Extending AutoFocus Threat Intelligence With New Tag Types

In previous posts we have discussed how AutoFocus accelerates the analysis, hunting, and incident response workflows by providing full context for threat events seen on your network, as well as high-level visibility into how targeted a threat is against you or your industry peers.

This visibility into the threat landscape enables teams to move away from chasing alerts, instead prioritizing response activities for the most critical threats, and proactively implementing new defensive measures. The real power of AutoFocus is its ability to not only consolidate billions of indicators from WildFire customers around the globe, but more importantly to provide a platform for deriving intelligence and context around those indicators through crowd-sourced tags. AutoFocus customers can develop their own private tags for internal company use, or they can choose to share them publicly for the benefit of all AutoFocus users. And of course, all AutoFocus customers benefit from the expertise of Unit 42, our threat intelligence team, which is constantly monitoring the front lines and dark recesses of the web to identify new malware families and attack campaigns, publish research, and develop new tags.

Previously, AutoFocus tags were targeted in two areas:

  • Malware Family tags, based on any combination of behavioral and atomic characteristics of a malware family. These are highly durable, and allow security teams to detect and gain context on new variants and other tweaks the malware authors make to avoid detection.
  • Campaign tags, which provide a way to “bucketize” atomic indicators such as hashes and domains related to a threat campaign or Unit 42 report, providing responders with the additional context to know that an alert is not just bad but related to a known adversary or campaign. These Campaign tags can also be used proactively to implement defenses in advance of an actual attack on your company or industry.

AutoFocus is constantly evolving, and with the release of the 1.0.7 version of AutoFocus today, we have further enhanced our ability to provide context into events and facilitate speedy, educated response. AutoFocus tags can now differentiate between tag classes, such as Malware Family and Campaigns (see Figure 1), which helps responders know immediately whether a tagged event is based on internal intelligence or on Unit 42 research.

In this release of AutoFocus, Unit 42 researchers have also added an additional class of tag, Malicious Behavior, to provide additional insight into the capabilities or intent of a piece of malware. Even if a malware sample is unique enough that an existing Malware Family tag has not been developed, it very likely will match an existing Malicious Behavior tag that provides the responder immediate insight into what a piece of malware is trying to do. Additionally, because the Malicious Behavior tags are behavior-based, they can even apply to benign samples that may exhibit some questionable behavior, thus warranting further research.

Figure 1: Malicious Behavior and Malware Family tags represented in AutoFocus.

To showcase the power and flexibility of the Malicious Behavior tags, we have selected a range of new Malicious Behavior tags to help you visualize the wide range of capabilities this new tag class provides.

Since malware normally has to communicate with an external server for command and control or to download additional malware, it frequently takes steps to lower the security posture of the affected system by modifying the Windows Firewall settings or even disabling it altogether. This tag detects a wide variety of mechanisms malware can use to modify the firewall, including use of the legitimate command-line utilities and changes to the system registry.

A common goal of Android malware is to intercept, read, or delete SMS messages from an infected device. Not only are there privacy and data theft implications, but also this tactic can be used to prevent detection or hide ongoing activity. (Note that this behavior does not include sending SMS messages, which is a different tag.)

There are a wide variety of malware families that attempt to steal digital currency such as Bitcoin, and often this capability is bundled with other common malware families that may normally lack that “feature”. This tag highlights the common approaches taken to access or steal the most prevalent digital currencies.

PowerShell is a powerful command-line shell with an associated scripting language, commonly used for administrative activities and automation. Of course our adversaries also leverage this tool to perform a wide range of nefarious activities. One capability that PowerShell provides is the ability to query the system to identify installed Antivirus software, which obviously is useful information for avoiding detection, taking steps to disable AV, or otherwise gaining insight into the system or environment for reconnaissance purposes.

Malicious software is often injected into legitimate running processes on affected systems to make identification and recovery of the malware more difficult. There are a wide variety of mechanisms for injecting code, and more often than not this is indicative of malicious activity that warrants further investigation.

Browser Helper Objects (BHOs) were designed by Microsoft to provide a way to add third-party extensions to Internet Explorer to enhance functionality, but BHOs have also been leveraged for malicious intent. The addition of a BHO to a system could be a legitimate activity, or it could be more nefarious, such as an adware toolbar or even malware designed to hijack or intercept internet browsing.

One of the primary goals of advanced threat actors is credential theft, and normally this starts with the local system credentials, which are then used to attempt to spread laterally across the network. Legitimate software should rarely, if ever, attempt to access the local SAM database.

Microsoft Windows has security measures to prompt the user before executing files downloaded from the internet, and malware often tries to avoid this prompt, which would alert the user that something malicious was potentially happening and help prevent it. Unfortunately there are system changes that malware can implement to prevent the “Open File – Security Warning” dialog box from appearing.

The Volume Snapshot Service, also known as Shadow Copy, is a backup and recovery technology in Windows that can be used to restore a system to a previously “known good” state after a system crash or faulty software installation. Shadow copies can also be used to restore from malware infections, so malware, especially ransomware, will often attempt to delete these backups to prevent the user from being able to restore his or her system.

Attackers and malware authors often want to get a quick snapshot of a compromised system, or even a more complete local network recon, which is then uploaded to the command and control server. Usually this reconnaissance is performed with a variety of common built-in Windows commands, which, while commonly used by administrators, are rarely executed by benign software.
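As an added illustration of how behavior-based tagging differs from matching on hashes or domains, the following Python is an example written for this post, not AutoFocus's own tag logic: it runs a few behavior rules (firewall modification, shadow copy deletion, host reconnaissance) over constructed sandbox telemetry for two hypothetical samples. The reconnaissance rule requires several distinct commands before it fires, so an admin script that merely runs ipconfig is not tagged.

```python
import re
from collections import Counter

# Constructed sandbox telemetry for two hypothetical samples: (event_type, detail) pairs.
SAMPLE_EVENTS = {
    "sample_a": [
        ("process", "cmd.exe /c netsh advfirewall set allprofiles state off"),
        ("registry", r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                     r"\FirewallPolicy\StandardProfile\EnableFirewall = 0"),
        ("process", "vssadmin.exe delete shadows /all /quiet"),
        ("process", "whoami"),
        ("process", "ipconfig /all"),
        ("process", "net view /domain"),
    ],
    "admin_script": [
        ("process", "systeminfo"),
        ("process", "ipconfig /all"),
    ],
}

# Each rule: (tag, event_type, pattern, minimum number of distinct matching events).
# Reconnaissance needs three distinct commands so a lone ipconfig does not earn the tag.
BEHAVIOR_RULES = [
    ("Firewall Modification", "process",
     re.compile(r"\bnetsh(\.exe)?\s+(advfirewall|firewall)\b", re.I), 1),
    ("Firewall Modification", "registry",
     re.compile(r"\\FirewallPolicy\\.*EnableFirewall\s*=\s*0", re.I), 1),
    ("Shadow Copy Deletion", "process",
     re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I), 1),
    ("Host Reconnaissance", "process",
     re.compile(r"^(?:cmd(\.exe)?\s+/c\s+)?(whoami|systeminfo|ipconfig|net\s+(view|user|group)|tasklist|nltest|arp)\b", re.I), 3),
]

def tag_sample(events):
    """Return the set of Malicious Behavior tags earned by one sample's events."""
    # Distinct (tag, event_type, detail) matches, so a repeated command counts once.
    matched = {(tag, rtype, detail.lower()) for etype, detail in events
               for tag, rtype, pattern, _ in BEHAVIOR_RULES
               if rtype == etype and pattern.search(detail)}
    counts = Counter((tag, rtype) for tag, rtype, _ in matched)
    return {tag for tag, rtype, _, minimum in BEHAVIOR_RULES
            if counts[(tag, rtype)] >= minimum}

def tag_all(samples=SAMPLE_EVENTS):
    """Tag every sample in the telemetry map; sample name -> set of tags."""
    return {name: tag_sample(events) for name, events in samples.items()}
```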

Hopefully this introduction into Malicious Behavior tags gave you some insight into the power of this capability and its ability to provide as much context as possible to responders immediately. The goal of AutoFocus is to empower security teams to protect their organizations from unique and targeted attacks, and the use of real-time, full-context insight into the events happening not only on their network but across the Palo Alto Networks customer base is the first step in that process.

[Palo Alto Networks Research Center]

More Than One-Fourth of Malware Files “Shared”

Last week, Netskope released its global Cloud Report as well as its Europe, Middle East and Africa version highlighting cloud activity from January through March of 2016. Each quarter we report on aggregated, anonymized findings such as top used apps, top activities, top policy violations, and other cloud security findings from across our customers using the Netskope Active Platform, including by industry.

This report picked up where we left off last quarter on our cloud malware research, in which we found that 4.1 percent of enterprises had at least one sanctioned cloud app laced with malware. This quarter that number has risen to 11.0 percent, nearly triple last quarter's figure. This is before counting unsanctioned apps, which we are researching and will incorporate into future reports. When we do, we expect these numbers to increase dramatically. Beyond sharing the volume of detections, this quarter’s report breaks that malware down into the following observed categories, several of which are known to be used to distribute or propagate ransomware:

  1. JavaScript exploits and droppers
  2. MS Office macros
  3. Backdoors
  4. Mobile malware
  5. Spy- and Adware
  6. Mac malware

We also rated discovered malware in terms of its severity based on the extent to which it affects user privacy and computer security and causes damage to files, computers, or networks. 73.5 percent of detected malware this quarter ranks “high” in terms of severity, with 8.3 percent “medium,” and 18.2 percent “low.”

Perhaps the most shocking finding is that 26.2 percent of discovered malware files had been shared, either internally (with one or more people inside the organization), externally (with one or more people outside the organization), or publicly (with a publicly accessible link). Sync and share, two important capabilities that characterize the cloud, are liabilities when it comes to malware because malware can use sync and share to propagate rapidly between users and devices, which is why we dubbed this issue the cloud malware fan-out effect.

What do we recommend to combat the fan-out? Five things:

  1. Back up versions of your critical content in the cloud. Enable your app’s “trash” feature and set the default purge to a week or more. This is one of your best bets for preserving your data should you become infected with data destructing malware such as ransomware.
  2. Use your CASB to scan for and remediate cloud malware in your sanctioned apps. Make sure to check for infected users through sync and share. Integrate your CASB with, and share detections across, your existing security infrastructure such as your sandbox and endpoint detection and response (EDR) so you can stop malware wherever it’s propagating in your environment.
  3. Detect malware incoming via sanctioned and unsanctioned apps.
  4. Detect anomalies in your sanctioned and unsanctioned cloud apps, such as unusual file upload activity or other out-of-the-norm behaviors.
  5. Monitor uploads to sanctioned and unsanctioned cloud apps for sensitive data, which can indicate exfiltration in which malware is communicating with a cloud-based command and control server.

Krishna Narayanaswamy, Chief Scientist, Netskope

[Cloud Security Alliance Blog]

Is That You We Saw at Palo Alto Networks Day Japan?

Thanks to everyone who made our record-breaking Palo Alto Networks Day Japan what it was. Watch below a wrap-up of the event — and see if you can spot yourself!

For more on Palo Alto Networks Day

[Palo Alto Networks Research Center]

Customer Spotlight: Warren Rogers Achieves PCI Compliance in its Cloud-based Data Center

Warren Rogers Associates (Warren Rogers) specializes in statistical analyses and advanced system diagnostics for the retail petroleum industry. As an industry leader in retail fuel monitoring and diagnostics, Warren Rogers manages thousands of data collection devices, installed at service stations across the United States, that gather data and transmit it back to the Warren Rogers data center for analysis and reporting.

Because these data collection devices reside alongside the fuel station business systems that handle credit and debit card data, Warren Rogers must guarantee the protection of cardholder data and ensure PCI DSS compliance by segmenting traffic and preventing malicious network traffic from penetrating the company’s cloud-based corporate data center.

By deploying the Palo Alto Networks Next-Generation Security Platform with VM-Series next-generation virtualized firewalls and GlobalProtect gateways in AWS, Warren Rogers created a PCI-compliant network that automatically isolates cardholder data from other network traffic. With the virtualized Palo Alto Networks platform deployed in multiple Amazon Web Services (AWS) regions, Warren Rogers also achieved disaster resilience to ensure continuous availability of threat prevention and secure gateway services while simplifying day-to-day administration. As Warren Rogers continues to expand its business, the Palo Alto Networks platform also helps the company onboard new customers.

“Every customer is different in the way they implement our On Site Processors (OSP) at their fueling locations,” Matthew McLimans, Computer Engineer at Warren Rogers, says. “The Palo Alto Networks platform provides a uniform approach for implementing security regardless of where the OSP sits on their local network. Palo Alto Networks is also a brand our customers recognize as a leader in the security market, which makes everyone more comfortable.”

Read the full case study.

[Palo Alto Networks Research Center]
