Building Next-Gen Security
Framework and Architecture for Preventing Cyber Attacks
Slide 3
Cyber Attack Life Cycle
Know Your Enemy
Slide 4
Cyber Kill Chain (2010)
Source: http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
Slide 5
Cyber Attack Life Cycle
Stages: Reconnaissance; Weaponization and Delivery; Exploitation; Installation; Command-and-Control; Actions on the Objective (Unauthorized Access, Unauthorized Use)
Attacker motives: Cyber Crime, Cyber Espionage, Cyber Warfare, Cyber Hacktivism, Cyber Mischief, Cyber Terrorism (create fear by threatening employees)
Example objectives: exfiltrate intellectual property; steal credit card information; destroy critical infrastructure; deface your website; dox embarrassing email messages
Slide 6
Wanacrypt Ransomware
Slide 7
1. Reconnaissance
Attackers research, identify, and select targets, oftentimes using phishing tactics or extracting public information from an employee's LinkedIn profile or corporate websites. These criminals also scan for network vulnerabilities and for services or applications they can exploit.
• Email harvesting
• Person profile, credentials
• Server & application profile
Slide 8
2. Weaponization & Delivery
Exploit vs. Malware – What’s the Difference?
Exploit
• Malformed data file that is processed by a legitimate app
• Takes advantage of a vulnerability in the legitimate app which allows the attacker to run code
• ‘Tricks’ the legitimate application into running the attacker’s code
• Small payload
Malware
• Malicious code that comes in an executable file form
• Does not rely on any application vulnerability
• Already executes code – aims to control the machine
• Large payload
Slide 9
Type of Exploit
1. Known Exploit
• Announced publicly
• Patch is available
• Everyone knows
• Signature available
2. Unknown (0-Day) Exploit
• No patch available
• Vendor is not aware of it
• Found by hackers or by surveillance
• Sold on the black market
Slide 10
Type of Malware
• Worms: These programs have the ability to replicate themselves. Their sole objective is to increase their population and transfer themselves to other computers via the internet or through storage media.
• Viruses: They also have the ability to replicate themselves, but they do damage files on the computer they attack. Their main weakness lies in the fact that they can get into action only if they have the support of a host program; otherwise they're just like a defeated warrior.
• Trojans: Basically, Trojans are not viruses, and are not meant to damage or delete files on your system. Their sole task is to provide a backdoor gateway for malicious programs or malevolent users to enter your system and steal your valuable data without your knowledge and permission.
• Adware: Adware is used to display advertisements in the programs.
• Spyware: These programs also come attached with other freeware software, track your browsing and other personal details and send them to a remote user. They can also facilitate installation.
• Bots: Bots or robots are automated processes that are designed to interact over the internet without the need for human interaction.
• Ransomware: These types of malware alter the normal operation of your machine, thus barring you from using it properly.
Slide 11
Make use of software vulnerability for delivery
Diagram: carrier files of common file types carry an exploit; when the victim opens the file, the exploit runs and the unknown malware is delivered.
Slide 12
Wanacrypt makes use of Exploit & Worm & Ransomware
Diagram: Wanacrypt (malware) spreads from host to host, including into cloud and virtualization environments, by using the MS17-010 exploit against each new host.
Slide 13
Malware Delivery methods
Delivery channels: applications; file transfer; evasive, encrypted channels (Ultrasurf, BitTorrent, Tor, VPN, etc.); HTTP, HTTPS; social media, SaaS, AD, etc.; USB; web, social, SaaS
Wanacrypt
Slide 14
3. Exploitation (Exploit)
Slide 15
4. Installation (Malware)
• Targeted and custom malware
• Polymorphic malware
• Newly released malware
Highly variable time to protection. Advanced malware is increasingly able to:
- avoid traditional AV honey-pots (targeted malware)
- evolve before protection can be delivered, via polymorphism, re-encoding, and changing URLs
Wanacrypt
Slide 16
5. Command and Control
Diagram: Wanacrypt host communicating with a C2 Server
Slide 17
6. Action on Objectives (Cyber Crime)
Slide 18
Lesson Learned
1. Prevention is 1st priority
2. Detection, response and remediation is 2nd priority
3. Zero-Trust architecture is a must
4. Kill-Switch is not a solution
5. Breaking every stage of the life cycle is the best
6. Patching is important
7. Backup and tested recovery is important
Slide 19
Building Next-Gen Security Framework and Architecture
Know Yourself
Slide 20
PWC & PANW Security Framework White Paper
Source: https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/white-papers/pwc-executive-summary.pdf
Slide 21
Security Framework: A Guide for Business Leaders
Diagram centred on Business Priorities, with four quadrants:
IDENTIFY: Governance; Risk Strategy; Asset Management; Incident Response Planning
PROTECT & PREVENT: Define Information Security Policies; Enforce Policy to Reduce Attack Surface; Prevent Known Threats; Prevent Unknown Threats
MONITOR & ANALYZE: Observe All Network Traffic; Visibility of All Applications, Users and Content
DETECT & RESPOND: Detection Notifications; Mitigate Incident; Enhance Protection
Source: https://www.paloaltonetworks.com/resources/whitepapers/pwc-security-framework-guide-for-business-leaders
Slide 22
PALO ALTO NETWORKS: SECURITY FRAMEWORK
Slide 23
PREVENTION SECURITY FRAMEWORK
COMPLETE VISIBILITY: all applications; all users; all content; encrypted traffic; private cloud; public cloud; mobile
REDUCE ATTACK SURFACE: enable business apps; block “bad” apps; limit app functions; limit file types; block websites
PREVENT KNOWN THREAT: exploits; malware; command & control; malicious websites; bad domains; credential theft and abuse
PREVENT UNKNOWN THREAT: dynamic analysis; static analysis; bare metal analysis; anomaly detection; analytics
Automated Conversion
Slide 24
24 | © 2017, Palo Alto Networks. Confidential and Proprietary.
SECURITY FRAMEWORK: COMPLETE VISIBILITY
Slide 25
Example visibility record for one session:
size: 344 KB
URL category: file-sharing
file type: PowerPoint
content: “Confidential and Proprietary”
user: Jason
group: prodmgmt
destination country: canada
source IP: 172.16.1.10
destination IP: 64.81.2.23
destination port: TCP/443
protocol: SSL, HTTP
application: slideshare
application function: slideshare-uploading
Slide 26
70% Encrypted Internet Traffic in 2016
Slide 27
Application Visibility (Complete Visibility)
Slide 28
User Visibility (Complete Visibility)
Slide 29
Content Visibility (URL, Filename, FileType) (Complete Visibility)
Diagram: users in Marketing and IT Admin; file Type: Doc, Office; Name: ABC.doc; URL Category
Slide 30
SECURITY FRAMEWORK: REDUCE ATTACK SURFACE
Slide 31
REDUCE ATTACK SURFACE
Apply “Least Privilege” Policy
Only allow the required apps, users, content; block all unknown.
Diagram: per-group policy for Marketing, DB Admin, Accounting, IT Admin
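As an added example (not from the deck), the least-privilege rule on this slide as a default-deny policy evaluator in Python, run over session records shaped like the visibility record on the Complete Visibility slide; the rule names, group names, the "slideshare-base" function label and the sample sessions are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """One session, with the fields the visibility record slide carries."""
    user: str
    group: str
    application: str
    app_function: str
    file_type: str           # "" when the session carries no file
    content_tags: frozenset  # content classifications matched in the payload
    url_category: str


@dataclass(frozen=True)
class Rule:
    name: str
    groups: frozenset
    applications: frozenset
    functions: frozenset                       # {"*"} allows every function of the app
    file_types: frozenset                      # {"*"} allows any file type
    blocked_content: frozenset = frozenset()   # content tags that force a block


ANY = frozenset({"*"})

# Constructed policy: each group gets only the app functions its job needs.
# Nothing here allows "unknown": traffic that matches no rule is blocked.
RULES = (
    Rule("marketing-slideshare", frozenset({"marketing"}), frozenset({"slideshare"}),
         ANY, frozenset({"PowerPoint", "PDF"}),
         blocked_content=frozenset({"Confidential and Proprietary"})),
    # "slideshare-base" is a constructed label for viewing (non-upload) use.
    Rule("prodmgmt-slideshare-view", frozenset({"prodmgmt"}), frozenset({"slideshare"}),
         frozenset({"slideshare-base"}), ANY),
    Rule("dbadmin-mysql", frozenset({"db-admin"}), frozenset({"mysql"}), ANY, frozenset()),
)


def evaluate(session, rules=RULES):
    """Return (action, reason). The first matching rule decides; no match means block."""
    for r in rules:
        if session.group not in r.groups or session.application not in r.applications:
            continue
        if "*" not in r.functions and session.app_function not in r.functions:
            continue
        if session.file_type and "*" not in r.file_types and session.file_type not in r.file_types:
            continue
        if session.content_tags & r.blocked_content:
            return ("block", f"{r.name}: content")   # right app, wrong content
        return ("allow", r.name)
    return ("block", "default-deny")                 # unknown app, user or content


# Constructed sessions. The first mirrors the record on the visibility slide:
# Jason in prodmgmt uploading a PowerPoint tagged "Confidential and Proprietary".
JASON_UPLOAD = Session("Jason", "prodmgmt", "slideshare", "slideshare-uploading",
                       "PowerPoint", frozenset({"Confidential and Proprietary"}), "file-sharing")
MARKETING_UPLOAD = Session("Ann", "marketing", "slideshare", "slideshare-uploading",
                           "PDF", frozenset(), "file-sharing")
MARKETING_LEAK = Session("Ann", "marketing", "slideshare", "slideshare-uploading",
                         "PowerPoint", frozenset({"Confidential and Proprietary"}), "file-sharing")
PROXY_AVOIDANCE = Session("Bob", "accounting", "ultrasurf", "ultrasurf-base",
                          "", frozenset(), "proxy-avoidance")

if __name__ == "__main__":
    for s in (JASON_UPLOAD, MARKETING_UPLOAD, MARKETING_LEAK, PROXY_AVOIDANCE):
        print(s.user, s.application, s.app_function, "->", evaluate(s))
```

Jason's upload is blocked not because slideshare is forbidden to him but because uploading was never allowed for his group, which is the default-deny point of the slide.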
Slide 32
SECURITY FRAMEWORK: PREVENT KNOWN THREATS
Known threats: vulnerabilities, CnC, viruses, malware, drive-by downloads, malicious DNS, Trojans, worms, botnets, spyware, credential theft, malicious URLs
Slide 33
CREDENTIAL THEFT AND ABUSE PREVENTION (Prevent Known Threat)
Attack flow:
1. Phishing email sent to victim
2. Credentials sent to phishing page
N. Adversary navigates through the network to access critical applications (Source Code, ERP, Intranet) with stolen credentials
Prevention:
• Email link inspection and phishing URL prevention
• Suspicious credential submission blocked
• Policy-based MFA enforced at the network layer (RADIUS)
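Added example, not part of the deck: the "suspicious credential submission blocked" control on this slide as a Python check that classifies an HTTP form POST by whether it carries a corporate username and password and where it is going. The credential store, sanctioned login hosts, URL categories and sample submissions are all constructed.

```python
import hashlib
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the enforcement point's copy of directory
# credentials: username -> salted hash. A real deployment holds hashed or
# bloom-filtered credentials, never plaintext passwords.
SALT = b"constructed-salt"


def _h(password):
    return hashlib.sha256(SALT + password.encode()).hexdigest()


CORP_CREDS = {"jason": _h("Winter2017!"), "ann": _h("correct horse")}
SANCTIONED_LOGIN_HOSTS = {"sso.acme.example", "mail.acme.example"}  # constructed
HIGH_RISK_CATEGORIES = {"phishing", "unknown", "newly-registered"}   # constructed


def check_submission(url, url_category, form_body):
    """Classify one HTTP form POST. Returns (action, reason).

    action is "allow", "alert" or "block". The check runs inline, so a
    "block" stops the credentials reaching the destination.
    """
    fields = {k: v[0] for k, v in parse_qs(form_body).items()}
    user = fields.get("username") or fields.get("user") or fields.get("email")
    password = fields.get("password") or fields.get("pass")
    if not user or not password:
        return ("allow", "no credential fields")
    key = user.lower()
    if key not in CORP_CREDS:
        return ("allow", "not a corporate username")
    host = urlsplit(url).hostname
    if host in SANCTIONED_LOGIN_HOSTS:
        return ("allow", "sanctioned login host")       # the normal SSO path
    if _h(password) == CORP_CREDS[key]:
        # A valid corporate credential leaving for a non-corporate host is
        # step 2 of the attack flow above, so it is blocked outright.
        return ("block", f"corporate credential for {user} submitted to {host}")
    if url_category in HIGH_RISK_CATEGORIES:
        return ("block", f"corporate username submitted to {url_category} site")
    return ("alert", f"corporate username submitted to {host}")


# Constructed submissions: a phishing page imitating the SSO portal, the real
# SSO portal, a non-corporate account, a page without a login form, and a
# corporate username with a different password on a social site.
SAMPLES = [
    ("https://login-acme.example/verify", "phishing", "username=Jason&password=Winter2017%21"),
    ("https://sso.acme.example/login", "business", "username=jason&password=Winter2017%21"),
    ("https://shop.example/login", "shopping", "username=stranger&password=hunter2"),
    ("https://news.example/search", "news", "q=ransomware"),
    ("https://forum.example/login", "social-networking", "username=ann&password=other"),
]

if __name__ == "__main__":
    for url, category, body in SAMPLES:
        print(urlsplit(url).hostname, check_submission(url, category, body))
```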
Slide 34
SECURITY FRAMEWORK: PREVENT UNKNOWN THREAT
Slide 35
Unknown Threat Analysis Engine
Static Analysis: heuristic engine and new machine learning; detection of known exploits, malware, and new variants
Dynamic Analysis: detonation reveals zero-day exploitation & malware
Bare Metal Analysis: dynamically steers highly evasive, suspicious files to bare metal; detonates malware on real hardware, detecting all VM-aware malware; final frontier for anti-VM detection
The only custom-built anti-evasion malware analysis environment
Slide 36
SECURITY FRAMEWORK: AUTOMATED CONVERSION
Indicators of Compromise: malware payload; C2 payload; C2 domain & URL; malicious URL link; IP connectivity
Slide 37
PREVENTION SECURITY FRAMEWORK
Complete Visibility + Reduce Attack Surface + Prevent Known Threat + Prevent Unknown Threat + Automated Conversion + GLOBAL SHARING
Slide 38
How Global Threat Intelligence sharing works
Each participating site contributes and receives content (malicious URLs, C&C domains, malware signatures), updated every 5 minutes.
Threat Intel Big Data
• 150M samples/month
• 100,000 new protections/day
• More than 2B files
• More than 500B artifacts
Slide 39
Palo Alto Networks’ Platform – Prevention Down the Kill Chain
Columns (platform components): App-ID, User-ID, Content-ID, GlobalProtect, IPS (Exploit), WildFire (Unknown), URL Filtering, TRAPS (End-point), Aperture (SaaS), AutoFocus (Threat Intel)
Rows (Attack Life Cycle), with one X per component that applies, as extracted:
Recon: X X
Delivery: X X X X X X X X X X
Establish Beachhead (Exploit & Malware): X X X X X
Command & Control: X X X X X X X X
Actions on the Objective: X X X X X X X X X X
Slide 40
Zero-Trust Model Architecture
Slide 41
Zero-Trust Model
All resources are accessed in a secure manner regardless of location.
Access control is on a “need-to-know” basis and is strictly enforced.
Verify and never trust.
Inspect and log all traffic.
The network is designed from the inside out.
Source: Forrester Research
Slide 42
Break all stages of the Life Cycle at all Locations
Diagram: the Wanacrypt propagation picture (Wanacrypt hosts, cloud & virtualization, MS17-010 exploit between hosts), with prevention applied at every stage and every location.