Traps v3.4: New Features Help Prevent Cyberattacks on Banks

In recent months, reports of several breaches at SWIFT (Society for Worldwide Interbank Financial Telecommunications) member banks have come to light. Across these incidents, local security was compromised, and valid credentials were stolen and used to initiate fraudulent transfers.

These attacks bear the hallmarks of an account takeover (ATO), in which a cybercriminal impersonates a valid customer. Some of the best practices to combat ATO include patching security vulnerabilities, network segmentation, and multi-factor authentication. Among financial institutions – especially the larger ones — timely software patching has been a challenge due to rigorous testing requirements, limited change windows, and the sheer quantity and geographically dispersed nature of the laptops, desktops and servers. Although there is growing interest in network segmentation for cybersecurity, actual implementations are rare as most institutions still have flat networks. Multi-factor authentication is common for remote access to the corporate network but is atypical inside the perimeter.

Combating ATO Attacks

Since some of the best practices to address ATO tactics are not in place at many financial institutions, another approach is to use advanced endpoint protection on the laptops, desktops and servers themselves. These devices are the focus of at least two phases of the typical cyberattack lifecycle. End users and their devices are targeted by spear-phishing, drive-by downloads and social engineering. Exploits and malware are introduced to compromise the endpoint. The cybercriminal then uses this as a beachhead to hunt for valuable information or compromise other vulnerable systems (servers) within the network. In financial institutions, antivirus solutions have been a staple for many years on endpoint devices but have proven to be ineffective in protecting them as security breaches are still on the rise.

Multi-Method Prevention

Thanks to recent enhancements, Traps (version 3.4) now uses a multi-method prevention approach that combines the most effective, purpose-built malware and exploit prevention methods to protect endpoints from known and unknown threats. As financial institutions continue to be a favorite target for cyberattacks, improving advanced endpoint protection is well worthwhile. Traps prevents end users from inadvertently running malware or exploits that compromise their systems.

Traps multi-method prevention for malware includes the following five techniques.

1. Static Analysis via Machine Learning: This method delivers an instantaneous verdict on any unknown executable file before it is allowed to run. By examining hundreds of the file’s characteristics in a fraction of a second, this method determines if it is likely to be malicious or benign without reliance on signatures, scanning or behavioral analysis.
2. WildFire Inspection and Analysis. Traps works in concert with WildFire to determine whether an executable file is malicious. WildFire can eliminate the threat of the unknown by transforming it into known, in about 5 minutes. The automatic reprogramming of Traps, and conversion of threat intelligence into prevention, all but eliminates the opportunity for an attacker to use unknown and advanced malware to infect a system.
3. Trusted Publisher Execution Restrictions: This method allows organizations to identify executable files that are among the “unknown good” because they are published and digitally signed by entities that Palo Alto Networks recognizes as reputable software publishers.
4. Policy-Based Execution Restrictions: Organizations can easily define policies to restrict specific execution scenarios, thereby reducing the attack surface of any environment. An example would be to prevent the execution of a particular file type directly from a USB drive.
5. Admin Override Policies: This method allows organizations to define policies, based on the hash of an executable file, to control what is allowed to run in any environment and what is not.

For multi-method exploit prevention, Traps provides the following approaches:

1. Memory Corruption/Manipulation Prevention: Memory corruption is a category of exploitation techniques where the exploit manipulates the operating system’s normal memory management mechanisms for the application opening the weaponized data file that contains the exploit. This prevention method recognizes and stops these exploitation techniques before they have a chance to subvert the application.
2. Logic Flaw Prevention: Logic flaw is a category of exploitation techniques that allow the exploit to manipulate the operating system’s normal processes, which are used to support and execute the target application opening the weaponized data file. For example, the exploit may alter the location where dynamic link libraries (DLLs) are loaded from into an application’s execution environment so that the exploit’s malicious DLLs can replace legitimate ones. This prevention method recognizes these exploitation techniques and stops them before they succeed.
3. Malicious Code Execution Prevention: In most cases, the end goal of an exploit is to execute some arbitrary code — the attacker’s commands that are embedded in the exploit data file. This prevention method recognizes the exploitation techniques that allow the attacker’s malicious code to execute and blocks them before they succeed.

Additionally, Traps is now able to quarantine malicious executable files to stop any further propagation, and allows organizations to prevent non-malicious but otherwise undesirable software (e.g., adware) from executing.

In Lieu of Patch Management

As stated earlier, software patch management of endpoints is an ongoing challenge for financial institutions. This is further exacerbated by the sheer volume of ATMs that also need to be patched. Although efforts were launched to upgrade or replace ATMs based on Windows XP, which has been unsupported since April 2014, it would not be surprising to see some of these ATMs still in service today. (As of April 2015, an estimated 75%, or 2.2 million, of the world’s ATMs still ran Windows XP.) To protect those ATMs that have yet to or won’t be upgraded, Traps can be installed as a compensating control to prevent the exploitation of both known and unknown vulnerabilities. Traps would also provide the same benefit to other systems that are behind in or no longer eligible for software patching.

In Lieu of or Addition to Network Segmentation

In many financial institutions, ATMs are not truly segmented from the rest of the corporate network. As mentioned earlier, many financial institutions still have flat and open internal networks. Network segmentation is highly recommended and would certainly help limit the exposure in the event of a compromise. However, yet another layer of defense is advanced endpoint protection for the laptops, desktops and servers. Traps, with its multi-method prevention approach, stops the techniques at the core of these attacks, instead of focusing on the millions of unique malware and exploit samples themselves. Consequently, Traps prevents sophisticated, targeted and never-before-seen attacks from compromising an endpoint. At the end of the day, the endpoints hold the resources (e.g., confidential data, customer PII, and financial transactions) that are most interesting to the cyber attackers. Protecting the endpoints from compromise is a foundation of a sound cybersecurity policy and a cornerstone of the Palo Alto Networks Next-Generation Security Platform.

Secure Your Endpoints

By bridging the communication gap between the endpoint and the network, and by integrating with the WildFire unknown malware analysis environment to increase visibility, Traps prevents new threats from compromising an endpoint. Traps integration with the Palo Alto Networks Next-Generation Security Platform allows organizations to continuously share the growing threat intelligence gained from thousands of enterprise customers, across both their networks and endpoints, to coordinate prevention and response. So whether your financial institution has implemented one or more of the best practices to address ATO attacks, give some further consideration to the ability of Traps to prevent endpoint cyber breaches by blocking both known and unknown threats.

Learn more:

• Traps resources page
• Network segmentation

Lawrence Chin

[Palo Alto Networks Research Center]