
Traps Advanced Endpoint Protection

March 2015

2014, Palo Alto Networks. Confidential and Proprietary.

Harsh Reality: We Are More at Risk than Ever

- 91% increase in targeted attacks in 2013
- 78% of exploit kits utilize vulnerabilities less than two years old
- 71% of breaches involve a targeted user device
- Launching zero-day attacks is more accessible and common
- Targeted attacks can only be solved on the endpoint
- Attackers are well funded and more sophisticated

Understanding the Threat: Exploit vs. Malicious Executable, What's the Difference?

Exploit
- Malformed data file that is processed by a legitimate application
- Takes advantage of a vulnerability in the legitimate application, which allows the attacker to run code
- Tricks the legitimate application into running the attacker's code
- Small payload

Malicious Executable
- Malicious code that arrives in executable file form
- Does not rely on any application vulnerability
- Is already executing code that aims to control the machine
- Large payload

A Typical Cyber Attack Life Cycle

1. Gather Intelligence: plan the attack
2. Leverage Exploit: silent infection
3. Execute Malware: malicious file executed
4. Control Channel: malware communicates with the attacker
5. Steal Data: data theft, sabotage, destruction

Preventive controls act on the early stages of the chain; reactive controls act on the later stages.

Prevention of an Attack at the Earliest Stage is Critical
Traps exploit and malware prevention blocks the attack before any malicious activity can initiate.

Advanced Endpoint Protection: Why?

Today's Harsh Reality

Traditional Detection
- Requires prior knowledge
- Scanning rather than activity-focused
- Can be reverse engineered

Detection and Remediation
- Malicious activity can disable detection
- Remediation takes a great effort
- Too much noise: detection is ignored

Network-Layer Security
- Can't see all content
- No visibility into endpoint infections
- Hard to block malicious activity on legitimate protocols

Cloud-Based Emulation
- Can't simulate all environments
- Threat emulation can be identified by the malware
- Can't enforce actions on the endpoint

225: average days to detect a targeted attack
84%: attacks discovered via a third party

Detection Alone is Not a Strategy

Advanced Endpoint Protection: The Right Way to Deal with Advanced Cyber Threats

- Prevent Exploits, including zero-day exploits
- Prevent Malicious Executables, including advanced and unknown malware
- Collect Attempted-Attack Forensics for further analysis
- Scalable, Lightweight, Full Coverage: apply protection to any application with minimal user impact
- Integrate with Network and Cloud Security for data exchange and cross-organization protection

Block the Core Techniques, Not the Individual Attacks

Number of new variants each year

Individual attacks
- Software vulnerability exploits: 1,000s (thousands of new vulnerabilities and exploits)
- Malware: 1,000,000s (millions of new malware variations)

Core techniques
- Exploitation techniques: 2-4 (only two to four new exploit techniques)
- Malware techniques: ~10s (tens of new malware sub-techniques)

Exploit Techniques and Traps Exploit Prevention Modules (EPM)

Exploit Attack
1. Exploit attempt contained in a PDF sent by a known entity.
2. PDF is opened and exploit techniques are set in motion to exploit a vulnerability in Acrobat Reader.
3. Exploit evades AV and drops a malware payload onto the target.
4. Malware evades AV and runs in memory.

Without Traps, normal application execution gives way to the technique chain (gaps are vulnerabilities):
  Heap Spray -> DEP Circumvention -> Utilizing OS Function -> Begin Malicious Activity
  (activate key logger, steal critical data, more)

Traps Exploit Prevention Modules (EPM)
1. Exploit attempt blocked at the first technique (heap spray). Traps requires no prior knowledge of the vulnerability; normal application execution continues and no malicious activity occurs.
2. If EPM #1 is turned off, the first technique will succeed but the next one (DEP circumvention) will be blocked, still preventing malicious activity.
Exploit Prevention Case Study: Unknown Exploits Utilize Known Techniques

Technique used by the exploit -> Traps module that breaks it

IE zero-day, CVE-2013-3893
  Heap Spray                   -> Memory Limit Heap Spray Check
  DEP Circumvention            -> UASLR
  ROP / Utilizing OS Function  -> ROP Mitigation / DLL Security

Adobe Reader, CVE-2013-3346
  Heap Spray                   -> Memory Limit Heap Spray Check, Shellcode Preallocation
  DEP Circumvention            -> UASLR
  Utilizing OS Function        -> DLL Security

Adobe Flash, CVE-2015-0310 / CVE-2015-0311
  JIT Spray                    -> JIT Mitigation
  ROP                          -> ROP Mitigation
  Utilizing OS Function        -> DLL Security

Prevention of One Technique in the Chain will Block the Entire Attack
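As an added illustration (not Traps code and not part of the deck) of what a technique-based check looks like, the Python below models two of the steps in the table: a memory-limit heap spray check (many large, identical, sled-like allocations) and a check for the DEP circumvention technique (the deck credits UASLR with breaking that step; the heuristic here, flagging a request that makes the thread's stack executable or whose return address lands inside the newly executable region, is a simplified stand-in). It then replays a constructed event stream and shows the slide's point that disabling the first module still leaves the chain blocked at the next one. All thresholds, the event format, the protection flag and the stack range are assumptions for the illustration.

```python
"""Toy technique-based exploit prevention: added example, not Traps code.

Thresholds, event format, protection flag and addresses are assumptions.
"""
import hashlib
from collections import Counter, defaultdict

SPRAY_MIN_BLOCK = 64 * 1024            # assumed: only blocks this large count toward a spray
SPRAY_MIN_REPEATS = 16                 # assumed: identical blocks before the check cares
SPRAY_MEMORY_LIMIT = 4 * 1024 * 1024   # assumed: identical-content bytes that trip the check
SLED_DOMINANT_RATIO = 0.90             # assumed: one byte value dominates a sled
PROT_EXEC = 0x4                        # hypothetical "executable" bit on a protection request


def looks_like_sled(block: bytes) -> bool:
    """True when a single byte value makes up most of the block (NOP sled, 0x0c padding)."""
    if not block:
        return False
    (_, count), = Counter(block).most_common(1)
    return count / len(block) >= SLED_DOMINANT_RATIO


class HeapSprayTracker:
    """Memory-limit heap spray check: track identical large allocations in one process."""

    def __init__(self):
        self._sizes = defaultdict(list)   # content digest -> sizes of identical blocks
        self._sled = {}                   # content digest -> looks_like_sled result

    def observe(self, block: bytes) -> bool:
        """Record one allocation; return True once the spray threshold is crossed."""
        if len(block) < SPRAY_MIN_BLOCK:
            return False
        digest = hashlib.sha256(block).digest()
        if digest not in self._sled:
            self._sled[digest] = looks_like_sled(block)
        sizes = self._sizes[digest]
        sizes.append(len(block))
        return (self._sled[digest]
                and len(sizes) >= SPRAY_MIN_REPEATS
                and sum(sizes) >= SPRAY_MEMORY_LIMIT)


def dep_circumvention_check(request, stack_range) -> bool:
    """request = (start, size, prot, return_addr) of a protection-change call.

    Flags the shape of a DEP bypass: the thread's own stack being made executable,
    or a ROP chain returning straight into the region it just made executable.
    """
    start, size, prot, return_addr = request
    end = start + size
    if not prot & PROT_EXEC:
        return False
    stack_lo, stack_hi = stack_range
    overlaps_stack = start < stack_hi and end > stack_lo
    returns_into_region = start <= return_addr < end
    return overlaps_stack or returns_into_region


def detect_techniques(events, stack_range):
    """Replay ("alloc", bytes) / ("protect", request) events; return techniques seen, in order."""
    tracker = HeapSprayTracker()
    seen = []
    for kind, payload in events:
        if kind == "alloc" and tracker.observe(payload) and "heap_spray" not in seen:
            seen.append("heap_spray")
        elif kind == "protect" and dep_circumvention_check(payload, stack_range):
            seen.append("dep_circumvention")
    return seen


def first_blocked(techniques, enabled_modules):
    """The attack dies at the first technique an enabled module covers, or not at all."""
    for technique in techniques:
        if technique in enabled_modules:
            return technique
    return None


STACK = (0x7FF0_0000, 0x7FF1_0000)   # assumed stack range of the attacked thread


def constructed_spray_attack():
    """Constructed sample: 64 x 64 KiB sled+shellcode blocks, then the stack made executable."""
    block = b"\x90" * (SPRAY_MIN_BLOCK - 32) + b"\xcc" * 32
    events = [("alloc", block)] * 64
    events.append(("protect", (0x7FF0_8000, 0x1000, PROT_EXEC, 0x7FF0_8010)))
    return events


def constructed_benign_session():
    """Constructed sample: varied small allocations, one large zeroed bitmap, a JIT region made executable."""
    events = [("alloc", i.to_bytes(4, "little") * 1024) for i in range(200)]
    events.append(("alloc", bytes(1024 * 1024)))
    events.append(("protect", (0x1000_0000, 0x10000, PROT_EXEC, 0x7700_1234)))
    return events


if __name__ == "__main__":
    chain = detect_techniques(constructed_spray_attack(), STACK)
    print("techniques seen:", chain)
    print("all EPMs on, blocked at:", first_blocked(chain, {"heap_spray", "dep_circumvention"}))
    print("heap spray EPM off, blocked at:", first_blocked(chain, {"dep_circumvention"}))
    print("benign session:", detect_techniques(constructed_benign_session(), STACK))
```

The benign session is there to show why the check needs all three conditions: a single 1 MiB zeroed bitmap is sled-like and large but not repeated, and a JIT engine legitimately makes a heap region executable without touching the stack. Real modules tune these thresholds per application, and a practitioner evaluating any such product should ask how they were tuned and what the false-positive rate is on the protected applications.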

Exploit Prevention User Experience

1. Infected document opened by an unsuspecting user.
2. Traps is seamlessly injected into the process.
3. The exploit technique is attempted and blocked by Traps before any malicious activity is initiated.
4. Forensic data is collected, the process is terminated, and the user/admin is notified.
5. Traps reports the event and collects detailed forensics.

When an Exploitation Attempt is Made, the Exploit Hits a Trap and Fails before Any Malicious Activity is Initiated

Preventing Malicious Executables on All Fronts

Advanced Execution Control
- Reduce the attack surface: control execution scenarios based on file location, device, child processes and unsigned executables.
- Local hash control allows for granular system hardening.

WildFire Inspection and Analysis
- Dynamic analysis with cloud-based threat intelligence.
- 61% of malicious files identified by WildFire are not detected by the top 6 enterprise AV products.

Malware Techniques Mitigation
- Prevent unknown malware with technique-based mitigation (example: thread injection).

The Most Comprehensive Approach to Endpoint Protection

- 20+ Exploit Prevention Modules
- Advanced Execution Control: local hash management and execution restrictions
- WildFire Integration
- Malware Prevention Modules

Example: Traps Kill-Points Through the Attack Life Cycle

Ten kill-points across four stages:

Exploitation (Traps Exploit Protection: memory corruption, logic flaws)
- Exploitation techniques 1-3: Heap Spray, Utilization of OS functions, JIT

Delivery (Advanced Execution Control)
- Execution restrictions 1-3: Child Process, Unsigned Executable, Restricted Location

Download and Execute (Traps Malware Protection: intelligence and emulation)
- Local Verdict Check: admin pre-set verdicts
- WildFire Verdict Check: WildFire known verdict
- WildFire Inspection: on-demand inspection

Malicious Behavior (Malicious Behavior Protection)
- Thread Injection: injection attempts blocked

Ongoing Forensics and Attack-Triggered Capture

Ongoing Recording: any file execution
- Time of execution
- File name
- File hash
- User name
- Computer name
- IP address
- OS version
- File's malicious history

Attack-Related Forensics: an exploit or malware hits a trap and triggers real-time prevention
- Time stamp and full memory dump
- Triggering file (non-executable)
- File source, names and paths, including parent, grandparent and child processes
- Prevented exploitation technique
- IP address
- OS version
- Version of the attacked vulnerable software
- Components loaded into memory under the attacked process
- Indications of further memory corruption activity
- User name and computer name
- Accessed URIs; Java applet source URIs
- Relevant DLL retrievals with their path
- Relevant files from temporary internet folders
- Traps Automated Dump Analysis: secondary analysis indicates the techniques detected

Endpoint Security Manager (ESM)

3-Tier Management Structure
- ESM Console
- Database
- ESM Servers (each supports 50,000 endpoints; scales horizontally)

Around the ESM Server(s): external logging platform, WildFire, forensic folder(s), and the endpoints running Traps.

All-in-One Management Center (ESM Console)
- Configuration management
- Logging and DB query
- Admin dashboard and security overview
- Forensics captures
- Integration configuration

Coverage and System Requirements

Supported Operating Systems

Workstations, physical and virtual
- Windows XP SP3
- Windows Vista SP2
- Windows 7
- Windows 8 / 8.1

Servers, physical and virtual
- Windows Server 2003 (+R2)
- Windows Server 2008 (+R2)
- Windows Server 2012 (+R2)

Footprint
- 25 MB RAM
- 0.1% CPU
- No scanning
- Default policy: 100+ processes

Application Coverage
- Automatically detect new processes
- Protect any application

Benefits

- Prevent zero-day vulnerabilities and unknown malware
- Install patches on your own schedule
- Network and cloud integration
- Signature-less: no frequent updates
- Minimal performance impact
- Protect any application from exploits
- Save time and money

The Value of an Integrated Platform

- Cloud: Threat Intelligence Cloud (WildFire), automated; unknown files are submitted and verdicts queried
- Network: Next-Generation Firewall, natively integrated
- Endpoint: Traps Advanced Endpoint Protection, extensible

The Value of WildFire on the Endpoint

  All unknown files submitted:   87,036,761
  Malicious:                      2,353,523
  Unknown (VT):                   1,277,482 (54%)
  Undetectable (MS):              1,437,808 (61%)

54% of the malicious files submitted in the last quarter had never been seen before by VirusTotal.
61% are zero-day threats and will not be detected by leading enterprise antivirus products.

The Right Way to Prevent Malicious Executables

1. User tries to open an executable file.
2. Restrictions and executable rules are evaluated first. Examples: is it a child process? Is it in a restricted folder or on a restricted device? A matching rule stops execution and forensics are collected.
3. The file hash is checked against WildFire, in order: the WildFire local cache on the endpoint, then the ESM server cache, then WildFire itself.
   - Malicious: execution stopped, forensics collected.
   - Benign: safe to run.
   - Unknown: the file is uploaded to WildFire for inspection and runs under malware technique prevention (examples: thread injection, create-suspended). A detected technique stops execution; otherwise the file is safe.
4. WildFire integration with the ESM Console: the admin can override or revoke a verdict, and the changed hash verdict is saved to the ESM Server.
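As an added example (not Traps or ESM code; the deck describes the flow but no implementation), the Python below models the decision order of this slide and of the Advanced Execution Control column under "Preventing Malicious Executables on All Fronts": execution restrictions first, then the hash verdict with precedence admin pre-set verdict > endpoint cache > ESM server cache > WildFire, with never-seen hashes queued for upload and allowed to run under technique prevention. Paths, policy values, file bytes and the stand-in WildFire lookup are constructed for the illustration.

```python
"""Execution-control and hash-verdict pipeline: added example, not Traps/ESM code.

Decision order modelled on the slide: execution restrictions first (no verdict needed),
then the hash verdict with precedence admin pre-set > endpoint cache > ESM server cache
> WildFire; never-seen hashes are queued for upload and run under technique prevention.
Paths, policy values, file bytes and the stand-in WildFire lookup are constructed.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

ALLOW, BLOCK = "allow", "block"
MALICIOUS, BENIGN, UNKNOWN = "malicious", "benign", "unknown"


@dataclass
class ExecRequest:
    path: str               # where the image lives
    content: bytes          # image bytes, hashed below
    parent_image: str       # process trying to start it
    signed: bool            # signature status as reported by the OS (assumed input)
    removable_device: bool  # image sits on removable media


@dataclass
class Policy:
    restricted_folders: Tuple[str, ...]   # no execution from these path prefixes
    restricted_parents: Tuple[str, ...]   # images that must never spawn executables
    block_unsigned: bool
    admin_verdicts: Dict[str, str] = field(default_factory=dict)  # sha256 hex -> verdict


@dataclass
class Decision:
    action: str
    reason: str
    verdict: str
    sha256: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_restrictions(req: ExecRequest, policy: Policy) -> Optional[str]:
    """Execution restrictions: cheap rules that need neither a verdict nor a cloud round-trip."""
    if req.parent_image.lower() in {p.lower() for p in policy.restricted_parents}:
        return "child process of a restricted parent"
    if any(req.path.lower().startswith(f.lower()) for f in policy.restricted_folders):
        return "image in a restricted folder"
    if req.removable_device:
        return "image on a restricted device"
    if policy.block_unsigned and not req.signed:
        return "unsigned executable"
    return None


class VerdictStore:
    """Hash verdicts: admin pre-set > local (endpoint) cache > ESM server cache > WildFire."""

    def __init__(self, policy: Policy, wildfire_lookup: Callable[[str], Optional[str]]):
        self.policy = policy
        self.local_cache: Dict[str, str] = {}
        self.server_cache: Dict[str, str] = {}
        self.upload_queue: List[str] = []   # unknown hashes awaiting WildFire inspection
        self.cloud_queries = 0
        self._wildfire_lookup = wildfire_lookup

    def verdict(self, h: str) -> str:
        if h in self.policy.admin_verdicts:      # an admin override or revoke wins
            return self.policy.admin_verdicts[h]
        for cache in (self.local_cache, self.server_cache):
            if h in cache:
                self.local_cache[h] = cache[h]   # pull server verdicts down to the endpoint
                return cache[h]
        self.cloud_queries += 1
        v = self._wildfire_lookup(h)
        if v is None:                            # never seen: queue for upload, do not cache
            if h not in self.upload_queue:
                self.upload_queue.append(h)
            return UNKNOWN
        self.local_cache[h] = self.server_cache[h] = v
        return v


def decide(req: ExecRequest, policy: Policy, store: VerdictStore) -> Decision:
    """Restrictions first; only executables that pass them cost a hash lookup."""
    h = sha256_hex(req.content)
    blocked_by = check_restrictions(req, policy)
    if blocked_by:
        return Decision(BLOCK, blocked_by, "not checked", h)
    v = store.verdict(h)
    if v == MALICIOUS:
        return Decision(BLOCK, "hash verdict malicious", v, h)
    if v == BENIGN:
        return Decision(ALLOW, "hash verdict benign", v, h)
    return Decision(ALLOW, "unknown file: runs under malware-technique prevention", v, h)


# Constructed sample files and a stand-in for the WildFire hash lookup.
TOOL = b"MZ constructed benign admin tool"
DROPPER = b"MZ constructed dropper"
NEVER_SEEN = b"MZ constructed never-seen-before binary"
CLOUD_VERDICTS = {sha256_hex(TOOL): BENIGN, sha256_hex(DROPPER): MALICIOUS}


def fake_wildfire(h: str) -> Optional[str]:
    return CLOUD_VERDICTS.get(h)


POLICY = Policy(restricted_folders=("C:\\Users\\alice\\AppData\\Local\\Temp\\",),
                restricted_parents=("winword.exe", "acrord32.exe"), block_unsigned=False)

if __name__ == "__main__":
    store = VerdictStore(POLICY, fake_wildfire)
    for req in (ExecRequest(r"C:\Users\alice\Downloads\tool.exe", TOOL, "explorer.exe", True, False),
                ExecRequest(r"C:\Users\alice\Downloads\invoice.exe", DROPPER, "acrord32.exe", False, False),
                ExecRequest(r"C:\Users\alice\Downloads\new.exe", NEVER_SEEN, "explorer.exe", False, False)):
        d = decide(req, POLICY, store)
        print(f"{req.path}: {d.action} ({d.reason})")
```

Two design points worth noticing: a restriction hit returns before any hash work, so a dropper spawned by the PDF reader is stopped without a WildFire query at all; and an unknown verdict is deliberately not cached, so the next execution of the same file asks again and picks up the verdict once inspection has finished.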

Traps vs. Microsoft EMET

Security components
  Traps: anti-exploit, anti-malware, forensics, device control, WildFire integration
  EMET: anti-exploit

Anti-exploit effectiveness
  Traps: more than 2x the number of protection modules; enhanced to prevent bypass
  EMET: some modules enforced only on processes compiled to work with it; enforcement method vulnerable to bypass

Centralized management, reporting, monitoring and policy configuration
  Traps: yes
  EMET: no

Self-protection mechanisms prevent end-user disabling
  Traps: yes
  EMET: no

Application coverage
  Traps: protects any application; automatic addition of new applications
  EMET: protects a small number of applications

Integration
  Traps: WildFire, SIEM, syslog, MS SQL
  EMET: not natively integrated
