ultimate test drive advanced endpoint protection


Upload: nguyenque

Post on 31-Dec-2016


TRANSCRIPT

1 | © 2015, Palo Alto Networks. Confidential and Proprietary.

TRAPS

Frederik van den Hof, Palo Alto Networks

ULTIMATE TEST DRIVE ADVANCED ENDPOINT PROTECTION

21 september 2016


Agenda

•  Introductions, Goals and Objectives

•  Palo Alto Networks Approach to Endpoint Security

•  Hands-on Workshop

•  Questions and Answers


Goals & Objectives

By the end of this workshop you should be able to:

•  Understand the Traps prevention workflow that disrupts sophisticated threats targeting endpoints

•  Understand and apply exploit and malware threat prevention components to a staged cyber campaign

•  Understand Palo Alto Networks’ integrated approach to endpoint threat prevention

Ultimate Test Drive (UTD) TRAPS OVERVIEW (UTD-AEP-1.0)

Harsh Reality – We Are More at Risk than Ever

•  60% of all breaches took minutes to compromise an organization

•  76% of exploited vulnerabilities were more than two years old

•  #1 ranked from a total of ten different attack types

•  Attackers are well funded and more sophisticated

•  Launching zero-day attacks is more accessible and common

•  Targeted attacks can only be solved on the endpoint

KEY TECHNIQUES USED TO COMPROMISE ENDPOINTS – A Critical Distinction

Exploit

§  Attacks on vulnerabilities in legitimate applications
§  Malformed data file
§  Enable attackers to execute arbitrary code
§  Small payload

Examples: weaponized PDF files & Flash videos

Malicious Executable

§  Malicious code
§  Does not rely on application vulnerabilities
§  Contains executable code
§  Aims to control the machine
§  Large payload

Examples: ransomware, fake AV

A Typical Cyber Attack Life Cycle

Prevention of an attack at the earliest stage is critical: Traps exploit and malware prevention blocks the attack before any malicious activity can initiate.

Stages shown on the slide:

•  Plan the Attack – Gather Intelligence

•  Silent Infection – Leverage Exploit

•  Control Channel – Malware Communicates with Attacker

•  Execute Malware – Malicious File Executed

•  Steal Data – Data Theft, Sabotage, Destruction

Advanced Endpoint Protection – Why?

Today's Harsh Reality: Detection Alone is Not a Strategy

•  69% of attacks discovered via third party

•  205 average days to detect a targeted attack

Limitations of existing preventive and reactive controls, as grouped on the slide:

Traditional Detection
§  Requires prior knowledge
§  Scanning vs. activity-focused
§  Can be reverse engineered

Detection and Remediation
§  Malicious activity can disable detection
§  Remediation takes a great effort
§  Too much noise – detection is ignored

Network-Layer Security
§  Can’t see all content
§  No visibility to endpoint infections
§  Hard to block malicious activity on legit protocols

Cloud-Based Emulation
§  Can’t simulate all environments
§  Threat emulation can be identified by the malware
§  Can’t enforce actions on the endpoint

HOW TRAPS SOLVES THE PROBLEM

•  Comprehensive exploit technique prevention without dependence on signatures or behavioral detection

•  Ability to prevent malware infection
   •  Detect all malware with WildFire integration
   •  Apply local policy to stop execution of malware
   •  Apply local restrictions to prevent suspicious executions

•  Flexible and scalable management that fits the enterprise operational environment

•  Minimal footprint with no requirement for constant processing/scanning

Campaign Disruptions

SEQUENCE OF A SUCCESSFUL EXPLOIT (Operation DeputyDog)

Chain shown on the slide: Normal Application Execution → Heap Spray → DEP Circumvention → Utilizing OS Function → Exploit Attack → Begin Malicious Activity. Gaps are vulnerabilities.

1. Exploit attempt contained in a PDF sent by “known” entity.

2. PDF is opened and exploit techniques are set in motion to exploit a vulnerability in Acrobat Reader.

3. Exploit evades AV and drops a malware payload onto the target.

4. Malware evades AV, runs in memory.

Begin Malicious Activity:
§  Activate key logger
§  Steal critical data
§  More…

FOCUS ON BLOCKING THE TECHNIQUES (Operation DeputyDog)

Chain shown on the slide: Normal Application Execution → Heap Spray → Traps EPM → No Malicious Activity.

Traps Exploit Prevention Modules (EPM)

1. Exploit attempt blocked. Traps requires no prior knowledge of the vulnerability.

EVEN UNKNOWN TECHNIQUES WILL NOT SUCCEED (Operation DeputyDog v2)

Chain shown on the slide: Normal Application Execution → Unknown Exploit Technique → DEP Circumvention → Traps EPM → No Malicious Activity.

Traps Exploit Prevention Modules (EPM)

1.  Exploit uses new, unknown technique.

2.  Required subsequent steps in the chain are still effectively prevented, so no malicious activity results.

Prevention of One Technique in the Chain will Block the Entire Attack

Exploit Prevention Case Study – Unknown Exploits Utilize Known Techniques

Each row lists the techniques the exploit chained together and the Traps EPM shown against them on the slide:

•  IE Zero Day CVE-2013-3893 ‘Deputy dog’: Heap Spray, DEP Circumvention, UASLR, ROP / Utilizing OS Function – ROP Mitigation / DLL Security

•  Adobe Reader CVE-2013-3346 ‘Uroburos’: Heap Spray – Memory Limit Heap Spray Check and Shellcode Preallocation; DEP Circumvention, UASLR, Utilizing OS Function – DLL Security

•  Adobe Flash CVE-2015-3010/0311 ‘Forbes.com’: ROP – ROP Mitigation; JiT Spray – J01; Utilizing OS Function – DLL Security; Memory Limit Heap Spray Check

Exploit Prevention – User Experience

When an Exploitation Attempt is Made, the Exploit Hits a Trap and Fails before Any Malicious Activity is Initiated

1. Infected document opened by unsuspecting user

2. Traps is seamlessly injected into processes

3. Exploit technique is attempted and blocked by Traps before any malicious activity is initiated

4. Traps reports the event and collects detailed forensics: the PDF process is terminated, forensic data is collected, and the user/admin is notified

EFFECTIVE MALWARE CONTROL

Attack flow: a user tries to open an executable file. Three layers are shown on the slide:

•  Restrictions and Executable Rules – examples: Child process? Restricted folder or device? Create suspend?

•  Hash Checked Against WildFire – unknown EXE is sent to WildFire for a verdict (benign or malicious)

•  Malware Technique Prevention Employed – example: Thread injection?

Malicious Execution Stopped

Attack Flow – Gameover Zeus

1. Attacker downloads Zeus to a Temp folder (%USERPROFILE%\AppData\Local\Temp).

2. The downloaded malware is not signed by a legitimate certificate issuer (UNSIGNED .exe).

3. Zeus attempts to inject its binary into the running system process “explorer.exe” in order to perform remote thread injection.

4. Once successful, Zeus seeks and finds banking credentials.

MALWARE PROTECTION – A multi-layered approach to malware prevention

§  Execution Restriction Module 1: Execution from Local\Temp
§  Execution Restriction Module 2: Unsigned Executables
§  Malware Technique Prevention Module: Thread Injection
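The layered decision the Gameover Zeus flow illustrates, as an added worked example (this is not Palo Alto Networks or Traps code): a small Python policy engine that evaluates constructed process-launch events in the order admin pre-set verdicts, execution restrictions (restricted folder, unsigned executable, child process of a document reader), local verdict cache, and finally a hash lookup against a stand-in table that plays the role of WildFire. The rule order, the lock-down flag, the restricted folder list, the parent-process list and every hash are assumptions made for the example.

```python
"""Toy model of a layered endpoint execution policy.

Added example; not Palo Alto Networks / Traps code. Rule order, rule names,
sample hashes and verdicts are constructed for illustration only.
"""
import hashlib
import ntpath
from dataclasses import dataclass

# Folders from which execution is restricted (assumed list). Compared as
# lower-case backslash segments so both "%USERPROFILE%\AppData\Local\Temp\x.exe"
# and "C:\Users\alice\AppData\Local\Temp\x.exe" match.
RESTRICTED_SEGMENTS = ("\\appdata\\local\\temp\\",)

# Parents that should not normally spawn executables (assumed list).
DOCUMENT_READERS = {"acrord32.exe", "winword.exe", "excel.exe", "outlook.exe"}

# Stand-in for the cloud hash verdict service. Constructed table: the hashes
# are of constructed byte strings, not of real samples.
CLOUD_VERDICTS = {
    hashlib.sha256(b"constructed malicious sample").hexdigest(): "malicious",
    hashlib.sha256(b"constructed benign tool").hexdigest(): "benign",
}


@dataclass(frozen=True)
class LaunchEvent:
    path: str      # full path of the executable being started
    parent: str    # image name of the parent process
    signed: bool   # True if the file carries a valid Authenticode signature
    sha256: str    # hex SHA-256 of the file contents


@dataclass(frozen=True)
class Decision:
    action: str    # "allow", "block" or "allow_and_inspect"
    rule: str      # the layer that produced the decision
    detail: str


def in_restricted_location(path: str) -> bool:
    """Case-insensitive check for a restricted folder segment in a Windows path."""
    norm = ntpath.normcase(path)  # lower-case, forward slashes become backslashes
    return any(seg in norm for seg in RESTRICTED_SEGMENTS)


class ExecutionPolicy:
    def __init__(self, admin_verdicts=None, lockdown=False):
        self.admin_verdicts = dict(admin_verdicts or {})  # hash -> "benign"/"malicious"
        self.local_cache = {}                              # hash -> verdict fetched earlier
        self.lockdown = lockdown                           # block unknown files instead of inspecting

    def evaluate(self, ev: LaunchEvent) -> Decision:
        # 1. Admin pre-set verdicts override every other layer.
        verdict = self.admin_verdicts.get(ev.sha256)
        if verdict is not None:
            return Decision("block" if verdict == "malicious" else "allow",
                            "admin_verdict", f"admin verdict {verdict}")

        # 2. Execution restrictions: no knowledge of the file contents needed.
        if in_restricted_location(ev.path):
            return Decision("block", "restricted_location", ev.path)
        if not ev.signed:
            return Decision("block", "unsigned_executable", ev.path)
        if ev.parent.lower() in DOCUMENT_READERS:
            return Decision("block", "child_process", f"spawned by {ev.parent}")

        # 3. Local verdict check: reuse a verdict already fetched for this hash.
        verdict = self.local_cache.get(ev.sha256)
        source = "local_cache"
        if verdict is None:
            # 4. Cloud verdict check. Unknowns are not cached, so they are re-checked.
            verdict = CLOUD_VERDICTS.get(ev.sha256, "unknown")
            source = "cloud_verdict"
            if verdict != "unknown":
                self.local_cache[ev.sha256] = verdict

        if verdict == "malicious":
            return Decision("block", source, ev.sha256[:12])
        if verdict == "benign":
            return Decision("allow", source, ev.sha256[:12])
        # 5. Unknown file: lock-down blocks until a verdict exists; otherwise it runs
        #    and is submitted for inspection.
        if self.lockdown:
            return Decision("block", "lockdown_unknown", ev.sha256[:12])
        return Decision("allow_and_inspect", "unknown_submit", ev.sha256[:12])


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed launch events that retrace the flow described on the slide.
ZEUS_LIKE = LaunchEvent(r"%USERPROFILE%\AppData\Local\Temp\update.exe", "explorer.exe",
                        signed=False, sha256=sha256_hex(b"constructed unknown dropper"))
UNSIGNED_DOWNLOAD = LaunchEvent(r"C:\Users\alice\Downloads\tool.exe", "explorer.exe",
                                signed=False, sha256=sha256_hex(b"constructed unknown dropper"))
READER_CHILD = LaunchEvent(r"C:\Windows\System32\cmd.exe", "AcroRd32.exe",
                           signed=True, sha256=sha256_hex(b"constructed benign tool"))
KNOWN_BAD = LaunchEvent(r"C:\Program Files\Vendor\app.exe", "explorer.exe",
                        signed=True, sha256=sha256_hex(b"constructed malicious sample"))
UNKNOWN_SIGNED = LaunchEvent(r"C:\Program Files\Vendor\new.exe", "explorer.exe",
                             signed=True, sha256=sha256_hex(b"constructed never seen"))

if __name__ == "__main__":
    policy = ExecutionPolicy()
    for ev in (ZEUS_LIKE, UNSIGNED_DOWNLOAD, READER_CHILD, KNOWN_BAD, KNOWN_BAD, UNKNOWN_SIGNED):
        d = policy.evaluate(ev)
        print(f"{d.action:18} {d.rule:20} {d.detail}")
```

Running the block shows the Temp-folder dropper stopped by the location restriction before any hash is consulted, the second launch of the known-bad file answered from the local cache, and the never-seen signed binary either submitted for inspection or, with `lockdown=True`, blocked outright, which is the behaviour the Activity 1 caveat refers to as endpoint lock-down.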

MALWARE PROTECTION

Traps Kill-Points Through the Attack Life Cycle

The slide lays the Traps modules over the stages of the attack life cycle (kill-points numbered 1–10 on the slide):

•  Delivery / Exploitation – Traps Exploit Protection (memory corruption, logic flaws): Exploitation Technique 1, 2 and 3; modules shown: Utilization of OS functions, JIT, Heap Spray

•  Download and Execute – Traps Malware Protection:
   •  WildFire Verdict Check (WildFire known verdict), WildFire Inspection (on-demand inspection; intelligence and emulation), Admin Pre-Set Verdicts, Local Verdict Check
   •  Execution Restriction 1, 2 and 3 (child process, unsigned executable, restricted location) – Advanced Execution Control
   •  Malicious Behavior Protection (thread injection – injection attempts blockage)

Scalable Architecture – Traps Architecture Leverages a Scalable Endpoint Security Manager (ESM)

Components shown on the slide: Endpoint Security Manager (ESM), ESM Server(s), Endpoints Running Traps, Forensic Folder(s), SIEM / External Logging, SMTP Alerting, and the WildFire Threat Intelligence Cloud (on premise and off premise).

3-Tier Management Structure

§  ESM Console
§  Database
§  ESM Servers (each supports 10,000 endpoints & scales horizontally)

Coverage and System Requirements

Supported Operating Systems

Workstations – Physical and Virtual
§  Windows XP SP3 (32-bit)
§  Windows Vista SP2
§  Windows 7
§  Windows 8 / 8.1
§  Windows 10

Servers – Physical and Virtual
§  Windows Server 2003 (+R2, 32-bit)
§  Windows Server 2008 (+R2)
§  Windows Server 2012 (+R2)

Footprint
§  25 MB RAM
§  0.1% CPU
§  No Scanning

Application Coverage
§  Default Policy: 100+ processes
§  Automatically detect new processes
§  Protect any application including in-house apps

Benefits

Business

§ Lower TCO

§ Zero-day prevention

§ Business continuity

Operations

§ Save time and money on forensics and remediation

§ Easy to manage, does not require frequent updates

IT

§ Install patches on your own schedule

§ Compatible with existing solutions

§ Minimal performance impact

Intelligence

§ Forensics & Wildfire integration

§ Attack-triggered forensics collection


The Value of an Integrated Platform


Natively Integrated – Extensible – Automated

Threat Intelligence Cloud
§  Gathers potential threats from network and endpoints
§  Analyzes and correlates threat intelligence
§  Disseminates threat intelligence to network and endpoints

Next-Generation Firewall
§  Inspects all traffic
§  Blocks known threats
§  Sends unknown to cloud
§  Extensible to mobile & virtual networks

Advanced Endpoint Protection (TRAPS)
§  Inspects all processes and files
§  Prevents both known & unknown exploits
§  Integrates with cloud to prevent known and unknown malware

Ultimate Test Drive (UTD) Hands-on Workshop

UTD-AEP-1.0

UTD Workshop Environment

Lab topology shown on the slide:

•  Management Network 10.30.21.0/24

•  Untrusted Network “CloudShare Network” / “Internet”

•  Attack Network 10.196.35.16/28

•  Hosts: Attacker Desktop, EndUser Desktop, ESM Server, Virtual FW

•  Addresses shown on the diagram: 10.30.21.101/24, 10.30.21.225/24, 10.30.21.211/24, 10.196.35.22/28, 10.196.35.25/28

Activity 0: Login to UTD Workshop


•  Cloudshare Class Link: https://use.cloudshare.com/Class/jrbve

•  Passphrase: Vince the Fragile GooseStudent

•  A copy of the student guide can be found on the desktop folder “UTD-Doc” in the EndUser Desktop VM

Activity 1: The Sophisticated Threat


Scenario: Your organization is a new target for a cyber campaign operated by state-sponsored threat actors. These threat actors have performed initial reconnaissance and identified you as the target within your organization. You receive a well-crafted targeted email that contains a weaponized document leveraging an unknown exploit.

Goals:

•  Take on the mantle of the targeted individual of a cyber campaign

•  Experience a spearphish attack and results of the successful attempt despite AV protection enabled

•  Control the compromised endpoint using njRAT

•  Understand the stages involved in an advanced cyberattack

Activity 1: Cyber Attack Life Cycle

Kill-points shown on the slide (numbered 1–8):

•  Delivery / Exploitation – Traps Exploit Protection (memory corruption, logic flaws): DLL Security, JIT; Exploitation Technique 1 and 2

•  Download and Execute Malware – Traps Malware Protection:
   •  WildFire Verdict Check (WildFire known verdict), WildFire Inspection (on-demand inspection; intelligence and emulation), Admin Pre-Set Verdicts, Local Verdict Check
   •  Execution Restriction 1, 2 and 3 (child process, restricted location, unsigned executable) – Advanced Execution Control
   •  Malicious Behavior Protection

Caveat

•  Low probability Adobe Reader may crash due to the nature of the PDF weaponization; proceed by double-clicking the PDF attachment again.

•  This exercise shows a weaponized document bypassing AV:
   •  However, the malware used will eventually be blocked if it is submitted and signature updates are turned on
   •  Due to the configured WildFire restriction policy (i.e. endpoint lock-down), users are encouraged to explore AV before moving to Activity 2.

Activity 2: Traps Introduction


Goals:

•  Prevent malicious pdf execution by enabling Traps

•  Review Traps prevention flow

•  Introduce ESM dashboards

Traps features:

•  ESM Policy

•  Traps Agent

•  ESM dashboards and alerts

Activity 3: Exploit Prevention


Goals:

•  Identify the first stage of a sophisticated attack

•  Experience how exploit techniques work in concert within the exploit chain

•  Gain insight into Exploit Prevention Modules targeting exploit techniques

Traps features:

•  Exploit Prevention Modules (EPM)
   •  DLL Security
   •  JIT Mitigation

Activity 3: Exploit Prevention Stage

(Diagram: Traps kill-points through the attack life cycle, the same diagram as in Activity 1, showing the exploit prevention stage.)

Activity 4: Malware Prevention


Goals:

•  Identify second stage of a sophisticated attack

•  Experience WildFire integration providing protection against unknown and known malware

•  Enable best-practice restrictions to limit and prevent malicious executable behavior

Traps features:

•  WildFire Validation and Inspection

•  Malware Restriction Policies
   •  Child process restriction
   •  Local folder execution restriction
   •  Unsigned process executable restriction

Activity 4: Malware Prevention Stage

(Diagram: Traps kill-points through the attack life cycle, the same diagram as in Activity 1, showing the malware prevention stage.)

Review: Traps Kill-Points Through the Attack Life Cycle

(Diagram: Traps kill-points through the attack life cycle, the same diagram as in Activity 1.)

Activity 5: Feedback on Ultimate Test Drive

•  Click on the “Survey” tab in the lab environment to access the online survey form

•  Please complete the survey and let us know what you think about this event

After today’s workshop,

•  Go: https://www.paloaltonetworks.com/products/endpoint-security.html

•  Watch: Introductory Video

•  Listen: Customer Testimony

•  Learn: Forrester Endpoint Thought Leadership – https://paloaltonetworks.com/resources/whitepapers.html

Questions?

READY – SET – GO GO GO!

Student Login Link

https://use.cloudshare.com/Class/1z7qv

Student Passphrase

Takumi the Mindful Wallaby

APPENDIX

•  Cloudshare issues: [email protected] or +1 (650) 331-3417