Practical Use of the Next-Generation Firewall: Controlling Modern Malware and Threats

decisioncrunch | Networking and Communications

Nov 20, 2013



About Palo Alto Networks

Palo Alto Networks is the Network Security Company
- World-class team with strong security and networking experience
- Founded in 2005, first customer July 2007
- Top-tier investors

Builds next-generation firewalls that identify/control 1200+ applications
- Restores the firewall as the core of the enterprise network security infrastructure
- Innovations: App-ID™, User-ID™, Content-ID™

Global footprint: 4,500+ customers in 70+ countries, 24/7 support


Agenda

1. Brief review of modern malware and threats
2. Introduction to how the next-generation firewall can help
3. Steps and best practices you can take today


The State of Intrusions Today

Advanced Malware and Intrusions Are Here Today
- Steady stream of high-profile, sophisticated breaches and intrusions
- All types of enterprises and information are being targeted:
  - Intellectual property (RSA)
  - Customer information (Epsilon)
  - Information to enable further attacks on business partners (Comodo)
  - Political/hacktivism (US Senate)
- Breaches are not limited to financial information: if it is valuable to you, it is likely valuable to someone else


What Has Changed / What is the Same

The attacker changed
- Nation-states
- Criminal organizations
- Political groups

Attack strategy evolved
- Patient, multi-step process
- Compromise user, then expand

Attack techniques evolved
- New ways of delivering malware
- Hiding malware communications
- Signature avoidance










The Sky is Not Falling
- Not new, just more common
- Solutions exist
- Don’t fall into “the APT ate my homework” trap


Strategy: Patient Multi-Step Intrusions

(Diagram: the enterprise, with the attack phases Infection, Command and Control, Escalation and Exfiltration, and the actors Organized Crime, Nation-States and Hacktivists)

Opportunities for Security
- Threats need your network to function
- Multiple chances to detect and correlate
- Expand security beyond the perimeter

Recognize the Modern Threat Shell Game

In the physical world: the mark is lured into trying to follow the pea, when the real game is about sleight of hand.

How it applies to threats:
- Our old habits make us think of malware as the pea (an executable payload, probably carried in an email).
- In reality, modern malware relies on sleight of hand: how to infect, persist and communicate without being detected.


Multi-Step Intrusions

(Diagram repeated: Infection, Command and Control, Escalation, Exfiltration; actors Organized Crime and Hacktivists)

Convergence of Malware and Network Security

(Diagram: Infection, Command and Control, Escalation, Exfiltration)

To understand network attacks, you must understand malware
- Provides a persistent control point inside the network
- Malware is the hacker’s application

To understand modern malware, you must understand the network
- Ongoing control of the attack
- Escalates the attack
- Update and change functions



The Lifecycle of Modern Malware

(Diagram of the lifecycle phases and the techniques used in each)
- Infection: social engineering, drive-by-downloads, obscured traffic, unknown malware
- Persistence: rootkits/bootkits, inject into the OS, disable endpoint security, backdoors
- Communication: encryption, proxies, tunneling, non-standard ports, social applications and P2P
- Command & Control: update configuration, download new exe

The Threat Lifecycle

Infection
- Phishing (social)
- Hide transmission (SSL, IM)
- Remote exploit (shell access)
- Malware delivery (drive-by)

Persistence
- Rootkits
- Backdoor (Poison Ivy)
- Anti-AV (infect MBR)

Communication
- Encryption (SSL, SSH, custom)
- Proxies, RDP, application tunnels
- Port evasions (tunnel over open ports)
- Fast flux (dynamic DNS)
- Common apps (social media, P2P)

Command & Control
- Update configuration files
- EXE updates
- Backdoors and proxies

Key Observations

1. Communications are the lifeblood of an attack
- Modern threats are networked threats
- Virtually every phase involves methods to hide and evade from security

2. Extensible framework
- If you can infect, persist, communicate and manage, then the threat functionality can be almost anything
- Begin to think of threats as a framework, not the functionality of the payload

3. Threats exist across multiple disciplines
- Applications: can hide and enable threats
- URLs and websites: can host and enable threats
- Exploits: create shell access to the target
- Malware: controls and uses the compromised target
- Files: used to update malware and steal data



The Value of the Next-Generation Firewall

1. Ensures visibility and control of all traffic
- Non-standard use of ports
- Tunneling within protocols
- Tunneling within SSL
- Remote desktop, SSH
- Anonymizers, proxies, personal VPNs, encrypted tunnels, etc.

2. Integrated approach to threat prevention
- Blocks risky applications or application features
- IPS and vulnerability protection
- Anti-malware
- File and content control
- Behavioral analysis of unknown threats



© 2010 Palo Alto Networks. Proprietary and Confidential.

What Palo Alto Networks Brings to the Fight

App-ID: What is the traffic and should it be allowed?
- Always the 1st task performed
- All traffic, all ports
- Always on

(Diagram: App-ID peels the traffic layer by layer: SSL, decrypted based on policy; HTTP tunnel, decoded; Skype, identified by signature; file transfer, BLOCKED)

Visibility and Control: all Palo Alto Networks security begins with an integrated full-stack analysis of all traffic regardless of port, protocol or evasion


The Palo Alto Networks Next-Generation Firewall

App-ID: What is the traffic and should it be allowed?
- Always the 1st task performed
- All traffic, all ports
- Always on

(Diagram: SSL, HTTP tunnel, Skype, file transfer)

Threat Prevention: stop threats within allowed traffic
- Single unified engine (single-pass)
- Always in application and user context
- Independent of port or evasion

- IPS: proven 93.4% block rate and performance
- Anti-Malware: millions of samples, 50k analyzed per day
- URL Filtering: malware sites, unknown and newly registered sites
- Content: control file types, downloads, specific content
- Behavioral Analysis

Visibility and Control + Integrated Threat Prevention

Example: TDL-4*

TDL-4
- Extension of earlier malware, a.k.a. Alureon, TDSS, TDL
- Named “the indestructible botnet” due to its ability to protect itself from takedowns/takeovers

*Derived from analysis by Kaspersky Labs

Command & Control
- Kad P2P network
- C&C servers
- Proxy through infected hosts

Communication
- Proprietary encryption
- Tunneled within SSL
- Sells proxy as a service

Persistence
- Infects MBR
- 32/64 bit rootkits

Infection
- Any (outsourced to affiliates)
- Drive-by-downloads easily the most common

20+ Programs Used
- Malicious apps, Fake AV, Spam, Adware, etc.

Protecting Against TDL-4

Indestructible does not mean indefensible

How to Use Palo Alto Networks to Control TDL-4
- Prevent infection
  - Drive-by download protection
  - Block risky sites
  - Decrypt social networking
- Prevent communications
  - Decrypt SSL to unknown sites
  - Block unknown or proprietary encryption
  - Limit proxies to select proxies and approved users
- Disrupt command and control
  - Block Kad usage



Best Practices

NGFW Best Practices
1. Reduce your exposure
2. Ensure visibility into traffic
3. Lock down use of commonly open ports
4. Prevent infections
5. Implement full protection from known threats
6. Analyze events in context
7. Investigate the unknowns


1 - Reduce the Exposure

Block Unneeded and High-Risk Applications
- Block (or limit) peer-to-peer applications
- Block unneeded applications that can tunnel other applications
- Review the need for applications known to be used by malware
- Block anonymizers such as Tor
- Block encrypted tunnel applications such as UltraSurf
- Limit use to approved proxies
- Limit use of remote desktop

2 - Ensure Visibility into All Traffic

Classify all traffic on all ports
- This is core to a NGFW’s job, but most don’t do it
- Check protocol decoders

Expand visibility beyond the perimeter
- Inside the network: remember that much of a modern intrusion happens inside the network
- Outside the network: deliver the same application control and threat prevention outside as inside

(Diagram: a firewall seeing FTP, SSH, Telnet, HTTP and IM traffic on ports 21, 22, 23, 80 and 531)

2b - Ensure Visibility

Control SSL
- Applications and sites are moving to SSL by default
  - Facebook, Google, etc.
  - 36% of applications by bandwidth

Establish SSL Decryption Policies
- Decrypt policies: social networking, webmail, IM, message boards, micro-blogging, gaming sites
- Do not decrypt policies: health care sites and applications, financial sites and applications, secure channels

3 - Lock Down Use of Commonly Open Ports

Botnets and malware regularly communicate on ports that are open by default
- DNS (port 53) is a favorite

The next-generation firewall lets you set policy that only DNS traffic should be allowed on port 53 and block everything else
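As an added example (not from the deck, and not Palo Alto Networks code), the port-53 rule expressed as an audit over constructed traffic log lines: the decision keys on the application the classifier identified, not on the port number, so anything that is not DNS on port 53 is what the policy would deny. The log format (src,dst,proto,dport,app) is invented for the example.

```python
# Added example: audit of an "only DNS on port 53" policy over constructed
# traffic log lines. The CSV layout is invented for this example; "app" is what
# an App-ID style classifier decided the session actually was.
import csv
from collections import Counter
from io import StringIO

SAMPLE_LOG = """src,dst,proto,dport,app
10.1.1.56,8.8.8.8,udp,53,dns
10.1.1.34,203.0.113.9,tcp,53,unknown-tcp
10.1.1.34,203.0.113.9,udp,53,unknown-udp
192.168.1.4,198.51.100.7,tcp,53,ssh
10.1.1.16,8.8.4.4,udp,53,dns
10.1.1.34,203.0.113.9,tcp,53,ssl
"""


def port53_decision(app, dport):
    """Policy: on port 53 only traffic identified as DNS is allowed.
    Sessions on other ports are out of scope for this rule."""
    if dport != 53:
        return "not-in-scope"
    return "allow" if app == "dns" else "deny"


def audit_port53(log_text):
    """Return (src, dst, app) for every port-53 session the policy would deny."""
    denied = []
    for row in csv.DictReader(StringIO(log_text)):
        if port53_decision(row["app"], int(row["dport"])) == "deny":
            denied.append((row["src"], row["dst"], row["app"]))
    return denied


def hosts_by_violation(log_text):
    """Count denied port-53 sessions per source host. Repeat offenders are the
    first hosts to look at: a bot, or an unapproved tunnel over an open port."""
    return Counter(src for src, _, _ in audit_port53(log_text))


if __name__ == "__main__":
    for src, dst, app in audit_port53(SAMPLE_LOG):
        print(f"deny  {src} -> {dst}:53  app={app}")
    print(hosts_by_violation(SAMPLE_LOG).most_common())
```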

4 - Prevent Infections

Drive-by-Download Protection
- Detects downloads in the background even following an unknown exploit
- Host browser and OS will not report it
- Train users

(Diagram: user visits infected webpage; crafted image exploits vulnerability on client)

5 - Block Known Exploits and Malware

Known Threats are Still the Majority of Threats Today
- Malware and exploit kits are increasingly popular
- Vulnerability-facing signatures detect common variants

Full Protection With Performance
- Palo Alto Networks has shown the ability to meet datasheet speeds with all signatures enabled
- Common engine and signature format processes traffic to detect all threats

“Through 2015, over 90% of malware and exploits will continue to be known threats” - Gartner

6 - Evaluate Events in Context

Develop Context-Based Visibility
- Applications, patterns, sources and behaviors
- Correlate by user and application
- Known malware, known exploits, phone-home detection, download history, exploits, URL categories
- Treat unknowns as significant

7 - Aggressively Investigate the Unknowns

NGFW classifies all known traffic
- Custom App-IDs for internal or custom developed applications

Any remaining “unknown” traffic can be tracked and investigated
- Used in the field to find botnets and unknown threats

Behavioral Botnet Report
- Automatically correlates end-user behavior to find clients that are likely infected by a bot
- Unknown TCP and UDP, dynamic DNS, repeated file downloads/attempts, contact with recently registered domains, etc.
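As an added example (not the vendor’s report logic), a simplified behavioral botnet score that correlates, per user, the indicators the slide lists: unknown TCP/UDP, dynamic DNS, repeated file downloads and contact with recently registered domains. The log format, the weights and the threshold are assumptions made for the example; the point is that one indicator alone is weak and the score rises only when several distinct behaviors coincide for the same user.

```python
# Added example: per-user correlation of bot-like behaviors over constructed
# log lines. Format (user,src,app,url_category,file_download), weights and the
# threshold are assumptions for this example, not product values.
import csv
from collections import defaultdict
from io import StringIO

SAMPLE_LOG = """user,src,app,url_category,file_download
jeff.martin,10.1.1.34,unknown-tcp,unknown,0
jeff.martin,10.1.1.34,unknown-udp,unknown,0
jeff.martin,10.1.1.34,web-browsing,dynamic-dns,1
jeff.martin,10.1.1.34,web-browsing,newly-registered-domain,1
jeff.martin,10.1.1.34,web-browsing,newly-registered-domain,1
jeff.martin,10.1.1.34,web-browsing,newly-registered-domain,1
ann.lee,10.1.1.56,web-browsing,business,0
ann.lee,10.1.1.56,web-browsing,business,1
bob.chen,10.1.1.16,unknown-tcp,unknown,0
"""

# Each distinct indicator contributes once, however many sessions showed it.
INDICATOR_WEIGHTS = {
    "unknown-tcp-udp": 3,
    "dynamic-dns": 2,
    "recently-registered-domain": 2,
    "repeated-downloads": 2,
}
DOWNLOAD_REPEAT_THRESHOLD = 3  # downloads per user before "repeated" applies


def indicators_per_user(log_text):
    """Count raw indicator hits per user from the log lines."""
    seen = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(StringIO(log_text)):
        u = row["user"]
        if row["app"] in ("unknown-tcp", "unknown-udp"):
            seen[u]["unknown-tcp-udp"] += 1
        if row["url_category"] == "dynamic-dns":
            seen[u]["dynamic-dns"] += 1
        if row["url_category"] == "newly-registered-domain":
            seen[u]["recently-registered-domain"] += 1
        if row["file_download"] == "1":
            seen[u]["downloads"] += 1
    return seen


def botnet_report(log_text):
    """Return {user: (score, [indicators present])}."""
    report = {}
    for user, counts in indicators_per_user(log_text).items():
        hits = [k for k in INDICATOR_WEIGHTS
                if k != "repeated-downloads" and counts.get(k, 0) > 0]
        if counts.get("downloads", 0) >= DOWNLOAD_REPEAT_THRESHOLD:
            hits.append("repeated-downloads")
        report[user] = (sum(INDICATOR_WEIGHTS[h] for h in hits), hits)
    return report


def likely_infected(log_text, threshold=5):
    """Users whose correlated score reaches the threshold, for investigation."""
    return sorted(u for u, (s, _) in botnet_report(log_text).items() if s >= threshold)
```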

(Screenshot of the Behavioral Botnet Report: find specific users that are potentially compromised by a bot)

Summary

App-ID: all traffic, all ports, all the time
- Application signatures
- Heuristics
- Decryption
- Reduce the attack surface
- Remove the ability to hide

Patterns: prevents known threats
- 90% of threats through 2015 (Gartner)
- Block threats on all ports
- 93.4% block rate of known exploits
- 5M+ malware samples

Sources: block known sources of threats
- Malware hosting URLs
- Recently registered domains
- SSL decryption of high-risk sites
- Be wary of unclassified and new domains

Behaviors: detects pre-existing or unknown threats
- Dynamic DNS, fast flux
- Download patterns
- Unknown traffic

Questions

Recognize the Modern Malware Shell Game

Modern malware is largely defined by how it addresses 4 key problems:
- Infect: how does the malware infect the target without triggering traditional AV and anti-malware?
- Persist: how does the malware persist on the infected host and avoid removal?
- Communicate: how does the malware securely communicate without being detected?
- Manage: how does the malware establish effective command and control without exposing itself to take-over?

If malware can survive on the host, communicate securely and update itself, then the payload can be virtually anything

Recognize the Modern Malware Shell Game

Modern malware is largely defined by how it addresses 4 key problems:
- Infect: customized and polymorphic malware to avoid signature detection; drive-by-download (the attack begins with a remote exploit, and the malware is downloaded in the background following the successful exploit)
- Persist: root kits, back doors, anti-AV (infection of master boot record, process injection, etc.)
- Communicate: encryption, proxies, fast flux, dynamic DNS, peer-to-peer; many methods to hide from security
- Manage: command and control via a custom app or protocol, config files, EXE download, P2P and social networks, more use of fast flux

4 Qualities of Modern Malware

Infection: How does the malware infect the target without being detected?
- Remote exploits, hidden traffic, custom malware

Persistence: How does the malware remain on the infected host?
- Rootkits, backdoors, anti-AV

Communication: How does the malware communicate securely without being detected?
- Encryption, proxies & evasions, fast flux

Control: How does the malware coordinate and control itself without being taken over?
- Social media, configuration files, EXE updates

4 Qualities of Modern Malware

Infection: How does the malware infect the target without being detected?
- Threats: remote exploits, hidden traffic, custom malware
- Response: integrated IPS and anti-malware, drive-by-download protection, ensure visibility into traffic

Persistence: How does the malware remain on the infected host?
- Threats: rootkits, backdoors, anti-AV
- Response: detect and block backdoors, integrated anti-AV

Communication: How does the malware communicate securely without being detected?
- Threats: encryption, proxies & evasions, fast flux
- Response: decrypt SSL, block encryption; control proxies & evasions; track fast flux & dynamic DNS

Control: How does the malware coordinate and control itself without being taken over?
- Threats: social media, configuration files, EXE updates
- Response: control social media; detect configuration files via IPS; block EXE downloads

Long-Term Attacks Require Multiple Tactics

Applications / Evasions: attackers have learned to use applications and evasions to hide their traffic from security
- Travel over non-standard ports
- Tunnel within protocols
- Tunnel within SSL
- Dynamic DNS to cover their tracks
- Use circumventing applications (remote desktop, SSH)
- Use anonymizing applications (proxies, Tor, personal VPNs)

Exploits / Malware: the fusion of exploits and malware allows any connection to deliver malware
- Exploit user on a web page, establish shell access, download malware in background
- Malware is no longer simply an exe for a user to click on

Signature avoidance
- Polymorphic malware
- Zero-day vulnerabilities

Example

(Diagram of the attack chain, built up over three slides)
- User visits infected webpage
- Crafted image exploits vulnerability on client
- Exploit gains shell access and downloads malware in background
- Infected host used to investigate network, capture passwords, exploit other users and systems
- Diagram callouts for the channels used: Remote Desktop, SSL