Protect your company against Zero Day attacks
Mikkel Bossen | Channel SE, May 2021
© 2021 Palo Alto Networks, Inc. All rights reserved.

2020 Top Ransomware Variants
● Ryuk
● Maze (ChaCha)
● Defray777
● WastedLocker
● GandCrab + REvil
● NetWalker
● DoppelPaymer
● Dharma
● Phobos
● Zeppelin
Source: https://start.paloaltonetworks.com/unit-42-ransomware-threat-report.html

How is Ransomware delivered?
Unsecured RDP Connections
● 69% of organizations expose RDP (port 3389), up 30%.
Sources: https://blog.shodan.io/trends-in-internet-exposure/ ; Cloud Threat Report "Putting the Sec into DevOps", Spring 2020

Exposed RDP Adversary Workflow
Adversary → exposed server → brute force / stolen credentials → extracts credentials → moves laterally to other resources
Further reading: "Anatomien af målrettede ransomwareangreb" (The anatomy of targeted ransomware attacks), CFCS: https://cfcs.dk/globalassets/cfcs/dokumenter/rapporter/CFCS-rapport-anatomien-af-maalrettede-ransomwareangreb.pdf
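The brute-force step of the workflow above leaves a trail in the target's logon audit long before any lateral movement. As an added example, not from the deck and not Palo Alto Networks code, the Python below counts failed RDP logons per source inside a sliding window and also records a success that follows such a burst, which is the point where guessing turns into a held credential. Windows Security event IDs 4625 (logon failed) and 4624 (logon succeeded) and logon type 10 (RemoteInteractive) are real identifiers; the one-line record format, the addresses and the account names are constructed.

```python
"""Flag RDP password guessing in constructed Windows logon-failure records.

Added example, not from the slide deck and not Palo Alto Networks code.
Windows Security events 4625 (logon failed) and 4624 (logon succeeded) with
LogonType 10 (RemoteInteractive) are what an RDP logon attempt leaves behind;
the one-line text form below is a constructed simplification, not a real export.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 sprays five accounts in five seconds and then
# succeeds; 198.51.100.20 is a user mistyping a password twice, 42 minutes apart;
# 10.0.0.5 is a network logon (type 3), not RDP, and must be ignored.
SAMPLE_EVENTS = """\
2021-05-03T10:00:01Z 4625 LogonType=10 Src=203.0.113.7 User=administrator
2021-05-03T10:00:02Z 4625 LogonType=10 Src=203.0.113.7 User=administrator
2021-05-03T10:00:03Z 4625 LogonType=10 Src=203.0.113.7 User=admin
2021-05-03T10:00:04Z 4625 LogonType=10 Src=203.0.113.7 User=backup
2021-05-03T10:00:05Z 4625 LogonType=10 Src=203.0.113.7 User=sqlsvc
2021-05-03T10:00:06Z 4624 LogonType=10 Src=203.0.113.7 User=sqlsvc
2021-05-03T10:03:00Z 4625 LogonType=10 Src=198.51.100.20 User=jdoe
2021-05-03T10:45:00Z 4625 LogonType=10 Src=198.51.100.20 User=jdoe
2021-05-03T10:00:07Z 4625 LogonType=3 Src=10.0.0.5 User=svc
"""


def parse_event(line):
    """Split one constructed record into a dict with a datetime and typed fields."""
    ts, event_id, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "id": int(event_id),
        "logon_type": int(kv["LogonType"]),
        "src": kv["Src"],
        "user": kv["User"],
    }


def detect_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Return {source: finding} for sources with >= threshold RDP failures inside `window`.

    A success from a source that is already over the threshold is recorded as
    well, because that is the credential-extraction point in the workflow.
    """
    events = sorted((parse_event(l) for l in text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    recent = defaultdict(deque)   # source -> failure timestamps still inside the window
    findings = {}
    for e in events:
        if e["logon_type"] != 10:  # only RemoteInteractive (RDP) logons
            continue
        q = recent[e["src"]]
        while q and e["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if e["id"] == 4625:
            q.append(e["ts"])
            if len(q) >= threshold:
                findings.setdefault(e["src"], {})["failures_in_window"] = len(q)
        elif e["id"] == 4624 and len(q) >= threshold:
            findings.setdefault(e["src"], {})["success_after_failures"] = e["user"]
    return findings


if __name__ == "__main__":
    for src, finding in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(src, finding)
```

The threshold and window are tuning knobs: the defaults catch the fast spray in the sample, while the two failures from 198.51.100.20 only surface if the window is widened to an hour and the threshold lowered, which is the trade-off between catching slow, low-and-slow guessing and paging on ordinary typos.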
Security Needs When Talking About Zero Day Attacks
● Protection against vulnerability exploitation
● Protection against execution of malicious code
● Visibility into the attack surface
● Segmentation of infrastructure (Zero Trust)
● Backup and recovery is essential
Preventing Ransomware with a Machine Learning Powered NGFW

Securing Your Transformed Enterprise (March 2021)
● STRATA (Secure the Enterprise): hybrid data center, Internet perimeter, branch & mobile, 5G & IoT
● PRISMA (Secure the Cloud): SaaS, public cloud, DevOps, SD-WAN, secure access
● CORTEX (Secure the Future): endpoint detection & response, automation & orchestration, network traffic & behavioral analytics, threat intelligence
● DATA LAKE

A Single Platform to Connect and Secure Everything
● Destinations: data center, public cloud, Internet, SaaS
● Centralized management; Unit 42 threat intelligence
● Services: intrusion prevention, malware analysis, cloud access security, secure web gateway, IoT security, data loss protection, SD-WAN & MPLS
● Form factors: cloud-delivered, virtual, containerized, physical
● Locations: branch, HQ, partner, mobile, IoT
Zero Trust Based Security Rules That Support Your Business
● Rule usage to guide policy optimization
● No need to specify ports
● Users, devices, applications, all security subscriptions
● One policy, one unified console

NGFW Features and Subscriptions (Cloud Delivered Security Subscriptions)
● Threat Prevention: prevent all known threats across all traffic in a single pass
● URL Filtering: prevent access to known and new malicious websites
● WildFire: ensures files are safe with automatic detection and prevention of unknown malware
● DNS Security: disrupts attacks that use DNS for command-and-control and data theft
● IoT Security: visibility and protection of IoT and OT devices
● Data Loss Prevention: consistent protection from sensitive data loss
● GlobalProtect: VPN service to extend NGFW capabilities everywhere
● SD-WAN: networking and security natively integrated
PAN-OS release labels on the slide: PAN-OS 8.1, 9.0, 9.1 and 10.0 (PAN-OS 10).
NGFW value keeps increasing through continuous innovation

Detect and Prevent New and Unknown Threats with WildFire
● Malware analysis techniques: machine learning, dynamic analysis, static analysis, bare metal analysis, dynamic unpacking, network traffic profiling, recursive analysis
● Unknowns submitted: web, Flash, scripts, archives, binaries, documents
● Protections produced: malware, URLs, DNS, C2; updated within seconds, globally; prevent patient zero with inline ML
● Sources: partner, network, endpoint, cloud, ecosystem
● Data collected from a vast global community; analysis techniques far beyond traditional sandboxing; automated protection against multiple attack variants
Slashing Our Industry-Leading Time for Distributed Protections (PAN-OS 10.0)
● Threat detected across the 35K+ WildFire installed base → signature created in seconds → content-based protection streamed → WildFire updated → all customers protected
● Before: industry-leading 5-minute signature generation/distribution time
● With PAN-OS 10.0: protection streams to the NGFW in single-digit seconds
Prevention of Unknown Threats Through Cloud Scale (PAN-OS 9.x)
● Cloud-delivered security services scale prevention: DNS Security, URL Filtering, WildFire, Data Lake
● Partner integrations and Cyber Threat Alliance shared intelligence allow the fastest distribution of protections
● Infinite scale | Trillions of samples analyzed | Fast, high fidelity updates
● File protections: 5 min; URL protections: 1 min; DNS protections: instant
● Industry-leading security subscriptions offer unknown threat protection within minutes or less

Prevention of Unknown Threats with Inline Machine Learning (PAN-OS 10)
● The same cloud-delivered services, plus WildFire Inline ML and URL Filtering Inline ML
● File protections: instant; URL protections: instant; DNS protections: instant
● Up to 95% of common file & web-based threats prevented inline
Current Trends with TLS
● 95% of internet traffic today is encrypted (2016 → 2020)
● Encrypted traffic is now the norm: 70% of malware campaigns in 2020 will use encryption to conceal malicious activity (Gartner)
● Weak protocols will not be supported: TLS 1.0 and TLS 1.1 can be deprecated anytime, and modern protocols (HTTP/2, TLS 1.3) are gaining popularity
● Obtaining certs is easier than ever: services like Let's Encrypt offer certificates for free
● Rapid move to secure web (HTTPS): major browsers mark non-HTTPS sites as "Not Secure"

Massive Risks Within Encrypted Traffic
● Encrypted traffic is now the norm, and attackers are taking advantage
● 95% of internet traffic today is encrypted (2016 → 2020)
● More than 70% of malware campaigns in 2020 will use some type of encryption to conceal malicious activity, says Gartner
Source: Encrypted Traffic (2016) | Encrypted Traffic (2020) | Encrypted Malware (Gartner)
Deploying Decryption Is Now Easier Than Ever with PAN-OS 10
● Mitigate security risks: control use of legacy TLS protocols, insecure ciphers & incorrectly configured certs
● Deploy decryption worry-free: easily deploy and maintain decryption using purpose-built troubleshooting & visibility
● Secure cloud apps quickly: secure traffic that uses protocols like TLS 1.3 and HTTP/2
Secure Encrypted Traffic Without Compromising Privacy
● Block (dangerous): self-signed certs, untrusted certs, expired certs
● Block (unsafe): unsafe TLS versions, weak cipher suites
● Decrypt and secure: all else
● Do not decrypt: healthcare, government, banking (governed by regulations)
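The three buckets above (block, decrypt, do not decrypt) are an ordered decision, and the order matters: the certificate and protocol checks need only the handshake, so they run before the regulatory exemption, and a regulated site presenting an expired or untrusted certificate is blocked rather than passed through uninspected. The Python below is an added example, not PAN-OS decryption-policy syntax or Palo Alto Networks code; the Session fields, the URL-category labels and the sample sessions are constructed assumptions that mirror the slide. One practical caveat: TLS 1.3 encrypts the server's Certificate message, so the certificate checks assume the inspecting device sits in the handshake as a forward proxy rather than passively observing it.

```python
"""Classify TLS sessions as block / decrypt / no-decrypt per the slide's policy.

Added example, not Palo Alto Networks code and not PAN-OS decryption-policy
syntax. The Session fields, the URL-category names and the sample sessions
are constructed assumptions that mirror the slide's three buckets.
"""
from dataclasses import dataclass

UNSAFE_TLS_VERSIONS = {"SSLv3", "TLSv1.0", "TLSv1.1"}
# Substrings that mark a cipher suite as weak in OpenSSL-style names.
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-", "NULL", "EXPORT", "MD5", "anon")
REGULATED_CATEGORIES = {"healthcare", "government", "banking"}   # constructed labels


@dataclass(frozen=True)
class Session:
    host: str
    tls_version: str
    cipher: str
    cert_self_signed: bool
    cert_trusted: bool      # chains to a CA the firewall trusts
    cert_expired: bool
    category: str           # URL category the firewall assigned (constructed)


def classify(s: Session):
    """Return (verdict, reason): block dangerous/unsafe, exempt regulated, decrypt the rest.

    Handshake-only checks come first so a regulated destination with a broken
    certificate or protocol is still blocked instead of being exempted.
    """
    if s.cert_self_signed:
        return "block", "self-signed certificate"
    if not s.cert_trusted:
        return "block", "untrusted certificate"
    if s.cert_expired:
        return "block", "expired certificate"
    if s.tls_version in UNSAFE_TLS_VERSIONS:
        return "block", f"unsafe TLS version {s.tls_version}"
    if any(marker in s.cipher for marker in WEAK_CIPHER_MARKERS):
        return "block", f"weak cipher suite {s.cipher}"
    if s.category in REGULATED_CATEGORIES:
        return "no-decrypt", f"{s.category} traffic is governed by regulation"
    return "decrypt", "all else is decrypted and inspected"


# Constructed sessions, one per branch of the policy.
SAMPLE_SESSIONS = [
    Session("intranet.example", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", True, False, False, "business"),
    Session("legacy.example", "TLSv1.0", "AES256-SHA", False, True, False, "business"),
    Session("old-cipher.example", "TLSv1.2", "ECDHE-RSA-DES-CBC3-SHA", False, True, False, "business"),
    Session("portal.hospital.example", "TLSv1.3", "TLS_AES_256_GCM_SHA384", False, True, False, "healthcare"),
    Session("bank.example", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", False, True, True, "banking"),
    Session("shop.example", "TLSv1.3", "TLS_AES_128_GCM_SHA256", False, True, False, "shopping"),
]


def classify_all(sessions):
    """Map each host to its verdict."""
    return {s.host: classify(s)[0] for s in sessions}


if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        verdict, reason = classify(s)
        print(f"{s.host:28} {verdict:10} {reason}")
```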
Return to Security: CORTEX XDR, Extended Detection and Response

Cortex Vision for Proactive Security
● Scope and protect your attack surface
● Prevent everything you can
● Everything you can't prevent, detect and investigate fast
● Automate response and get smarter with every incident

Our Approach: Breaking Down Data and Product Silos
● EPP: endpoint protection
● EDR: endpoint detection & response
● UBA: user behavior analytics
● NDR: network detection & response
● Prevention, detection and response across endpoint, network & cloud data
Cortex XDR Agent Protection (pre-execution, cloud, post-execution)
● Reconnaissance Protection: prevents vulnerability profiling used by exploit kits
● Technique-Based Exploit Prevention: blocks exploit techniques used to manipulate good applications
● Kernel Protection: protects against exploits targeting the kernel
● Threat Intelligence: prevents known threats with intel gathered from WildFire
● Malware Prevention, AI-Driven Local Analysis: prevents unknown threats
● Malware Prevention, WildFire Analysis: detects advanced unknown threats
● Malicious Process Protection: stops script-based threats
● Ransomware Protection: blocks ransomware
● Behavioral Threat Protection: stops attacks by analyzing chains of endpoint events
● Cross-platform protection (Windows, macOS, Linux); on- and offline protection; scheduled and on-demand scanning
WastedLocker Attack Lifecycle
Web browser → malicious JS from downloaded ZIP file → PowerShell → Cobalt Strike loader → Cobalt Strike beacon → system utilities → ransomware execution

Cortex XDR Stops WastedLocker at Every Step
Protections overlaid on the chain: Behavioral Threat Protection (at two stages), Threat Intelligence, Analytics: C2 Detection, BIOC: Lateral Movement, Ransomware Protection
Playbook: https://pan-unit42.github.io/playbook_viewer/?pb=wastedlocker-ransomware
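The first three stages of the lifecycle above form a process ancestry (browser → Windows script host → PowerShell) that endpoint telemetry can match without any signature for the payload, which is the "chains of endpoint events" idea behind behavioral detection. As an added example, not Cortex XDR code and not its BIOC rule syntax, the Python below walks a constructed process table and reports processes whose ancestry matches that pattern, while leaving alone a PowerShell launched by an administrator's logon script from explorer.exe. Image names, pids and command lines are constructed; the generic pattern matcher also accepts shorter or different ancestry patterns.

```python
"""Find browser -> script host -> PowerShell process chains in constructed endpoint telemetry.

Added example, not Cortex XDR code and not its BIOC rule syntax. The process
table, image names and command lines are constructed; the ancestry it matches
is the first three stages of the WastedLocker lifecycle on the slide (browser,
malicious JS from a downloaded ZIP, PowerShell).
"""
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Constructed sample: pid 400 is the suspicious chain; pid 600 is an admin
# logon script launching PowerShell from explorer.exe and must not match.
SAMPLE_PROCS = [
    Proc(100, 1, "explorer.exe", "explorer.exe"),
    Proc(200, 100, "chrome.exe", "chrome.exe"),
    Proc(300, 200, "wscript.exe", r'wscript.exe "C:\Users\alice\Downloads\invoice\update.js"'),
    Proc(400, 300, "powershell.exe", "powershell.exe -NoProfile -EncodedCommand BASE64PLACEHOLDER"),
    Proc(500, 100, "wscript.exe", r'wscript.exe "C:\Scripts\logon.js"'),
    Proc(600, 500, "powershell.exe", r"powershell.exe -File C:\Scripts\inventory.ps1"),
]


def ancestry(procs, pid):
    """Return the process and its ancestors, nearest first, stopping at an unknown parent or a cycle."""
    by_pid = {p.pid: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def matches_chain(chain, pattern):
    """True if the nearest len(pattern) processes fall, in order, into the given image-name sets."""
    if len(chain) < len(pattern):
        return False
    return all(p.image.lower() in names for p, names in zip(chain, pattern))


def detect_script_chain(procs, pattern=(POWERSHELL, SCRIPT_HOSTS, BROWSERS)):
    """Return pids whose ancestry matches `pattern` (self, parent, grandparent, ...)."""
    return [p.pid for p in procs if matches_chain(ancestry(procs, p.pid), pattern)]


if __name__ == "__main__":
    by_pid = {p.pid: p for p in SAMPLE_PROCS}
    for pid in detect_script_chain(SAMPLE_PROCS):
        print("suspicious chain ends in pid", pid, ":", by_pid[pid].cmdline)
```

Dropping the browser from the pattern shows why the grandparent matters: with only (PowerShell, script host) both pid 400 and the benign pid 600 match, so the extra ancestry level is what keeps the detection quiet on ordinary administration.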
Cortex XDR Data Sources for Detection
● Cortex Data Lake
● Network, endpoint, cloud and third-party data: Fortinet, Check Point, Cisco, Windows Events, OKTA, Azure AD, PingOne, GCP, AWS, LEEF, Filebeat, Kubernetes

Key Differentiator: Supercharge Investigation & Response
● Unified Incident Engine: intelligently group related alerts into one incident
● Automated Root Cause Analysis: reveal the root cause of attacks in one click
● Integrated Response: quick actions to contain attacks, isolate hosts or run custom forensics
Summary
● NGFW: prevent unknown threats faster with WildFire inline ML and SSL decryption
● Cortex XDR Agent: prevent advanced attacks and ransomware
● Cortex XDR Pro: speed up investigation and response by combining endpoint and network data

Thank You
Mikkel Bossen | Channel SE, May 2021