Ignite 2016 Day 1: The Future of Breach Prevention Starts Here

Welcome back to The Cosmopolitan in Las Vegas, where the biggest, boldest, best installment yet of Ignite Conference is already in full swing. Over the next few days, watch this space and follow along on Twitter (@Ignite_Conf and #IgniteConf16) for all the action. For starters, here’s a look at opening day:

Read on for news, photos and updates from the first day of Ignite 2016 and what’s to come on Day 2 and Day 3.

Welcome Back

Ignite 2016 kicked off Sunday with pre-conference Ultimate Test Drives and hands-on workshops designed for security practitioners boning up on the Palo Alto Networks Next-Generation Security Platform. Heading into Monday, we tackled the big questions around how to create an intelligence-led security program, how to create and maintain a disruptive endpoint protection system, how to address IT-OT integration and regulatory compliance in the utilities sector, and many more topics that will continue to drive the cybersecurity conversation this year.

Finally, we convened for a hearty opening reception – and inducted no fewer than eight new books into the Cybersecurity Canon, our hall-of-fame for cybersecurity literature. (Read all about the Cybersecurity Canon and this year’s inductees.)

Today’s Announcements

Coming Up Tomorrow

  • Join us in the general session for some very special guests, including Anthony Zuiker, creator of TV’s CSI franchise, actor and former White House official Kal Penn, and Mark McLaughlin, Lee Klarich and Nir Zuk from Palo Alto Networks
  • The first of two Cyber Range exercises, sponsored by The Wall Street Journal, kicks off at 12:30pm PT. Follow along with all the action using the #IgniteRanger hashtag!
  • Check out more of our tracks and breakout sessions and get psyched for our Tuesday evening event

Stuff For You

Getting Social at Ignite!

See below for some top snaps from the opening day of Ignite 2016 as well as social chatter. You can check out a full gallery of Ignite 2016 photos on our Facebook page – check back for daily updates!

[Palo Alto Networks Research Center]

NextWave Program Evolution, Redefining Next-Generation Security Provider Engagement

It is a great honor to share that Palo Alto Networks recently conducted a global partner satisfaction survey where we achieved a Partner Net Promoter Score of 58 (a score of 50 or higher is considered excellent). To all the partners reading this, thank you! This achievement underscores the strong ties we’ve built with you; the game-changing differentiation of our Next-Generation Security Platform; and, our steadfast commitment to continue evolving our NextWave partner program.

It inspires us to keep redefining how we engage with and enable you to become next-generation security innovators – experts equipped to help mutual customers around the globe prevent successful cyber breaches.

It goes without saying that the cyberthreat landscape is constantly evolving. Today, many different vendors are clamoring about how their pseudo “platforms” – often legacy technologies cobbled together – are the best way for customers to protect themselves against the latest threats. In all of this noise, analysis of some of our most successful partners’ practices indicates that the best way for you to help your customers sift through what’s real and what’s not is through side-by-side technical comparisons.

Our partners who have the expertise to assist in the technical evaluations by becoming next-generation security innovators create deeper relationships with their customers and are more profitable.

With the newest updates to our NextWave Channel Partner Program, we are committed to helping enable this, fostering your success not just by enabling technical differentiation and specializations, but also by enhancing your profitability opportunities, simplifying the way we interact with and support you, and helping you build sustainable, breach prevention-focused security practices. Below are highlights of note in each of these areas.

New differentiation and specializations so you can scale and strengthen your expertise in our technology and become next-generation security innovators:

  • Pre-sales training added to our enablement framework
  • Comprehensive set of pre-sales, sales and post-sales individual accreditations and certifications
  • Nine pre-sales specializations with different levels and expertise by role
  • Roles: foundation, associate and professional
  • Expertise: cybersecurity, platform, endpoint, mobile, data center, platform, cybersecurity and data center.
  • TRAPS advanced endpoint specialization
  • Partners who achieve this will be granted the highest deal registration protection (up to 25 percent) for one year.

New profitability opportunities to achieve higher deal closure rates and reduce cost of doing business include:

  • Improved Diamond and Platform partner margins that reward partners who exceed quarterly growth targets
  • Predictable NFR discounts based on NextWave level
  • Real-time reporting on the utilization of NFR equipment, NFR return-on-investment and proof-of-concept activities

New loyalty features make it easier to invest in and grow with Palo Alto Networks:

  • Simplified partner framework with new Silver-level requirements
  • Global availability of the highest NextWave Diamond-level partner status
  • An upgraded deal registration system
  • Updated Partner Learning Center
  • New renewals platform

We are pleased to bring these updates to the program and are dedicated to continue helping drive the development of our next-generation security partners and innovators around the globe!

For more information about the updates to the program, please go to our Partner Portal, NextWave Channel Partner Program page where you can find requirement details, overview presentation and partner webcast replay.

[Palo Alto Networks Research Center]

Palo Alto Networks and PwC: Enabling Prevention-focused Cybersecurity

Earlier today at Ignite 2016, our annual user conference, we announced that we are joining forces with PwC’s Cybersecurity Practice to help customers establish security architectures, organizational structures and computing processes optimized to prevent cyber breaches.

Together, we are designing a next-generation security framework to guide customers through establishing a breach prevention-oriented security architecture. This framework incorporates the latest advances in security technology and addresses the modern threat landscape.

To learn more about our partnership, visit Palo Alto Networks & PwC page to read the press release, download an executive overview, and register for a webinar featuring the security framework.

[Palo Alto Networks Research Center]

‘Creating Audit Programs’ White Paper Introduces Template Redesign

With the release of its white paper Information Systems Auditing Tools and Techniques: Creating Audit Programs, ISACA describes the basic steps to create an audit program. This white paper is part of a series created to deliver practical guidance on how to perform an audit engagement—from planning to reporting and closing—that is consistent with ISACA Auditing Standards (ITAF) as well as those issued by the Public Company Accounting Oversight Board (PCAOB), the Institute of Internal Auditors (IIA), and the American Institute of Certified Public Accountants (AICPA).

Information systems (IS) audits help enterprises ensure effective, efficient, secure and reliable operation of information technology. Audits can also help confirm compliance with numerous legal and administrative regulations, and help management determine if the business is functioning well and meeting challenges. Most importantly, audits assure stakeholders of the organization’s financial, operational and ethical well-being. All of these outcomes are supported by IS audits, especially the information and related technology and systems that most businesses and public institutions rely upon for a competitive advantage.

An important component of the audit plan is the audit program. Audit programs are commonly used to document the specific procedures and steps of testing and verifying control effectiveness. The audit program’s quality has significant impact on the consistency and quality of the audit results, so it is imperative that IS auditors understand how to develop comprehensive audit programs.

The many benefits of an effective audit depend on proper and thorough planning of the audit engagement. To make this happen, the auditor and the area being audited must understand and accept the scope and objective of the audit. Once the purpose is defined, the next step is to create an audit plan that captures the agreed scope, objectives and procedures required to get the relevant, reliable and sufficient evidence to draw and support audit conclusions and opinions.

To demonstrate the process described in the white paper, ISACA has released a sample audit and assurance program developed using a five-step process to gather the necessary information to define the audit subject, objective, scope and audit methodology. The sample audit program for a virtual private network can be customized to create a specific audit and assurance program tailored to your unique needs.

The documents are intended for IT audit professionals who are either new to the profession and preparing for the Certified Information Systems Auditor (CISA) certification, or who simply want to brush up on their skills.

To learn more see the white paper here.

Eva Sweet, Technical Research Manager, ISACA

[ISACA Now Blog]

How the EITest Campaign’s Path to Angler EK Evolved Over Time

In October 2014, Malwarebytes identified a campaign based on thousands of compromised websites that kicked off an infection chain to Angler exploit kit (EK). It was named the “EITest” campaign, because “EITest” was a variable consistently found in injected scripts across all of the compromised websites. Malwarebytes noted some changes in this campaign in 2015 and 2016.

Like others in the cybersecurity threat research community, we have been tracking the EITest campaign. This blog post focuses on network traffic and how indicators have changed over time.

The Evolution of EITest

We first saw traffic related to this campaign in September 2014. Since then, patterns for injected script in the compromised websites have remained consistent. Only the URLs and variable names have changed.

Figure 1: Injected script from the EITest campaign in September 2014.

Figure 2: Injected script from the EITest campaign in March 2016.

The EITest gate occasionally changes IP addresses, but since January 2016 this campaign has used the 85.93.0.0/24 block. So far this year, the TLD for these domains has most often been .tk, but other TLDs are also used. Below is a list of the date, IP address and domain we have seen for the EITest gate URL:

  • 2014-09-22: 148.251.56[.]156 – flv.79highstreet.co[.]uk
  • 2014-10-02: 148.251.56[.]156 – fix-mo[.]tk
  • 2015-06-08: 194.15.126[.]7 – joans[.]ga
  • 2015-11-10: 31.184.192[.]206 – ymest[.]ml
  • 2015-12-04: 31.184.192[.]206 – vecexeze[.]tk
  • 2016-01-19: 85.93.0[.]32 – feedero[.]tk
  • 2016-01-25: 85.93.0[.]32 – http://www.bobibo[.]tk
  • 2016-01-26: 85.93.0[.]32 – en.robertkuzma[.]com
  • 2016-02-03: 85.93.0[.]32 – vyetbr[.]tk
  • 2016-02-10: 85.93.0[.]32 – dofned[.]tk
  • 2016-02-15: 85.93.0[.]32 – zeboms[.]tk
  • 2016-02-18: 85.93.0[.]32 – 14s.syte4[.]com
  • 2016-03-04: 85.93.0[.]33 – vovevy[.]tk
  • 2016-03-07: 85.93.0[.]33 – nixsys[.]tk
  • 2016-03-09: 85.93.0[.]33 – mvcvideo[.]tk
  • 2016-03-14: 85.93.0[.]33 – bab.aba98[.]com
  • 2016-03-29: 85.93.0[.]34 – folesd[.]tk

When we first noticed the EITest gate in September 2014, the URL format was: [domain]/player.php?pid=[long hexadecimal string]. Sometime in 2015, player.php switched to [random word].php and ?pid changed to ?sid. By mid-February 2016, the EITest gate URL experienced more drastic changes. See figure 3 for details.

Figure 3: Changes in EITest gate URLs since 2016-02-15.

Flash File for Redirection

The EITest gate URL continues to return a Flash file that redirects traffic to Angler EK. This gate URL always generates two HTTP GET requests. The first request retrieves the Flash file and the second request returns script pointing to an Angler EK landing page.

Figure 4: First HTTP GET request to EITest gate returns a Flash file.

Figure 5: Second HTTP GET request to EITest gate returns script pointing to Angler EK.
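The gate indicators listed above (the 85.93.0.0/24 block, the gate domains, and the player.php?pid= / [word].php?sid= URL shapes) together with the Flash-then-script request pair described in this section can be turned into a simple proxy-log check. The following is an added example written for this digest, not code from the original post or from Palo Alto Networks; the log line format, the client addresses and the sample lines are constructed, and the minimum hexadecimal length for the pid value and the 2016 URL format (shown only in Figure 3) are assumptions.

```python
"""Match proxy log lines against the EITest gate indicators from the post.

Added example (not from the original post). Log format is constructed:
  <timestamp> <client_ip> <dst_ip> <method> <url> <status> <content_type>
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Indicators copied from the post's list. Domains stay defanged as printed
# on the page and are refanged only for matching.
EITEST_GATE_BLOCK = ipaddress.ip_network("85.93.0.0/24")
EITEST_GATE_DOMAINS_DEFANGED = [
    "flv.79highstreet.co[.]uk", "fix-mo[.]tk", "joans[.]ga", "ymest[.]ml",
    "vecexeze[.]tk", "feedero[.]tk", "www.bobibo[.]tk", "en.robertkuzma[.]com",
    "vyetbr[.]tk", "dofned[.]tk", "zeboms[.]tk", "14s.syte4[.]com",
    "vovevy[.]tk", "nixsys[.]tk", "mvcvideo[.]tk", "bab.aba98[.]com", "folesd[.]tk",
]


def refang(indicator):
    """Turn the page's defanged notation (example[.]tk) back into a hostname."""
    return indicator.replace("[.]", ".")


EITEST_GATE_DOMAINS = {refang(d) for d in EITEST_GATE_DOMAINS_DEFANGED}

# URL shapes named in the post: /player.php?pid=<long hex> (2014) and
# /<word>.php?sid=... (2015). A 32-hex-char minimum for pid is an assumption;
# the post only says "long hexadecimal string". The post-Feb-2016 shape is
# shown only in a figure and is not modelled here.
GATE_PATH_2014 = re.compile(r"^/player\.php$")
GATE_PATH_2015 = re.compile(r"^/[a-z]+\.php$")
HEX_PID = re.compile(r"^[0-9a-f]{32,}$")

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<dst>\S+) (?P<method>\S+) "
    r"(?P<url>\S+) (?P<status>\d{3}) (?P<ctype>\S+)$"
)


def indicators_for(dst_ip, url):
    """Return (strong, weak) reasons a single request looks like the EITest gate.

    IP block and domain matches are strong; a URL shape alone is weak because
    plenty of benign sites serve /<word>.php?sid=... URLs.
    """
    strong, weak = [], []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    try:
        if ipaddress.ip_address(dst_ip) in EITEST_GATE_BLOCK:
            strong.append("dst in 85.93.0.0/24")
    except ValueError:
        pass  # not an IP address; skip the block check
    if host in EITEST_GATE_DOMAINS:
        strong.append("known gate domain")
    query = parse_qs(parts.query)
    if GATE_PATH_2014.match(parts.path) and HEX_PID.match(query.get("pid", [""])[0]):
        weak.append("2014 gate URL shape")
    elif GATE_PATH_2015.match(parts.path) and "sid" in query:
        weak.append("2015 gate URL shape")
    return strong, weak


def scan(lines):
    """Flag matching requests, plus the Flash-then-script pair from one host."""
    hits = []
    seen_flash = {}  # (client, host) -> timestamp of the Flash response
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        host = (urlsplit(d["url"]).hostname or "").lower()
        strong, weak = indicators_for(d["dst"], d["url"])
        key = (d["client"], host)
        if d["ctype"] == "application/x-shockwave-flash":
            seen_flash[key] = d["ts"]
        elif key in seen_flash and d["ctype"] in ("text/html", "application/javascript"):
            strong.append("script response after Flash from same host")
        if strong or weak:
            hits.append({"ts": d["ts"], "client": d["client"], "host": host,
                         "confidence": "high" if strong else "low",
                         "reasons": strong + weak})
    return hits


# Constructed sample log: two gate sessions and one benign request.
SAMPLE_LOG = """\
2014-09-22T14:02:11 10.0.0.5 148.251.56.156 GET http://fix-mo.tk/player.php?pid=0123456789abcdef0123456789abcdef 200 application/x-shockwave-flash
2014-09-22T14:02:12 10.0.0.5 148.251.56.156 GET http://fix-mo.tk/player.php?pid=0123456789abcdef0123456789abcdef 200 text/html
2016-01-19T09:30:00 10.0.0.7 85.93.0.32 GET http://feedero.tk/video.php?sid=a1b2c3 200 application/x-shockwave-flash
2016-01-19T09:30:01 10.0.0.7 85.93.0.32 GET http://feedero.tk/video.php?sid=a1b2c3 200 application/javascript
2016-01-19T09:31:00 10.0.0.7 93.184.216.34 GET http://example.com/index.php?sid=42 200 text/html
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit["ts"], hit["client"], hit["host"], hit["confidence"], hit["reasons"])
```

The split into strong and weak reasons is the point worth keeping if you adapt this: the IP block and domain list are the durable part of the post's data, while the URL shapes changed twice in the campaign's lifetime and will produce false positives on their own, so they only raise confidence when paired with a known gate host or with the two-request Flash/script pattern.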

Differences in Angler EK Used by This Campaign

The Angler EK used by this campaign is somewhat different from the Angler EK seen with other actors. Campaigns like pseudo-Darkleech tend to distribute ransomware such as CryptoWall or TeslaCrypt. However, the group behind EITest pushes a variety of malware. Below are examples of Angler EK infections caused by the EITest campaign, with the date and the associated malware.

  • 2014-09-22: Vawtrak
  • 2014-10-02: Pushdo.s
  • 2015-06-08: Vawtrak
  • 2015-11-10: Tinba
  • 2015-12-04: TeslaCrypt
  • 2016-01-19: Bedep and Kovter.B
  • 2016-01-25: Fareit/Pony and Pushdo.s
  • 2016-01-26: Bedep and TeslaCrypt
  • 2016-02-03: HydraCrypt
  • 2016-02-10: Ursnif variant
  • 2016-02-15: TeslaCrypt
  • 2016-02-18: TeslaCrypt
  • 2016-03-03: TeslaCrypt
  • 2016-03-04: dropper, possible Andromeda
  • 2016-03-07: dropper, undetermined
  • 2016-03-09: TeslaCrypt
  • 2016-03-14: Zeus variant
  • 2016-03-29: Bedep and possible Neutrino/Andromeda malware

Conclusion

The EITest campaign has been active since at least September 2014. Patterns of injected scripts sent by the websites compromised in this campaign have remained fairly static. However, the gate URL has evolved considerably since the campaign first started. The EITest gate leads to Angler EK and delivers a variety of malware. This campaign is not limited to ransomware like other campaigns that use Angler EK.

Palo Alto Networks customers are protected from the EITest campaign through our next-generation security platform. Associated domains have been flagged as malicious in Threat Prevention, and WildFire classifies the Flash files used in this campaign as malicious.

[Palo Alto Networks Research Center]
