Traps VS. Cryptolocker Steinar Aandal-Vanger Westcon Security

How do you stop CryptoLocker?


Page 1: How do you stop CryptoLocker?

Traps vs. Cryptolocker

Steinar Aandal-Vanger, Westcon Security

Page 2

Who are we?

Steinar Aandal-Vanger

Has worked with Palo Alto Networks since 2009; Palo Alto Networks instructor.

Has taught Palo Alto courses in Norway and Iceland for the last 5 years.

Has worked with IT security products since 1999, including Ironport, Check Point, Juniper, RSA Security, TippingPoint, SourceFire and others.

Westcon Security: distributor of IT security products in Norway

- Palo Alto Networks
- Juniper
- F5
- Arbor, Infoblox, HP Enterprise and others

2 | © 2015, Palo Alto Networks. Confidential and Proprietary.

Page 3

Agenda

• Traps – Advanced Endpoint protection

• Ransomware

• Traps: Exploit and Malware prevention

• Prevention Stages

Page 4

Is Real-Time, Automatic Prevention of Attacks that Exploit Unknown and Zero-Day Vulnerabilities Possible?

Page 5

Palo Alto Networks Security Platform: Natively Integrated, Extensible, Automated

Platform diagram: Next-Generation Firewall, Advanced Endpoint Protection (Traps) and the WildFire Threat Intelligence Cloud; unknown files are sent to WildFire and the verdict is queried back.

Page 6

What is the Best Approach to Preventing Attacks? Anatomy of a Targeted Attack

Attack-chain diagram: Plan the Attack (Gather Intelligence) → Silent Infection (Leverage Exploit) → Malware Communicates with Attacker (Control Channel) → Malicious File Executed (Execute Malware) → Data Theft, Sabotage, Destruction (Steal Data).

Page 7

Same attack-chain diagram, annotated with Potential Impact.

Page 8

Same attack-chain diagram, annotated with Traps Prevention.

Page 9

Exploits vs. Malicious Executables

Exploit
- Malformed data file
- Processed by a legitimate application
- Exploits a vulnerability in the legitimate application to allow the attacker to execute code
- Small payload
- Examples: weaponized PDF files & Flash videos

Malicious Executable
- Malicious code
- Does not rely on application vulnerabilities
- Contains executable code
- Aims to control the machine
- Large payload
- Examples: ransomware, fake AV

Page 10

Same comparison, with the coverage of “Next Gen” Anti-Malware Solutions, Signature-based AV and Palo Alto Networks Traps overlaid.

Page 11

Ransomware, Cryptolocker etc…

1: Infect System with Malware
2: Restrict Access to System/Data
3: Profit!

Page 12

Via Website

1. User visits compromised website
2. Exploit Kit silently exploits client-side vulnerability
3. Drive-by download of malicious payload
4. System infected, attacker has full access to steal data

Page 13

Via eMail

Attacker → Target: Spear Phishing Email → Exploit Document → Backdoor Trojan → Backdoor Access

Page 14

Page 15

$300-500

Page 16

The 3 Core Capabilities of Advanced Endpoint Protection

1. Prevents Exploits, including unknown & zero-day exploits

Page 17

The 3 Core Capabilities of Advanced Endpoint Protection (adds capability 2)

2. Prevents Malicious Executables, including unknown & advanced malware

Page 18

The 3 Core Capabilities of Advanced Endpoint Protection (adds capability 3)

3. Highly-Scalable, Integrated Security Platform, for data exchange & cross-organization protection

Page 19

Prevent Exploits

Number of New Variants Each Year*
- Individual Attacks (Software Vulnerability Exploits): +10,000s
- Core Techniques (Exploitation Techniques): < 3

*Source: CVEDetails.com

Block the Core Techniques – Not the Individual Attacks

Page 20

Exploit technique prevention

1. A document is opened by the user.
2. Traps engines seamlessly inject traps into the software that opens the file.
3. The process is protected. Traps performs NO scanning and NO monitoring (CPU < 0.1%).
4. In case of an exploitation attempt, the exploit hits a “trap” and fails; the attack is blocked before any malicious activity is initiated.
5. Traps triggers immediate actions: the process is terminated, forensic data is collected, the user/admin is notified. Safe!

Page 21

Exploit Techniques - Example

Normal Application Execution → Heap Spray → ROP → Utilizing OS Function → Begin Malicious Activity (activate key logger, steal critical data, more…). Gaps Are Vulnerabilities.

Exploit Attack
1. Exploit attempt contained in a PDF sent by a “known” entity.
2. PDF is opened and exploit techniques are set in motion to exploit a vulnerability in Acrobat Reader.
3. Exploit evades AV and drops a malware payload onto the target.
4. Malware evades AV, runs in memory.

Page 22

Exploit Techniques

Normal Application Execution → Heap Spray, blocked by Traps EPM → No Malicious Activity.

Exploit Attack: the same four steps as on page 21.

Traps Exploit Prevention Modules (EPM)
1. Exploit attempt blocked. Traps requires no prior knowledge of the vulnerability.

Page 23

Exploit Techniques - Unknown Technique

Normal Application Execution → Unknown Exploit Technique (succeeds) → ROP, blocked by Traps EPM → No Malicious Activity.

Exploit Attack: the same four steps as on page 21.

Traps Exploit Prevention Modules (EPM)
1. Exploit attempt blocked. Traps requires no prior knowledge of the vulnerability.
2. If there is a new technique it will succeed, but the next one will be blocked, still preventing malicious activity.

Page 24

Exploit Prevention Case Study: Unknown Exploits Utilize Known Techniques

IE Zero Day (CVE-2013-3893)
- Techniques: Heap Spray, DEP Circumvention, UASLR, ROP / Utilizing OS Function
- Traps modules: DLL Security, ROP Mitigation / DLL Security

Adobe Reader (CVE-2013-3346)
- Techniques: Heap Spray, DEP Circumvention, UASLR, Utilizing OS Function
- Traps modules: Memory Limit Heap Spray Check and Shellcode Preallocation, DLL Security

Adobe Flash (CVE-2015-3010/0311)
- Techniques: ROP, JiT Spray, Utilizing OS Function, Heap Spray
- Traps modules: ROP Mitigation, J01, DLL Security, Memory Limit Heap Spray Check

Page 25

Prevent Malicious Executables

Advanced Execution Control
- Reduce surface area of attack. Control execution scenarios based on file location, device, child processes, unsigned executables.
- Local hash control allows for granular system hardening.

WildFire Inspection and Analysis
- Dynamic analysis with cloud-based threat intelligence.

Malware Techniques Mitigation
- Prevent unknown malware with technique-based mitigation (example: Thread Injection).

Page 26

The Right Way to Prevent Malicious Executables

1. User tries to open an executable file (EXE).
2. Restrictions and executable rules are applied. Examples: Child Process? Restricted Folder or Device?
3. Hash checked against WildFire: Benign, Malicious, or Unknown? Unknown files go to WildFire for inspection.
4. Malware technique prevention employed. Examples: Thread Injection? Create Suspend?
5. On any hit: Execution Stopped, ESM forensics collected. Otherwise: Safe!

Page 27

Traps Malware Protection
- Utilization of OS functions
- JIT
- Heap Spray
- Child Process
- Suspend Guard
- Unsigned Executable
- Restricted Location
- Admin Pre-Set Verdicts
- Wildfire Known Verdict
- On Demand Inspection
- Injection Attempts Blockage

Example: CryptoLocker Traps Kill-Points Through the Attack Life Cycle

Delivery → Exploitation (Memory Corruption, Logic Flaws): Exploitation Technique 1, 2, 3 are kill-points 1-3, covered by Traps Exploit Protection.

Download and Execute: Execution Restriction 1, 2, 3; Local Verdict Check; Wildfire Verdict Check; Wildfire Inspection (verdict: Malicious) are kill-points 4-9, covered by Advanced Execution Control and Intelligence and Emulation.

Thread Injection is kill-point 10, covered by Malicious Behavior Protection.
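The execution-control flow of pages 25-27 (restrictions and executable rules first, then the hash verdict check, then malware technique prevention on the running process) written out as an added Python model. This is example code, not Traps or Palo Alto Networks code: the policy values, the LaunchEvent fields, the FakeWildFire stand-in for the cloud verdict lookup and the five constructed launch events are all assumptions. An unknown verdict is handled the way the slide's flow does it: the hash is submitted for inspection and the process continues only under the technique guards.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    BENIGN = "benign"
    MALICIOUS = "malicious"
    UNKNOWN = "unknown"


@dataclass
class LaunchEvent:
    """One attempt to start an executable (constructed input, not a real agent record)."""
    path: str                 # full path of the file being launched
    parent: str               # image name of the parent process
    signed: bool              # Authenticode signature present and valid
    content: bytes            # file bytes, hashed for the verdict lookups
    from_removable: bool = False
    create_suspended: bool = False  # parent created it suspended (injection precursor)


@dataclass
class Policy:
    """Admin-configured restrictions; all values are hypothetical."""
    restricted_folders: tuple = ("\\appdata\\local\\temp\\", "\\downloads\\")
    block_unsigned: bool = True
    block_removable: bool = True
    no_child_parents: frozenset = frozenset({"winword.exe", "acrord32.exe", "outlook.exe"})
    local_verdicts: dict = field(default_factory=dict)  # sha256 -> Verdict (admin pre-set)


class FakeWildFire:
    """Stand-in for the cloud verdict service: a hash table plus a submission queue."""
    def __init__(self, known):
        self.known = dict(known)
        self.submitted = []

    def query(self, digest):
        return self.known.get(digest, Verdict.UNKNOWN)

    def submit(self, digest):
        self.submitted.append(digest)


@dataclass
class Decision:
    allowed: bool
    stage: str    # "restriction" | "verdict" | "technique" | "allowed"
    reason: str


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def evaluate(event, policy, wildfire):
    """Walk the three stages in the slide's order; the first failing check stops execution."""
    path = event.path.lower()
    # Stage 1: restrictions and executable rules (reduce the attack surface).
    if any(folder in path for folder in policy.restricted_folders):
        return Decision(False, "restriction", "restricted folder: " + event.path)
    if policy.block_removable and event.from_removable:
        return Decision(False, "restriction", "launched from removable device")
    if event.parent.lower() in policy.no_child_parents:
        return Decision(False, "restriction", "child process of " + event.parent)
    if policy.block_unsigned and not event.signed:
        return Decision(False, "restriction", "unsigned executable")
    # Stage 2: hash checked against admin pre-set verdicts, then the cloud.
    digest = sha256_hex(event.content)
    verdict = policy.local_verdicts.get(digest)
    if verdict is None:
        verdict = wildfire.query(digest)
    if verdict is Verdict.MALICIOUS:
        return Decision(False, "verdict", "known malicious hash " + digest[:12])
    if verdict is Verdict.UNKNOWN:
        wildfire.submit(digest)  # on-demand inspection; technique guards still apply below
    # Stage 3: malware technique prevention on the running process.
    if event.create_suspended:
        return Decision(False, "technique", "suspend guard: created suspended by " + event.parent)
    return Decision(True, "allowed", "verdict " + verdict.value)


def run_demo():
    """Five constructed launch events, one per kill-point; returns ({name: Decision}, wildfire)."""
    good = b"MZ constructed benign installer"
    bad = b"MZ constructed malicious dropper"
    fresh = b"MZ constructed never-seen binary"
    policy = Policy(local_verdicts={sha256_hex(bad): Verdict.MALICIOUS})
    wildfire = FakeWildFire({sha256_hex(good): Verdict.BENIGN})
    events = {
        "signed_known_good": LaunchEvent(r"C:\Program Files\Vendor\setup.exe", "explorer.exe", True, good),
        "temp_folder": LaunchEvent(r"C:\Users\bob\AppData\Local\Temp\invoice.exe", "explorer.exe", True, good),
        "spawned_by_word": LaunchEvent(r"C:\Windows\System32\cmd.exe", "WINWORD.EXE", True, good),
        "admin_blocked_hash": LaunchEvent(r"C:\Tools\update.exe", "explorer.exe", True, bad),
        "unknown_suspended": LaunchEvent(r"C:\Tools\helper.exe", "svchost.exe", True, fresh,
                                         create_suspended=True),
    }
    return {name: evaluate(ev, policy, wildfire) for name, ev in events.items()}, wildfire


if __name__ == "__main__":
    decisions, wf = run_demo()
    for name, d in decisions.items():
        print(f"{name:20s} allowed={str(d.allowed):5s} stage={d.stage:12s} {d.reason}")
    print("submitted to cloud:", len(wf.submitted))
```

The order of the stages is the point: the cheap, knowledge-free rules (location, parent, signature) run before any hash lookup, so a dropper that lands in a temp folder or is spawned by a document reader never reaches the verdict stage, and a file the cloud has never seen is still stopped if it exhibits a blocked technique.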

Page 28

Exploit Prevention Notification

Page 29

End User Alert: Wildfire

Page 30

End User Alert: Unsigned Execution

Page 31

End User Alert: Suspend Guard

Page 32

Traps Prevention Screen on ESM Console

Page 33

Traps System Requirements, Footprint, and Coverage

Supported Operating Systems
- Workstations – Physical and Virtual: Windows XP SP3, Windows Vista SP2, Windows 7, Windows 8 / 8.1, Windows 10
- Servers – Physical and Virtual: Windows Server 2003 32 bit, Windows Server 2008 (+R2), Windows Server 2012 (+R2)

Footprint
- 25 MB RAM, 0.1% CPU, No Scanning

Application Coverage
- Default Policy: 100+ processes
- Automatically detects new processes
- Can extend protection to any application, including in-house developed apps.

Page 34

Highly-Scalable, Integrated Security Platform

- Architecture: Scalability; Ease of security administration
- Operational Capabilities: Footprint; Performance Impact
- Platform Coverage: Physical systems; Virtual systems
- Threat Intelligence: Integrated threat intelligence; Threat data sharing

Page 35

Traps Benefits

- Prevent Zero Day Vulnerabilities and Unknown Malware
- Install Patches on Your Own Schedule
- Protect ANY Application From Exploits
- Minimal Performance Impact
- Save Time and Money
- Signature-less, No Frequent Updates
- Network and Cloud integration

Page 36

Palo Alto Networks Security Platform: Natively Integrated, Extensible, Automated

Same platform diagram as page 5: Next-Generation Firewall, Advanced Endpoint Protection (Traps) and the Threat Intelligence Cloud; unknown files are sent up and the verdict is queried back.

Page 37

Next steps

Ultimate Test Drive (UTD): you get hands-on experience using TRAPS in a group of 6-10 people. Our instructor guides you through various configuration examples.

Demo in your own network: if you are already convinced that TRAPS may be right for you, we can come to you and install a live test in your own network.

Both activities are free of charge.

Contact [email protected] for more information. Add Subject: "Jeg vil være med på kostnadsfri UTD" (I want to join a free UTD) or Subject: "Jeg vil ha kostnadsfri TRAPS-demo i eget nettverk." (I want a free TRAPS demo in my own network).

Page 38

Thank you

Steinar Aandal-Vanger, Westcon Security, 47 9189 8832