ADVANCED ENDPOINT PROTECTION FOR DUMMIES
These materials are © 2015 John Wiley & Sons, Inc. Any
dissemination, distribution, or unauthorized use is strictly prohibited.
Advanced Endpoint Protection
Palo Alto Networks Special Edition
by Lawrence Miller, CISSP
Chapter 1
Exploits and Malware
In This Chapter
▶ Taking a look at cybercrime
▶ Targeting exploits and vulnerabilities
▶ Understanding how malware is used in an attack
▶ Learning about bots and botnets
▶ Examining real‐world threats to the enterprise
Today’s threats are more sophisticated than ever before. All types of organizations and information are being targeted. Attackers exploit vulnerabilities in software and use malware to further their attack objectives.
In this chapter, you get an overview of the modern threat landscape and learn about exploits, malware, and other real‐world threats.
Surveying the Threat Landscape
Cybercrime is big business. By many estimates, cybercrime is
now a US$1 trillion industry. Every organization with digital assets is
vulnerable to attack, and the growing sophistication of cybercriminals and
their evolving tactics only increases the chance of a security breach involving
the theft of sensitive data.
Highly publicized data breaches at large corporations expose gaps in cyberdefense and prevention in companies of all sizes. In 2014, nearly half (43 percent) of U.S. companies surveyed in a study by the Ponemon Institute experienced a data breach involving the loss or theft of more than 1,000 records, up more than 10 percent from 2013.
Criminals are executing sophisticated attacks on global organizations with alarming regularity in order to obtain confidential information, steal trade secrets, or disrupt business operations. It’s clear that businesses must do more to protect against these advanced cyberthreats.
For the past decade, technology approaches to securing organizations have stood still, while
adversaries continue to find clever new ways to bypass traditional defenses.
Despite substantial investments made in securing their networks, many
organizations still find themselves vulnerable and unable to defend against
cyberattacks.
Legacy techniques are proving inadequate because they
generally only provide alerts on threats and take a detection‐focused approach,
which requires manual intervention or costly incident response (IR) services
after a breach occurs. But more importantly, these legacy security solutions
are made up of a patchwork of point products that not only lack the capability
to protect against all threat vectors, but also make it very difficult to
coordinate and share intelligence among the various security solutions. For
example, if sandboxing hardware detects an unknown threat, it won’t
automatically share protection data with intrusion prevention systems (IPSs)
and endpoint agents, leaving the organization defenseless against
multidimensional attacks. The detection‐focused approach fails to empower IT and
cybersecurity professionals to defend their enterprises.
Many experts believe the problem will only get worse. For
example, widely used older software such as Windows XP, which stopped receiving
patches and security updates, leaves many organizations vulnerable to newly
discovered exploits. Similarly, the Windows Server 2003 End of Support (EOS) in
July 2015 also leaves businesses vulnerable to major security and compliance
risks. And finally, businesses are increasingly adopting new trends and technologies
such as cloud services, bring your own device (BYOD), and the Internet of
Things (IoT), but these trends and technologies also create new opportunities
for attackers to breach connected devices and infiltrate enterprise
organizations.
Businesses can’t afford to keep investing in fragmented, detection‐focused products in their efforts to keep pace with the rapidly evolving threat landscape. Effective cyberdefense must withstand changes to adversaries’ tactics and tools that traditional, nonintegrated approaches can’t address. It must protect against advanced known threats, as well as unknown threats, which can be challenging to address with legacy security solutions.
Exploits and Vulnerabilities
A vulnerability is
a bug or flaw that exists in software and creates a security risk that may be
exploited by an attacker. The attacker crafts an exploit that targets the vulnerable software, essentially fooling
the vulnerable software into performing functions or running code of the
attacker’s choice.
Exploits can be embedded in seemingly innocuous data files,
such as Microsoft Word documents, PDFs, and web pages. Or they can be launched
over the network to target vulnerable services. The fact that exploits often
come in the form of seemingly legitimate files that don’t trigger antivirus
software makes these threats extremely dangerous.
Exploits are the preferred malware delivery vehicle for modern attackers because they eliminate the need to rely on social engineering to trick a user into running an executable file.
Crafting exploit data files is a two‐part process. The first step is to embed a small piece of malicious code within the data file. Execution of this code will establish the attacker’s communication with the victim machine and provide the capability to download additional malware.
However, embedding malicious code isn’t enough. The attacker still has to fool the application into actually running that code. Thus, the second part of the exploit typically involves memory corruption techniques (for example, overwriting a return address or a function pointer) that allow the attacker’s code to be inserted into the execution flow of the vulnerable software. Once that happens, a legitimate application, such as a document viewer or web browser, performs actions on behalf of the attacker. Because the attacker’s code runs inside a legitimate, trusted application, antivirus and whitelisting software, which decide which programs may run rather than what an already‐running program does, have very little effectiveness against these attacks.
Vulnerabilities are discovered in software at an alarming
rate. Vulnerabilities may exist in software when the software is initially
developed and released, or vulnerabilities may be inadvertently created, or
even reintroduced, when subsequent version updates or security patches are
installed.
According to surveys by Palo Alto Networks, when it comes to endpoint security, organizations are most worried about zero‐day exploits. Furthermore, they indicate that their existing endpoint solutions do little to prevent such threats without first receiving a product update.
Security patches are usually developed by software vendors
as quickly as possible after a vulnerability has been discovered in their
software. However, an attacker may learn of a vulnerability and begin
exploiting it before the software vendor is aware of the vulnerability or has
an opportunity to develop a patch. This is known as a zero‐day exploit. It may be months or years before a vulnerability
is announced publicly. After a security patch becomes available, it inevitably
takes time for organizations to properly test and deploy the patch on all
affected systems. During this time, a system running the vulnerable software is
at risk of being exploited by an attacker.
Patch management is merely an
after‐the‐fact remedy for a risk that has likely been in place for a long
period of time.
Understanding the Role of Malware
Attack techniques have evolved and malware now plays a role
in an attacker’s arsenal and in the life cycle of an attack. Attackers have
developed new methods for delivering malware (such as exploits or drive‐by‐downloads),
hiding malware communications (with encryption), and avoiding traditional
signature‐based detection.
Malware is malicious software or code
that typically damages or disables,
takes control of, or steals information from a computer system. Malware broadly
includes botnets, viruses, worms, Trojan horses, logic bombs, rootkits,
bootkits, backdoors, spyware, and adware.
Malware is somewhat like the pea
in a shell game. A street con running a
shell game on the sidewalk lures the mark
(or victim) into trying to follow the pea, when actually it’s an
exercise in sleight of hand. Similarly, the modern threat life cycle relies on
sleight of hand — how to infect, persist, and communicate without being
detected.
Unfortunately, the traditional
view of malware and old security habits may make you think of malware as the
pea — an executable payload, perhaps attached to an email. To understand,
control, and successfully counter modern threats, you need to focus on not just
the pea (malware), but on the delivery method and all the moving parts.
Bots and Botnets
Information security professionals have been doing battle with malware for more than two decades. Yet all this hard‐earned experience doesn’t necessarily mean that they’re winning the war. Palo Alto Networks real‐world analysis has consistently found that at least 50 to 60 percent of newly identified malware found in enterprise networks lacks signature coverage from any of the top endpoint protection vendors.
This poor catch rate is due to several factors. Some malware
has the capability to mutate or can be updated to avoid detection by
traditional malware signatures. Additionally, advanced malware is increasingly
specialized to the point where the attacker will develop a customized piece of
malware that is targeted against a specific individual or network.
Botnets are a particularly useful example for understanding
some of the unique characteristics of advanced malware. Bots (individual infected endpoints) and botnets (the broader network of bots working together) are
notoriously difficult for traditional endpoint protection solutions to detect.
Bots leverage networks to gain power and resilience. A bot under the remote
control of a human attacker (bot herder
or bot master) can be updated — just
like any other application — so that the attacker can change course and dig
deeper into the network, based on what he finds, or to adapt to changes and
countermeasures.
This is a fundamental shift compared to earlier types of
malware, which were more or less independent agents that simply infected and
replicated themselves. Botnets — and a great deal of advanced malware — are
centrally coordinated, networked applications in a very real sense. In much the
same way that the Internet changed what was possible in personal computing,
ubiquitous network access is changing what is possible in the world of malware.
Now, all malware of the same type can work together toward a common goal, with
each infected endpoint growing the power and value of the overall botnet. The
botnet can evolve to pursue new objectives or adapt to changes in security
measures.
Some of the most important and
unique functional traits of botnets (see Figure 1-1) are discussed in the
following sections.
Distributed and fault‐tolerant
Advanced malware takes full advantage of the resiliency built into the Internet itself. A botnet can have multiple control servers distributed all over the world, with multiple fallback options. Bots can also potentially leverage other infected bots as communication channels, providing them with a near‐infinite number of communication paths to adapt to changing access options or update their code as needed.
Multifunctional
Updates from the command‐and‐control servers can also completely change a bot’s functionality. This multifunctional capability enables a new economic approach for a bot herder, who can now use portions of the botnet for a particular task, such as collecting credit card numbers, while other segments of the botnet send spam. The important point is that the infection is the most important step, because the functionality can always be changed later as needed.
Persistent and intelligent
Because bots are both hard to detect and can easily change function, they’re particularly well suited for targeted and long‐term intrusions into a network. Because bots are under the control of a remote bot herder, a botnet is more like having a cybercriminal inside your network than a malicious executable program. For example, a bot can be used to learn more about the organization of the network, find targets to exploit, and install additional backdoors into the network in case the bot is ever discovered.
Real‐World Threats
Given their sophistication and capability to evade defenses,
exploits that can deliver advanced malware present an enormous threat to the enterprise.
Advanced malware is virtually unlimited in terms of functionality — from
sending spam to the theft of classified information and trade secrets. The
ultimate impact of malware is largely left up to the attacker: A bot that was
sending spam one day could be stealing credit card data the next.
Targeted intrusions
Exploits are a key component of targeted, sophisticated attacks. Instead of attempting to infect large numbers of endpoints to launch malicious large‐scale attacks, these targeted attacks aim to compromise specific high‐value systems that can be used to further infiltrate the target network. In these cases, an infected endpoint can be used to gain access to protected systems, and to establish a backdoor into the network in case any part of the intrusion is discovered.
These types of threats routinely evade traditional antivirus or endpoint protection software. They represent one of the most dangerous threats to the enterprise because they specifically target the organization’s most valuable information, such as research and development, intellectual property, strategic planning, financial data, and customer information.
Carbanak: The great bank robbery
Carbanak is one of the latest examples of a targeted attack. It began in August 2013 and is currently still active. The attackers have sent spear phishing emails with malicious CPL attachments or Word documents exploiting known vulnerabilities. Once inside the victim’s network, money is extracted. Each raid has lasted two to four months. To date, the attackers have targeted up to 100 financial institutions, causing aggregated losses estimated at $1 billion.
ZeroAccess botnet
The ZeroAccess botnet was discovered in 2011 and is still active despite numerous attempts to take it down. ZeroAccess is estimated to be controlling more than 2 million computers worldwide, splitting its focus between click fraud (a virus generates fake clicks on advertising, yielding revenue under pay‐per‐click schemes) and bitcoin mining. Due mostly to bitcoin mining, the botnet’s infected computers are reported to be consuming enough energy to power 111,000 homes every day.
Financial botnets
Financial botnets have received widespread coverage in the press, largely due to the spectacular monetary damage they have caused. These botnets are typically not as large and monolithic as spamming botnets, which grow as large as possible for a single owner. Instead, financial botnets are often sold as kits that allow large numbers of attackers to license the code and set about building their own botnets and targets.
The impact of a financial breach can be enormous for an enterprise. The breach of customer credit card information can lead to serious financial, legal, and brand damage, and the enterprise could lose money that potentially may never be recovered.
Mighty ZeuS: God of financial botnets
Financial botnets, such as ZeuS, are responsible for the direct theft of funds from all types of enterprises. ZeuS botnets have stolen millions of dollars from numerous enterprises in very short periods of time. Other financial botnets focus on the theft of credit card information or faking ACH bank transfers.
Advanced persistent threats
Advanced persistent threats (APTs) are a class of threats that often begin with an exploit and then combine malware and botnet components to execute a far more deliberate and potentially devastating attack. As the name implies, an APT has three defining characteristics:
✓ Advanced: The attackers typically have the skills to develop sophisticated exploitation tools and techniques, sometimes using zero‐day exploits to deliver advanced malware. They may have access to sophisticated electronic surveillance equipment, satellite imagery, and even human intelligence assets.
✓ Persistent: An APT may persist over a period of many years. The attackers pursue specific objectives and use a low‐and‐slow approach to avoid detection. The attackers are well organized and typically have access to substantial financial backing, such as a nation‐state or organized crime, to fund their activities.
✓ Threat: An APT is a deliberate and focused, rather than opportunistic, threat that can cause real damage.
Going nuclear with Stuxnet
Stuxnet is a computer worm that was used in an APT against Iran’s nuclear program. It was discovered in 2010, but may have been operating, in different variations, as early as 2005. The worm initially infected endpoints running Microsoft Windows by using multiple zero‐day exploits, then targeted software on programmable logic controllers (PLCs) that control nuclear centrifuges. In addition to collecting information about Iran’s nuclear program, the attack enabled its controllers to cause Iran’s nuclear centrifuges to spin faster and tear themselves apart. Stuxnet is believed to have destroyed 20 percent of Iran’s nuclear centrifuges.
Chapter 2
Understanding Advanced Threats
In This Chapter
▶ Recognizing the modern cybercriminal
▶ Linking together the steps of the cyberattack life cycle
The scourge of cyberattacks is reshaping the threat landscape and forcing enterprises to reassess how they protect their systems and networks. Advanced threats have outpaced traditional endpoint protection strategies and, in the process, have established a foothold within the enterprise that cybercriminals and nation‐states can use to steal information and attack sensitive assets.
In this chapter, you learn
about advanced threats; the cybercriminals that carry out attacks; the tools —
exploits, malware, bots, and botnets —
they use; and how to stop an attack at any stage of the cyberattack life cycle.
Know Thy Enemy
Attackers have evolved from prototypical whiz kids or hackers, sequestered in a basement, motivated by notoriety, and fueled by too much caffeinated soda, into bona fide cybercriminals, often motivated by significant financial gain and sponsored by nation‐states, criminal organizations, or radical political groups. Today’s attacker fits the following profile:
✓ Has many resources available to facilitate an attack
✓ Has great technical depth and focus
✓ Is well funded
✓ Is organized
Why does this matter? Because a kid in a basement may be able to break into a corporate network, but doesn’t necessarily know what to do with, say, RSA source code. On the other hand, a rogue nation‐state or criminal organization knows exactly what to do or whom to sell stolen intellectual property to on the gray or black market.
Additionally, criminal organizations and nation‐states have
far greater financial resources than do independent hackers. Many criminal
hacking operations have been discovered, complete with all the standard
appearance of a legitimate business with offices, receptionists, and cubicles
full of dutiful hackers. These are criminal enterprises in the truest sense,
and their reach extends far beyond that of an individual hacker.
Not only do you face more sophisticated adversaries today, but the types of information of value to them are continually expanding as well; these groups can do damage with the most seemingly innocuous bits of information.
Understand Attack Strategy
The modern attack strategy has also evolved. Instead of a
traditional, direct attack against a high‐value server or asset, today’s attack
strategy employs a patient, multistep process that blends exploits, malware,
and evasion into a coordinated network attack. The cyberattack life cycle is a
sequence of events that an attacker goes through to successfully infiltrate an
organization’s network and steal data from it.
The steps of the cyberattack life cycle are described in the
following sections.
Studying the target
To an attacker, you’re the enemy. And the attacker’s first
task is to know his enemy. Like common criminals, successful attackers
carefully plan their cyberattacks. They research, identify,
and select targets, often using social engineering or phishing tactics —
sometimes using helpful information from employees’ LinkedIn or Facebook
profiles, for example. An attacker may also harvest email addresses from a
corporate directory or collect other useful public information from an
organization’s website. An attacker will also scan networks for
vulnerabilities, services, and applications that can be exploited.
Palo Alto Networks breaks this stage of the cyberattack life cycle by doing the following:
✓ Preventing the use of social engineering by blocking known malicious URLs through URL filtering on next‐generation firewalls
✓ Continuously inspecting network traffic flows to detect and prevent port scans and host sweeps using next‐generation firewall network security and threat‐prevention technology
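The port‐scan and host‐sweep detection mentioned above comes down to counting distinct targets per source. The following is an added example, not code from the original book or from Palo Alto Networks: it runs over a handful of constructed connection records (the IP addresses and thresholds are illustrative assumptions) and flags one source that probes many ports on a single host (a vertical port scan) and another that probes one port across many hosts (a horizontal host sweep).

```python
"""Port scan and host sweep detection over connection records.

Added example; not code from the original page or from Palo Alto Networks.
The flow records and thresholds below are constructed for illustration.
"""
from collections import defaultdict

# Constructed connection attempts: (source IP, destination IP, destination port).
SAMPLE_FLOWS = (
    # 203.0.113.7 touches a dozen ports on one server: a vertical port scan.
    *[("203.0.113.7", "10.0.0.5", port)
      for port in (21, 22, 23, 25, 80, 110, 139, 143, 443, 445, 3389, 8080)],
    # 203.0.113.9 tries SMB on twenty hosts: a horizontal host sweep.
    *[("203.0.113.9", f"10.0.0.{host}", 445) for host in range(10, 30)],
    # A workstation doing ordinary browsing to two internal servers.
    ("10.0.0.50", "10.0.0.5", 443),
    ("10.0.0.50", "10.0.0.5", 443),
    ("10.0.0.50", "10.0.0.6", 80),
)

# Assumed thresholds; in practice they are tuned per observation window.
PORT_SCAN_THRESHOLD = 10   # distinct ports tried on a single destination
HOST_SWEEP_THRESHOLD = 15  # distinct destinations tried on a single port


def detect_scans(flows, port_threshold=PORT_SCAN_THRESHOLD,
                 host_threshold=HOST_SWEEP_THRESHOLD):
    """Return sorted alerts: ("port_scan", src, dst, n_ports) or
    ("host_sweep", src, port, n_hosts)."""
    ports_per_target = defaultdict(set)   # (src, dst)  -> ports tried
    hosts_per_port = defaultdict(set)     # (src, port) -> destinations tried
    for src, dst, port in flows:
        ports_per_target[(src, dst)].add(port)
        hosts_per_port[(src, port)].add(dst)

    alerts = []
    for (src, dst), ports in ports_per_target.items():
        if len(ports) >= port_threshold:
            alerts.append(("port_scan", src, dst, len(ports)))
    for (src, port), hosts in hosts_per_port.items():
        if len(hosts) >= host_threshold:
            # port stored as str so alert tuples sort uniformly
            alerts.append(("host_sweep", src, str(port), len(hosts)))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_FLOWS):
        print(alert)
```

The ordinary workstation traffic produces no alert because it repeats the same two ports rather than spreading across many. A slow scanner deliberately stays under thresholds like these, which is why a real implementation keys its counters to a sliding time window and ages them out instead of counting forever.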
Developing and deploying the payload
Next, the attacker determines the payload and the method
that will be used to deliver it. When it comes to delivery, the attacker
generally has two options: social engineering or exploitation. The social
engineering method is relatively simple. The objective is to trick the user
into clicking on a bad link or opening a malicious executable file, for
example.
Exploitation,
on the other hand, is far more sophisticated because it essentially tricks the
operating system (OS), browser, or other third‐party software into running the
attacker’s code. This means the attacker has to craft an exploit to target
specific vulnerable software on the endpoint. The benefit to the attacker is
that there is usually no way for the victim to know that anything malicious is
going on. The exploit can be embedded in a perfectly legitimate file
attachment. Once the exploitation has succeeded, a malware payload can be
delivered. Understanding how malware and exploits have become closely
interrelated in the modern attack life cycle is important. Data files or web
pages can be weaponized with exploits that are used to target the victim’s
vulnerable software.
Infiltration of a target using exploits has become an
efficient and stealthy method to deliver malware because exploits can be hidden
in files that appear legitimate. In addition, the availability of off‐the‐shelf
exploit kits significantly reduces the technical knowledge needed to develop
exploits. Once an exploit is run, the attacker can take control of the targeted
endpoint and install malware or run the attack entirely in memory, making it
even more difficult to detect given that no new files are created on the
exploited system.
A drive‐by‐download delivers malware in the background, usually by exploiting a vulnerability in an OS, browser, or other third‐party application. This is a very common delivery mechanism for malware today.
Today’s threats don’t necessarily come as an executable attachment in an email. A link or a data file is all that is required. This is why social media, webmail, message boards, and microblogging platforms, such as Twitter, as well as commonly used file viewers that can be easily exploited, are rapidly becoming favorite attack vectors.
Palo Alto Networks breaks this stage of the cyberattack life cycle on the endpoint by:
✓ Preventing known and unknown exploits using Palo Alto Networks Traps. Even if the exploit is successfully delivered to the target endpoint, Traps will prevent the exploitation of vulnerabilities.
✓ Preventing known and unknown malware using Traps, which includes various techniques on the endpoint, including integration with the WildFire threat intelligence cloud.
Palo Alto Networks breaks this stage of the cyberattack life cycle on the network by:
✓ Maintaining full visibility into all traffic, including SSL, and blocking high‐risk applications using a next‐generation firewall.
✓ Protecting against perimeter breaches by blocking malicious or risky websites.
✓ Blocking known exploits, malware, and inbound command‐and‐control (C&C) communications using multiple threat prevention disciplines, including intrusion prevention, antimalware, anti‐C&C, DNS monitoring and sinkholing, and file and content blocking.
✓ Detecting unknown threats and automatically delivering protection globally to thwart new attacks via Palo Alto Networks cloud‐based threat intelligence platform, WildFire.
Expanding the attack
Once a target endpoint has been infiltrated, the attacker needs to ensure persistence (resilience or survivability). Rootkits and bootkits are commonly installed on compromised endpoints for this purpose. A rootkit is malware that maintains privileged (root‐level) access to a computer while hiding its files, processes, and network connections from the operating system and from security tools. A bootkit is a rootkit variant that infects the boot process (for example, the master boot record or boot loader) so that its kernel‐mode code loads before the operating system and any endpoint security software. Bootkits are commonly used to attack computers that are protected by full‐disk encryption, because the boot code runs before the encrypted volume is unlocked and can capture the credentials used to unlock it.
Backdoors enable an attacker to bypass normal authentication
procedures to gain access to a compromised system. Backdoors are often
installed as a failover in case other malware is detected and removed from the
system.
Malware that counteracts antivirus (anti‐AV) software may
also be installed to disable any legitimately installed antivirus software on
the compromised endpoint, thereby preventing automatic detection and removal of
malware that is subsequently installed by the attacker. Many anti‐AV programs
work by infecting the master boot record (MBR) of a target endpoint.
Palo Alto Networks prevents an attacker from expanding an attack on the endpoint with the following actions:
✓ Using the Advanced Execution Control functions within Traps to prevent malicious execution scenarios, including unauthorized file locations, unsigned executables, and child processes. These policy‐based rulesets can drastically reduce the endpoint attack surface.
✓ Preventing execution of malicious files using the Traps integration with WildFire. Traps can prevent any unknown executable from running until WildFire has analyzed the file and determined if it is malicious or not.
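The three execution‐control scenarios named above (unauthorized file locations, unsigned executables, and suspicious child processes) can be expressed as an ordered policy over process‐creation events. The block below is an added illustration, not the original book’s text and not how Traps or any vendor product implements its rules. The events, the directory patterns, the parent/child lists, and the `signed` flag (assumed to be supplied by a sensor that has already verified the code signature) are all constructed for the example.

```python
"""Policy-based execution control over process-creation events.

Added example; not code from the original page and not how Traps or any
vendor product implements Advanced Execution Control. Events, rules and the
'signed' flag are constructed assumptions standing in for sensor data.
"""
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    image: str         # path of the executable being launched
    parent_image: str  # path of the process launching it
    signed: bool       # assumed: sensor verified a valid code signature


# Rule 1, file locations: nothing runs out of user-writable staging directories.
BLOCKED_LOCATIONS = (
    r"c:\users\*\appdata\local\temp\*",
    r"c:\users\*\downloads\*",
    r"c:\windows\temp\*",
)

# Rule 3, child processes: document handlers and browsers must not spawn
# script hosts or other binaries commonly abused as a second stage.
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe",
                     "iexplore.exe", "chrome.exe", "firefox.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def basename(path):
    """Lower-case file name of a Windows path (forward slashes tolerated)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return ("block", reason) or ("allow", reason) for one launch.

    Order matters: the child-process rule fires before the signature check,
    because a signed script host launched by Word is still a block."""
    image = event.image.lower()
    if any(fnmatch.fnmatchcase(image, pattern) for pattern in BLOCKED_LOCATIONS):
        return ("block", "unauthorized_location")
    if basename(event.parent_image) in DOCUMENT_HANDLERS and basename(image) in SCRIPT_HOSTS:
        return ("block", "suspicious_child_process")
    if not event.signed:                          # Rule 2, unsigned executables
        return ("block", "unsigned_executable")
    return ("allow", "policy_passed")


# Constructed events, not real telemetry.
SAMPLE_EVENTS = (
    ProcessEvent(r"C:\Users\alice\AppData\Local\Temp\invoice_viewer.exe",
                 r"C:\Windows\explorer.exe", signed=False),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", signed=True),
    ProcessEvent(r"C:\ProgramData\Vendor\agent.exe", r"C:\Windows\explorer.exe", signed=False),
    ProcessEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r"C:\Windows\explorer.exe", signed=True),
)


def evaluate_all(events=SAMPLE_EVENTS):
    return [evaluate(event) for event in events]


if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, evaluate_all()):
        print(decision, basename(event.image))
```

The second event is the instructive one: powershell.exe is a signed Microsoft binary in a system directory, so the location and signature rules both pass, and only the parent/child rule catches a document viewer spawning a script host. A blanket "block unsigned" rule, as in rule 2, blocks a great deal of legitimate software in practice and is normally paired with an allow‐list of known hashes or publishers.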
Palo Alto Networks prevents an attacker from expanding an attack on the network with the following actions:
✓ Establishing secure zones with strictly enforced user access control with next‐generation firewall/GlobalProtect, and providing ongoing monitoring and inspection of all traffic between zones (Zero Trust model).
✓ Controlling applications at a granular level to allow only authorized applications on the network, limiting the attackers’ ability to move laterally with unknown tools and scripts.
Establishing C&C communications infrastructure
Communication is fundamental to a successful attack.
Attackers must be able to communicate with infected systems to enable C&C,
and to extract stolen data from a target system or network. This communication
can also be used by the attacker to target other systems on the victim’s
network. Thus, the initially infected target might only be the first entry
point that enables lateral movement toward the attacker’s ultimate objective.
C&C communications must be stealthy and can’t raise any
suspicion on the network. Such traffic is usually obfuscated or hidden through
techniques that include the following:
✓ Encryption with SSL, SSH (Secure Shell), or some other custom application. Proprietary encryption is also commonly used. For example, BitTorrent is known for its use of proprietary encryption and is a favorite tool, both for infection and ongoing C&C.
✓ Circumvention via proxies, remote desktop access tools (such as LogMeIn!, RDP, and GoToMyPC), or by tunneling applications within other (allowed) applications or protocols.
✓ Port evasion using network anonymizers or port hopping to tunnel over open ports. For example, botnets are notorious for sending C&C instructions over IRC (Internet Relay Chat) on nonstandard ports, which defeats controls that identify a protocol by its port number alone.
✓ Fast flux DNS (rapidly rotating the addresses a C&C domain resolves to, often with short TTLs and dynamic DNS services) to proxy through multiple infected hosts, reroute traffic, and make it extremely difficult for forensic teams to figure out where the traffic is really going.
C&C
is often accomplished through common applications, including webmail, social
media, P2P networks, blogs, and message boards. C&C traffic doesn’t stand
out or raise suspicion, is often encrypted, and frequently makes use of
backdoors and proxies.
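Two of the evasion techniques listed above, IRC on nonstandard ports and fast flux DNS, can be caught without relying on the port number or a blocklist: identify the protocol from the bytes the client sends, and watch how a name resolves over time. The block below is an added example, not text from the original book and not Palo Alto Networks code; the sessions, DNS answers, and thresholds are constructed for illustration.

```python
"""Two C&C detections that do not depend on port number or domain reputation.

Added example; not code from the original page or from Palo Alto Networks.
Sessions, DNS answers and thresholds are constructed for illustration.
"""
import re
from collections import defaultdict

# An IRC client registers with NICK/USER whatever TCP port it rides on, so
# identify the protocol from the payload, not the port (the App-ID idea).
IRC_COMMAND = re.compile(rb"^(NICK|USER|PASS|JOIN|PRIVMSG|PING|PONG) ", re.MULTILINE)
IRC_STANDARD_PORTS = frozenset(range(6660, 6670)) | {6697}

# Constructed sessions: (client, server, server port, first bytes the client sent).
SAMPLE_SESSIONS = (
    ("10.0.0.23", "198.51.100.4", 443,
     b"NICK x3f9a2\r\nUSER x3f9a2 0 * :x3f9a2\r\nJOIN #upd\r\n"),   # IRC posing as HTTPS
    ("10.0.0.24", "198.51.100.9", 443,
     b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),              # genuine TLS ClientHello
    ("10.0.0.25", "198.51.100.20", 6667,
     b"NICK alice\r\nUSER alice 0 * :alice\r\n"),                  # IRC on its normal port
)


def is_irc(payload):
    return IRC_COMMAND.search(payload) is not None


def irc_on_nonstandard_ports(sessions=SAMPLE_SESSIONS):
    """Sessions that carry IRC on a port where IRC is not expected."""
    return [(src, dst, port) for src, dst, port, payload in sessions
            if is_irc(payload) and port not in IRC_STANDARD_PORTS]


# Constructed DNS answers observed over one hour: (name, TTL seconds, A record).
SAMPLE_DNS = (
    *[("cdn-updates.example", 60, f"203.0.113.{i}") for i in range(1, 15)],  # 14 IPs, TTL 60
    *[("www.example", 3600, "192.0.2.10")] * 14,                             # stable host
)


def fast_flux_domains(answers=SAMPLE_DNS, min_distinct_ips=10, max_ttl=300):
    """Names whose A records churn: many distinct addresses, all with short TTLs."""
    ips = defaultdict(set)
    max_ttl_seen = defaultdict(int)
    for name, ttl, ip in answers:
        ips[name].add(ip)
        max_ttl_seen[name] = max(max_ttl_seen[name], ttl)
    return sorted(name for name in ips
                  if len(ips[name]) >= min_distinct_ips and max_ttl_seen[name] <= max_ttl)


if __name__ == "__main__":
    print("IRC on odd ports:", irc_on_nonstandard_ports())
    print("fast flux candidates:", fast_flux_domains())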
Palo Alto Networks breaks C&C communications by performing the following actions:
✓ Blocking outbound C&C communications (through anti‐C&C signatures), as well as file and data pattern uploads.
✓ Blocking outbound communication to known malicious URLs with URL filtering.
✓ Blocking novel attack techniques with application identification (App‐ID), which is able to identify applications on any port.
✓ Redirecting malicious outbound communication to internal honeypots to identify and block compromised hosts.
✓ Creating a database of malicious domains to ensure global awareness/prevention through DNS monitoring.
Executing attack objectives
Attackers have many different motives for an attack,
including data theft, destruction of critical infrastructure, hacktivism, or
cyberterrorism. This final phase of the attack often lasts months or even
years, particularly when the objective is data theft, as the attacker uses a
low‐and‐slow attack strategy to avoid detection.
One infamous security breach in
2014 went undetected for five months and resulted in the compromise of more
than 56 million payment cards.
Palo Alto Networks breaks this stage of the cyberattack life cycle by doing the following:
✓ Preventing malware techniques on the endpoint with Traps. Malware prevention modules within Traps can prevent common techniques used by many categories of malware.
✓ Blocking outbound C&C communications (through anti‐C&C signatures), as well as file and data pattern uploads.
✓ Blocking outbound communication to known malicious URLs with URL filtering.
✓ Enforcing file transfer application policies in the enterprise with granular application and user control, eliminating archiving and transfer tactics.
Breaking this sequence before the attacker can run malicious code on the endpoint is the only way to prevent damage from an attack. After the attacker runs exploit code or installs malware, the breach has occurred and you’re in cleanup mode.
Chapter 3
Endpoint Protection Approaches and Limitations
In This Chapter
▶ Acknowledging the limits of signature and container‐based approaches
▶ Recognizing the challenges of whitelisting and virtualization
▶ Patching software vulnerabilities
▶ Deploying network controls
▶ Integrating network‐ and host‐based approaches
In this chapter, you explore the challenges of legacy approaches to endpoint protection.
Signature‐Based Approaches
Signature‐based antivirus software is the oldest and most
commonly used approach for detecting and identifying malware on endpoints. This
approach is based on the simple action of collecting malware samples and then
writing signatures for those samples. Signature‐based antivirus (or
antimalware) software scans a computer’s hard drive and memory according to a
predefined schedule, and in real time when a file is accessed. If a known
malware signature is detected, the software performs a predefined action such
as the following:
✓ Quarantine: Isolates the infected file so that it can’t infect the computer or other files.
✓ Delete: Removes the infected file.
✓ Alert: Notifies the user (and/or system administrator) that malware has been detected.
Although the signature‐based approach is very popular, its effectiveness is limited. By design, protection can’t be delivered until the malware is already in the wild. Before that, networks and endpoints are blind to the threat.
A sample of new or unknown
suspicious traffic must be captured and identified before a detection signature
can be created by security vendors. The new signature must then be downloaded
and installed on an enterprise’s endpoints in order to provide protection.
This
means that some users and networks will be successfully breached by new malware
until a new detection signature is created and downloaded. This reactive model
creates a window of opportunity for attackers, leaving endpoints vulnerable — sometimes for weeks or even
months — until new malware is suspected, collected, analyzed, and identified.
During this time, attackers can freely infect networks and endpoints.
Modern malware has taken this weakness and expanded upon it
by evolving techniques to avoid being captured in the wild and to avoid the
signatures that have already been created. Targeted malware and polymorphism
are increasingly common techniques used to exploit the inherent weaknesses of
signature‐based detection.
Polymorphism is used in malware to avoid
signatures by regularly mutating to avoid simple signature matches. Some
malware applications have entire sections of code that serve no purpose other
than to change the signature of the malware.
Another
challenge for the signature‐based approach is that millions of new malware
variations are created each year — on average about 20,000 new forms daily —
for which unique signatures must be written, tested, and deployed — after the
new malware variation is discovered and sampled. This reactive approach is
simply not effective for protecting endpoints against today’s modern threats.
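The reactive window described above is easy to see in code. The following is an added example, not code from the page or from any vendor's product: a toy scanner with one hash signature and one content signature, run against a constructed, inert byte string that stands in for a captured sample. Appending inert bytes (the "sections of code that serve no purpose other than to change the signature") defeats the hash signature while the content signature still fires; changing the bytes the content signature keys on defeats both, and nothing fires again until a new signature is written and shipped. The sample bytes, the fake beacon marker and the signature names are all constructed for this example.

```python
import hashlib
import re

# Constructed stand-in for a captured malware sample: an inert byte string with
# a fake "beacon" marker. Nothing here is a real sample or a real indicator.
ORIGINAL_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"[constructed-sample] beacon=http://c2.example.invalid/ping\x00"
    + b"\xcc" * 32
)

# Hash signature: the exact SHA-256 of the sample the vendor captured.
HASH_SIGNATURES = {
    hashlib.sha256(ORIGINAL_SAMPLE).hexdigest(): "Sample.A (hash)",
}

# Content signature: a byte pattern inside the sample, written as a regex so it
# tolerates the part the analyst expects to vary (here the host name).
CONTENT_SIGNATURES = {
    re.compile(rb"\[constructed-sample\] beacon=http://[^\s/]+/ping"): "Sample.A (pattern)",
}


def scan(data):
    """Return the names of every signature that fires on `data`, hash first."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[digest])
    for pattern, name in CONTENT_SIGNATURES.items():
        if pattern.search(data):
            hits.append(name)
    return hits


def padded_variant(sample, filler=b"\x00" * 4096):
    """Model 'sections of code that serve no purpose other than to change the
    signature': the same sample with inert bytes appended. The hash changes;
    the content the pattern looks for is untouched."""
    return sample + filler


def rewritten_variant(sample):
    """Model a variant whose author also changed the bytes the content signature
    keyed on. Both signatures now miss until a new one is written and shipped."""
    return sample.replace(b"beacon=", b"b3acon=")


if __name__ == "__main__":
    for label, blob in [
        ("original", ORIGINAL_SAMPLE),
        ("padded", padded_variant(ORIGINAL_SAMPLE)),
        ("rewritten", rewritten_variant(ORIGINAL_SAMPLE)),
    ]:
        print(f"{label:10s} -> {scan(blob) or ['no detection']}")
```

The practical lesson for a defender is the ordering of brittleness: a full-file hash breaks on any single-byte change, a content pattern survives padding but not a rewrite of the matched bytes, and neither says anything about a sample nobody has captured yet.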
Container‐Based Approaches
Container‐based endpoint protection wraps a protective
virtual barrier around vulnerable processes while they’re running. If a process
is malicious, the container attempts to mitigate the damage by preventing it
from damaging other legitimate processes or files on the endpoint. However, the
container‐based approach typically requires a significant amount of computing
resource overhead and attacks have been demonstrated that circumvent or disable
container‐based protection.
This approach also requires
knowledge of the applications that need to be protected and how they interact
with other software components. So a containerization tool will be developed to
support certain common applications, but will not be capable of protecting most
proprietary or industry‐specific software. Even web browser plug‐ins and the
like can have problems operating correctly within a container environment.
Whitelisting
Application whitelisting is another endpoint protection technique that is commonly used to prevent
end users from running unauthorized applications — including malware — on their
endpoints.
Application whitelisting requires a positive control model
in which no applications are permitted to run on the endpoint unless they’re
explicitly permitted by the whitelist policy. In practice, this requires a
large administrative effort to establish and maintain a list of approved
applications. This approach is based on the premise that if you create a list
of applications that are specifically allowed and then prevent any other file
from executing, you can achieve maximum protection for the endpoint. Although this
basic functionality can be useful to reduce the attack surface, it is by no
means a comprehensive approach to endpoint security.
Modern trends like consumerization and bring your own device
(BYOD) make application whitelisting extremely difficult to enforce in the
enterprise. Additionally, once an application is whitelisted it is permitted to
run — even if the application has a vulnerability that can be exploited. This
means the attacker can simply exploit a whitelisted application and have
complete control of the target endpoint regardless of the whitelisting. After
the application has been successfully exploited, the attacker can run malicious
code while keeping all the activity in memory. This means that no new files are
created and no new executables attempt to run, rendering the whitelisting
software completely ineffective against this type of attack.
Whitelisting may prevent a
malicious executable from running, but will do nothing to prevent exploitation
of legitimate software. The attacker can exploit the application and run the
entire attack in memory without creating any new executable files that
whitelisting could block.
Anomaly Detection
Endpoint security approaches
that use mathematical algorithms to detect unusual activity on an endpoint are
known as heuristics‐based, behavior‐based, or anomaly‐ detection solutions.
This approach relies on first establishing an accurate baseline of what is
considered “normal” activity. Although this approach has been around for many
years, it is still prone to high false positives and offers limited
effectiveness in most implementations.
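The baseline-and-threshold model the paragraph refers to, and the false-positive problem that comes with it, can be shown with a few numbers. This is an added example, not code from the page or from any product: a z-score detector is trained on a constructed window of hourly outbound-connection counts for one workstation and then scored against constructed later observations, each labelled with whether it was actually malicious. All values are made up for the example.

```python
import statistics

# Constructed learning window: outbound connections per hour from one
# workstation over 14 quiet hours. Values are made up for the example.
BASELINE_WINDOW = [12, 15, 11, 14, 13, 16, 12, 15, 14, 13, 12, 17, 14, 13]

# Constructed later observations: (description, connections_per_hour, malicious?)
OBSERVATIONS = [
    ("ordinary afternoon", 13, False),
    ("patch day: update agent fetches many packages", 45, False),     # legitimate burst
    ("month-end report sync to file server", 38, False),              # legitimate burst
    ("low-and-slow beacon adding one connection an hour", 14, True),  # real intrusion
]


def build_baseline(samples):
    """Summarise 'normal' as mean and sample standard deviation."""
    return statistics.fmean(samples), statistics.stdev(samples)


def is_anomalous(value, baseline, threshold=3.0):
    """One-sided z-score test: only activity above the baseline alerts."""
    mean, stdev = baseline
    z = (value - mean) / stdev
    return z > threshold, round(z, 2)


def evaluate(observations, baseline, threshold=3.0):
    """Return (false_positives, missed_attacks) for a threshold so the
    trade-off the text describes is visible in numbers."""
    false_positives = missed = 0
    for _, value, malicious in observations:
        alert, _ = is_anomalous(value, baseline, threshold)
        if alert and not malicious:
            false_positives += 1
        if malicious and not alert:
            missed += 1
    return false_positives, missed


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_WINDOW)
    print("baseline mean=%.1f stdev=%.2f" % baseline)
    for desc, value, malicious in OBSERVATIONS:
        alert, z = is_anomalous(value, baseline)
        print(f"{desc:50s} z={z:6.2f} alert={alert} malicious={malicious}")
    print("false positives, missed attacks:", evaluate(OBSERVATIONS, baseline))
```

With the default threshold both legitimate bursts alert and the real intrusion, which stays inside the baseline, does not; raising the threshold until the bursts stop alerting removes the false positives but still misses the attack. That is the failure mode the paragraph describes: the quality of the detector is bounded by how well "normal" was captured, not by the threshold.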
Host‐Based Intrusion Prevention Systems (HIPS)
HIPS is another approach to endpoint protection that relies on an agent installed on the endpoint to detect malware. HIPS can be either signature‐based or anomaly‐based and is therefore susceptible to the same issues as signature‐based and anomaly‐based approaches. Additionally, HIPS solutions often cause significant performance degradation on endpoints. A recent Palo Alto Networks survey found that 25 percent of respondents indicated HIPS solutions “caused significant end‐user performance impact.”
Patch Management
Thousands of new software vulnerabilities and exploits are
discovered each year, requiring diligent software patch management by system
and security administrators in every
organization.
However, patch management only
protects an organization’s endpoints after
a vulnerability has been discovered and the patch installed. Delays of days, weeks,
or longer are inevitable as security patches for newly discovered
vulnerabilities must be developed, distributed, tested, and deployed. Although
patch management is an important aspect of any information security program,
like signature‐based antimalware detection, patch management is an endless race
against time that offers no protection against zero‐day exploits.
Network Controls
Traditional network security solutions simply were never
designed to meet the challenges of exploits and malware on endpoints.
Traditional firewalls and IPS solutions classify traffic based on port
assignments. As a result, a threat that is evasive and dynamic can simply
bounce to an unexpected or seemingly legitimate port, gain access to the
network, and avoid detection. Firewalls and IPS solutions are, nonetheless,
important elements of an enterprise defense‐in‐depth strategy that includes
advanced endpoint protection.
A next‐generation firewall
overcomes many of the technical challenges of traditional, port‐based firewalls
and signature‐based IPS, and accurately identifies applications, content, and
users to determine if traffic should be allowed, rather than simply relying on
port information and signatures.
Taking an Integrated Approach to Endpoint Protection
Advanced endpoint protection requires an integrated,
multidisciplinary approach to prevent exploits and malware whether they arrive
via the network or directly on the endpoint via other means, such as portable
media.
Many organizations have deployed various security solutions
in addition to their legacy port‐based firewalls, including intrusion
prevention systems (IPSs), proxy servers, web‐ content filtering, antivirus
gateways, and application‐specific solutions — such as instant messaging or email
security (antispam) appliances — in an effort to shore up their defenses
against modern malware threats.
A
recent Palo Alto Networks survey found that integration with network security
solutions (such as IPS, threat intelligence, and network‐based sandboxing) is
the most sought‐after requirement for an endpoint security solution.
However, this cobbled‐together approach to security
infrastructure creates problems of its own, including the following:
✓ Not everything that should be inspected is, because these solutions either can’t see all the traffic or rely on the same port‐ and protocol‐based classification scheme as do port‐based firewalls.
✓ Coverage is only applied to a limited set of traffic, rather than every application.
✓ Policy management, access control rules, and inspection requirements are spread across multiple devices and consoles, making it difficult to develop and enforce a consistent enterprise security policy.
✓ Performance suffers due to relatively high aggregate latency because the same traffic is scanned and analyzed on multiple devices.
✓ Information isn’t easily correlated and analyzed between devices, with raw data in multiple formats easily overwhelming security analysts.
An ounce of prevention: Taking a proactive approach to endpoint protection
Most security products take a reactive approach to endpoint protection.
These are often referred to as detection
and response or visibility and
control solutions but they typically use some form of signature‐ and
anomaly‐based detection or indicator of compromise (IOC) detection.
Essentially, these approaches allow an exploit or malware to compromise the
endpoint, then attempt to perform actions such as removing the malware or
quarantining the endpoint from the network.
These endpoint protection strategies don’t provide enough coverage. The
end‐user workstation or data center server has already been compromised and is
now unusable until the threat is removed and the integrity of the endpoint is
restored. It’s also possible that the attacker has already achieved his
objective at this point — perhaps by encrypting local data for a ransomware
attack or a simple denial‐of‐service attack.
An endpoint protection strategy based on prevention intercepts and blocks
an attack before malicious activity
occurs on the endpoint. This means preventing
an exploit from running (often a precursor to many advanced attacks), or preventing malware from being executed.
This proactive approach enables true endpoint protection and proves
the adage: An ounce of prevention is worth a pound — or in this case, hours,
days, or even weeks spent quarantining a server or workstation, cleaning or
reinstalling software, restoring files, and more — of cure!
Chapter 4
Advanced Endpoint Protection Defined
In This Chapter
▶ Using a proactive approach for endpoint protection
▶ Bringing network and endpoint protection together
▶ Learning about Traps
In this chapter, you learn what advanced endpoint protection is all about — exploit prevention, malware prevention, and platform integration — and how Palo Alto Networks delivers advanced endpoint protection for both workstations and servers with Traps.
Prevent, Don’t Just Detect
Advanced endpoint protection is a new security product
innovation that requires a different mindset from traditional security
methodologies. Rather than a reactive detect
and respond approach as with
traditional antimalware software, advanced endpoint protection employs a
proactive prevention strategy.
Advanced endpoint protection must do the following:
✓ Prevent all exploits, including those using unknown zero‐day vulnerabilities
✓ Block all malware, without requiring any prior knowledge of specific malware signatures
✓ Provide detailed forensics against prevented attacks, in order to strengthen all areas of the organization by pinpointing the targets and techniques used
✓ Be highly scalable and lightweight to seamlessly integrate into existing operations with minimal to no disruption
✓ Integrate closely with network and cloud security for quick data exchange and cross‐organization protection
Use an Integrated Approach
Many of today’s readily available
legacy endpoint protection products are single faceted, providing only virus
detection and removal, for example. These products rely on the same techniques
(see Chapter 3) that have been unsuccessfully employed for more than 20 years.
Newer endpoint security suites
often incorporate antimalware, personal firewalls, host‐based intrusion
prevention, and cloud‐based signature updates, but still fail to
adequately protect the endpoint against
today’s advanced threats.
Advanced endpoint protection provides a more comprehensive
approach than legacy endpoint protection products, and fully integrates with
other enterprise security solutions, such as next‐generation firewalls, real‐time
threat intelligence, and security information and event management (SIEM).
Traps: Advanced Endpoint Protection
Palo Alto Networks Traps
provides advanced endpoint protection that prevents sophisticated vulnerability
exploits and malware‐driven attacks — both known and unknown. Traps
automatically detects and blocks a core set of techniques that every attacker
must link together in order to execute any type of attack, regardless of its
complexity. Preventing just one technique in the cyberattack life cycle (see
Chapter 2) is all that is needed to thwart the entire attack before it can do
any damage.
The
key to Traps is blocking core exploit and malware techniques, not the
individual attacks.
The Traps agent injects itself into each process as it’s started, automatically blocking advanced attacks that would otherwise evade detection. If an exploit attempt is made using one of the attack techniques, Traps immediately blocks that technique, terminates the process, and notifies both the user and the admin that an attack was prevented (see Figure 4-1).
Throughout each event, Traps
collects detailed forensics and reports this information to the endpoint
security manager (ESM), resulting in better visibility and an understanding of
attacks that were prevented. With Traps, endpoints are always protected,
regardless of patch, signature, or software‐update levels; plus, it requires no
prior knowledge of an attack in order to prevent it.
Learn more about exploit prevention in Chapter 5.
To prevent the execution of malicious executables on the
endpoint, Traps focuses on three key areas to ensure comprehensive protection.
When combined, these methods offer unparalleled malware prevention and include
the following:
✓ Advanced execution control: Organizations can easily set up policies restricting specific execution scenarios. For example, you may want to prevent the execution of files from the Outlook temp directory, prevent execution of unsigned files, or prevent the execution of a particular file type directly from a USB drive.
✓ WildFire inspection and analysis: Traps queries Palo Alto Networks WildFire threat intelligence cloud with a hash and submits any unknown .exe files to assess their risk within the global threat community.
✓ Malware techniques mitigation: Traps implements technique‐based mitigations that prevent attacks by blocking techniques such as thread injection.
Learn more about malware prevention in Chapter 6.
Traps deployment architecture
Traps is a highly scalable
advanced endpoint protection solution
that consists of an Endpoint Security Manager Console, Endpoint Security
Manager Server(s), lightweight Traps Agents (installed on individual endpoints),
and optional external logging.
Endpoint Security Manager Console
The Traps infrastructure
supports various architectural options to allow for scalability to a large
distributed environment. Installation of the Endpoint Security Manager (ESM)
creates a database on a Microsoft SQL server and installs the administrative
console within the Internet Information Server (IIS). Microsoft SQL 2008, 2012,
and 2014 are supported and the SQL server may be dedicated to ESM — or a
database can be created on an existing SQL server.
The Endpoint Server can be installed on Windows Server 2008
R2, Windows Server 2012, or Windows Server 2012 R2 on physical or virtual
machines.
Endpoint Security Manager Servers
ESM servers essentially act as
proxies between Traps agents and the ESM database. Communications from Traps
agents to ESM servers occur over HTTPS. ESM servers don’t store data and,
therefore, can be easily added and removed from the environment as needed to
ensure adequate geographic coverage and redundancy.
To ensure global connectivity,
organizations that don’t use a mobility solution like Palo Alto Networks
GlobalProtect may opt to put an ESM server in the DMZ or in a cloud‐based
environment with external connectivity. ESM servers can be installed on Windows
Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2 physical or
virtual machines.
Traps agent
The Traps agent installer is an approximately 9 MB Microsoft Installer (MSI) package that can be deployed using your software deployment tool of choice. Subsequent updates to the agent can be deployed via the ESM. The agent consumes less than 25 MB on disk and less than 40 MB while
running in memory. Observed CPU utilization is less than 0.1 percent. The agent
also employs various tamper‐proofing methods that prevent users and malicious
code from disabling protection or tampering with agent configuration.
The lightweight structure
allows for the Traps environment to scale horizontally and support large
deployments of agents, while still maintaining a centralized configuration and
database for policies. Traps can coexist with most major endpoint security
solutions, and the CPU utilization and I/O remains incredibly low. With such
minimal disruption, this makes Traps optimal for critical infrastructures,
specialized systems, and virtual desktop infrastructure (VDI) environments.
External logging
The ESM can write logs to an
external logging platform, such as a security information and event management
(SIEM) solution or anything that supports syslog, in addition to storing its
logs internally.
Palo Alto Networks Enterprise
Security Platform is a fully integrated solution that includes Traps Advanced
Endpoint Protection, the next‐generation firewall, and the WildFire threat
intelligence cloud, enabling full implementation of Zero Trust from network to
endpoint.
Chapter 5
Core Techniques to Prevent Zero‐Day Exploits
In This Chapter
▶ Recognizing why exploit prevention is critical
▶ Exploiting vulnerabilities in the cyberattack life cycle
▶ Using Traps to prevent unknown exploits
In this chapter, you learn how Traps breaks the cyberattack life cycle by preventing exploit techniques.
Making Exploit Prevention a Priority
A great deal of attention has
been paid to malware since the earliest days of computing. Although malware
prevention is certainly critical to advanced endpoint prevention, it is only
one part of a comprehensive enterprise security strategy.
Equally important, but less
understood than malware prevention, is the importance of exploit prevention.
There are several possible reasons for this disparity between malware and
exploit prevention awareness, including the following:
✓ Antimalware (previously antivirus) software has been around since the early days of personal computing. Although the common end user may not understand what malware does or know different types, she at least understands the importance of having antimalware software installed and updated on her personal computers.
✓ Exploits take advantage of a vulnerability in legitimate software. This implies a flaw in the software. Over the decades, different software vendors have taken different approaches to acknowledging the existence of such flaws in their software. Even today, there is no standard among software vendors for publicly acknowledging and patching vulnerabilities.
✓ In many attacks, an exploit is used as a delivery mechanism for malware. Without any kind of advanced endpoint protection running on the endpoint, the exploit goes undetected. So, when the malware is eventually detected on the endpoint, it’s not immediately evident that the attack began with an exploit.
✓ October is National Malware Awareness Month and everyone wears carbon gray ribbons in recognition. No such awareness campaign exists for exploits. Okay, October isn’t really National Malware Awareness Month — but maybe it should be!
Adobe Flash Player vulnerabilities and the zero‐day month
Recent
Adobe Flash Player vulnerability exploits have increased the risk exposure for
many endpoints. Despite proactive efforts to document, communicate, and patch
Flash vulnerabilities, many exploits enjoyed extended zero‐day timelines.
For example, CVE‐2015‐0313 was discovered as a zero‐day exploit in the wild on February 2, 2015. On February 4 and 5, Adobe released patched versions of its Adobe Flash Player to address this vulnerability. However, on February 25, a fully working exploit code for CVE‐2015‐0313 was published that required modification of only a few lines of code to be effective. A fully patched version of Adobe Flash Player that addressed both CVE‐2015‐0313 and its variant, dubbed CVE‐2015‐X, was finally released on April 14. Thus, even if organizations patched all their endpoints as soon as each update was available, they were still vulnerable to an attack exploiting this vulnerability for almost two months. Just a few months later, more new Adobe Flash exploits were revealed. Again, Traps was able to prevent these exploits from succeeding on protected endpoints — running in its default configuration with no updates needed.
Security techniques such as
application whitelisting (discussed in Chapter 3) are difficult to fully
implement and ineffective against exploits. An exploit takes advantage of a
vulnerability in a legitimate (translation: whitelisted) application to execute
an attack.
Understanding Exploit Techniques
Many advanced threats work by placing malicious code in a
seemingly innocuous data file. When the file is opened, the malicious code
leverages a vulnerability in the native application used to view the file, and
the code executes. Because the application being exploited is allowed by IT
security policy, this type of attack bypasses application whitelisting
controls.
Although there are many
thousands of exploits, they all rely on a small set of core techniques that
change infrequently. Regardless of the attack or its complexity, in order for
the attack to be successful, the attacker must execute a series of these core
exploit techniques in sequence, like navigating a maze to reach its objective
(see Figure 5-1).
Heap spray is an attempt to insert the
attacker’s code into multiple locations within the memory heap, hoping that one
of those locations will be called by the process and executed.
Some attacks may involve more
steps, some may involve fewer, but typically three to five core techniques must
be used in order to exploit an application.
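The heap spray technique defined above has a recognisable footprint from the defender's side: a process suddenly requests many large heap blocks with identical contents, most of which is a single repeated byte. The following is an added example, not code from the page or from Traps: a simple heuristic over a constructed allocation trace that flags that footprint, and deliberately ignores bulk zero-filled buffers, which legitimate code allocates all the time and which would otherwise be a constant false positive. The traces, block sizes and thresholds are all constructed; a production detector would additionally check whether the repeated content is a valid instruction slide, which this heuristic does not.

```python
import hashlib
from collections import Counter

SLIDE_BYTE = 0x90  # classic single-byte x86 NOP, used only to build the constructed trace


def _varied_block(i):
    """A normal allocation: size and contents differ from block to block."""
    return bytes((i * 31 + j) % 251 for j in range(256 + (i % 97)))


def _sprayed_block():
    """Constructed spray block: one long slide of a single byte plus a short tail
    standing in for the attacker's code. Inert bytes, not an exploit."""
    return bytes([SLIDE_BYTE]) * 0x1000 + b"\xcc" * 16


def _zeroed_block():
    """A freshly zeroed 4 KB buffer, the kind legitimate code allocates in bulk."""
    return b"\x00" * 0x1000


# Constructed traces: 200 ordinary allocations, then either a spray or a bulk
# zeroed allocation appended to them.
NORMAL_TRACE = [_varied_block(i) for i in range(200)]
SPRAY_TRACE = NORMAL_TRACE + [_sprayed_block() for _ in range(64)]
BULK_ZERO_TRACE = NORMAL_TRACE + [_zeroed_block() for _ in range(64)]


def detect_heap_spray(allocs, min_blocks=16, min_size=0x1000, min_dominance=0.9):
    """Heuristic: at least min_blocks large (>= min_size) blocks with identical
    contents, where one non-zero byte makes up >= min_dominance of the block.
    Returns (flagged, details)."""
    big = [c for c in allocs if len(c) >= min_size]
    if len(big) < min_blocks:
        return False, {}
    groups = Counter(hashlib.sha1(c).digest() for c in big)
    digest, count = groups.most_common(1)[0]
    if count < min_blocks:
        return False, {}
    exemplar = next(c for c in big if hashlib.sha1(c).digest() == digest)
    byte, byte_count = Counter(exemplar).most_common(1)[0]
    dominance = byte_count / len(exemplar)
    # Zero-filled buffers are routine (cleared pages, calloc-style allocation);
    # treating them as a spray would alert on ordinary programs, so skip them.
    if byte == 0x00 or dominance < min_dominance:
        return False, {}
    return True, {
        "blocks": count,
        "block_size": len(exemplar),
        "dominant_byte": byte,
        "dominance": round(dominance, 3),
    }


if __name__ == "__main__":
    for name, trace in [("normal", NORMAL_TRACE), ("bulk zero", BULK_ZERO_TRACE),
                        ("spray", SPRAY_TRACE)]:
        print(f"{name:10s} -> {detect_heap_spray(trace)}")
```

The two thresholds encode the same intuition as the sidebar definition: the attacker needs many copies for one of them to land where execution goes, so a single large repetitive block is uninteresting, and the block has to be large enough to matter.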
Preventing Exploits with Traps
Palo Alto Networks Traps focuses on the core techniques used
by all exploits to render those techniques completely ineffective, which means
the application is no longer vulnerable.
The Traps agent injects itself
into each process as it is started. If the process attempts to execute any of
the core attack techniques, the corresponding exploit prevention module (EPM)
prevents that exploit, kills the process, and reports all the details to the
endpoint security manager (ESM), as depicted in Figure 5-2.
By default, Traps policy is configured to protect more than 100 processes — each one with dozens of proprietary EPMs.
Traps isn’t limited to protecting only those processes
or applications. Organizations use Traps
to protect all manner of processes and applications by simply adding them to
the policy configuration. Processes that have been run on the endpoint
automatically show up in the ESM console, making it easy to protect those
processes with the click of a button. This is especially useful for
organizations running industry‐specific applications, such as point‐of‐sale
(POS) systems, ATM machines, and supervisory control and data acquisition
(SCADA).
If
for some reason an application conflicts with one of the EPMs, simply disable
that EPM for the specific application and computer. The application is still
protected by dozens of other EPMs (see Figure 5-3). Because exploits rely on a
series of techniques to successfully run, the other EPMs will continue
protecting that application and will block at least one of the techniques, thus
breaking the sequence.
Examples of attacks that the EPMs can prevent include
the following:
✓ Dynamic link library (DLL) hijacking — replacing a legitimate DLL with a malicious one of the same name
✓ Hijacking program control flow
✓ Inserting malicious code as an exception handler
Exploits are used to target
both vulnerable applications and network‐based services running on workstations
and servers. Traps Advanced Endpoint Protection protects both workstations and
servers.
Traps covers top high‐risk vulnerabilities highlighted by US‐CERT
US‐CERT recently issued an alert regarding the 30 most prevalent vulnerabilities in targeted attacks that took place in 2014 (see the accompanying table).
Memory Corruption, Logical, and Java Vulnerabilities
CVE ID          Targeted Application   Vulnerability Type               Zero day
CVE‐2006‐3227   Internet Explorer      Charset obfuscation
CVE‐2008‐2244   MS Word                Buffer overflow
CVE‐2009‐3129   MS Excel               Excel featherhead record
CVE‐2009‐3674   Internet Explorer      Uninitialized memory corruption
CVE‐2009‐3953   Adobe Reader\Acrobat   Array overflow
CVE‐2010‐0806   Internet Explorer      Use after free                   yes
CVE‐2010‐3333   MS Office              Stack buffer overflow
CVE‐2010‐0188   Adobe Reader\Acrobat   Stack buffer overflow            yes
CVE‐2010‐2883   Adobe Reader\Acrobat   Stack buffer overflow            yes
CVE‐2011‐0101   MS Excel               Excel record parsing WriteAV
CVE‐2011‐0611   Adobe Flash Player     Object type confusion            yes
CVE‐2011‐2462   Adobe Reader\Acrobat   Unspecified                      yes
Source: US‐CERT
Each of these vulnerabilities, when exploited, indicates a compromised endpoint. From this compromised endpoint, the attacker will expand to other endpoints and servers in your network until it reaches its goal, possibly stealing the crown jewels it set out for.
The CERT list is a valuable source, reflecting the actual threat landscape. Security decision makers can derive important knowledge from reading between its lines:
✓ The prevailing attack scenario is still a user browsing or opening an attachment. According to the CERT list, the only exceptions are one OpenSSL and four ColdFusion vulnerabilities (not listed in the accompanying table).
✓ The targeted applications are the most common ones. This comes as no surprise. The list in the table is solely comprised of Internet Explorer, Silverlight, MS Office, Oracle Java, and Adobe Flash, Reader, and Acrobat.
✓ Vulnerabilities from 2012 and before comprise more than half of the list. This tells us more about victims than attackers. Apparently nonpatching is a common practice. Updating vulnerable software isn’t always prioritized. This enables attackers to successfully leverage old vulnerabilities (dating back as far as 2006!) for their purpose.
✓ Browser and attachment attacks are equally distributed. The distribution of these two main attack vectors is around 50/50 with slightly more browser exploits shown. Browser exploits are common in watering hole attacks and are typically integrated in exploit kits. Attachments (Office, Adobe Reader, and others), on the other hand, are used in spear phishing attacks, which target specific users. The nearly equal distribution implies that both vectors remain areas of concern.
✓ Half of these vulnerabilities are zero days. One of the most pressing issues for current cybersecurity strategists is the correlation between sophistication and prevalence. The nonproportional zero‐day presence in the CERT list implies that today’s zero‐day is tomorrow’s common attack vector. Of course, there is a natural selection involved that determines which zero days will spread and which will decline.
✓ Most of the memory corruption vulnerabilities enable exploits to bypass Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). In recent years, Windows‐integrated exploit mitigations forced attackers to adjust how exploits are written. The CERT list suggests they have succeeded. Return Oriented Programming (ROP), for example, is common to almost all exploits shown. This illustrates once more the ever‐changing nature of the cyberthreat arena: Whenever a security measure is introduced, attackers reflect, learn, reshape, and attack in alternative patterns.
Palo Alto Networks Traps directly addresses the security gaps
reflected in the CERT list. Traps prevents exploitation in
real time by mitigating the core techniques that are common to all exploits.
Exploitations of the vulnerabilities on the CERT list are different from each
other, but all of them converge into a known pool of techniques. Traps
proactively obstructs these techniques, providing protection without relying on
signatures or prior knowledge.
Chapter 6
A Robust Approach to Prevent Unknown Malware
In This Chapter
▶ Implementing policy‐based restrictions
▶ Preventing malware using cloud‐based threat intelligence
▶ Blocking malicious behavior
▶ Bringing it all together
In addition to preventing exploits hiding in data files or launched over the network (discussed in Chapter 5), Palo Alto Networks Traps employs a comprehensive approach to the prevention of malicious executables. Malicious executables, more commonly known as malware, can be inadvertently downloaded and run by users without their knowledge.
Traps’
malware prevention engine uses Advanced Execution
Control, WildFire integration, and Malware
Prevention Modules to prevent the execution of malware. When combined, these
technologies offer good malware prevention. In this chapter, you learn about
Traps malware prevention.
Advanced Execution Control
When a user or endpoint attempts to open an executable, Traps
first verifies that the executable doesn’t violate any policy‐based
restrictions. Policy‐based restrictions dramatically reduce the attack surface
by preventing file execution in high‐risk scenarios. For example, you may want
to prevent executing the following:
✓ Particular (or any) file types directly from a USB drive
✓ Files from certain paths (such as the Outlook temp folder) or network locations where applications don’t reside
✓ Child processes created by specific applications (such as Microsoft PowerPoint)
✓ Unsigned executables
Alternatively, highly granular restrictions are available to
define trusted processes or file types, locations, and registry paths that
these processes can read from and write to.
If any of the restriction rules apply to the executable,
Traps blocks the file from executing and reports the security event to the
Endpoint Security Manager (ESM).
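The restriction list above, and the matching list under "Advanced execution control" in Chapter 4, describe a policy evaluated against each attempted execution. The following is an added example of what such an evaluation looks like, written for this page and not taken from Traps or the ESM: each restriction is a predicate over a constructed execution event (image path, parent process, signature status, removable media), the first matching restriction blocks and names itself, and the result is packaged as the record an agent would forward to its management server. The event fields, rule names, the Outlook temp path and the sample events are all this example's own assumptions.

```python
import ntpath
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class ExecEvent:
    """One attempt to start an executable, as an endpoint agent sees it.
    The field names are this example's own, not a real agent's schema."""
    image_path: str     # full path of the file about to run
    parent_image: str   # path or name of the process that spawned it
    is_signed: bool     # a valid code signature is present
    on_removable: bool  # the file lives on removable media (a USB drive)


@dataclass(frozen=True)
class Restriction:
    name: str
    applies: Callable[[ExecEvent], bool]


def _norm(path: str) -> str:
    # Windows paths compare case-insensitively; ntpath behaves the same on any host OS.
    return ntpath.normcase(ntpath.normpath(path))


def under_path(prefix: str) -> Callable[[ExecEvent], bool]:
    root = _norm(prefix) + "\\"
    return lambda e: _norm(e.image_path).startswith(root)


def child_of(*parents: str) -> Callable[[ExecEvent], bool]:
    names = {p.lower() for p in parents}
    return lambda e: ntpath.basename(e.parent_image).lower() in names


def type_on_removable(*exts: str) -> Callable[[ExecEvent], bool]:
    wanted = {x.lower() for x in exts}
    return lambda e: e.on_removable and ntpath.splitext(e.image_path)[1].lower() in wanted


# Assumed location of one user's Outlook temp folder; an example path, not one
# taken from the page.
OUTLOOK_TEMP = r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook"

# Order matters: the first restriction that applies decides and is reported.
POLICY: List[Restriction] = [
    Restriction("exe-from-usb", type_on_removable(".exe", ".scr", ".com")),
    Restriction("outlook-temp", under_path(OUTLOOK_TEMP)),
    Restriction("child-of-office", child_of("POWERPNT.EXE", "WINWORD.EXE")),
    Restriction("unsigned", lambda e: not e.is_signed),
]


def evaluate(event: ExecEvent, policy: List[Restriction] = POLICY) -> Tuple[str, Optional[str]]:
    """Return ("block", rule_name) for the first matching restriction, else ("allow", None)."""
    for rule in policy:
        if rule.applies(event):
            return "block", rule.name
    return "allow", None


def report(event: ExecEvent, policy: List[Restriction] = POLICY) -> dict:
    """The record an agent would forward to its management server for one event."""
    verdict, rule = evaluate(event, policy)
    return {
        "image": event.image_path,
        "parent": ntpath.basename(event.parent_image),
        "signed": event.is_signed,
        "removable_media": event.on_removable,
        "verdict": verdict,
        "rule": rule,
    }


# Constructed events covering each restriction plus one benign start.
SAMPLE_EVENTS = [
    ExecEvent(r"E:\invoice.exe", r"C:\Windows\explorer.exe", False, True),
    ExecEvent(OUTLOOK_TEMP + r"\ABCD1234\quote.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", True, False),
    ExecEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE", True, False),
    ExecEvent(r"C:\Users\alice\Downloads\tool.exe", r"C:\Windows\explorer.exe", False, False),
    ExecEvent(r"C:\Program Files\Vendor\app.exe", r"C:\Windows\explorer.exe", True, False),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(report(ev))
```

Two design points carry over to any real deployment of this kind of control: path comparisons must be case-insensitive and normalised (a rule written for `Content.Outlook` has to catch `content.outlook\..\`), and the rule that fired must travel with the event, since the "why" is what an administrator needs when tuning the policy after a false block.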
Traps provides both static and dynamic execution control.
Basic whitelisting and blacklisting of applications can be easily managed from
the ESM console. Every executable that has ever been run in the organization is
listed in the ESM console along with the WildFire verdict (discussed later in
this chapter). The administrator can easily override the verdict with the click
of a button. For relatively static environments or specialized systems like
point‐of‐sale (POS) or supervisory control and data acquisition (SCADA),
endpoints can be hardened with a strict execution‐control policy. For more
dynamic environments like end‐user workstations, dynamic execution analysis and
control is accomplished through integration with WildFire.
The right set of policy‐based
restrictions results in a hardened endpoint with a greatly reduced attack
surface.
WildFire Analysis and Prevention
Palo Alto Networks WildFire is an advanced, virtual malware
analysis environment, purpose‐built for high‐fidelity hardware emulation,
analyzing suspicious samples as they execute. The cloud‐based service detects
and blocks targeted and unknown malware, exploits, and outbound command‐and‐control
(C&C) activity by observing their actual behavior, rather than relying on preexisting signatures.
In addition to quickly making unknown threats known,
WildFire generates protections that are shared globally in about 15 minutes.
The security service is natively built to run on Palo Alto Networks Next‐Generation
Firewalls and fully integrated with Palo Alto Networks Traps, allowing complete threat prevention and control over
your network and endpoints as cybercriminals attempt to deliver malware or communicate with infected systems.
Behavior‐based cyberthreat discovery
To find unknown malware and exploits, WildFire executes suspicious content in numerous operating
system test environments with full visibility into common file types, such as
the following:
✓ Executables (.exes) and Dynamic Link Libraries (.dlls)
✓ Compressed ZIP files
✓ PDF documents
✓ Office documents
✓ Java
✓ Android Application Packages (APKs)
✓ Adobe Flash applets
✓ Web pages that include high-risk embedded content such as JavaScript, Adobe Flash files, and images, tested against multiple versions of an application running simultaneously
WildFire looks for more than 250 potentially malicious behaviors to determine the true nature of a file from its actions, including the following:
✓ Changes made to host: Observes all processes for modifications to the host, including file and registry activity, code injection, heap spray (exploit) detection, the addition of auto-run programs, mutexes, Windows services, and other suspicious activities.
✓ Suspicious network traffic: Analysis of all network activity produced by the suspicious file, including backdoor creation, downloading of next-stage malware, visiting low-reputation domains, network reconnaissance, and more.
✓ Anti-analysis detection: Monitors for techniques used by advanced malware to avoid virtual machine-based analysis, such as debugger detection, hypervisor detection, code injection into trusted processes, disabling of host-based security features, and more.
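To make the behavior-based verdict concrete, here is an added example (not WildFire code, and not from Palo Alto Networks) of the kind of scoring a sandbox applies to what it observed: a small verdict engine that reads constructed sandbox log lines, counts each technique once under one of the three evidence categories above, and labels the sample without consulting any signature of the file itself. The event names, weights, thresholds and the four sample reports are all assumptions made for the illustration.

```python
"""Toy behavior-based verdict engine (added example, not WildFire code).

Evidence is grouped into the three categories listed above: host changes,
suspicious network traffic and anti-analysis tricks. Event names, weights,
thresholds and the sample reports are constructed for illustration; a real
sandbox derives its indicators from instrumented execution and tunes the
weights on large corpora.
"""
from dataclasses import dataclass, field

# event name -> (evidence category, weight). Constructed values.
INDICATORS = {
    # Changes made to host
    "registry_write_run_key":      ("host_change", 3),   # auto-run persistence
    "create_service":              ("host_change", 3),
    "create_mutex":                ("host_change", 1),   # single-instance marker
    "drop_executable":             ("host_change", 2),
    "heap_spray":                  ("host_change", 4),   # exploit in progress
    "inject_code_trusted_process": ("host_change", 4),
    # Suspicious network traffic
    "dns_low_reputation_domain":   ("network", 3),
    "download_executable":         ("network", 3),       # next-stage payload
    "open_listening_port":         ("network", 3),       # backdoor
    "port_scan":                   ("network", 2),       # reconnaissance
    # Anti-analysis
    "check_debugger":              ("anti_analysis", 2),
    "check_hypervisor":            ("anti_analysis", 2),
    "disable_security_product":    ("anti_analysis", 4),
}
MALICIOUS_THRESHOLD = 6
GRAYWARE_THRESHOLD = 3


@dataclass
class Verdict:
    label: str
    score: int
    by_category: dict
    matched: list = field(default_factory=list)


def parse_report(lines):
    """Parse constructed sandbox log lines, one event per line:
    '<ms> <pid> <process> <event> [detail]'. Malformed lines are skipped;
    events the engine has no indicator for are kept for the caller."""
    events = []
    for line in lines:
        parts = line.split(maxsplit=4)
        if len(parts) < 4:
            continue
        proc, event = parts[2], parts[3]
        detail = parts[4] if len(parts) == 5 else ""
        events.append((proc, event, detail))
    return events


def classify(report_lines):
    """Turn a behaviour report into a verdict. Each technique is counted
    once, however many times the sample repeats it."""
    by_cat = {"host_change": 0, "network": 0, "anti_analysis": 0}
    matched, seen, score = [], set(), 0
    for proc, event, detail in parse_report(report_lines):
        if event not in INDICATORS or event in seen:
            continue
        seen.add(event)
        cat, weight = INDICATORS[event]
        score += weight
        by_cat[cat] += weight
        matched.append(f"{proc}: {event} {detail}".strip())

    if score >= MALICIOUS_THRESHOLD:
        label = "malicious"
    elif by_cat["anti_analysis"] > 0:
        # Probed for a debugger or hypervisor and then did little: it may
        # have recognised the sandbox and gone quiet, so low activity must
        # not be read as benign on this run. Escalate for re-analysis.
        label = "evasive"
    elif score >= GRAYWARE_THRESHOLD:
        label = "grayware"
    else:
        label = "benign"
    return Verdict(label, score, by_cat, matched)


# Constructed reports (not real sandbox output).
DROPPER_REPORT = [
    "0012 1840 invoice.exe check_debugger IsDebuggerPresent",
    "0020 1840 invoice.exe download_executable http://203.0.113.7/u.exe",
    "0031 1840 invoice.exe drop_executable C:\\Users\\Public\\svch0st.exe",
    "0044 1840 invoice.exe registry_write_run_key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "0057 1840 invoice.exe inject_code_trusted_process explorer.exe",
    "0058 1840 invoice.exe inject_code_trusted_process explorer.exe",  # repeat, counted once
]
INSTALLER_REPORT = [
    "0010 2210 setup.exe create_file C:\\Program Files\\Acme\\acme.exe",
    "0015 2210 setup.exe registry_write_uninstall_key HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Acme",
]
EVASIVE_REPORT = [
    "0005 3102 report.exe check_hypervisor cpuid",
    "0006 3102 report.exe exit 0",
]
ADWARE_REPORT = [
    "0009 1500 toolbar.exe create_mutex Global\\TB_1",
    "0030 1500 toolbar.exe dns_low_reputation_domain ads.example",
]

if __name__ == "__main__":
    for name, report in [("dropper", DROPPER_REPORT), ("installer", INSTALLER_REPORT),
                         ("evasive", EVASIVE_REPORT), ("adware", ADWARE_REPORT)]:
        v = classify(report)
        print(f"{name:9} -> {v.label:9} score={v.score:2} {v.by_category}")
        for m in v.matched:
            print("            ", m)
```

Running the module prints a verdict for each constructed report. The "evasive" label is the practical point behind the anti-analysis bullet above: a sample that probes for a debugger or hypervisor and then exits shows almost no host or network activity, so a scorer that treated low activity as benign would let it through; here it is escalated instead.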
Cloud-based dynamic analysis architecture
To support dynamic malware analysis across the network at scale, WildFire is built on a cloud-based architecture (see Figure 6-1). Where regulatory or privacy requirements prevent the use of public cloud infrastructure, a private cloud solution can be built on premises.
WildFire integration provides both the security of granular execution control and the manageability of a dynamic security policy driven by automated analysis of unknown executables (see Figure 6-2).
If an executable file has never been seen before on the endpoint, Traps can submit the file hash for immediate identification by WildFire. If WildFire identifies the file as malicious, Traps will prevent execution before any damage is done. With millions of samples analyzed each day, there is a good chance WildFire has seen the file and can alert Traps if it is malicious. If the file hasn’t been seen by WildFire, it can be automatically uploaded for rapid analysis in order to determine whether it’s malicious. Because both Traps and Palo Alto Networks Next-Generation Firewalls can submit files to WildFire, this integration allows for seamless sharing of threat intelligence between next-generation firewalls and the endpoints.
WildFire’s
threat intelligence significantly increases security posture and protection
against unknown malware. WildFire analyzes an average of 20 million unique
files each week. Of those files, an average of 200,000 are identified as
malicious each week. Each time one of those files is identified as malicious,
protection is available on both the endpoint and network within minutes. On a
recent sample, an average of 54 percent of files identified as malicious by
WildFire were considered unknown by VirusTotal, and 61 percent were
undetectable by the top six enterprise antivirus vendors.
Malware Prevention Modules
If a malicious file isn’t blocked by Advanced Execution Control or WildFire evaluation and is allowed to execute, malicious activity can still be blocked by Traps’ multiple malware prevention modules (MPMs). MPMs focus on core techniques leveraged by many types of malware. For example, they will prevent malicious code from being injected into trusted applications.
Unlike behavioral anomaly detection, which has to observe
a behavior and then try to mitigate after it has occurred, the MPMs within
Traps are designed with prevention in mind. They block the malware techniques
before any malicious behavior occurs. Thread injection is one example of a malware technique that can be blocked by
Traps.
Recognizing the Value of an Integrated Platform
The Palo Alto Networks Enterprise Security Platform is a
natively integrated platform that brings network, cloud, and endpoint security
into a common architecture (see Figure 6-3), with complete visibility and
control, ensuring your organization can prevent breaches.
This next-generation enterprise platform streamlines day-to-day operations and boosts security efficacy, and its multilayered defense model prevents threats at each stage of the cyberattack life cycle. The complete integration between Advanced Execution Control, WildFire analysis, and Malware Prevention Modules enables a multilayered approach to malware prevention (see Figure 6-4).
Chapter 7
Achieving Compliance with Advanced Endpoint Protection
In This Chapter
▶ Going beyond PCI requirements with compensating controls
▶ Enhancing security and compliance with Traps
Security and compliance are two very different issues, and many organizations have to deal with both. Government and industry bodies have developed compliance standards in order to set a minimum bar for securing specific types of data. For example, the major payment card brands (Visa, MasterCard, American Express, Discover, and JCB) jointly developed the PCI Data Security Standard (PCI DSS) in December 2004. As of April 2015, version 3.1 is the most current standard, which includes 12 requirements for protecting cardholder data.
It is important for regulatory
bodies to enact standards that set a minimum bar for protection of certain data
types. In the absence of such standards, CISOs across every industry and
organization would have to convince their executives that each expenditure is
necessary to protect data. Some would succeed, but others would fail to
convince their management to invest, leaving some organizations recklessly
undefended. Standards serve to prevent this by setting a minimum bar that all
organizations are required to achieve.
Compliance with a data protection standard, however, doesn’t
mean that the data is necessarily secure. These standards generally make broad
statements that can be implemented in various ways: some more secure than
others. Furthermore, most standards are changed very infrequently, so the types
of attacks and protection capabilities will evolve significantly while the
standard remains unchanged.
PCI is a great example of just
such a standard. PCI hits on many highly relevant security practices, ensuring
that organizations handling cardholder data are required to implement them. But
PCI isn’t updated frequently to reflect advances in technology and the standard
includes some requirements that are rather limiting in regard to their intended
purpose. Here are two examples:
✓ Why does a security standard require patching? The reason, of course, is to prevent exploitation of vulnerabilities that could lead to a breach of cardholder data. But does the standard require the prevention of exploitation of vulnerabilities? No. It just requires patches to be installed.
✓ Why does a security standard require periodic scanning for viruses? To prevent malware, of course. But the standard requires AV scanning, not malware prevention.
The two examples illustrate the divergence that can occur
between compliance and security. But don’t fear; there is a mechanism to bring
these two worlds in alignment. It’s called compensating controls.
In this chapter, you learn how Advanced Endpoint Protection
helps organizations meet, and even exceed, PCI compliance requirements.
Although this chapter uses PCI as an example, Traps can help
organizations achieve compliance with other security regulations that are
specific to their industry.
Using Compensating Controls for PCI Compliance
According to the PCI Security
Standards Council, the criteria for compensating controls are as follows:
Compensating controls may be considered when an entity
cannot meet a requirement explicitly as stated, due to legitimate technical or documented
business constraints, but has sufficiently mitigated the risk associated with
the requirement through implementation of other controls. Compensating controls
must:
1. Meet the intent and rigor of the original stated PCI DSS requirement;
2. Provide a similar level of defense as the original PCI DSS requirement;
3. Be “above and beyond” other PCI DSS requirements (not simply in compliance with other PCI DSS requirements); and
4. Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement.
When it comes to PCI and many
other regulatory standards, compensating
controls generally fall into one of two
categories:
✓ The organization can’t meet the requirements as they’re specified in the standard, so it’s doing something else to mitigate this risk and hoping the auditor will consider it good enough.
✓ The organization has implemented another (usually newer) type of technology or control that it believes provides the same or better protection. This can happen when the security technology available to the organization has outpaced the regulatory standard.
Traps can be used effectively as a compensating control to provide added defense and enhance a company’s security posture. For example, without Traps, patching is the only way to ensure protection from known vulnerabilities, and there is no reliable method to protect systems from unknown vulnerabilities or those with no available patch. Traps enables organizations to significantly enhance security and exceed PCI DSS requirements by not only blocking exploitation of known vulnerabilities, but also protecting systems from exploitation of unknown vulnerabilities.
Strengthening Security and Compliance Posture with Traps
Traps supports organizations in their efforts to achieve PCI compliance. Traps is an integral part of the Palo Alto Networks Enterprise Security Platform, which also includes a next-generation firewall and the WildFire threat intelligence cloud.
Although every scenario will be
different, the following sections provide a few examples that demonstrate the
use of compensating controls to meet specific PCI requirements.
Use and regularly update antivirus software or programs
PCI DSS Requirement 5 directly addresses the use of antivirus software. However, traditional antivirus/antimalware (AV/AM) software has varying degrees of effectiveness, all based on reactive detection and response methods. AV/AM software is designed to detect and remove malicious software from a system before it disrupts computer operation, gathers sensitive information, or gains access to a system or application. However, these tools have been shown to detect only a fraction of the advanced attacks targeting cardholder data environments. AV/AM identification techniques, whether signature-based, heuristics-based, or behavior-based, have known limitations such as delayed protection against new attacks, potential system performance impacts, and potentially high rates of false positives. Also, security operations teams are often overwhelmed by the sheer volume of malware attacks. As a result, the probability is extremely high that malware and exploits will bypass traditional AV/AM products.
Traps uses a proactive approach to prevent malware and exploits from wreaking havoc, and can run alongside traditional AV/AM software. Instead of focusing on the millions of individual attacks themselves, Traps is designed to proactively stop all attacks targeting endpoints by automatically blocking a core set of techniques that every attacker must link together in order to execute an exploit. Traps also integrates with the WildFire threat intelligence cloud (discussed in Chapter 6), leveraging real-time threat intelligence from thousands of WildFire customers. The efficacy of the antiexploit and antimalware capabilities employed by Traps far exceeds traditional AV/AM products. However, because the requirements still call for obsolete techniques like periodic AV scanning, Traps will be considered a compensating control for this requirement until the regulation is updated to reflect the current state of technology.
Some
organizations may choose to run Traps alongside a free AV solution in order to
maximize both security and compliance.
Develop and maintain secure systems and applications
Software vulnerabilities are discovered at an alarming rate.
Requirement 6 of PCI DSS addresses the need for patch management. However,
patches are often not made available until after a vulnerability has been in
existence for months or years and inevitably it takes time to thoroughly test
and deploy software patches.
PCI DSS requires both prompt
remediation of critical software vulnerabilities (Sub‐requirement 6.2) and
responsible testing and change management (Sub‐requirement 6.4). These can be
conflicting priorities in some circumstances. Furthermore, patches are merely
an after‐the‐fact remedy for a risk that has likely been in place for a long
period of time. Exploit and malware prevention
is the only true preventive control.
As shown in Figure 7-1,
vulnerabilities exist from the time the software is put into use. From that
point until a patch is installed, the system is at risk. By implementing the
exploit and malware prevention in Traps, this risk is virtually eliminated.
This makes Traps an ideal compensating control for PCI DSS Requirement 6.
An organization running Traps on
the critical systems in scope for PCI is in a very different position from most
organizations. Although the standard only requires protection from known
vulnerabilities, an organization running Traps is also protected from unknown
vulnerabilities and should develop
a vulnerability risk assessment
policy that reflects this enhanced environment. In particular, patches that
would be deemed critical for most organizations may not be critical for an
organization running Traps. This is because an assessment of whether the
vulnerability poses “an imminent threat to the environment” would result in a
determination that the system is actually not vulnerable, due to Traps
protection.
Given that Traps provides comprehensive protection from
exploitation of vulnerabilities, both known and unknown, it exceeds the core
PCI requirement, albeit using a method not prescribed by the standard.
Compensating
controls can play a critical role in building a strong security program.
Chapter 8
Ten Ways to Prevent a Modern Attack
In This Chapter
▶ Case example: One attack, ten ways to prevent it
Most traditional, and even next-generation, endpoint protection products rely on a reactive detection and response approach to discover and identify exploits and malware after an endpoint has been compromised, then attempt to clean or quarantine the infected server, workstation, or other endpoint device. But at that point, it’s too late. A cyberattack against your network is already well underway and has already succeeded in achieving some of its initial target objectives.
Palo Alto Networks Traps employs a proactive prevention
strategy that keeps exploits and malware from ever compromising your endpoints
in the first place, and thus thwarts cyberattacks before they gain a foothold in your network.
To understand how Traps
prevents an attack from succeeding, take a look at an actual cyberattack
example. In this case, a PDF file with an embedded exploit is sent to an
unsuspecting user. The user opens the PDF file, which does the following:
✓ Exploits Adobe Reader
✓ Causes Adobe Reader to create a child process, which is Internet Explorer (IE)
✓ Causes IE to download an executable (.exe) file from a malicious website
✓ Executes the new .exe file, which then performs malicious activities on the endpoint, including thread injection into IE
This is a common chain of events
in many attacks. The specific file type, exploit, and malicious executable
payload may vary, but the steps are largely the same from one attack to
another. The key to stopping an attack is to break this chain of events at the earliest possible stage of the
attack.
To prevent an attack from
succeeding, Traps provides prevention capabilities and multiple layers of
protection at each stage of the attack to block the attackers’ ability to
compromise the endpoint and move laterally within the enterprise. In this
particular attack example, Traps would prevent the attack at ten different
steps, thus taking every opportunity to prevent a compromise before it occurs
(see Figure 8-1):
Figure 8-1: Traps prevents this attack example at ten points in the cyberattack life cycle.
✓ Exploitation Technique 1: Remember, for the exploit to work, it has to use a series of techniques in order to successfully exploit the vulnerability in the targeted application, Adobe Reader in this case. In this example, the exploit uses operating system (OS) functions. Although the exploit could be a brand-new zero day, the techniques it has to use are common, and new techniques are very rare (typically two to four per year).
✓ Exploitation Technique 2: In this example, JIT spraying is used as a common circumvention technique for data execution prevention (DEP), which does not allow execution from non-code regions in memory. Again, Traps prevents the exploit from executing, so that even if the first exploit technique for some reason succeeds, the second exploit technique fails and the attack is thwarted.
✓ Exploitation Technique 3: In this example, heap spraying is used next in order to facilitate arbitrary code execution. This common exploitation technique allows the attacker to overcome the problem of predicting the location in memory where the attacker’s code will land. The attacker “sprays” the heap with many copies of the code so that a guessed address has a high probability of landing inside one of them.
✓ Execution Restriction 1: In this example, Adobe Reader creates a child process (a technique commonly used to avoid antivirus detection). Traps restricts child processes from executing arbitrarily and thus prevents the attack from succeeding.
✓ Execution Restriction 2: In this example, the attacker attempts to run an unsigned executable. Here again, Traps prevents the executable from running, based on rules that can be customized by an administrator.
✓ Execution Restriction 3: In this example, an executable attempts to run from a restricted location, the IE temp folder. These locations can be customized by an administrator if needed.
✓ Local Verdict Check: A local verdict check compares the file against an administrator-configured blacklist to determine whether the file is explicitly blocked, or against a whitelist to determine whether the file has been explicitly allowed regardless of its WildFire verdict.
✓ WildFire Known Verdict: Traps checks the file against the Palo Alto Networks WildFire cloud-based threat intelligence service by sending the file hash. In this example, WildFire responds that the file is known to be malicious, and therefore it is not allowed to execute.
✓ WildFire On-Demand Inspection: If WildFire has never seen the file, it can be uploaded for analysis and not allowed to run until WildFire provides a verdict.
✓ Malware Prevention Module: If the malicious executable is allowed to run, it will attempt a thread injection into IE. This malware technique is blocked by the Thread Injection malware prevention module in Traps.
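The execution-control steps above and the Advanced Execution Control and WildFire-integration passages in Chapter 6 describe one ordered decision chain. The following added example (not Traps or Palo Alto Networks code) replays that chain in Python for a process launch: restriction rules, the administrator’s local blacklist and whitelist, a cached hash verdict that stands in for the WildFire lookup, and a hold for files nobody has seen. It assumes the OS has already verified the image’s signature, uses a SHA-256 of the file bytes as the lookup key, and does not model the runtime Malware Prevention Module stage; paths, rule values, the verdict cache and the sample launches are constructed for the illustration.

```python
"""Toy endpoint execution-control pipeline (added example, not Traps code).

Checks run in the order of the walkthrough: restriction rules, local
verdict (blacklist/whitelist), cached hash verdict, then a hold for
unknown files pending analysis. Everything below is constructed; the
`signed` flag is assumed to come from the OS loader's signature check.
"""
import hashlib
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class LaunchRequest:
    path: str        # full path of the image being started
    parent: str      # image name of the process creating it
    signed: bool     # assumed: Authenticode signature already verified by the OS
    removable: bool  # image lives on removable (USB) media
    content: bytes   # image bytes, hashed for the verdict lookup


# Administrator-defined lists and restriction rules (constructed values).
WHITELIST_SHA256: set = set()
BLACKLIST_SHA256: set = set()
DOCUMENT_APPS = {"acrord32.exe", "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
RESTRICTED_PATH_MARKERS = (
    "\\temporary internet files\\",   # IE temp folder
    "\\inetcache\\",
    "\\content.outlook\\",            # Outlook temp folder
)
BLOCK_REMOVABLE_MEDIA = True

# sha256 -> "malware" | "benign"; stands in for the cloud's known verdicts.
VERDICT_CACHE: dict = {}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def receive_verdict(digest: str, verdict: str) -> None:
    """Called when the analysis service returns a verdict for a submitted hash."""
    VERDICT_CACHE[digest] = verdict


def restriction_rule(req: LaunchRequest):
    """Return the name of the first restriction rule that applies, or None."""
    path = req.path.lower()
    if req.parent.lower() in DOCUMENT_APPS:
        return "child-process-of-document-app"
    if not req.signed:
        return "unsigned-executable"
    if any(marker in path for marker in RESTRICTED_PATH_MARKERS):
        return "restricted-location"
    if BLOCK_REMOVABLE_MEDIA and req.removable:
        return "removable-media"
    return None


def decide(req: LaunchRequest):
    """Return (decision, reason); decision is 'allow', 'block' or 'hold'.
    The first check that fires wins."""
    rule = restriction_rule(req)
    if rule:
        return "block", f"restriction:{rule}"
    digest = sha256(req.content)
    if digest in BLACKLIST_SHA256:
        return "block", "local-verdict:blacklist"
    if digest in WHITELIST_SHA256:            # explicit allow overrides the cloud verdict
        return "allow", "local-verdict:whitelist"
    verdict = VERDICT_CACHE.get(digest)
    if verdict == "malware":
        return "block", "hash-verdict:malware"
    if verdict == "benign":
        return "allow", "hash-verdict:benign"
    # Never seen: submit for analysis and do not run until a verdict arrives.
    return "hold", "hash-verdict:unknown-submitted"


# The chain from the text: Reader spawns IE, IE downloads and runs an .exe.
READER_SPAWNS_IE = LaunchRequest(
    path="C:\\Program Files\\Internet Explorer\\iexplore.exe",
    parent="AcroRd32.exe", signed=True, removable=False, content=b"constructed iexplore")
IE_RUNS_PAYLOAD = LaunchRequest(
    path="C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\update.exe",
    parent="iexplore.exe", signed=False, removable=False, content=b"constructed payload")


def chapter8_chain():
    """Which check stops each launch in the text's example, and which
    would stop the payload if the attacker had managed to sign it."""
    return [decide(READER_SPAWNS_IE),
            decide(IE_RUNS_PAYLOAD),
            decide(replace(IE_RUNS_PAYLOAD, signed=True))]


if __name__ == "__main__":
    for outcome in chapter8_chain():
        print(outcome)
```

Running the module replays the PDF, Reader, IE, .exe chain and prints which check stops each launch; the third line shows that signing the payload only moves the block to the restricted-location rule. Calling receive_verdict() with a hash that previously produced a hold turns later launches of the same bytes into an allow or a block, which is the shared hash verdict behaviour described above and in Chapter 6.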
While this is just one example,
most modern attacks will use some combination of these steps and various
exploit and malware techniques. Whereas most endpoint protection approaches
focus on one blocking method (whitelisting, for example), Traps takes advantage
of every opportunity to prevent compromise. Any one of these “kill points” is
enough to prevent the attack. The key takeaway to consider when evaluating
endpoint protection solutions is this: Advanced Endpoint Protection is a new
category of security products that encompasses all the prevention capabilities
described here to prevent both known and unknown exploits and malware. Other
approaches, even those labeled “next-generation” endpoint protection, fall
short because rather than truly preventing all these stages of the attack, they
generally wait for them to happen and then attempt to mitigate the damage,
through some kind of quarantine, isolation, or cleanup.
When
choosing an Advanced Endpoint Protection solution, ensure that it has the
capability to prevent compromise at the early stages of the cyberattack life
cycle before any damage can be done. Prevention of zero-day exploits is a must.
Glossary
adware: Pop‐up
advertising programs that are commonly installed with freeware or shareware.
API: Application
Programming Interface. A set of routines, protocols, and tools for developing
software applications.
APT: Advanced
Persistent Threat. An Internet‐borne attack usually perpetrated by a group of
individuals with significant resources, such as organized crime or a nation‐state.
backdoor: Malware
that enables an attacker to bypass normal authentication to gain access to a
compromised system.
bootkit: A rootkit that infects the boot process (for example, the MBR) so that it loads before the operating system; commonly used to attack computers that are protected by full-disk encryption, because it runs before the encrypted volume is unlocked.
bot: A target computer that is infected by malware and is part of a
botnet (also known as a zombie).
bot herder (or bot
master): The owner or individual who controls a botnet.
botnet: A broad
network of bots working together.
BYOD (bring your own device): A current policy trend in which
employees are permitted to use their personal mobile devices, such as smartphones
and tablets, in the workplace for work‐related and personal business.
DDNS: Dynamic DNS is a technique used to update domain name system
(DNS) records for networked devices in real time.
DDoS: Distributed denial-of-service is a large-scale attack that typically uses bots in a botnet to overwhelm a targeted network or server.
drive‐by‐download: Software, often malware, downloaded onto a
computer from the Internet without the user’s knowledge or permission.
endpoint: Any computing
device on the network, including server, desktop or laptop computer, tablet, or
smartphone.
exploit: Software or code that takes advantage of a vulnerability
in an operating system or application, and causes unintended behavior in the
operating system or application, such as privilege escalation, remote control,
or a denial‐of‐service.
GoToMyPC: A remote control software service, owned by Citrix
Systems, that allows users to operate a remote computer over the Internet.
heap memory: A large pool of memory (typically per process) from which the running program can request chunks.
IM: Instant
messaging. A type of online chat that provides real‐time text messaging over
the Internet.
IPsec: An open-standard suite of protocols used for secure virtual private network (VPN) communications over public IP-based networks.
IRC: Internet
Relay Chat. A client/server protocol that enables text messages to be exchanged
over the Internet.
LogMeIn: A proprietary remote access service that enables users to operate a remote computer over the Internet.
logic bomb: A program, or portion thereof, designed to perform some
malicious function when a predetermined circumstance occurs.
malware: Malicious software or code that typically damages or
disables, takes control of, or steals information from a computer system.
Malware broadly includes viruses, worms, Trojan horses, logic bombs, rootkits,
bootkits, backdoors, spyware, and adware.
MBR: Master Boot Record. The first sector of a partitioned storage
device (such as a hard disk drive or USB thumb drive) that contains information
on how file systems are organized on the device.
nmap: Network mapper is a security
scanner used to discover network hosts and services.
P2P: Peer‐to‐peer.
An application or network that distributes workload across multiple peers or
nodes.
PCAP: Packet
capture. An application programming interface ( API) for capturing network
traffic for analysis.
PCI DSS: Payment
Card Industry Data Security Standard. A broad computer security mandate
developed by the major payment card brands, including American Express,
Discover, JCB, MasterCard, and Visa.
PLC: Programmable logic controller. A small computer typically used
to automate industrial electromechanical processes.
polymorphism: Polymorphism is used in malware to avoid signatures by regularly mutating to avoid simple signature matches.
process: An instance of a program running or executing.
RBL: Real‐time blackhole list. A list of IP addresses that have
been associated with spamming. IP addresses on an RBL may be blocked from
sending email by email servers using an RBL service.
RDP: Remote
Desktop Protocol. A proprietary remote access protocol, developed by Microsoft,
which enables users to operate a remote computer over the Internet.
rootkit: Malware that hides its own presence and provides persistent privileged (root-level) access to a computer.
security
information and event management (SIEM): SIEM provides real‐time analysis
of security alerts generated by enterprise security solutions.
social engineering: A low-tech attack method that manipulates people, using techniques such as impersonation, shoulder surfing, and dumpster diving, to obtain sensitive information, such as passwords, from a user.
spear phishing: A targeted phishing attempt that seems more credible to its victims and thus has a higher probability of success. For example, a spear phishing email may spoof an organization or individual that the recipient actually knows.
spyware: Software that gathers information about a person or organization without that person’s or organization’s knowledge or consent.
SSH: Secure Shell is a set of standards and an associated network
protocol that establishes a secure channel between a local and a remote
computer.
SSL: Secure Sockets Layer is a deprecated transport layer protocol, the predecessor of TLS, that provides session-based encryption and authentication for secure communication between clients and servers.
TCP: Transmission Control Protocol. A connection‐oriented network
protocol that provides reliable delivery of packets over a network.
TLS: Transport
Layer Security. A cryptographic protocol used for secure Internet
communication.
Trojan horse: A
program that purports to perform a given function, but which actually performs
some other (usually malicious) function.
UDP: User Datagram Protocol. A connectionless network protocol that doesn’t guarantee packet delivery or the order of packet delivery over a network.
virus: A set of
computer instructions whose purpose is to embed itself within another computer
program in order to replicate itself.
vulnerability: A
bug or flaw in software that creates a security risk which may be exploited by
an attacker.
VPN: Virtual
Private Network. A private network used to communicate privately over public
networks. VPNs utilize encryption and encapsulation to protect and simplify
connectivity.
worm: Malware that usually has the capability to replicate itself
from computer to computer without the need for human interaction.