Cyvera TRAPS | Agent-based solution for MS Windows systems
Compatible with servers, desktops, virtual machines, terminal sessions, thin clients, Windows embedded systems

CMC | Cyvera Management Center for reports, policy enforcement and agent control
Internal + External (DMZ or cloud)

Method | Obstruct the main vectors of targeted remote attacks rather than identify them
Software vulnerability exploits (including 0-days), memory-corruption-related techniques, logic-flow-related techniques, user-weakness-related techniques and execution of undesired executables

Reflector | Post-prevention analysis center
Two-phase examination: "Exploit Stripping" to discover the exploitation flow, followed by further attack emulation

2 | 2014, Palo Alto Networks, Inc. Confidential and Proprietary.

Why security solutions fail to identify the unknown or tailored attacks
The Inherent Failure of Identification Approaches
- Sensors can always get turned off
- Malicious activity must be initiated
- Reverse engineering enables evasion
- Require prior knowledge
DEMO

Targeted Attacks Must Include a Phase of Evasive Malware Injection
- Execution of malicious executable files (by a persuaded end-user): games, add-ons, toolbars, anti-viruses, embedded exes
- Utilizing [text illegible in source]: day-to-day working files (pdf, doc, ppt, xls, zip, jpg), external storage, email attachments, web links

0 bugs is not feasible
Triggered bugs are actually "vulnerabilities"
Some vulnerabilities are exploitable
Any malware on top of any exploit
C:\ Persistence
- A file carries a zero-day exploit: utilizes a vulnerability that is known only to the attacker
- A file carries a manipulated exploit: utilizes a vulnerability that is known to the world
- Bypasses security suites and hits unpatched systems
- Bypasses security suites and hits even patched systems

EVENT NAME | WHEN | Method / Results
Night Dragon | 2010-Present | Exploitation | Global operation to control energy resources
Stuxnet | 2009-Present | Exploitation | Targeted operation to control nuclear centrifuges
Google (Operation Aurora) | 2009-2010 | Exploitation | Access to source code repositories of high-tech, security and defense contractor companies
RSA | 2011 | Exploitation | SecurID compromised (exposed 40 M clients to cyber risks)
23 DoD contractors | 2011 | Exploitation | Zero-day exploit in Adobe Reader. Unknown damage (classified)
European Aerospace (Infector) | 2012 | Exploitation | Two significant zero-days in Internet Explorer and MS Office
NASA\ Nortel | 2012 | Exploitation | Persistent campaign - compromised both IP and physical assets
Watering-Hole attacks | 2013 | Exploitation | Four significant zero-days used in high-profile state-sponsored campaigns
In the most recent high-profile cases the attack was initiated by exploiting a software vulnerability.
CYVERA SUCCESSFULLY STOPPED EVERY PUBLISHED WINDOWS-BASED ZERO-DAY SINCE MARCH 2012

Identification and Response -> Obstruction and Deception
Targeted Remote Attack Prevention System

Cyvera's Concept
Obstruct the attack's core techniques, interrupt the attack's critical path, obviate the attacker's toolbox.
- Preliminary research of exploitation structure
- Research outcome: ~20 exploitation techniques, used alternatively, are contained in 99% of attacks
- Development of exploit mitigation techniques utilizing generic HW and SW qualities to interrupt the attack flow, rather than identify it
- Development of enforcement capabilities to cover all processes of the OS and 3rd-party software

Exploitation Core Techniques Evolution
[Chart: Vulnerabilities Growth, Exploits Growth (K), Core Techniques Growth]
Example of an exploit critical path: Buffer Overflow -> Heap Spray -> ROP Payload -> Shellcode Payload -> Post Exploitation
Prevention of one link in the chain = entire attack blocked
Cyvera Core | Main Roles
- Enforcement capabilities on all processes\ platforms
- Designated proprietary injection methods
- Software logic faults exploitation prevention
- Memory corruption exploitation prevention
- Real-time block/notify based on external indicators

Layer 1 | Anti Exploitation - 19 designated modules (7 patents pending)
Layer 2 | Anti Malware Execution - flexible infrastructure (2 patents pending)
- Embedded exe files and other restricted executables
- Restricted execution from specific folders or network shares
- Restricted execution from specific devices
- Folder creation\access, key registry access, hashes, file name, location, file attributes (hidden, not signed, archived etc.)

Prevention Types (flow-based)
Stage I - Preparation: Heap-spray method A, Heap-spray method B, JIT Spray, ...
Stage II - Triggering: Use After Free, Heap Corruption, DLL Hijacking, ...
Stage III - Exploitation: ROP, Stack Pivoting, Execution from Hack, ...
Stage IV - Post: Utilizing OS Functions, Sandbox Escaping, Execution from Hack, ...
Stage V (or stage 0) - Malicious activity: Files Dropping, Files Execution, Rootkit deployment, ...

Exploitation Core Techniques (not exhaustive)
Memory-Corruption-Related Mitigations: ROP, Stack Pivoting, Execution from the stack/heap, Heap-sprays, null-pointer dereference, SEH-handler overwrite, Heap-corruption, Connection to OS functions, use-after-free implementations, double-free implementations, Sandbox escaping (mainly Java, but adoptable to others)
Logic-Flow-Related Mitigations: Windows logic vulnerabilities (i.e., Lnk), Windows kernel vulnerabilities (i.e., fonts), DLL Hijacking, Embedded executables (i.e., in ppt, doc, pdf), Macros that lead to execution
User-Interaction that involves executables: Restricted folders and internet sources, Restricted devices (deep device control), Attributes: hidden and\or recently written and\or un-signed

In-Organization Architecture: Hybrid Prevention (Centralized + End-point-based)
[Diagram: Virtual Machines, Desktop\ servers, Terminals, Tablets\ Smartphones; Cyvera Management Center; Cyvera Cloud monitoring services; SIEM/ SOC/ Syslog; Cyvera Reflector (Stripping + analysis)]

[Diagram, 2014: TRAPS agent (Windows Desktop and Servers), Cyvera Management Center -> Cloud Management and Post-prevention analysis, Cyvera Reflector for Post-prevention analysis -> Cyvera TRAPS enhancement -> Other Operating Systems & mobile & integration]
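The execution restrictions listed under Layer 2 (Anti Malware Execution) and again under the logic-flow mitigations above (restricted folders and network shares, restricted devices, and the hidden / not-signed / recently-written attributes) amount to a policy evaluated at launch time. The following Python is an added illustration written for this edit; it is not Cyvera or Palo Alto Networks code. The policy values, the FileFacts field names, the source labels, and the "two attribute signals before notify" threshold are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class FileFacts:
    """What an execution-control agent knows about a file at launch time.
    Field names and the source labels are assumptions made for this example."""
    path: str
    signed: bool          # Authenticode signature present and valid
    hidden: bool          # hidden attribute set on the file
    written_at: datetime  # last-write timestamp
    source: str           # "local", "network_share", "removable" or "internet"


# Hypothetical policy values; a real product would load these from its console.
RESTRICTED_FOLDERS = [
    r"C:\Users\*\Downloads\*",
    r"C:\Users\*\AppData\Local\Temp\*",
    r"\\*\*",  # any UNC path, i.e. execution straight from a network share
]
RESTRICTED_SOURCES = {"removable", "network_share"}
RECENTLY_WRITTEN = timedelta(hours=24)
NOTIFY_THRESHOLD = 2   # attribute signals needed before the launch is reported


def in_restricted_folder(path: str) -> bool:
    """Case-insensitive glob match against the restricted-folder list."""
    lowered = path.lower()
    return any(fnmatchcase(lowered, pattern.lower()) for pattern in RESTRICTED_FOLDERS)


def evaluate(facts: FileFacts, now: datetime) -> Tuple[str, List[str]]:
    """Return (verdict, reasons); verdict is "block", "notify" or "allow".

    Location and source rules are hard rules and block outright. The attribute
    rules (not signed, hidden, recently written) are combined: any one of them
    alone is too common on legitimate software, so two or more raise a notify.
    """
    hard: List[str] = []
    soft: List[str] = []
    if in_restricted_folder(facts.path):
        hard.append("restricted folder or network share")
    if facts.source in RESTRICTED_SOURCES:
        hard.append(f"restricted source: {facts.source}")
    if not facts.signed:
        soft.append("not signed")
    if facts.hidden:
        soft.append("hidden attribute set")
    if now - facts.written_at <= RECENTLY_WRITTEN:
        soft.append("recently written")
    if hard:
        return "block", hard + soft
    if len(soft) >= NOTIFY_THRESHOLD:
        return "notify", soft
    return "allow", soft


# Constructed sample launches (not real telemetry) and a fixed clock so that the
# "recently written" rule is deterministic.
NOW = datetime(2014, 3, 1, 12, 0)
SAMPLES: Dict[str, FileFacts] = {
    "downloaded_exe": FileFacts(r"C:\Users\alice\Downloads\invoice.pdf.exe",
                                signed=False, hidden=False,
                                written_at=NOW - timedelta(hours=1), source="internet"),
    "installed_app": FileFacts(r"C:\Program Files\Vendor\app.exe",
                               signed=True, hidden=False,
                               written_at=NOW - timedelta(days=400), source="local"),
    "share_exe": FileFacts(r"\\fileserver\public\update.exe",
                           signed=False, hidden=False,
                           written_at=NOW - timedelta(days=3), source="network_share"),
    "hidden_dropper": FileFacts(r"C:\Users\bob\Documents\helper.exe",
                                signed=False, hidden=True,
                                written_at=NOW - timedelta(hours=2), source="local"),
}


def run_samples() -> Dict[str, str]:
    """Evaluate every sample and return a name -> verdict mapping."""
    return {name: evaluate(facts, NOW)[0] for name, facts in SAMPLES.items()}


if __name__ == "__main__":
    for name, facts in SAMPLES.items():
        verdict, reasons = evaluate(facts, NOW)
        print(f"{name:15} {verdict:7} {', '.join(reasons) or 'no findings'}")
```

Running the block prints one line per sample: the download and the share launch are blocked by the location and source rules, the installed signed application is allowed, and the unsigned, hidden, freshly written file in Documents is only reported, because none of the hard rules apply to it. Keeping location/source rules separate from attribute heuristics is what lets such a policy stay permissive for ordinary user actions while still catching the combinations the slides single out.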
- Security update implementation can be safely postponed for both desktops and servers
- No need for definition and signature updates (apart from a few updates a year)
- Response to identification and disaster recovery is mitigated, IT overhead is saved
- An efficient alternative to mitigate "Administration privileges" threats
- Free of access - not intrusive, very permissive in terms of users' allowed actions
- Keeps your sensitive data assets and manufacturing infrastructure secured even from the most innovative attacks, and saves direct financial damages and reputation-related damages
- Generic solution that protects all processes, does not require complicated configuration
- Requires less than 0.1% CPU resources on process runtime
- Compatible with all Windows-based platforms, including terminals, VDIs and VMs.

Thanks.
See more | www.cyvera.com
Contact us | info@cyvera.com