How do you stop CryptoLocker?
Transcript of How do you stop CryptoLocker?
Traps vs. Cryptolocker
Steinar Aandal-Vanger, Westcon Security
Who are we?
Steinar Aandal-Vanger
Has worked with Palo Alto Networks since 2009; Palo Alto Networks instructor
Has taught Palo Alto courses for the last 5 years in Norway and Iceland
Has worked with IT security products since 1999, including Ironport, Check Point, Juniper, RSA Security, TippingPoint, SourceFire and others
Westcon Security - distributor of IT security products in Norway
- Palo Alto Networks - Juniper - F5 - Arbor, Infoblox, HP Enterprise and others
2 | © 2015, Palo Alto Networks. Confidential and Proprietary.
Westcon Security
Agenda
• Traps – Advanced Endpoint Protection
• Ransomware
• Traps: Exploit and Malware prevention
• Prevention Stages
Is Real-Time, Automatic Prevention of Attacks that Exploit Unknown and Zero-Day Vulnerabilities Possible?
Palo Alto Networks Security Platform
Natively Integrated, Extensible, Automated
• Next-Generation Firewall
• Advanced Endpoint Protection (TRAPS)
• WildFire Threat Intelligence Cloud
Traps ↔ WildFire: unknown files are submitted to the cloud; Traps queries it for a verdict.
What is the Best Approach to Preventing Attacks? Anatomy of a Targeted Attack
1. Plan the Attack: gather intelligence
2. Silent Infection: leverage exploit
3. Malware Communicates with Attacker: control channel
4. Malicious File Executed: execute malware
5. Data Theft, Sabotage, Destruction: steal data
Diagram overlays: Potential Impact (grows through the stages); Traps Prevention (where Traps stops the chain).
Exploits vs. Malicious Executables
Exploit:
• Malformed data file processed by a legitimate application
• Exploits a vulnerability in the legitimate application to allow the attacker to execute code
• Small payload
• Examples: weaponized PDF files & Flash videos
Malicious Executable:
• Malicious code that does not rely on application vulnerabilities
• Contains executable code; aims to control the machine
• Large payload
• Examples: ransomware, fake AV
Comparison: “Next Gen” Anti-Malware Solutions, Signature-based AV, Palo Alto Networks Traps
Ransomware, Cryptolocker etc.
1: Infect system with malware
2: Restrict access to system/data
3: Profit!
Via Website
1. User visits compromised website
2. Exploit kit silently exploits client-side vulnerability
3. Drive-by download of malicious payload
4. System infected, attacker has full access to steal data
Via eMail
Attacker → Target: spear phishing email → exploit document → backdoor Trojan → backdoor access
$300-500
The 3 Core Capabilities of Advanced Endpoint Protection
1. Prevents Exploits, including unknown & zero-day exploits
2. Prevents Malicious Executables, including unknown & advanced malware
3. Highly-Scalable, Integrated Security Platform, for data exchange & cross-organization protection
Prevent Exploits
Number of New Variants Each Year
• Individual attacks (software vulnerability exploits): +10,000s
• Core techniques (exploitation techniques): < 3
*Source: CVEDetails.com
Block the Core Techniques – Not the Individual Attacks
Exploit technique prevention
1. A document is opened by the user.
2. Traps engines seamlessly inject traps into the software that opens the file.
3. The process is protected. Traps perform NO scanning and NO monitoring (CPU < 0.1%).
4. In case of an exploitation attempt, the exploit hits a “trap” and fails before any malicious activity is initiated. The attack is blocked before any malicious activity initiation.
5. Traps triggers immediate actions: the process is terminated, forensic data is collected, user/admin is notified. Safe!
Exploit Techniques - Example
Exploit Attack:
1. Exploit attempt contained in a PDF sent by a “known” entity.
2. PDF is opened and exploit techniques are set in motion to exploit a vulnerability in Acrobat Reader.
3. Exploit evades AV and drops a malware payload onto the target.
4. Malware evades AV, runs in memory.
Chain shown: Normal Application Execution → Heap Spray → ROP → Utilizing OS Function → Begin Malicious Activity (activate key logger, steal critical data, more…). Gaps are vulnerabilities.
Exploit Techniques - Traps Exploit Prevention Modules (EPM)
Chain shown: Normal Application Execution → Heap Spray → Traps EPM → No Malicious Activity.
1. Exploit attempt blocked. Traps requires no prior knowledge of the vulnerability.
Exploit Techniques - Unknown Technique
Chain shown: Normal Application Execution → Unknown Exploit Technique → ROP → Traps EPM → No Malicious Activity.
1. Exploit attempt blocked. Traps requires no prior knowledge of the vulnerability.
2. If there is a new technique it will succeed, but the next one will be blocked, still preventing malicious activity.
Exploit Prevention Case Study: Unknown Exploits Utilize Known Techniques
• IE Zero Day, CVE-2013-3893
Techniques: Heap Spray, DEP Circumvention, UASLR, ROP/Utilizing OS Function
Traps EPMs: DLL Security, ROP Mitigation/DLL Security
• Adobe Reader, CVE-2013-3346
Techniques: Heap Spray, DEP Circumvention, UASLR, Utilizing OS Function
Traps EPMs: Memory Limit Heap Spray Check and Shellcode Preallocation, DLL Security
• Adobe Flash, CVE-2015-3010/0311
Techniques: ROP, JiT Spray, Utilizing OS Function
Traps EPMs: ROP Mitigation, J01, DLL Security, Memory Limit Heap Spray Check
Prevent Malicious Executables
• Advanced Execution Control: reduce the surface area of attack. Control execution scenarios based on file location, device, child processes and unsigned executables. Local hash control allows for granular system hardening.
• WildFire Inspection and Analysis: dynamic analysis with cloud-based threat intelligence.
• Malware Techniques Mitigation: prevent unknown malware with technique-based mitigation (example: thread injection).
The Right Way to Prevent Malicious Executables
1. User tries to open an executable file (EXE).
2. Restrictions and executable rules. Examples: child process? restricted folder or device? create-suspend? Covers unsigned executables, restricted locations, child processes and Suspend Guard.
3. Hash checked against WildFire. Examples: admin pre-set verdicts, WildFire known verdict. Unknown? On-demand inspection by WildFire, returning benign or malicious.
4. Malware technique prevention employed. Examples: thread injection? Blocks injection attempts, utilization of OS functions, JIT and heap spray.
5. Malicious: execution stopped, ESM forensics collected. Otherwise: Safe!
Traps Malware Protection
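A simplified model of the execution-control decision flow above, added here as an illustration; it is not Traps code. The rule set, hash verdict tables and sample paths are constructed, and a dictionary stands in for the WildFire lookup.

```python
# Model of the slide's order of checks: restrictions/executable rules first,
# then local admin verdicts, then the cloud's known verdicts, then "unknown".
# Added illustration, not Palo Alto Networks Traps code. All policy inputs
# below are constructed for the example.
from dataclasses import dataclass
from pathlib import PureWindowsPath

RESTRICTED_DIRS = (r"C:\Users\Public\Downloads", r"C:\Windows\Temp")
REMOVABLE_DRIVES = ("E:", "F:")
PROTECTED_PARENTS = ("winword.exe", "acrord32.exe", "outlook.exe")
# Local hash control (admin pre-set verdicts) takes precedence over the cloud.
ADMIN_VERDICTS = {"aaaa1111": "benign", "cccc3333": "malicious"}
CLOUD_VERDICTS = {"bbbb2222": "malicious", "cccc3333": "benign"}  # stand-in for WildFire


@dataclass
class ExecRequest:
    path: str      # where the EXE lives
    sha256: str    # constructed short hash stand-in
    signed: bool   # Authenticode signature present and valid
    parent: str    # process that requested the execution


def evaluate(req: ExecRequest) -> tuple[str, str]:
    """Return (decision, reason) for an execution attempt."""
    p = PureWindowsPath(req.path)
    # 1. Restrictions and executable rules: decided before any hash lookup.
    if p.drive.upper() in REMOVABLE_DRIVES:
        return "block", "restricted device"
    if any(str(p).lower().startswith(d.lower()) for d in RESTRICTED_DIRS):
        return "block", "restricted folder"
    if req.parent.lower() in PROTECTED_PARENTS:
        return "block", f"child process of {req.parent}"
    if not req.signed:
        return "block", "unsigned executable"
    # 2. Local admin verdict, falling back to 3. the cloud's known verdict.
    verdict, source = ADMIN_VERDICTS.get(req.sha256), "admin verdict"
    if verdict is None:
        verdict, source = CLOUD_VERDICTS.get(req.sha256), "cloud verdict"
    if verdict == "malicious":
        return "block", f"known malicious hash ({source})"
    if verdict == "benign":
        return "allow", f"known benign hash ({source})"
    # 4. Unknown hash: submit for inspection and run under technique prevention.
    return "allow-monitored", "unknown hash: on-demand inspection, injection guard"


if __name__ == "__main__":
    print(evaluate(ExecRequest(r"C:\Program Files\App\app.exe", "dddd4444", True, "explorer.exe")))
```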
Example: CryptoLocker – Traps Kill-Points Through the Attack Life Cycle
Phases: Delivery → Exploitation (memory corruption, logic flaws) → Download and Execute
Traps Exploit Protection:
1. Exploitation Technique 1
2. Exploitation Technique 2
3. Exploitation Technique 3
Advanced Execution Control:
4. Execution Restriction 1
5. Execution Restriction 2
6. Execution Restriction 3
7. Local Verdict Check
8. Wildfire Verdict Check
9. Wildfire Inspection (intelligence and emulation; verdict: malicious)
Malicious Behavior Protection:
10. Thread Injection
Exploit Prevention Notification
End user alerts: WildFire, unsigned execution, Suspend Guard.
Traps prevention screen on the ESM console.
Traps System Requirements, Footprint, and Coverage
Supported Operating Systems:
• Workstations – physical and virtual: Windows XP SP3, Windows Vista SP2, Windows 7, Windows 8 / 8.1, Windows 10
• Servers – physical and virtual: Windows Server 2003 32 bit, Windows Server 2008 (+R2), Windows Server 2012 (+R2)
Footprint: 25 MB RAM, 0.1% CPU, no scanning
Application Coverage: default policy covers 100+ processes; automatically detects new processes; can extend protection to any application, including in-house developed apps.
Highly-Scalable, Integrated Security Platform
• Architecture: scalability, ease of security administration
• Operational capabilities: footprint, performance impact
• Platform coverage: physical systems, virtual systems
• Threat intelligence: integrated threat intelligence, threat data sharing
Traps Benefits
• Prevent zero-day vulnerabilities and unknown malware
• Install patches on your own schedule
• Protect ANY application from exploits
• Minimal performance impact
• Save time and money
• Signature-less: no frequent updates
• Network and cloud integration
Next steps
Ultimate Test Drive (UTD): You get hands-on experience using TRAPS in a group of 6-10 people. Our instructor guides you through various configuration examples.
Demo in your own network: If you are already convinced that TRAPS may be right for you, we can come to you and install a live test in your own network.
Both activities are free of charge.
Contact [email protected] for more information. Add Subject: "I want to join the free UTD" or Subject: "I want a free TRAPS demo in my own network."
Thank you
Steinar Aandal-Vanger, Westcon Security, 47 9189 8832