Malware’s typical network behaviour makes it easier to spot: Palo Alto


The hardest part of maintaining a security defence is figuring out the things we don’t know – but by monitoring all network traffic and making analytics tools easier to get at, it’s easier than ever to ferret out new malware and re-seal perimeters that mobile devices have opened up, a Palo Alto Networks analyst has advised.

While the security solutions market has been flooded with new options for identifying and dealing with malware, “you need to be able to feed it into something that’s actionable, and is going to help the business and actually give you some protection,” Williamson told CSO Australia after his presentation at the AusCERT 2013 security conference.

“Many people have relied on basic firewall rules that said ‘I’m going to open this port, and presumably the things that are supposed to come through that port come in’,” he explained. “But most people – and firewalls – didn’t really understand what they were looking at.”

Palo Alto Networks has positioned its next-generation firewall (NGFW), together with its WildFire malware-analysis service, to address this by providing what Williamson calls a “classify everything” view of all traffic entering and leaving the network. Classifying traffic by the application actually in use, rather than by port alone, lets an organisation establish a baseline of normal behaviour against which malware-driven anomalies stand out when they later arise.

Such anomalies aren’t as hard to spot as many companies may think, given the right view of actual network traffic. A recent Palo Alto Networks analysis of more than 26,000 malware samples that had slipped past antivirus found that 97% of the malware delivered over FTP arrived on non-standard FTP ports, 237 different ports in all. Ten percent of the malware delivered via web browsing arrived on 90 different non-standard web ports.

Analysis of 839 different pieces of malware and 204 million logs also found that 55% of the malware used custom UDP (User Datagram Protocol) traffic to communicate with command-and-control (C&C) servers. Unknown UDP is a small haystack: when a scan of network activity shows that only 1.5% of traffic consists of unknown UDP packets, Williamson said, it is not hard to work out where those packets are coming from.

Other common signature behaviours of malware include visiting a domain that is not registered (24.38% of cases), sending email (20.46%), contacting an IP address whose geolocated country differs from the one implied by the host’s top-level domain (6.92%), downloading a file whose extension does not match its actual content type (4.53%), visiting a recently registered domain (1.87%), and more.

An HTTP POST, seen in 12.38% of malware infections, is another telltale sign, even though cloud-based applications also use POST heavily. The difference lies in the destinations: a cloud application POSTs to the same small set of legitimate domains day after day, whereas malware that rotates its infrastructure will POST to a stream of newly seen domains.

“You’re not going to have an unknown domain that is a reputable Web app,” Williamson says. “You can always create an exception if you need to, but you can also set a rule that says ‘if I see an HTTP post to new domains, that is something worth investigating’. It’s all about being able to pull all of these things together and saying ‘in the context of all of these things, does this make sense or not?’”
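The heuristics described above (an application on a port it does not belong on, the share of unknown UDP, an executable arriving under a benign file extension, HTTP POSTs to domains outside the organisation’s baseline, and a single host rotating through many such domains) can all be evaluated from exported firewall or proxy logs. The Python below is an added example written for this article, not Palo Alto Networks code: the record layout, the sample log records, the baseline domain list and the thresholds are constructed assumptions. Checks that need outside data, such as domain registration age or GeoIP country versus top-level domain, are left out.

```python
"""Malware-like egress behaviour flagged from firewall/proxy logs.

Added example, not Palo Alto Networks code. The record layout, sample data,
baseline domain list and thresholds are assumptions made for illustration.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Ports the named application is expected on; anything else is suspect.
STANDARD_PORTS = {"ftp": {20, 21}, "web-browsing": {80, 443, 8080}}

# An executable served under one of these extensions is the "incorrect
# file extension" signal from the article.
EXECUTABLE_TYPES = {"application/x-dosexec", "application/x-msdownload",
                    "application/x-executable"}
BENIGN_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# Domains seen during a clean baseline period (constructed).
BASELINE_DOMAINS = {"mail.example.com", "crm.example-saas.com", "cdn.example.net"}

# Constructed records, one per flow or HTTP transaction, as an
# application-aware firewall might export them. 10.0.0.7 is the infected host.
LOGS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 21, "proto": "tcp", "app": "ftp"},
    {"src": "10.0.0.7", "dst": "203.0.113.44", "dport": 7777, "proto": "tcp", "app": "ftp"},
    {"src": "10.0.0.7", "dst": "198.51.100.9", "dport": 8888, "proto": "tcp", "app": "web-browsing",
     "method": "GET", "url": "http://198.51.100.9:8888/update.jpg",
     "content_type": "application/x-dosexec"},
    {"src": "10.0.0.5", "dst": "203.0.113.20", "dport": 443, "proto": "tcp", "app": "web-browsing",
     "method": "POST", "url": "https://crm.example-saas.com/api/save",
     "content_type": "application/json"},
    {"src": "10.0.0.7", "dst": "203.0.113.77", "dport": 80, "proto": "tcp", "app": "web-browsing",
     "method": "POST", "url": "http://a3f9k.example.org/gate.php", "content_type": "text/html"},
    {"src": "10.0.0.7", "dst": "203.0.113.78", "dport": 80, "proto": "tcp", "app": "web-browsing",
     "method": "POST", "url": "http://q8z2m.example.org/gate.php", "content_type": "text/html"},
    {"src": "10.0.0.7", "dst": "203.0.113.79", "dport": 80, "proto": "tcp", "app": "web-browsing",
     "method": "POST", "url": "http://w1x7c.example.org/gate.php", "content_type": "text/html"},
    {"src": "10.0.0.7", "dst": "203.0.113.90", "dport": 53211, "proto": "udp", "app": "unknown-udp"},
    {"src": "10.0.0.5", "dst": "203.0.113.5", "dport": 53, "proto": "udp", "app": "dns"},
    {"src": "10.0.0.5", "dst": "203.0.113.20", "dport": 443, "proto": "tcp", "app": "web-browsing",
     "method": "GET", "url": "https://cdn.example.net/logo.png", "content_type": "image/png"},
]


def domain_of(url):
    return (urlsplit(url).hostname or "").lower()


def extension_of(url):
    last = urlsplit(url).path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[-1].lower() if "." in last else ""


def analyse(logs, baseline=BASELINE_DOMAINS, new_domain_threshold=3):
    """Return (findings, stats). Each finding is (kind, source_host, detail)."""
    findings = []
    unknown_udp = 0
    new_post_domains = defaultdict(set)   # per host: POST targets not in baseline
    for rec in logs:
        app, port, src = rec["app"], rec["dport"], rec["src"]
        expected = STANDARD_PORTS.get(app)
        if expected and port not in expected:
            findings.append(("nonstandard-port", src, f"{app} on {port}"))
        if rec["proto"] == "udp" and app == "unknown-udp":
            unknown_udp += 1
        url = rec.get("url")
        if not url:
            continue
        domain, ext = domain_of(url), extension_of(url)
        if ext in BENIGN_EXTENSIONS and rec.get("content_type") in EXECUTABLE_TYPES:
            findings.append(("extension-mismatch", src, f"{ext} file is {rec['content_type']}"))
        if rec.get("method") == "POST" and domain not in baseline:
            findings.append(("post-to-new-domain", src, domain))
            new_post_domains[src].add(domain)
    # A cloud app POSTs to the same domain repeatedly; malware rotates targets.
    for src, domains in new_post_domains.items():
        if len(domains) >= new_domain_threshold:
            findings.append(("rotating-domains", src, f"{len(domains)} unseen POST targets"))
    share = unknown_udp / len(logs) if logs else 0.0
    return findings, {"unknown_udp_share": share}


if __name__ == "__main__":
    found, stats = analyse(LOGS)
    for kind, src, detail in found:
        print(f"{kind:20} {src:10} {detail}")
    print(f"unknown UDP share: {stats['unknown_udp_share']:.1%}")
```

Run against the constructed records, the baseline host 10.0.0.5 produces no findings even though it POSTs to a cloud application, while 10.0.0.7 is flagged for FTP on port 7777, web browsing on 8888, an executable served as update.jpg, three POSTs to domains outside the baseline and, in aggregate, rotating-domain behaviour. In practice the baseline set would be learned from a clean observation period rather than hand-written, and the thresholds tuned to the environment.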
Better control

Picking out such changes can help a company pinpoint the source of infection, and increase its confidence that threats are being spotted and dealt with no matter what their attack vector.

This confidence, says Palo Alto Networks’ ANZ country manager Armando Dacal, often translates into a better business-IT alignment because the security team can ensure the business will be protected through highly-granular control over applications and user behaviour.

Such control will pave the way for higher business and IT confidence around the influx of smartphones and tablets as companies, many grudgingly, give in to the realities of bring your own device (BYOD) policies. BYOD adoption is flooding many organisations with devices that are usually unmanaged, can easily be infected while off the corporate network, and then carry the infection inside, bypassing the controls applied at the perimeter.

“Most organisations have really strong security around the physical perimeter, but for mobile devices they have something that is much less,” Williamson says. “If an enterprise isn’t going to own the phone and things are connecting into the environment, the only thing they can control is the traffic. You can at least say that ‘this is my traffic’ and it’s going to have the same levels of quality and security applied at every step.”

In many cases, that knowledge is paving the way for far more productive relationships between the risk-sensitive IT department and the functionally-focused executive.

“The IT department has gotten very good over the last few years at saying ‘no’,” Dacal explains. “But users wanted to leverage the power in the devices – and now IT can have a discussion with the business around which users should have access to which applications, and how it can be done safely.”

“We’ve got a number of customers where the CISOs might be sitting down with the head of marketing and sales on a monthly basis to talk about which applications the user population should have.”

Palo Alto’s platform allows new rules to be created using natural-language input, which makes it easier to configure for a broad range of customer environments. Rule definitions – including specifications of what files, ports and packet types are to be watched – can therefore be built up in a way that “saves people scads of time,” Williamson said.

Of course, inbound attacks aren’t the only source of problematic traffic. Once a networked system is infected, the malware may just as easily turn inward, hopping opportunistically from one host to the next. Such lateral movement is invisible to a pure perimeter gateway, but becomes clear when internal as well as external traffic is monitored on a regular basis.
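As an added illustration of that internal-monitoring point (written for this article, not Palo Alto Networks code), the following Python flags a host that fans out to many internal peers within a short window, and shows that the same flows yield nothing when only the north-south traffic a perimeter gateway would see is examined. The flow fields, internal address ranges, sample flows and thresholds are constructed assumptions.

```python
"""Fan-out across internal hosts, visible only in east-west traffic.

Added example, not Palo Alto Networks code. Flow fields, address ranges,
sample data and thresholds are assumptions made for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Services commonly used to reach neighbouring hosts; used only to label hits.
ADMIN_PORTS = {445: "smb", 135: "rpc", 3389: "rdp", 22: "ssh", 5985: "winrm"}

# Constructed flows (ts in epoch seconds). 10.0.0.5 talks to one file server
# and one external site; 10.0.0.7 touches twelve peers on SMB within a minute.
FLOWS = [
    {"ts": 1000, "src": "10.0.0.5", "dst": "10.0.1.10", "dport": 445},
    {"ts": 1010, "src": "10.0.0.5", "dst": "10.0.1.10", "dport": 445},
    {"ts": 1020, "src": "10.0.0.5", "dst": "203.0.113.8", "dport": 443},
] + [
    {"ts": 1000 + i, "src": "10.0.0.7", "dst": f"10.0.1.{i}", "dport": 445}
    for i in range(1, 13)
] + [
    {"ts": 1030, "src": "10.0.0.7", "dst": "10.0.1.3", "dport": 3389},
]


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL)


def north_south(flows):
    """What a perimeter gateway sees: flows crossing the network boundary."""
    return [f for f in flows if is_internal(f["src"]) != is_internal(f["dst"])]


def east_west(flows):
    """Internal-to-internal flows, which never reach the perimeter."""
    return [f for f in flows if is_internal(f["src"]) and is_internal(f["dst"])]


def fan_out(flows, window=60, min_peers=8):
    """Map source -> (distinct peers, admin-service labels) for any source that
    reaches at least min_peers distinct hosts within some window-second span."""
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f["ts"]):
        by_src[f["src"]].append(f)
    findings = {}
    for src, recs in by_src.items():
        start, best, ports = 0, 0, set()
        for end in range(len(recs)):
            # slide the window start forward until it fits within `window` seconds
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            span = recs[start:end + 1]
            peers = {r["dst"] for r in span}
            if len(peers) >= best:          # keep the widest (latest) window
                best, ports = len(peers), {r["dport"] for r in span}
        if best >= min_peers:
            labels = sorted(ADMIN_PORTS[p] for p in ports if p in ADMIN_PORTS)
            findings[src] = (best, labels)
    return findings


if __name__ == "__main__":
    print("perimeter view:", fan_out(north_south(FLOWS)))   # sees nothing
    print("internal view: ", fan_out(east_west(FLOWS)))
```

On the constructed flows the perimeter view returns an empty result, because every one of 10.0.0.7’s probes stays inside the network; the east-west view reports that 10.0.0.7 reached twelve distinct peers over SMB and RDP within the window, while the file-server client 10.0.0.5 stays under the threshold. Real deployments would feed this from internal segmentation firewalls or flow exporters and calibrate the peer threshold per host role.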

“We’re dealing with creative [malware authors],” Williamson says, “and we’re in a world where we’re going to have to be looking at what’s coming in – and be engaged, creatively, about what’s going on. This protection can be done in a box, but it still takes investigation and creativity to find out what it is that you want to put in the box.”

Stories by David Braue
