Surprising Application-Threat Analysis from Palo Alto Networks

This past week, Palo Alto Networks released its H2/2012 Application Usage and Threat Report. Actually, it’s the first time Palo Alto has integrated Application Usage and Threat Analysis. Previous reports were focused only on Application Risk. This report analyzed 12.6 petabytes of data from 3,056 networks, covering 1,395 applications. 5,307 unique threats were identified from 268 million threat logs.

Here are the four most interesting items I noted:

1. Of the 1,395 applications found, 10 were responsible for 97% of all Exploit* logs. One of these was web-browsing. This is to be expected. However, the other nine were internal applications representing 82% of the Exploit* logs!!

This proves once again that perimeter traffic security monitoring is not adequate. Internal network segmentation and threat monitoring are required.

2. Custom or Unknown UDP traffic represented only 2% of all the bandwidth analyzed, yet it accounted for 55% of the Malware* logs!!

This clearly shows the importance of minimizing unidentified application traffic. Therefore the ratio of unidentified to identified traffic is a key security performance indicator and ought to trend down over time.

3. DNS traffic total bytes was only 0.4% of traffic but 25.4% of sessions, and was 3rd for Malware* logs at 13%.

No doubt most, if not all, of this represents malicious Command & Control traffic. If you are not actively monitoring and analyzing DNS traffic, you are missing a key method of detecting compromised devices in your network.

4. 85 of the 356 applications that use SSL never use port 443.

If your firewall is not monitoring all ports for all applications all of the time, you are simply not getting complete visibility and cannot re-establish a Positive Control Model.

*If you are not familiar with Palo Alto Networks’ Threat Protection function, “Exploit” and “Malware” are the two main categories of “Threat” logs. There is a table at the top of page 4 of this AUT report that summarizes the categories and sub-categories of the 268 million Threat Logs captured and analyzed. The “Exploit” logs refer to matches against vulnerability signatures which are typical of Intrusion Prevention Systems. The “Malware” logs are for Anti-Virus and Anti-Spyware signature matches.

What is not covered in this report is Palo Alto’s cloud-based, Wildfire zero-day analysis service which analyzes files not seen before to determine if they benign or malicious. If malicious behavior is found, signatures of the appropriate types are generated in less than one hour and update Threat Protection. In addition, the appropriate IP addresses and URLs are added to their respective blacklists.

This report is well worth reading.

 

 

 

Looking for Infected Systems as Part of a Security Assessment

Looking for Infected Systems as Part of a Security AssessmentLooking for Infected Systems as Part of a Security Assessment. Lenny Seltzer describes techniques for identifying signs of malware or compromise in an enterprise setting.

Lenny mentions Damballa’s consultant-friendly licensing option, Damballa Failsafe. We partner with Seculert, who provides a cloud-based service for detecting botnet infected devices in the enterprise.


 

Lenny Zeltser on Information Security — The Use of the Modern Social Web by Malicious Software

Lenny Zeltser on Information Security — The Use of the Modern Social Web by Malicious Software.

Lenny Zeltser posted his excellent presentation on The Use of Modern Social Web by Malicious Software.

However an increasing number of organizations are seeing real benefits to the top line by engaging in the social web. Therefore simply blocking it’s usage is no longer an option. The InfoSec team must respond to the business side by mitigating the security risks of using the modern social web.

 

Panda Security goes inside the web’s black market

Panda Security Goes Inside Web’s Black Market

PandaLabs released 44 page report called, The Cyber-Crime Black Market: Uncovered. If you are not familiar with the subject, this report is very good. Here are some highlights:

The exponential growth of malware

Five years ago, there were only 92,000 strains of malware cataloged throughout the company’s 15-year history. This figure rose
to 14 million by 2008 and 60 million by 2010, which gives a good indication of the rate of growth.

At this rate is it reasonable to rely on a signature-based approach to malware detection? No mention is made of 0-day malware. We like FireEye‘s behavioral approach to complement a signature-based approach to anti-malware.

The cyber-crime professions

Panda quotes the FBI’s list of ten different professions that make up the cyber-crime black market – Programmers, Distributors, Tech Experts, Hackers, Fraudsters, Hosted systems providers, Cashiers, Money mules, Tellers, and Organization Leaders. This division of labor should give you some idea of the maturity of the cyber-crime underground.

The process

Panda does a fairly good job of documenting the process although this section of the report could have been better organized.

The black market at-a-glance

This section show just how sophisticated the black market ecosystem is. Just like the markets we engage in every day, there are promotion, try & buy offers, discounts for volume purchases, multiple payment options, and post-sale support services.

What to do and what not to do

The report closes with some common sense advice as to what to do and what not to do to minimize your risk of cyber-fraud.

Facebook scam: Guy that lives on my street killed his girlfriend today

Facebook scam: Guy that lives in my street killed his girlfriend today.

Social Engineering creativity knows no bounds.

This one has been spreading for a couple of days, posing as a news story from one of your Facebook friends that someone who lives in their street has killed his girlfriend.

If you have been hit by scams like this on Facebook, and are struggling to clean-up your profile, here’s a YouTube video I made which describes what steps you need to take.

HIghlights from Sophos threat report

Highlights from Sophos threat report.

The recently released Sophos Threat Report claims that with more than 50 percent of companies allowing free and open access to social networking sites:

  • 67 percent of users were spammed on social networks – double from when the survey began in 2009 (33.4 percent)
  • 40 percent were sent malware
  • 43 percent were phished – more than double from when the survey began in 2009 (21 percent)

The answer is not totally blocking access to social network sites. People in marketing and sales need access, but they don’t need to be playing Farmville. Also totally blocking all aspects of social network sites might create a morale issue.

Anti-virus can play a role, but a defense-in-depth strategy is needed that includes Next Generation Firewalls.

HTML5 Tricks Hijack Browsers To Crack Passwords, Spew Spam – Andy Greenberg – The Firewall – Forbes

HTML5 Tricks Hijack Browsers To Crack Passwords, Spew Spam – Andy Greenberg – The Firewall – Forbes.

As usual, new technology spawns new threats. HTML5 will be no different.

HTML5 allows a website to run javascript processes that request data from another site, and to launch invisible scripts “in the background” on a user’s machine for long periods of time, says Kuppan. “With HTML4, after twenty seconds the browser would freeze,” he says.

And this:

Once the hacker has control of a user’s browser, it can be used to do all the same sorts of unpleasant things that botnets of malware-hijacked computers generally do: By repeatedly requesting data from another site–Kuppan says javascript can make around 10,000 requests a minute–it can overwhelm a target’s server and knock it offline. Or by creating and filling the sort of entry field typically used on corporate websites for leaving feedback, it can send mass emails to a list of addresses.

And this:

To keep users on a page longer while his scripts run, Kuppan suggests a trick that involves a clever form of “clickjacking.” Using javascript, an invisible link can be inserted wherever a user clicks on a page to open another tab with the desired destination. Since most users leave unused tabs unattended, a script can run on the original tab, potentially for hours, without the user’s knowledge.

We will need a tool which gives users better visibility into what’s going on their workstations and the ability to either automatically take actions against anomalous behavior or give users options to take actions.

Security alert: New Trojan Horse apps said to attack the Mac

Security alert: New Trojan Horse apps said to attack the Mac.

Some security mavens have long theorized that as the Mac becomes more popular, we’d start to see malware that would start targeting the platform. Sure enough, this morning’s crop of email blasts from PR firms included a few notices of trojans that are affecting Mac users.

Two Mac oriented security companies SecureMac and Intego are reporting attacks targeting Mac users. They both seem to be legitimate.

Stolen Digital Certificates Becoming Standard Malware Components | threatpost

Stolen Digital Certificates Becoming Standard Malware Components | threatpost.

One of the lesser known facts about Stuxnet is that it used two stolen digital certificates to bypass anti-malware systems.

“…many antimalware products and other security applications will whitelist binaries and files that are digitally signed. These components are simply trusted and passed along in most cases. The creators of Stuxnet obviously knew this and used it to their advantage. In the wake of the Stuxnet attack, security experts said that they expected other malware authors to follow the lead of Stuxnet and begin using digial signatures to evade security software, and that prediction is already being fulfilled.

Now that there is a new version of Zeus that’s digitally signed, it’s clear that digitally signed binaries can no longer be trusted. Will digital certificate black lists be added to anti-malware products?

Who’s Behind Stuxnet? The Americans? The Israelis? – Security Watch

Who’s Behind Stuxnet? The Americans? The Israelis? – Security Watch.

The security research community continues to marvel at the sophistication of Stuxnet. In fact, there is a growing body of opinion that Stuxnet must have been developed with government sponsorship. Since 58% of identified infections seem to have occurred in Iran, the two obvious countries attracting speculation are the United States and Israel.

Previously, I’ve written about Stuxnet on August 14September 15, and September 17.

Aside from the extremely precise targeted nature of Stuxnet, what is striking is that it took advantage of four different 0-day or unknown vulnerabilities.

If this is not a wake-up call for the need for specialized 0-day malware defenses, I don’t know what is.