6. What is the Best Approach to Preventing Attacks?
Anatomy of a Targeted Attack
Gather Intelligence: plan the attack
Leverage Exploit: silent infection
Control Channel: malware communicates with attacker
Execute Malware: malicious file executed
Steal Data: data theft, sabotage, destruction
7. What is the Best Approach to Preventing Attacks?
Anatomy of a Targeted Attack (same stages as slide 6, with a Potential Impact overlay added)
8. What is the Best Approach to Preventing Attacks?
Anatomy of a Targeted Attack (same stages, with a Traps Prevention overlay added)
9. Exploits vs. Malicious Executables
Exploit
- Malformed data file
- Processed by a legitimate application
- Exploits a vulnerability in the legitimate application to allow the attacker to execute code
- Small payload
- Examples: weaponized PDF files & Flash videos
Malicious Executable
- Malicious code
- Does not rely on application vulnerabilities
- Contains executable code
- Aims to control the machine
- Large payload
- Examples: ransomware, fake AV
10. Exploits vs. Malicious Executables (repeat of slide 9)
“Next Gen” Anti-Malware Solutions
Signature-based AV
Palo Alto Networks Traps
12. Via Website
1. User visits compromised website
2. Exploit Kit silently exploits client-side vulnerability
3. Drive-by download of malicious payload
4. System infected, attacker has full access to steal data
16. The 3 Core Capabilities of Advanced Endpoint Protection
1. Prevents Exploits – including unknown & zero-day exploits
17. The 3 Core Capabilities of Advanced Endpoint Protection
1. Prevents Exploits – including unknown & zero-day exploits
2. Prevents Malicious Executables – including unknown & advanced malware
18. The 3 Core Capabilities of Advanced Endpoint Protection
1. Prevents Exploits – including unknown & zero-day exploits
2. Prevents Malicious Executables – including unknown & advanced malware
3. Highly-Scalable, Integrated Security Platform – for data exchange & cross-organization protection
19. Prevent Exploits
Number of New Variants Each Year*
Individual Attacks (Software Vulnerability Exploits): +10,000s
Core Techniques (Exploitation Techniques): < 3
*Source: CVEDetails.com
Block the Core Techniques – Not the Individual Attacks
21. Exploit Techniques - Example
Exploit Attack
1. Exploit attempt contained in a PDF sent by “known” entity.
2. PDF is opened and exploit techniques are set in motion to exploit vulnerability in Acrobat Reader.
3. Exploit evades AV and drops a malware payload onto the target.
4. Malware evades AV, runs in memory.
Technique chain: Normal Application Execution → Heap Spray → ROP → Utilizing OS Function → Begin Malicious Activity (activate key logger, steal critical data, more…)
Gaps Are Vulnerabilities
22. Exploit Techniques
Same Exploit Attack as slide 21, with Traps Exploit Prevention Modules (EPM) in place:
Normal Application Execution → Heap Spray → Traps EPM → No Malicious Activity
Traps Exploit Prevention Modules (EPM)
1. Exploit attempt blocked. Traps requires no prior knowledge of the vulnerability.
23. Exploit Techniques - Unknown Technique
Same Exploit Attack as slide 21, using a technique Traps does not know:
Normal Application Execution → Unknown Exploit Technique → ROP → Traps EPM → No Malicious Activity
Traps Exploit Prevention Modules (EPM)
1. Exploit attempt blocked. Traps requires no prior knowledge of the vulnerability.
2. If there is a new technique it will succeed, but the next one will be blocked, still preventing malicious activity.
24. Exploit Prevention Case Study
Unknown Exploits Utilize Known Techniques
(Exploit – technique used → Traps mitigation)
IE Zero Day, CVE-2013-3893:
- Heap Spray
- DEP Circumvention → UASLR
- ROP/Utilizing OS Function → ROP Mitigation/DLL Security
- DLL Security
Adobe Reader, CVE-2013-3346:
- Heap Spray → Memory Limit Heap Spray Check and Shellcode Preallocation
- DEP Circumvention → UASLR
- Utilizing OS Function → DLL Security
Adobe Flash, CVE-2015-3010/0311:
- ROP → ROP Mitigation
- JiT Spray → J01
- Utilizing OS Function → DLL Security
- Heap Spray → Memory Limit Heap Spray Check
25. Prevent Malicious Executables
Advanced Execution Control
- Reduce surface area of attack.
- Control execution scenarios based on file location, device, child processes, unsigned executables.
- Local hash control allows for granular system hardening.
WildFire Inspection and Analysis
- Dynamic analysis with cloud-based threat intelligence.
Malware Techniques Mitigation
- Prevent unknown malware with technique-based mitigation. (Example: Thread Injection)
26. The Right Way to Prevent Malicious Executables
Flow for an EXE:
1. User Tries to Open Executable File
2. Restrictions And Executable Rules (Examples: Child Process? Restricted Folder or Device?) – match: Execution Stopped
3. HASH Checked Against WildFire – Benign: Safe! / Malicious: Execution Stopped / Unknown? – continue
4. Malware Technique Prevention Employed (Examples: Thread Injection? Create Suspend?) – technique seen: Execution Stopped
5. WildFire ESM Forensics Collected
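The slide-26 decision order (restrictions and executable rules, then hash verdicts, then technique-based prevention for files nobody has a verdict on) as a small policy engine. This is an added illustration, not Traps code; the folders, parent-process list, hash verdicts and the cloud lookup table are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample policy and data; none of these values come from the deck.
RESTRICTED_FOLDERS = ("c:\\users\\public\\", "c:\\windows\\temp\\")
NO_CHILD_PARENTS = ("acrord32.exe", "winword.exe")   # readers must not spawn executables
LOCAL_VERDICTS = {"aa" * 32: "benign", "bb" * 32: "malicious"}  # admin pre-set hash verdicts
CLOUD_VERDICTS = {"cc" * 32: "malicious", "dd" * 32: "benign"}  # stand-in for a cloud lookup
RUNTIME_TECHNIQUES = ("thread_injection", "create_suspended_process")  # technique mitigation


@dataclass
class ExecRequest:
    path: str
    sha256: str
    signed: bool
    parent: str            # image name of the process launching the file
    removable: bool = False


def evaluate(req: ExecRequest, cloud=CLOUD_VERDICTS):
    """Decide whether an executable may start, in the order the flow shows:
    restrictions and executable rules, local hash verdict, cloud hash verdict,
    and finally monitored execution for files with no verdict at all."""
    if req.removable or req.path.lower().startswith(RESTRICTED_FOLDERS):
        return "block", "restricted folder or device"
    if req.parent.lower() in NO_CHILD_PARENTS:
        return "block", f"child process of {req.parent}"
    if not req.signed:
        return "block", "unsigned executable"      # policy choice; could be report-only
    verdict = LOCAL_VERDICTS.get(req.sha256)      # local verdicts take precedence
    if verdict is None:
        verdict = cloud.get(req.sha256)
    if verdict == "malicious":
        return "block", "known malicious hash"
    if verdict == "benign":
        return "allow", "known benign hash"
    # Unknown hash: let it run, submit the sample for analysis, watch its behaviour.
    return "allow-monitored", "unknown hash; submitted for inspection"


def runtime_check(decision: str, event: str):
    """Technique-based mitigation for a running process: the first malware
    technique stops the process and triggers forensics, signature or not."""
    if decision != "block" and event in RUNTIME_TECHNIQUES:
        return "block", f"technique observed: {event}; process stopped, forensics collected"
    return decision, "no malicious technique observed"


if __name__ == "__main__":
    req = ExecRequest("C:\\Tools\\updater.exe", "ee" * 32, True, "explorer.exe")
    decision, reason = evaluate(req)
    print(decision, reason)                      # allow-monitored
    print(runtime_check(decision, "thread_injection"))
```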
27. Traps Malware Protection – Example: CryptoLocker
Controls shown: Utilization of OS functions, JIT, Heap Spray, Child Process, Suspend Guard, Unsigned Executable, Restricted Location, Admin Pre-Set Verdicts, Wildfire Known Verdict, On Demand Inspection, Injection Attempts Blockage
Traps Kill-Points Through the Attack Life Cycle
Delivery → Exploitation → Download and Execute
Exploitation – Traps Exploit Protection (Memory Corruption, Logic Flaws):
1. Exploitation Technique 1
2. Exploitation Technique 2
3. Exploitation Technique 3
Download and Execute – Advanced Execution Control, Intelligence and Emulation, Malicious Behavior Protection:
4. Execution Restriction 1
5. Execution Restriction 2
6. Execution Restriction 3
7. Local Verdict Check
8. Wildfire Verdict Check
9. Wildfire Inspection
10. Malicious Thread Injection
33. Traps System Requirements, Footprint, and Coverage
Supported Operating Systems
Workstations – Physical and Virtual: Windows XP SP3, Windows Vista SP2, Windows 7, Windows 8 / 8.1, Windows 10
Servers – Physical and Virtual: Windows Server 2003 32 bit, Windows Server 2008 (+R2), Windows Server 2012 (+R2)
Footprint
25 MB RAM, 0.1% CPU, No Scanning
Application Coverage
Default Policy: 100+ processes
Automatically detects new processes
Can extend protection to any application, including in-house developed apps.
34. Highly-Scalable, Integrated Security Platform
Architecture: Scalability; Ease of security administration
Operational Capabilities: Footprint; Performance Impact
Platform Coverage: Physical systems; Virtual systems
Threat Intelligence: Integrated threat intelligence; Threat data sharing
35. Traps Benefits
- Prevent Zero Day Vulnerabilities and Unknown Malware
- Install Patches on Your Own Schedule
- Protect ANY Application From Exploits
- Minimal Performance Impact
- Save Time and Money
- Signature-less
- No Frequent Updates
- Network and Cloud integration