Protecting the corporation on the Palo Alto Networks platform (slide transcript)


Palo Alto Networks


dbatrankov@paloaltonetworks.com, twitter @batrankov


Drive-by download: Andromeda, Pony, Neutrino Exploit Kit

Cash-out channels: electronic wallets and payment systems, e.g. Yandex Money

Scale (slide labels lost in extraction): 52 ATMs; 50; 1; 2013-2014

References:
http://securityaffairs.co/wordpress/31405/cyber-crime/apt-anunak-steals-millions-from-banks.html
http://www.group-ib.com/files/Anunak_APT_against_financial_institutions.pdf

Methods of malware distribution (speaker notes, after the Group-IB Anunak report linked above): At the very beginning of their activity in 2013, lacking a target Trojan of their own, the attackers began to distribute Andromeda and Pony. They delivered this malware via drive-by downloads through a bundle of Neutrino Exploit Kit exploits. In parallel they used another infection method, which was one of the principal ones: sending emails with malicious attachments on behalf of the Central Bank of the Russian Federation. A further method was to install their own targeted malware through other malware that happened to be present in the local network. To find such malicious programs the group kept in touch with several owners of large botnets that mass-distribute their malware. The attackers bought from these botnet owners the IP addresses of computers on which the botnet malware was installed, then checked whether each IP address belonged to a financial or government institution. If the malware sat in a subnet of interest, the attackers paid the botnet owner to install their targeted malware. Such partnerships were established with the owners of the Zeus, Shiz and Ranbyus botnets; all of these are banking Trojans, and their use is explained by the previously established relationships.

Access to bank internal networks opens great opportunities for the attackers. One of them is access to ATMs from special network segments that should have been isolated. It is confirmed that this criminal group gained access to 52 ATMs. With that access, the attackers uploaded malicious scripts and changed the denominations of issued banknotes in the ATM operating system registry: for a request for 10 notes of 100 rubles the attackers received 10 banknotes of 5,000 rubles.

When the attackers had obtained control of the ATM management service (the attacker's goal), money was withdrawn directly from the ATM on the attacker's command. In this case the whole cash-out process consisted of a drop person standing near the ATM at the specified time with a bag to empty the dispenser. In addition to all the above methods, cash was also moved out through settlement systems, electronic wallets and payment systems such as WebMoney and Yandex Money. The average time from penetration of the financial institution's internal network to successful theft is 42 days.

---------------------------------------------------------Facts & Credits



Firewall 1.0: IPS (or IDS), top 10 (slide text lost in extraction)

Apps vs. ports (Applipedia count by port behaviour; category labels lost in extraction): 368 (18.5%) TCP/UDP; 352 (18%); 740 (37%); 11% unknown TCP/UDP



Which ports does MS Lync use? All of these:

1434 (UDP), 5060, 5061, 444, 135, 5062, 8057, 8058, 5063, 57501-65535, 80, 443, 8080, 4443, 8060, 8061, 5086, 5087, 5064, 5072, 5070, 5067, 5068, 5081, 5082, 5065, 49152-57500 (TCP/UDP), 5073, 5075, 5076, 5066, 5071, 8404, 5080, 448, 445, 881, 5041


Source address / destination address / TCP port 80 (slide text mostly lost): "port = application" (e.g. HTTP = 80) or "file type = vendor" (flash = Adobe) is an assumption, not an identification of the application.

DNS tunneling tools: tcp-over-dns, dns2tcp, Iodine, Heyoka, OzymanDNS, NSTX
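The tools above all carry data in the subdomain labels of queries to one attacker-controlled zone, so a firewall that simply allows UDP/53 never sees a "port" anomaly. The following is an added example, not code from the slides or from any Palo Alto Networks product: a small heuristic detector run over a constructed query log (client, qname, qtype per line). It groups queries by zone and scores the traits a tunnel produces: many unique subdomain prefixes, long prefixes, high character entropy (encoded payload), and record types that ordinary clients rarely ask for. The thresholds, the two-label zone grouping and the RARE_QTYPES set are assumptions chosen for illustration, not values from the deck.

```python
"""Heuristic DNS-tunnel detector over a constructed query log (added example)."""
import math
from collections import defaultdict

# Constructed sample log, one "client qname qtype" per line; not real traffic.
# The tun.example.net queries mimic what iodine/dns2tcp-style tools emit.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.7 api.example.com A
10.0.0.9 0a1f3e9c2b7d4e6f8a9b0c1d2e3f4a5b6c7d8e9f.t.tun.example.net TXT
10.0.0.9 1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c.t.tun.example.net TXT
10.0.0.9 9f8e7d6c5b4a39281706f5e4d3c2b1a0ffeeddcc.t.tun.example.net NULL
10.0.0.9 aabbccddeeff00112233445566778899aabbccdd.t.tun.example.net TXT
10.0.0.9 0123456789abcdef0123456789abcdef01234567.t.tun.example.net TXT
10.0.0.9 deadbeefcafef00d1234567890abcdef12345678.t.tun.example.net TXT
"""

# Assumption: record types a browser or mail client almost never queries directly.
RARE_QTYPES = {"TXT", "NULL"}


def shannon_entropy(s):
    """Bits per character; hex- or base32-encoded payload scores near log2(alphabet)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_zone(qname, labels=2):
    """Crude zone grouping on the last two labels (production code would use the public-suffix list)."""
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-labels:])


def parse_log(text):
    """Parse 'client qname qtype' lines into (client, qname, qtype) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, qname, qtype = line.split()
        records.append((client, qname.rstrip(".").lower(), qtype.upper()))
    return records


def score_zones(records, min_queries=5, min_avg_len=30, min_entropy=3.0, rare_ratio=0.5):
    """Return per-zone features; 'suspicious' is set only when all tunnel traits coincide."""
    per_zone = defaultdict(list)
    for _client, qname, qtype in records:
        per_zone[registered_zone(qname)].append((qname, qtype))
    out = {}
    for zone, qs in per_zone.items():
        # Everything left of the zone, e.g. "<hex>.t.tun" for "<hex>.t.tun.example.net".
        prefixes = [q[: -(len(zone) + 1)] if len(q) > len(zone) else "" for q, _ in qs]
        uniq = set(prefixes)
        avg_len = sum(len(p) for p in prefixes) / len(prefixes)
        avg_ent = sum(shannon_entropy(p.replace(".", "")) for p in prefixes) / len(prefixes)
        rare = sum(1 for _, t in qs if t in RARE_QTYPES) / len(qs)
        feats = {
            "queries": len(qs),
            "unique_prefixes": len(uniq),
            "avg_prefix_len": round(avg_len, 1),
            "avg_entropy": round(avg_ent, 2),
            "rare_qtype_ratio": round(rare, 2),
        }
        feats["suspicious"] = (
            len(uniq) >= min_queries
            and avg_len >= min_avg_len
            and avg_ent >= min_entropy
            and rare >= rare_ratio
        )
        out[zone] = feats
    return out


def detect_tunnels(log_text):
    """Sorted list of zones whose query pattern looks like a DNS tunnel."""
    return sorted(z for z, f in score_zones(parse_log(log_text)).items() if f["suspicious"])


if __name__ == "__main__":
    for zone, feats in score_zones(parse_log(SAMPLE_LOG)).items():
        print(zone, feats)
    print("tunnel candidates:", detect_tunnels(SAMPLE_LOG))
```

Requiring all four traits at once keeps CDNs and anti-spam lookups (many short, low-entropy A or TXT queries) out of the alert list; a real deployment would tune the thresholds on its own resolver logs and whitelist known high-volume zones before acting on the result.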


Which ports are open on your firewall? 80, 53, 21, 25

You can only see what you are looking for.

With a Palo Alto Networks Next Generation Firewall, it's like walking into a dark room and turning on the light. Complete visibility and control.

NGFW: 200-300

P2P file sharing, TOR, Bitcoin (other list items lost in extraction)

Web proxy: 200-300? (slide text lost in extraction)

HTTP port 80, HTTPS port 443, and everything else? A proxy sees HTTP and HTTPS only.

The list of applications and protocols supported by most proxies is limited to a handful of applications, such as web-based clients and media streaming. It is also limited to specific protocols, such as HTTP (port 80), HTTPS (port 443), and FTP (port 21).

While many applications are web-based by design and use ports 80 or 443, some very common applications, like Skype, BitTorrent, or Lync, are capable of dynamically seeking out and using any available port on the network. We have to remember there are 65,535 TCP and 65,535 UDP ports available on any host.

These port-hopping capabilities allow these applications to scale, be responsive, serve the needs of the user, and bypass the limited visibility and security technologies of proxy-based devices.

Along the same lines, proxies are limited in their ability to protect against evasive techniques used by tools such as open proxy servers (PHProxy or CGIProxy) or anonymizers such as Tor.


IPS/IDS and firewall

HTTP: port 80

Gartner: NGFW and IPS

Good? SSL

Bad? TDL-4, Poison Ivy, Rustock, APT1, Ramnit, Citadel, Aurora, BlackPOS

SSL, or HTTPS specifically, was always intended to be used for security. There are many applications that use SSL as a means of security.

But attackers are smart.

Here are some of the applications, as well as the threats that we see on the network, that use SSL as a means of hiding. Neither Tor nor UltraSurf belongs on your network.

APT1, the attack found by Mandiant; BlackPOS, the recent attack on the US retailer Target; Ramnit, a 2012 bot that resurfaced in 2014: all use SSL as a means of both privacy and hiding in plain sight.

The two faces of SSL present us with a challenge: how do you know?



Enterprise Network
Explain why customers have deployed all of these devices: the control that once existed in the firewall has eroded over time. UTMs exist for the sole purpose of consolidating devices to save money. UTMs suffer from performance issues, multiple policies, silo-based scanning, multiple databases, logs, etc. UTMs are all stateful-inspection based: they all make their first decision on port. This is not our value-add.



UTM architecture (diagram residue):
- Threat Inspection
- Anti-Virus / Proxy / AV Inspection
- Web Filtering / Policy / URL Inspection
- Packet Inspection Flow: stateful FW policy, port-based session, inspection
- L4 Session Table





2014 Palo Alto Networks. Proprietary and Confidential.

Palo Alto Networks

App-ID, User-ID, Content-ID + SSL decryption

Application / user / URL ... (slide text mostly lost); data plane and control plane are separate

200 ... (slide text lost in extraction)

Applications (App-ID) / users (User-ID) / content, including inside SSL/SSH (Content-ID)


Use case 1: allow file downloads from one HTTPS (or HTTP) web application and deny downloads from another, when both are published behind the same VIP (same IP and TCP port); DLP ... (rest of slide text lost in extraction)

No way with any firewall other than Palo Alto Networks ones to allow internal users to download files from a given web app and deny downloads on another web app if these apps live on the same web application server (same IP and TCP port).

Use case 2: lync-voice gets the gold CoS on company X's MPLS WAN (MPLS VPN). DSCP marking by application: mark only the lync-voice application with DSCP EF so it becomes gold CoS; lync-file-transfer stays in the best-effort CoS. Don't do that for lync-file-transfer.


Use case 3: company X's IT administrators use jabber, which would otherwise go over the MPLS VPN; instead it is steered onto the ADSL link. Policy-based forwarding by application (jabber, on any TCP port) and by source (IT administrators, identified by user or IP) to the ADSL router.

Any source address / any TCP port / router: ADSL

We're the only ones capable of PBF based on applications (jabber is in the PBF list).

Use case 4: the OracleWarehouse connector (En@gas) serves 300 sites over MPLS IP/VPN, each on its own TCP port (300 TCP ports). Instead of tracking ports, a custom App-ID identifies the application by the string en@gas:getServerParams in the TCP payload, in any TCP connection (any port).

Introducing the benefits of using custom TCP apps to avoid complex tracking of which servers host a given client-server application and on what port the application was bound.
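The point of the four use cases, and of the earlier port-hopping discussion, is that the application is identified from what is in the stream, not from the destination port. The following is an added example, not Palo Alto Networks code and not how App-ID is implemented: it classifies a set of constructed TCP flows twice, once by a port table and once by payload signatures, and counts where the two disagree. Only the en@gas:getServerParams string comes from the slide; the other signatures (HTTP request line, TLS handshake record, SSH banner, BitTorrent handshake), the port table and the sample flows are assumptions built for illustration.

```python
"""Port-based vs. payload-based application identification (added example)."""
import re

# "Legacy" port-based policy: assumed mapping, the kind a stateful firewall uses.
PORT_MAP = {80: "http", 443: "ssl", 22: "ssh", 1521: "oracle-db"}

# Payload signatures, checked in order against the first bytes of a flow.
# Only the en@gas string is from the slide; the rest are generic fingerprints.
SIGNATURES = [
    ("custom-oracle-warehouse", re.compile(rb"en@gas:getServerParams")),
    ("ssh", re.compile(rb"\ASSH-\d\.\d-")),
    ("ssl", re.compile(rb"\A\x16\x03[\x00-\x03]")),  # TLS record: handshake, version 3.x
    ("http", re.compile(rb"\A(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    ("bittorrent", re.compile(rb"\A\x13BitTorrent protocol")),
]

# Constructed flows (dst port, first client-to-server payload); not captured traffic.
FLOWS = [
    {"dport": 80, "payload": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"},
    {"dport": 443, "payload": b"\x16\x03\x01\x00\xf4\x01\x00\x00\xf0\x03\x03" + b"\x00" * 32},
    {"dport": 80, "payload": b"SSH-2.0-OpenSSH_6.6p1\r\n"},  # SSH hidden on the web port
    {"dport": 8443, "payload": b"\x16\x03\x03\x00\xc8\x01\x00\x00\xc4"},  # TLS off-port
    {"dport": 31337, "payload": b"\x00\x00\x00\x1aen@gas:getServerParams\x00v2"},  # custom app
    {"dport": 443, "payload": b"\x13BitTorrent protocol" + b"\x00" * 8},  # P2P on 443
    {"dport": 9000, "payload": b"\x01\x02\x03garbage"},  # nothing matches
]


def classify_by_port(dport):
    """What a port-based rule would call this flow."""
    return PORT_MAP.get(dport, "unknown-tcp")


def classify_by_payload(payload, max_bytes=256):
    """First signature that matches the leading bytes of the stream, else unknown-tcp."""
    head = payload[:max_bytes]
    for app, rx in SIGNATURES:
        if rx.search(head):
            return app
    return "unknown-tcp"


def classify_flows(flows):
    """(dport, port-based label, payload-based label, mismatch?) for every flow."""
    rows = []
    for f in flows:
        by_port = classify_by_port(f["dport"])
        by_payload = classify_by_payload(f["payload"])
        rows.append((f["dport"], by_port, by_payload, by_port != by_payload))
    return rows


def count_mismatches(flows):
    """How many flows a port-based policy would label differently from content inspection."""
    return sum(1 for row in classify_flows(flows) if row[3])


if __name__ == "__main__":
    for dport, by_port, by_payload, mismatch in classify_flows(FLOWS):
        flag = "  <-- port lied" if mismatch else ""
        print(f"dport={dport:<6} port-based={by_port:<12} payload-based={by_payload}{flag}")
    print("mismatches:", count_mismatches(FLOWS))
```

Two caveats a practitioner would add: signatures must be anchored to where the pattern really occurs (the TLS and SSH ones are anchored at offset 0, the en@gas string is searched within the first 256 bytes because the slide's connector frames it after a length prefix), and a matching port plus a matching signature is still only an identification, not a verdict; the allow/deny decision is the policy layered on top.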

Palo Alto Networks NGFW platforms

| Model | Firewall throughput | Threat prevention throughput | Sessions | Interfaces |
|---|---|---|---|---|
| PA-200 | 100 Mbps | 50 Mbps | 64,000 | 4 copper gigabit |
| PA-500 | 250 Mbps | 100 Mbps | 64,000 | 8 copper gigabit |
| (model name lost in extraction) | 4 Gbps | 2 Gbps | 500,000 | |
| PA-5020 | 5 Gbps | 2 Gbps | 1,000,000 | 8 SFP, 12 RJ-45 gigabit |
| PA-5050 | 10 Gbps | 5 Gbps | 2,000,000 | 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 RJ-45 gigabit |
| PA-5060 | 20 Gbps | 10 Gbps | 4,000,000 | 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 RJ-45 gigabit |