What Are We Missing? Practical Use of the Next-Generation Firewall: Controlling Modern Malware and Threats Jason Wessel – Solutions Architect.
©2013, Palo Alto Networks. Confidential and Proprietary.

Slide 2: Palo Alto Networks at a glance
Corporate highlights
• Founded in 2005; first customer shipment in 2007
• Safely enabling applications
• Able to address all network security needs
• Exceptional ability to support global customers
• Experienced technology and management team
• 900+ employees globally
Revenue ($MM, FYE July): FY09 $13; FY10 $49; FY11 $119; FY12 $255
Enterprise customers: Jul-10 1,800; Jul-11 4,700; Oct-12 10,000

Slide 3: Data Sources for Today's Talk
Application Data
• Application Usage and Risk Report (production networks)
• Taken from 1,636 live enterprise networks
• 30% North America, 30% Asia, 40% Europe
• 9.5 Petabytes of data
• 3 months of data
Malware Data
• WildFire Malware Analysis (evaluation networks)
• 26,000 unknown malware samples
• Collected from 1,000+ production enterprise networks at the firewall

Slide 4: The Lifecycle of Network Attacks
1. Bait the end-user: end-user lured to a dangerous application or website containing malicious content
2. Exploit: infected content exploits the end-user, often without their knowledge
3. Download Backdoor: secondary payload is downloaded in the background; malware installed
4. Establish Back-Channel: malware establishes an outbound connection to the attacker for ongoing control
5. Explore & Steal: remote attacker has control inside the network and escalates the attack

Slide 5: In Malware, Both Sides Are Malicious
• Attacks are blended and patient
- Exploits, malware and traffic
- Long-term time scale
• Malware is the strategic enabler
- Provides a persistent point of control inside the target network
• Malware enables evasion
- When both ends of a connection are malicious, new evasions become available: encryption, strange ports, tunneling, polymorphic malware, etc.
Exploits: exploits are delivered over the network (encryption, fragmentation)
Malware: malware is delivered over the network (re-encoded and targeted malware)
Spyware, C&C: malware communicates over the network (proxies, tunneling, encryption, custom traffic)

Slide 6: Solving Modern Malware and Targeted Threats
1. Full Visibility of Traffic
- Equal analysis of all traffic across all ports (no assumptions)
- Control the applications that attackers use to hide
- Decrypt, decompress and decode
2. Control the full attack lifecycle
- Exploits, malware, and malicious traffic
- Maintain context across disciplines
- Maintain predictable performance
3. Expect the Unknown
- Detect and stop unknown malware
- Automatically manage unknown or anomalous traffic

Slide 7: Requirement 1: Visibility Into All Traffic – "Got To See It to Prevent It"

Slide 8: Applications and Malware Evade Security
• Port-Based Evasion
- Traditional security enforces rules and signatures based on port
• Tunneling
- Hide inside allowed traffic
• Custom Protocols
- Unique TCP, UDP and encryption
• Custom Malware
- Targeted attacks
- Polymorphic malware

Slide 9: Evasion is Common in Applications
• Non-Standard Ports: applications that can dynamically use non-standard ports
- Evasive Applications – standard application behavior
- Security Best Practices – moving Internet-facing protocols off of standard ports (e.g. RDP)
• Tunneling Within Allowed Protocols: applications that can tunnel other apps and protocols
- SSL and SSH
- HTTP
- DNS
• Circumventors: applications designed to avoid security
- Proxies
- Anonymizers (Tor)
- Custom Encrypted Tunnels (e.g. Freegate, Ultrasurf)

Slide 10: How Evasive is "Evasive"
Chart of the number of distinct ports each application was observed on: SSL 27,749 ports; BitTorrent 21,222 ports; Skype Probe 4,740 ports; Skype 1,802 ports.

Slide 11: Circumventing Applications in Networks
• RDP Remote Access: 27 variants found 95% of the time; APT1 remote access
• External Proxies: 22 variants found 76% of the time; TDL-4 paid proxy service
• Encrypted Tunnels: non-VPN related, found 30% of the time; Ultrasurf observed as malware C2
Chart of the share of networks in which each application was found: RDP 80%, SSH 76%, telnet 62%, LogMeIn 53%, TeamViewer 42%, CGIProxy 30%, PHProxy 30%, CoralCDN 27%, FreeGate 15%, Tor 15%, Glype Proxy 14%, Hamachi 13%, UltraSurf 9%, Gbridge 3%, Gpass 3%.

Slide 12: Next Generation Firewall – The Right Place
• The Rule of All
- All traffic, all ports, all the time
- Mobile and roaming users
• Progressive Inspection
- Decode – 190+ application and protocol decoders
- Decrypt – based on policy
- Decompress
• Stop the methods that attackers use to hide
- Proxies
- Encrypted tunnels
- Peer-to-peer
Any Traffic Not Fully Inspected = Threats Missed

Slide 13: Proof: Evasion in Action
Screenshots: unknown traffic traversing the DNS port; HTTP using random high ports.

Slide 14: What Was In That Non-Standard Stream?
Screenshot of the captured non-standard stream.

Slide 15: Requirement 2: Threat Prevention That Performs – "Protecting Against the Known"

Slide 16: An Integrated Approach to Threat Prevention – Coordinated Threat Prevention
Controls mapped to the lifecycle stages (Bait the end-user, Exploit, Download Backdoor, Establish Back-Channel, Explore & Steal):
• App-ID: block high-risk apps; block C&C on non-standard ports
• URL: block known malware sites; block malware and fast-flux domains
• Threat License – IPS: block the exploit
• Threat License – Spyware: block spyware, C&C traffic
• Threat License – AV: block malware
• Files: prevent drive-by downloads
• WildFire: detect unknown malware; block new C&C traffic
Coordinated intelligence to detect and block active attacks based on signatures, sources and behaviors.

Slide 17: Traditionally, More Security = Poor Performance
• Each security box or blade robs the network of performance
• Threat prevention technologies are often the worst offenders
• Leads to the classic friction between network and security
Chart: best-case performance falls with each added stage (Firewall, IPS, Anti-Malware).

Slide 18: Single-Pass Pattern Match
A single-pass pattern match engine can provide multiple matches with one pass through the engine. Look once, get many answers.

Slide 19: Stream-Based Malware Analysis
In-line threat prevention is stream based, because it is the only method that maintains performance. Only Palo Alto Networks and Fortinet have stream-based malware analysis (requires specialized processors).

Slide 20: Validated in 3rd Party Testing
Threat Prevention Performance (Mbps): Firewall + IPS 5,372; Firewall + IPS + AV 5,318; Firewall + IPS + AV + Spyware 5,265.
"Regardless of which UTM features we enabled - intrusion prevention, antispyware, antivirus, or any combination of these - results were essentially the same as if we'd turned on just one such feature. Simply put, there's no extra performance cost…" – NetworkWorld, 2012

Slide 21: Requirement 3: Expect the Unknowns – "Where the Real Risk Lurks"

Slide 22: Unknown Traffic and Domains Used by Malware
Chart of the share of malware samples exhibiting each behavior: contained unknown TCP/UDP traffic 29.39%; visited an unregistered domain 24.38%; sent out emails 20.46%; used the POST method in HTTP 12.38%; triggered known IPS signature 7.10%; IP country different from HTTP host TLD 6.92%; downloaded files with an incorrect file extension 5.56%; connected to a non-standard HTTP port 4.53%; produced unknown traffic over the HTTP port 4.01%; visited a recently registered domain 2.33%; communicated with new DNS server 1.87%; visited a known dynamic DNS domain 0.56%; visited a fast-flux domain 0.47%.
Use unknowns as correlating factors for policy enforcement:
• No file downloads from unknown domains
• No HTTP posts to unknown domains
• Investigate and classify any unknown traffic

Slide 23: Systematically Classify the Unknowns
• Look for concentrations of unknown traffic in one user or device
• Look for large numbers of sessions relative to bytes

Slide 24: Unknown Does Not Mean Unmanageable
• "Unknown" traffic is found at significantly higher rates in malware than in valid network traffic
- Application Usage and Threat Report – over 50% of custom UDP sessions triggered known malware logs
- Modern Malware Review – custom TCP/UDP was the 3rd most common traffic type generated by unknown malware
• Enterprises can progressively reduce the amount of unknown traffic
- Create custom App-IDs for internally developed or custom applications
- Continually improve baselines to see what does not belong

Slide 25: Unknown Malware is An Everyday Problem
True Targeted Attacks: APT1, Stuxnet; nation-state operators; highly sophisticated; comparatively rare
Polymorphic Malware: Zeus, Kelihos; organized crime; heavily web driven; malware package is re-encoded to avoid signatures
• Both categories are critical risks
• Classic 80/20 problem
• We MUST do better at proactively blocking polymorphic malware
• At least 40% of malware are variants that can be blocked

Slide 26: Active Testing to Find Unknown Malware
• 10 Gbps Threat Prevention and file scanning
• All traffic, all ports
• Web, email, FTP and SMB
• Running in the cloud lets the malware do things that you wouldn't allow in your network
• Updates to sandbox logic without impacting the customer
• Malware signatures developed and tested based on malware payload
• Stream-based malware engine to perform true inline enforcement

Slide 27: Daily Coverage of Top AV Vendors
Chart: Daily AV Coverage Rates for Newly Released Malware (50 samples), malware sample count by how many of the top 5 AV vendors (0 to 5) covered each sample, Day-0 through Day-6 (New Malware Coverage Rate by Top 5 AV Vendors).

Slide 28: Real-World Spread of 0-Day Malware
• Analysis of 50 0-day malware samples
• Captured by WildFire in live customer networks
• Tracked the spread and number of infections by hour following the initial infection
Chart: attempted malware infections per hour over the first 48 hours.

Slide 29: Real-World Spread of 0-Day Malware (WildFire Subscription)
In the first two days after malware is released, 95% of infections occur in the first 24 hours.
Chart: attempted malware infections per hour over the first 48 hours, with the WildFire subscription marker.
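The unknown-traffic heuristics on slides 13, 22 and 23 (concentration of unknown traffic on one host, many sessions relative to bytes, unknown traffic on the DNS port, HTTP on random high ports) can be run over exported traffic logs. The triage below is an added example, not Palo Alto Networks code; the log field layout, the thresholds and the sample lines are assumptions constructed for illustration (unknown-tcp, unknown-udp and web-browsing are used as the application labels).

```python
from collections import defaultdict

# Constructed sample traffic-log lines (assumed layout): src,app,dst_port,bytes
SAMPLE_LOG = """\
10.0.0.5,web-browsing,80,184320
10.0.0.5,ssl,443,90112
10.0.0.5,dns,53,212
10.0.0.9,unknown-udp,53,96
10.0.0.9,unknown-udp,53,88
10.0.0.9,unknown-udp,53,91
10.0.0.9,unknown-tcp,6667,120
10.0.0.9,web-browsing,51234,300
10.0.0.12,web-browsing,80,500000
10.0.0.12,unknown-tcp,8443,40000
"""

UNKNOWN_APPS = {"unknown-tcp", "unknown-udp"}
HTTP_APPS = {"web-browsing"}

def parse_log(text):
    """Parse the assumed CSV layout into a list of session dicts."""
    rows = []
    for line in text.strip().splitlines():
        src, app, port, nbytes = line.split(",")
        rows.append({"src": src, "app": app, "port": int(port), "bytes": int(nbytes)})
    return rows

def triage(rows, unknown_share=0.5, min_sessions=3, max_avg_bytes=256):
    """Return {src: [reasons]} for hosts matching any slide heuristic."""
    per_host = defaultdict(list)
    for r in rows:
        per_host[r["src"]].append(r)
    findings = defaultdict(list)
    for src, sess in per_host.items():
        unknown = [s for s in sess if s["app"] in UNKNOWN_APPS]
        # Slide 23: concentration of unknown traffic on one host (ignores a lone session)
        if len(unknown) >= min_sessions and len(unknown) / len(sess) >= unknown_share:
            findings[src].append("unknown-traffic concentration")
        # Slide 23: many sessions relative to bytes (small, chatty beacon-like sessions)
        if len(sess) >= min_sessions and sum(s["bytes"] for s in sess) / len(sess) <= max_avg_bytes:
            findings[src].append("high session count relative to bytes")
        # Slide 13: unknown traffic on the DNS port, HTTP on a random high port
        if any(s["app"] in UNKNOWN_APPS and s["port"] == 53 for s in sess):
            findings[src].append("unknown traffic on DNS port")
        if any(s["app"] in HTTP_APPS and s["port"] >= 1024 for s in sess):
            findings[src].append("HTTP on non-standard high port")
    return dict(findings)

if __name__ == "__main__":
    for host, reasons in triage(parse_log(SAMPLE_LOG)).items():
        print(host, "->", ", ".join(reasons))
```

Only 10.0.0.9 is flagged: 10.0.0.12 has a single unknown-tcp session, which by itself does not meet the concentration threshold and so goes to the classification backlog rather than to an alert.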
Slide 30: Re-establishing Visibility and Control
• Validate All Traffic – control any method that can hide traffic
- All traffic, all ports, all the time
- Decode, decrypt and decompress
• Establish a Clean Baseline
- Classify any unknown traffic
- Learn what is normal for the network and users
• Get Proactive
- Active analysis of unknown files
- Block

Slide 31: Sustainable Visibility and Control
Applications
• Visibility and control of all traffic, across all ports, all the time
• Reduce the attack surface
• Control the methods that threats use to hide
• Control threats across any port
Sources
• Control traffic sources and destinations based on risk
• Sites known to host malware
• SSL decrypt high-risk sites
• Find traffic to command and control servers
Known Threats
• Stop exploits, malware, spying tools, and dangerous files
• NSS tested and Recommended IPS
• Stream-based anti-malware based on millions of samples
Unknown Threats
• Automatically identify and block new and evolving threats
• WildFire analysis of unknown files
• Visibility and automated management of unknown traffic
• Anomalous behaviors
Row themes: Reducing Risk; Control the threat vector

Thank You