
Traps – latest release

Peter Lechman, Jakub Jiricek


Belgrade, 13.3.2018
Attackers need to control the endpoint

Attackers' objectives require leveraging the endpoint:
- Exploit software vulnerabilities
- Execute malware
- Rapidly change & morph malware
- Targeted malware
- File-less attacks
- Macros, scripts, etc.
Traps - Best of breed endpoint security

- Provides prevention capabilities that cover all stages of the attack life cycle
- Protects against unknown malware and zero-day exploits
- Contains the impact quickly and automatically when something is missed
- Minimizes operational overhead, for users and administrators
Other solutions optimize for only one aspect…

- Signature-based solutions can't prevent unseen malware
- Machine learning solutions cannot detect targeted malware
- Most solutions have minimal, if any, exploit prevention capabilities
- Detection causes event and IR overload
Traps prevents both simple and advanced malware

(Diagram: the attacker techniques from the earlier slide - malware, exploit software vulnerabilities, morphing, file-less attack, targeted, macros/scripts - mapped against the following capabilities.)

- Reduces the attack surface: policy controls, execution and child process restrictions
- Prevents known malware: WildFire threat intelligence
- Prevents unknown malware: local analysis via machine learning, ransomware behavior
- Detects advanced threats: WildFire inspection & analysis, automated response
And prevents exploitation of even zero-day vulnerabilities

(Diagram: the same attacker techniques mapped against the following exploit prevention modules.)

- Reconnaissance prevention: fingerprinting prevention
- Memory corruption prevention: JIT mitigation, brute force prevention
- Code execution prevention: ROP mitigation, DLL security
- Kernel protection: privilege escalation protection, APC protection
Traps in "real life" – The NotPetya Attack

Initial victim:
- Compromised software (included a malicious DLL), OR
- Exploit MS Office (CVE-2017-0199)
- Drop NotPetya payload

Attempt to spread:
- Spread via SMB exploit using CVE-2017-0144/0145; DoublePulsar used to inject the payload
- Spread via credential theft using Mimikatz

- Encrypt files
- Encrypt MBR
NotPetya - Prevention Opportunities with Traps

Initial victim:
- Compromised software (included a malicious DLL), OR -> DLL Malware Prevention
- Exploit MS Office (CVE-2017-0199) -> Child Process Protection
- Drop NotPetya payload -> WildFire-based Prevention, Local Analysis

Attempt to spread:
- Spread via SMB exploit using CVE-2017-0144/0145; DoublePulsar used to inject the payload -> Kernel APC Protection, DLL Malware Prevention
- Spread via credential theft using Mimikatz -> DLL Malware Prevention, Child Process Protection

- Encrypt files -> Ransomware Prevention
- Encrypt MBR
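A defender-side illustration of the "Child Process Protection" mapping above (the Exploit MS Office stage), added here as an example and not code from Palo Alto Networks or the Traps product: a minimal policy check that flags Office applications spawning command interpreters or script hosts. The parent/child process lists and the process-creation records are assumptions constructed for the example.

```python
# Added example (not from the slide deck): a minimal "child process
# protection" check in the spirit of the NotPetya prevention mapping.
# Office applications rarely need to launch interpreters or script hosts;
# document exploits and macro droppers typically do, so a policy that
# blocks such parent/child pairs cuts that stage of the chain.
# All process names and event records below are constructed sample data.
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children an Office document normally has no business launching (assumed list).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe",
                       "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}


@dataclass(frozen=True)
class ProcEvent:
    parent: str    # full image path of the parent process
    child: str     # full image path of the created process
    cmdline: str   # command line of the child


def _base(path: str) -> str:
    """Normalize a Windows or POSIX path to a lower-case image name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_office_child_violation(ev: ProcEvent) -> bool:
    """True when an Office process spawns an interpreter or script host."""
    return _base(ev.parent) in OFFICE_PARENTS and _base(ev.child) in SUSPICIOUS_CHILDREN


def evaluate(events):
    """Return the events a child-process policy would block."""
    return [ev for ev in events if is_office_child_violation(ev)]


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    ProcEvent(r"C:\Program Files\Microsoft Office\WINWORD.EXE",
              r"C:\Windows\System32\mshta.exe", "mshta.exe C:\\Users\\Public\\doc.hta"),
    ProcEvent(r"C:\Program Files\Microsoft Office\WINWORD.EXE",
              r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),  # benign print helper
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    ProcEvent(r"C:\Program Files\Microsoft Office\EXCEL.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc PLACEHOLDER"),
]

if __name__ == "__main__":
    for ev in evaluate(SAMPLE_EVENTS):
        print(f"BLOCK {_base(ev.parent)} -> {_base(ev.child)}: {ev.cmdline}")
```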
Ask not (only) what the Platform can do for Traps…

- Traps acts as an additional enforcement point, on the endpoint, preventing malicious files that the firewall cannot identify from executing
- By uploading never-seen-before files to WildFire, Traps allows creating signatures that will enhance prevention capabilities, even during an attack
So what's next…
Traps 5.0 (Hogwarts Release)

- New cloud management service
  - Eliminates operational overhead
  - Provides a scalable service, accommodating millions of endpoints
  - Redesigned user interface for more intuitive experience
- Ability to now protect Linux servers, in addition to MacOS and Windows
- Directly built into the Application Framework, storing all data in the logging service

(Diagram: Application Framework - Palo Alto Networks apps, 3rd party partner apps and customer apps on top of the Logging Service and Threat Intel Data; data sources: public cloud, data center / private cloud, Internet gateway, mobile users, mobile networks, SaaS, endpoints; addition of endpoint activity from Traps.)
Data collection

- Full recording of all launched executables, macro-enabled Word and Excel documents and DLLs loaded into sensitive processes
- Recording of executables, DLLs, macro-enabled Word and Excel files at rest via scanning feature
- Storage of all data in Logging Service alongside network activity
Detection capabilities

- Detection of evasive malware via WildFire with post-detection alerts in Traps
- Data will be available to other applications, such as Magnifier, via the application framework, providing the foundation for significant new detection and response capabilities
To Summarize…

- Traps provides unmatched, advanced prevention capability on the endpoint, including the ability to prevent attacks never seen before
- Traps now acts as the endpoint sensor for the Application Framework, collecting endpoint information to the Logging Service, alongside network and cloud data
- The Application Framework can now provide the foundation for new detection, investigation and response capabilities

THANK YOU

Email: plechman@paloaltonetworks.com, jjiricek@paloaltonetworks.com
Twitter: @PaloAltoNtwks
