Malware’s typical network behaviour makes it easier to spot: Palo Alto

The hardest part of maintaining a security defence is figuring out the things we don’t know – but by applying monitoring to all network traffic and simplifying accessibility to analytics tools, it’s easier than ever to ferret out new malware and seal perimeters that have been compromised by mobile devices, a Palo Alto Networks analyst has advised.

While the security solutions market has been flooded with new options for identifying and dealing with malware, “you need to be able to feed it into something that’s actionable, and is going to help the business and actually give you some protection,” Williamson told CSO Australia after his presentation at the AusCERT 2013 security conference.

“Many people have relied on basic firewall rules that said ‘I’m going to open this port and presumably the things that are supposed to come through that port, come in’,” he explained. “But most people – and firewalls – didn’t really understand what they were looking at.”

Palo Alto Networks has positioned its WildFire platform to resolve this issue, by providing what Williamson calls a “classify everything” view of all data coming into and going out of the network. This next-generation firewall (NGFW) approach is designed to facilitate the early classification of traffic behaviour, allowing the establishment of organisational baselines that make it easier to spot malware-driven anomalies when they later arise.

Such anomalies aren’t as hard to spot as many companies may think, given the right view of actual network traffic. A recent Palo Alto Networks analysis of more than 26,000 malware samples found that 97% of malware FTP sessions used non-standard FTP ports – 237 different ones – that avoided antivirus detection. Ten percent of Web-browsing malware was delivered over 90 different non-standard Web ports.

Analysis of 839 different pieces of malware, and 204 million logs, also found that 55% of all malware uses custom UDP (User Datagram Protocol) packets to communicate with command-and-control (C&C) servers; therefore, when a scan of network activity shows that 1.5% of traffic is comprised of unknown UDP packets, Williamson said, it’s not hard to figure out where it’s coming from.

Other common signature behaviours of malware include visits to an unregistered domain (24.38% of cases), the sending of emails (20.46%), contacting an IP country different from the host top-level domain (6.92%), downloading a file with an incorrect file extension (4.53%), visiting a recently registered domain (1.87%), and more.

The use of the POST method in HTTP, used by 12.38% of malware infections, is also a telltale sign – even though the technique is also used heavily by cloud-based applications. However, while cloud-based applications communicate with the same legitimate domains on a regular basis, behaviour-changing malware will typically connect to many new domains on a rotating basis.

“You’re not going to have an unknown domain that is a reputable Web app,” Williamson says. “You can always create an exception if you need to, but you can also set a rule that says ‘if I see an HTTP post to new domains, that is something worth investigating’. It’s all about being able to pull all of these things together and saying ‘in the context of all of these things, does this make sense or not?’”
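As an added example (not code from the article or from Palo Alto Networks), the script below scores constructed log records against the behaviours described above: FTP and Web traffic on non-standard ports, unknown UDP, HTTP POST to domains outside the organisation's baseline, unregistered or recently registered domains, and downloads whose extension does not match their content. The record format, domains, registration dates and file bytes are all constructed for the example.

```python
from datetime import date

# Constructed baseline: domains the organisation's own apps POST to routinely.
KNOWN_POST_DOMAINS = {"crm.example-saas.com", "mail.example.com"}
# Constructed registration dates standing in for a WHOIS/RDAP lookup;
# a domain absent from this table is treated as unregistered.
REGISTERED = {
    "ftp.example.com": date(2005, 6, 12),
    "crm.example-saas.com": date(2009, 3, 1),
    "a1b2.example.net": date(2013, 5, 20),  # registered a week before TODAY
}
# Leading bytes a file claiming each extension should start with.
MAGIC = {"pdf": b"%PDF", "png": b"\x89PNG", "exe": b"MZ"}
TODAY = date(2013, 5, 27)

def extension_mismatch(filename, head):
    """True when the file's leading bytes do not match its claimed extension."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in MAGIC and not head.startswith(MAGIC[ext])

def classify(line, downloads, today=TODAY):
    """Return the indicators one record triggers.
    Constructed record format: src proto dport app domain filename (or -)."""
    src, proto, dport, app, domain, filename = line.split()
    port, hits = int(dport), []
    if app == "ftp" and port != 21:
        hits.append("ftp on non-standard port")
    if app.startswith("http") and port not in (80, 443):
        hits.append("web traffic on non-standard port")
    if proto == "udp" and app == "unknown":
        hits.append("unknown udp")
    if app == "http-post" and domain not in KNOWN_POST_DOMAINS:
        hits.append("http post to new domain")
    is_ip = domain.replace(".", "").isdigit()  # raw IP: nothing to look up
    if not is_ip and domain not in REGISTERED:
        hits.append("unregistered domain")
    elif not is_ip and (today - REGISTERED[domain]).days < 30:
        hits.append("recently registered domain")
    if filename != "-" and extension_mismatch(filename, downloads.get(filename, b"")):
        hits.append("file extension does not match content")
    return hits

# Constructed sample records and the leading bytes of the two downloads.
LOGS = [
    "10.0.0.5 tcp 21 ftp ftp.example.com -",
    "10.0.0.7 tcp 2121 ftp 198.51.100.9 -",
    "10.0.0.8 udp 41234 unknown 198.51.100.9 -",
    "10.0.0.5 tcp 443 http-post crm.example-saas.com -",
    "10.0.0.9 tcp 80 http-post a1b2.example.net -",
    "10.0.0.9 tcp 80 http-get a1b2.example.net invoice.pdf",
    "10.0.0.3 tcp 80 http-get ftp.example.com chart.png",
]
DOWNLOADS = {"invoice.pdf": b"MZ\x90\x00\x03", "chart.png": b"\x89PNG\r\n\x1a\n"}

def triage(lines=LOGS, downloads=DOWNLOADS):
    """Map each record to its indicators; records with several deserve a look."""
    return {line: classify(line, downloads) for line in lines}

if __name__ == "__main__":
    for line, hits in triage().items():
        print(len(hits), line, hits)
```

Records that trip two indicators at once (a POST to a domain registered a week ago, a "PDF" that starts with an executable header) are the ones the article suggests investigating first.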
Better control

Picking out such changes can help a company pinpoint the source of infection, and increase its confidence that threats are being spotted and dealt with no matter what their attack vector.

This confidence, says Palo Alto Networks’ ANZ country manager Armando Dacal, often translates into a better business-IT alignment because the security team can ensure the business will be protected through highly-granular control over applications and user behaviour.

Such control will pave the way for higher business and IT confidence around the influx of smartphones and tablets as companies, many grudgingly, give in to the realities of bring your own device (BYOD) policies. BYOD adoption is flooding many organisations with usually unmanaged devices that could easily become infected with malware and spread it, because they are designed to circumvent normal network controls.

“Most organisations have really strong security around the physical perimeter, but for mobile devices they have something that is much less,” Williamson says. “If an enterprise isn’t going to own the phone and things are connecting into the environment, the only thing they can control is the traffic. You can at least say that ‘this is my traffic’ and it’s going to have the same levels of quality and security applied at every step.”

In many cases, that knowledge is paving the way for far more productive relationships between the risk-sensitive IT department and the functionally-focused executive.

“The IT department has gotten very good over the last few years at saying ‘no’,” Dacal explains. “But users wanted to leverage the power in the devices – and now IT can have a discussion with the business around which users should have access to which applications, and how it can be done safely.”

“We’ve got a number of customers where the CISOs might be sitting down with the head of marketing and sales on a monthly basis to talk about which applications the user population should have.”

Palo Alto’s platform allows new rules to be created using natural-language input, which makes it easier to configure for a broad range of customer environments. Rule definitions – including specifications of what files, ports and packet types are to be watched – can therefore be built up in a way that “saves people scads of time,” Williamson said.

Of course, malicious hackers aren’t the only source of problematic traffic. Once a networked system is infected with malware, it may just as easily focus its efforts inside the network, jumping from one host to another on an opportunistic basis. Such behaviour will be invisible to a pure perimeter gateway, but will become clear through regular monitoring of internal as well as external traffic.

“We’re dealing with creative [malware authors],” Williamson says, “and we’re in a world where we’re going to have to be looking at what’s coming in – and be engaged, creatively, about what’s going on. This protection can be done in a box, but it still takes investigation and creativity to find out what it is that you want to put in the box.”
