Sun Tzu Series #7 of 10. “In Ancient Times Those Known….” Palo Alto Networks-New Champion in the Malware Wars.
As the famous military strategist Sun Tzu said in his Art of War written 2,400 years ago: “In ancient times those known as good warriors prevailed when it was easy to prevail.” Fifteen years ago it was easy for a good programmer to build a good firewall. It is no longer easy to prevail in the malware wars. Malware has become a profitable business.
On Monday, June 4, 2012, as a guest of Bank Leumi USA, I attended the Cyber Defense Symposium in Santa Clara. Having just finished cleaning up two (2) separate malware attacks on my website and blog, I was very interested in the current state of cyber defense.
The most innovative and engaging presentation was by Nir Zuk, the Founder and CTO of Palo Alto Networks. His talk was on Modern Malware: The Evolving Threat Landscape.
Nir Zuk’s Background. Previously, Nir was CTO at NetScreen Technologies (acquired by Juniper Networks), Co-Founder & CTO at OneSecure, and principal engineer at Check Point Software Technologies.
His Radical Concept. The traditional firewall is obsolete. Its sole purpose is to keep a network secure by analyzing the data packets in the incoming and outgoing network traffic and determining whether the packets should be allowed through or not based on a predetermined set of rules. The old firewalls (most of the ones in use currently) identify the traffic by the port number or the IP address, but popular ports, #80 and #443 for example, are no longer traffic specific. You are going to need new hardware and new software. Nir’s new firewall identifies the user, identifies the application and figures out what the user is doing with the application based on the application content, because every document coming into an organization can be an attack. Nir’s firewall scans every document coming into an organization based on content (specifically, it looks for credit card numbers, social security numbers or other financial data) and automatically generates multiple signatures which can be delivered within an hour.
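To make the content-inspection idea concrete, here is an added example (my own illustration, not Palo Alto Networks’ code or anything shown in Nir’s talk) of the kind of check such a firewall would run over a document: it looks for credit card numbers and validates them with the Luhn checksum so that random digit runs are not flagged, and it looks for social security number patterns. The sample documents are constructed for the demo; the regular expressions and the masking format are my assumptions about how a practitioner would report a hit without echoing the sensitive value.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample "documents" for the demo; none of these are real data.
SAMPLE_DOCS: Dict[str, str] = {
    "invoice.txt": "Please charge card 4111 1111 1111 1111, thanks.",
    "hr_memo.txt": "Employee SSN on file: 123-45-6789.",
    "newsletter.txt": "Our next meeting is on June 4, 2012 at 9:00.",
    "fake_card.txt": "Order ref 4111-1111-1111-1112 (fails Luhn).",
}

# 13 to 19 digits, optionally separated by spaces or dashes (assumed pattern).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# US SSN shape AAA-GG-SSSS, excluding the area/group/serial values never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so a finding can be logged safely."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_document(text: str) -> List[Tuple[str, str]]:
    """Return (category, masked_value) findings for one document's text."""
    findings: List[Tuple[str, str]] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # Luhn validation removes most false positives from long digit runs.
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("credit_card", mask(digits)))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", "***-**-" + m.group()[-4:]))
    return findings


def scan_documents(docs: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Scan every document and return only those with sensitive content."""
    results = {name: scan_document(text) for name, text in docs.items()}
    return {name: hits for name, hits in results.items() if hits}


if __name__ == "__main__":
    for name, hits in scan_documents(SAMPLE_DOCS).items():
        print(f"{name}: {hits}")
```

Running the block flags `invoice.txt` and `hr_memo.txt` and leaves the newsletter and the Luhn-invalid number alone; a production inspection engine would also have to unpack PDFs and archives before the text reaches a check like this.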
Anatomy of a Modern Attack according to Nir. The attacker attacks by taking over the end-user’s machine by following five (5) steps:
- bait an end user using a PDF file which may arrive by Skype or some other trusted source (note the malware does not arrive in an email)
- exploit a vulnerability (put the attack in a PDF document of interest to the end user and send it from a trusted source)
- download a backdoor (the enemy code is very small and its sole purpose is to create a backdoor)
- establish a back channel
- the enemy can now enter at will and explore and steal