1 | © 2015, Palo Alto Networks. Confidential and Proprietary.
TRAPS
Frederik van den Hof, Palo Alto Networks
ULTIMATE TEST DRIVE ADVANCED ENDPOINT PROTECTION
21 September 2016
Agenda
• Introductions, Goals and Objectives
• Palo Alto Networks Approach to Endpoint Security
• Hands-on Workshop
• Questions and Answers
Goals & Objectives
By the end of this workshop you should be able to:
• Understand the Traps prevention workflow that disrupts sophisticated threats targeting endpoints
• Understand and apply exploit and malware threat prevention components to a staged cyber campaign
• Understand Palo Alto Networks’ integrated approach to endpoint threat prevention
Harsh Reality – We Are More at Risk than Ever
• 60% of all breaches took minutes to compromise an organization
• 76% of exploited vulnerabilities were more than two years old
• #1: ranked from a total of ten different attack types
• Attackers are well funded and more sophisticated
• Launching zero-day attacks is more accessible and common
• Targeted attacks can only be solved on the endpoint
KEY TECHNIQUES USED TO COMPROMISE ENDPOINTS – A Critical Distinction
Exploit
§ Attacks on vulnerabilities in legitimate applications
§ Malformed data file
§ Enable attackers to execute arbitrary code
§ Small payload
Examples: weaponized PDF files & Flash videos
Malicious Executable
§ Malicious code
§ Does not rely on application vulnerabilities
§ Contains executable code
§ Aims to control the machine
§ Large payload
Examples: ransomware, fake AV
A Typical Cyber Attack Life Cycle
Prevention of an Attack at the Earliest Stage is Critical – Traps Exploit and Malware Prevention Blocks the Attack Before Any Malicious Activity Can Initiate
[Figure: attack life cycle stages – Plan the Attack (Gather Intelligence); Silent Infection (Leverage Exploit); Control Channel (Malware Communicates with Attacker); Execute Malware (Malicious File Executed); Steal Data (Data Theft, Sabotage, Destruction)]
Advanced Endpoint Protection – Why?
Today's Harsh Reality: Detection Alone is Not a Strategy
• 69% of attacks discovered via third party
• 205 average days to detect a targeted attack
Preventive Controls vs. Reactive Controls – limitations of today's reactive controls:
Traditional Detection
§ Requires prior knowledge
§ Scanning vs. activity-focused
§ Can be reverse engineered
Detection and Remediation
§ Malicious activity can disable detection
§ Remediation takes a great effort
§ Too much noise – detection is ignored
Network-Layer Security
§ Can’t see all content
§ No visibility to endpoint infections
§ Hard to block malicious activity on legit protocols
Cloud-Based Emulation
§ Can’t simulate all environments
§ Threat emulation can be identified by the malware
§ Can’t enforce actions on the endpoint
HOW TRAPS SOLVES THE PROBLEM
• Comprehensive exploit technique prevention without dependence on signatures or behavioral detection
• Ability to prevent malware infection
  • Detect all malware with WildFire integration
  • Apply local policy to stop execution of malware
  • Apply local restrictions to prevent suspicious executions
• Flexible and scalable management that fits enterprise operational environment
• Minimal footprint with no requirement for constant processing/scanning
Campaign Disruptions
SEQUENCE OF A SUCCESSFUL EXPLOIT – Operation DeputyDog
[Figure: Normal Application Execution → Heap Spray → DEP Circumvention → Utilizing OS Function → Begin Malicious Activity; the gaps between the steps are the vulnerabilities the exploit attack relies on]
1. Exploit attempt contained in a PDF sent by “known” entity.
2. PDF is opened and exploit techniques are set in motion to exploit vulnerability in Acrobat Reader.
3. Exploit evades AV and drops a malware payload onto the target.
4. Malware evades AV, runs in memory.
Begin Malicious Activity
§ Activate key logger
§ Steal critical data
§ More…
FOCUS ON BLOCKING THE TECHNIQUES – Operation DeputyDog
[Figure: Normal Application Execution → Heap Spray → Traps EPM → No Malicious Activity]
Traps Exploit Prevention Modules (EPM)
1. Exploit attempt blocked. Traps requires no prior knowledge of the vulnerability.
EVEN UNKNOWN TECHNIQUES WILL NOT SUCCEED – Operation DeputyDog v2
[Figure: Normal Application Execution → Unknown Exploit Technique → DEP Circumvention → Traps EPM → No Malicious Activity]
Traps Exploit Prevention Modules (EPM)
1. Exploit uses a new, unknown technique.
2. The required subsequent steps in the chain are still blocked, which prevents the malicious activity.
Prevention of One Technique in the Chain will Block the Entire Attack
Exploit Prevention Case Study – Unknown Exploits Utilize Known Techniques
[Table: exploit technique → Traps Exploit Prevention Module that blocks it]
IE Zero Day CVE-2013-3893 ‘Deputy Dog’
  Heap Spray → Memory Limit Heap Spray Check
  DEP Circumvention → UASLR
  ROP / Utilizing OS Function → ROP Mitigation / DLL Security
Adobe Reader CVE-2013-3346 ‘Uroburos’
  Heap Spray → Memory Limit Heap Spray Check and Shellcode Preallocation
  DEP Circumvention → UASLR
  Utilizing OS Function → DLL Security
Adobe Flash CVE-2015-3010/0311 ‘Forbes.com’
  ROP → ROP Mitigation
  JIT Spray → JIT Mitigation
  Utilizing OS Function → DLL Security
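The case study above names a "Memory Limit Heap Spray Check" as the module that breaks the first link of each chain. The following is an added illustration of what such a check looks like as detection logic; it is not Traps code and not Palo Alto Networks' algorithm. It runs over a constructed allocation trace (process id, block size, block content) and flags a process when many near-identical large blocks are allocated and their combined size crosses a memory budget. The thresholds, the fingerprint scheme and the record format are all assumptions.

```python
"""Memory-limit heap-spray check over an allocation trace (added example).

The trace format (pid, size, payload) and every threshold below are
assumptions for illustration; they are not Traps' real parameters.
"""
import hashlib
from collections import defaultdict

# Assumed thresholds: a spray shows up as many repeated large blocks whose
# total size crosses a per-process budget for one repeated pattern.
MIN_REPEATS = 50                 # repeated identical blocks before we care
MEMORY_LIMIT = 64 * 1024 * 1024  # 64 MiB budget for one repeated pattern
MIN_BLOCK = 64 * 1024            # ignore small allocations (normal churn)


def fingerprint(payload: bytes) -> str:
    """Hash the first 4 KiB of a block; sprayed blocks share their content."""
    return hashlib.sha256(payload[:4096]).hexdigest()


def check_heap_spray(events):
    """Return one finding per (pid, size, fingerprint) group that exceeds
    both the repeat count and the memory budget."""
    groups = defaultdict(lambda: {"count": 0, "bytes": 0})
    for pid, size, payload in events:
        if size < MIN_BLOCK:
            continue
        key = (pid, size, fingerprint(payload))
        groups[key]["count"] += 1
        groups[key]["bytes"] += size

    findings = []
    for (pid, size, fp), g in groups.items():
        if g["count"] >= MIN_REPEATS and g["bytes"] >= MEMORY_LIMIT:
            findings.append({
                "pid": pid,
                "block_size": size,
                "fingerprint": fp[:16],
                "count": g["count"],
                "total_bytes": g["bytes"],
            })
    return findings


def build_sample_trace():
    """Constructed trace: pid 100 behaves normally (varied 128 KiB blocks),
    pid 200 allocates 80 identical 1 MiB blocks (80 MiB, over budget),
    pid 300 repeats the same block only 20 times and stays under budget."""
    events = []
    for i in range(30):
        events.append((100, 128 * 1024, bytes([i]) * (128 * 1024)))
    block = b"A" * (1 << 20)
    for _ in range(80):
        events.append((200, 1 << 20, block))
    for _ in range(20):
        events.append((300, 1 << 20, block))
    return events


if __name__ == "__main__":
    for finding in check_heap_spray(build_sample_trace()):
        print(finding)
```

Only pid 200 is reported: pid 100 never repeats a block and pid 300 repeats one but stays below both thresholds, which is the kind of false-positive budget a real module has to tune against legitimate applications that cache large identical buffers.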
Exploit Prevention – User Experience
When an Exploitation Attempt is Made, the Exploit Hits a Trap and Fails before Any Malicious Activity is Initiated
[Figure: prevention flow]
• Infected document opened by unsuspecting user
• Traps is seamlessly injected into processes
• Exploit technique is attempted and blocked by Traps before any malicious activity is initiated
• Traps reports the event and collects detailed forensics
• Outcome: PDF process is terminated, forensic data is collected, user/admin is notified
EFFECTIVE MALWARE CONTROL
[Figure: user tries to open an executable file]
• Restrictions and Executable Rules – examples: Child Process? Restricted Folder or Device? Create Suspend?
• Hash checked against WildFire – verdict: Benign, Malicious or Unknown
• Malware Technique Prevention employed – example: Thread Injection?
• Malicious execution stopped
Attack Flow
[Figure: explorer.exe; %USERPROFILE%\AppData\Local\Temp; UNSIGNED]
• Attacker downloads Zeus to a Temp folder
• The downloaded malware is not signed by a legitimate certificate issuer
• Zeus attempts to inject its binary into the running system process “explorer.exe” in order to perform remote thread injection
• Once successful, Zeus seeks and finds banking credentials
MALWARE PROTECTION – Gameover Zeus
A multi-layered approach to malware prevention
[Figure: unsigned Zeus .exe in %USERPROFILE%\AppData\Local\Temp injecting into explorer.exe to reach credential files; each step meets a Traps layer]
• Execution Restriction Module 1 – Execution from Local\Temp
• Execution Restriction Module 2 – Unsigned Executables
• Malware Technique Prevention – Module: Thread Injection
[Figure: Traps Malware Protection layers – WildFire Known Verdict, On Demand Inspection, Injection Attempts Blockage; Traps exploit protection layers – Utilization of OS functions, JIT, Heap Spray]
Traps Kill-Points Through the Attack Life Cycle
[Figure: ten numbered kill-points across the stages Delivery, Exploitation, Download and Execute]
Exploitation – Traps Exploit Protection (Memory Corruption, Logic Flaws, DLL Security, JIT)
  Kill-points 1–3: Exploitation Technique 1, 2, 3
Download and Execute – Traps Malware Protection (kill-points 4–10)
  Execution Restriction 1, 2, 3 – Child Process, Unsigned Executable, Restricted Location
  Advanced Execution Control – Admin Pre-Set Verdicts, Local Verdict Check, WildFire Verdict Check, WildFire Inspection (Intelligence and Emulation)
  Malicious Behavior Protection – Thread Injection
Scalable Architecture – Traps Architecture Leverages a Scalable Endpoint Security Manager (ESM)
[Figure: Endpoints Running Traps ↔ ESM Server(s) ↔ ESM Console and Database (on premise); WildFire Threat Intelligence Cloud (off premise); SIEM / External Logging, Forensic Folder(s), SMTP Alerting]
3-Tier Management Structure
§ ESM Console
§ Database
§ ESM Servers (each supports 10,000 endpoints & scales horizontally)
Coverage and System Requirements
Supported Operating Systems
Workstations – Physical and Virtual
§ Windows XP SP3 (32-bit)
§ Windows Vista SP2
§ Windows 7
§ Windows 8 / 8.1
§ Windows 10
Servers – Physical and Virtual
§ Windows Server 2003 (+R2, 32-bit)
§ Windows Server 2008 (+R2)
§ Windows Server 2012 (+R2)
Footprint
§ 25 MB RAM
§ 0.1% CPU
§ No Scanning
Application Coverage
§ Default Policy: 100+ processes
§ Automatically detect new processes
§ Protect any application including in-house apps
Benefits
Business
§ Lower TCO
§ Zero-day prevention
§ Business continuity
Operations
§ Save time and money on Forensics and remediation
§ Easy to manage, does not require frequent updates
IT
§ Install patches on your own schedule
§ Compatible with existing solutions
§ Minimal performance impact
Intelligence
§ Forensics & Wildfire integration
§ Attack-triggered forensics collection
The Value of an Integrated Platform
Natively Integrated – Extensible – Automated
Threat Intelligence Cloud
§ Gathers potential threats from network and endpoints
§ Analyzes and correlates threat intelligence
§ Disseminates threat intelligence to network and endpoints
Next-Generation Firewall
§ Inspects all traffic
§ Blocks known threats
§ Sends unknown to cloud
§ Extensible to mobile & virtual networks
Advanced Endpoint Protection (TRAPS)
§ Inspects all processes and files
§ Prevents both known & unknown exploits
§ Integrates with cloud to prevent known and unknown malware
UTD Workshop Environment
[Figure: lab topology]
• Management Network 10.30.21.0/24 – Attacker Desktop, EndUser Desktop and ESM Server (addresses 10.30.21.101/24, 10.30.21.225/24, 10.30.21.211/24)
• Attack Network 10.196.35.16/28 – addresses 10.196.35.22/28 and 10.196.35.25/28
• Untrusted Network “CloudShare Network” / “Internet”
• Virtual FW
Activity 0: Login to UTD Workshop
• Cloudshare Class Link: https://use.cloudshare.com/Class/jrbve
• Student Passphrase: Vince the Fragile Goose
• A copy of the student guide can be found in the desktop folder “UTD-Doc” on the EndUser Desktop VM
Activity 1: The Sophisticated Threat
Scenario: Your organization is a new target for a cyber campaign operated by state-sponsored threat actors. These threat actors have performed initial reconnaissance and identified you as the target within your organization. You receive a well-crafted targeted email that contains a weaponized document leveraging an unknown exploit.
Goals:
• Take on the mantle of the targeted individual of a cyber campaign
• Experience a spearphish attack and results of the successful attempt despite AV protection enabled
• Control the compromised endpoint using njRAT
• Understand the stages involved in an advanced cyberattack
Activity 1: Cyber Attack Life Cycle
[Figure: Traps kill-points through the attack life cycle (Delivery, Exploitation, Download and Execute Malware), highlighting the stages covered in this activity]
Caveat
• Low probability that Adobe Reader may crash due to the nature of the pdf weaponization; proceed by double-clicking the pdf attachment again.
• This exercise shows a weaponized document bypassing AV:
  • However, the malware used will eventually be blocked if it is submitted and signature updates are turned on
  • Due to the configured WildFire restriction policy (i.e. endpoint lock-down), users are encouraged to explore AV before moving to Activity 2
Activity 2: Traps Introduction
Goals:
• Prevent malicious pdf execution by enabling Traps
• Review Traps prevention flow
• Introduce ESM dashboards
Traps features:
• ESM Policy
• Traps Agent
• ESM dashboards and alerts
Activity 3: Exploit Prevention
Goals:
• Identify the first stage of a sophisticated attack
• Experience how exploit techniques work in concert within the exploit chain
• Gain insight into Exploit Prevention Modules targeting exploit techniques
Traps features:
• Exploit Prevention Modules (EPM)
  • DLL Security
  • JIT Mitigation
Activity 3: Exploit Prevention Stage
[Figure: Traps kill-points through the attack life cycle, highlighting the Exploitation stage (Exploitation Technique 1 and 2, DLL Security, JIT)]
Activity 4: Malware Prevention
Goals:
• Identify second stage of a sophisticated attack
• Experience WildFire integration providing protection against unknown and known malware
• Enable best-practice restrictions to limit and prevent malicious executable behavior
Traps features:
• WildFire Validation and Inspection
• Malware Restriction Policies
  • Child process restriction
  • Local Folder execution restriction
  • Unsigned process executable restriction
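The malware-prevention flow shown earlier (restrictions and executable rules, then a hash verdict from admin pre-set verdicts, the local cache or WildFire) and the three restriction policies listed for this activity can be expressed as a small policy evaluator. The following is an added example written for this page; it is not Traps code and does not reproduce how the ESM policy engine is implemented. The event fields, the order in which the layers run, the restricted folder and parent lists, and the hash tables are all constructed assumptions.

```python
"""Layered execution-restriction evaluation (added example, not Traps code).

Evaluates a process-launch event against, in this assumed order:
  1. restricted-location rule (local Temp folder),
  2. unsigned-executable rule,
  3. child-process rule (launched by a document-handling application),
  4. hash verdict: admin pre-set verdicts first, then a cached WildFire
     verdict; anything else is 'unknown' and would be sent for inspection.
"""
import ntpath
from dataclasses import dataclass


@dataclass
class ExecEvent:
    path: str           # full path of the image being launched
    sha256: str         # hash of the image on disk (constructed values below)
    signed: bool        # carries a valid signature from a trusted issuer
    parent_image: str   # full path of the launching process


# Assumed policy, modelled on the Activity 4 restriction list.
RESTRICTED_FOLDERS = ("\\appdata\\local\\temp\\",)
RESTRICTED_PARENTS = {"winword.exe", "excel.exe", "acrord32.exe"}

# Constructed hashes standing in for real verdict tables.
BENIGN_HASH = "11" * 32       # admin pre-set verdict for an in-house tool
MALICIOUS_HASH = "ee" * 32    # cached WildFire verdict for a known sample
ADMIN_VERDICTS = {BENIGN_HASH: "benign"}
WILDFIRE_CACHE = {MALICIOUS_HASH: "malicious"}


def evaluate(event, admin_verdicts=ADMIN_VERDICTS, wildfire_cache=WILDFIRE_CACHE):
    """Return (decision, reason); decision is 'block', 'allow' or 'unknown'.
    Restrictions run before the verdict lookup so that a benign verdict can
    never override a location, signature or parent-process rule."""
    lowered = event.path.lower()
    for folder in RESTRICTED_FOLDERS:
        if folder in lowered:
            return "block", f"restricted folder: {folder}"
    if not event.signed:
        return "block", "unsigned executable"
    parent = ntpath.basename(event.parent_image).lower()
    if parent in RESTRICTED_PARENTS:
        return "block", f"child process of {parent}"
    verdict = admin_verdicts.get(event.sha256) or wildfire_cache.get(event.sha256)
    if verdict == "malicious":
        return "block", "known-malicious hash"
    if verdict == "benign":
        return "allow", "known-benign hash"
    return "unknown", "no local verdict; submit hash to WildFire"


def sample_events():
    """Constructed launch events covering each layer of the policy."""
    return [
        # Unsigned dropper in the user's Temp folder, as in the Zeus flow.
        ExecEvent(r"C:\Users\alice\AppData\Local\Temp\update.exe",
                  MALICIOUS_HASH, signed=False, parent_image=r"C:\Windows\explorer.exe"),
        # Signed binary, but spawned by a document-handling application.
        ExecEvent(r"C:\Users\alice\Downloads\invoice.exe", "33" * 32, signed=True,
                  parent_image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
        # Signed in-house tool with an admin pre-set benign verdict.
        ExecEvent(r"C:\Program Files\Vendor\tool.exe", BENIGN_HASH, signed=True,
                  parent_image=r"C:\Windows\explorer.exe"),
        # Signed, well-located binary nobody has seen before.
        ExecEvent(r"C:\Program Files\Other\new.exe", "22" * 32, signed=True,
                  parent_image=r"C:\Windows\explorer.exe"),
    ]


if __name__ == "__main__":
    for ev in sample_events():
        decision, reason = evaluate(ev)
        print(f"{decision:8s} {reason:45s} {ev.path}")
```

The first event is blocked by the location rule before its hash is ever looked up, which is the point of the layered design in the deck: a sample that WildFire has not yet seen still cannot run from Temp or without a signature. The last event returns "unknown", the branch where the local verdict check hands off to WildFire inspection.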
Activity 4: Malware Prevention Stage
[Figure: Traps kill-points through the attack life cycle, highlighting the Download and Execute Malware stage (Execution Restrictions 1–3, Advanced Execution Control, WildFire verdict check and inspection, Malicious Behavior Protection)]
Review: Traps Kill-Points Through the Attack Life Cycle
[Figure: Traps kill-points through the attack life cycle – Exploitation (Exploitation Technique 1 and 2, DLL Security, JIT) and Download and Execute Malware (Execution Restrictions 1–3, Advanced Execution Control, WildFire verdict check and inspection, Malicious Behavior Protection)]
Activity 5: Feedback on Ultimate Test Drive
• Click on the “Survey” tab in the lab environment to access the online survey form
• Please complete the survey and let us know what you think about this event
After today’s workshop,
• Go: https://www.paloaltonetworks.com/products/endpoint-security.html
• Watch: Introductory Video
• Listen: Customer Testimony
• Learn: Forrester Endpoint Thought Leadership – https://paloaltonetworks.com/resources/whitepapers.html
Student Login Link: https://use.cloudshare.com/Class/1z7qv
Student Passphrase: Takumi the Mindful Wallaby
APPENDIX
• Cloudshare issues: [email protected] or +1 (650) 331-3417