How do you stop CryptoLocker?
Transcript of "Hvordan stopper du CryptoLocker?" (How do you stop CryptoLocker?)
![Page 1: Hvordan stopper du CryptoLocker?](https://reader035.fdocument.pub/reader035/viewer/2022062522/587f28711a28ab121d8b47e7/html5/thumbnails/1.jpg)
Traps vs. CryptoLocker
Steinar Aandal-Vanger, Westcon Security
![Page 2: Hvordan stopper du CryptoLocker?](https://reader035.fdocument.pub/reader035/viewer/2022062522/587f28711a28ab121d8b47e7/html5/thumbnails/2.jpg)
Who are we?
Steinar Aandal-Vanger
Has worked with Palo Alto Networks since 2009; Palo Alto Networks instructor
Has taught Palo Alto courses for the last 5 years in Norway and Iceland
Has worked with IT security products since 1999, including Ironport, Check Point, Juniper, RSA Security, TippingPoint, SourceFire and others
Westcon Security: distributor of IT security products in Norway
- Palo Alto Networks, Juniper, F5, Arbor, Infoblox, HP Enterprise and others
© 2015, Palo Alto Networks. Confidential and Proprietary.
![Page 3: Hvordan stopper du CryptoLocker?](https://reader035.fdocument.pub/reader035/viewer/2022062522/587f28711a28ab121d8b47e7/html5/thumbnails/3.jpg)
Agenda
• Traps – Advanced Endpoint protection
• Ransomware
• Traps; Exploit and Malware prevention
• Prevention Stages
![Page 4: Hvordan stopper du CryptoLocker?](https://reader035.fdocument.pub/reader035/viewer/2022062522/587f28711a28ab121d8b47e7/html5/thumbnails/4.jpg)
Is Real-Time, Automatic Prevention of Attacks that Exploit Unknown and Zero-Day Vulnerabilities Possible?
![Page 5: Hvordan stopper du CryptoLocker?](https://reader035.fdocument.pub/reader035/viewer/2022062522/587f28711a28ab121d8b47e7/html5/thumbnails/5.jpg)
Palo Alto Networks Security Platform
Natively integrated, extensible, automated.
Components: Next-Generation Firewall; Advanced Endpoint Protection (TRAPS); WildFire Threat Intelligence Cloud.
Flows shown between them: Unknown Files (sent to WildFire) and Query Verdict.
![Page 6: Hvordan stopper du CryptoLocker?](https://reader035.fdocument.pub/reader035/viewer/2022062522/587f28711a28ab121d8b47e7/html5/thumbnails/6.jpg)
What is the Best Approach to Preventing Attacks? Anatomy of a Targeted Attack
1. Plan the attack: gather intelligence
2. Silent infection: leverage an exploit
3. Control channel: malware communicates with the attacker
4. Execute malware: malicious file executed
5. Steal data: data theft, sabotage, destruction
![Page 7: Hvordan stopper du CryptoLocker?](https://reader035.fdocument.pub/reader035/viewer/2022062522/587f28711a28ab121d8b47e7/html5/thumbnails/7.jpg)
![Page 8: Hvordan stopper du CryptoLocker?](https://reader035.fdocument.pub/reader035/viewer/2022062522/587f28711a28ab121d8b47e7/html5/thumbnails/8.jpg)
Pages 7 and 8 repeat the attack chain from page 6, first annotated with the potential impact of the attack, then with where Traps prevention applies in the chain.
![Page 9: Hvordan stopper du CryptoLocker?](https://reader035.fdocument.pub/reader035/viewer/2022062522/587f28711a28ab121d8b47e7/html5/thumbnails/9.jpg)
Exploits vs. Malicious Executables

Exploit:
- Malformed data file
- Processed by a legitimate application
- Exploits a vulnerability in the legitimate application to allow the attacker to execute code
- Small payload
- Examples: weaponized PDF files and Flash videos

Malicious executable:
- Malicious code
- Does not rely on application vulnerabilities
- Contains executable code
- Aims to control the machine
- Large payload
- Examples: ransomware, fake AV
![Page 10: Hvordan stopper du CryptoLocker?](https://reader035.fdocument.pub/reader035/viewer/2022062522/587f28711a28ab121d8b47e7/html5/thumbnails/10.jpg)
Page 10 repeats the comparison above and overlays the coverage of "next gen" anti-malware solutions, signature-based AV and Palo Alto Networks Traps against the two columns.
![Page 11: Hvordan stopper du CryptoLocker?](https://reader035.fdocument.pub/reader035/viewer/2022062522/587f28711a28ab121d8b47e7/html5/thumbnails/11.jpg)
Ransomware, CryptoLocker etc.
1. Infect system with malware
2. Restrict access to system/data
3. Profit!
![Page 12: Hvordan stopper du CryptoLocker?](https://reader035.fdocument.pub/reader035/viewer/2022062522/587f28711a28ab121d8b47e7/html5/thumbnails/12.jpg)
Via website:
1. User visits a compromised website.
2. Exploit kit silently exploits a client-side vulnerability.
3. Drive-by download of the malicious payload.
4. System infected; the attacker has full access to steal data.
![Page 13: Hvordan stopper du CryptoLocker?](https://reader035.fdocument.pub/reader035/viewer/2022062522/587f28711a28ab121d8b47e7/html5/thumbnails/13.jpg)
Via email:
Attacker -> Spear phishing email -> Exploit document -> Backdoor Trojan -> Backdoor access -> Target
![Page 14: Hvordan stopper du CryptoLocker?](https://reader035.fdocument.pub/reader035/viewer/2022062522/587f28711a28ab121d8b47e7/html5/thumbnails/14.jpg)
![Page 15: Hvordan stopper du CryptoLocker?](https://reader035.fdocument.pub/reader035/viewer/2022062522/587f28711a28ab121d8b47e7/html5/thumbnails/15.jpg)
$300-500
![Page 16: Hvordan stopper du CryptoLocker?](https://reader035.fdocument.pub/reader035/viewer/2022062522/587f28711a28ab121d8b47e7/html5/thumbnails/16.jpg)
The 3 Core Capabilities of Advanced Endpoint Protection
1. Prevents exploits, including unknown and zero-day exploits
2. Prevents malicious executables, including unknown and advanced malware
3. Highly scalable, integrated security platform for data exchange and cross-organization protection
(Pages 16 to 18 build this list up one item at a time.)
![Page 19: Hvordan stopper du CryptoLocker?](https://reader035.fdocument.pub/reader035/viewer/2022062522/587f28711a28ab121d8b47e7/html5/thumbnails/19.jpg)
Prevent Exploits
Number of new variants each year (source: CVEDetails.com):
- Individual attacks (software vulnerability exploits): 10,000s+
- Core techniques (exploitation techniques): fewer than 3
Block the core techniques, not the individual attacks.
![Page 20: Hvordan stopper du CryptoLocker?](https://reader035.fdocument.pub/reader035/viewer/2022062522/587f28711a28ab121d8b47e7/html5/thumbnails/20.jpg)
Exploit technique prevention
1. A document is opened by the user.
2. Traps engines seamlessly inject traps into the software that opens the file. The process is now protected; Traps performs no scanning and no monitoring (CPU < 0.1%).
3. In case of an exploitation attempt, the exploit hits a trap and fails before any malicious activity is initiated.
4. Traps triggers immediate actions: the process is terminated, forensic data is collected, and the user/admin is notified. Safe!
![Page 21: Hvordan stopper du CryptoLocker?](https://reader035.fdocument.pub/reader035/viewer/2022062522/587f28711a28ab121d8b47e7/html5/thumbnails/21.jpg)
Exploit Techniques - Example
Chain shown: Normal application execution -> Heap Spray -> ROP -> Utilizing OS Function -> Begin malicious activity (activate key logger, steal critical data, more). The gaps between the steps are the vulnerabilities.
Exploit attack:
1. Exploit attempt contained in a PDF sent by a "known" entity.
2. PDF is opened and exploit techniques are set in motion to exploit a vulnerability in Acrobat Reader.
3. Exploit evades AV and drops a malware payload onto the target.
4. Malware evades AV, runs in memory.
![Page 22: Hvordan stopper du CryptoLocker?](https://reader035.fdocument.pub/reader035/viewer/2022062522/587f28711a28ab121d8b47e7/html5/thumbnails/22.jpg)
Exploit Techniques
Chain shown: Normal application execution -> Heap Spray -> [Traps EPM] -> No malicious activity.
Exploit attack: the same four steps (PDF from a "known" entity, opened in Acrobat Reader, exploit evades AV and drops a payload, malware runs in memory).
Traps Exploit Prevention Modules (EPM):
1. Exploit attempt blocked at the first technique. Traps requires no prior knowledge of the vulnerability.
![Page 23: Hvordan stopper du CryptoLocker?](https://reader035.fdocument.pub/reader035/viewer/2022062522/587f28711a28ab121d8b47e7/html5/thumbnails/23.jpg)
Exploit Techniques - Unknown Technique
Chain shown: Normal application execution -> Unknown exploit technique -> ROP -> [Traps EPM] -> No malicious activity.
Exploit attack: the same four steps (PDF from a "known" entity, opened in Acrobat Reader, exploit evades AV and drops a payload, malware runs in memory).
Traps Exploit Prevention Modules (EPM):
1. Exploit attempt blocked. Traps requires no prior knowledge of the vulnerability.
2. If there is a new technique it will succeed, but the next technique in the chain (here ROP) will be blocked, still preventing malicious activity.
This argument holds only while the chain still depends on at least one technique that a module covers; an exploit built entirely from uncovered techniques is the case to test for in a proof of concept.
![Page 24: Hvordan stopper du CryptoLocker?](https://reader035.fdocument.pub/reader035/viewer/2022062522/587f28711a28ab121d8b47e7/html5/thumbnails/24.jpg)
Exploit Prevention Case Study: Unknown Exploits Utilize Known Techniques
- IE zero-day, CVE-2013-3893. Techniques used: Heap Spray; DEP Circumvention; ROP / Utilizing OS Function. Traps modules listed: DLL Security; UASLR; ROP Mitigation / DLL Security.
- Adobe Reader, CVE-2013-3346. Techniques used: Heap Spray; DEP Circumvention; Utilizing OS Function. Traps modules listed: Memory Limit Heap Spray Check and Shellcode Preallocation; UASLR; DLL Security.
- Adobe Flash, CVE-2015-3010/0311. Techniques used: ROP; JIT Spray; Utilizing OS Function. Traps modules listed: ROP Mitigation; J01; DLL Security; Memory Limit Heap Spray Check.
Three different zero-days in three products rely on the same handful of techniques, which is what the modules target.
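The two heap-spray modules in the Adobe Reader row, shellcode preallocation and the memory-limit heap-spray check, as an added toy model in Python. This is not Traps code (Traps' modules run inside the protected Windows process); here a Python object stands in for the process heap, the allocation and the final control transfer are simulated, the reserved landing addresses, the 2 MiB budget and the 32-copy threshold are values assumed for the example, and the NOP sled is constructed. The point it shows is that neither check needs to know which bug is being exploited.

```python
"""Toy model of two technique-level mitigations named in the Adobe Reader row:
"Shellcode Preallocation" and "Memory Limit Heap Spray Check".
Added illustration only; it is not Traps code. A Python object stands in for
the process heap, and the thresholds are assumed values, not Traps' settings."""
import hashlib
from collections import Counter

PAGE_SIZE = 0x1000
# Assumption: the page does not list the addresses the real module reserves;
# these are the fixed landing addresses public browser/PDF sprays have used.
SPRAY_LANDING_ADDRESSES = (0x04040404, 0x0A0A0A0A, 0x0B0B0B0B, 0x0C0C0C0C, 0x0D0D0D0D)


class PreventionEvent(Exception):
    """A technique was hit; a real module would terminate the process here."""


class ProtectedHeap:
    def __init__(self, mitigations_enabled=True, spray_limit_bytes=2 * 1024 * 1024,
                 repeat_threshold=32, base=0x00400000):
        self.mitigations_enabled = mitigations_enabled
        self.spray_limit_bytes = spray_limit_bytes  # assumed budget for repeated content
        self.repeat_threshold = repeat_threshold    # identical copies tolerated before counting
        self._next_addr = base
        self._chunks = {}                           # address -> size
        self._copies = Counter()                    # sha256(content) -> copies seen
        self._repeated_bytes = 0
        # Shellcode preallocation: claim the pages a hard-coded jump would land
        # on, so no spray can ever occupy them.
        self._reserved_pages = ({a // PAGE_SIZE for a in SPRAY_LANDING_ADDRESSES}
                                if mitigations_enabled else set())

    def _overlaps_reserved(self, addr, size):
        first, last = addr // PAGE_SIZE, (addr + size - 1) // PAGE_SIZE
        return any(p in self._reserved_pages for p in range(first, last + 1))

    def allocate(self, content: bytes) -> int:
        """Allocate a chunk and return its address.

        Memory-limit heap-spray check: the same bytes allocated over and over,
        past a size budget, is the spray technique itself, whatever the bug."""
        if self.mitigations_enabled:
            digest = hashlib.sha256(content).digest()
            self._copies[digest] += 1
            if self._copies[digest] > self.repeat_threshold:
                self._repeated_bytes += len(content)
                if self._repeated_bytes > self.spray_limit_bytes:
                    raise PreventionEvent(
                        f"heap spray: {self._copies[digest]} identical chunks, "
                        f"{self._repeated_bytes} bytes of repeated content")
        addr = self._next_addr
        while self._overlaps_reserved(addr, len(content)):
            addr = (addr // PAGE_SIZE + 1) * PAGE_SIZE  # step past the reserved page
        self._chunks[addr] = len(content)
        self._next_addr = addr + len(content)
        return addr

    def execute_at(self, target: int) -> str:
        """The exploit's last step: transfer control to the address it sprayed towards."""
        if target // PAGE_SIZE in self._reserved_pages:
            raise PreventionEvent(f"control transfer into preallocated page 0x{target:08x}")
        for addr, size in self._chunks.items():
            if addr <= target < addr + size:
                return "attacker code runs"
        return "access violation (nothing mapped at target)"


def run_spray(heap: ProtectedHeap, sled: bytes, copies: int, target: int) -> str:
    """Spray `copies` chunks of `sled`, then jump to `target`; report the outcome."""
    try:
        for _ in range(copies):
            heap.allocate(sled)
        return heap.execute_at(target)
    except PreventionEvent as event:
        return f"blocked: {event}"


if __name__ == "__main__":
    # Constructed sled: 1 MiB of NOPs ending in a stand-in for shellcode.
    SLED = b"\x90" * (1024 * 1024 - 16) + b"\xcc" * 16
    print(run_spray(ProtectedHeap(mitigations_enabled=False), SLED, 200, 0x0C0C0C0C))
    print(run_spray(ProtectedHeap(), SLED, 200, 0x0C0C0C0C))
    print(run_spray(ProtectedHeap(spray_limit_bytes=10**9), SLED, 200, 0x0C0C0C0C))
```

Run as-is, the unprotected heap lets the spray reach 0x0C0C0C0C and the jump lands in attacker-controlled bytes; with the default budget the memory-limit check fires after 35 identical chunks; with the budget raised the spray completes but the jump lands on a preallocated page instead. Ordinary allocations of varying content never trip either check.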
![Page 25: Hvordan stopper du CryptoLocker?](https://reader035.fdocument.pub/reader035/viewer/2022062522/587f28711a28ab121d8b47e7/html5/thumbnails/25.jpg)
Prevent Malicious Executables
- Advanced Execution Control: reduce the attack surface. Control execution scenarios based on file location, device, child processes and unsigned executables. Local hash control allows granular system hardening.
- WildFire Inspection and Analysis: dynamic analysis with cloud-based threat intelligence.
- Malware Techniques Mitigation: prevent unknown malware with technique-based mitigation (example: thread injection).
![Page 26: Hvordan stopper du CryptoLocker?](https://reader035.fdocument.pub/reader035/viewer/2022062522/587f28711a28ab121d8b47e7/html5/thumbnails/26.jpg)
The Right Way to Prevent Malicious Executables
1. User tries to open an executable file.
2. Restrictions and executable rules are applied (examples: restricted folder or device? child process?). A match stops execution.
3. The file's hash is checked against WildFire: benign, malicious or unknown. Unknown files are sent to WildFire for inspection; a malicious verdict stops execution.
4. Malware technique prevention is employed while the file runs (examples: thread injection? create suspended?). A detected technique stops execution.
5. ESM forensics are collected whenever execution is stopped; otherwise the file runs. Safe!
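The decision flow above, as an added example in Python. It is not Traps code and not its policy format: the restricted folders, the list of document-handling parent processes, the sample paths, the dropper bytes and the hash algorithm are constructed, and the two verdict dictionaries stand in for the admin's local verdicts on the ESM and the WildFire lookup.

```python
"""Added example: the execution-control flow from the slide as a toy decision
function, in the order shown: restrictions and executable rules, then the
admin's local hash verdicts, then the WildFire verdict, with unknown files
allowed to run under technique prevention while they are submitted.
Not Traps' policy format or API: paths, parent process names, the hash
algorithm, verdict tables and the sample file bytes are all constructed."""
import hashlib
from dataclasses import dataclass

# Assumption: parents whose spawned executables are worth blocking outright.
DOCUMENT_HANDLERS = frozenset({"winword.exe", "excel.exe", "powerpnt.exe",
                               "outlook.exe", "acrord32.exe"})


@dataclass(frozen=True)
class ExecRequest:
    path: str           # file the user (or a parent process) is about to run
    content: bytes      # its bytes, hashed for the verdict lookups
    parent: str         # image name of the launching process
    signed: bool        # Authenticode check assumed done by the caller
    removable: bool = False   # sits on a removable device


@dataclass(frozen=True)
class Policy:
    restricted_folders: tuple = ("\\appdata\\local\\temp\\", "\\downloads\\")
    block_children_of: frozenset = DOCUMENT_HANDLERS
    block_unsigned: bool = False
    block_removable: bool = True


@dataclass(frozen=True)
class Decision:
    action: str   # "block", "allow" or "allow-with-technique-prevention"
    stage: str    # the step in the flow that decided
    reason: str


def file_hash(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def check_restrictions(req: ExecRequest, policy: Policy):
    """The 'Restrictions and Executable Rules' step: static rules, no verdict needed."""
    lowered = req.path.lower()
    for folder in policy.restricted_folders:
        if folder in lowered:
            return f"executable launched from restricted folder {folder}"
    if policy.block_removable and req.removable:
        return "executable launched from removable device"
    if req.parent.lower() in policy.block_children_of:
        return f"child process spawned by {req.parent}"
    if policy.block_unsigned and not req.signed:
        return "unsigned executable"
    return None


def decide(req, policy, local_verdicts, wildfire_verdicts, submit_queue) -> Decision:
    """Walk the flow top to bottom and return the first decision reached."""
    reason = check_restrictions(req, policy)
    if reason:
        return Decision("block", "restrictions", reason)
    digest = file_hash(req.content)
    # Admin pre-set (local) verdicts are consulted before the cloud, so an
    # admin allow entry overrides a WildFire "malicious": audit those entries.
    if digest in local_verdicts:
        verdict = local_verdicts[digest]
        return Decision("block" if verdict == "malicious" else "allow",
                        "local verdict", f"admin pre-set verdict: {verdict}")
    if digest in wildfire_verdicts:
        verdict = wildfire_verdicts[digest]
        return Decision("block" if verdict == "malicious" else "allow",
                        "wildfire verdict", f"WildFire verdict: {verdict}")
    # Unknown: run it, but with injection/suspend guards armed, and send it up.
    submit_queue.append(digest)
    return Decision("allow-with-technique-prevention", "unknown",
                    "no verdict yet; submitted to WildFire, malware technique prevention armed")


if __name__ == "__main__":
    DROPPER = b"MZ\x90\x00 constructed dropper bytes"   # stand-in for a ransomware dropper
    from_mail = ExecRequest(r"C:\Users\alice\AppData\Local\Temp\invoice.pdf.exe",
                            DROPPER, "outlook.exe", signed=False)
    from_doc = ExecRequest(r"C:\Users\alice\Documents\update.exe", DROPPER, "winword.exe", signed=True)
    unknown = ExecRequest(r"C:\Program Files\Vendor\tool.exe", DROPPER, "explorer.exe", signed=True)
    pending = []
    for req in (from_mail, from_doc, unknown):
        print(decide(req, Policy(), {}, {}, pending))
    print(decide(unknown, Policy(), {}, {file_hash(DROPPER): "malicious"}, pending))
```

The ordering is the point to notice: the same dropper is stopped by a folder rule when it arrives through Outlook into %TEMP%, by the child-process rule when Word spawns it, and by the WildFire verdict once one exists; until then it runs with the technique guards armed. Because the admin's local verdict is honoured before WildFire is asked, a local "benign" entry overrides a cloud "malicious" one, which is convenient for in-house tools and a reason to review those entries like any allow-list.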
![Page 27: Hvordan stopper du CryptoLocker?](https://reader035.fdocument.pub/reader035/viewer/2022062522/587f28711a28ab121d8b47e7/html5/thumbnails/27.jpg)
Traps Malware Protection
- Advanced Execution Control: Child Process, Unsigned Executable, Restricted Location
- Verdicts: Admin Pre-Set Verdicts, WildFire Known Verdict, On Demand Inspection
- Malicious behavior protection: Injection Attempts Blockage, Suspend Guard
- Exploit techniques covered: Utilization of OS functions, JIT, Heap Spray

Example: CryptoLocker. Traps kill-points through the attack life cycle:
Delivery -> Exploitation (memory corruption, logic flaws) -> Download and Execute
- Traps Exploit Protection: (1) Exploitation Technique 1, (2) Exploitation Technique 2, (3) Exploitation Technique 3
- Advanced Execution Control: (4) Execution Restriction 1, (5) Execution Restriction 2, (6) Execution Restriction 3, (7) Local Verdict Check, (8) WildFire Verdict Check, (9) WildFire Inspection (intelligence and emulation) -> Malicious
- Malicious Behavior Protection: (10) Thread Injection
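Suspend Guard and injection blocking, the behaviour-level guards that form the last kill-points, as an added detector over a recorded Win32 API-call trace (Python). This is not Traps code: Traps enforces these in-process, while this script only classifies a trace. The trace format, the process ids and the API sequences are constructed for the example; the creation flag, access-right and page-protection constants are the real Win32 values.

```python
"""Added example of the two behaviour guards on the slide, Suspend Guard and
injection blocking, as a detector over a recorded Win32 API-call trace.
It is not Traps code: Traps enforces these in-process, this only classifies a
trace. Trace entries, process ids and API sequences are constructed; the
flag and access-right constants are the real Win32 values."""
CREATE_SUSPENDED = 0x00000004        # CreateProcess dwCreationFlags bit
PROCESS_ALL_ACCESS = 0x001F0FFF
PROCESS_QUERY_INFORMATION = 0x0400
PAGE_EXECUTE_READWRITE = 0x40


def analyze_trace(trace):
    """trace: list of (caller_pid, api_name, args). Returns a list of alert dicts.

    Suspend guard: a process created CREATE_SUSPENDED, written to (or given a
    new thread context) and then resumed is process hollowing.
    Thread injection: OpenProcess on another pid, WriteProcessMemory into it,
    then CreateRemoteThread. Neither rule needs a signature for the payload."""
    suspended = {}   # (caller, child) -> APIs used on the child while suspended
    opened = {}      # (caller, target) -> APIs used on the target since OpenProcess
    alerts = []
    for caller, api, args in trace:
        if api == "CreateProcessW":
            if args.get("dwCreationFlags", 0) & CREATE_SUSPENDED:
                suspended[(caller, args["child_pid"])] = set()
            continue
        target = args.get("target_pid")
        if api == "OpenProcess" and target != caller:
            opened[(caller, target)] = set()
            continue
        key = (caller, target)
        if key in suspended:
            if api == "ResumeThread":
                seen = suspended.pop(key)
                if {"WriteProcessMemory", "SetThreadContext"} & seen:
                    alerts.append({"technique": "suspend guard (process hollowing)",
                                   "source_pid": caller, "target_pid": target,
                                   "evidence": sorted(seen) + ["ResumeThread"]})
            else:
                suspended[key].add(api)
        if key in opened:
            if api == "CreateRemoteThread":
                seen = opened.pop(key)
                if "WriteProcessMemory" in seen:
                    alerts.append({"technique": "thread injection",
                                   "source_pid": caller, "target_pid": target,
                                   "evidence": sorted(seen) + ["CreateRemoteThread"]})
            else:
                opened[key].add(api)
    return alerts


# Constructed traces (not captured from a real system).
HOLLOWING = [
    (1000, "CreateProcessW", {"lpApplicationName": r"C:\Windows\System32\svchost.exe",
                              "dwCreationFlags": CREATE_SUSPENDED, "child_pid": 2000}),
    (1000, "NtUnmapViewOfSection", {"target_pid": 2000}),
    (1000, "VirtualAllocEx", {"target_pid": 2000, "flProtect": PAGE_EXECUTE_READWRITE}),
    (1000, "WriteProcessMemory", {"target_pid": 2000, "nSize": 0x2A000}),
    (1000, "SetThreadContext", {"target_pid": 2000}),
    (1000, "ResumeThread", {"target_pid": 2000}),
]
INJECTION = [
    (1001, "OpenProcess", {"target_pid": 3000, "dwDesiredAccess": PROCESS_ALL_ACCESS}),
    (1001, "VirtualAllocEx", {"target_pid": 3000, "flProtect": PAGE_EXECUTE_READWRITE}),
    (1001, "WriteProcessMemory", {"target_pid": 3000, "nSize": 0x1000}),
    (1001, "CreateRemoteThread", {"target_pid": 3000}),
]
# A launcher that starts a child suspended to put it in a job object, then resumes it.
BENIGN_SUSPENDED = [
    (1002, "CreateProcessW", {"lpApplicationName": r"C:\Program Files\App\worker.exe",
                              "dwCreationFlags": CREATE_SUSPENDED, "child_pid": 4000}),
    (1002, "AssignProcessToJobObject", {"target_pid": 4000}),
    (1002, "ResumeThread", {"target_pid": 4000}),
]
# A monitoring tool that only reads another process.
BENIGN_READ = [
    (1003, "OpenProcess", {"target_pid": 5000, "dwDesiredAccess": PROCESS_QUERY_INFORMATION}),
    (1003, "ReadProcessMemory", {"target_pid": 5000}),
]

if __name__ == "__main__":
    for name, trace in [("hollowing", HOLLOWING), ("injection", INJECTION),
                        ("benign suspended launch", BENIGN_SUSPENDED), ("benign read", BENIGN_READ)]:
        print(name, "->", [a["technique"] for a in analyze_trace(trace)])
```

The guards key on the combination, not on any single call: creating a process suspended is ordinary for launchers and debuggers, and opening another process is ordinary for monitoring tools, so the two benign traces produce nothing, while the hollowing and injection traces each raise exactly one alert with the call sequence as evidence.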
![Page 28: Hvordan stopper du CryptoLocker?](https://reader035.fdocument.pub/reader035/viewer/2022062522/587f28711a28ab121d8b47e7/html5/thumbnails/28.jpg)
Exploit Prevention Notification
![Page 29: Hvordan stopper du CryptoLocker?](https://reader035.fdocument.pub/reader035/viewer/2022062522/587f28711a28ab121d8b47e7/html5/thumbnails/29.jpg)
End User Alert Wildfire
![Page 30: Hvordan stopper du CryptoLocker?](https://reader035.fdocument.pub/reader035/viewer/2022062522/587f28711a28ab121d8b47e7/html5/thumbnails/30.jpg)
End User Alert Unsigned Execution
![Page 31: Hvordan stopper du CryptoLocker?](https://reader035.fdocument.pub/reader035/viewer/2022062522/587f28711a28ab121d8b47e7/html5/thumbnails/31.jpg)
End User Alert Suspend Guard
![Page 32: Hvordan stopper du CryptoLocker?](https://reader035.fdocument.pub/reader035/viewer/2022062522/587f28711a28ab121d8b47e7/html5/thumbnails/32.jpg)
Traps Prevention Screen on ESM Console.
![Page 33: Hvordan stopper du CryptoLocker?](https://reader035.fdocument.pub/reader035/viewer/2022062522/587f28711a28ab121d8b47e7/html5/thumbnails/33.jpg)
Traps System Requirements, Footprint, and Coverage
Supported operating systems:
- Workstations (physical and virtual): Windows XP SP3, Windows Vista SP2, Windows 7, Windows 8 / 8.1, Windows 10
- Servers (physical and virtual): Windows Server 2003 32-bit, Windows Server 2008 (+R2), Windows Server 2012 (+R2)
Footprint: 25 MB RAM, 0.1% CPU, no scanning
Application coverage: the default policy covers 100+ processes; new processes are detected automatically; protection can be extended to any application, including in-house developed apps.
![Page 34: Hvordan stopper du CryptoLocker?](https://reader035.fdocument.pub/reader035/viewer/2022062522/587f28711a28ab121d8b47e7/html5/thumbnails/34.jpg)
Highly-Scalable, Integrated Security Platform
- Architecture: scalability; ease of security administration
- Operational capabilities: footprint; performance impact
- Platform coverage: physical systems; virtual systems
- Threat intelligence: integrated threat intelligence; threat data sharing
![Page 35: Hvordan stopper du CryptoLocker?](https://reader035.fdocument.pub/reader035/viewer/2022062522/587f28711a28ab121d8b47e7/html5/thumbnails/35.jpg)
Traps Benefits
- Prevent zero-day vulnerabilities and unknown malware
- Install patches on your own schedule
- Protect any application from exploits
- Minimal performance impact
- Save time and money
- Signature-less, no frequent updates
- Network and cloud integration
![Page 36: Hvordan stopper du CryptoLocker?](https://reader035.fdocument.pub/reader035/viewer/2022062522/587f28711a28ab121d8b47e7/html5/thumbnails/36.jpg)
Page 36 repeats the Palo Alto Networks Security Platform diagram from page 5 (Next-Generation Firewall, Advanced Endpoint Protection/TRAPS, Threat Intelligence Cloud; Unknown Files and Query Verdict flows).
![Page 37: Hvordan stopper du CryptoLocker?](https://reader035.fdocument.pub/reader035/viewer/2022062522/587f28711a28ab121d8b47e7/html5/thumbnails/37.jpg)
Next steps
Ultimate Test Drive (UTD): hands-on experience with TRAPS in a group of 6-10 people. Our instructor guides you through various configuration examples.
Demo in your own network: if you are already convinced that TRAPS may be right for you, we can come to you and install a live test in your own network.
Both activities are free of charge.
Contact [email protected] for more information. Add Subject: "Jeg vil være med på kostnadsfri UTD" (I want to join a free UTD) or Subject: "Jeg vil ha kostnadsfri TRAPS-demo i eget nettverk." (I want a free TRAPS demo in my own network.)
![Page 38: Hvordan stopper du CryptoLocker?](https://reader035.fdocument.pub/reader035/viewer/2022062522/587f28711a28ab121d8b47e7/html5/thumbnails/38.jpg)
Thank you
Steinar Aandal-Vanger
Westcon Security, 47 9189 8832