Post on 13-Oct-2020

Academic Freedom vs. Application Chaos

Matt Keil

619 schools
1,000s of students
1,248 applications
1 challenge

What do you really know about your network?

Frequency That External Proxies Were Found

4 | ©2012, Palo Alto Networks. Confidential and Proprietary.

A total of 34 different proxies were in use, with an average of five variants found on 85% of the 619 university networks.

Frequency is defined as a single instance found on a network (n=619).

Frequency of non-VPN Encrypted Tunnels

Non-VPN related tunnels were found on 67% of the university networks – the question is what is the use case?

Frequency is defined as a single instance found on a network (n=619).

Students Find a Way

• Encrypted tunnels (Tor, UltraSurf, Hamachi) used to “hide”
• External proxies commonly used to bypass URL filtering
• Remote access commonly used to evade controls; known as a cyber criminal target

TeamSpy: A Dark(er) Side of Remote Access Tools

Detection avoidance
• Used DLL hijacking to operate in the background
• Once compromised, the software was patched
• Issued sleep commands to avoid AV

Communications mechanism
• Modified TeamViewer for a persistent connection
• Fed data to C2 servers using HTTP commands

Who was targeted
• Activist/political groups, industrial organizations

What they looked for/stole
• Roughly 85 pieces of system (endpoint) info
• Devices and folder shares connected/in use
• Files containing info based on attacker interests
• Keystrokes and passwords

Challenge: TeamViewer hops ports, uses SSL, is digitally signed, widely used

[Diagram: victim visits www.website.com; TeamViewer 6 is installed in the background]

How Much Bandwidth Is Consumed by File Transfer?

P2P, browser-based and client-server filesharing applications consumed 33% of total bandwidth – more than 3.5X the amount seen in enterprise environments.

P2P Dwarfs All Other Application Categories

How Many Applications ONLY Use Port 80?

The number of applications that ONLY use port 80 is 307, or 25% of the 1,248 applications found on participating university networks.

Port 80-Only Security Is Shortsighted

Port 80 represents significant risks; yet too much emphasis on it can be shortsighted.

% of Applications That Can Use SSL

289 out of 1,311 applications are capable of using SSL. The challenge we face is this: is the usage for security or to hide something?

SSL/Port 443: The Universal Firewall Bypass

Challenge: Is SSL used to protect data and privacy, or to mask malicious actions?

[Diagram: malware and evasion tools communicating over tcp/443: Freegate, TDL-4, Poison Ivy, Rustock, APT1, Ramnit, Bot, Citadel, Aurora, Gozi]

How Many Video and Social Media Applications Are in Use?

111 video and 86 social media applications were found – 15% of all applications and 18% of all bandwidth. Less than expected.

[Diagram: attack lifecycle]

Stages, in order:
• Exploit Kit Malware From New Domain
• ZeroAccess Delivered
• C2 Established
• Secondary Payload
• Spread Laterally
• Custom C2 & Hacking
• Data Stolen

Evasion notes from the diagram:
• New domain has no reputation
• Payload designed to avoid AV
• Hidden within SSL
• Non-standard port use evades detection
• Custom malware = no AV signature
• Internal traffic is not monitored
• Custom protocol avoids C2 signatures
• RDP & FTP allowed on the network

Conclusions

Solutions
• Inspect all traffic and set policy by application
• Coordinate threat prevention with appropriate policies
• Take an approach of safely enabling applications rather than blacklisting apps entirely

Challenges
• Students are evading existing security measures
• Malware is evading existing security measures
• Schools need to enable access, not block it
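The difference between a port-based policy and the "set policy by application" approach the conclusions recommend (and that the SSL/tcp/443 slide motivates) is easiest to see with a small policy evaluator. The following is an added example, not code from the deck or from Palo Alto Networks: the rule sets, the flows, and the application labels ("tor", "teamviewer", "ssl", and so on) are constructed, and the "app" field stands in for whatever label an application-identification engine would assign to a flow.

```python
# Added example: port-based vs. application-aware policy evaluation.
# Flows, rules and app labels are constructed for illustration; the "app"
# field stands in for a label from an application-identification engine.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    app: str  # application label assigned by an app-ID engine (assumed)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    ports: frozenset = frozenset()   # empty means "any port"
    apps: frozenset = frozenset()    # empty means "any application"

    def matches(self, flow: Flow) -> bool:
        port_ok = not self.ports or flow.dport in self.ports
        app_ok = not self.apps or flow.app in self.apps
        return port_ok and app_ok


def evaluate(rules, flow, default="deny"):
    """First-match policy evaluation; returns (action, matching rule name)."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name
    return default, "default"


# Port-only policy: whatever is on 80/443 is treated as web traffic and allowed.
PORT_ONLY = [
    Rule("allow-web-ports", "allow", ports=frozenset({80, 443})),
]

# Application-aware policy: evasion tools are denied by label on any port, and
# identified web/SSL traffic is allowed regardless of the port it uses.
APP_AWARE = [
    Rule("deny-evasion-tools", "deny",
         apps=frozenset({"tor", "ultrasurf", "freegate", "hamachi", "external-proxy"})),
    Rule("allow-web-browsing", "allow",
         apps=frozenset({"web-browsing", "ssl"})),
]

# Constructed sample flows (addresses and labels are illustrative only).
SAMPLE_FLOWS = [
    Flow("10.1.1.10", "203.0.113.5", 443, "ssl"),          # ordinary HTTPS
    Flow("10.1.1.11", "198.51.100.7", 443, "tor"),         # Tor hiding on tcp/443
    Flow("10.1.1.12", "198.51.100.8", 443, "teamviewer"),  # port-hopping remote access
    Flow("10.1.1.13", "198.51.100.9", 8443, "ssl"),        # SSL on a non-standard port
]


def compare(flows=SAMPLE_FLOWS):
    """Map each flow to its (port-only decision, app-aware decision)."""
    return {
        (f.dst, f.dport, f.app): (evaluate(PORT_ONLY, f)[0], evaluate(APP_AWARE, f)[0])
        for f in flows
    }


if __name__ == "__main__":
    for key, (port_only, app_aware) in compare().items():
        print(f"{str(key):<40} port-only={port_only:<6} app-aware={app_aware}")
```

Run stand-alone, the table shows the two failure modes the deck describes: the port-only policy waves Tor and remote-access traffic through because they sit on tcp/443, and it blocks legitimate SSL on 8443 only by accident of port, whereas the application-aware policy decides on what the traffic is rather than where it lands.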


Palo Alto Networks at a Glance

Corporate highlights
• Founded in 2005; first customer shipment in 2007
• Safely enabling applications and preventing cyber threats
• Able to address all network security and cybersecurity needs
• Exceptional ability to support global customers
• Experienced technology and management team
• 1,150+ employees globally

[Chart: Enterprise customers]
Jul-11: 4,700
Jul-12: 9,000
Jul-13: 13,500

[Chart: Revenues, $MM, FYE July]
FY09: $13
FY10: $49
FY11: $119
FY12: $255
FY13: $396