NTXISSACSC2 - Next-Generation Security and the Problem of Exploitation by Matthew Ancelin
•Download as PPTX, PDF•
2 likes•1,590 views
Matthew Ancelin, Network Security Specialist, Palo Alto Networks What has been done in the past worked fine back then, but it doesn’t cut it anymore. What are the problems with the past technology and where are we headed.
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to NTXISSACSC2 - Next-Generation Security and the Problem of Exploitation by Matthew Ancelin
Similar to NTXISSACSC2 - Next-Generation Security and the Problem of Exploitation by Matthew Ancelin (20)
More from North Texas Chapter of the ISSA
More from North Texas Chapter of the ISSA (20)
Recently uploaded
Recently uploaded (19)
NTXISSACSC2 - Next-Generation Security and the Problem of Exploitation by Matthew Ancelin
- 1. 11 Next-Generation Security and the Problem of Exploitation April 2015 Matthew Ancelin, CISSP, CNSE 1
- 2. 2 Network: Old Methods vs. New Methods • Port and protocol allow/block firewalling • URL filtering, black lists • Blacklisting of IP or range • Standalone signature based IPS • UTM: unified threat management • Web gateways/Proxy • Visibility and Control • Application based firewalling • Integrated Threat Prevention • SSL decryption/inspection • Automated threat intelligence sharing • Sandboxing
- 3. 3 Visibility and Control: Application based firewalling, SSL Decryption/Inspection, Integrated Threat Prevention
- 4. 4 Sharing is Cyber-Caring: Verizon’s 2015 Breach report Source: Verizon 2015 Data Breach Investigations Report
- 5. 5 Sharing is Cyber-Caring: Verizon’s 2015 Breach report Source: Verizon 2015 Data Breach Investigations Report 75% of attacks spread from victim 0 to victim 1 within 24 hours
- 6. 6 Sandboxing and Threat Intelligence…3 years later Watchguard- Dimension (threat intel only) CheckPoint - Threat Emulation(sandbox), ThreatCloud service (intel, MSP) Cisco(Sourcefire) - Threat Grid and AMP Palo Alto Networks – WildFire Threat Intelligence Cloud McAfee – TrustedSource (threat intel only – IP/Domain) Fortinet – FortiSandbox FireEye – core product + Threat Intelligence BlueCoat – Malware Analysis Appliance Source: www.watchguard.com
- 7. 7 Sandboxing and Automated Threat Intelligence sharing AV Signatures DNS Signatures C&C Signatures Malware URL Filtering Global install base and Threat Intel Consortium SIEM other
- 8. 8 Endpoint Protection “Anti-virus is Dead” Source: Wall Street Journal, May 2014
- 9. 9 Endpoint: Old Methods vs. New Methods • Signature matching • Heuristics • Kernel-level root-kit protection • Cloud based updates • Web threat protection • IP Reputation services • Registry cleaners • Micro-virtualization • Task introspection • Process/App whitelisting • Automated threat intelligence • Exploit trapping • Sandboxing • Predictive math modeling • Either Prevent or Detect/Remediate
- 12. 12 Predictive Math Modeling Source: www.cylance.com
- 13. 13 Traps - Exploit Trapping by Technique Individual Attacks Software Vulnerability Exploits Thousands of new vulnerabilities and exploits per year 1,000s/yr Core Techniques Exploitation Techniques In the past 3 years, 2 new techniques have been discovered 1 or 2/yr Source: www.cvedetails.com
- 14. 14 Prevention of One Technique in the Chain will Block the Entire Attack Exploit Prevention Case Study Unknown Exploits Utilize Known Techniques DLL Security IE Zero Day CVE-2013-3893 Heap Spray DEP Circumvention ROP/Utilizing OS Function Adobe Reader CVE-2013-3346 Heap Spray DEP Circumvention Utilizing OS Function Adobe Flash CVE-2015- 3010/0311 ROP JiT Spray Utilizing OS Function
- 15. 15 Are exploits really the problem? 99.9% of the exploited vulnerabilities were compromised more than 1 year after the CVE was published. ~50% of 2014 CVEs exploited fell within 2 weeks of announcement. * Source: Verizon 2015 Data Breach Investigations Report
- 16. 16 How does exploit trapping fare against a sophisticated APT?
- 17. 17 Traps stops 0-day exploits without prior knowledge of them
- 18. 18 Attacks LEAD with exploits Nov 2014: Operation CloudyOmega Nov 2014: Dark Hotel campaign Oct 2014: SandWorm Oct 2014: Hurricane Panda Feb 2014: Operation SnowMan (MS IE 0-day exploit) Sept 2013: Ichitaro Zero Day Feb 2014: IE 0-day, Watering Hole attack Feb 2014: ‘The Mask’ Campaign Dec 2013: Operation KeyChang Oct 2013: Egobot Campaign Sept 2013: Icefog campaign Sept 2013: EvilGrab campaign June 2013: NetTraveler campaign …this pattern repeats over and over again
- 19. 19 Social Engineering 101 – determine an Attack Vector
- 20. 20 Social Engineering 101 – determine an Attack Vector Upgrade to Office 2010
- 21. 21
- 22. 22
- 23. 23 Social Engineering 101 – deliver the Attack
- 24. 24 Social Engineering 101 – deliver the Attack SEND US YOUR RESUME
- 25. 25
Editor's Notes
- Agenda: What is ‘next-generation’? Discussion of new techniques and approaches, network and endpoint Look at some recent attacks to see how these new techniques would or would not be effective Demonstrate exploitation and its prevention
- I work for pioneer in this space, here 3 years later, many of our competitors have adopted similar functionality- Some functionality has been around awhile, but has finally been made operationally possible to actually turn on.
- Visibility and Control on the network layer has improved: moving beyond port/protocol, to application and user based controls, looking across all ports/protocols, inside of SSL. Since deep packet inspection is required here, what better place to also then look for and block known threats. Not all ‘application control’ is the same- check the flow of any given implementation of it… It makes a lot of sense to in fact validate applications- just because its coming over port 53, IS it DNS? It also makes a lot of sense to organize firewall policies according to the users (by name) that they apply to. In my engagements, I poll network admins as to whether they are decrypting and/or inspecting SSL… maybe 10% or less are.
- Statistically, different sources are reporting different data- different threats…
- But WHAT is shared, and how useful is that? IP addresses #1, Host information #2 The faster the sharing, and the faster that is actionable, is where the value lies.
- 3 years ago, FireEye was the leading name in commercialized enterprise sandboxing Palo Alto added WildFire shortly after 3 years later, everyone’s got one What data elements are captured? How shared? And what is DONE with the resulting data?
- Explain Sandboxing Threat Intel sharing inside of your environment Threat Intel sharing within your vendors install base Threat Intel sharing within your industry (ISACs) – or between vendors
- next-generation: new methods May 2014, Brian Dye Sr VP of IS Symantec: “Antivirus is Dead” Nir Zuk: port/protocol dead (despite inventing stateful packet inspection, based on port/protocol 20 yrs prior) Roll Video
- As we examined these requirements we realized an entirely new approach would be needed in order to effectively block threats that have never been seen before. We chose to focus our efforts on blocking the core techniques that attackers use versus the threat itself. As it turns out there is a finite amount of techniques that can be employed in order for an attacker to achieve their objectives. And these techniques don’t change frequently when compared to the actual number of new vulnerabilities and malware. So our strategy was actually quite simple – If we could successfully disrupt the technique, then the attack would be thwarted. So, relative to exploit driven attacks we focused on the exploit techniques and not the thousands of vulnerabilities that emerge each year. For malware it’s similar, in that we’ve focused on the malware techniques as opposed to the millions of individual pieces of malware that emerge each year. So that’s how you have to think about the problem, focus on the core techniques for exploits and malware specifically. --------------------------------------- Additional points you may want to raise: Currently the total number of exploit techniques available to attackers numbers in the mid-20’s. You can use Heap Spray as an example to articulate how complicated these techniques are and how infrequent they’re created. Heap Spray took two years for academia to develop. Once it was developed the attacker community got ahold of the technique and began to use it within their toolkits. In parallel we were working with the universities to build mechanisms to block this exploit technique through Traps, so when Heap Spray was exposed to the attacker community we were already prepared to prevent through Traps.
- Let’s drill down into how that works using a recent Zero-Day as an example – cve-2014-1776, also known as Clandestine Fox. The actual process of exploiting a system via a vulnerability involves the use of multiple techniques working in concert. In order for an attack to be successful the attacker must execute each of these exploit techniques in a path that has multiple stages that lead to the execution of the malicious activity. In this CVE you can see the exploit techniques used in each of the stages… They can’t begin their malicious activity until they’ve concluded these steps. Some attacks may involve more steps, some may involve less. In all cases you can count on at least two or three techniques that must be used in order to exploit that endpoint. The reason why I’m providing this background is because it’s important to understand the process an attacker must take, the chain of events their exploit must follow, in order to achieve their objectives. If you understand this process it will be easy to understand the approach we’ve taken with Traps. At a basic level Traps employs a series prevention modules aimed at blocking the different exploit techniques available to attackers. These modules operate like “traps”, injected into the user processes, and designed to block the attackers exploit technique as soon as it’s used. It’s critical that your approach be able to block all techniques. These techniques can be grouped into the following four buckets [Click]. In each case we’re able to block the attack without having any prior knowledge of the vulnerability. This didn’t require signatures or software updates to prevent. Even though an attack may have involved a Zero-Day that had never been seen before.