
Cyber Defense Solutions

Cyvera TRAPS | Agent-based solution for MS Windows systems
Compatible with servers, desktops, virtual machines, terminal sessions, thin clients, Windows embedded systems
CMC | Cyvera Management Center for reports, policy enforcement and agent control
Internal + External (DMZ or cloud)
Method | Obstruct main vectors of targeted remote attacks rather than identify them
Software vulnerability exploits (including 0-days), memory-corruption-related techniques, logic-flow-related techniques,
user-weaknesses-related techniques and execution of undesired executables
Reflector | Post-prevention analysis center
Two-phase examination - "Exploit Stripping" to discover the exploitation flow, followed by attack emulation
2 | 2014, Palo Alto Networks, Inc. Confidential and Proprietary.
Why security solutions fail to identify
the unknown or tailored attacks
The Inherent Failure of Identification Approaches
Sensors can always get turned off
Malicious activity must be initiated
Reverse engineering enables evasion
Require prior knowledge
DEMO
Targeted Attacks Must Include
a Phase of Evasive Malware Injection
Execution of malicious executable files (by a persuaded end-user)
Games, add-ons, toolbars, anti-viruses, embedded exes
Utilizing [illegible] run by a persuaded end-user
Day-to-day working files (pdf, doc, ppt, xls, zip, jpg)
External Storage | Email Attachment | Web links
0 bugs is not feasible
Triggered bugs are actually "vulnerabilities"
Some vulnerabilities are exploitable
Any malware on top of any exploit
Persistence
A file carries a zero-day exploit that utilizes a vulnerability known only to the attacker:
bypasses security suites and hits even patched systems
A file carries a manipulated exploit that utilizes a vulnerability known to the world:
bypasses security suites and hits unpatched systems
EVENT NAME | WHEN | Method / Results
Night Dragon | 2010-Present | Exploitation | Global operation to control energy resources
Stuxnet | 2009-Present | Exploitation | Targeted operation to control nuclear centrifuges
Google (Operation Aurora) | 2009-2010 | Exploitation | Access to source code repositories of high-tech, security and defense contractor companies
RSA | 2011 | Exploitation | SecurID compromised (exposed 40 M clients to cyber risks)
23 DoD contractors | 2011 | Exploitation | Zero-day exploit in Adobe Reader; unknown damage (classified)
European Aerospace (Infector) | 2012 | Exploitation | Two significant zero-days in Internet Explorer and MS Office
NASA \ Nortel | 2012 | Exploitation | Persistent campaign - compromised both IP and physical assets
Watering-hole attacks | 2013 | Exploitation | Four significant zero-days used in high-profile state-sponsored campaigns
In most recent high-profile cases, the attack was initiated by exploiting a software vulnerability.
CYVERA SUCCESSFULLY STOPPED EVERY PUBLISHED WINDOWS-BASED ZERO-DAY SINCE MARCH 2012
Identification and Response
Obstruction and Deception
Targeted Remote Attack Prevention System
Cyvera's Concept
Obstruct the attack's core techniques, interrupt the attack's critical path, obviate the attacker's toolbox.
Preliminary research of exploitation structure
Research outcome: ~20 exploitation techniques contained alternatively in 99% of attacks
Development of exploit mitigation techniques utilizing HW and SW generic qualities to interrupt the attack flow, rather than identify it
Development of enforcement capabilities to cover all processes of the OS and 3rd-party software
Exploitation Core Techniques Evolution
(Chart: Vulnerabilities Growth | Exploits Growth (K) | Core Techniques Growth)
Example of an exploit critical path:
Buffer Overflow -> Heap Spray -> ROP Payload -> Shellcode Payload -> Post Exploitation
Prevention of one link in the chain = Entire attack blocked
Cyvera Core | Main Roles
Enforcement capabilities on all processes \ platforms
Designated proprietary injection methods
Software logic faults exploitation prevention
Memory corruption exploitation prevention
Real-time block/notify based on external indicators
Layer 1 | Anti-Exploitation - 19 designated modules (7 patents pending)
Layer 2 | Anti-Malware Execution - flexible infrastructure (2 patents pending)
Embedded exe files and other restricted executables
Restricted execution from specific folders or network shares
Restricted execution from specific devices
Folder creation\access, registry key access, hashes, file name, location, file attributes (hidden, not signed, archived, etc.)
Prevention Types (flow-based)
Stage I - Preparation: Heap-spray method A, Heap-spray method B, JIT Spray, ...
Stage II - Triggering: Use After Free, Heap Corruption, DLL Hijacking, ...
Stage III - Exploitation: ROP, Stack Pivoting, Execution from Hack, ...
Stage IV - Post-Exploitation: Utilizing OS Functions, Sandbox Escaping, Execution from Hack, ...
Stage V (or stage 0) - Malicious activity: Files Dropping, Files Execution, Rootkit deployment, ...
Exploitation Core Techniques (not exhaustive)
Memory-Corruption-Related Mitigations
ROP
Stack Pivoting
Execution from the stack/heap
Heap-sprays
Null-pointer dereference
SEH-handler overwrite
Heap-corruption
Logic-Flows-Related Mitigations
Connection to OS functions
Use-after-free implementations
Double-free implementations
Sandbox escaping (mainly Java, but adaptable to others)
Windows logic vulnerabilities (e.g., LNK)
Windows kernel vulnerabilities (e.g., fonts)
DLL Hijacking
Embedded executables (e.g., in ppt, doc, pdf)
Macros that lead to execution
User-Interaction that involves executables
Restricted folders and internet sources
Restricted device (deep device control)
Attributes: hidden and\or recently written and\or un-signed
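The Layer 2 restrictions listed above (restricted folders and network shares, restricted devices, embedded executables, and the hidden / recently-written / unsigned file attributes) amount to a policy evaluated for every execution attempt. The Python sketch below is an added illustration of such a rule set and is not Cyvera's code; the path markers, the 24-hour "recently written" window, the block/notify thresholds and the sample events are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional
# Illustrative policy values (assumptions, not Cyvera's shipped configuration).
RESTRICTED_PATH_MARKERS = ("\\temp\\", "\\downloads\\", "\\appdata\\local\\")
RESTRICTED_DEVICE_TYPES = {"removable", "optical"}
RECENTLY_WRITTEN = timedelta(hours=24)
@dataclass
class ExecRequest:  # what the agent knows about a file at the moment it is about to run
    path: str
    device_type: str                   # "fixed", "removable", "optical", "network"
    hidden: bool
    signed: bool
    written_at: datetime
    embedded_in: Optional[str] = None  # container it was extracted from, e.g. "pdf"
def triggered_rules(req: ExecRequest, now: datetime) -> List[str]:
    """Names of the restriction rules that match this execution request."""
    p = req.path.lower()
    hits = []
    if p.startswith("\\\\") or req.device_type == "network":
        hits.append("network-share")                   # restricted network shares
    if any(m in p for m in RESTRICTED_PATH_MARKERS):
        hits.append("restricted-folder")               # restricted folders
    if req.device_type in RESTRICTED_DEVICE_TYPES:
        hits.append("restricted-device")               # deep device control
    if req.embedded_in:
        hits.append("embedded-in-" + req.embedded_in)  # exe dropped out of a document
    if req.hidden:                                     # attribute indicators follow
        hits.append("attr-hidden")
    if now - req.written_at <= RECENTLY_WRITTEN:
        hits.append("attr-recently-written")
    if not req.signed:
        hits.append("attr-unsigned")
    return hits
def decide(req: ExecRequest, now: datetime) -> str:
    """Block on any location/device/embedding rule or 2+ attribute hits; notify on one attribute hit; else allow."""
    hits = triggered_rules(req, now)
    attrs = [h for h in hits if h.startswith("attr-")]
    if len(hits) > len(attrs) or len(attrs) >= 2:
        return "block"
    return "notify" if attrs else "allow"
NOW = datetime(2014, 3, 1, 12, 0)  # constructed reference time
SAMPLES = [  # constructed execution events, not real telemetry
    ExecRequest(r"C:\Program Files\Vendor\app.exe", "fixed", False, True, NOW - timedelta(days=30)),
    ExecRequest(r"C:\Users\alice\Documents\tool.exe", "fixed", False, False, NOW - timedelta(days=3)),
    ExecRequest(r"\\fileserver\public\update.exe", "network", False, False, NOW - timedelta(hours=1)),
    ExecRequest(r"E:\setup.exe", "removable", True, False, NOW - timedelta(hours=2)),
    ExecRequest(r"C:\Users\alice\AppData\Local\Temp\inv.exe", "fixed", False, False, NOW, embedded_in="pdf"),
]
```

Running `decide(s, NOW)` over `SAMPLES` yields allow, notify, block, block, block; the signed vendor binary passes, the unsigned tool in Documents only raises a notification, and the share, removable-media and document-dropped executables are blocked.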
In-Organization Architecture
Hybrid Prevention (Centralized + End-point-based)
Virtual Machines | Desktops \ servers | Terminals | Tablets \ Smartphones
Cyvera Management Center
Cyvera Cloud monitoring services
SIEM / SOC / Syslog
Cyvera Reflector (Stripping + analysis)
TRAPS agent (Windows Desktops and Servers)
Cyvera Management Center
Cloud Management and Post-prevention analysis
Cyvera Reflector for Post-prevention analysis
-> Cyvera TRAPS enhancement
-> Other Operating Systems & mobile & integration
2014
Security updates implementation can be safely postponed for both desktops and servers
No need for definitions and signatures updates (apart from a few updates a year)
Response to identification and disaster recovery is mitigated, IT overhead is saved
An efficient alternative to mitigate "Administration privileges" threats
Free of access - not intrusive, very permissive in terms of users' allowed actions
Keeps your sensitive data assets and manufacturing infrastructure secured even from the most innovative attacks and saves direct financial damages and reputation-related damages
Generic solution that protects all processes, does not require complicated configuration
Requires less than 0.1% CPU resources at process runtime
Compatible with all Windows-based platforms, including terminals, VDIs and VMs.
Thanks.

See more : www.cyvera.com

Contact us : info@cyvera.com