Hiding in Plain Sight

Adriaan Joubert

Security Systems Engineer

Key Facts and Figures

2 | ©2014 Palo Alto Networks. Confidential and Proprietary.

• 5,500 networks analysed

• 2,100 applications detected

• 51 petabytes of bandwidth

• 16,809 unique threats

• Billions of threat logs

The Evolution of Your Network


What’s Hiding In Plain Sight?

Applications shown in the chart: VNC, SMB, pop3, snmp, dns, telnet, LDAP, ftp, SSL.

• Common sharing applications: heavily used, high in threats, low in activity

• 19% of all threats delivered are code execution exploits found within common sharing applications

• Only 5% of all threat activity was seen within these applications

• A small number of applications exhibited nearly all threat activity

• Malware: 99% of all malware logs were generated across a single application.

• Vulnerability exploits: 94% of all exploit logs were found in 10 applications.

• Applications that can use SSL – privacy, evasion, or Heartbleed risk?

• 34% of the applications can use SSL – how many are using OpenSSL?


Global Findings

Common Sharing Applications are Heavily Used


Application Variants

• How many video and filesharing applications are needed to run the business?

Bandwidth Consumed

• 20% of all bandwidth consumed by file-sharing and video alone

High in Threat Delivery; Low in Activity – Why?


• 19% of all threats are code execution exploits within common sharing applications

• Most commonly used applications: Email (SMTP, POP3, IMAP) and file-sharing (FTP, WebDAV)

Source: Palo Alto Networks, Application Usage and Threat Report. May 2014.

Low Activity? Effective Security or Something Else?


Low File Sharing Activity: Effective Security or Something Else?


(7) Code execution exploits seen in SMTP, POP3, IMAP and web browsing.

Chart labels: IMAP, SMTP, POP3, Web browsing, Twitter, Facebook.

Smoke.loader botnet controller

• Delivers and manages payload

• Steals passwords

• Encrypts payload

• Posts to URLs

• Anonymizes identity

Common Sharing Applications: Additional Risks

Source: Palo Alto Networks, Application Usage and Threat Report. Jan. 2013.

• Bandwidth impact on business applications

• Productivity loss from “watching” or “posting”

• Regulatory or copyright violations

• Loss of confidential data

• Videos or posts used as enticement to “click here”

• Downloads infected with malware


Unknown UDP: Malware Hiding Place of Choice

Source: Palo Alto Networks, Application Usage and Threat Report. Jan. 2013.

• 1 application delivered nearly all of the malware logs: UDP

• ZeroAccess command & control traffic represented nearly all of the traffic

Malware Activity Hiding in Plain Sight: UDP


Diagram labels: Blackhole Exploit Kit, ZeroAccess delivered, end point controlled, Bitcoin mining, SPAM, click fraud, $$$.

• Distributed computing = resilience

• High number of UDP ports masks its use

• Multiple techniques to evade detection

• Robs your network of processing power
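The slide's point is that a peer-to-peer botnet spreads its command-and-control over many high UDP ports and many peers, so it shows up in firewall logs as "unknown UDP" rather than as one identifiable application. The following is an added example, not code from the Palo Alto Networks deck or its products: it reads constructed flow records (the column layout, the `unknown-udp` application label, the 1024 port cut-off and the peer/port thresholds are all assumptions) and flags internal hosts whose unknown-UDP traffic fans out to many distinct peers on many distinct high ports, which is the behaviour a single legitimate service on a fixed port does not show.

```python
from collections import defaultdict

# Constructed flow records for illustration (not real firewall logs):
# time src dst proto dport app bytes
SAMPLE_FLOWS = """\
10:00:01 10.0.0.15 203.0.113.10 udp 20001 unknown-udp 120
10:00:02 10.0.0.15 203.0.113.11 udp 20002 unknown-udp 118
10:00:02 10.0.0.15 198.51.100.23 udp 20003 unknown-udp 122
10:00:03 10.0.0.15 198.51.100.24 udp 20004 unknown-udp 120
10:00:03 10.0.0.15 192.0.2.40 udp 20005 unknown-udp 119
10:00:04 10.0.0.15 192.0.2.41 udp 20006 unknown-udp 121
10:00:04 10.0.0.15 203.0.113.12 udp 20007 unknown-udp 120
10:00:05 10.0.0.15 203.0.113.13 udp 20008 unknown-udp 118
10:00:05 10.0.0.15 10.0.0.53 udp 53 dns 80
10:00:06 10.0.0.22 10.0.0.53 udp 53 dns 80
10:00:06 10.0.0.22 203.0.113.40 udp 123 ntp 76
10:00:07 10.0.0.22 203.0.113.41 udp 20001 unknown-udp 120
"""

EPHEMERAL_MIN = 1024  # assumed cut-off below which a UDP port counts as a well-known service


def parse_flow(line):
    """Split one constructed flow record into its fields."""
    ts, src, dst, proto, dport, app, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto,
            "dport": int(dport), "app": app, "bytes": int(nbytes)}


def unknown_udp_spread(lines):
    """Per source host: how many distinct remote peers and distinct high ports
    it reached over UDP flows the firewall could not classify (app == unknown-udp)."""
    peers = defaultdict(set)
    ports = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["proto"] != "udp" or f["app"] != "unknown-udp":
            continue  # classified traffic (dns, ntp, ...) is not what we are hunting
        if f["dport"] < EPHEMERAL_MIN:
            continue  # ignore unknown UDP on well-known ports; a different problem
        peers[f["src"]].add(f["dst"])
        ports[f["src"]].add(f["dport"])
    return {src: {"peers": len(peers[src]), "ports": len(ports[src])} for src in peers}


def p2p_suspects(spread, min_peers=5, min_ports=5):
    """Hosts fanning out over unknown UDP to many peers on many different high
    ports resemble peer-to-peer command-and-control rather than one service.
    Thresholds are assumptions to be tuned against your own baseline."""
    return sorted(src for src, s in spread.items()
                  if s["peers"] >= min_peers and s["ports"] >= min_ports)


if __name__ == "__main__":
    spread = unknown_udp_spread(SAMPLE_FLOWS.splitlines())
    for src, s in sorted(spread.items()):
        print(src, s)
    print("suspects:", p2p_suspects(spread))
```

In the constructed data, `10.0.0.15` talks unknown UDP to eight peers on eight different high ports and is flagged, while `10.0.0.22`, with one such flow, is not. On real logs the useful follow-up is the one the deck recommends for unknown applications: determine what the flagged host is running and where the traffic is going, then apply policy.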

Business Applications = Heaviest Exploit Activity


• 10 applications transmitted 94% of the exploit logs

• Primary source: brute force attacks

DNS ANY Query: A Simple Yet High Risk Attack


1) Begin attack

2) DNS query: "any" in example.com domain to open recursive DNS servers; set SRC to xx.xx.x.x (target IP)

3) Open DNS resolvers: ask example.com nameserver for record “any”

4) example.com responds: “example.com A 93.184.216.119 example.com NS b.iana-servers.net……”

Diagram labels: Target server: xx.xx.x.x; Name server: example.com; Open DNS Servers.

Ensure your business infrastructure components are isolated and protected.

DNS server: disabled
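The four steps above describe a reflection attack: the attacker spoofs the target's address as the source of small recursive ANY queries, and open resolvers send the much larger answers to the target. From the resolver operator's side, the defence on the slide ("DNS server: disabled" for outside clients) and the detection both follow from the same two facts: recursion should only be served to your own clients, and a burst of recursive ANY queries with a large response-to-request size ratio from an address you do not serve is the pattern to watch. The following is an added example, not code from the Palo Alto Networks deck: it reads constructed query-log lines (the column layout, the allowed client range and the thresholds are assumptions), applies the recursion policy, and summarizes the amplification seen per claimed client address.

```python
import ipaddress
from collections import defaultdict

# Constructed resolver query-log lines for illustration (not real BIND/Unbound output):
# timestamp client qname qtype rd|nord request_bytes response_bytes
SAMPLE_LOG = """\
2014-05-01T10:00:01Z 198.51.100.7 example.com ANY rd 64 3200
2014-05-01T10:00:01Z 198.51.100.7 example.com ANY rd 64 3200
2014-05-01T10:00:02Z 198.51.100.7 example.com ANY rd 64 3200
2014-05-01T10:00:02Z 198.51.100.7 example.com ANY rd 64 3200
2014-05-01T10:00:03Z 198.51.100.7 example.com ANY rd 64 3200
2014-05-01T10:00:05Z 10.0.0.15 intranet.corp.example A rd 52 96
2014-05-01T10:00:06Z 10.0.0.22 example.com MX rd 58 140
2014-05-01T10:00:07Z 203.0.113.9 example.com A nord 52 96
"""

# Assumed policy: only the internal network may ask this server for recursion.
RECURSION_CLIENTS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_line(line):
    """Split one constructed query-log line into its fields."""
    ts, client, qname, qtype, rd, req, resp = line.split()
    return {"ts": ts, "client": client, "qname": qname, "qtype": qtype.upper(),
            "rd": rd == "rd", "req": int(req), "resp": int(resp)}


def recursion_allowed(client, allowed=RECURSION_CLIENTS):
    """The 'DNS server: disabled' control from the slide: refuse recursion to
    anyone outside the allowed ranges, so the server cannot act as a reflector."""
    addr = ipaddress.ip_address(client)
    return any(addr in net for net in allowed)


def summarize(lines):
    """Per claimed client address: number of recursive ANY queries and the bytes
    requested versus bytes returned (the amplification the attacker is after)."""
    stats = defaultdict(lambda: {"any": 0, "req": 0, "resp": 0, "external": False})
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        s = stats[rec["client"]]
        s["external"] = not recursion_allowed(rec["client"])
        if rec["qtype"] == "ANY" and rec["rd"]:
            s["any"] += 1
            s["req"] += rec["req"]
            s["resp"] += rec["resp"]
    return dict(stats)


def suspected_reflection(stats, min_any=3, min_ratio=10.0):
    """Addresses outside the recursion policy that sent repeated recursive ANY
    queries with a large response/request ratio. Because the sender spoofs the
    source, the flagged address is the likely victim, not the attacker."""
    flagged = []
    for client, s in stats.items():
        if s["external"] and s["any"] >= min_any and s["req"]:
            ratio = s["resp"] / s["req"]
            if ratio >= min_ratio:
                flagged.append((client, s["any"], round(ratio, 1)))
    return sorted(flagged)


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG.splitlines())
    for client, s in sorted(stats.items()):
        print(client, "recursion allowed:", recursion_allowed(client), s)
    print("suspected reflection targets:", suspected_reflection(stats))
```

In the constructed log the five ANY queries claiming to come from `198.51.100.7` each draw a 3200-byte answer for a 64-byte request, a 50x ratio, and that address is outside the recursion range, so it is reported; the internal lookups and the non-recursive external query are not. The policy function is the part that matters operationally: if `recursion_allowed` is enforced before answering, the server never sends those answers in the first place.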


The Two Faces of SSL

Challenge: Is SSL used to protect data and privacy, or to mask malicious actions?

Chart labels: TDL-4, Poison Ivy, Rustock, APT1, Ramnit, Citadel, Aurora, BlackPOS, Trojan.POSRAM; tcp/443, tcp/80, tcp/139; 10am-5pm.


Chart labels: ftp, icmp, netbios, webdav, ssl.


• Widely used remote access tool – found on 75% of your networks

• Uses SSL, hops ports, is digitally signed

• “Free” for non-commercial use, supported on many devices

• TeamSpy: Background installation and full end point control

• Enabled theft of 85 pieces of system (end point) info

• Utilized a range of evasion techniques to remain hidden

SSL: Protection, Evasion or Heartbleed Risk?

34% (539) of the applications found can use SSL. What is your exposure?


Dealing with the Heartbleed Risk


Heartbleed will be with us for some time

• Exert tighter control over those applications that can use SSL

• Identify and patch your affected systems

• Work with your cloud application providers to expedite cleanup

• Get new keys

• Change your passwords

• Beware of the inevitable phishing campaigns

Recommendations and Actions

• Common sharing applications

  • User education: “Say Yes to the Update” and “Think Before You Click!”

  • Gain agreement on business use case for each category

  • Document the policy; educate users; enforce with technology; review and adjust

• Unknown applications

  • Determine what they are and where they are going

  • Identify and isolate internal applications

  • Apply strict policies for unknown applications

• Internal, business applications and SSL

  • Reduce the volume of traffic and associated risks

  • Identify and isolate internal applications

  • Determine the applications that are using SSL to assess your Heartbleed exposure


Palo Alto Networks Enterprise Security Platform


Next-Generation Firewall

• Inspects all traffic

• Blocks known threats

• Sends unknown to cloud

• Extensible to mobile & virtual networks

Next-Generation Endpoint Protection

• Inspects all processes and files

• Prevents both known & unknown exploits

• Integrates with cloud to prevent known & unknown malware

Threat Intelligence Cloud

• Gathers potential threats from network and endpoints

• Analyzes and correlates threat intelligence

• Disseminates threat intelligence to network and endpoints


Unit 42 – Application Usage and Threat Report