Date posted: 13-Oct-2020
Academic Freedom vs. Application Chaos
Matt Keil

Transcript

Page 1: Academic Freedom vs. Application Chaos, Matt Keil | ©2012, Palo Alto Networks. Confidential and Proprietary.

Page 2

619 schools
1,000s of students
1,248 applications
1 challenge

Page 3

What do you really know about your network?

Page 4

Frequency That External Proxies Were Found?

Frequency is defined as a single instance found on a network (n=619).

Page 5

Frequency That External Proxies Were Found

A total of 34 different proxies were in use, with an average of five variants found on 85% of the 619 university networks.

Frequency is defined as a single instance found on a network (n=619).

Page 6

How Many Non-VPN Encrypted Tunnels Were Found?

Frequency is defined as a single instance found on a network (n=619).

Page 7

Frequency of Non-VPN Encrypted Tunnels

Non-VPN related tunnels were found on 67% of the university networks; the question is what the use case is.

Frequency is defined as a single instance found on a network (n=619).

Page 8

Students Find a Way

• Encrypted tunnels (Tor, UltraSurf, Hamachi) used to “hide”
• External proxies commonly used to bypass URL filtering
• Remote access commonly used to evade controls; known as a cyber criminal target

Page 9

TeamSpy: A Dark(er) Side of Remote Access Tools

Detection avoidance
• Used DLL hijacking to operate in the background
• Once compromised, the software was patched
• Issued sleep commands to avoid AV

Communications mechanism
• Modified TeamViewer (TV) for a persistent connection
• Fed data to C2 servers using HTTP commands

Who was targeted
• Activist/political groups, industrial organizations

What they looked for/stole
• Roughly 85 pieces of system (endpoint) info
• Devices and folder shares connected/in use
• Files containing info based on attacker interests
• Keystrokes and passwords

Challenge: TeamViewer hops ports, uses SSL, is digitally signed, and is widely used.

(Diagram: a visit to www.website.com installs TeamViewer 6 in the background.)

Page 10

How Much Bandwidth Is Consumed by File Transfer?

Page 11

% of Total Bandwidth Consumed by File Transfer?

P2P, browser-based and client-server file-sharing applications consumed 33% of total bandwidth, more than 3.5x the amount seen in enterprise environments.

Page 12

P2P Dwarfs All Other Application Categories

Page 13

How Many Applications ONLY Use Port 80?

Page 14

The Number of Applications Using Port 80 Exclusively

The number of applications that ONLY use port 80 is 307, or 25% of the 1,248 applications found on participating university networks.

Page 15

Port 80-Only Security Is Shortsighted

Port 80 represents significant risk, yet placing too much emphasis on it alone can be shortsighted.

Page 16

% of Applications That Can Use SSL?

Page 17

% of Applications That Can Use SSL?

289 out of 1,311 applications are capable of using SSL. The challenge we face is this: is the usage for security, or to hide something?

Page 18

SSL/Port 443: The Universal Firewall Bypass

Challenge: Is SSL used to protect data and privacy, or to mask malicious actions?

(Diagram: Freegate, TDL-4, Poison Ivy, Rustock, APT1, Ramnit, Bot, Citadel, Aurora and Gozi all shown communicating over tcp/443.)

Page 19

How Many Video and Social Media Applications in Use?

Page 20

The Number of Video and Social Media Applications

111 video and 86 social media applications were found: 15% of all applications and 18% of all bandwidth. Less than expected.

Page 21

(Diagram: attack lifecycle with the control each stage evades.)

Stages:
• Exploit kit malware from new domain
• ZeroAccess delivered
• C2 established
• Secondary payload
• Spread laterally
• Custom C2 & hacking
• Data stolen

Why each stage gets through:
• New domain has no reputation
• Payload designed to avoid AV
• Hidden within SSL
• Non-standard port use evades detection
• Custom malware = no AV signature
• Internal traffic is not monitored
• Custom protocol avoids C2 signatures
• RDP & FTP allowed on the network

Page 22

Conclusions

Solutions
• Inspect all traffic and set policy by application
• Coordinate threat prevention with appropriate policies
• Take an approach of safely enabling applications rather than blacklisting apps entirely

Challenges
• Students are evading existing security measures
• Malware is evading existing security measures
• Schools need to enable access, not block it
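The first solution above, inspecting all traffic and setting policy by application instead of by port, is what defeats the Page 21 evasions (non-standard port use, tunnels hidden within SSL, RDP allowed on the network). The following is an added example, not code from the slides or from Palo Alto Networks: it identifies the application from the first client bytes of a flow (HTTP request line, TLS ClientHello, SSH banner, RDP connection request, BitTorrent handshake), applies a hypothetical application-keyed policy, and escalates an otherwise allowed application that is riding on an unexpected port. The Flow record, POLICY, EXPECTED_PORTS and the sample flows are all constructed for this example.

```python
"""Application-aware flow triage (added example, not the slide deck's code).

Policy is keyed by the identified application, not by destination port, and a
flow whose application does not match its port is escalated for inspection.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # first client-to-server payload bytes of the flow


# Hypothetical policy: the application is the key, the port is irrelevant.
POLICY = {
    "web-browsing": "allow",
    "ssl": "allow",
    "ssh": "allow",
    "rdp": "alert",       # remote access: permitted only with review
    "bittorrent": "deny",
    "unknown": "alert",   # unidentified protocol: never silently allowed
}

# Ports on which each application is normally expected (assumed values).
EXPECTED_PORTS = {
    "web-browsing": {80, 8080},
    "ssl": {443},
    "ssh": {22},
    "rdp": {3389},
}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def identify_app(first_bytes: bytes) -> str:
    """Label the application from the leading client bytes, ignoring the port."""
    if first_bytes.startswith(HTTP_METHODS):
        return "web-browsing"
    # TLS record: content type 0x16 (handshake), major version 3, handshake type 1 (ClientHello)
    if len(first_bytes) >= 6 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03 and first_bytes[5] == 0x01:
        return "ssl"
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    # RDP: TPKT header (version 3) followed by an X.224 Connection Request (0xE0)
    if len(first_bytes) >= 6 and first_bytes[0] == 0x03 and first_bytes[1] == 0x00 and first_bytes[5] == 0xE0:
        return "rdp"
    # BitTorrent peer-wire handshake: length byte 0x13 then the protocol string
    if first_bytes.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    return "unknown"


def triage(flow: Flow) -> dict:
    """Apply the application policy and flag application/port mismatches."""
    app = identify_app(flow.first_bytes)
    verdict = POLICY.get(app, "alert")
    expected = EXPECTED_PORTS.get(app)
    port_mismatch = expected is not None and flow.dport not in expected
    if port_mismatch and verdict == "allow":
        verdict = "alert"  # allowed app on a non-standard port: inspect before trusting it
    return {"app": app, "verdict": verdict, "port_mismatch": port_mismatch}


# Constructed sample flows (documentation/test addresses, not real hosts).
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "93.184.216.34", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"),
    Flow("10.1.2.4", "93.184.216.34", 443, bytes.fromhex("160301007a010000760303")),
    Flow("10.1.2.5", "198.51.100.7", 8000, bytes.fromhex("160301007a010000760303")),  # TLS off 443
    Flow("10.1.2.6", "198.51.100.8", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),                # SSH hidden on 443
    Flow("10.1.2.7", "10.1.5.20", 3389, bytes.fromhex("0300001b0ee00000000000")),     # internal RDP
    Flow("10.1.2.8", "203.0.113.9", 80, b"\x13BitTorrent protocol" + bytes(8)),       # P2P on port 80
    Flow("10.1.2.9", "203.0.113.10", 80, bytes.fromhex("a1b2c3d4e5f6")),               # unidentified
]


def triage_all(flows=SAMPLE_FLOWS) -> list:
    return [triage(f) for f in flows]


def summarize(results) -> dict:
    """Count verdicts so the policy's effect on a traffic sample is visible."""
    counts = {}
    for r in results:
        counts[r["verdict"]] = counts.get(r["verdict"], 0) + 1
    return counts


if __name__ == "__main__":
    for flow, r in zip(SAMPLE_FLOWS, triage_all()):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  app={r['app']:<12} "
              f"verdict={r['verdict']:<5} port_mismatch={r['port_mismatch']}")
    print(summarize(triage_all()))
```

Run as a script it prints one line per sample flow: a port-80-only view would have allowed the BitTorrent handshake and the unidentified bytes on port 80 and would have seen nothing unusual about TLS on port 8000 or SSH on port 443; keying on the application denies the first, alerts on the others, and treats the internal RDP session as something to review rather than something the port number makes acceptable.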

Page 23

Palo Alto Networks at a glance

Corporate highlights
• Founded in 2005; first customer shipment in 2007
• Safely enabling applications and preventing cyber threats
• Able to address all network security and cybersecurity needs
• Exceptional ability to support global customers
• Experienced technology and management team
• 1,150+ employees globally

(Chart: enterprise customers, 4,700 at Jul-11, 9,000 at Jul-12, 13,500 at Jul-13.)

(Chart: revenues in $MM, FYE July: FY09 $13, FY10 $49, FY11 $119, FY12 $255, FY13 $396.)
