
Cyber Threats: Industry Trends and Actionable Advice





Presentation Transcript


  1. Cyber Threats: Industry Trends and Actionable Advice Presented by: Elton Fontaine

  2. Palo Alto Networks Modern Malware. Elton Fontaine: CCIE, CNSE. SE Manager – West Territory, Palo Alto Networks

  3. What are we seeing

  4. Key Facts and Figures - Americas
     • 2,200+ networks analyzed
     • 1,600 applications detected
     • 31 petabytes of bandwidth
     • 4,600+ unique threats
     • Billions of threat logs

  5. Common Sharing Applications are Heavily Used
     • Application variants: how many video and file-sharing applications are needed to run the business?
     • Bandwidth consumed: 20% of all bandwidth consumed by file-sharing and video alone
     Source: Palo Alto Networks, Application Usage and Threat Report. May 2014.

  6. High in Threat Delivery; Low in Activity
     • 11% of all threats observed are code execution exploits within common sharing applications
     • Most commonly used applications: email (SMTP, Outlook Web, Yahoo! Mail), social media (Facebook, Twitter) and file-sharing (FTP)
     Source: Palo Alto Networks, Application Usage and Threat Report. May 2014.

  7. Low Activity? Effective Security or Something Else?

  8. Low Activity: Effective Security or Something Else?
     Applications in the diagram: Twitter, web browsing, SMTP, IMAP, POP3, Facebook
     Smoke.loader botnet controller:
     • Delivers and manages payload
     • Steals passwords
     • Encrypts payload
     • Posts to URLs
     • Anonymizes identity
     (7) Code execution exploits seen in SMTP, POP3, IMAP and web browsing.

  9. Malware Activity Hiding in Plain Sight: UDP
     Chain shown: Blackhole Exploit Kit → End point controlled → ZeroAccess delivered → Bitcoin mining, SPAM, click fraud ($$$)
     • Distributed computing = resilience
     • High number UDP ports mask its use
     • Multiple techniques to evade detection
     • Robs your network of processing power

  10. Unknown UDP Hides Significant Threat Activity
     • 1 application = 96% of all malware logs
     • ZeroAccess.Gen command & control traffic represents nearly all malware activity
     Source: Palo Alto Networks, Application Usage and Threat Report. May 2014.
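
The slides above make one operational point: a peer-to-peer bot such as ZeroAccess shows up in traffic logs as a single "unknown-udp" application fanning out to many peers on scattered high-numbered ports, and that is the traffic worth inspecting. The following Python is an added illustration, not code from the presentation or from Palo Alto Networks: it profiles unknown-UDP sessions per internal host from constructed log lines and flags hosts whose fan-out (distinct peers and distinct high ports) crosses thresholds. The key=value log layout, the addresses and the thresholds are all assumptions.

```python
"""Profile 'unknown-udp' sessions per internal host and flag the hosts whose
traffic looks like peer-to-peer command-and-control: many distinct peers on
many distinct high-numbered UDP ports, the pattern the slide describes for
ZeroAccess. Added illustration; the key=value line layout and the thresholds
are assumptions, not a vendor log format or vendor guidance."""
from dataclasses import dataclass, field

# Constructed sample traffic log (documentation address ranges).
SAMPLE_LOG = """\
2014-05-01T10:00:01 src=10.1.1.5 dst=203.0.113.10 proto=udp dport=16471 app=unknown-udp bytes=420
2014-05-01T10:00:02 src=10.1.1.5 dst=198.51.100.22 proto=udp dport=49250 app=unknown-udp bytes=388
2014-05-01T10:00:03 src=10.1.1.5 dst=203.0.113.77 proto=udp dport=31842 app=unknown-udp bytes=401
2014-05-01T10:00:04 src=10.1.1.5 dst=198.51.100.8 proto=udp dport=60129 app=unknown-udp bytes=395
2014-05-01T10:00:05 src=10.1.1.5 dst=203.0.113.140 proto=udp dport=22011 app=unknown-udp bytes=410
2014-05-01T10:00:06 src=10.1.1.5 dst=198.51.100.199 proto=udp dport=54377 app=unknown-udp bytes=377
2014-05-01T10:00:07 src=10.1.1.7 dst=203.0.113.5 proto=udp dport=27015 app=unknown-udp bytes=1200
2014-05-01T10:00:08 src=10.1.1.7 dst=203.0.113.5 proto=udp dport=27015 app=unknown-udp bytes=1180
2014-05-01T10:00:09 src=10.1.1.9 dst=192.0.2.53 proto=udp dport=53 app=dns bytes=90
2014-05-01T10:00:10 src=10.1.1.9 dst=192.0.2.7 proto=udp dport=123 app=ntp bytes=76
"""


@dataclass
class HostProfile:
    sessions: int = 0
    peers: set = field(default_factory=set)       # distinct destination hosts
    high_ports: set = field(default_factory=set)  # distinct destination ports >= 1024
    bytes_total: int = 0


def parse_log(text):
    """Yield one dict per log line: timestamp plus the key=value fields."""
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        rec = {"ts": fields[0]}
        for kv in fields[1:]:
            key, _, value = kv.partition("=")
            rec[key] = value
        yield rec


def profile_unknown_udp(records):
    """Aggregate unknown-udp sessions by source host."""
    profiles = {}
    for rec in records:
        if rec.get("app") != "unknown-udp" or rec.get("proto") != "udp":
            continue
        prof = profiles.setdefault(rec["src"], HostProfile())
        prof.sessions += 1
        prof.peers.add(rec["dst"])
        port = int(rec["dport"])
        if port >= 1024:  # high range, where P2P bots scatter their listeners
            prof.high_ports.add(port)
        prof.bytes_total += int(rec["bytes"])
    return profiles


def flag_suspicious(profiles, min_peers=5, min_high_ports=5):
    """Hosts whose unknown-udp fan-out meets both thresholds (constructed values).
    A host talking to one peer on one port (a game server, say) is not flagged."""
    return sorted(
        src for src, prof in profiles.items()
        if len(prof.peers) >= min_peers and len(prof.high_ports) >= min_high_ports
    )


if __name__ == "__main__":
    profiles = profile_unknown_udp(parse_log(SAMPLE_LOG))
    for src, prof in sorted(profiles.items()):
        print(f"{src}: {prof.sessions} sessions, {len(prof.peers)} peers, "
              f"{len(prof.high_ports)} high ports, {prof.bytes_total} bytes")
    print("flagged:", flag_suspicious(profiles))
```

The thresholds are deliberately two-dimensional: a single peer on a single high port is what a legitimate UDP game or VoIP session looks like, while many peers on many unrelated high ports is what a distributed bot looks like. Tune both against a baseline of your own unknown-UDP traffic before alerting on them.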

  11. Business Applications = Heaviest Exploit Activity
     • 90% of the exploit activity was found in 10 applications
     • Primary source: brute force attacks
     Source: Palo Alto Networks, Application Usage and Threat Report. May 2014.

  12. Target data breach – APTs in action. Attack chain shown on the slide:
     • Recon on companies Target works with
     • Spearphishing third-party HVAC contractor
     • Breached Target network with stolen payment system credentials
     • Moved laterally within Target network and installed POS malware
     • Compromised internal server to collect customer data
     • Exfiltrated data to command-and-control servers over FTP
     • Maintain access

  13. Best Practices

  14. Security from Policy to Application
     • What assumptions drive your security policy?
     • Does your current security implementation adequately reflect that policy?
     • Does your current security implementation provide the visibility and insight needed to shape your policy?
     Diagram labels: Assumptions, Policy, Visibility & Insight, Implementation

  15. Security Perimeter Paradigm: Organized Attackers → The Enterprise. Stages: Infection → Command and Control → Escalation → Exfiltration

  16. Is there Malware inside your network today??? Applications provide exfiltration
     • Threat communication
     • Confidential data

  17. Application Visibility
     • Reduce attack surface
     • Identify applications that circumvent security policy
     • Full traffic visibility that provides insight to drive policy
     • Identify and inspect unknown traffic

  18. Identify All Users
     • Do NOT trust, always verify all access
     • Base security policy on users and their roles, not IP addresses
     • For groups of users, tie access to specific groups of applications
     • Limit the amount of exfiltration via network segmentation
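
Slides 17 and 18 together describe a policy model: decisions keyed on the identified user's group and the application's group, unknown applications singled out for inspection rather than silently allowed, and everything else denied. The Python below is an added illustration of that model, not code from the presentation or from Palo Alto Networks; the user directory, application groups and rules are constructed, and the rule syntax is an assumption rather than any vendor's policy format.

```python
"""Access decisions keyed on user group and application group, never on the
source IP, with default deny and 'inspect' for applications that are not yet
identified. Added illustration with constructed directory, application groups
and rules; not a vendor policy format."""
from typing import NamedTuple, Optional

# Constructed directory: groups each identified user belongs to.
USER_GROUPS = {
    "alice": {"finance"},
    "bob": {"engineering"},
    "carol": {"finance", "engineering"},
}

# Constructed application groups; rules reference these, not ports or IPs.
APP_GROUPS = {
    "business-apps": {"sap", "outlook-web"},
    "dev-tools": {"github", "ssh"},
    "file-sharing": {"bittorrent", "dropbox"},
}


class Rule(NamedTuple):
    user_group: str   # "*" matches any identified user
    app_group: str
    action: str       # "allow" or "deny"


# Evaluated top-down, first match wins; anything unmatched falls to deny.
RULES = [
    Rule("*", "file-sharing", "deny"),             # reduce attack surface for everyone
    Rule("finance", "business-apps", "allow"),
    Rule("engineering", "business-apps", "allow"),
    Rule("engineering", "dev-tools", "allow"),
]


def app_group_of(app: str) -> Optional[str]:
    """Map an identified application to its group, or None if unknown."""
    for group, members in APP_GROUPS.items():
        if app in members:
            return group
    return None


def decide(user: Optional[str], app: str, src_ip: str = "") -> str:
    """Return 'allow', 'deny' or 'inspect'. src_ip is accepted only to make
    the point visible: it plays no part in the decision."""
    groups = USER_GROUPS.get(user or "")
    if not groups:
        return "deny"       # unidentified user: verify first, no implicit trust
    group = app_group_of(app)
    if group is None:
        return "inspect"    # unknown application: identify it before it earns a rule
    for rule in RULES:
        if rule.app_group == group and (rule.user_group == "*" or rule.user_group in groups):
            return rule.action
    return "deny"           # no matching rule


if __name__ == "__main__":
    cases = [
        ("alice", "sap", "10.1.1.5"), ("alice", "sap", "10.9.9.9"),   # same user, different IP
        ("alice", "github", "10.1.1.5"), ("carol", "github", "10.1.1.6"),
        ("bob", "dropbox", "10.1.1.7"), ("alice", "unknown-tcp", "10.1.1.5"),
        (None, "sap", "10.1.1.8"),
    ]
    for user, app, ip in cases:
        print(f"{str(user):6} {app:12} from {ip:10} -> {decide(user, app, ip)}")
```

Two things the toy makes concrete: alice gets the same answer from either address because identity, not location, carries the policy; and the "inspect" outcome for an unidentified application is where the unknown-traffic visibility from slide 17 feeds back into the rule set.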

  19. SSL/Port 443: The Universal Firewall Bypass
     Examples shown riding tcp/443: Freegate, Gozi, Rustock, Citadel, TDL-4, Aurora, Poison Ivy, Ramnit, Bot APT1
     Challenge: Is SSL used to protect data and privacy, or to mask malicious actions?

  20. Evolution of Network Segmentation & Datacenter Security
     • Packet filtering, ACLs, IP/port-based firewalling for known traffic? → Layer 1-4 stateful firewall
     • Port-hopping applications, malware, mobile users – different entry points into the DC? → Layer 7 “Next Generation” appliance

  21. Platform Solution

  22. Modern Attacks Are Coordinated
     • 1 Bait the end-user – End-user lured to a dangerous application or website containing malicious content
     • 2 Exploit – Infected content exploits the end-user, often without their knowledge
     • 3 Download Backdoor – Secondary payload is downloaded in the background; malware installed
     • 4 Establish Back-Channel – Malware establishes an outbound connection to the attacker for ongoing control
     • 5 Explore & Steal – Remote attacker has control inside the network and escalates the attack

  23. Coordinated Threat Prevention: An Integrated Approach to Threat Prevention
     Stages covered: Bait the end-user, Exploit, Download Backdoor, Establish Back-Channel, Explore & Steal
     Controls shown across the stages:
     • Block C&C on non-standard ports
     • Block high-risk apps
     • Reduce attack surface
     • Block known malware sites
     • Block malware, fast-flux domains
     • Block the exploit
     • Block spyware, C&C traffic
     • Block malware
     • Prevent drive-by-downloads
     • Detect unknown malware
     • Block new C&C traffic
     Coordinated intelligence to detect and block active attacks based on signatures, sources and behaviors

  24. Adapt to Day-0 threats
     Threat Intelligence Sources: WildFire Users, WildFire Cloud, On-Prem
     Signature type and update interval, in the order listed on the slide:
     • Anti-C&C Signatures – Constant
     • AV Signatures – Daily
     • DNS Signatures – Daily
     • Malware URL Filtering – 1 Week
     • WildFire Signatures – ~30 Minutes

  25. Contextual Awareness
