You have less than one month to prepare for the first ever Unit 42 Capture the Flag (CTF) challenge: LabyREnth! Hone your skills and get ready to test yourself against challenges designed by the best threat research teams across Palo Alto Networks.
The CTF will be open to the public starting July 15, 2016, at 4:00 pm PST, and we’ve asked our technical teams to craft challenges that delve into their most used skills across, but not limited to, the following areas:
Reverse Engineering
Malware Analysis
Programming
Threat Intelligence Analysis
Critical Thinking
Winning will require being a master of many disciplines, and you should expect challenges in lots of different mediums and architectures. Trust us when we say the prizes will be worth it! The challenge will start on Friday July 15, 2016, at 4:00 pm PST and will run until August 14,, 2016, at 11:59pm PST.
The LabyREnth challenges were developed by members of Palo Alto Networks’ threat research and security engineering groups, led by Richard Wartell. Richard runs the GSRT Malware & Countermeasures team at Palo Alto Networks, and is also known for having created the first FLARE-On challenge previously.
Follow the countdown at LabyREnth, and check out the overview of the challenge. Information about the rules and prizes are also there, if you are clever enough to find them! We’ll announce updates here on the blog and through Twitter: @unit42_intel, @wartortell, and keep an eye out for our hashtag, #labyrenth.
SaaS‐based applications are typically adopted by users because they’re fast and easy to use, not to mention accessible from anywhere there’s a reliable Internet connection. Many of these applications are built for use on mobile devices, where speed is even more critical to users. The industry has made great strides in securing mobile devices, but the explosive growth of SaaS adoption means organizations are concerned about data that resides outside the traditional network perimeter, especially if those SaaS applications fall into the category of “Shadow IT.”
Last year, as part of a concerted effort to help organizations better secure mobile devices, we expanded our strategic partnership with VMware AirWatch. You’ll recall three important takeaways from that announcement:
VPN & Network Security: Palo Alto Networks GlobalProtect provides a secure connection between AirWatch managed mobile devices and the Palo Alto Networks Next-Generation Firewall at the device or application level utilizing per-app VPN.
Network Protection: AirWatch integration with Palo Alto Networks GlobalProtect HIP (Host Information Profile) provides a direct tie between information about the mobile device, its configuration and what data and applications the device can access.
Prevention of Malware: Palo Alto Networks WildFire identifies known and previously unknown mobile malware. By integrating the intelligence provided by WildFire with AirWatch, our customers can identify infected applications and take immediate and automated action for security and containment.
Now, as a member of the AirWatch Mobile Security Alliance, we are proud to announce that we have further expanded our relationship with VMware to include Aperture, another part of the Palo Alto Networks Next-Generation Security Platform. Aperture delivers complete visibly and granular enforcement across user, folder and file activity within sanctioned SaaS applications to prevent data risk, malware insertion and compliance violations.
With this integration, customers will have Enterprise Mobility Management (EMM) through the VMWare AirWatch platform, network security thanks to GlobalProtect and the next-generation firewall, and SaaS application visibility and control from Aperture, to enforce policy and remediate any risks across mobile and cloud environments. Add to all that threat intelligence through WildFire, and we will be able to detect malware on any device or the propagation of malware through SaaS apps on these devices. These capabilities that combine the power of the VMware platform and our next-generation security platform open the door to many new possibilities in preventive security, and will deliver the most complete mobile-cloud security platform in the industry.
We will post more updates on the details of the integration as we bring together our engineering teams to build the necessary interfaces for exchange of information between the VMware AirWatch platform and Aperture.
Consumer tech adoption has outpaced tech evolution in business for more than ten years. SaaS and cloud solutions, new apps and devices are at the disposal of empowered workers, making it very easy for employees to get what they need to work anywhere or—despite policies forbidding it—take career-making IP as they exit one company for the next. Legacy backup can neither unlock nor disarm these threats.
At the same time, data has become the new currency: cyber-crime syndicates have boomed with new variations on stealing or disabling data, particularly spear phishing and ransomware targeted at employees. As for breach, the headlines say it’s not a matter of if. It’s when. Legacy backup, long rejected by workers, simply cannot address these threats.
Finally, encrypted data moving through the network has made the intelligence it houses opaque—even to its stewards. A CISO recently shared with us that more than 75% of his network traffic is encrypted, making it nearly impossible to identify the threats facing his organization.
While it’s safe to say encryption is a must, it also means the focus of security must shift to the endpoints to mitigate risk and regain control.
Modern endpoint backup sees what you can’t Modern endpoint backup gives IT and InfoSec the ability to see, monitor movement of and recover data housed on every employee device.
It neutralizes the threat of ransomware by making up-to-the-minute data recovery simple and fast. It decreases the cost of litigation by leveraging a complete dataset for legal holds, and it supports rapid response and remediation of breach via data attribution—with or without the device. From a productivity perspective, modern endpoint backup makes everyday challenges like data migration a lighter lift for IT and end users.
In response to modern data security problems, more than 39,000 businesses—including ten of the most recognized brands in the world, the 7 of the top 10 technology brands, and 7 of the 8 Ivy League schools—have adopted Code42 to regain visibility and mitigate risk.
In 2008, Code42 launched its enterprise endpoint backup software—knowing it was time for backup to catch up. Now approaching its sixth-generation platform, Code42 provides visibility of all the data through a single console and the real-time recovery and security tools the enterprise needs to be more resilient, more accountable, and more defensible.
Modern endpoint backup imparts the right to “Be Certain” in the face of modern data protection and security problems. We invite you to find out how.
In previous posts we have discussed how AutoFocus accelerates the analysis, hunting, and incident response workflows by providing full context for threat events seen on your network, as well as high-level visibility into how targeted a threat is against you or your industry peers.
This visibility into the threat landscape enables teams to move away from chasing alerts, instead prioritizing response activities for the most critical threats, and proactively implementing new defensive measures. The real power of AutoFocus is its ability to not only consolidate billions of indicators from WildFire customers around the globe, but more importantly to provide a platform for deriving intelligence and context around those indicators through crowd-sourced tags. AutoFocus customers can develop their own private tags for internal company use, or they can choose to share them publicly for the benefit of all AutoFocus users. And of course, all AutoFocus customers benefit from the expertise of Unit 42, our threat intelligence team, which is constantly monitoring the front lines and dark recesses of the web to identify new malware families and attack campaigns, publish research, and develop new tags.
Previously, AutoFocus tags were targeted in two areas:
Malware Family tags, based on any combination of behavioral and atomic characteristics of a malware family. These are highly durable, and allow security teams to detect and gain context on new variants and other tweaks the malware authors make to avoid detection.
Campaign tags, which provide a way to “bucketize” atomic indicators such as hashes and domains related to a threat campaign or Unit 42 report, providing responders with the additional context to know that an alert is not just bad but related to a known adversary or campaign. These Campaign tags can also be used proactively to implement defenses in advance of an actual attack on your company or industry.
AutoFocus is constantly evolving, and with the release of the 1.0.7 version of AutoFocus today, we have further enhanced our ability to provide context into events and facilitate speedy educated response. AutoFocus tags can now differentiate between tag classes, such as Malware Family and Campaigns (See Figure 1), which helps responders know immediately if an tagged event is based on internal intelligence or from Unit 42 researchers.
In this release of AutoFocus, Unit 42 researchers have also added an additional class of tag, Malicious Behavior, to provide additional insight into the capabilities or intent of a piece of malware. Even if a malware sample is unique enough that an existing Malware Family tag has not been developed, it very likely will match an existing Malicious Behavior tag that provides the responder immediate insight into what a piece of malware is trying to do. Additionally, because the Malicious Behavior tags are behavior-based, they can even apply to benign samples that may exhibit some questionable behavior, thus warranting further research.
Figure 1 Malicious Behavior and Malware Family tags represented in AutoFocus.
To showcase the power and flexibility of the Malicious Behavior tags, we have selected a range of new Malicious Behavior tags to help you visualize the wide range of capabilities this new tag class provides.
Since malware normally has to communicate to an external server for command and control or to download additional malware, it frequently takes steps to lower the security posture of the affected system by modifying the Windows Firewall settings or even disabling it altogether. This tag detects a wide variety of mechanisms malware can utilize to modify the firewall, including the legitimate command line utilities and changes to the system registry.
A common goal of Android malware is to intercept, read, or delete SMS messages from an infected device. Not only are there privacy and data theft implications, but also this tactic can be used to prevent detection or hide ongoing activity. (Note that this behavior does not include sending SMS messages, which is a different tag.)
There are a wide variety of malware families that attempt to steal digital currency such as Bitcoin, and often this capability is bundled with other common malware families that may normally lack that “feature”. This tag highlights the common approaches taken to access or steal the most prevalent digital currencies.
PowerShell is a powerful command-line shell with an associated scripting language, commonly used for administrative activities and automation. Of course our adversaries also leverage this tool to perform a wide range of nefarious activities. One capability that PowerShell provides is the ability to query the system to identify installed Antivirus software, which obviously is useful information for avoiding detection, taking steps to disable AV, or otherwise gaining insight into the system or environment for reconnaissance purposes.
Malicious software is often injected into legitimate running processes on affected systems to make identification and recovery of the malware more difficult. There are a wide variety of mechanisms for injecting code, and more often than not this is indicative of malicious activity that warrants further investigation.
Browser Helper Objects (BHO) were designed by Microsoft to provide a way to add third-party extensions to Internet Explorer to enhance functionality, but BHO have also been leveraged for malicious intent. The addition of a BHO to a system could be a legitimate activity, or it could be more nefarious such as an adware toolbar or even malware designed to hijack or intercept internet browsing.
One of the primary goals of Advanced threat actors is credential theft, and normally this starts with the local system credentials which are then used to attempt to spread laterally across the network. Legitimate software should rarely, if ever, attempt to access the local SAM database.
Microsoft Windows has security measures to prompt the user before executing files downloaded from the internet, and malware often tries to avoid this prompt, which would alert the user that something malicious was potentially happening and help prevent it. Unfortunately there are system changes that malware can implement to prevent the “Open File – Security Warning” dialog box from appearing.
The Volume Snapshot Service, also known as Shadow Copy, is a backup and recovery technology in Windows that can be used to restore a system to a previously “known good” state after a system crash or faulty software installation. Shadow copies can also be used to restore from malware infections, so malware, especially ransomware, will often attempt to delete these backups to prevent the user from being able to restore his or her system.
Attackers and malware authors often want to get a quick snapshot of a compromised system, or even a more complete local network recon, which is then uploaded to the command and control server. Usually this reconnaissance is performed with a variety of common built-in Windows commands, which while commonly used by Administrators are rarely executed by benign software.
Hopefully this introduction into Malicious Behavior tags gave you some insight into the power of this capability and its ability to provide as much context as possible to responders immediately. The goal of AutoFocus is to empower security teams to protect their organizations from unique and targeted attacks, and the use of real-time, full-context insight into the events happening not only on their network but across the Palo Alto Networks customer base is the first step in that process.
Last week, Netskope released its global Cloud Report as well as its Europe, Middle East and Africa version highlighting cloud activity from January through March of 2016. Each quarter we report on aggregated, anonymized findings such as top used apps, top activities, top policy violations, and other cloud security findings from across our customers using the Netskope Active Platform, including by industry.
This report took up where we last off last quarter on our cloud malware research, in which we found that 4.1 percent of enterprises had at least one sanctioned cloud app laced with malware. This quarter that number has risen to 11.0 percent, or nearly triple since last quarter. This is before counting unsanctioned apps, which we are researching and will incorporate into future reports. When we do, we expect these numbers to increase dramatically. Beyond sharing volume of detections, this quarter’s report breaks down those malware into the following observed categories, several of which are known to be used to distribute or propagate ransomware:
JavaScript exploits and droppers
MS Office macros
Backdoors
Mobile malware
Spy- and Adware
Mac malware
We also rated discovered malware in terms of its severity based on the extent to which it affects user privacy and computer security and causes damage to files, computers, or networks. 73.5 percent of detected malware this quarter ranks “high” in terms of severity, with 8.3 percent “medium,” and 18.2 percent “low.”
Perhaps the most shocking finding is that 26.2 percent of discovered malware files had been shared, either internally (with one or more people inside of the organization), externally (with one or more people outside of the organization), or publicly (with a publicly-accessible link). Sync and share, two important capabilities that characterize the cloud, are liabilities when it comes to malware because malware can use sync and share to propagate rapidly between users and devices, and the reason we dubbed this issue the cloud malware fan-out effect.
What do we recommend to combat the fan-out? Five things:
Back up versions of your critical content in the cloud. Enable your app’s “trash” feature and set the default purge to a week or more. This is one of your best bets for preserving your data should you become infected with data destructing malware such as ransomware.
Use your CASB to scan for and remediate cloud malware in your sanctioned apps. Make sure to check for infected users through sync and share. Integrate your CASB with, and share detections across, your existing security infrastructure such as your sandbox and endpoint detection and response (EDR) so you can stop malware wherever it’s propagating in your environment.
Detect malware incoming via sanctioned and unsanctioned apps.
Detect anomalies in your sanctioned and unsanctioned cloud apps, such as unusual file upload activity or other out-of-the-norm behaviors.
Monitor uploads to sanctioned and unsanctioned cloud apps for sensitive data, which can indicate exfiltration in which malware is communicating with a cloud-based command and control server.