ADVANCED ENDPOINT PROTECTION FOR DUMMIES




These materials are © 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
Advanced Endpoint Protection
Palo Alto Networks Special Edition
by Lawrence Miller, CISSP


Chapter 1
Exploits and Malware
In This Chapter
Taking a look at cybercrime
Targeting exploits and vulnerabilities
Understanding how malware is used in an attack
Learning about bots and botnets
Examining real‐world threats to the enterprise

Today’s threats are more sophisticated than ever before. All types of organizations and information are being targeted. Attackers exploit vulnerabilities in software and use malware to further their attack objectives.
In this chapter, you get an overview of the modern threat landscape and learn about exploits, malware, and other real‐world threats.
Surveying the Threat Landscape
Cybercrime is big business. By many estimates, cybercrime is now a US$1 trillion industry. Every organization with digital assets is vulnerable to attack, and the growing sophistication of cybercriminals and their evolving tactics only increases the chance of a security breach involving the theft of sensitive data.
Highly publicized data breaches at large corporations expose gaps in cyberdefense and prevention in companies of all sizes. In 2014, nearly half (43 percent) of U.S. companies surveyed in a study by the Ponemon Institute experienced a data breach involving the loss or theft of more than 1,000 records — up more than 10 percent from 2013.
Criminals are executing sophisticated attacks on global organizations with alarming regularity in order to obtain confidential information, steal trade secrets, or disrupt business operations. It’s clear that businesses must do more to protect against these advanced cyberthreats.
For the past decade, technology approaches to securing organizations have stood still, while adversaries continue to find clever new ways to bypass traditional defenses. Despite substantial investments made in securing their networks, many organizations still find themselves vulnerable and unable to defend against cyberattacks.
Legacy techniques are proving inadequate because they generally only provide alerts on threats and take a detection‐focused approach, which requires manual intervention or costly incident response (IR) services after a breach occurs. But more importantly, these legacy security solutions are made up of a patchwork of point products that not only lack the capability to protect against all threat vectors, but also make it very difficult to coordinate and share intelligence among the various security solutions. For example, if sandboxing hardware detects an unknown threat, it won’t automatically share protection data with intrusion prevention systems (IPSs) and endpoint agents, leaving the organization defenseless against multidimensional attacks. The detection‐focused approach fails to empower IT and cybersecurity professionals to defend their enterprises.
Many experts believe the problem will only get worse. For example, widely used older software such as Windows XP, which stopped receiving patches and security updates, leaves many organizations vulnerable to newly discovered exploits. Similarly, the Windows Server 2003 End of Support (EOS) in July 2015 also leaves businesses vulnerable to major security and compliance risks. And finally, businesses are increasingly adopting new trends and technologies such as cloud services, bring your own device (BYOD), and the Internet of Things (IoT), but these trends and technologies also create new opportunities for attackers to breach connected devices and infiltrate enterprise organizations.
Businesses can’t afford to keep investing in fragmented, detection‐focused products in their efforts to keep pace with the rapidly evolving threat landscape. Effective cyberdefense must withstand changes to adversaries’ tactics and tools that traditional, nonintegrated approaches can’t address. It must protect against advanced known threats, as well as unknown threats, which can be challenging to address with legacy security solutions.
Exploits and Vulnerabilities
A vulnerability is a bug or flaw that exists in software and creates a security risk that may be exploited by an attacker. The attacker crafts an exploit that targets the vulnerable software, essentially fooling the vulnerable software into performing functions or running code of the attacker’s choice.
Exploits can be embedded in seemingly innocuous data files, such as Microsoft Word documents, PDFs, and web pages. Or they can be launched over the network to target vulnerable services. The fact that exploits often come in the form of seemingly legitimate files that don’t trigger antivirus software makes these threats extremely dangerous.
Exploits are the preferred malware delivery vehicle for modern attackers because they eliminate the need to rely on social engineering to trick a user into running an executable file.
Crafting exploit data files is a two‐part process. The first step is to embed a small piece of malicious code within the data file. Execution of this code will establish the attacker’s communication with the victim machine and provide the capability to download additional malware.
However, embedding malicious code isn’t enough. The attacker still has to fool the application into actually running that code. Thus, the second part of the exploit typically involves memory corruption techniques that allow the attacker’s code to be inserted into the execution flow of the vulnerable software. Once that happens, a legitimate application, such as a document viewer or web browser, will perform actions on behalf of the attacker. Because the application being exploited is a legitimate application, antivirus and whitelisting software have virtually no effectiveness against these attacks.
Vulnerabilities are discovered in software at an alarming rate. Vulnerabilities may exist in software when the software is initially developed and released, or vulnerabilities may be inadvertently created, or even reintroduced, when subsequent version updates or security patches are installed.
According to surveys by Palo Alto Networks, when it comes to endpoint security, organizations are most worried about zero‐day exploits. Furthermore, they indicate that their existing endpoint solutions do little to prevent such threats without first receiving a product update.
Security patches are usually developed by software vendors as quickly as possible after a vulnerability has been discovered in their software. However, an attacker may learn of a vulnerability and begin exploiting it before the software vendor is aware of the vulnerability or has an opportunity to develop a patch. This is known as a zero‐day exploit. It may be months or years before a vulnerability is announced publicly. After a security patch becomes available, it inevitably takes time for organizations to properly test and deploy the patch on all affected systems. During this time, a system running the vulnerable software is at risk of being exploited by an attacker.
Patch management is merely an after‐the‐fact remedy for a risk that has likely been in place for a long period of time.
Understanding the Role of Malware
Attack techniques have evolved and malware now plays a role in an attacker’s arsenal and in the life cycle of an attack. Attackers have developed new methods for delivering malware (such as exploits or drive‐by‐downloads), hiding malware communications (with encryption), and avoiding traditional signature‐based detection.
Malware is malicious software or code that typically damages or disables, takes control of, or steals information from a computer system. Malware broadly includes botnets, viruses, worms, Trojan horses, logic bombs, rootkits, bootkits, backdoors, spyware, and adware.
Malware is somewhat like the pea in a shell game. A street con running a shell game on the sidewalk lures the mark (or victim) into trying to follow the pea, when actually it’s an exercise in sleight of hand. Similarly, the modern threat life cycle relies on sleight of hand — how to infect, persist, and communicate without being detected.
Unfortunately, the traditional view of malware and old security habits may make you think of malware as the pea — an executable payload, perhaps attached to an email. To understand, control, and successfully counter modern threats, you need to focus on not just the pea (malware), but on the delivery method and all the moving parts.
Bots and Botnets
Information security professionals have been doing battle with malware for more than two decades. Yet all this hard‐earned experience doesn’t necessarily mean that they’re winning the war. Palo Alto Networks real‐world analysis has consistently found that at least 50 to 60 percent of newly identified malware found in enterprise networks lacks signature coverage from any of the top endpoint protection vendors.
This poor catch rate is due to several factors. Some malware has the capability to mutate or can be updated to avoid detection by traditional malware signatures. Additionally, advanced malware is increasingly specialized to the point where the attacker will develop a customized piece of malware that is targeted against a specific individual or network.
Botnets are a particularly useful example for understanding some of the unique characteristics of advanced malware. Bots (individual infected endpoints) and botnets (the broader network of bots working together) are notoriously difficult for traditional endpoint protection solutions to detect. Bots leverage networks to gain power and resilience. A bot under the remote control of a human attacker (bot herder or bot master) can be updated — just like any other application — so that the attacker can change course and dig deeper into the network, based on what he finds, or to adapt to changes and countermeasures.
This is a fundamental shift compared to earlier types of malware, which were more or less independent agents that simply infected and replicated themselves. Botnets — and a great deal of advanced malware — are centrally coordinated, networked applications in a very real sense. In much the same way that the Internet changed what was possible in personal computing, ubiquitous network access is changing what is possible in the world of malware. Now, all malware of the same type can work together toward a common goal, with each infected endpoint growing the power and value of the overall botnet. The botnet can evolve to pursue new objectives or adapt to changes in security measures.
Some of the most important and unique functional traits of botnets (see Figure 1-1) are discussed in the following sections.

Distributed and fault‐tolerant

Advanced malware takes full advantage of the resiliency built into the Internet itself. A botnet can have multiple control servers distributed all over the world, with multiple fallback options. Bots can also potentially leverage other infected bots as communication channels, providing them with a near‐ infinite number of communication paths to adapt to changing access options or update their code as needed.

Multifunctional

Updates from the command and control servers can also completely change the bots’ functionality. This multifunctional capability enables a new economic approach for a bot herder, who can now use portions of the botnet for a particular task, such as collecting credit card numbers, while other segments of the botnet could be sending spam. The important point is that the infection is the most important step, because the functionality can always be changed later as needed.

Persistent and intelligent

Because bots are both hard to detect and can easily change function, they’re particularly well‐suited for targeted and long‐term intrusions into a network. Because bots are under the control of a remote bot herder, a botnet is more like having a cybercriminal inside your network as opposed to a malicious executable program. For example, a bot can be used to learn more about the organization of the network, find targets to exploit, and install additional backdoors into the network in case the bot is ever discovered.
Real‐World Threats
Given their sophistication and capability to evade defenses, exploits that can deliver advanced malware present an enormous threat to the enterprise. Advanced malware is virtually unlimited in terms of functionality — from sending spam to the theft of classified information and trade secrets. The ultimate impact of malware is largely left up to the attacker: A bot that was sending spam one day could be stealing credit card data the next.

Targeted intrusions

Exploits are a key component of targeted, sophisticated attacks. Instead of attempting to infect large numbers of endpoints to launch malicious large‐scale attacks, these targeted attacks aim to compromise specific high‐value systems that can be used to further infiltrate the target network. In these cases, an infected endpoint can be used to gain access to protected systems, and to establish a backdoor into the network in case any part of the intrusion is discovered.
These types of threats are almost always undetectable by traditional antivirus or endpoint protection software. They represent one of the most dangerous threats to the enterprise because they specifically target the organization’s most valuable information, such as research and development, intellectual property, strategic planning, financial data, and customer information.

Carbanak: The great bank robbery

Carbanak is one of the latest examples of a targeted attack. It began in August 2013 and is currently still active. The attackers have sent spear phishing emails with malicious CPL attachments or Word documents exploiting known vulnerabilities. Once inside the victim’s network, money is extracted. Each raid has lasted two to four months. To date, the attackers have targeted up to 100 financial institutions, causing aggregated losses estimated at $1 billion.

ZeroAccess botnet

The ZeroAccess botnet was discovered in 2011 and is still active despite numerous attempts to take it down. ZeroAccess is estimated to be controlling more than 2 million computers worldwide, splitting its focus between click fraud (a virus generates fake clicks on advertising, yielding revenue under pay‐per‐click schemes) and bitcoin mining. Due mostly to bitcoin mining, the botnet’s infected computers are reported to be consuming enough energy to power 111,000 homes every day.

Financial botnets

Financial botnets have received widespread coverage in the press, largely due to the spectacular monetary damage they have caused. These botnets are typically not as large and monolithic as spamming botnets, which grow as large as possible for a single owner. Instead, financial botnets are often sold as kits that allow large numbers of attackers to license the code and set about building their own botnets and targets.
The impact of a financial breach can be enormous for an enterprise. The breach of customer credit card information can lead to serious financial, legal, and brand damage, and the enterprise could lose money that potentially may never be recovered.

Mighty ZeuS: God of financial botnets

Financial botnets — such as ZeuS — are responsible for the direct theft of funds from all types of enterprises. ZeuS botnets have stolen millions of dollars from numerous enterprises in very short periods of time. Other financial botnets focus on the theft of credit card information or faking ACH bank transfers.

Advanced persistent threats

Advanced persistent threats (APTs) are a class of threats that often begin with an exploit and then combine malware and botnet components to execute a far more deliberate and potentially devastating attack. As the name implies, an APT has three defining characteristics:
     Advanced: The attackers typically have the skills to develop sophisticated exploitation tools and techniques, sometimes using zero‐day exploits to deliver advanced malware. They may have access to sophisticated electronic surveillance equipment, satellite imagery, and even human intelligence assets.
     Persistent: An APT may persist over a period of many years. The attackers pursue specific objectives and use a low‐and‐slow approach to avoid detection. The attackers are well organized and typically have access to substantial financial backing to fund their activities, such as a nation‐state or organized crime.
     Threat: An APT is a deliberate and focused, rather than opportunistic, threat that can cause real damage.
Going nuclear with Stuxnet
Stuxnet is a computer worm that was used in an APT against Iran’s nuclear program. It was discovered in 2010, but may have been operating, in different variations, as early as 2005. The worm initially infected endpoints running Microsoft Windows by using multiple zero‐day exploits, then targeted software on programmable logic controllers (PLCs) that control nuclear centrifuges. In addition to collecting information about Iran’s nuclear program, the attack enabled its controllers to cause Iran’s nuclear centrifuges to spin faster and tear themselves apart. Stuxnet is believed to have destroyed 20 percent of Iran’s nuclear centrifuges.




Chapter 2

Understanding Advanced Threats
In This Chapter
Recognizing the modern cybercriminal
Linking together the steps of the cyberattack life cycle

The scourge of cyberattacks is reshaping the threat landscape and forcing enterprises to reassess how they protect their systems and networks. Advanced threats have outpaced traditional endpoint protection strategies and, in the process, have established a foothold within the enterprise that cybercriminals and nation‐states can use to steal information and attack sensitive assets.
In this chapter, you learn about advanced threats; the cybercriminals that carry out attacks; the tools — exploits, malware, bots, and botnets — they use; and how to stop an attack at any stage of the cyberattack life cycle.
Know Thy Enemy
Attackers have evolved from prototypical whiz kids or hackers — sequestered in a basement, motivated by notoriety, and fueled by too much caffeinated soda — into bona fide cybercriminals, often motivated by significant financial gain and sponsored by nation‐states, criminal organizations, or radical political groups. Today’s attacker fits the following profile:
     Has many resources available to facilitate an attack
     Has great technical depth and focus
     Is well funded
     Is organized
Why does this matter? Because a kid in a basement may be able to break into a corporate network, but doesn’t necessarily know what to do with, say, RSA source code. On the other hand, a rogue nation‐state or criminal organization knows exactly what to do or whom to sell stolen intellectual property to on the gray or black market.
Additionally, criminal organizations and nation‐states have far greater financial resources than do independent hackers. Many criminal hacking operations have been discovered, complete with all the standard appearance of a legitimate business with offices, receptionists, and cubicles full of dutiful hackers. These are criminal enterprises in the truest sense, and their reach extends far beyond that of an individual hacker.
Not only do you face more sophisticated adversaries today, but the types of information of value to them are continually expanding as well — these groups can do damage with the most seemingly innocuous bits of information.
Understand Attack Strategy
The modern attack strategy has also evolved. Instead of a traditional, direct attack against a high‐value server or asset, today’s attack strategy employs a patient, multistep process that blends exploits, malware, and evasion into a coordinated network attack. The cyberattack life cycle is a sequence of events that an attacker goes through to successfully infiltrate an organization’s network and steal data from it.
The steps of the cyberattack life cycle are described in the following sections.

Studying the target

To an attacker, you’re the enemy. And the attacker’s first task is to know his enemy. Like common criminals, successful attackers carefully plan their cyberattacks. They research, identify, and select targets, often using social engineering or phishing tactics — sometimes using helpful information from employees’ LinkedIn or Facebook profiles, for example. An attacker may also harvest email addresses from a corporate directory or collect other useful public information from an organization’s website. An attacker will also scan networks for vulnerabilities, services, and applications that can be exploited.
Palo Alto Networks breaks this stage of the cyberattack life cycle by doing the following:
     Preventing the use of social engineering by blocking known malicious URLs through URL filtering on next‐generation firewalls
     Continuously inspecting network traffic flows to detect and prevent port scans and host sweeps using next‐generation firewall network security and threat‐prevention technology

Developing and deploying the payload

Next, the attacker determines the payload and the method that will be used to deliver it. When it comes to delivery, the attacker generally has two options: social engineering or exploitation. The social engineering method is relatively simple. The objective is to trick the user into clicking on a bad link or opening a malicious executable file, for example.
Exploitation, on the other hand, is far more sophisticated because it essentially tricks the operating system (OS), browser, or other third‐party software into running the attacker’s code. This means the attacker has to craft an exploit to target specific vulnerable software on the endpoint. The benefit to the attacker is that there is usually no way for the victim to know that anything malicious is going on. The exploit can be embedded in a perfectly legitimate file attachment. Once the exploitation has succeeded, a malware payload can be delivered. Understanding how malware and exploits have become closely interrelated in the modern attack life cycle is important. Data files or web pages can be weaponized with exploits that are used to target the victim’s vulnerable software.
Infiltration of a target using exploits has become an efficient and stealthy method to deliver malware because exploits can be hidden in files that appear legitimate. In addition, the availability of off‐the‐shelf exploit kits significantly reduces the technical knowledge needed to develop exploits. Once an exploit is run, the attacker can take control of the targeted endpoint and install malware or run the attack entirely in memory, making it even more difficult to detect given that no new files are created on the exploited system.
A drive‐by‐download delivers malware in the background, usually by exploiting a vulnerability in an OS, browser, or other third‐party application. This is a very common delivery mechanism for malware today.
Today’s threats don’t necessarily come as an executable attachment in an email. A link or a data file is all that is required. This is why social media, webmail, message boards, and microblogging platforms, such as Twitter, as well as commonly used file viewers that can be easily exploited, are rapidly becoming favorite attack vectors.
Palo Alto Networks breaks this stage of the cyberattack life cycle on the endpoint by:
     Preventing known and unknown exploits using Palo Alto Networks Traps. Even if the exploit is successfully delivered to the target endpoint, Traps will prevent the exploitation of vulnerabilities.
     Preventing known and unknown malware using Traps which includes various techniques on the endpoint, including integration with the WildFire threat intelligence cloud.
Palo Alto Networks breaks this stage of the cyberattack life cycle on the network by:
     Maintaining full visibility into all traffic, including SSL, and blocking high‐risk applications using a next‐generation firewall.
     Protecting against perimeter breaches by blocking malicious or risky websites.
     Blocking known exploits, malware, and inbound command‐and‐control (C&C) communications using multiple threat prevention disciplines, including intrusion prevention, antimalware, anti‐C&C, DNS monitoring and sinkholing, and file and content blocking.
     Detecting unknown threats and automatically delivering protection globally to thwart new attacks via Palo Alto Networks cloud‐based threat intelligence platform, WildFire.

Expanding the attack

Once a target endpoint has been infiltrated, the attacker needs to ensure persistence (resilience or survivability). Rootkits and bootkits are commonly installed on compromised endpoints for this purpose. A rootkit is malware that provides privileged (root‐level) access to a computer. A bootkit is a kernel‐mode variant of a rootkit, commonly used to attack computers that are protected by full‐disk encryption.
Backdoors enable an attacker to bypass normal authentication procedures to gain access to a compromised system. Backdoors are often installed as a failover in case other malware is detected and removed from the system.
Malware that counteracts antivirus (anti‐AV) software may also be installed to disable any legitimately installed antivirus software on the compromised endpoint, thereby preventing automatic detection and removal of malware that is subsequently installed by the attacker. Many anti‐AV programs work by infecting the master boot record (MBR) of a target endpoint.
Palo Alto Networks prevents an attacker from expanding an attack on the endpoint with the following actions:
     Using the Advanced Execution Control functions within Traps to prevent malicious execution scenarios, including unauthorized file locations, unsigned executables, and child processes. These policy‐based rulesets can drastically reduce the endpoint attack surface.
     Preventing execution of malicious files using the Traps integration with WildFire. Traps can prevent any unknown executable from running until WildFire has analyzed the file and determined if it is malicious or not.
Palo Alto Networks prevents an attacker from expanding an attack on the network with the following actions:
     Establishing secure zones with strictly enforced user access control with next‐generation firewall/GlobalProtect, and providing ongoing monitoring and inspection of all traffic between zones (Zero Trust model).
     Controlling applications at a granular level to allow only authorized applications on the network, limiting the attackers’ ability to move laterally with unknown tools and scripts.

Establishing C&C communications infrastructure

Communication is fundamental to a successful attack. Attackers must be able to communicate with infected systems to enable C&C, and to extract stolen data from a target system or network. This communication can also be used by the attacker to target other systems on the victim’s network. Thus, the initially infected target might only be the first entry point that enables lateral movement toward the attacker’s ultimate objective.
C&C communications must be stealthy and can’t raise any suspicion on the network. Such traffic is usually obfuscated or hidden through techniques that include the following:
     Encryption with SSL, SSH (Secure Shell), or some other custom application. Proprietary encryption is also commonly used. For example, BitTorrent is known for its use of proprietary encryption and is a favorite tool — both for infection and ongoing C&C.
     Circumvention via proxies, remote desktop access tools (such as LogMeIn!, RDP, and GoToMyPC), or by tunneling applications within other (allowed) applications or protocols.
     Port evasion using network anonymizers or port hopping to tunnel over open ports. For example, botnets are notorious for sending C&C instructions over IRC (Internet relay chat) on nonstandard ports.
     Fast Flux (or Dynamic DNS) to proxy through multiple infected hosts, reroute traffic, and make it extremely difficult for forensic teams to figure out where the traffic is really going.
C&C is often accomplished through common applications, including webmail, social media, P2P networks, blogs, and message boards. C&C traffic doesn’t stand out or raise suspicion, is often encrypted, and frequently makes use of backdoors and proxies.
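Detection logic for two of the obfuscation techniques listed above, port evasion (IRC carried on a nonstandard port) and Fast Flux DNS, run over constructed flow and DNS records. This is an added example, not Palo Alto Networks code; the record layouts, the IRC command check and the thresholds are assumptions.

```python
"""Flag IRC on nonstandard ports and fast-flux style DNS answers in constructed
logs. The record layouts, the IRC command check and the thresholds are
assumptions for this example, not any product's detection logic."""
import re
from collections import defaultdict

# IRC clients register with NICK/USER and then JOIN/PRIVMSG, each command at the
# start of a CRLF-terminated line. Matching the protocol instead of the port is
# the same idea as identifying an application on any port.
IRC_COMMAND = re.compile(r"(?:^|\r\n)(NICK|USER|JOIN|PRIVMSG|PASS) ", re.ASCII)
IRC_STANDARD_PORTS = {6667, 6697}

# Constructed flow records: (src_ip, dst_ip, dst_port, first payload bytes as text)
FLOWS = [
    ("10.0.0.5", "203.0.113.9", 443, "\x16\x03\x01\x02\x00\x01\x00"),            # TLS hello
    ("10.0.0.7", "198.51.100.4", 6667, "NICK bot7\r\nUSER bot7 0 * :x\r\n"),      # IRC, usual port
    ("10.0.0.8", "198.51.100.4", 8080, "NICK bot8\r\nUSER bot8 0 * :x\r\nJOIN #c\r\n"),  # IRC hidden on 8080
    ("10.0.0.9", "192.0.2.10", 80, "GET / HTTP/1.1\r\nHost: www.example.test\r\n"),  # plain HTTP
]

# Constructed DNS response records: (qname, answer_ip, ttl_seconds)
DNS_ANSWERS = [
    ("www.example.test", "192.0.2.10", 3600),
    ("www.example.test", "192.0.2.10", 3600),
    ("static.example.test", "192.0.2.20", 300),
    ("static.example.test", "192.0.2.21", 300),
] + [("cdn-update.example.test", f"198.51.100.{n}", 60) for n in range(30, 36)]


def looks_like_irc(payload: str) -> bool:
    """True when the payload opens with IRC registration or channel commands."""
    return IRC_COMMAND.search(payload) is not None


def irc_on_nonstandard_port(flows):
    """Return (src, dst, port) for flows that speak IRC on a port other than the
    well-known IRC ports: the port-evasion case described in the text."""
    return [
        (src, dst, port)
        for src, dst, port, payload in flows
        if looks_like_irc(payload) and port not in IRC_STANDARD_PORTS
    ]


def fast_flux_candidates(answers, min_distinct_ips=5, max_ttl=300):
    """Return qnames whose answers rotate through many distinct addresses with
    short TTLs, the footprint a fast-flux C&C domain leaves in resolver logs.
    The thresholds are assumptions; tune them against your own DNS data."""
    low_ttl_ips = defaultdict(set)
    for qname, ip, ttl in answers:
        if ttl <= max_ttl:
            low_ttl_ips[qname].add(ip)
    return sorted(q for q, ips in low_ttl_ips.items() if len(ips) >= min_distinct_ips)


if __name__ == "__main__":
    for hit in irc_on_nonstandard_port(FLOWS):
        print("IRC on nonstandard port:", hit)
    for qname in fast_flux_candidates(DNS_ANSWERS):
        print("fast-flux candidate:", qname)
```

The static CDN name with two addresses at a 300 second TTL stays below the threshold, which is the kind of benign rotation a real rule has to tolerate.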
Palo Alto Networks breaks C&C communications by performing the following actions:
     Blocking outbound C&C communications (through anti‐C&C signatures), as well as file and data pattern uploads.
     Blocking outbound communication to known malicious URLs with URL filtering.
     Blocking novel attack techniques with application identification (App‐ID), which is able to identify applications on any port.
     Redirecting malicious outbound communication to internal honeypots to identify and block compromised hosts.
     Creating a database of malicious domains to ensure global awareness/prevention through DNS monitoring.

Executing attack objectives

Attackers have many different motives for an attack, including data theft, destruction of critical infrastructure, hacktivism, or cyberterrorism. This final phase of the attack often lasts months or even years, particularly when the objective is data theft, as the attacker uses a low‐and‐slow attack strategy to avoid detection.
One infamous security breach in 2014 went undetected for five months and resulted in the compromise of more than 56 million payment cards.
Palo Alto Networks breaks this stage of the cyberattack life cycle by doing the following:
     Preventing malware techniques on the endpoint with Traps. Malware prevention modules within Traps can prevent common techniques used by many categories of malware.
     Blocking outbound C&C communications (through anti‐C&C signatures), as well as file and data pattern uploads.
     Blocking outbound communication to known malicious URLs with URL filtering.
     Enforcing file transfer application policies in the enterprise with granular application and user control, eliminating archiving and transfer tactics.
Breaking this sequence before the attacker can run malicious code on the endpoint is the only way to prevent damage from an attack. After the attacker runs exploit code or installs malware, the breach has occurred and you’re in cleanup mode.


Chapter 3

Endpoint Protection Approaches and Limitations
In This Chapter
Acknowledging the limits of signature and container‐based approaches
Recognizing the challenges of whitelisting and virtualization
Patching software vulnerabilities
Deploying network controls
Integrating network‐ and host‐based approaches

In this chapter, you explore the challenges of legacy approaches to endpoint protection.
Signature‐Based Approaches
Signature‐based antivirus software is the oldest and most commonly used approach for detecting and identifying malware on endpoints. This approach is based on the simple action of collecting malware samples and then writing signatures for those samples. Signature‐based antivirus (or antimalware) software scans a computer’s hard drive and memory according to a predefined schedule, and in real time when a file is accessed. If a known malware signature is detected, the software performs a predefined action such as the following:
     Quarantine: Isolates the infected file so that it can’t infect the computer or other files.
     Delete: Removes the infected file.
     Alert: Notifies the user (and/or system administrator) that malware has been detected.
Although the signature‐based approach is very popular, its effectiveness is limited. By design, protection can’t be delivered until the malware is already in the wild. Before that, networks and endpoints are blind to the threat.
A sample of new or unknown suspicious traffic must be captured and identified before a detection signature can be created by security vendors. The new signature must then be downloaded and installed on an enterprise’s endpoints in order to provide protection.
This means that some users and networks will be successfully breached by new malware until a new detection signature is created and downloaded. This reactive model creates a window of opportunity for attackers, leaving endpoints  vulnerable — sometimes for weeks or even months — until new malware is suspected, collected, analyzed, and identified. During this time, attackers can freely infect networks and  endpoints.
Modern malware has taken this weakness and expanded upon it by evolving techniques to avoid being captured in the wild and to avoid the signatures that have already been created. Targeted malware and polymorphism are increasingly common techniques used to exploit the inherent weaknesses of signature‐based detection.
Polymorphism is used in malware to avoid signatures by regularly mutating to avoid simple signature matches. Some malware applications have entire sections of code that serve no purpose other than to change the signature of the malware.
Another challenge for the signature‐based approach is that millions of new malware variations are created each year — on average about 20,000 new forms daily — for which unique signatures must be written, tested, and deployed — after the new malware variation is discovered and sampled. This reactive approach is simply not effective for protecting endpoints against today’s modern threats.
Container‐Based Approaches
Container‐based endpoint protection wraps a protective virtual barrier around vulnerable processes while they’re running. If a process is malicious, the container attempts to mitigate the damage by preventing it from damaging other legitimate processes or files on the endpoint. However, the container‐based approach typically requires a significant amount of computing resource overhead and attacks have been demonstrated that circumvent or disable container‐based protection.
This approach also requires knowledge of the applications that need to be protected and how they interact with other software components. So a containerization tool will be developed to support certain common applications, but will not be capable of protecting most proprietary or industry‐specific software. Even web browser plug‐ins and the like can have problems operating correctly within a container environment.
Whitelisting
Application whitelisting is another endpoint protection technique that is commonly used to prevent end users from running unauthorized applications — including malware — on their endpoints.
Application whitelisting requires a positive control model in which no applications are permitted to run on the endpoint unless they’re explicitly permitted by the whitelist policy. In practice, this requires a large administrative effort to establish and maintain a list of approved applications. This approach is based on the premise that if you create a list of applications that are specifically allowed and then prevent any other file from executing, you can achieve maximum protection for the endpoint. Although this basic functionality can be useful to reduce the attack surface, it is by no means a comprehensive approach to endpoint security.
Modern trends like consumerization and bring your own device (BYOD) make application whitelisting extremely difficult to enforce in the enterprise. Additionally, once an application is whitelisted it is permitted to run — even if the application has a vulnerability that can be exploited. This means the attacker can simply exploit a whitelisted application and have complete control of the target endpoint regardless of the whitelisting. After the application has been successfully exploited, the attacker can run malicious code while keeping all the activity in memory. This means that no new files are created and no new executables attempt to run, rendering the whitelisting software completely ineffective against this type of attack.
Whitelisting may prevent a malicious executable from running, but will do nothing to prevent exploitation of legitimate software. The attacker can exploit the application and run the entire attack in memory without creating any new executable files that whitelisting could block.
Anomaly Detection
Endpoint security approaches that use mathematical algorithms to detect unusual activity on an endpoint are known as heuristics‐based, behavior‐based, or anomaly‐detection solutions. This approach relies on first establishing an accurate baseline of what is considered “normal” activity. Although this approach has been around for many years, it is still prone to high false positives and offers limited effectiveness in most implementations.
Host‐Based Intrusion Prevention Systems (HIPS)
HIPS is another approach to endpoint protection that relies on an agent installed on the endpoint to detect malware. HIPS can be either signature based or anomaly based and are therefore susceptible to the same issues as signature‐based and anomaly‐based approaches. Additionally, HIPS solutions often cause significant performance degradation on endpoints. A recent Palo Alto Networks survey found that 25 percent of respondents indicated HIPS solutions “caused significant end‐user performance impact.”
Patch Management
Thousands of new software vulnerabilities and exploits are discovered each year, requiring diligent software patch management by system and security administrators in every organization.
However, patch management only protects an organization’s endpoints after a vulnerability has been discovered and the patch installed. Delays of days, weeks, or longer are inevitable as security patches for newly discovered vulnerabilities must be developed, distributed, tested, and deployed. Although patch management is an important aspect of any information security program, like signature‐based antimalware detection, patch management is an endless race against time that offers no protection against zero‐day exploits.
Network Controls
Traditional network security solutions simply were never designed to meet the challenges of exploits and malware on endpoints. Traditional firewalls and IPS solutions classify traffic based on port assignments. As a result, a threat that is evasive and dynamic can simply bounce to an unexpected or seemingly legitimate port, gain access to the network, and avoid detection. Firewalls and IPS solutions are, nonetheless, important elements of an enterprise defense‐in‐depth strategy that includes advanced endpoint protection.
A next‐generation firewall overcomes many of the technical challenges of traditional, port‐based firewalls and signature‐based IPS, and accurately identifies applications, content, and users to determine if traffic should be allowed, rather than simply relying on port information and signatures.
Taking an Integrated Approach to Endpoint Protection
Advanced endpoint protection requires an integrated, multidisciplinary approach to prevent exploits and malware whether they arrive via the network or directly on the endpoint via other means, such as portable media.
Many organizations have deployed various security solutions in addition to their legacy port‐based firewalls, including intrusion prevention systems (IPSs), proxy servers, web‐content filtering, antivirus gateways, and application‐specific solutions — such as instant messaging or email security (antispam) appliances — in an effort to shore up their defenses against modern malware threats.
A recent Palo Alto Networks survey found that integration with network security solutions (such as IPS, threat intelligence, and network‐based sandboxing) is the most sought‐after requirement for an endpoint security solution.
However, this cobbled‐together approach to security infrastructure creates problems of its own, including the following:
     Not everything that should be inspected is, because these solutions either can’t see all the traffic or rely on the same port‐ and protocol‐based classification scheme as do port‐based firewalls.
     Coverage is only applied to a limited set of traffic, rather than every application.
     Policy management, access control rules, and inspection requirements are spread across multiple devices and consoles, making it difficult to develop and enforce a consistent enterprise security policy.
     Performance suffers due to relatively high aggregate latency because the same traffic is scanned and analyzed on multiple devices.
     Information isn’t easily correlated and analyzed between devices, with raw data in multiple formats easily overwhelming security analysts.
An ounce of prevention: Taking a proactive approach to endpoint protection

Most security products take a reactive approach to endpoint protection. These are often referred to as detection and response or visibility and control solutions, but they typically use some form of signature‐ and anomaly‐based detection or indicator of compromise (IOC) detection. Essentially, these approaches allow an exploit or malware to compromise the endpoint, then attempt to perform actions such as removing the malware or quarantining the endpoint from the network.
These endpoint protection strategies don’t provide enough coverage. The end‐user workstation or data center server has already been compromised and is now unusable until the threat is removed and the integrity of the endpoint is restored. It’s also possible that the attacker has already achieved his objective at this point — perhaps by encrypting local data for a ransomware attack or a simple denial‐of‐service attack.
An endpoint protection strategy based on prevention intercepts and blocks an attack before malicious activity occurs on the endpoint. This means preventing an exploit from running (often a precursor to many advanced attacks), or preventing malware from being executed.
This proactive approach enables true endpoint protection and proves the adage: An ounce of prevention is worth a pound — or in this case, hours, days, or even weeks spent quarantining a server or workstation, cleaning or reinstalling software, restoring files, and more — of cure!



Chapter 4

Advanced Endpoint Protection Defined
In This Chapter
Using a proactive approach for endpoint protection
Bringing network and endpoint protection together
Learning about Traps

In this chapter, you learn what advanced endpoint protection is all about — exploit prevention, malware prevention, and platform integration — and how Palo Alto Networks delivers advanced endpoint protection for both workstations and servers with Traps.
Prevent, Don’t Just Detect
Advanced endpoint protection is a new security product innovation that requires a different mindset from traditional security methodologies. Rather than a reactive detect and respond approach as with traditional antimalware software, advanced endpoint protection employs a proactive prevention strategy. Advanced endpoint protection must do the following:
     Prevent all exploits, including those using unknown zero‐day vulnerabilities
     Block all malware, without requiring any prior knowledge of specific malware signatures
     Provide detailed forensics against prevented attacks, in order to strengthen all areas of the organization by pinpointing the targets and techniques used
     Be highly scalable and lightweight to seamlessly integrate into existing operations with minimal to no disruption
     Integrate closely with network and cloud security for quick data exchange and cross‐organization protection
Use an Integrated Approach
Many of today’s readily available legacy endpoint protection products are single faceted, providing only virus detection and removal, for example. These products rely on the same techniques (see Chapter 3) that have been unsuccessfully employed for more than 20 years.
Newer endpoint security suites often incorporate antimalware, personal firewalls, host‐based intrusion prevention, and cloud‐based signature updates, but still fail to adequately  protect the endpoint against today’s advanced threats.
Advanced endpoint protection provides a more comprehensive approach than legacy endpoint protection products, and fully integrates with other enterprise security solutions, such as next‐generation firewalls, real‐time threat intelligence, and security information and event management (SIEM).
Traps: Advanced Endpoint Protection
Palo Alto Networks Traps provides advanced endpoint protection that prevents sophisticated vulnerability exploits and malware‐driven attacks — both known and unknown. Traps automatically detects and blocks a core set of techniques that every attacker must link together in order to execute any type of attack, regardless of its complexity. Preventing just one technique in the cyberattack life cycle (see Chapter 2) is all that is needed to thwart the entire attack before it can do any damage.
The key to Traps is blocking core exploit and malware techniques, not the individual attacks.
The Traps agent injects itself into each process as it’s started, automatically blocking advanced attacks that would otherwise evade detection. If an exploit attempt is made using one of the attack techniques, Traps immediately blocks that technique, terminates the process, and notifies both the user and the admin that an attack was prevented (see Figure 4-1).
Throughout each event, Traps collects detailed forensics and reports this information to the endpoint security manager (ESM), resulting in better visibility and an understanding of attacks that were prevented. With Traps, endpoints are always protected, regardless of patch, signature, or software‐update levels; plus, it requires no prior knowledge of an attack in order to prevent it.
Learn more about exploit prevention in Chapter 5.
To prevent the execution of malicious executables on the endpoint, Traps focuses on three key areas to ensure comprehensive protection. When combined, these methods offer unparalleled malware prevention and include the following:
     Advanced execution control: Organizations can easily set up policies restricting specific execution scenarios. For example, you may want to prevent the execution of files from the Outlook temp directory, prevent execution of unsigned files, or prevent the execution of a particular file type directly from a USB drive.
     WildFire inspection and analysis: Traps queries Palo Alto Networks WildFire threat intelligence cloud with a hash and submits any unknown .exe files to assess their risk within the global threat community.
     Malware techniques mitigation: Traps implements technique‐based mitigations that prevent attacks by blocking techniques such as thread injection.
Learn more about malware prevention in Chapter 6.

Traps deployment architecture

Traps is a highly scalable advanced endpoint protection solution that consists of an Endpoint Security Manager Console, Endpoint Security Manager Server(s), lightweight Traps Agents (installed on individual endpoints), and optional external logging.
Endpoint Security Manager Console
The Traps infrastructure supports various architectural options to allow for scalability to a large distributed environment. Installation of the Endpoint Security Manager (ESM) creates a database on a Microsoft SQL server and installs the administrative console within the Internet Information Server (IIS). Microsoft SQL 2008, 2012, and 2014 are supported and the SQL server may be dedicated to ESM — or a database can be created on an existing SQL server.
The Endpoint Server can be installed on Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2 on physical or virtual machines.
Endpoint Security Manager Servers
ESM servers essentially act as proxies between Traps agents and the ESM database. Communications from Traps agents to ESM servers occur over HTTPS. ESM servers don’t store data and, therefore, can be easily added and removed from the environment as needed to ensure adequate geographic coverage and redundancy.
To ensure global connectivity, organizations that don’t use a mobility solution like Palo Alto Networks GlobalProtect may opt to put an ESM server in the DMZ or in a cloud‐based environment with external connectivity. ESM servers can be installed on Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2 physical or virtual machines.
Traps agent
The Traps agent installer is an approximately 9 MB Microsoft Installer (MSI) package that can be deployed using your software deployment tool of choice. Subsequent updates to the agent can be deployed via the ESM. The agent consumes less than 25 MB on disk and less than 40 MB while running in memory. Observed CPU utilization is less than 0.1 percent. The agent also employs various tamper‐proofing methods that prevent users and malicious code from disabling protection or tampering with agent configuration.
The lightweight structure allows for the Traps environment to scale horizontally and support large deployments of agents, while still maintaining a centralized configuration and database for policies. Traps can coexist with most major endpoint security solutions, and the CPU utilization and I/O remains incredibly low. With such minimal disruption, this makes Traps optimal for critical infrastructures, specialized systems, and virtual desktop infrastructure (VDI) environments.
External logging
The ESM can write logs to an external logging platform, such as a security information and event management (SIEM) solution or anything that supports syslog, in addition to storing its logs internally.
Palo Alto Networks Enterprise Security Platform is a fully integrated solution that includes Traps Advanced Endpoint Protection, the next‐generation firewall, and the WildFire threat intelligence cloud, enabling full implementation of Zero Trust from network to endpoint.



Chapter 5

Core Techniques to Prevent Zero‐Day Exploits
In This Chapter
Recognizing why exploit prevention is critical
Exploiting vulnerabilities in the cyberattack life cycle
Using Traps to prevent unknown exploits

In this chapter, you learn how Traps breaks the cyberattack life cycle by preventing exploit techniques.
Making Exploit Prevention a Priority
A great deal of attention has been paid to malware since the earliest days of computing. Although malware prevention is certainly critical to advanced endpoint prevention, it is only one part of a comprehensive enterprise security strategy.
Equally important, but less understood than malware prevention, is the importance of exploit prevention. There are several possible reasons for this disparity between malware and exploit prevention awareness, including the following:
     Antimalware (previously antivirus) software has been around since the early days of personal computing. Although the common end user may not understand what malware does or know different types, she at least understands the importance of having antimalware software installed and updated on her personal computers.
     Exploits take advantage of a vulnerability in legitimate software. This implies a flaw in the software. Over the decades, different software vendors have taken different approaches to acknowledging the existence of such flaws in their software. Even today, there is no standard among software vendors for publicly acknowledging and patching vulnerabilities.
     In many attacks, an exploit is used as a delivery mechanism for malware. Without any kind of advanced endpoint protection running on the endpoint, the exploit goes undetected. So, when the malware is eventually detected on the endpoint, it’s not immediately evident that the attack began with an exploit.
     October is National Malware Awareness Month and everyone wears carbon gray ribbons in recognition. No such awareness campaign exists for exploits. Okay, October isn’t really National Malware Awareness Month — but maybe it should be!
Adobe Flash Player vulnerabilities and the zero‐day month


Recent Adobe Flash Player vulnerability exploits have increased the risk exposure for many endpoints. Despite proactive efforts to document, communicate, and patch Flash vulnerabilities, many exploits enjoyed extended zero‐day timelines.

For example, CVE‐2015‐0313 was discovered as a zero‐day exploit in the wild on February 2, 2015. On February 4 and 5, Adobe released patched versions of its Adobe Flash Player to address this vulnerability. However, on February 25, fully working exploit code for CVE‐2015‐0313 was published that required modification of only a few lines of code to be effective. A fully patched version of Adobe Flash Player that addressed both CVE‐2015‐0313 and its variant, dubbed CVE‐2015‐X, was finally released on April 14. Thus, even if organizations patched all their endpoints as soon as each update was available, they were still vulnerable to an attack exploiting this vulnerability for almost two months. Just a few months later, more new Adobe Flash exploits were revealed. Again, Traps was able to prevent these exploits from succeeding on protected endpoints — running in its default configuration with no updates needed.


Security techniques such as application whitelisting (discussed in Chapter 3) are difficult to fully implement and ineffective against exploits. An exploit takes advantage of a vulnerability in a legitimate (translation: whitelisted) application to execute an attack.
Understanding Exploit Techniques
Many advanced threats work by placing malicious code in a seemingly innocuous data file. When the file is opened, the malicious code leverages a vulnerability in the native application used to view the file, and the code executes. Because the application being exploited is allowed by IT security policy, this type of attack bypasses application whitelisting controls.
Although there are many thousands of exploits, they all rely on a small set of core techniques that change infrequently. Regardless of the attack or its complexity, in order for the attack to be successful, the attacker must execute a series of these core exploit techniques in sequence, like navigating a maze to reach its objective (see Figure 5-1).
Heap spray is an attempt to insert the attacker’s code into multiple locations within the memory heap, hoping that one of those locations will be called by the process and executed.
Some attacks may involve more steps, some may involve fewer, but typically three to five core techniques must be used in order to exploit an application.
Preventing Exploits with Traps
Palo Alto Networks Traps focuses on the core techniques used by all exploits to render those techniques completely ineffective, which means the application is no longer vulnerable.
The Traps agent injects itself into each process as it is started. If the process attempts to execute any of the core attack techniques, the corresponding exploit prevention module (EPM) prevents that exploit, kills the process, and reports all the details to the endpoint security manager (ESM), as depicted in Figure 5-2.
By default, Traps policy is configured to protect more than 100 processes — each one with dozens of proprietary EPMs.
Traps isn’t limited to protecting only those processes or  applications. Organizations use Traps to protect all manner of processes and applications by simply adding them to the policy configuration. Processes that have been run on the endpoint automatically show up in the ESM console, making it easy to protect those processes with the click of a button. This is especially useful for organizations running industry‐specific applications, such as point‐of‐sale (POS) systems, ATM machines, and supervisory control and data acquisition (SCADA).
If for some reason an application conflicts with one of the EPMs, simply disable that EPM for the specific application and computer. The application is still protected by dozens of other EPMs (see Figure 5-3). Because exploits rely on a series of techniques to successfully run, the other EPMs will continue protecting that application and will block at least one of the techniques, thus breaking the sequence.
Examples of attacks that the EPMs can prevent include the following:
     Dynamic link library (DLL) hijacking — replacing a legitimate DLL with a malicious one of the same name
     Hijacking program control flow
     Inserting malicious code as an exception handler
Exploits are used to target both vulnerable applications and network‐based services running on workstations and servers. Traps Advanced Endpoint Protection protects both workstations and servers.
Traps covers top high‐risk vulnerabilities highlighted by US‐CERT
US‐CERT recently issued an alert regarding the 30 most prevalent vulnerabilities in targeted attacks that took place in 2014 (see the accompanying table).
Memory Corruption, Logical, and Java Vulnerabilities
CVE ID           Targeted Application   Vulnerability Type               Zero day
CVE‐2006‐3227    Internet Explorer      Charset obfuscation
CVE‐2008‐2244    MS Word                Buffer overflow
CVE‐2009‐3129    MS Excel               Excel featherhead record
CVE‐2009‐3674    Internet Explorer      Uninitialized memory corruption
CVE‐2009‐3953    Adobe Reader\Acrobat   Array overflow
CVE‐2010‐0806    Internet Explorer      Use after free                   yes
CVE‐2010‐3333    MS Office              Stack buffer overflow
CVE‐2010‐0188    Adobe Reader\Acrobat   Stack buffer overflow            yes
CVE‐2010‐2883    Adobe Reader\Acrobat   Stack buffer overflow            yes
CVE‐2011‐0101    MS Excel               Excel record parsing WriteAV
CVE‐2011‐0611    Adobe Flash Player     Object type confusion            yes
CVE‐2011‐2462    Adobe Reader\Acrobat   Unspecified                      yes
CVE‐2012‐0158    MS Office DOC\RTF      Stack buffer overflow            yes
CVE‐2012‐1856    MS Office              Use after free
CVE‐2012‐4792    Internet Explorer      Use after free                   yes
CVE‐2012‐1723    Oracle Java            Sandbox escape
CVE‐2013‐0074    MS Silverlight         Double dereference
CVE‐2013‐1347    Internet Explorer      Use after free                   yes
CVE‐2013‐2465    Oracle Java            Sandbox escape
CVE‐2013‐2729    Adobe Reader           Integer overflow
CVE‐2014‐0322    Internet Explorer      Use after free                   yes
CVE‐2014‐1761    Word                   Object type confusion            yes
CVE‐2014‐1776    Internet Explorer      Use after free                   yes
CVE‐2014‐4114    MS Office              Logical                          yes
Source: US‐CERT
Each of these vulnerabilities, when exploited, indicates a compromised endpoint. From this compromised endpoint, the attacker will expand to other endpoints and servers in your network until it reaches its goal, possibly stealing the crown jewels it set out for.
The CERT list is a valuable source, reflecting the actual threat landscape. Security decision makers can derive important knowledge from reading between its lines:
       The prevailing attack scenario is still a user browsing or opening an attachment. According to the CERT list, the only exceptions are one OpenSSL and four ColdFusion vulnerabilities (not listed in the accompanying table).
       The targeted applications are the most common ones. This comes as no surprise. The list in the table is solely comprised of Internet Explorer, Silverlight, MS Office, Oracle Java, and Adobe Flash, Reader, and Acrobat.
       Vulnerabilities from 2012 and before comprise more than half of the list. This tells us more about victims than attackers. Apparently nonpatching is a common practice. Updating vulnerable software isn’t always prioritized. This enables attackers to successfully leverage old vulnerabilities (dating back as far as 2006!) for their purpose.
       Browser and attachment attacks are equally distributed. The distribution of these two main attack vectors is around 50/50 with slightly more browser exploits shown. Browser exploits are common in watering hole attacks and are typically integrated in exploit kits. Attachments (Office, Adobe Reader, and others), on the other hand, are used in spear phishing attacks, which target specific users. The nearly equal distribution implies that both vectors remain areas of concern.
       Half of these vulnerabilities are zero days. One of the most pressing issues for current cybersecurity strategists is the correlation between sophistication and prevalence. The nonproportional zero-day presence in the CERT list implies that today’s zero-day is tomorrow’s common attack vector. Of course, there is a natural selection involved that determines which zero days will spread and which will decline.
       Most of the memory corruption vulnerabilities enable exploits to bypass Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). In recent years, Windows-integrated exploit mitigations forced attackers to adjust how exploits are written. The CERT list suggests they have succeeded. Return Oriented Programming (ROP), for example, is common to almost all exploits shown. This illustrates once more the ever‐changing nature of the cyberthreat arena: Whenever a security measure is introduced, attackers reflect, learn, reshape, and attack in alternative patterns.
Palo Alto Networks Traps directly addresses the security gaps reflected in the CERT list. Traps prevents exploitation in real time by mitigating the core techniques that are common to all exploits. Exploitations of the vulnerabilities on the CERT list are different from each other, but all of them converge into a known pool of techniques. Traps proactively obstructs these techniques, providing protection without relying on signatures or prior knowledge.


Chapter 6

A Robust Approach to
Prevent Unknown Malware
In This Chapter
Implementing policy‐based restrictions
Preventing malware using cloud-based threat intelligence
Blocking malicious behavior
Bringing it all together

In addition to preventing exploits hiding in data files or launched over the network (discussed in Chapter 5), Palo Alto Networks Traps employs a comprehensive approach to the prevention of malicious executables. Malicious executables, more commonly known as malware, can be inadvertently downloaded and run by users without their knowledge.
Traps’ malware prevention engine uses Advanced Execution Control, WildFire integration, and Malware Prevention Modules to prevent the execution of malware. When combined, these technologies offer good malware prevention. In this chapter, you learn about Traps malware prevention.
Advanced Execution Control
When a user or endpoint attempts to open an executable, Traps first verifies that the executable doesn’t violate any policy‐based restrictions. Policy‐based restrictions dramatically reduce the attack surface by preventing file execution in high‐risk scenarios. For example, you may want to prevent executing the following:
     Particular (or any) file types directly from a USB drive
     Files from certain paths (such as the Outlook temp folder) or network locations where applications don’t reside
     Child processes created by specific applications (such as Microsoft PowerPoint)
     Unsigned executables
Alternatively, highly granular restrictions are available to define trusted processes or file types, locations, and registry paths that these processes can read from and write to.
If any of the restriction rules apply to the executable, Traps blocks the file from executing and reports the security event to the Endpoint Security Manager (ESM).
Traps provides both static and dynamic execution control. Basic whitelisting and blacklisting of applications can be easily managed from the ESM console. Every executable that has ever been run in the organization is listed in the ESM console along with the WildFire verdict (discussed later in this chapter). The administrator can easily override the verdict with the click of a button. For relatively static environments or specialized systems like point‐of‐sale (POS) or supervisory control and data acquisition (SCADA), endpoints can be hardened with a strict execution‐control policy. For more dynamic environments like end‐user workstations, dynamic execution analysis and control is accomplished through integration with WildFire.
The right set of policy‐based restrictions results in a hardened endpoint with a greatly reduced attack surface.
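The restriction types listed above can be modelled as a small rule set evaluated against each execution request. The following Python is an added illustrative example, not Traps code and not any Palo Alto Networks or ESM API: the rule names, the sample paths, and the assumption that the agent already knows whether the image is signed and whether it resides on removable media are all constructed for the example. The policy is allow-by-default; a launch is blocked only when some restriction rule matches, and the first matching rule is reported.

```python
"""Illustrative model of policy-based execution restrictions.

Added example: not Traps code and not a Palo Alto Networks API. It shows how
the restriction types described in the text (file types from USB, restricted
paths, child processes of a given parent, unsigned executables) can be
expressed as rules and evaluated against an execution request.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from pathlib import PureWindowsPath
from typing import NamedTuple, Optional, Sequence


@dataclass(frozen=True)
class ExecRequest:
    """One attempt to start an executable (fields are assumed to be supplied by the agent)."""
    path: str               # full path of the image being launched
    parent: str             # image name of the parent process, e.g. "explorer.exe"
    signed: bool            # Authenticode signature present and valid
    removable_media: bool   # image resides on a USB / removable volume


@dataclass(frozen=True)
class Rule:
    """A restriction: every non-empty condition must hold for the rule to match."""
    name: str
    file_types: Sequence[str] = ()         # lower-case suffixes, e.g. (".exe",); () = any
    from_removable: Optional[bool] = None  # True = only files on removable media
    path_globs: Sequence[str] = ()         # lower-case fnmatch patterns on the full path
    parents: Sequence[str] = ()            # lower-case parent image names
    unsigned_only: bool = False            # True = only unsigned images

    def __post_init__(self) -> None:
        # A rule with no conditions would match every launch; refuse to build one.
        if not (self.file_types or self.from_removable is not None
                or self.path_globs or self.parents or self.unsigned_only):
            raise ValueError(f"rule {self.name!r} has no conditions")

    def matches(self, req: ExecRequest) -> bool:
        path = PureWindowsPath(req.path)
        lowered = str(path).lower()
        if self.file_types and path.suffix.lower() not in self.file_types:
            return False
        if self.from_removable is not None and req.removable_media != self.from_removable:
            return False
        if self.path_globs and not any(fnmatchcase(lowered, g) for g in self.path_globs):
            return False
        if self.parents and req.parent.lower() not in self.parents:
            return False
        if self.unsigned_only and req.signed:
            return False
        return True


class Decision(NamedTuple):
    allowed: bool
    rule: Optional[str]     # name of the restriction that fired; None if allowed


# Constructed policy mirroring the four examples in the text.
POLICY = (
    Rule("exe-from-usb", file_types=(".exe", ".scr", ".com"), from_removable=True),
    Rule("outlook-temp",
         path_globs=(r"*\appdata\local\microsoft\windows\*\content.outlook\*",)),
    Rule("powerpoint-child", parents=("powerpnt.exe",)),
    Rule("unsigned-executable", file_types=(".exe",), unsigned_only=True),
)


def evaluate(policy: Sequence[Rule], req: ExecRequest) -> Decision:
    """Allow by default; block on the first restriction that matches."""
    for rule in policy:
        if rule.matches(req):
            return Decision(False, rule.name)
    return Decision(True, None)


# Constructed launch attempts (not real telemetry).
SAMPLES = {
    "notepad": ExecRequest(r"C:\Windows\System32\notepad.exe", "explorer.exe", True, False),
    "usb_tool": ExecRequest(r"E:\tools\update.exe", "explorer.exe", True, True),
    "outlook_attach": ExecRequest(
        r"C:\Users\bob\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\AB12CD34\invoice.exe",
        "outlook.exe", True, False),
    "ppt_cmd": ExecRequest(r"C:\Windows\System32\cmd.exe", "POWERPNT.EXE", True, False),
    "unsigned": ExecRequest(r"C:\Tools\helper.exe", "explorer.exe", False, False),
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        d = evaluate(POLICY, req)
        print(f"{label:15} {'ALLOW' if d.allowed else 'BLOCK':5} {d.rule or ''}")
```

Two design points worth noting: rules refuse to be constructed without at least one condition, because an empty rule would silently block every launch, and matching is case-insensitive throughout, since Windows paths and image names are. A production policy would also need the trusted-process exceptions mentioned above; they are omitted here.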
WildFire Analysis and Prevention
Palo Alto Networks WildFire is an advanced, virtual malware analysis environment, purpose‐built for high‐fidelity hardware emulation, analyzing suspicious samples as they execute. The cloud‐based service detects and blocks targeted and unknown malware, exploits, and outbound command‐and‐control (C&C) activity by observing their actual behavior, rather than  relying on preexisting signatures.
In addition to quickly making unknown threats known, WildFire generates protections that are shared globally in about 15 minutes. The security service is natively built to run on Palo Alto Networks Next‐Generation Firewalls and fully integrated with Palo Alto Networks Traps, allowing  complete threat prevention and control over your network and endpoints as cybercriminals attempt to deliver malware or  communicate with infected systems.

Behavior‐based cyberthreat discovery

To find unknown malware and exploits, WildFire executes  suspicious content in numerous operating system test environments with full visibility into common file types, such as the following:
     Executables (.exes) and Dynamic Link Libraries (.dlls)
     Compressed ZIP files
     PDF documents
     Office documents
     Java
     Android Application Packages (APKs)
     Adobe Flash applets
     Web pages that include high‐risk embedded content like JavaScript, Adobe Flash files, images, and multiple  versions of an application running simultaneously
WildFire identifies more than 250 potentially malicious behaviors to identify the true nature of malicious files based on their actions, including the following:
     Changes made to host: Observes all processes for modifications to the host, including file and registry activity, code injection, heap spray (exploit) detection, the addition of auto‐run programs, mutexes, Windows services, and other suspicious activities.
     Suspicious network traffic: Analysis of all network activity produced by the suspicious file, including backdoor creation, downloading of next‐stage malware, visiting low‐reputation domains, network reconnaissance, and more.
     Antianalysis detection: Monitors for techniques used by advanced malware to avoid virtual machine‐based analysis, such as debugger detection, hypervisor detection, code injection into trusted processes, disabling of host‐based security features, and more.

Cloud‐based dynamic analysis architecture

To support dynamic malware analysis across the network at scale, WildFire is built on a cloud‐based architecture (see Figure 6-1). Where regulatory or privacy requirements prevent the use of public cloud infrastructure, a private cloud solution can be built on premise.
Figure 6-1 (caption fragment): ... threat prevention.
WildFire integration provides both the security of granular execution control and the manageability of a dynamic security policy driven by automated analysis of unknown executables (see Figure 6-2).
Figure 6-2 (caption fragment): ... hash verdicts.
If an executable file has never been seen before on the endpoint, Traps can submit the file hash for immediate identification by WildFire. If WildFire identifies the file as malicious, Traps prevents execution before any damage is done. With millions of samples analyzed each day, there is a good chance WildFire has already seen the file and can tell Traps whether it is malicious. If the file hasn’t been seen by WildFire, it can be automatically uploaded for rapid analysis to determine whether it’s malicious. Because both Traps and Palo Alto Networks Next‐Generation Firewalls can submit files to WildFire, this integration allows seamless sharing of threat intelligence between next‐generation firewalls and the endpoints.
WildFire’s threat intelligence significantly increases security posture and protection against unknown malware. WildFire analyzes an average of 20 million unique files each week. Of those files, an average of 200,000 are identified as malicious each week. Each time one of those files is identified as malicious, protection is available on both the endpoint and network within minutes. On a recent sample, an average of 54 percent of files identified as malicious by WildFire were considered unknown by VirusTotal, and 61 percent were undetectable by the top six enterprise antivirus vendors.
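The hash-verdict flow described above (local lists first, then a cloud verdict by hash, then submission of a never-seen file) is easy to get subtly wrong, so here it is as an added Python example. This is not Traps code and not the WildFire API; the verdict service is an in-memory stand-in with an assumed interface so the example runs offline, and the sample "files" are plain byte strings constructed for the example. It also shows two things the text only implies: an administrator allow-list entry wins over a malware verdict, and because verdicts are keyed on an exact hash, a one-byte variant of a known-bad file comes back unknown and must be held and submitted.

```python
"""Illustrative hash-verdict pipeline for an executable about to run.

Added example: not Traps code and not the WildFire API. Order follows the
text: local deny list, local allow list (overrides any cloud verdict), cloud
verdict lookup by SHA-256, then submission of a never-seen file with the
launch held until a verdict arrives. The cloud is stood in for by an
in-memory table so the example runs offline.
"""
import hashlib
from enum import Enum
from typing import Dict, List, NamedTuple, Set


class Verdict(Enum):
    BENIGN = "benign"
    MALWARE = "malware"
    UNKNOWN = "unknown"


class Decision(NamedTuple):
    action: str     # "allow", "block" or "hold"
    reason: str
    sha256: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class FakeVerdictService:
    """Stand-in for the hash lookup / submission service (assumed interface)."""

    def __init__(self, known: Dict[str, Verdict]) -> None:
        self._known = dict(known)
        self.submitted: List[str] = []      # hashes uploaded for analysis

    def lookup(self, sha256: str) -> Verdict:
        return self._known.get(sha256, Verdict.UNKNOWN)

    def submit(self, sha256: str, data: bytes) -> None:
        # A real service would detonate `data`; here we only record the upload.
        self.submitted.append(sha256)

    def publish(self, sha256: str, verdict: Verdict) -> None:
        # Simulates analysis completing and the verdict being shared.
        self._known[sha256] = verdict


class EndpointPolicy:
    def __init__(self, service: FakeVerdictService, allow: Set[str], deny: Set[str],
                 hold_unknown: bool = True) -> None:
        self.service = service
        self.allow = set(allow)           # admin allow list: wins over the cloud verdict
        self.deny = set(deny)             # admin deny list: checked first
        self.hold_unknown = hold_unknown  # False = let unknown files run (weaker setting)

    def decide(self, data: bytes) -> Decision:
        h = sha256_hex(data)
        if h in self.deny:
            return Decision("block", "local-denylist", h)
        if h in self.allow:
            return Decision("allow", "local-allowlist", h)
        verdict = self.service.lookup(h)
        if verdict is Verdict.MALWARE:
            return Decision("block", "known-malware", h)
        if verdict is Verdict.BENIGN:
            return Decision("allow", "known-benign", h)
        self.service.submit(h, data)
        if self.hold_unknown:
            return Decision("hold", "submitted-awaiting-verdict", h)
        return Decision("allow", "submitted-unknown-allowed", h)


# Constructed sample "files" (plain byte strings, not real binaries).
GOOD = b"MZ constructed benign sample v1"
BAD = b"MZ constructed malicious sample"
NEW = b"MZ constructed never-seen sample"
BAD_VARIANT = BAD + b"\x00"     # one byte differs: hash verdicts are exact-match


def run_scenarios() -> Dict[str, object]:
    service = FakeVerdictService({sha256_hex(GOOD): Verdict.BENIGN,
                                  sha256_hex(BAD): Verdict.MALWARE})
    policy = EndpointPolicy(service, allow=set(), deny=set())
    out: Dict[str, object] = {
        "good": policy.decide(GOOD),
        "bad": policy.decide(BAD),
        "variant_first_seen": policy.decide(BAD_VARIANT),   # unknown: held and submitted
    }
    service.publish(sha256_hex(BAD_VARIANT), Verdict.MALWARE)  # analysis completes
    out["variant_after_verdict"] = policy.decide(BAD_VARIANT)
    # Administrator override: allow-listing the hash wins over the cloud verdict.
    override = EndpointPolicy(service, allow={sha256_hex(BAD)}, deny=set())
    out["bad_allowlisted"] = override.decide(BAD)
    # Weaker configuration: unknown files run while analysis proceeds.
    lax = EndpointPolicy(service, allow=set(), deny=set(), hold_unknown=False)
    out["new_lax"] = lax.decide(NEW)
    out["submitted"] = list(service.submitted)
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:22} {result}")
```

The `hold_unknown=False` branch is the setting to scrutinise in a real deployment: it trades a short delay for letting a never-seen binary run while the verdict is pending, which is exactly the window the "WildFire On Demand Inspection" step in Chapter 8 is meant to close.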
Malware Prevention  Modules
If a malicious file isn’t blocked by Advanced Execution Control or WildFire evaluation and is allowed to execute, malicious activity can still be blocked by Traps’ multiple malware prevention modules (MPMs). MPMs focus on core techniques leveraged by many types of malware. For example, they prevent malicious code from being injected into trusted applications.
Unlike behavioral anomaly detection, which has to observe a behavior and then try to mitigate after it has occurred, the MPMs within Traps are designed with prevention in mind. They block the malware techniques before any malicious behavior occurs. Thread injection is one example of a  malware technique that can be blocked by Traps.
Recognizing the Value of an Integrated Platform
The Palo Alto Networks Enterprise Security Platform is a natively integrated platform that brings network, cloud, and endpoint security into a common architecture (see Figure 6-3), with complete visibility and control, ensuring your organization can prevent breaches.
This next‐generation enterprise platform streamlines day‐to‐day operations and boosts security efficacy, and the multilayered defense model prevents threats at each stage of the cyberattack life cycle. The complete integration between Advanced Execution Control, WildFire analysis, and Malware Prevention Modules enables a multilayered approach to malware prevention (see Figure 6-4).

Chapter 7

Achieving Compliance with Advanced Endpoint Protection
In This Chapter
Going beyond PCI requirements with compensating controls
Enhancing security and compliance with Traps

Security and compliance are two very different issues, and many organizations have to deal with both. Government and industry bodies have developed compliance standards in order to set a minimum bar for securing specific types of data. For example, the Payment Card Industry — consisting of Visa, MasterCard, American Express, Discover, and JCB — jointly developed the PCI Data Security Standard (PCI DSS) in December 2004. As of April 2015, version 3.1 is the most current standard, which includes 12 requirements for protecting cardholder data.
It is important for regulatory bodies to enact standards that set a minimum bar for protection of certain data types. In the absence of such standards, CISOs across every industry and organization would have to convince their executives that each expenditure is necessary to protect data. Some would succeed, but others would fail to convince their management to invest, leaving some organizations recklessly undefended. Standards serve to prevent this by setting a minimum bar that all organizations are required to achieve.
Compliance with a data protection standard, however, doesn’t mean that the data is necessarily secure. These standards generally make broad statements that can be implemented in various ways: some more secure than others. Furthermore, most standards are changed very infrequently, so the types of attacks and protection capabilities will evolve significantly while the standard remains unchanged.
PCI is a great example of just such a standard. PCI hits on many highly relevant security practices, ensuring that organizations handling cardholder data are required to implement them. But PCI isn’t updated frequently to reflect advances in technology and the standard includes some requirements that are rather limiting in regard to their intended purpose. Here are two examples:
     Why does a security standard require patching? The reason, of course, is to prevent exploitation of vulnerabilities that could lead to a breach of cardholder data. But does the standard require the prevention of exploitation of vulnerabilities? No. It just requires patches to be installed.
     Why does a security standard require periodic scanning for viruses? To prevent malware, of course. But the standard requires AV scanning, not malware prevention.
The two examples illustrate the divergence that can occur between compliance and security. But don’t fear; there is a mechanism to bring these two worlds in alignment. It’s called compensating controls.
In this chapter, you learn how Advanced Endpoint Protection helps organizations meet, and even exceed, PCI compliance requirements.
Although this chapter uses PCI as an example, Traps can help organizations achieve compliance with other security regulations that are specific to their industry.
Using Compensating Controls for PCI Compliance
According to the PCI Security Standards Council, the criteria for compensating controls are as follows:
Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls. Compensating controls must:
1.   Meet the intent and rigor of the original stated PCI DSS requirement;
2.   Provide a similar level of defense as the original PCI DSS requirement;
3.   Be “above and beyond” other PCI DSS requirements (not simply in compliance with other PCI DSS requirements); and
4.   Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement.
When it comes to PCI and many other regulatory  standards, compensating controls generally fall into one of two  categories:
     The organization can’t meet the requirements as they’re specified in the standard, so it’s doing something else to mitigate this risk and hoping the auditor will consider it good enough.
     The organization has implemented another (usually newer) type of technology or control that it believes provides the same or better protection. This can happen when the security technology available to the organization has outpaced the regulatory standard.
Traps can be used effectively as a compensating control to provide added defense and enhance a company’s security posture. For example, without Traps, patching is the only way to ensure protection from known vulnerabilities and there is no reliable method to protect systems from unknown vulnerabilities or those with no available patch. Traps enables organizations to significantly enhance security and exceed PCI DSS requirements by not only eliminating known vulnerabilities, but also protecting systems from exploitation of unknown  vulnerabilities.
Strengthening Security and Compliance Posture with Traps
Traps supports organizations in their efforts to achieve PCI compliance. Traps is an integral part of the Palo Alto Networks Enterprise Security Platform, which also includes a next‐ generation firewall and the WildFire threat intelligence cloud.
Although every scenario will be different, the following sections provide a few examples that demonstrate the use of compensating controls to meet specific PCI requirements.

Use and regularly update antivirus software or programs

PCI DSS Requirement 5 directly addresses the use of antivirus software. However, traditional antivirus/antimalware (AV/AM) software has varying degrees of effectiveness, all based on reactive detection and response methods. AV/AM software is designed to detect and remove malicious software from a system before it disrupts computer operation, gathers sensitive information, or gains access to a system or application. However, these tools have been shown to detect only a fraction of the advanced attacks targeting cardholder data environments. AV/AM identification techniques, whether signature‐based, heuristics‐based, or behavior‐based, have known limitations such as delayed protection against new attacks, potential system performance impacts, and potentially high rates of false positives. Also, security operations teams are often overwhelmed by the sheer volume of malware attacks. As a result, the probability is extremely high that malware and exploits will bypass traditional AV/AM products.
Traps uses a proactive approach to prevent malware and exploits from wreaking havoc, and can run alongside traditional AV/AM software. Instead of focusing on the millions of individual attacks themselves, Traps is designed to proactively stop attacks targeting endpoints by automatically blocking a core set of techniques that every attacker must link together in order to execute an exploit. Traps also integrates with the WildFire (discussed in Chapter 5) threat intelligence cloud, leveraging real‐time threat intelligence from thousands of WildFire customers. The efficacy of the antiexploit and antimalware capabilities employed by Traps far exceeds traditional AV/AM products. However, because the requirements still call for legacy techniques like periodic AV scanning, Traps will be considered a compensating control for this requirement until the regulation is updated to reflect the current state of technology.
Some organizations may choose to run Traps alongside a free AV solution in order to maximize both security and  compliance.

Develop and maintain secure systems and applications

Software vulnerabilities are discovered at an alarming rate. Requirement 6 of PCI DSS addresses the need for patch management. However, patches are often not made available until after a vulnerability has been in existence for months or years and inevitably it takes time to thoroughly test and deploy  software patches.
PCI DSS requires both prompt remediation of critical software vulnerabilities (Sub‐requirement 6.2) and responsible testing and change management (Sub‐requirement 6.4). These can be conflicting priorities in some circumstances. Furthermore, patches are merely an after‐the‐fact remedy for a risk that has likely been in place for a long period of time. Exploit and malware prevention is the only true preventive control.
As shown in Figure 7-1, vulnerabilities exist from the time the software is put into use. From that point until a patch is installed, the system is at risk. By implementing the exploit and malware prevention in Traps, this risk is virtually eliminated. This makes Traps an ideal compensating control for PCI DSS Requirement 6.
An organization running Traps on the critical systems in scope for PCI is in a very different position from most organizations. Although the standard only requires protection from known vulnerabilities, an organization running Traps is also protected from unknown vulnerabilities and should develop a vulnerability risk assessment policy that reflects this enhanced environment. In particular, patches that would be deemed critical for most organizations may not be critical for an organization running Traps. This is because an assessment of whether the vulnerability poses “an imminent threat to the environment” would result in a determination that the system is actually not vulnerable, due to Traps protection.
Given that Traps provides comprehensive protection from exploitation of vulnerabilities, both known and unknown, it exceeds the core PCI requirement, albeit using a method not prescribed by the standard.
Compensating controls can play a critical role in building a strong security program.

Chapter 8

Ten Ways to Prevent a Modern Attack
In This Chapter
Case example: One attack, ten ways to prevent it

Most traditional — and even next‐generation — endpoint protection products rely on a reactive detection and response approach to discover and identify exploits and malware after an endpoint has been compromised, then attempt to clean or quarantine the infected server, workstation, or other endpoint device. But at that point, it’s too late. A cyberattack against your network is already well underway and has already succeeded in achieving some of its initial target objectives.
Palo Alto Networks Traps employs a proactive prevention strategy that keeps exploits and malware from ever compromising your endpoints in the first place, and thus thwarts cyberattacks before they gain a foothold in your network.
To understand how Traps prevents an attack from succeeding, take a look at an actual cyberattack example. In this case, a PDF file with an embedded exploit is sent to an unsuspecting user. The user opens the PDF file, which does the  following:
     Exploits Adobe Reader
     Causes Adobe Reader to create a child process, which is Internet Explorer (IE)
     Causes IE to download an executable (.exe) file from a malicious website
     Executes the new .exe file, which then performs malicious activities on the endpoint, including thread injection into IE
This is a common chain of events in many attacks. The specific file type, exploit, and malicious executable payload may vary, but the steps are largely the same from one attack to another. The key to stopping an attack is to break this chain of events at the earliest possible stage of the attack.
To prevent an attack from succeeding, Traps provides prevention capabilities and multiple layers of protection at each stage of the attack to block the attackers’ ability to compromise the endpoint and move laterally within the enterprise. In this particular attack example, Traps would prevent the attack at ten different steps, thus taking every opportunity to prevent a compromise before it occurs (see Figure 8-1):
Figure 8-1: Traps prevents this attack example at ten points in the cyberattack life cycle.
     Exploitation Technique 1: Remember, for the exploit to work, it has to use a series of techniques in order to successfully exploit the vulnerability in the targeted application, Adobe Reader in this case. In this example, the first technique uses operating system (OS) functions. The exploit itself could be a brand‐new zero day, but the techniques it has to use are common, and new techniques are very rare (typically two to four per year). Traps blocks the technique, so the exploit fails at this first step.
     Exploitation Technique 2: In this example, JIT spraying is used as a common circumvention technique for data execution prevention (DEP), which does not allow execution from noncode regions in memory. Again, Traps prevents the exploit from executing, so that even if the first exploit technique for some reason succeeds, the second exploit technique fails and the attack is thwarted.
     Exploitation Technique 3: In this example, heap spraying is used next in order to facilitate arbitrary code execution. This common exploitation technique allows the attacker to overcome the problem of predicting the location in memory where the attacker’s code should be inserted. The attacker “sprays” the heap with multiple blocks of code in order to increase the probability that the code will be executed.
     Execution Restriction 1: In this example, Adobe Reader creates a child process (a technique commonly used to avoid antivirus detection). Traps restricts child processes from executing arbitrarily and thus prevents the attack from succeeding.
     Execution Restriction 2: In this example, the attacker attempts to run an unsigned executable. Here again, Traps prevents the executable from running, based on rules that can be customized by an administrator.
     Execution Restriction 3: In this example, an executable attempts to run from a restricted location, the IE temp folder. These locations can be customized by an administrator if needed.
     Local Verdict Check: A local verdict check compares the file against an administrator‐configured blacklist to determine whether the file is explicitly blocked, or against a whitelist to determine if the file has been explicitly allowed regardless of its WildFire verdict.
     WildFire Known Verdict: Traps checks the file against Palo Alto Networks WildFire cloud‐based threat intelligence service by sending the file hash. In this example, WildFire responds that the file is known to be malicious and therefore is not allowed to execute.
     WildFire On Demand Inspection: If WildFire has never seen the file, it can be uploaded for analysis and not allowed to run until WildFire provides a verdict.
     Malware Prevention Module: If the malicious executable is allowed to run, it will attempt a thread injection into IE. This malware technique is blocked by the Thread Injection malware prevention module in Traps.
While this is just one example, most modern attacks will use some combination of these steps and various exploit and malware techniques. Whereas most endpoint protection approaches focus on one blocking method (whitelisting, for example), Traps takes advantage of every opportunity to prevent compromise. Any one of these “kill points” is enough to prevent the attack. The key takeaway to consider when evaluating endpoint protection solutions is this: Advanced Endpoint Protection is a new category of security products that encompasses all the prevention capabilities described here to prevent both known and unknown exploits and malware. Other approaches, even those labeled “next‐ generation” endpoint protection, fall short because rather than truly preventing all these stages of the attack, they generally wait for them to happen and then attempt to mitigate the damage, through some kind of quarantine, isolation, or cleanup.
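The chain above (reader spawns a browser, browser writes an executable to its temp folder, the unsigned executable runs, then injects a thread into the browser) also maps cleanly onto endpoint telemetry, which is useful when you want to verify that a prevention product is firing at the stage it claims. The following Python is an added example, not Traps code: it replays constructed Sysmon‐style events through a small stateful correlator and reports each kill point in order. The Sysmon event IDs used are the real ones (1 = ProcessCreate, 8 = CreateRemoteThread, 11 = FileCreate); the field names are simplified and every event, PID and path is made up for the example.

```python
"""Stateful detection over constructed Sysmon-style events for the PDF attack chain.

Added example: not Traps code. Sysmon event IDs are real (1 = ProcessCreate,
8 = CreateRemoteThread, 11 = FileCreate); field names are simplified and every
event below is made up for the example.
"""
import json
from typing import Dict, List

DOCUMENT_READERS = {"acrord32.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
BROWSERS = {"iexplore.exe"}
EXEC_SUFFIXES = (".exe", ".dll", ".scr")
# Lower-case path fragments of locations where applications should not execute from.
TEMP_MARKERS = ("\\temporary internet files\\", "\\inetcache\\", "\\content.outlook\\")

# Constructed telemetry for the chain described in the text (JSON Lines).
EVENTS_JSONL = r"""
{"id": 1, "pid": 100, "image": "C:\\Windows\\explorer.exe", "parent": "C:\\Windows\\System32\\userinit.exe", "signed": true}
{"id": 1, "pid": 200, "image": "C:\\Program Files\\Adobe\\Reader\\AcroRd32.exe", "parent": "C:\\Windows\\explorer.exe", "signed": true}
{"id": 1, "pid": 300, "image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "parent": "C:\\Program Files\\Adobe\\Reader\\AcroRd32.exe", "signed": true}
{"id": 11, "pid": 300, "image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "target": "C:\\Users\\bob\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\X7Q2\\update.exe"}
{"id": 1, "pid": 400, "image": "C:\\Users\\bob\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\X7Q2\\update.exe", "parent": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "signed": false}
{"id": 8, "source_pid": 400, "target_pid": 300}
"""


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def correlate(jsonl: str) -> List[Dict[str, object]]:
    """Return one finding per kill point, in the order the events arrive."""
    findings: List[Dict[str, object]] = []
    procs: Dict[int, str] = {}      # pid -> image basename, to name injection endpoints
    dropped: Dict[str, int] = {}    # lower-case path of browser-written executable -> writer pid

    def flag(stage: str, pid: int, detail: str) -> None:
        findings.append({"stage": stage, "pid": pid, "detail": detail})

    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["id"] == 1:                       # ProcessCreate
            img, parent = basename(ev["image"]), basename(ev["parent"])
            procs[ev["pid"]] = img
            lowered = ev["image"].lower()
            if parent in DOCUMENT_READERS:
                flag("reader-spawned-child", ev["pid"], f"{parent} -> {img}")
            if any(m in lowered for m in TEMP_MARKERS):
                flag("exec-from-temp-location", ev["pid"], lowered)
            if not ev.get("signed", True):
                flag("unsigned-executable", ev["pid"], img)
            if lowered in dropped:
                flag("browser-dropped-file-executed", ev["pid"],
                     f"written by pid {dropped[lowered]}")
        elif ev["id"] == 11:                    # FileCreate
            target = ev["target"].lower()
            if basename(ev["image"]) in BROWSERS and target.endswith(EXEC_SUFFIXES):
                dropped[target] = ev["pid"]
                flag("browser-wrote-executable", ev["pid"], target)
        elif ev["id"] == 8:                     # CreateRemoteThread
            src = procs.get(ev["source_pid"], "?")
            tgt = procs.get(ev["target_pid"], "?")
            flag("remote-thread-injection", ev["source_pid"], f"{src} -> {tgt}")
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS_JSONL):
        print(f"{f['stage']:30} pid={f['pid']:<4} {f['detail']}")
```

The first finding in the list is the earliest point at which the chain could have been broken; in a prevention‐first posture that is where you want the block to land, and anything later is a sign that an earlier control did not fire. The correlator is deliberately stateful (it remembers which executables a browser wrote) because the "executes a file it just downloaded" step cannot be recognised from a single event.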
When choosing an Advanced Endpoint Protection solution, ensure that it has the capability to prevent compromise at the early stages of the cyberattack life cycle before any damage can be done. Prevention of zero-day exploits is a must.
Glossary
adware: Pop‐up advertising programs that are commonly installed with freeware or shareware.
API: Application Programming Interface. A set of routines, protocols, and tools for developing software applications.
APT: Advanced Persistent Threat. An Internet‐borne attack usually perpetrated by a group of individuals with significant resources, such as organized crime or a nation‐state.
backdoor: Malware that enables an attacker to bypass normal authentication to gain access to a compromised system.
bootkit: A variant of a rootkit that infects the boot process (for example the MBR or the bootloader) so that it loads before the operating system and its kernel‐mode defenses. Bootkits are commonly used to attack computers that are protected by full‐disk encryption, because the boot code runs before the encrypted volume is unlocked.
bot: A target computer that is infected by malware and is part of a botnet (also known as a zombie).
bot herder (or bot master): The owner or individual who controls a botnet.
botnet: A broad network of bots working together.
BYOD (bring your own device): A current policy trend in which employees are permitted to use their personal mobile devices, such as smartphones and tablets, in the workplace for work‐related and personal business.
DDNS: Dynamic DNS is a technique used to update domain name system (DNS) records for networked devices in real time.
DDoS: Distributed denial‐of‐service is a large‐scale attack that typically uses the bots in a botnet to exhaust the resources of a targeted network or server and make it unavailable to legitimate users.
drive‐by‐download: Software, often malware, downloaded onto a computer from the Internet without the user’s knowledge or permission.
endpoint: Any computing device on the network, including server, desktop or laptop computer, tablet, or smartphone.
exploit: Software or code that takes advantage of a vulnerability in an operating system or application, and causes unintended behavior in the operating system or application, such as privilege escalation, remote control, or a denial‐of‐service.
GoToMyPC: A remote control software service, owned by Citrix Systems, that allows users to operate a remote computer over the Internet.
Heap memory: A large pool of memory (typically per process)  from which the running program can request chunks.
IM: Instant messaging. A type of online chat that provides real‐time text messaging over the Internet.
IPSec: Internet Protocol Security. An open‐standard protocol suite that authenticates and encrypts IP packets, commonly used for secure virtual private network (VPN) communications over public IP‐based networks.
IRC: Internet Relay Chat. A client/server protocol that enables text messages to be exchanged over the Internet.
LogMeIn: A proprietary remote desktop protocol that enables users to operate a remote computer over the Internet.
logic bomb: A program, or portion thereof, designed to perform some malicious function when a predetermined circumstance occurs.
malware: Malicious software or code that typically damages or disables, takes control of, or steals information from a computer system. Malware broadly includes viruses, worms, Trojan horses, logic bombs, rootkits, bootkits, backdoors, spyware, and adware.
MBR: Master Boot Record. The first sector of a partitioned storage device (such as a hard disk drive or USB thumb drive). It holds the partition table, which describes how the device is divided into partitions, and the initial boot code executed at startup, which makes it a target for bootkits.
nmap: Network mapper is a security scanner used to discover network hosts and services.
P2P: Peer‐to‐peer. An application or network that distributes workload across multiple peers or nodes.
PCAP: Packet capture. An application programming interface ( API) for capturing network traffic for analysis.
PCI DSS: Payment Card Industry Data Security Standard. A broad computer security mandate developed by the major payment card brands, including American Express, Discover, JCB, MasterCard, and Visa.
PLC: Programmable logic controller. A small computer typically used to automate industrial electromechanical processes.
polymorphism: Polymorphism is used in malware to avoid signatures by regularly mutating to avoid simple signature matches.
process: An instance of a program running or executing.
RBL: Real‐time blackhole list. A list of IP addresses that have been associated with spamming. IP addresses on an RBL may be blocked from sending email by email servers using an RBL service.
RDP: Remote Desktop Protocol. A proprietary remote access protocol, developed by Microsoft, which enables users to operate a remote computer over the Internet.
rootkit: Malware that maintains privileged (root‐level) access to a computer while hiding its own presence (files, processes, or network connections) from the operating system and security tools.
security information and event management (SIEM): SIEM provides real‐time analysis of security alerts generated by enterprise security solutions.
social engineering: An attack method that targets people rather than technology, using deception such as impersonation and pretexting (often combined with low‐tech techniques such as shoulder surfing and dumpster diving) to obtain sensitive information, such as passwords, from a user.
spear phishing: A targeted phishing attempt that seems more credible to its victims and thus has a higher probability of success. For example, a spear phishing email may spoof an organization or individual that the recipient actually knows.
spyware: Software that gathers information about a person or organization without that person’s or organization’s knowledge or consent.
SSH: Secure Shell is a set of standards and an associated network protocol that establishes a secure channel between a local and a remote computer.
SSL: Secure Sockets Layer is a transport layer protocol that provides session‐based encryption and authentication for secure communication between clients and servers. All SSL versions are now deprecated and have been superseded by TLS.
TCP: Transmission Control Protocol. A connection‐oriented network protocol that provides reliable delivery of packets over a network.
TLS: Transport Layer Security. A cryptographic protocol used for secure Internet communication.
Trojan horse: A program that purports to perform a given function, but which actually performs some other (usually malicious) function.
UDP: User Datagram Protocol. A connectionless network protocol that doesn’t guarantee packet delivery or the order of packet delivery over a network.
virus: A set of computer instructions whose purpose is to embed itself within another computer program in order to replicate itself.
vulnerability: A bug or flaw in software that creates a security risk which may be exploited by an attacker.
VPN: Virtual Private Network. A private network used to communicate privately over public networks. VPNs utilize encryption and encapsulation to protect and simplify connectivity.
worm: Malware that usually has the capability to replicate itself from computer to computer without the need for human interaction.