Dr. Philip Cao (aka #DrPC), EDBA, MSCS, ZTX-I, CCISO, CISM, CMSC, CCSP, CCSK, CASP, GICSP, PCSPI is a Strategist, Advisor, Educator, Contributor and Motivator. He’s also a Cyber | Zero Trust Strategist & Evangelist and Chief Trust Officer. He has 24 years’ experience in the IT/cybersecurity industry across various sectors and positions.
The Palo Alto Networks AutoFocus threat intelligence service accelerates analysis and response workflows for unique, targeted attacks. The service further makes an immense set of threat intelligence available via the AutoFocus API, which can enrich existing security systems or workflows. Today, security teams can easily build scripts on top of this data using the AutoFocus Python Client Library (af_lenz.py) script, providing an even simpler way to extract and automate actionable information from AutoFocus, which can be used to respond to, or proactively take action against, security threats.
The AutoFocus Lenz script builds on top of the Python client library by providing a set of outputs that enable rapid extraction of relevant information that can be used for operational intelligence, or further research, by performing various analytical tasks for you.
To demonstrate some of the scenarios where this tool may be helpful, we’ve put together a short video showing it in action.
The video covers:
Enumerating potential targets of a malicious email campaign, within an organization, by dynamic behaviors
Pro-actively identifying C2 domains for blocking, pattern improvement, or further research
Converting dynamic analysis information into YARA signatures for in-memory hunting
For its initial release, there are 8 “functions” that pull back data from AutoFocus, based on your query, and display it in various ways to expedite analytical tasks.
hash_scrape – The most straightforward function, it simply provides output for each section of the analysis reports (e.g. Network, DNS, HTTP, File, Registry, Process), which allows for chaining to other utilities through the command line. This can be run for multiple samples to pull back large amounts of behavioral information.
common_artifacts – This function takes an AutoFocus query, iterates across all samples identified, and outputs the dynamic artifacts which exist in each sample across the set. The commonality percentage can be adjusted with the “-c” flag, such that you can find things that exist in 75% of the samples. This is useful while trying to build detective or preventive signatures across your security tool stack by identifying truly unique artifacts across malware families or campaigns.
common_pieces – Similar to the common_artifacts function, but takes it one step further and breaks down the artifact entries into smaller parts. Where common_artifacts might match on “sample.exe, DeleteFile, C:\importantfile”, common_pieces will match on “sample.exe”, “DeleteFile”, and “C:\importantfile”. This is particularly useful when dealing with malware that randomly generates files, or injects into random processes, but it also increases the likelihood of noise since there will be more matches.
uniq_sessions – Displays unique values across some of the more relevant session fields, such as filename, e-mail subject, and the application used for delivery. This can allow a blue team to quickly identify targeted users of e-mail campaigns, files to search for on endpoints, and get the jump on responding to threats.
http_scrape, dns_scrape, and mutex_scrape – These functions will iterate across all of the identified samples, scrape out the unique values for their respective section of behavioral artifacts, and then try to format and print them in a concise way. These can be particularly helpful when trying to identify all of the callbacks seen for a type of malware as they relate to HTTP and DNS traffic, which might be used to proactively put blocks into the tool stack.
meta_scrape – This last function is more of a high-level overview of the items which matched your AutoFocus query, similar to if you were using the AutoFocus UI but from the CLI. Specifically, it provides the SHA256, file type, first seen date, malicious verdict, file size, and accompanying AutoFocus tags.
To further aid in pulling back only the most relevant data, output returned from the functions can be filtered based on how prevalent the artifacts are throughout the AutoFocus corpus of files. For example, if an artifact is seen in 1 million samples, it may not be unique to that sample and can be removed from the output.
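The commonality threshold, the artifact-versus-piece distinction and the prevalence filter described above are easy to misjudge without seeing them run. The following is an added example, not af_lenz.py or the AutoFocus client library: it re-implements those ideas over a constructed in-memory sample set so it runs offline. The sample identifiers, artifact lines, IP addresses, the mutex value and the corpus prevalence counts are all constructed; the commonality argument stands in for the script’s “-c” flag and max_prevalence for its prevalence filter.

```python
"""Lenz-style analytics over a constructed sample set (added example, not
af_lenz.py).  Shows why common_artifacts finds little when process names
vary, why common_pieces finds more (and more noise), and how a corpus
prevalence filter removes the noise."""
from collections import Counter

# Constructed sample set: sample id -> list of (report section, artifact line).
# Artifact lines follow the "process, action, object" shape described above.
SAMPLES = {
    "sample-a": [
        ("file", "sample.exe, DeleteFile, C:\\importantfile"),
        ("registry", "sample.exe, SetValue, HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"),
        ("dns", "updateserver3.com, A, 198.51.100.10"),
        ("mutex", "sample.exe, CreateMutexW, Global\\Infy74"),
    ],
    "sample-b": [
        ("file", "ins8376.exe, DeleteFile, C:\\importantfile"),
        ("registry", "ins8376.exe, SetValue, HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"),
        ("dns", "updateserver3.com, A, 198.51.100.10"),
        ("mutex", "ins8376.exe, CreateMutexW, Global\\Infy74"),
    ],
    "sample-c": [
        ("file", "ins21.exe, DeleteFile, C:\\importantfile"),
        ("registry", "ins21.exe, SetValue, HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"),
        ("dns", "us1s2.strangled.net, A, 203.0.113.7"),
        ("mutex", "ins21.exe, CreateMutexW, Global\\Infy74"),
    ],
    "sample-d": [
        ("file", "ins9.exe, CreateFile, C:\\Windows\\Temp\\drvtem64.tmp"),
        ("dns", "updateserver3.com, A, 198.51.100.10"),
        ("mutex", "ins9.exe, CreateMutexW, Global\\Infy74"),
    ],
}

# Constructed corpus prevalence: how many samples across the whole corpus show
# a given artifact or piece.  Anything not listed is treated as rare.
CORPUS_PREVALENCE = {
    "A": 5_000_000,            # DNS record type: present in nearly everything
    "CreateMutexW": 2_000_000,
    "SetValue": 3_000_000,
    "DeleteFile": 1_500_000,
}


def split_pieces(artifact):
    """Break 'proc, action, object' into its comma-separated pieces."""
    return [p.strip() for p in artifact.split(",") if p.strip()]


def _items_per_sample(samples, pieces):
    """One set of (section, item) per sample, so repeats inside a sample count once."""
    for artifacts in samples.values():
        items = set()
        for section, artifact in artifacts:
            if pieces:
                items.update((section, p) for p in split_pieces(artifact))
            else:
                items.add((section, artifact))
        yield items


def _common(samples, commonality, pieces):
    """Items present in at least `commonality` (0..1) of the samples."""
    counts = Counter()
    for items in _items_per_sample(samples, pieces):
        counts.update(items)
    needed = commonality * len(samples)
    return {item for item, n in counts.items() if n >= needed}


def common_artifacts(samples, commonality=1.0):
    """Whole artifact lines shared across the sample set."""
    return _common(samples, commonality, pieces=False)


def common_pieces(samples, commonality=1.0):
    """Individual pieces shared across the sample set (more hits, more noise)."""
    return _common(samples, commonality, pieces=True)


def filter_prevalent(items, prevalence, max_prevalence):
    """Drop items seen in more than max_prevalence corpus samples."""
    return {item for item in items if prevalence.get(item[1], 0) <= max_prevalence}


def scrape_section(samples, section):
    """dns_scrape/mutex_scrape analogue: unique raw artifacts for one section."""
    return sorted({a for arts in samples.values() for s, a in arts if s == section})


if __name__ == "__main__":
    print("100% artifacts:", common_artifacts(SAMPLES))
    print("75% artifacts:", common_artifacts(SAMPLES, 0.75))
    print("100% pieces, filtered:",
          filter_prevalent(common_pieces(SAMPLES), CORPUS_PREVALENCE, 1_000_000))
```

With process names varying per sample, common_artifacts at 100% returns nothing and at 75% returns only the shared DNS line, while common_pieces at 100% picks up the shared mutex name but also the DNS record type “A” and the CreateMutexW API name; the prevalence filter is what leaves just the mutex name as a signature candidate.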
For more details and usage examples, please check out the Lenz repo on our Palo Alto Networks GitHub.
Hopefully this will prove to be a useful tool for users of AutoFocus in ascertaining information quickly for verdict determinations, operational intelligence, defending their networks and preventing threats.
Attack campaigns that have very limited scope often remain hidden for years. If only a few malware samples are deployed, it’s less likely that security industry researchers will identify and connect them together.
In May 2015, Palo Alto Networks WildFire detected two e-mails carrying malicious documents from a genuine and compromised Israeli Gmail account, sent to an Israeli industrial organization. One e-mail carried a Microsoft PowerPoint file named “thanks.pps” (VirusTotal), the other a Microsoft Word document named “request.docx”.
Around the same time, WildFire also captured an e-mail containing a Word document (“hello.docx”) with an identical hash as the earlier Word document, this time sent to a U.S. Government recipient.
Based on various attributes of these files and the functionality of the malware they install, we have identified and collected over 40 variants of a previously unpublished malware family we call Infy, which has been involved in attacks stretching back to 2007. Attacks using this tool were still active as of April 2016.
Attack Technique
The attacks we have identified carrying Infy begin with a spear-phishing e-mail carrying a Word or PowerPoint document. The attached document file contains a multi-layer Self-Extracting Executable Archive (SFX), and content attempting to social engineer the recipient into activating the executable. In this example, the PPS file, when clicked, opens in “PowerPoint Show” mode. The user sees a PowerPoint page (Figure 1) that mimics a paused movie, and is tricked into clicking “Run” (Figure 2), which allows the embedded SFX file to execute.
Figure 1 PowerPoint page mimics a paused video
Figure 2 User tricked into running embedded SFX EXE
One of the SFX layers is encrypted with the key “1qaz2wsx3edc”. The package (Figure 3) typically includes a fake readme.txt file as camouflage (for example, impersonating an Aptana Studio application), and in some campaigns, image or video files (Figure 4). The executable typically has a filename pattern ins[*].exe where * are random digits of up to 4 characters. The main payload is a DLL file with a typical filename pattern mpro[*].dll where * are random digits of up to 3 characters (early versions used a .cpl extension).
Figure 3 Embedded SFX contents
Figure 4 Some campaigns include image or video files as camouflage
The executable installs the DLL, writes to the autorun registry key, and doesn’t activate until a reboot. After reboot, it first checks for antivirus and then connects to the C2. It starts collecting environment data, initiates a keylogger, and steals browser passwords and content such as cookies, before exfiltrating the stolen data to the C2 server.
The initially-observed “thanks.pps” example tricks the user into running the embedded file named ins8376.exe which loads a payload DLL named mpro324.dll.
Infrastructure
In our initial samples, we observed C2 servers updateserver3[.]com and us1s2[.]strangled[.]net.
Other campaigns use a combination of Dynamic DNS providers, third-party site hosting services, and apparently first-party-registered domains as C2 servers.
Analysis of hosting and WHOIS data (Figure 5) led to a total of 12 related first-party-registered domains used for C2 servers:
bestbox3[.]com
myblog2000[.]com
safehostonline[.]com
updateserver3[.]com
short-name[.]com
bestupdateserver2[.]com
bestwebstat[.]com
updatebox4[.]com
bestupdateserver[.]com
short-url20[.]com
updateserver1[.]com
box4054[.]net
Ages of these domains suggest that some may have been used for malicious activity back as far as early 2010.
Figure 5 Infrastructure and Actor information related to Infy Attacks
We initially found a file with an identical hash as the originally-observed PowerPoint file, but a different filename (“syria.pps”), uploaded to VirusTotal (Figure 6) also in May of 2015. A characteristic observed across these campaigns is that the actor puts deliberate effort into the specific geographic targeting, with region-specific attack content.
Figure 6 PowerPoint file uploaded to VirusTotal with a different file name
We were subsequently able to pivot and associate additional malware and campaigns based on infrastructure, hashes, strings, and payload links and similarities. The most conclusive evidence that all of these are linked is found in a single key, used to encode strings within the malware across all examples. Only the offset varies: older versions encode just the C2 data, newer versions encode most strings, and some double-encode the C2 data with two different offsets. The following script can be used to decode these strings:
Based on this specific encoding technique and key, we have identified related Infy samples from as early as mid-2007 (Figure 7), although more frequent related activity is observed after 2011. Historic registration of the C2 domain associated with the oldest sample that we found, fastupdate[.]net, suggests that it may have been associated with malicious activity as far back as December 2004.
Over the years, we have noticed continued development and feature improvement in the code. For instance, support for the new Microsoft Edge browser was recently introduced in “version 30”.
Figure 7 Oldest related example found dates to 2007
Most of the associated malware samples dating back over the last five years were eventually detected by antivirus programs, but in most cases with a generic signature. Other examples are named with multiple unrelated signature classifications, including Win32/Tuax.A (very old versions), W32/ADOKOOB, Win32/Cloptern.A & B (old versions), TR/Graftor.106254, TR/Spy.Arpnatis.A, and Win32/Skeeyah.A!bit.
We refer to the malware as “Infy” because the actor used this string in multiple locations, including filenames (“infy74f1.exe” – Infy version 7.4 F1), C2 strings (“subject=INFY M 7.8”), and C2 folder names.
Attribution
The Gmail account sending the emails in the attack that we first observed (Figure 8) belongs to an Israeli victim. That account was itself the victim of an e-mail-borne attack that compromised the user’s system and e-mail account.
Figure 8 First-observed attack, via email
Among WHOIS records for first-party domains used in the C2 infrastructure, we find three email accounts bearing a strong similarity in naming pattern:
The WHOIS records with the first two email addresses (and other C2 domains) have apparently fake WHOIS content. The “aminjalali_58 (at) yahoo.com” email address is associated with 6 known C2 domains, dating back to 2010. Unlike the fake WHOIS examples, this example has content more consistent with the email address:
amin jalali safehostonline afriqa street number 68 tehran Tehran 19699 IR +98.935354252 aminjalali_58 (at) yahoo.com
The name “Amin Jalali” is not unique, though it does appear to have Iranian-specific origins. We find profiles and artifacts combining the name and “58”, which may (or may not) be the same individual, and all of which have Iranian links.
When we look at domains on neighboring IP addresses from known first-party C2s, we observe numerous Iranian domains, suggesting possibly an Iranian hosting reseller – and in at least one case, a free Iranian web host (Figure 9).
Figure 9 Neighbor IP addresses with Iranian domains
Conclusion
Following extensive analysis of this malware and its C2 infrastructure, we have enough evidence to conclude that these samples share a pattern of behavior. The activity has been observed over almost 10 years, with the malware being constantly improved and developed. The low volume of activity, deliberate campaign focus and content tailoring, and nature of the targets hint at the goals of this actor.
We believe that we have uncovered a decade-long operation that has successfully stayed under the radar for most of its existence as targeted espionage originating from Iran. It is aimed at governments and businesses of multiple nations as well as its own citizens.
Palo Alto Networks customers are protected from this threat in the following ways:
WildFire accurately identifies all malware samples related to this operation as malicious.
Domains used by this operation have been flagged as malicious in Threat Prevention.
AutoFocus users can view malware related to this attack using the “Infy” tag.
IOCs can be found in the appendices of this report.
Special thanks to Michael Scott for assistance with Maltego in this investigation.
Appendix 1 – Detailed Infy Malware Analysis
Although Infy is fundamentally one malware family, we observe two distinct variants. The regular variant “Infy” is versioned by the malware author 1-30 (1999-15999 sub-versions). In addition, we observe a distinct variant “Infy M” developed in parallel with the regular variant since about 2013. Infy M appears to be a full-featured variant, deployed against high-value targets. It includes more functionality: while the original variant has no remote control, “M” adds the ability for the C2 to issue commands to the malware via C2 PHP scripts; HTTP support; a hidden GUI control panel; and an FTP client.
Infy
Detailed analysis of a recent Infy sample (version 30, active from 24 February 2016):
The initial executable first checks for installed antivirus programs. It calls the Windows API function GetFileAttributesA on a list of several common AV installation directories, testing any positive return for FILE_ATTRIBUTE_DIRECTORY. Depending on which AV Infy finds, it will either abort, or install the malicious Infy DLL using a different technique. This concern with avoiding client-AV detection, skipping installation rather than risking an alert, is somewhat noteworthy (as opposed to the relatively common sandbox-detection techniques). The EXE installs the DLL, writes to the autorun key, and does nothing else until restart.
Upon restart, the EXE loader calls the main function exported by the malware DLL (previously we observed exported functions named “start1/start2/start3”) with the parameter /rcv (this version uses a decryption offset of 19). It installs itself in a “cyberlink” directory.
It will then search for files with “bak”, “csv”, or “cnt” extensions. If the parameter “/rcv” was used, it starts a keylogger (the keylogger uses the window name “TRON2VDLLB” and a GetMessageA/TranslateMessage/DispatchMessageA message loop). It next registers hotkeys and reads clipboard data. Get_browser_data steals passwords, form data, cookies, and history (from Microsoft Edge, Internet Explorer, Google Chrome, Opera, and Firefox).
The malware connects to the C2 every five minutes using HTTP, posting:
<computer name>
<user name>
dn = n1
ver = 30
lfolder= f
cpuid=
machineguid (from hklm\SOFTWARE\Microsoft\Cryptography\machineguid)
tt= time
After posting data about the infected system to the C2 server, the malware downloads an update file named “v30nXf1.tmp” to %temp%\drvtem64.tmp. If the download is successful, the malware writes “OK, Downloaded [url file]” to a log file. It then connects again, with a similar posting format, but this time also adding “tt=” (time) and “cpuid=”. It installs the downloaded file with the parameter “-sp/ins -pBA5a88E”. A third connection adds “sfolder” and “subject”, and this time exfiltrates data in the “body=” parameter.
Each variant of Infy uses specific “cover” camouflage in its file metadata to make it appear to be legitimate software. In this case, the file used the software name “Cyberlink,” the description “CLMediaLibrary Dynamic Link Library”, and version 4.19.9.98.
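The beacon format above (a fixed set of parameter names posted every five minutes) is something a blue team can look for in proxy or web-server logs. The following is an added example and not Palo Alto Networks code: it scores POST bodies by the parameter names the report lists and then checks whether the matching requests from one host to one destination recur at the stated five-minute interval. The log records, timestamps, hosts and machine GUID are constructed; treating the beacon body as URL-encoded key=value pairs, the four-key threshold and the 30-second jitter allowance are assumptions of this example.

```python
"""Infy-style beacon detection over constructed web-log records (added
example).  Two signals are combined: the characteristic parameter names in
the POST body, and the roughly fixed five-minute cadence."""
from collections import defaultdict
from urllib.parse import parse_qsl

# Parameter names the report attributes to Infy's C2 POSTs (first, second
# and third connections combined).
INFY_KEYS = {"dn", "ver", "lfolder", "cpuid", "machineguid", "tt",
             "sfolder", "subject", "body"}
MIN_MATCHING_KEYS = 4       # assumption: how many keys before a body is suspicious
BEACON_PERIOD_S = 300       # report: the malware connects every five minutes
BEACON_TOLERANCE_S = 30     # assumption: jitter allowed around the period


def parse_post_body(body):
    """URL-encoded body -> dict.  Blank values such as 'cpuid=' are kept."""
    return dict(parse_qsl(body, keep_blank_values=True))


def infy_keys_present(body):
    """Which of the characteristic parameter names appear in this body."""
    return INFY_KEYS & set(parse_post_body(body))


def looks_like_infy(body):
    """Body-level check: enough characteristic keys and an integer 'ver'."""
    fields = parse_post_body(body)
    matched = INFY_KEYS & set(fields)
    return len(matched) >= MIN_MATCHING_KEYS and fields.get("ver", "").isdigit()


def is_periodic(timestamps, period=BEACON_PERIOD_S, tolerance=BEACON_TOLERANCE_S):
    """True when three or more events are spaced at roughly `period` seconds."""
    ts = sorted(timestamps)
    if len(ts) < 3:
        return False
    return all(abs((b - a) - period) <= tolerance for a, b in zip(ts, ts[1:]))


def find_infy_beacons(records):
    """Group matching POSTs by (src, dst) and keep pairs with periodic timing."""
    groups = defaultdict(list)
    for r in records:
        if looks_like_infy(r["body"]):
            groups[(r["src"], r["dst"])].append(r["ts"])
    return sorted(pair for pair, ts in groups.items() if is_periodic(ts))


# Constructed log records (epoch seconds); not real captures.
_BEACON = ("dn=n1&ver=30&lfolder=f&cpuid="
           "&machineguid=4c4c4544-0000-1111-2222-333333333333&tt={ts}")
SAMPLE_RECORDS = [
    {"ts": 1456300000, "src": "10.0.0.5", "dst": "updateserver3.com",
     "body": _BEACON.format(ts=1456300000)},
    {"ts": 1456300300, "src": "10.0.0.5", "dst": "updateserver3.com",
     "body": _BEACON.format(ts=1456300300)},
    {"ts": 1456300603, "src": "10.0.0.5", "dst": "updateserver3.com",
     "body": _BEACON.format(ts=1456300603)},
    # Benign POST that happens to carry a 'ver' parameter: too few keys match.
    {"ts": 1456300100, "src": "10.0.0.7", "dst": "intranet.example",
     "body": "q=weather&page=2&ver=2"},
    # Body matches, but a single request has no cadence to confirm it.
    {"ts": 1456300400, "src": "10.0.0.9", "dst": "us1s2.strangled.net",
     "body": "dn=n1&ver=30&lfolder=f&cpuid=&tt=1456300400"},
]

if __name__ == "__main__":
    for src, dst in find_infy_beacons(SAMPLE_RECORDS):
        print(f"periodic Infy-like beacon: {src} -> {dst}")
```

The single matching request to the second host is deliberately left unflagged: a lone body match is a lead to investigate, while the body match plus the cadence is what justifies an alert.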
Infy M
We observed the Infy M variant with versions 6.1 through 7.8, adding features including screen capture, document capture & upload, and microphone capture. Infy M supports the following C2 commands:
ASIDLE – idle
ASDIR – directory list of files
ASPUT – download file
ASGET – upload file
ASZIPGET – upload as zip
ASDELETE – delete file
ASRENAME – rename file
ASRUN – execute file
ASENDTASK – terminate process
ASZIP – zip file
ASSHELL – remote shell
The “M” variant uses mostly distinct C2 servers from the regular Infy samples (although very recently, we also observed version 7.8 using C2 “youripinfo.com”, previously seen as C2 for the regular variant):
Versions 6.x of the Infy M variant camouflage themselves with file and window names set to Borland hcrtf. They use a single EXE, rather than a loader EXE and payload DLL as seen in the original variant. The malware initially performs a check to see if the victim is already infected by checking for window names “Borland hcrtf 6.x” or “Macromedia Swsoc 7.x”.
We have identified five hidden GUI control forms in Infy M, one of which is not used. The first form includes three possible parameters. Parameter “/ins” installs the Trojan. It first creates and starts the service and on Windows versions prior to Vista it requires the “/s” parameter. After installing itself, the malware deletes any previous Infy installations. It does this by terminating processes and deleting Infy files in %system32%, %appdata%, %appdata%\hcrtf (for example, pre-6.1 files incsy32.exe, incs32.exe, ntvdn.exe, grep.exe, hcrtf.exe, grep.dll). It then renames the ini file from grepc.ini to hcrtfc.ini. It completes clean-up by deleting the “inverse Ser32”, “grep”, and “hcrtf” services. Finally, it downloads and executes the update file from the C2 at /infy/update.php.
The /c (copy) parameter sets up autostart for the malware by writing to registry key “run” (Windows Vista and above) or “runservices” (versions prior to Windows Vista). The /s (service) parameter creates and starts the service (Windows Vista and later). At this point, the malware waits, and handles any commands issued over HTTP from the C2 (for example, execute a remote shell upon receiving command “ASSHELL”).
The second form monitors for new or modified document files using “CreateIoCompletionPort” and “ReadDirectoryChangesW”. It targets document file types .doc, .xls, .jpg, .jpe, .txt, .htm, .pgp, .pdf, .zip, and .rar and ZIP compresses them (using the password “Z8(2000_2001uI”) into a file located at \Program Files\Yahoo!\Messenger\Profiles\yfsbg\yfsbg\3dksf.tmp.
The third form takes a screen capture and stores it in the “yfsbg” folder as 4dksf.tmp. It then uploads the screenshot and document-capture files using POST (instead of the GET seen in the regular variants) to <C2 server>/infy/fms.php.
The fourth form is not used. The fifth form is used for microphone capture.
The 7.x versions install themselves as swsoc.exe (7.4 also seen using infy74f1.exe) at <documents and settings>\all users\application data\macromedia\8080\swsoc.exe. They also create a subfolder “fsbg”, where they store the copies of documents opened by the user. These are stored with their CRC value as their filename, RAR compressed with the same password “Z8(2000_2001uI”.
We observed a server reply containing a PHP error, giving us some of their underlying file structure:
<b>Warning</b>: Cannot modify header information – headers already sent by (output started at /home/bestupda/public_html/infy/fms.php:115) in <b>/home/bestupda/public_html/infy/fms.php</b> on line <b>116</b><br />
Upgrade requests are observed with this syntax (here, version 6.2 to the latest version):
Program to Feature Insights and Perspectives into the Federal Government Cloud Strategy and Use of Cloud Services along with Best Practices to Ensure Cloud Security in Regulatory Environments
Washington, DC – April 28, 2016 – The Cloud Security Alliance (CSA) today announced a world-class line up of speakers and presentations for its second annual Cloud Security Alliance Federal Summit, a one day free-for-government event taking place at the Ronald Reagan Building and International Trade Center. The event, scheduled to take place on May 12, is expected to draw 250 information security professionals from civilian and defense agencies to exchange experiences, lessons learned and best practices for securely implementing cloud computing to support agency missions.
“Agencies today are being tasked with new requirements and mandates when it comes to deploying cloud services. It is now more important than ever to provide an educational platform where these information security professionals can understand and prepare for the future direction of cloud security requirements in order to effectively leverage cloud-based services,” said Jim Reavis, co-founder and CEO of the Cloud Security Alliance. “This year’s event was carefully built on the success of last year’s event where, for the first time, attendees gained unique expert access and insight that they could readily apply within their own environment. We look forward to doing that once again this year, with even greater content and use cases.”
The program will feature presentations from some of the most prominent names and organizations in the federal space including an opening keynote presentation by:
Tony Scott, U.S. Chief Information Officer, Office of Management and Budget, Executive Office of the President (pending agency approval).
Additional speakers and panelists include:
Emery Csulak, Chief Information Security Officer, Centers for Medicare & Medicaid Services, U.S. Department of Health and Human Services
Joe Paiva, Chief Information Officer, International Trade Administration
Jim Tunnessen, Chief Technology Officer, Food Safety and Inspection Service, U.S. Department of Agriculture
Noah Kunin, Director of Delivery Architecture and Infrastructure Services, 18F, U.S. General Services Administration
Matt Goodrich, FedRAMP Director, U.S. General Services Administration
John Hale, Chief, Enterprise Applications, Defense Information Systems Agency
In addition to the one-day event, the CSA will be holding a CCSK (Certificate of Cloud Security Knowledge) Foundation Training at the Carr Workplaces at The Willard in Washington, D.C. Taking place on May 11 from 9:00 a.m. to 5:00 p.m., the CCSK Foundation course is based on V3.0 of the CCSK exam and the CSA Security Guidance for Critical Areas of Cloud Computing V3.0. The Cloud Computing Security Knowledge-Foundation class provides attendees with a comprehensive one day review of cloud security fundamentals and prepares them to take the Cloud Security Alliance CCSK v3.0 certificate exam. This is a fee-based workshop. For more information on this CCSK Foundation Training event, please visit: www.fedsummits.com/csa/ccsk.
WHAT
Cloud Security Alliance Federal Summit 2016
WHEN
Wednesday, May 11, 2016
7:30 am – 8:00 am: Doors Open, Breakfast and Opening of Cloud Security Exhibition Hall
8:00 am – 4:30 pm: Conference Program
4:00 pm – 6:00 pm: Cocktail Reception
WHERE
Ronald Reagan Building and International Trade Center
1300 Pennsylvania Ave. NW
Washington, DC
Room: Atrium Hall
Members of the media and analyst community interested in attending the event should contact kari@zagcommunications.com for more information, to receive press credentials and to schedule interviews with CSA leadership and conference speakers.
About Cloud Security Alliance
The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. For further information, visit us at www.cloudsecurityalliance.org, and follow us on Twitter @cloudsa.
In mid-April 2016, a campaign using Nuclear Exploit Kit (EK) to distribute Locky ransomware switched to using the Angler EK to install CryptXXX ransomware. This campaign uses gates registered through FreeDNS at afraid.org. We are calling this the Afraidgate campaign. Although we continue to see Locky distributed through malicious spam, we have not noticed Locky from EK traffic since mid-April.
An Evolving Campaign
In March 2016, we observed Nuclear EK from the Afraidgate campaign spreading Locky ransomware. A consistent gate pattern in the infection chain pointed to the same campaign using Neutrino EK the previous month. Now this campaign points to Angler EK. Also with the change in EKs, the malware has switched from Locky to CryptXXX. Both of these malware families employ the ransomware business model, in which they encrypt a user’s files and demand a ransom in return for the decryption keys. The following chart illustrates the changes in this particular campaign:
Figure 1: Changes in EK and payload from the Afraidgate campaign.
The Angler/Bedep/CryptXXX Combo
In mid-April 2016, the pseudo-Darkleech campaign started delivering CryptXXX through Bedep from Angler EK. The same Angler EK/Bedep/CryptXXX combination has spread to the Afraidgate campaign, replacing Nuclear EK traffic used to deliver Locky.
Angler EK is a bit more advanced than Nuclear EK. Angler uses new exploits, usually before these exploits have made their way into Nuclear EK. When sending Bedep, Angler uses a “fileless” infection technique originally implemented in 2014. Bedep is installed without creating any files because it is loaded directly into memory by the exploit shellcode.
Bedep is a file downloader that infects the host with other malware. In addition to CryptXXX, Bedep also installs click-fraud malware. Recent updates to Bedep make it harder to use virtual machines (VMs) to investigate this malware. Bedep acts differently if it detects a VM. It will not download CryptXXX, and post-infection click-fraud traffic is different than seen from a normal physical host.
Figure 2: VM infection shows different post-infection traffic than the other examples here.
Three examples of Angler/Bedep/CryptXXX infection traffic from the Afraidgate campaign are shown below.
Figure 3: Gate on 185.118.164.42 leads to Angler EK/Bedep/CryptXXX on Friday 2016-04-22.
Figure 4: Similar gate on 185.118.164.42 leads to more Angler EK traffic on Monday 2016-04-25.
Figure 5: Similar gate on 185.118.164.42 leads to more Angler EK on Tuesday 2016-04-26.
Conclusion
CryptXXX is now the default ransomware deployed in at least two major EK campaigns and should be considered a growing cybersecurity threat.
Domains, IP addresses, and other indicators associated with Angler EK, Bedep, and CryptXXX are constantly changing. We continue to investigate this activity for applicable indicators to inform the community and further enhance our threat prevention platform.
WildFire continues to detect submitted .dll samples of CryptXXX ransomware, and AutoFocus identifies this threat under the Unit 42 CryptXXX tag.
Indicators of Compromise
As of Tuesday 2016-04-26, we have seen the following indicators of compromise associated with this campaign:
Gates used in this campaign:
185.118.164.42 port 80 – host.vivialvarez.com[.]ar – GET /widget.js
185.118.164.42 port 80 – kw.projetoraizes.com[.]br – GET /js/script.js
185.118.164.42 port 80 – net.jacquieleebrasil.com[.]br – GET /js/script.js
Angler EK:
85.25.160.124 port 80 – bintiye.helpthevets[.]org
85.25.160.124 port 80 – mcimaildmz.dinnerplate.co[.]uk
192.169.189.167 port 80 – candidulumbestuurlijk.newlandsierrarealestate[.]com
192.169.190.97 port 80 – frageboegen-plletyksin.breastcanceroutreach[.]com
192.169.190.97 port 80 – reikleivn-azarashi.orlandohomesbydevito[.]com
209.126.120.8 port 80 – litigators.esteroscreen[.]com
Bedep post-infection traffic:
104.193.252.241 port 80 – qrwzoxcjatynejejsz[.]com
95.211.205.228 port 80 – yfczmludodohkdqnij[.]com (using a VM)
Click-fraud traffic:
5.199.141.203 port 80 – ranetardinghap[.]com
93.190.141.27 port 80 – cetinhechinhis[.]com
95.211.205.218 port 80 – tedgeroatref[.]com
104.193.252.236 port 80 – rerobloketbo[.]com
162.244.34.11 port 80 – tonthishessici[.]com
207.182.148.92 port 80 – allofuslikesforums[.]com
85.25.79.211 port 80 – oqpwldjc.mjobrkn3[.]eu (using a VM)
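Indicator lists like the one above (and the defanged Infy C2 domain list earlier on this page) are usually pasted into blocklists by hand, which is where typos and un-defanging mistakes creep in. The following is an added example, not Unit 42 tooling: a small parser for the “IP port N – host – METHOD /path (note)” line format used in this section, plus bare defanged domains as in the Infy list, with refang/defang helpers and a per-category host view for feeding a DNS or proxy blocklist. The sample block embeds a few lines quoted from this page’s lists; the category headings are taken from the page, and the line grammar (en dash or hyphen separators, optional method/path, optional parenthesised note) is an assumption of this example.

```python
"""Parser for defanged IOC listings of the form used above (added example).
Produces structured records, refangs hosts for tooling, and can defang them
again for sharing."""
import re
from collections import defaultdict

# "IP port N – host [– METHOD /path] [(note)]"; separators may be en dash or hyphen.
_IOC_LINE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+port\s+(?P<port>\d+)\s+[–-]\s+(?P<host>\S+)"
    r"(?:\s+[–-]\s+(?P<method>[A-Z]+)\s+(?P<path>\S+))?"
    r"(?:\s+\((?P<note>[^)]*)\))?\s*$"
)
_BARE_DOMAIN = re.compile(r"[\w.\-\[\]]+")


def refang(value):
    """Turn defanged notation back into a real indicator for loading into tooling."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def defang(host):
    """Bracket the last dot of a hostname, the convention used in this report."""
    head, sep, tld = host.rpartition(".")
    return f"{head}[.]{tld}" if sep else host


def parse_ioc_block(text):
    """Parse a block of category headings (lines ending in ':') and IOC lines."""
    records, category = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            category = line[:-1].strip()
            continue
        m = _IOC_LINE.match(line)
        if m:
            d = m.groupdict()
            records.append({"category": category, "ip": d["ip"], "port": int(d["port"]),
                            "host": refang(d["host"]), "method": d["method"],
                            "path": d["path"], "note": d["note"]})
        elif _BARE_DOMAIN.fullmatch(line):
            records.append({"category": category, "ip": None, "port": None,
                            "host": refang(line), "method": None, "path": None, "note": None})
        else:
            # Fail loudly: a silently skipped line is a hole in the blocklist.
            raise ValueError(f"unrecognised IOC line: {line!r}")
    return records


def hosts_by_category(records):
    """Sorted unique hosts per category, ready for a blocklist review."""
    out = defaultdict(set)
    for r in records:
        out[r["category"]].add(r["host"])
    return {cat: sorted(hosts) for cat, hosts in out.items()}


# Constructed input block quoting a few lines from this page's indicator lists.
SAMPLE_IOC_TEXT = """
Gates used in this campaign:
185.118.164.42 port 80 – host.vivialvarez.com[.]ar – GET /widget.js
185.118.164.42 port 80 – kw.projetoraizes.com[.]br – GET /js/script.js
Angler EK:
85.25.160.124 port 80 – bintiye.helpthevets[.]org
Bedep post-infection traffic:
95.211.205.228 port 80 – yfczmludodohkdqnij[.]com (using a VM)
Infy C2 domains:
updateserver3[.]com
box4054[.]net
"""

if __name__ == "__main__":
    for category, hosts in hosts_by_category(parse_ioc_block(SAMPLE_IOC_TEXT)).items():
        print(category, "->", ", ".join(defang(h) for h in hosts))
```

The parser raises on any line it cannot classify rather than skipping it, since a dropped indicator is exactly the failure mode a blocklist import should not hide.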
We’re pleased that Forrester Research has identified Palo Alto Networks as a leader in The Forrester Wave™: Automated Malware Analysis, Q2 2016. As part of the report, Forrester evaluated WildFire based on criteria in the categories of current offering, market presence, and strategy.
Automated malware analysis is a necessity in the security stack, providing visibility into targeted attack vectors and creating tailored threat intelligence to generate what Forrester calls “highest fidelity” alerts.
Palo Alto Networks takes automated malware analysis several steps further by broadening the scope of threat intelligence and extending its preventive capabilities. As part of our Next-Generation Security Platform, WildFire identifies — and helps prevent — malware attempting to traverse the network, infect endpoints, and make its way to cloud environments.