the Unknowns

• Look for large numbers of sessions relative to bytes
• Look for concentrations of unknown traffic in one user or device

Page 24: Unknown Does Not Mean Unmanageable

• “Unknown” traffic is found at significantly higher rates in malware than in valid network traffic
• Application Usage and Threat Report: over 50% of custom UDP sessions triggered known malware logs
• Modern Malware Review: custom TCP/UDP was the 3rd most common traffic type generated by unknown malware
• Enterprises can progressively reduce the amount of unknown traffic
• Create custom App-IDs for internally developed or custom applications
• Continually improve baselines to see what does not belong
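Slides 22 to 24 together describe a workflow: name the unknown traffic you can explain, use "unknown" as a correlating factor in policy for the rest, and hunt through what remains. The following is an added example, not from the deck and not a Palo Alto Networks feature, that runs that workflow over constructed session records. It parses key=value lines, relabels unknown-tcp/udp sessions that match a hypothetical custom application definition (the custom App-ID idea), applies the two unknown-domain rules from slide 22 as policy, and runs the two heuristics from slide 23 (many sessions with few bytes each, and one source accounting for most of the unknown traffic). The log format, addresses, thresholds and the custom application are all assumptions made for the illustration.

```python
"""Triage of unknown traffic from firewall session records.

Added example, not from the deck. The log format, every address and the
thresholds are assumptions made for this illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed key=value session log, one session per line.
SAMPLE_LOG = """\
src=10.1.1.10 user=alice dst=203.0.113.5 dport=443 proto=tcp app=ssl domain_cat=known bytes=52000 method=- file=-
src=10.1.1.10 user=alice dst=198.51.100.7 dport=80 proto=tcp app=web-browsing domain_cat=unknown bytes=410 method=POST file=-
src=10.1.1.22 user=bob dst=198.51.100.7 dport=80 proto=tcp app=web-browsing domain_cat=unknown bytes=1200000 method=GET file=exe
src=10.1.1.22 user=bob dst=203.0.113.5 dport=80 proto=tcp app=web-browsing domain_cat=known bytes=800000 method=GET file=pdf
src=10.1.1.40 user=carol dst=192.0.2.77 dport=53 proto=udp app=unknown-udp domain_cat=unknown bytes=90 method=- file=-
src=10.1.1.40 user=carol dst=192.0.2.77 dport=53 proto=udp app=unknown-udp domain_cat=unknown bytes=88 method=- file=-
src=10.1.1.40 user=carol dst=192.0.2.77 dport=53 proto=udp app=unknown-udp domain_cat=unknown bytes=91 method=- file=-
src=10.1.1.40 user=carol dst=192.0.2.77 dport=53 proto=udp app=unknown-udp domain_cat=unknown bytes=90 method=- file=-
src=10.1.1.40 user=carol dst=192.0.2.77 dport=53 proto=udp app=unknown-udp domain_cat=unknown bytes=89 method=- file=-
src=10.1.1.15 user=dave dst=10.0.5.20 dport=8201 proto=tcp app=unknown-tcp domain_cat=internal bytes=40000 method=- file=-
src=10.1.1.22 user=bob dst=192.0.2.91 dport=4444 proto=tcp app=unknown-tcp domain_cat=unknown bytes=150 method=- file=-
"""

# Hypothetical custom application definitions (the custom App-ID idea):
# (destination, port, protocol) -> application name.
CUSTOM_APPS = {("10.0.5.20", 8201, "tcp"): "corp-erp"}

# Hunting thresholds, assumed for this example; tune them to the network's baseline.
MIN_SESSIONS = 5       # at least this many unknown sessions from one source ...
MAX_AVG_BYTES = 200    # ... averaging fewer bytes than this looks like beaconing
CONCENTRATION = 0.5    # one source producing more than half of all unknown sessions


@dataclass
class Session:
    src: str
    user: str
    dst: str
    dport: int
    proto: str
    app: str
    domain_cat: str    # known / unknown / internal
    nbytes: int
    method: str        # HTTP method or "-"
    file: str          # transferred file type or "-"


def parse_log(text):
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(token.split("=", 1) for token in line.split())
        sessions.append(Session(kv["src"], kv["user"], kv["dst"], int(kv["dport"]),
                                kv["proto"], kv["app"], kv["domain_cat"],
                                int(kv["bytes"]), kv["method"], kv["file"]))
    return sessions


def classify_custom(s):
    """Turn unknown-tcp/udp into a named application when a custom definition matches."""
    if s.app.startswith("unknown-"):
        s.app = CUSTOM_APPS.get((s.dst, s.dport, s.proto), s.app)
    return s


def policy_decision(s):
    """Unknown domain as a correlating factor: deny downloads from and POSTs to it."""
    if s.domain_cat == "unknown" and s.file != "-":
        return ("deny", "file download from unknown domain")
    if s.domain_cat == "unknown" and s.method == "POST":
        return ("deny", "HTTP POST to unknown domain")
    return ("allow", "")


def hunt_unknowns(sessions):
    """Sessions-versus-bytes and concentration heuristics over unknown-app traffic."""
    per_src = defaultdict(lambda: [0, 0])   # src -> [session count, total bytes]
    for s in sessions:
        if s.app.startswith("unknown-"):
            per_src[s.src][0] += 1
            per_src[s.src][1] += s.nbytes
    total = sum(count for count, _ in per_src.values())
    findings = {}
    for src, (count, nbytes) in per_src.items():
        reasons = []
        if count >= MIN_SESSIONS and nbytes / count < MAX_AVG_BYTES:
            reasons.append("many small sessions")
        if total and count / total > CONCENTRATION:
            reasons.append("concentration of unknown traffic")
        if reasons:
            findings[src] = reasons
    return findings


def triage(text):
    """Returns (per-session decisions, per-source hunting findings)."""
    sessions = [classify_custom(s) for s in parse_log(text)]
    decisions = [(s.user, s.dst, s.app) + policy_decision(s) for s in sessions]
    return decisions, hunt_unknowns(sessions)


if __name__ == "__main__":
    decisions, findings = triage(SAMPLE_LOG)
    for d in decisions:
        print(*d)
    print(findings)
```

On the sample data the policy denies alice's POST and bob's executable download because the destination domain is unknown, dave's traffic to the internal ERP port stops being "unknown" once the custom definition matches, and the hunt flags only 10.1.1.40: five tiny sessions to one address on UDP/53 that make up five of the six remaining unknown sessions. bob's single session on TCP/4444 passes the policy, which is the reason the investigation step on slide 22 exists: it stays in the unknown bucket for a human to classify rather than disappearing.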

Page 25: Unknown Malware is An Everyday Problem

True Targeted Attacks: APT1, Stuxnet; nation-state operators; highly sophisticated; comparatively rare

Polymorphic Malware: Zeus, Kelihos; organized crime; heavily web driven; malware package is re-encoded to avoid signatures

• Both categories are critical risks
• Classic 80/20 problem
• We MUST do better at proactively blocking polymorphic malware
• At least 40% of malware are variants that can be blocked

Page 26: Active Testing to Find Unknown Malware

• 10 Gbps Threat Prevention and file scanning
• All traffic, all ports
• Web, email, FTP and SMB
• Running in the cloud lets the malware do things that you wouldn’t allow in your network
• Updates to sandbox logic without impacting the customer
• Malware signatures developed and tested based on malware payload
• Stream-based malware engine to perform true inline enforcement

Page 27: Daily Coverage of Top AV Vendors

[Chart: New Malware Coverage Rate by Top 5 AV Vendors; y-axis Malware Sample Count. Daily AV Coverage Rates for Newly Released Malware (50 Samples)]

Page 28: Real-World Spread of 0-Day Malware

• Analysis of 50 0-Day malware samples
• Captured by WildFire in live customer networks
• Tracked the spread and number of infections by hour following the initial infection

[Chart: Attempted Malware Infections vs. Hours]

Page 29: Real-World Spread of 0-Day Malware

[Chart: Attempted Malware Infections vs. Hours, with the WildFire Subscription point marked; segments labelled 95% and 5%]

In the first two days after malware is released, 95% of infections occur in the first 24 hours

Page 30: Re-establishing Visibility and Control

Validate All Traffic: control any method that can hide traffic
• All traffic, all ports, all the time
• Decode, decrypt and decompress

Establish a Clean Baseline
• Classify any unknown traffic
• Learn what is normal for the network and users

Get Proactive
• Active analysis of unknown files
• Block

Page 31: Sustainable Visibility and Control

Applications: visibility and control of all traffic, across all ports, all the time
• Reduce the attack surface
• Control the threat vector
• Control the methods that threats use to hide

Sources: control traffic sources and destinations based on risk
• Sites known to host malware
• Find traffic to command and control servers
• SSL decrypt high-risk sites

Known Threats: stop exploits, malware, spying tools, and dangerous files
• NSS tested and Recommended IPS
• Stream-based anti-malware based on millions of samples
• Control threats across any port

Unknown Threats: automatically identify and block new and evolving threats
• WildFire analysis of unknown files
• Visibility and automated management of unknown traffic
• Anomalous behaviors

Reducing Risk

Page 32: Thank You