Which predefined malware signature action notifies the user that malware has been detected?
We put our five years of experience in designing, implementing, supporting and managing Palo Alto Networks solutions together and wrote this guide to share our best practices to secure an enterprise network using Palo Alto Networks Next-Generation FireWalls.
The single most important message which we would like to bring across is that there is no magic box that does everything on its own, and any threat prevention technique like AV, IPS or URL Filtering can be evaded and as such doesn’t provide 100% security on its own. The solution is what I like to call the magic sauce, which is to put the right combination of threat prevention techniques together to make it close to impossible for an attacker to evade all of them. This is what this blog post is all about: to provide an overview of the approaches used by hackers to infiltrate a network and to explain the threat prevention techniques and best practices to mitigate attacks. If you are interested in learning more, then you should also consider our official Palo Alto Networks training like the new PAN-EDU-231 Advanced Threat Management course, where we teach you the insights and best practices on cyber threats and how to protect your enterprise network effectively in real life.

1. Summary

The main objective of this document is to provide enterprises with a framework under which they can implement and maintain security best practices to defend their network and valuable IT infrastructure. Information security requires a holistic approach that involves many areas of information technology. In this document, we are focusing on network security and the different threat prevention techniques used to defend against Advanced Persistent Threats “APTs”. The Cyber Kill Chain, a term first used by Lockheed Martin, describes a sophisticated, stealthy and continuous computer hacking process which attackers use nowadays to target their victims. The challenge for any hacker is to successfully go through every single stage in this chain to accomplish the end goal of either attacking the IT infrastructure directly or using the infrastructure as a resource for other criminal activity.
The challenge for the company is to defend each link and stop the attack at the earliest possible stage along the kill chain, thereby successfully defending itself against the entire Advanced Persistent Threat. In reality, however, 100% security is not possible: every threat prevention technique can be evaded, and cyber criminals have been very successful at doing so. For instance, a recent whitepaper from the SANS Institute, “Beating the IPS”, shows that every Intrusion Prevention System “IPS” from every vendor can be evaded. A good analogy is the human immune system. A healthy lifestyle will keep us fit, but there is, for example, no total protection from viral infection. However, being sick isn’t the end of the world as long as the body is able to effectively defend itself and mitigate the impact of the infection, sometimes with the help of medical intervention. There is, however, a big difference between us humans and an IT system. We know when we feel sick and we instinctively know when to go to the doctor. Getting this level of intelligence into an IT infrastructure is difficult and expensive. Enterprises should therefore adopt the approach of visibility, control and threat prevention. The Palo Alto Networks Next-Generation FireWall can provide the visibility necessary to allow a company to determine exactly what needs to be protected. Controlling the use of applications will not only ensure appropriate usage of the network but also reduce the attack surface, which establishes the foundation for a secure network. The final step is to implement different threat prevention techniques at every step of the cyber kill chain, as it is the combination of different threat prevention techniques which reduces the attacker’s ability to evade all of them and in turn provides the enterprise with the best possible security defence. This document focuses on the two main targets of the IT infrastructure: the data centre and end-user devices.
In order to secure these targets, enterprises need to understand where the risk exists and how they might be attacked. Therefore we will first outline the common techniques used by attackers along the cyber kill chain to infiltrate these targets and then describe the recommended threat prevention techniques which should be implemented and maintained to defend them. If you are interested in learning more, then you should also consider our official Palo Alto Networks training like the new PAN-EDU-231 Advanced Threat Management course, where we teach you the insights and best practices on cyber threats and how to protect your enterprise network effectively in real life.

Table of Contents

1. Executive Summary
2.1. Kill Chain Step 1 – Reconnaissance
3. End-user Devices
3.1. Kill Chain Step 1 – Reconnaissance
4. Monitoring
4.1. Reporting

2. Data Centre

Data centres, and by this we mean servers or any other devices which are not directly operated by a human, generally provide services and therefore have to be available to a wide audience. This presents a broad threat surface for attacks, as the server has to process data and with it potentially malicious code which can be used by attackers to exploit software vulnerabilities. Data centres thus share a common threat vector: they provide services that are based on software which by its nature has bugs, or even features, which adversaries can exploit. Once this has been accomplished, the intruder gets access to the system where he can take actions to realise his objectives, which might be to violate the confidentiality, integrity or availability of a system, or to move laterally inside the network.

2.1. Kill Chain Step 1 – Reconnaissance

2.1.1. Possible Action by the Attacker (Risks)

Possible attacks are:
2.1.2. Threat Prevention Techniques for Mitigation & Defence
2.2. Kill Chain Step 2 – Weaponization

2.3. Kill Chain Step 3 – Delivery

2.3.1. Possible Action by the Attacker (Risks)

Common attacks at this stage are:
2.3.2. Threat Prevention Techniques for Mitigation & Defence
2.4. Kill Chain Step 4 – Exploitation

The transfer of the malicious code traverses the firewall at the previous stage, where it will be blocked only if the malicious code triggers a signature match of a known threat. The exploit itself, however, can only be detected and blocked on the end system, e.g. the server itself, and as such is outside the control of the firewall. The prevention of exploits on the target is therefore outside the scope of this document. However, we still would like to point out possible solutions like Palo Alto Networks Advanced Endpoint Protection, called “Traps”. In a typical attack scenario, an attacker attempts to gain control of a system by first attempting to corrupt or bypass memory allocation or handlers. Using memory-corruption techniques such as buffer overflows and heap corruption, the hacker can then trigger a bug in the software or exploit a vulnerability in a process. The attacker must then manipulate a program to run code provided or specified by the attacker and evade detection. If the attacker gains access to the operating system, the attacker could then upload Trojan horses, malware programs that contain malicious executables, or otherwise use the system to their advantage, which is the next step in the kill chain (step 5 – Installation). Classical AntiVirus solutions employ signatures to identify executables, dynamic-link libraries (DLLs) or other pieces of code as malicious. The weakness of this method is that signature-based solutions first need to identify newly created threats (also known as Zero-Day attacks or exploits) and then add them to lists of known threats before they will be detected, leaving the endpoint vulnerable until the signatures are updated. Attackers rely on a small number of exploit techniques like buffer overflows and heap sprays to trigger a bug in the software.
Palo Alto Networks’ “Traps” prevents exploit attempts by blocking these exploit techniques rather than trying to identify the malware based on its signature, which makes it possible to block even zero-day attacks and vulnerabilities which are still unknown. When a service starts on the server, the Traps agent seamlessly injects drivers into the software process at the earliest possible stage, before any files belonging to the process are loaded into memory. If the process then opens the file, Traps injects a code module called an Exploitation Prevention Module (EPM) into the process. The EPM targets a specific exploitation technique and is designed to prevent attacks on program vulnerabilities based on memory corruption or logic flaws. Examples of attacks that the EPMs can prevent include:
In addition to automatically protecting processes from such attacks, Traps reports any prevention events to the Endpoint Security Manager and performs additional actions according to the settings of the policy rules. Common actions performed by Traps include collecting forensic data and notifying the user about the event. Traps neither relies on nor performs any additional scanning or monitoring actions, which makes it a lightweight application with very little CPU and memory usage.

2.5. Kill Chain Step 5 – Installation

2.5.1. Possible Action by the Attacker (Risks)

Once downloaded, the RAT will install itself, often with rootkit capabilities which enable the malware to embed itself deeply and stealthily into the operating system. Because of this, it evades detection by hiding the existence of certain processes or programs. Most AntiVirus solutions will neither be able to detect nor remove such rootkit-enabled RATs.

2.5.2. Threat Prevention Techniques for Mitigation & Defence
2.6. Kill Chain Step 6 – Command and Control (C2)

At the command and control stage, the remote access trojan “RAT” on the compromised host will establish a communication channel to the attacker’s command and control “C2” server. Once the C2 channel has been established, the intruder has “hands on the keyboard” access to the compromised host inside the target environment.

2.6.1. Possible Action by the Attacker (Risks)

Persistence is one of the main objectives of an APT. This means that in case the command and control “C2” server is no longer reachable, for instance because it has been taken down by law enforcement, the RAT on the compromised host has to establish a C2 channel to a new C2 server in order for the attacker to re-establish control. Attackers achieve this resilience by using DNS, which easily enables them to point their command and control domain to a new IP address. More sophisticated malicious operations on the internet even use a technique called “Fast-flux”, which constantly changes the mapping of the IP address to the domain. This enables the attacker to build a network that obscures his true location, as all connections are proxied through a constantly changing layer of IP addresses. Once the RAT has resolved the IP address of its C2 server via DNS, it will establish the C2 channel. Blocking these C2 channels can be challenging with legacy port-based firewalls, as applications can use any TCP or UDP port number to communicate, and therefore the assumption on which port-based firewalls are designed, that a specific port equals a specific application, is no longer true. The same applies to the command and control communication of malware, which often uses port numbers of common applications like web-browsing (port 80) or DNS (port 53) to evade detection.

2.6.2. Threat Prevention Techniques for Mitigation & Defence
2.7. Kill Chain Step 7 – Actions on Objectives

Only at the last stage, after progressing through the first six phases, can intruders take actions to achieve their original objectives.

2.7.1. Possible Action by the Attacker (Risks)

Typically, the objective of the attacker at this stage is data exfiltration. This involves collecting, encrypting and extracting information from the victim environment; violations of data integrity and/or availability are also potential objectives. Alternatively, the intruders may only desire access to the initial victim device for use as a hop point to compromise additional systems and move laterally inside the network, or simply use the compromised host for other criminal activity like sending out spam e-mails, participating in click fraud or launching denial-of-service attacks against other victims.

2.7.2. Threat Prevention Techniques for Mitigation & Defence
3. End-user Devices

End-user devices, which can be fixed or mobile devices, share a common threat vector as they are all operated by a human being. Such end-user devices usually do not host any services, which significantly reduces the attack surface, i.e. an attacker cannot as easily send malicious code directly to the device to exploit a software vulnerability as we have seen in the previous section. Therefore the first step for an attacker is to target the human factor by baiting the user into initiating the compromise, either by clicking on a link, opening a file, or any other activity which enables the attacker to load malicious code onto the device. In 2011, RSA was the target of a spear-phishing attack made successful by just one employee opening the malicious attachment, even after their spam filter had correctly placed the e-mail in the “junk” folder. RSA suffered a severe data breach as a result. Educating users on cybersecurity is important, but there is no 100% immunity against social engineering, in the same way that there is no total protection from any threat prevention technique on its own. So blaming the end-user is not the solution, as he is only one element in the chain and the attacker still has to successfully go through several other stages to accomplish his objective. For this reason, the same principle applies to end-user devices: only a combination of different threat prevention techniques aligned in the right way at every stage of the cyber kill chain will provide an adequate defence.

3.1. Kill Chain Step 1 – Reconnaissance

At the Reconnaissance stage, the intruder tries to gather information in order to identify and select a possible target. This stage does not involve any direct communication by the adversary with the target and as such cannot be prevented by the Next-Generation FireWall; however, it still has to be taken seriously, as a couple of basic preventative measures by the user can avoid an attack even at this early stage.
Based on the objectives of the adversary, we need to differentiate whether the enterprise could be a direct or an indirect target. As a direct target, the adversary’s specific objective is to infiltrate the company directly, for instance to extract or manipulate data. As an indirect target, the attacker’s main objective is to take control of any available device to use for other criminal activity. This makes everyone a potential target, even if there are no obvious reasons to infiltrate an enterprise directly. Exploiting the human factor, the most effective attacker strategy is a spear-phishing attack, targeting a specific individual or group of people in a specific organisation. So if an attacker has an objective to infiltrate a specific company, then he will explore the interests of his target to make a phishing e-mail look more authentic by appearing to originate from a legitimate organisation or individual and containing role-relevant or topic-of-interest content to entice its intended target. Preventing a direct attack at this early stage of reconnaissance is close to impossible, because every enterprise and individual has freely available information about themselves which can be used by adversaries. With an indirect attack, however, the intruder takes more of an opportunistic approach, where he tries to find as many targets as possible, for instance by crawling the web for e-mail addresses, and then focuses on the weakest possible target. Here users can take simple measures to protect their private data, for example by not making their e-mail address freely available.

3.2. Kill Chain Step 2 – Weaponization

Weaponization is the stage where the adversary is preparing an exploit as a deliverable payload, for instance preparing an e-mail with a malicious attachment. This stage does not involve any communication by the attacker and as such cannot be directly prevented, but it also does not impose any direct risks.
It is, however, still important to have an understanding of the techniques employed by the attacker at this stage. The following is a real-life example of an “Infostealer Campaign” taken from the Palo Alto Networks Blog which illustrates the craftsmanship of the attacker at the weaponisation stage and the power of social engineering to influence a person. The campaign started with an e-mail sent to an employee responsible for processing financial statements at a global financial organisation (Figure below). The sender’s e-mail address was spoofed as originating from an energy company. The subsequent analysis would show that this façade was very thin; yet, it is often all that is required to encourage a user to open an attachment or click on a link that then executes malicious code. This e-mail employs common pressure tactics for phishing messages. Specifically, it touches on two areas of potential concern for a target: financial responsibility and the introduction of a state of uncertainty and confusion. In this case, the role of the target as a processor of financial statements might mean that the target is accustomed to receiving similarly structured legitimate e-mails; accordingly, they may open a malicious attachment without a second thought. The second factor is much broader and relates to how humans deal with uncertainty. Without specific awareness and training, some users may be inclined to open the attachment, wondering why the e-mail was sent to them. In psychology, this is referred to as the “Need for Closure” personality trap. The next layer of this attack is found within the malicious DOC file once a victim opens it. With a system properly configured to protect against automatic execution of macros, no malicious code has been run at this point. The Figure below presents a screenshot of the malicious attachment’s displayed contents.
This content further compounds the two points of concern for the target, and now presents a convenient option of clicking on “Enable Content” to obtain closure on the matter. Despite a security warning, a number of users still choose to enable the content, allowing the malicious macros to run on their system. After enabling macros, none of the promised data is shown to the victim; however, the malicious macro script executes in the background without the user’s knowledge.

3.3. Kill Chain Step 3 – Delivery

At this stage, the attacker tries to deliver malicious code to the target. This is the first stage where the attack goes from the outside to the inside and where it could be stopped by the Next-Generation FireWall.

3.3.1. Possible Action by the Attacker (Risks)

E-Mail can be used to deliver malicious code directly as an e-mail attachment or by luring the user to click on a link inside the e-mail, which will then deliver the malware via web browsing (see below). Enterprises often spend a considerable amount on e-mail security solutions to secure their corporate e-mail but at the same time allow their employees to use private web-based e-mail. Such private web-based e-mail often only provides moderate security protection to block malicious attachments and evades detection through the use of SSL encryption, which makes it an ideal channel to deliver malware by circumventing corporate e-mail security. Web Browsing requires the attacker to place malware on a webpage which ideally is very popular and visited by a lot of potential victims. Common targets are often webpages of smaller companies who once paid a web development firm to set up their webpage with one of the common content management systems like WordPress or Drupal. The company then only manages the content of the webpage but does not update the software of the content management system itself, which makes it an easy target once a new vulnerability has been discovered for this system. Once an attacker has compromised a webpage, he can deliver malicious code to the user’s device in mainly two different forms. The first option is to embed malicious code directly into the webpage, which is then loaded by the user’s browser and can thus exploit vulnerabilities in the browser itself or in any plug-ins loaded by the browser. The other option is to get the user to download a file like a PDF which can exploit vulnerabilities in the software that opens the file, or even to directly download malware in the form of a portable executable file that can be run on the victim’s PC. Another way to distribute malicious code via web browsing is to use an advertisement network.

Webpages that provide space for advertisements load code from the advertisement company every time the webpage is loaded. With this, an attacker can buy advertisement space and distribute malicious code through, for instance, Flash videos. The risk for the attacker’s malicious code to get blocked by the advertisement firm is high, but if it is not detected then it provides high leverage, as the malicious code is automatically distributed to hundreds of web pages that serve thousands of users. Another important aspect to take into account with web browsing is encrypted traffic. SSL is widely used to secure communications in order to guarantee the authenticity, integrity and confidentiality of the transferred data. For the very same reason, sophisticated malware and cybercriminals are using SSL to evade detection and are thereby able to deliver malware into corporate networks unnoticed. It is important to note that the volume of SSL on the network is not the criterion for enabling or disabling SSL decryption, because the risk arises from the fact that detection can be evaded by using SSL. The traffic volume generated by modern malware is often very low.

3.3.2. Threat Prevention Techniques for Mitigation & Defence
3.4. Kill Chain Step 4 – Exploitation

At this stage, the malicious code has been delivered to the target, where it can trigger the exploitation of a vulnerability. At this stage, the attacker is acting inside the trusted environment. An exploit is a sequence of commands that takes advantage of a bug or vulnerability in a software application or process. Attackers use exploits as a means to access and use a system to their advantage. To gain control of a system, the attacker must bypass a chain of vulnerabilities in the system. Blocking any attempt to exploit a vulnerability in the chain will block the exploitation attempt entirely. The transfer of the malicious code traverses the firewall at the previous stage, where it can be blocked, but only if the malicious code triggers a signature match of a known threat. The exploit itself, however, can only be detected and blocked on the end-user’s device and as such is outside the control of the firewall. The prevention of exploits on the target is therefore outside the scope of this document. However, we still would like to point out possible solutions like Palo Alto Networks Advanced Endpoint Protection, called “Traps”. In a typical attack scenario, an attacker attempts to gain control of a system by first attempting to corrupt or bypass memory allocation or handlers. Using memory-corruption techniques such as buffer overflows and heap corruption, the hacker can then trigger a bug in the software or exploit a vulnerability in a process. The attacker must then manipulate a program to run code provided or specified by the attacker and evade detection. If the attacker gains access to the operating system, the attacker could then download a Trojan horse, malware programs that contain malicious executables, or otherwise use the system to their advantage, which is the next step of the kill chain (step 5 – Installation).
Classical AntiVirus solutions employ signatures to identify executables, dynamic-link libraries (DLLs) or other pieces of code as malicious. The weakness of this method is that signature-based solutions take time to identify newly created threats known only to the attacker (also known as Zero-Day attacks or exploits) and add them to lists of known threats, leaving the endpoint vulnerable until the signatures are updated. Attackers rely on a small number of exploit techniques like buffer overflows and heap sprays to trigger a bug in the software. Traps prevents exploit attempts by blocking these exploit techniques rather than trying to identify the malware based on its signature, which makes it possible to block even zero-day attacks and vulnerabilities which are still unknown. When a user opens a non-executable file, such as a PDF or Word document, the Traps agent seamlessly injects drivers into the software that opens the file. The drivers are injected at the earliest possible stage, before any files belonging to the process are loaded into memory. If the process then opens the file, Traps injects a code module called an Exploitation Prevention Module (EPM) into the process. The EPM targets a specific exploitation technique and is designed to prevent attacks on program vulnerabilities based on memory corruption or logic flaws. Examples of attacks that the EPMs can prevent include:
In addition to automatically protecting processes from such attacks, Traps reports any prevention events to the Endpoint Security Manager and performs additional actions according to the settings of the policy rules. Common actions that Traps performs include collecting forensic data and notifying the user about the event. Traps neither performs nor relies on any additional scanning or monitoring actions, which makes it lightweight with very little CPU and memory usage.

3.5. Kill Chain Step 5 – Installation

At stage number 5, the attacker tries to install a remote access trojan “RAT” or backdoor on the target to maintain persistence inside the environment. At this point, it is important to understand the difference between an exploit, which we described in the previous two stages, and executable malware like a Trojan or backdoor. For an advanced persistent threat, the attacker needs to establish persistence on the target, which means that he has to establish full remote access and control on the victim’s device while evading detection. At the exploit stage, the attacker is, however, still limited by the functionality of the program whose vulnerability was exploited. Even if the attacker gained shell access through the exploit, he is still limited to the operation of the shell, which for instance does not provide any advanced functionality like key-logging. In addition, such shell access is usually logged, which makes it difficult to evade detection. Therefore the attacker has to download additional executable software like a Remote Access Trojan “RAT”, which will provide all the necessary functionality to gain full remote access independent of the exploited application, as well as additional tools to, for instance, monitor the victim’s activity.
Through social engineering, adversaries have the possibility to deliver executable software like a Remote Access Trojan “RAT” directly to the end user’s device, for instance via e-mail, and trick the victim into installing the software. This allows the attacker to skip the previous two steps of the kill chain. However, the scope for such attacks is narrow, which leaves adversaries still dependent on the previous two exploit stages for most attacks.

3.5.1. Possible Action by the Attacker (Risks)

At the installation stage, the attacker uses the elevated access which he gained through the previous exploitation stage to execute commands or code which instruct the target device to download the RAT or backdoor. The biggest risk is therefore if an end-user device is allowed to download executable files from the internet. Once downloaded, the RAT will install itself, often with rootkit capabilities that enable the malware to embed itself deeply into the operating system, which makes it stealthy. With this, it will evade detection by hiding the existence of certain processes or programs. Most AntiVirus solutions will not be able to detect such modern malware at the download stage, as it is highly polymorphic, which means it constantly changes its signature to effectively avoid detection by signature-based AntiVirus. Even if the AntiVirus software receives an update at a later stage that could identify the malicious file, it will still not be able to detect or remove it, as the malware is already installed and hidden by the rootkit.

3.5.2. Threat Prevention Techniques for Mitigation & Defence
3.6. Kill Chain Step 6 – Command and Control (C2)

At the command and control stage, the remote access trojan “RAT” on the compromised host will establish a communication channel to the attacker’s command and control “C2” server. Once the C2 channel has been established, the intruder has “hands on the keyboard” access to the compromised host inside the target environment. For end-user devices, there is also the possibility of an already compromised host connecting to the corporate network. This stage provides the opportunity to identify such malware-infected devices as they come into the network and to stop further communication between the compromised host and the C2 server.

3.6.1. Possible Action by the Attacker (Risks)

Once the RAT has resolved the IP address of its C2 server via DNS, it will establish the C2 channel. Blocking these C2 channels can be challenging with legacy port-based firewalls, as applications can use any TCP or UDP port number to communicate, and therefore the assumption on which port-based firewalls are designed, that a specific port equals a specific application, is no longer true. The same applies to the command and control communication of malware, which often uses port numbers of common applications like web-browsing (port 80) or DNS (port 53) to evade detection.

3.6.2. Threat Prevention Techniques for Mitigation & Defence
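The DNS-based resilience and “Fast-flux” behaviour described for the C2 stage in sections 2.6.1 and 3.6.1 leaves a trace at the corporate resolver, where it can be spotted before the firewall even sees the C2 session. The following script is an added example, not code from the original guide or from Palo Alto Networks: it applies a fast-flux heuristic (many distinct answer addresses spread across unrelated /16 blocks, advertised with short TTLs) to constructed resolver log lines, and shows why a CDN-style domain that also uses low TTLs but rotates inside one address block is not flagged. All domain names, clients and addresses are made up for the example.

```python
"""Fast-flux C2 domain heuristic over DNS resolver logs (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_network

# Constructed sample resolver log, one resolution per line:
#   <timestamp> <client-ip> <qname> <ttl> <comma-separated A answers>
# Every name and address below is invented for this example.
SAMPLE_DNS_LOG = """\
2024-03-01T10:00:00 10.1.1.7 login.flux-c2.test 60 198.51.100.1
2024-03-01T10:02:00 10.1.1.7 login.flux-c2.test 60 203.0.113.5
2024-03-01T10:04:00 10.1.1.7 login.flux-c2.test 60 192.0.2.9
2024-03-01T10:06:00 10.1.1.7 login.flux-c2.test 60 198.18.3.4
2024-03-01T10:08:00 10.1.1.7 login.flux-c2.test 60 100.64.7.8
2024-03-01T10:10:00 10.1.1.7 login.flux-c2.test 60 172.16.9.9
2024-03-01T10:00:30 10.1.1.5 static.example-cdn.test 20 203.0.113.10,203.0.113.11
2024-03-01T10:05:30 10.1.1.5 static.example-cdn.test 20 203.0.113.12,203.0.113.13
2024-03-01T10:10:30 10.1.1.5 static.example-cdn.test 20 203.0.113.14,203.0.113.15
2024-03-01T10:01:00 10.1.1.9 intranet.corp.test 3600 10.0.0.5
"""


@dataclass
class DnsRecord:
    ts: str
    client: str
    qname: str
    ttl: int
    answers: list


def parse_dns_log(text):
    """Parse the constructed log format above into DnsRecord objects."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, qname, ttl, answers = line.split()
        records.append(DnsRecord(ts, client, qname.lower().rstrip("."),
                                 int(ttl), answers.split(",")))
    return records


@dataclass
class DomainStats:
    resolutions: int = 0
    min_ttl: int = 2**31 - 1
    ips: set = field(default_factory=set)
    prefixes16: set = field(default_factory=set)   # /16 blocks seen in answers


def domain_stats(records):
    """Aggregate, per queried name, the answer diversity and the lowest TTL seen."""
    stats = defaultdict(DomainStats)
    for rec in records:
        st = stats[rec.qname]
        st.resolutions += 1
        st.min_ttl = min(st.min_ttl, rec.ttl)
        for ip in rec.answers:
            st.ips.add(ip)
            # strict=False masks the host bits, e.g. 198.51.100.1 -> 198.51.0.0/16
            st.prefixes16.add(str(ip_network(f"{ip}/16", strict=False)))
    return dict(stats)


def find_fast_flux(text, min_ips=5, max_ttl=120, min_prefixes=3, allowlist=()):
    """Return the sorted list of names whose answers look like a fast-flux network.

    A name is flagged when, across all observed resolutions, it returned at
    least `min_ips` distinct addresses spread over at least `min_prefixes`
    different /16 blocks while advertising a TTL of at most `max_ttl` seconds.
    The /16 spread is what separates flux networks (compromised hosts in
    unrelated networks) from CDNs, which also use low TTLs but rotate inside
    their own address blocks.  Reviewed exceptions go into `allowlist`.
    """
    flagged = []
    for qname, st in domain_stats(parse_dns_log(text)).items():
        if qname in allowlist:
            continue
        if (len(st.ips) >= min_ips and st.min_ttl <= max_ttl
                and len(st.prefixes16) >= min_prefixes):
            flagged.append(qname)
    return sorted(flagged)


if __name__ == "__main__":
    stats = domain_stats(parse_dns_log(SAMPLE_DNS_LOG))
    for qname in find_fast_flux(SAMPLE_DNS_LOG):
        st = stats[qname]
        print(f"fast-flux candidate: {qname} ({len(st.ips)} IPs in "
              f"{len(st.prefixes16)} /16 blocks, min TTL {st.min_ttl}s)")
```

The thresholds are a starting point, not a verdict: a hit should be correlated with the firewall's traffic log (for instance sessions to the flagged addresses on port 80 or 53 that do not decode as web-browsing or DNS) before the name is blocked.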
3.7. Kill Chain Step 7 – Actions on Objectives

Only at the last stage, after progressing through the first six phases, can intruders take action to achieve their original objectives.

3.7.2. Threat Prevention Techniques for Mitigation & Defence
4. Monitoring
Which endpoint protection technique is commonly used to prevent end users from running unauthorized applications including malware on their endpoints?

Firewall stops malicious inbound and outbound network traffic. Application containment quarantines malicious applications and processes on endpoints even when they're offline.
Which malware protection module uses a machine learning technique to detect malware?

Local Analysis via Machine Learning. If a file remains unknown after the initial hash lookup, the Cortex XDR agent uses local analysis via machine learning on the endpoint—trained by the rich threat intelligence from global sources including WildFire—to determine whether the file can run.
Is Cortex XDR a virus?

Cortex XDR is an enterprise-level security application that provides anti-virus and anti-malware protection through the cloud, network, and on physical devices. This runs continuously in the background on all district devices.
What does Cortex XDR Prevent do for endpoints?

Cortex XDR Prevent provides protection for endpoints and includes device control, disk encryption, and host firewall features. It also includes an incident engine, integrated response capabilities, and an optional threat intelligence feed.