March 2015
91%: increase in targeted attacks in 2013
Launching zero-day attacks is more accessible and common
78%
71%: of breaches involve a targeted user device
Attack lifecycle, as the slide lays it out:
1. Gather intelligence: plan the attack.
2. Leverage exploit: silent infection.
3. Execute malware: malicious executable (malicious file) executed.
4. Control channel: malware communicates with attacker.
5. Steal data: data theft, sabotage, destruction.
Control categories: preventive controls; reactive controls (detection and remediation); network-layer security; cloud-based emulation.
225: average days to detect a targeted attack
84%: attacks discovered via a third party
Detection alone is not a strategy.
Individual attacks versus core techniques:
Exploits: 1,000s of individual attacks, each built from 2-4 core exploitation techniques.
Malware: 1,000,000s of individual samples, built from ~10s of core malware techniques.
Exploit attack (unprotected endpoint):
1. Exploit attempt contained in a PDF sent by a known entity.
2. PDF is opened and exploit techniques are set in motion to exploit a vulnerability in Acrobat Reader.
3. Exploit evades AV and drops a malware payload onto the target.
4. Malware evades AV and runs in memory.
Technique chain: normal application execution -> heap spray -> DEP circumvention -> utilizing OS function -> malicious activity begins. Gaps are vulnerabilities.
The same exploit attack with Traps Exploit Prevention Modules (EPM) in place: steps 1-4 are identical, but each technique in the chain (heap spray, DEP circumvention, utilizing OS function) meets an EPM hook, so the result is no malicious activity.
Real exploits mapped to their technique chains and the Traps modules that intercept them:
IE zero-day CVE-2013-3893; Adobe Reader CVE-2013-3346; Adobe Flash CVE-2015-0310/0311.
Techniques named on the slide, with the module that blocks each: heap spray (Heap Spray Check, Heap Spray Memory Limit); DEP circumvention (DEP Check); ROP (ROP Mitigation); utilizing OS function; DLL loading (DLL Security); UASLR; shellcode preallocation; JIT spray.
Prevention of One Technique in the Chain will Block the Entire Attack
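The chain above, with two of the checks the slides name (a heap spray check with a memory limit, and a DEP check on the target of a control transfer), as an added Python example. This is not Traps code and not from the deck: the memory snapshot, the rwx protections, the thresholds and the 16-byte stand-in for shellcode are all constructed and assumed, and the point it shows is the slide's own, that the first check to fire ends the attack so later stages never run.

```python
from dataclasses import dataclass


@dataclass
class Region:
    """A mapped memory region: base address, contents, and rwx protection."""
    base: int
    data: bytes
    prot: str


def sled_fraction(buf: bytes, stride: int = 64) -> float:
    """Fraction of sampled bytes equal to the most frequent sampled byte.
    A sprayed block is mostly one NOP-like byte (0x0c, 0x0d, 0x90) with a
    short shellcode tail, so the ratio approaches 1.0; real data stays low."""
    samples = buf[::stride]
    if not samples:
        return 0.0
    counts = {}
    for b in samples:
        counts[b] = counts.get(b, 0) + 1
    return max(counts.values()) / len(samples)


def heap_spray_check(regions, sled_ratio=0.9, spray_limit=4 * 1024 * 1024):
    """Heap spray check with a memory limit (both thresholds are assumptions):
    total up the writable regions that look like sleds; exceeding the limit
    flags a spray. Returns (suspected, sprayed_bytes)."""
    sprayed = sum(len(r.data) for r in regions
                  if "w" in r.prot and sled_fraction(r.data) >= sled_ratio)
    return sprayed >= spray_limit, sprayed


def dep_check(regions, target: int) -> bool:
    """DEP-style check: allow a control transfer only into an executable
    region. Unmapped or non-executable (heap, stack) targets are refused."""
    for r in regions:
        if r.base <= target < r.base + len(r.data):
            return "x" in r.prot
    return False


def first_blocked_stage(regions, target: int):
    """Walk the chain in the slide's order: heap spray, then DEP circumvention.
    The first check that fires ends the attack; later stages never run."""
    suspected, _ = heap_spray_check(regions)
    if suspected:
        return "heap spray"
    if not dep_check(regions, target):
        return "DEP circumvention"
    return None


def build_snapshot(sprayed: bool, blocks: int = 128, block_size: int = 64 * 1024):
    """Constructed snapshot: one r-x code region plus a heap of `blocks`
    rw- chunks. Benign chunks hold varied bytes; sprayed chunks are 0x0c
    sleds ending in a 16-byte stand-in for shellcode."""
    regions = [Region(0x00400000, bytes(4096), "r-x")]
    base = 0x0A000000
    for _ in range(blocks):
        if sprayed:
            data = b"\x0c" * (block_size - 16) + bytes(range(0xC0, 0xD0))
        else:
            data = bytes(range(256)) * (block_size // 256)
        regions.append(Region(base, data, "rw-"))
        base += block_size
    return regions


if __name__ == "__main__":
    for label, snap in (("benign", build_snapshot(False)), ("sprayed", build_snapshot(True))):
        print(label, heap_spray_check(snap), first_blocked_stage(snap, 0x0A000010))
```

The sampling stride keeps the check cheap on large heaps; the memory limit is what turns a single sled-like block (harmless) into a flagged spray (many megabytes of it), which is the distinction the slide's "Heap Spray Memory Limit" module is named for.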
Traps in action: infected document opened by an unsuspecting user -> Traps is seamlessly injected into processes -> forensic data is collected -> process is terminated -> user/admin is notified.
Advanced Execution Control: reduce the surface area of attack. Control execution scenarios based on file location, device, child processes, and unsigned executables. Local hash control allows for granular system hardening.
WildFire Inspection and Analysis.
Malware Techniques Mitigation: technique-based mitigation (example: thread injection).
Components: 20+ exploit prevention modules; local hash management; execution restrictions; WildFire integration; malware prevention modules.
Prevention flow, from delivery to verdict:
Delivery -> Exploitation Technique 1, 2, 3 (thread injection, utilization of OS functions, JIT, heap spray; covers memory corruption and logic flaws and blocks injection attempts) -> Execution Restriction 1, 2, 3 (child process, unsigned executable, restricted location) -> Local Verdict Check (admin pre-set verdicts) -> WildFire Verdict Check (WildFire known verdict) -> WildFire Inspection (on-demand inspection).
Traps components: Advanced Execution Control; Intelligence and Emulation; Exploit Protection; Malware Protection; Malicious Behavior Protection; Attack-Related Forensics.
Integrations: external logging platform; WildFire; forensic folder(s); ESM server(s).
Overview: forensics captures; integration configuration.
Footprint: 25 MB RAM; 0.1% CPU; no scanning.
Application coverage: automatically detect new processes; protect any application.
Benefits: prevent zero-day vulnerabilities and unknown malware; install patches on your own schedule; network and cloud integration; signature-less, no frequent updates; minimal performance impact; protect any application from exploits; save time and money.
Platform: Cloud (WildFire: automated analysis of unknown files, verdict queries); Network (natively integrated next-generation firewall, extensible); Endpoint (Traps Advanced Endpoint Protection; unknown files, query verdict).
Unknown files: of 2,353,523 malicious files submitted in the last quarter, 54% (1,277,482) have never been seen before by VirusTotal (unknown, VT), and 61% (1,437,808) are zero-day threats that will not be detected by leading enterprise antivirus products (undetectable, MS).
22 | 2015, Palo Alto Networks. Confidential and Proprietary.
Executable handling flow:
1. Restrictions and executable rules. Examples: is it a child process? Is it in a restricted folder or on a restricted device? If so, execution is stopped.
2. Malware technique prevention employed. Examples: thread injection? create-suspend? If so, execution is stopped and forensics are collected to the ESM.
3. Hash checked against WildFire: WildFire local cache -> server cache -> unknown -> file upload, with the verdict saved to the ESM server. Malicious: execution stopped. Benign: safe. Unknown: file uploaded for analysis. A changed hash is treated as a new unknown file. From the ESM console an admin can override or revoke a verdict.
Comparison with EMET. Rows: security components (Traps: anti-exploit, anti-malware, forensics, device control, WildFire integration; EMET: anti-exploit); anti-exploit effectiveness; application coverage; integration.