New Traps v3.4 Features Improve Protection in Healthcare Environments

With all the recent ransomware attacks, the healthcare industry can use some help in the area of endpoint security. As we’ve seen in the past few months in ransomware attacks on hospitals in Washington, California and Kentucky, malware and software exploits are commonly used together by malware operators to deliver a payload and compromise a system or, worse, a group of systems at the same time. As part of Palo Alto Networks Next-Generation Security Platform, Traps advanced endpoint protection plays a key role in a cyberattack prevention strategy by preventing malware and exploits. Traps was recently enhanced and now uses a “multi-method prevention” approach that combines the most effective, purpose-built malware and exploit prevention methods to protect endpoints from known and unknown threats.

Let’s look at Traps capabilities and highlight several new ones recently added to Traps v3.4 that eliminate the need for a traditional antivirus, and are especially beneficial to healthcare organizations.

Traps multi-method prevention for malware incorporates the following five techniques:

1. Static Analysis via Machine Learning: (new for v3.4): This malware prevention method evaluates an executable file before it is allowed to run by examining several characteristics of the file itself to determine if it is likely to be malicious or benign. The threat intelligence available through WildFire is used to train a machine learning model to recognize malware, especially variants that have never been seen before, with high accuracy.

Medical practitioners are increasingly working remotely and disconnected from the hospital network. This new method of analysis is especially effective in healthcare environments, for this reason, as offline devices cannot take advantage of the multiple prevention methods that are available through WildFire.

2. Quarantine of malicious executables (new for v3.4): Prior versions of Traps killed malicious processes. Traps v3.4 now immediately removes malicious files to prevent further propagation or execution attempts of infected files.

3. WildFire Inspection and Analysis: Traps works with WildFire to determine whether an executable file is malicious. WildFire can eliminate the threat of the unknown by transforming it into known, in about 300 seconds. The automatic reprogramming of Traps, and the conversion of threat intelligence into prevention, all but eliminates the opportunity for an attacker to use unknown and advanced malware to infect a system.

4. Trusted Publisher Execution Restrictions (new for v3.4): This malware prevention method allows healthcare organizations to identify executable files that are among the “unknown good” because they are published and digitally signed by trusted publishers, or entities that Palo Alto Networks recognize as reputable software publishers (i.e., Microsoft). These executable files are considered benign and, therefore, allowed to run.

Hospitals will often have a number of self-signed applications in their environment. Now you can optionally select to trust certain untrusted signers (like your local signature authority). Any unsigned apps or untrusted signers are tested with other capabilities, like WildFire and local analysis.

5. Policy-Based Execution Restrictions: Healthcare organizations can easily define policies to restrict specific execution scenarios, thereby reducing the attack surface of any environment. An example would be to prevent the execution of a particular file type directly from a USB drive.

6. Admin Override Policies: This method allows healthcare organizations to define policies, based on the hash of an executable file, to control what is allowed to run in any environment and what is not.

Traps Multi-Method Prevention for Exploit Prevention includes the following three approaches:

1. Memory Corruption/Manipulation Prevention: Memory corruption is a category of exploitation techniques where the exploit manipulates the operating system’s normal memory management mechanisms for the application opening the weaponized data file that contains the exploit. This prevention method recognizes and stops these exploitation techniques before they have a chance to subvert the application.

2. Logic Flaw Prevention: Logic flaw is a category of exploitation techniques that allow the exploit to manipulate the operating system’s normal processes that are used to support and execute the target application opening the weaponized data file. For example, the exploit may alter the location where dynamic link libraries (DLLs) are loaded from into an application’s execution environment so that the exploit’s malicious DLLs can replace legitimate ones. This prevention method recognizes these exploitation techniques and stops them before they succeed.

3. Malicious Code Execution Prevention: In most cases, the end goal of an exploit is to execute some arbitrary code — the attacker’s commands that are embedded in the exploit data file. This prevention method recognizes the exploitation techniques that allow the attacker’s malicious code to execute and blocks them before they succeed.

Biggest Benefits of Using Traps in Healthcare Environments

• Traps mitigates risks of EoL operating systems: Although efforts were launched in many hospitals to upgrade or replace end-of-life operating systems running on hospital workstations (Windows XP and Server 2003), there are still many in service today. Those machines most likely have not been removed yet due to application dependencies. Traps can be installed as a compensating control to EoL operating systems by preventing the exploitation of both known and unknown vulnerabilities.
• Traps mitigates risks of falling behind in your patch management: Software patch management of endpoints is an ongoing challenge for healthcare institutions. Keeping up to date with the monthly Adobe Acrobat, Flash and Microsoft patches is a very complicated task and many fall behind. Although you should still patch monthly, Traps offers protection from exploitation of both known and unknown vulnerabilities in case you fall behind.
• Traps may be accepted as a PCI compensating control: Many customers tell us that their PCI qualified security assessor (QSA) accepts Traps as a compensating control for unpatched systems. Talk to your QSA to see if they will accept it too.

Learn more about Traps:

• Read the “Protect Yourself From Antivirus” whitepaper
• How Traps Helps You Achieve HIPAA Compliance
• How Traps Helps You Achieve PCI Compliance

Matt Mellen

[Palo Alto Networks Research Center]