How to Strengthen Data Center Security Without Compromising Application Performance

Starting next week, we will be on the road with VMware and VMUG in the U.S. and Canada to discuss how you can strengthen your data center security without compromising application performance.

Click through to register for one of the below events. Space is limited so sign up now!

Session highlights include:

  • Best practices for implementing advanced security services in a software-defined data center
  • Customer insights for deploying VMware NSX with micro-segmentation on your existing network infrastructure
  • Hands-on experience test-driving an integrated VMware-Palo Alto Networks solution

You can view the full list of events here.

For more

[Palo Alto Networks Blog]

Network Security: The Problem With the Edge

The past decade of cybersecurity has been relentlessly focused on stopping threats at the network edge. The implicit assumption of this approach is that the interior of your network is a trusted zone, and everything outside is untrusted. With this idea in mind, vendors began offering more and more ways to scan traffic at this logical boundary, attempting to detect known threats and, hopefully, taking some type of blocking action against them.

For the better part of the past ten years, this approach was the only one offered, and it did a reasonably good job at keeping organizations safe. Traditional IPS/IDS, stateful firewalls, web security – it all relied on scanning traffic and making binary “yes, no” decisions as it passed through. Typically these decisions were based on known-bad content, so they could only stop what security vendors already knew to be malicious.

Then, adversaries and threats changed. They had been watching, learning, and understood that this “hard outer shell, squishy center” represented a golden opportunity to carry out their objectives. To the adversary, this meant that getting past the edge gave them free rein to move laterally within organizations, finding valuable intellectual property wherever it resides, and exfiltrating it using undetectable protocols. The edge, and the legacy technologies that protected it, had become an easily evaded – and expected – barrier.

This all begs one simple question: Why would you only detect malware at the network edge?

Let’s take a step back and examine how a typical advanced attack works:

• Make an initial compromise via a spear-phishing email, which leads to an infected site with a drive-by download or a malicious attachment.

• This drive-by download exploits a zero-day vulnerability in a browser, or the malicious attachment exploits one in client-side reader software.

• In this case, the attacker has masked his traffic by compromising a benign site or using an exploit that has never been seen before, making it undetectable by traditional solutions.

• The attacker has now established a foothold through this exploited client, a base of operations for future activity.

• From here, the attacker will deliver the actual malicious payload, the so-called second-stage malware. This will often be done over protocols such as FTP, using encryption, over non-standard ports.

• Once the malicious payload has been delivered, the attacker now has free rein to pivot laterally within the organization, moving from the initial client toward their final target.

• Often, they will hop multiple times, and then steal data using evasive means.

In this example, the perimeter has become a trivial “wall” for the adversary to overcome. The combination of unknown threats and persistent action within the organization itself is a very common method for truly advanced attackers.

Now, going back to the initial question: what if your entire organization’s network was able to detect and prevent this attack in multiple places? Not only this, but what if your security devices automatically augmented your security posture by discovering new threats and creating new protections?

Now your infrastructure has become an adaptive security framework that is tailored toward how advanced threats operate today. In order to gain this pervasive functionality, there are a few typical places where security devices can be deployed:

• Internet Edge

• Data Center Edge

• Between Virtual Machines in the Data Center

• On Mobile Devices and Endpoints

With this type of architecture, new threats are being discovered at each location in the network, and protections are created for them. This intelligence is then automatically fed into every single security device, wherever it is deployed. This gives you the advantage, instead of the adversary, as you are now increasing the probability of stopping an attack at each location, at each stage in the attack kill-chain.

The network edge is the ideal location for quickly preventing the vast majority of attacks, but looking forward, you should consider how pervasive deployments can stop the new breed of advanced attack.

Scott Simkin is a Senior Manager in the Cybersecurity group at Palo Alto Networks. He has broad experience across threat research, cloud-based security solutions, and advanced anti-malware products. He is a seasoned speaker on an extensive range of topics, including Advanced Persistent Threats (APTs), presenting at the RSA conference, among others. Prior to joining Palo Alto Networks, Scott spent 5 years at Cisco where he led the creation of the 2013 Annual Security Report amongst other activities in network security and enterprise mobility. Scott is a graduate of the Leavey School of Business at Santa Clara University.

[SecurityWeek]

Palo Alto Networks News of the Week – October 25

We’ve rounded up this week’s Palo Alto Networks news right here.

To aid you in deploying Advanced Endpoint Protection in your network, take a look at this newly released Advanced Endpoint Protection 3.1 documentation.

Unit 42 discussed CryptoWall 2.0, the latest version of this malware family that uses the Tor network for command and control. Learn how you can protect yourself.

Knowledge Is Power: Kate Taylor looks at using cyber scrutiny to defend against phishing attacks and examines how cybersecurity education significantly bolsters an enterprise’s cyber defense.

Unit 42’s Ryan Olson discusses Dridex, the latest descendant of the Bugat/Feodo/Cridex banking Trojan lineage, now being distributed through Word documents, and how to protect yourself against this wave of Dridex attacks.

We were honored with a 2014 STAR Award for Innovation in the Delivery of Support Services. The STAR Awards, which are presented by the Technology Services Industry Association (TSIA), are among the highest honors in the technology services industry.

We wrapped up a big week at VMworld Europe, where we were featured as part of VMware CEO Pat Gelsinger’s keynote address, announcing the latest milestone in our integration with VMware. Check out scenes from the show.

We shared a video of our time at AFCEA TechNet Europe, including feedback from Palo Alto Networks stakeholders and an interview with Maj. Gen. Klaus-Peter Treche (ret), AFCEA EMEA Chair.

We’re on the road across North and South America with Citrix and CA for the next few weeks to talk about how enterprises can streamline virtualized data centers, radically simplify network services for delivering critical applications, and reduce complexity and cost, all without sacrificing performance and security. Join us at an event near you.

It was another successful year at Black Hat Europe, where we met with attendees from more than 40 countries. We captured a few great photos at our booth during the show; check them out here.

We participated in Security Leaders 2014 in Brazil, an annual gathering of about 3,000 security professionals to discuss information security and risk for enterprises. Check out some photos from our time there.

The effective date for CIP version 5 Standards is rapidly approaching and entities are beginning to implement new controls to meet the updated requirements. During this webinar on October 29, Palo Alto Networks expert Del Rodillas, along with experts from EnergySec and ENMAX, will discuss the new requirements and potential technical approaches to meeting compliance obligations.

Palo Alto Networks returns to Infosecurity: The Netherlands on October 29 and 30. Visit our booth to hear about threats hiding in plain sight on your network, plus additional important insights from our 2014 Application Usage and Threat Report.


Here are upcoming events around the world that you should know about:

Datacenter Consolidation Seminar Series – Charlotte, NC

  • When: October 28, 2014 2:30 PM – 6:00 PM EST
  • Where: Charlotte, NC

Datacenter Consolidation Seminar Series – Houston, TX

  • When: October 28, 2014 11:00 AM – 2:30 PM CST
  • Where: Houston, TX

Datacenter Consolidation Seminar Series – Minneapolis, MN

  • When: October 28, 2014 11:00 AM – 2:30 PM CST
  • Where: Eden Prairie, MN

Next-Generation Firewall Live Demo Webinar [Dutch]

  • When: October 28, 2014 1:00 PM – 2:00 PM MEZ
  • Where: Online

Presales Technical Enablement Workshop

  • When: October 28, 2014 9:00 AM – 5:00 PM EST
  • Where: Tampa, FL

Healthcare Webinar [French]

  • When: October 28, 2014 10:30 AM – 11:30 AM EET
  • Where: Online

Hiding in Plain Sight – What’s Really Happening on Your Network [Dutch]

  • When: October 29, 2014 9:30 AM – 5:00 PM EET
  • Where: Utrecht

Next Generation Security Technical Workshop

  • When: October 29, 2014 10:00 AM – 1:00 PM GMT
  • Where: London

Palo Alto Networks: Live Demo

  • When: October 29, 2014 9:00 AM – 10:00 AM PST
  • Where: Online

Palo Alto’s Next-Generation Security – Ultimate Test Drive

  • When: October 29, 2014 9:00 AM – 1:00 PM EST
  • Where: Hanover, MD

Datacenter Consolidation Seminar Series – Raleigh, NC

  • When: October 30, 2014 2:30 PM – 6:00 PM EST
  • Where: Raleigh, NC

Organizing Enterprise Protection Against Advanced Persistent Threats (APT) [Russian]

  • When: October 30, 2014 10:30 AM – 12:00 PM GMT+4:00
  • Where: Online

Datacenter Consolidation Seminar Series – Anaheim, CA

  • When: November 4, 2014 11:00 AM – 1:30 PM PST
  • Where: Anaheim, CA

Datacenter Consolidation Seminar Series – Denver, CO

  • When: November 4, 2014 11:00 AM – 2:30 PM MST
  • Where: Denver, CO

Datacenter Consolidation Seminar Series – Edmonton, AB

  • When: November 4, 2014 11:00 AM – 2:30 PM MST
  • Where: Edmonton, AB

Datacenter Consolidation Seminar Series – Seattle, WA

  • When: November 4, 2014 11:00 AM – 1:30 PM PST
  • Where: Seattle, WA

Palo Alto Networks & Westcon Security Seminar [Italian]

  • When: November 4, 2014 10:00 AM – 2:30 PM CET
  • Where: Roma

Datacenter Consolidation Seminar Series – Calgary, AB

  • When: November 5, 2014 11:00 AM – 1:00 PM MST
  • Where: Calgary, AB

Datacenter Consolidation Seminar Series – Dallas, TX

  • When: November 5, 2014 11:00 AM – 1:00 PM CST
  • Where: Dallas, TX

Expose the Underground with Palo Alto Networks

  • When: November 5, 2014 6:00 PM – 8:00 PM EST
  • Where: Nashville, TN

Experience the Power of Next-Generation Firewalls [Norwegian]

  • When: November 5, 2014 1:00 PM – 2:00 PM MEZ
  • Where: Online

Palo Alto Networks: Live Demo

  • When: November 5, 2014 9:00 AM – 10:00 AM PST
  • Where: Online Event

Advanced Endpoint Protection with Palo Alto Networks

  • When: November 6, 2014 1:30 PM – 2:30 PM PST
  • Where: Online

Datacenter Consolidation Seminar Series – Cleveland, OH

  • When: November 6, 2014 11:00 AM – 1:00 PM EST
  • Where: Independence, OH

Datacenter Consolidation Seminar Series – Portland, OR

  • When: November 6, 2014 11:00 AM – 1:00 PM PST
  • Where: Portland, OR

Datacenter Consolidation Seminar Series – Scottsdale, AZ

  • When: November 6, 2014 11:00 AM – 1:00 PM MST
  • Where: Scottsdale, AZ

Datacenter Consolidation Seminar Series – Vancouver, BC

  • When: November 6, 2014 11:00 AM – 1:00 PM PST
  • Where: Vancouver, BC

Safe Application Enablement with Palo Alto Networks

  • When: November 6, 2014 10:00 AM – 11:00 AM PST
  • Where: Online

November 7 (Fri) Product Hands-on Seminar [Japanese]

  • When: November 7, 2014 1:30 PM – 5:00 PM GMT+9:00
  • Where: Chiyoda-ku, Tokyo

[Palo Alto Networks Blog]

Dridex Banking Trojan Distributed Through Word Documents

Dridex, the latest descendant of the Bugat/Feodo/Cridex banking Trojan lineage, has been a constant source of attacks since its release in July. To date, Dridex has centered on sending executable attachments via e-mail. That seems to have changed this week, as we’ve seen a tactical shift to sending those executables via Microsoft Word documents loaded with macros that download and execute the malware.

Like its precursors, Dridex is a sophisticated Banking Trojan, similar to the infamous Zeus malware. Its core functionality is to steal credentials of online banking websites and allow a criminal to use those credentials to initiate transfers and steal funds. Dridex uses an XML-based configuration file to specify which websites it should target and other options for the malware. For instance, the configuration specifies which websites to capture form submissions from, and which to ignore with the following XML.

<formgrabber>
  <url type="deny">\.(swf)($|\?)</url>
  <url type="deny">/isapi/ocget.dll</url>
  <url type="allow">^https?://aol.com/.*/login/</url>
  <url type="allow">^https?://accounts.google.com/ServiceLoginAuth</url>
  <url type="allow">^https?://login.yahoo.com/</url>
  <url type="allow">^https?://login.live.com/</url>
  <url type="deny">^https?://(\w+\.)?aol.com</url>
  <url type="deny">^https?://(\w+\.)?facebook.com/</url>
  <url type="deny">^https?://(\w+\.)?google</url>
  <url type="deny">^https?://(\w+\.)?yahoo</url>
  <url type="deny">^https?://(\w+\.)?youtube.com</url>
  <url type="deny">^https?://(\w+\.)?live.com</url>
  <url type="deny">^https?://(\w+\.)?twitter.com</url>
  <url type="deny">^https?://(\w+\.)?vk.com</url>
  <url type="deny">^https.*ocsp\..+$</url>
  <url type="deny">^https.*safebrowsing\..+$</url>
  <url type="deny">^https?://fhr\.data\.mozilla\.com</url>
  <url type="deny">^https://s.*\.symcd\.com</url>
  <url type="deny">^https://s.*\.symcb\.com</url>
  <url type="deny">^https.*ocsp2\..+$</url>
  <url type="deny">localhost.+skypectoc/.+$</url>
  <url type="deny">\.messenger\.live\.com</url>
  <url type="deny">pipe\.skype\.com</url>
  <url type="deny">\.optimatic\.com</url>
  <url type="deny">hiro\.tv</url>
  <url type="deny">spotxchange\.com</url>
  <url type="deny">nielsen\.com</url>
  <url type="deny">mapquest\.com</url>
  <url type="deny">^https://.+\.skype\.com/api/</url>
  <url type="deny">(//|\.)lphbs.com</url>
  <url type="deny">(//|\.)zynga.com</url>
</formgrabber>
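To make the allow/deny list above concrete for analysts, here is an added example (not code from the post or from Unit 42) that loads the quoted formgrabber block with Python's standard library and reports, for any URL, whether the configuration would treat a form submission to it as a capture target or ignore it, along with the rule that decided. Two points are assumptions, not facts stated in the post: rules are evaluated first-match-wins in file order (the only reading under which the early allow entries for login pages make sense against the broader deny entries for the same domains that follow them), and a URL matching no rule is captured. The curly quotes in the blog rendering are replaced with the straight ASCII quotes an XML parser requires.

```python
import re
import xml.etree.ElementTree as ET

# The <formgrabber> block quoted in the post, with straight quotes so that
# a standards-compliant XML parser accepts it.
FORMGRABBER_XML = r"""<formgrabber>
<url type="deny">\.(swf)($|\?)</url>
<url type="deny">/isapi/ocget.dll</url>
<url type="allow">^https?://aol.com/.*/login/</url>
<url type="allow">^https?://accounts.google.com/ServiceLoginAuth</url>
<url type="allow">^https?://login.yahoo.com/</url>
<url type="allow">^https?://login.live.com/</url>
<url type="deny">^https?://(\w+\.)?aol.com</url>
<url type="deny">^https?://(\w+\.)?facebook.com/</url>
<url type="deny">^https?://(\w+\.)?google</url>
<url type="deny">^https?://(\w+\.)?yahoo</url>
<url type="deny">^https?://(\w+\.)?youtube.com</url>
<url type="deny">^https?://(\w+\.)?live.com</url>
<url type="deny">^https?://(\w+\.)?twitter.com</url>
<url type="deny">^https?://(\w+\.)?vk.com</url>
<url type="deny">^https.*ocsp\..+$</url>
<url type="deny">^https.*safebrowsing\..+$</url>
<url type="deny">^https?://fhr\.data\.mozilla\.com</url>
<url type="deny">^https://s.*\.symcd\.com</url>
<url type="deny">^https://s.*\.symcb\.com</url>
<url type="deny">^https.*ocsp2\..+$</url>
<url type="deny">localhost.+skypectoc/.+$</url>
<url type="deny">\.messenger\.live\.com</url>
<url type="deny">pipe\.skype\.com</url>
<url type="deny">\.optimatic\.com</url>
<url type="deny">hiro\.tv</url>
<url type="deny">spotxchange\.com</url>
<url type="deny">nielsen\.com</url>
<url type="deny">mapquest\.com</url>
<url type="deny">^https://.+\.skype\.com/api/</url>
<url type="deny">(//|\.)lphbs.com</url>
<url type="deny">(//|\.)zynga.com</url>
</formgrabber>"""


def load_rules(xml_text):
    """Parse a <formgrabber> block into an ordered list of (type, regex).

    Order is preserved because the matching below is first-match-wins
    (an assumption about the format, see the lead-in).
    """
    root = ET.fromstring(xml_text)
    if root.tag != "formgrabber":
        raise ValueError(f"expected <formgrabber>, got <{root.tag}>")
    rules = []
    for node in root.findall("url"):
        kind = node.get("type")
        if kind not in ("allow", "deny"):
            raise ValueError(f"unknown rule type: {kind!r}")
        if not node.text:
            raise ValueError("empty <url> pattern")
        rules.append((kind, re.compile(node.text)))
    return rules


def classify(url, rules, default="allow"):
    """Return (verdict, pattern) for a URL.

    verdict is "allow" (form data would be captured) or "deny" (ignored);
    pattern is the source of the rule that fired, or None when the default
    applied. Capture-by-default for unmatched URLs is an assumption.
    """
    for kind, pattern in rules:
        if pattern.search(url):
            return kind, pattern.pattern
    return default, None


def rule_counts(rules):
    """Count allow and deny entries, handy when diffing config versions."""
    counts = {"allow": 0, "deny": 0}
    for kind, _ in rules:
        counts[kind] += 1
    return counts


if __name__ == "__main__":
    rules = load_rules(FORMGRABBER_XML)
    print(rule_counts(rules))
    # Constructed sample URLs; the .test hosts are placeholders.
    for url in ("https://login.yahoo.com/",
                "https://www.yahoo.com/",
                "https://cdn.example.test/player.swf?v=3",
                "https://example-bank.test/login"):
        verdict, pattern = classify(url, rules)
        print(f"{verdict:5}  {url}  <- {pattern}")
```

The pattern returned alongside the verdict is what makes this useful during triage: when a new configuration is pulled from a sample, feeding your organization's own login URLs through classify shows immediately which ones the malware would have harvested, and the deny entries for OCSP, safe-browsing and telemetry hosts illustrate how the operators trim noise from what the bot sends home.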

The first wave of this attack began on October 21, with e-mails claiming to carry invoices from Humber Merchant’s group. On October 22 and 23 (and today) we’ve seen new brands abused, but the e-mails continued to use invoice themes. The organizations we’ve seen receiving these files break down into the following countries.

With this latest wave, WildFire has detected nine distinct Word documents, each of which uses the same technique to install Dridex. The Word documents contain a complex VBA macro that downloads an executable from one of the following URLs and executes it on the system.

These are all legitimate websites that appear to be compromised by the actors running this Dridex campaign. The files are each different versions of the Dridex malware that communicate with their command and control servers over HTTP. Kimberly from StopMalvertising has a great article on how this communication process works and allows Dridex to download its main criminal components.

While the latest attack began this week, Dridex has been in the wild since late July, and since then our WildFire system has been detecting Dridex variants very effectively. As a result, we pulled data on all of the malware we’ve seen talking to known Dridex command and control servers to get an idea of the volume of Dridex activity since its release. Abuse.ch operates the Feodo Tracker, which tracks these servers and those used by earlier versions of the Trojan.

While the latest attacks are certainly significant, the volume we’ve observed has been much lower than in July and August when the first variants of Dridex were first observed.

You can protect yourself against this wave of Dridex attacks by disabling macros in Microsoft Word. Macro-based malware has been around for well over a decade. Most organizations should have macros disabled by default, enabling them only for trusted files.

[Palo Alto Networks Blog]

CIP Version 5 Approaches: How Best to Secure Energy Utilities

The effective date for CIP version 5 Standards is rapidly approaching and entities are beginning to implement new controls to meet the updated requirements.

Palo Alto Networks expert Del Rodillas, along with experts from EnergySec and ENMAX will discuss the new requirements and potential technical approaches to meeting compliance obligations.

Register now, and see full details below:

CIP Version 5 Standards: Electronic Security Perimeters and Interactive Remote Access

  • Wednesday, October 29, 2014, 10 a.m. PT / 1 p.m. ET
  • Register now.

For more on Palo Alto Networks solutions for ICS, SCADA and utilities

[Palo Alto Networks Blog]
