1 | © 2017, Palo Alto Networks, Inc. Confidential and Proprietary.

CYBER WEAPONS TRAINING

Cyber Weapons Training Agenda

Today’s Breach Detection Gap

Threats: Malware, Risky Behavior, Insiders & Advanced Attacks

Top Cyber Weapons

Signature vs. Behavior-based Attack Detection

Automated Behavioral Analytics

Breach Detection Gap

99% of post-intrusion attacks such as reconnaissance and lateral movement do not originate from malware.

170 days is the median length of time that attackers are present on a victim's network before detection.

Most organizations focus on malware and external attacks, but cannot detect attackers in their network.

Most organizations cannot find breaches on their own.

Sources: LightCyber Cyber Weapons Report, Ponemon

Most Organizations Focus Only on Malware

Threats Analyzed for Cyber Weapons Research: Targeted Attacks, Insider Attacks, Risky Behavior, and Malware

Targeted Attacks

Outside the Network: Intrusion (Seconds – Minutes)

Inside the Network: Active Breach (Hours – Weeks): Establish Backdoor, Recon & Lateral Movement, Data Exfiltration

1. Attacker compromises a client or server in the network
2. Attacker performs reconnaissance and moves laterally to find valuable data
3. Attacker steals data by uploading or transferring files

Insider Attacks

Phases: Recon & Lateral Movement, Abuse of User Rights, Data Exfiltration

1. Employee is upset by a demotion and decides to steal data and quit the job
2. Employee accesses many file shares, including rarely accessed file shares
3. Employee uses another user's credentials and exfiltrates a large volume of data

IT Assets at Risk

• Databases and file servers are considered the most vulnerable to insider attacks

SOURCE: LinkedIn Group - Insider Threat Report sponsored by LightCyber

(Diagram: Insider, File Server, Sensitive Data)

Risky Behavior

1. Remote desktop access from home
2. User credentials for a service account shared by multiple admins
3. Access to high-risk websites

(Diagram: User, IT Admin, Home Desktop, Remote Desktop, High Risk Website, Internet)

Data Breach Incidents

SOURCE: 2016 Verizon Data Breach Investigations Report

Miscellaneous errors, such as misconfiguration, misdelivery, and other errors, accounted for the highest number of data breaches in 2015.

‘With all of the hubris and bravado in the InfoSec world, one proclamation we usually don’t hear is “Our employees NEVER make mistakes.”’

Malware: Ransomware Attack

1. User downloads ransomware from a website or opens a malicious email attachment
2. Infected client contacts the command and control server and receives a unique cryptographic key
3. Ransomware encrypts data on the local client
4. Ransomware encrypts data on network drives

(Diagram: Laptop, File Servers, Malicious Website, Infected Email, Command & Control, Internet)

Cyber Weapons Research Findings

Based on Anonymized Alert Data and Network-to-Process Association (N2PA) Technology

Top Attack Behaviors

• Reconnaissance was the most common attack behavior
• Reconnaissance is an iterative process of trial and error as attackers search for valuable assets

Cyber Weapons Used in Phases of an Attack

Networking and Hacking Tools
• Attackers use well-known tools to map the network, probe clients, and monitor activity
• Ncrack (brute-forcing network logins), Mimikatz, and Windows Credential Editor (dumping credentials from memory) can be used to obtain user credentials
• Some tools are native OS utilities

Admin Tools
• Attackers use a variety of command line shells, including native OS utilities
• Admin tools are used for lateral movement as well as recon and exfiltration

Remote Desktop Tools
• Remote desktop tools are used for C&C and lateral movement
• They are also indicative of risky user behavior

Malware
• 28% of suspicious processes associated with alerts were either malware or riskware
• 1% of east-west threats originated from malware

Major Findings

• 70%+ of malware was only detected on a single site, revealing targeted & polymorphic variants
• Attackers often use "benign" apps, native OS tools and web browsers to conduct attacks
• Companies that only look for malware will miss attackers that are already in the network
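The findings above rest on two things the deck names but does not show: associating each network connection with the process that opened it (N2PA), and then judging how ordinary tools such as remote desktop clients and command shells are being used. The following Python is an added illustration, not LightCyber or Palo Alto Networks code. It joins constructed flow records to constructed endpoint process records by source host, source port and time, then counts how many distinct hosts each (host, user, process) reaches over RDP (port 3389) and SMB (port 445). The RDP threshold of 20 workstations is taken from the risky-behavior example later in the deck; the SMB threshold of 10, the record layouts, and every host, user and process name are assumptions made for the example.

```python
"""Network-to-process association and tool fan-out detection.
Added example with constructed data; not LightCyber/Palo Alto Networks code."""
from collections import defaultdict

RDP_PORT, SMB_PORT = 3389, 445
SERVICE = {RDP_PORT: "rdp", SMB_PORT: "smb"}


def build_sample():
    """Constructed telemetry with hypothetical host, user and process names.
    Flow record:    (t, src_host, src_port, dst_host, dst_port)
    Process record: (host, pid, process, user, local_port, t_open, t_close)"""
    net, procs = [], []
    # an admin's mstsc.exe opening RDP sessions to 25 workstations
    for i in range(25):
        t = 100 + i * 30
        net.append((t, "ADM-WS", 50000 + i, f"WS-{i:03d}", RDP_PORT))
        procs.append(("ADM-WS", 4242, "mstsc.exe", "admin01", 50000 + i, t, t + 25))
    # one powershell.exe on a workstation touching 15 servers over SMB
    for i in range(15):
        t = 2000 + i * 5
        net.append((t, "WS-042", 51000 + i, f"SRV-{i:02d}", SMB_PORT))
        procs.append(("WS-042", 9001, "powershell.exe", "jdoe", 51000 + i, t, t + 3))
    # ordinary browsing: three HTTPS connections from a browser
    for i in range(3):
        t = 3000 + i
        net.append((t, "WS-017", 52000 + i, f"web{i}.example", 443))
        procs.append(("WS-017", 1337, "chrome.exe", "mwong", 52000 + i, t, t + 60))
    # a flow from a host with no process telemetry at all
    net.append((4000, "WS-099", 53000, "SRV-00", SMB_PORT))
    return net, procs


def associate(net, procs, slack=2):
    """N2PA-style join: attribute each flow to the process that owned the
    source port on the source host when the flow started (+/- slack seconds)."""
    owners = defaultdict(list)                       # (host, port) -> candidates
    for host, pid, proc, user, port, t_open, t_close in procs:
        owners[(host, port)].append((t_open - slack, t_close + slack, pid, proc, user))
    assoc = []
    for t, src, sport, dst, dport in net:
        owner = next(((pid, proc, user) for t0, t1, pid, proc, user
                      in owners.get((src, sport), ()) if t0 <= t <= t1), None)
        assoc.append((t, src, dst, dport, owner))
    return assoc


def fanout_findings(assoc, rdp_threshold=20, smb_threshold=10):
    """Count distinct destinations per (host, user, process, service) and flag
    fan-out above threshold. The RDP figure (20 workstations) is the deck's own
    risky-behavior example; the SMB figure is an assumption."""
    targets = defaultdict(set)
    unattributed = 0
    for t, src, dst, dport, owner in assoc:
        if owner is None:
            unattributed += 1            # flows with no owning process: coverage gap
            continue
        service = SERVICE.get(dport)
        if service:
            _pid, proc, user = owner
            targets[(src, user, proc, service)].add(dst)
    findings = []
    for (src, user, proc, service), dsts in targets.items():
        limit = rdp_threshold if service == "rdp" else smb_threshold
        if len(dsts) > limit:
            findings.append({"host": src, "user": user, "process": proc,
                             "service": service, "targets": len(dsts)})
    return findings, unattributed


if __name__ == "__main__":
    net, procs = build_sample()
    findings, missing = fanout_findings(associate(net, procs))
    for f in findings:
        print(f)
    print("flows without a process owner:", missing)
```

Two things a practitioner should take from the sample output: the browser traffic produces no finding even though it is also a "benign app", because fan-out to three web hosts is ordinary; and the flow with no owning process is counted separately rather than dropped, since an unattributed connection is itself something to investigate (missing endpoint coverage or a process hiding from it).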

Signature vs. Behavior-based Attack Detection

Traditional Security: Agents & Signatures (Known Bad)
▪ Signatures, IoCs, packet signatures, domains, sandbox activity
▪ Block, or miss
▪ Necessary, but not sufficient for internal threats

Problems:
• Focuses on known threats
• Cannot easily detect unknown threats, insider threats, or attacks that do not rely on malware

What's Needed
▪ Learn what is good [Baseline]
▪ Detect what isn't [Anomaly]
▪ Catch what slips through the cracks of traditional security

Behavioral Analytics: Agentless & Signature-less (Learned Good)

Benefits:
• Does not depend on prior knowledge of an exploit or signature (the zero-day dilemma)
• Hundreds of opportunities to detect
• Applicable to all techniques & stages

LightCyber Magna

Powered by Machine Learning, Magna Closes the Breach Detection Gap

AWARDS

About LightCyber and Palo Alto Networks

LightCyber
▪ Founded in 2012 by cyberwarfare experts
▪ Acquired in February 2017 by Palo Alto Networks
▪ 500+ deployments since Q1/2015
▪ Recognized in Gartner Market Guides for UEBA and EDR

“We have spent quite some time evaluating the players in this fast-growing space and are very impressed with the capabilities and team at LightCyber.” – Mark McLaughlin, CEO, Palo Alto Networks

If an active attacker were operating inside your network right now… could you see them?

LightCyber Magna profiles network, user and endpoint behavior to catch threats across the attack lifecycle.

(Diagram: Endpoint, Network and User around LightCyber Magna)

LightCyber Magna combines Endpoint Detection & Response, Network Traffic Analysis, and User & Entity Behavior Analytics.

Profiling, Detection, Investigation and Response

Intelligent n-Dimensional Profiling
- Continuous baseline of network, user, and endpoint behavior

Accurate Detection
- Anomalous attack behavior detected across the attack lifecycle

Automated Investigation
- Network, User, & Process Association + Cloud (N2PA)

Integrated Response
- Blacklist attackers or accounts with NGFW, NAC, Active Directory

Magna Detection Framework

Pre-compute learning of 1,000+ behavioral dimensions

Time Profile
• History, per detector
• Network -> Application

Peer Profile
• Peer profile, per detector

Entity Profile
• Entity type
• User, admin, workstation, server, server type

ML Technique: Pre-Compute Learning (Unsupervised and Supervised)
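To make "learn what is good, detect what isn't" concrete, here is an added Python example, not LightCyber or Palo Alto Networks code, of a time profile and a peer profile over file-share access records, the scenario from the insider-attack slide earlier in the deck. From twenty days of constructed sample records it learns which shares each user touches and how much they read per day (the user's own history), and which shares each peer group uses (peers defined by role). It then scores a new day in which one user reads from shares that are new to them and unused by their peers, at a volume far above their own history. Users, roles, share names, the 25% peer-rarity cutoff and the z-score threshold of 3 are all assumptions made for the example.

```python
"""Baseline-and-anomaly detection over file-share access records.
Added example with constructed data; not LightCyber/Palo Alto Networks code."""
from collections import defaultdict
from statistics import mean, pstdev

# Hypothetical users and roles; the role is the "peer" dimension.
ROLE_OF = {"alice": "finance", "bob": "finance", "carol": "finance",
           "dave": "engineering", "erin": "engineering", "hradmin": "hr"}
USUAL_SHARES = {"finance": ["\\\\fs\\finance", "\\\\fs\\budgets"],
                "engineering": ["\\\\fs\\src", "\\\\fs\\builds"],
                "hr": ["\\\\fs\\hr-archive"]}


def make_baseline_log(days=20):
    """Constructed history: (day, user, role, share, bytes_read).
    Volumes vary deterministically between 40 and 70 MB per share per day."""
    log = []
    for day in range(1, days + 1):
        for user, role in ROLE_OF.items():
            for i, share in enumerate(USUAL_SHARES[role]):
                nbytes = (40 + (day * 7 + i * 11 + len(user)) % 31) * 1_000_000
                log.append((day, user, role, share, nbytes))
    return log


def learn_baseline(records):
    """Learn 'what is good': a time profile per user (shares touched, daily volume
    mean and stdev) and a peer profile per role (which peers use which share)."""
    user_shares = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))             # user -> day -> bytes
    peer_share_users = defaultdict(lambda: defaultdict(set))  # role -> share -> users
    peers = defaultdict(set)                                  # role -> users
    for day, user, role, share, nbytes in records:
        user_shares[user].add(share)
        daily[user][day] += nbytes
        peer_share_users[role][share].add(user)
        peers[role].add(user)
    volume = {}
    for user, per_day in daily.items():
        vals = list(per_day.values())
        volume[user] = (mean(vals), pstdev(vals))
    return {"user_shares": user_shares, "volume": volume,
            "peer_share_users": peer_share_users, "peers": peers}


def detect(baseline, records, rare_peer_fraction=0.25, z_threshold=3.0):
    """Detect 'what isn't' good in one new day of records.
    Returns (user, finding_type, detail) tuples."""
    findings, seen, day_bytes = [], set(), defaultdict(int)
    for _day, user, role, share, nbytes in records:
        day_bytes[user] += nbytes
        if (user, share) in seen:
            continue
        seen.add((user, share))
        # time profile: has this user ever touched this share before?
        if share not in baseline["user_shares"].get(user, set()):
            findings.append((user, "new_share_for_user", share))
        # peer profile: is the share rarely used within the user's peer group?
        group = baseline["peers"].get(role, set())
        users_of_share = baseline["peer_share_users"].get(role, {}).get(share, set())
        if group and len(users_of_share) / len(group) < rare_peer_fraction:
            findings.append((user, "share_rare_for_peers", share))
    # time profile: today's volume against the user's own history (z-score)
    for user, nbytes in day_bytes.items():
        mu, sigma = baseline["volume"].get(user, (0.0, 0.0))
        z = (nbytes - mu) / (sigma if sigma > 0 else max(mu, 1.0))
        if z > z_threshold:
            findings.append((user, "volume_anomaly", f"z={z:.1f}"))
    return findings


# Constructed test day: alice behaves normally; bob reads from shares that are
# new to him and unused by finance peers, at roughly 50x his usual daily volume.
TEST_DAY = [
    (21, "alice", "finance", "\\\\fs\\finance", 55_000_000),
    (21, "bob", "finance", "\\\\fs\\finance", 50_000_000),
    (21, "bob", "finance", "\\\\fs\\hr-archive", 900_000_000),
    (21, "bob", "finance", "\\\\fs\\src", 2_000_000_000),
    (21, "bob", "finance", "\\\\fs\\legal", 2_500_000_000),
]

if __name__ == "__main__":
    for finding in detect(learn_baseline(make_baseline_log()), TEST_DAY):
        print(finding)
```

Note how the two profiles complement each other: a share that is new to one user but common among peers (a new hire reading the team share) trips only the time-profile check, while a share nobody in the role uses trips the peer check as well. The volume check guards against a zero standard deviation, which a short or perfectly regular history would otherwise turn into a division by zero.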

Magna Platform

(Deployment diagram. Components: Magna Master, Magna Detector, Magna Pathfinder, Magna Probe (Network-to-Process Association, N2PA), and Magna Detector & Magna Probe for AWS. Locations: HQ / DC (core switch, TAP / SPAN), Remote Office (switch, TAP / SPAN), Endpoints, Remote VPN Users, IaaS Cloud. Outputs: Email & Reports, SIEM, Magna UI, Remediation.)

LightCyber Detects the Threats That Lead to Data Loss and Destruction: Risky Behavior, Malware, Insider Attacks, Advanced and Targeted Attacks

Lower Operating Costs With Accurate, Efficient Alerts

Most IT security teams can't keep up with the deluge of security alerts.

LightCyber accuracy: 61% across all alerts; 99% across Magna's automated "Confirmed Attack" category

Source: Ponemon survey of 700 enterprises with an average of 14,000 endpoints and 16,937 alerts per week

Closing the Gap in Breach Detection

Intrusion Attempt Phase (Seconds – Minutes): Traditional Network Security
Active Attack Phase (Weeks – Months): Breach Detection Gap
Incident Response (Weeks – Months): Post Incident Response Solutions

Source: Lockheed Martin Cyber Kill Chain, LightCyber Cyber Weapons Report

Demonstrate Security Assurance

▪ LightCyber Magna Security Assurance Report:
• Documents to auditors, partners and the board that there is no evidence of compromise
• Eliminates the need for costly third-party assessments
• Provides visibility of security events

Malware Example

Magna Detects:
• Active Command & Control channel
• Malware infection
• No signs of internal spreading
• Likely opportunistic, not (yet) targeted

Detection Pattern:
• C&C
• Malware
• (No East-West)

Risky Behavior Example

Magna Detects:
• RDP to > 20 workstations
• Likely non-malicious internal activity, since there is no association with other malicious findings

Detection Pattern:
• Credential Abuse
• Not linked to exfiltration or other findings

Insider Attack Example

Magna Detects:
• Suspicious access to file shares
• Exfiltration
• This correlation indicates a likely insider attack

Detection Pattern:
• Credential Abuse
• Linked to exfiltration or other findings

Targeted Attack Example

Magna Detects:
• Anomalous file with known threat intelligence
• Recon
• Lateral Movement
• Exfiltration
• This correlation indicates a targeted attack

Detection Pattern:
• Multiple correlated findings
• North-South + East-West

User, Entity; Network + Endpoint

Magna Detects:
• Anomalous network activity
• Anomalous and malicious processes on the endpoint
• Anomalous user activity

Magna Correlates:
• User
• Entity
• Network
• Process
• Endpoint
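The four examples above share one structure: individual findings are correlated by user and host, and it is the combination, not any single finding, that decides the verdict. The following is an added Python example, not LightCyber or Palo Alto Networks code, of that logic. A union-find groups constructed findings that share a user or a host into incidents, and a rule set mirrors the deck's patterns: C&C plus malware with no east-west activity is opportunistic malware; credential abuse on its own is risky behavior; credential abuse linked to other findings is an insider attack; a malicious or threat-intelligence-matched endpoint finding together with both east-west and north-south findings is a targeted attack. Finding type names, users, hosts and the grouping keys are assumptions made for the example.

```python
"""Correlating findings into incidents and classifying them by pattern.
Added example with constructed findings; not LightCyber/Palo Alto Networks code."""
from collections import defaultdict

ENDPOINT_MALICIOUS = {"malware", "threat_intel_match", "anomalous_process"}
EAST_WEST = {"recon", "lateral_movement", "credential_abuse", "suspicious_share_access"}
NORTH_SOUTH = {"c2", "exfiltration"}


def correlate(findings):
    """Union-find: findings that share a user or a host belong to one incident."""
    parent = list(range(len(findings)))

    def root(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving
            i = parent[i]
        return i

    first_seen = {}                          # ("user"|"host", value) -> first index
    for i, f in enumerate(findings):
        for key in (("user", f.get("user")), ("host", f.get("host"))):
            if key[1] is None:
                continue
            if key in first_seen:
                parent[root(i)] = root(first_seen[key])
            else:
                first_seen[key] = i
    groups = defaultdict(list)
    for i, f in enumerate(findings):
        groups[root(i)].append(f)
    return list(groups.values())


def classify(types):
    """Verdict for one incident, following the deck's detection patterns."""
    types = set(types)
    malicious_endpoint = bool(types & ENDPOINT_MALICIOUS)
    east_west, north_south = types & EAST_WEST, types & NORTH_SOUTH
    if malicious_endpoint and east_west and north_south:
        return "targeted attack"             # multiple correlated, north-south + east-west
    if malicious_endpoint and "c2" in types and not east_west:
        return "malware (opportunistic, no internal spreading)"
    if "credential_abuse" in types:
        return "insider attack" if len(types) > 1 else "risky behavior"
    return "unclassified (analyst review)"


def triage(findings):
    """Group raw findings, then attach a verdict to each group."""
    return [(classify(f["type"] for f in group), group) for group in correlate(findings)]


# Constructed findings with hypothetical users and hosts. In the WS-042 group,
# bob's share access and the exfiltration under alice's account are tied
# together only through the host they happened on; that link is what turns two
# weak findings into an insider-attack verdict.
SAMPLE_FINDINGS = [
    {"type": "c2", "host": "WS-007", "user": "pat"},
    {"type": "malware", "host": "WS-007", "user": "pat"},
    {"type": "credential_abuse", "host": "ADM-WS", "user": "admin01",
     "detail": "RDP to 25 workstations"},
    {"type": "suspicious_share_access", "host": "WS-042", "user": "bob"},
    {"type": "credential_abuse", "host": "WS-042", "user": "alice"},
    {"type": "exfiltration", "host": "WS-042", "user": "alice"},
    {"type": "threat_intel_match", "host": "WS-101", "user": "kim"},
    {"type": "recon", "host": "WS-101", "user": "kim"},
    {"type": "lateral_movement", "host": "WS-101", "user": "kim"},
    {"type": "exfiltration", "host": "SRV-05", "user": "kim"},
]

if __name__ == "__main__":
    for verdict, group in triage(SAMPLE_FINDINGS):
        print(verdict, "<-", sorted({f["type"] for f in group}))
```

The rule order matters: the targeted-attack rule is checked first so that an incident containing credential abuse alongside malware and exfiltration is not downgraded to an insider case, and anything that matches no pattern is left for an analyst rather than silently dropped.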

Demo

Resources

Contact Palo Alto Networks to schedule a demo

Request more information about LightCyber Magna at www.paloaltonetworks.com.

Download Cyber Weapons Report

QUESTIONS?