<h1>Traps: Expanding Ransomware Protection for Current and Future Threats</h1>
<p>Palo Alto Networks blog, 19 September 2017. Original post: <a href="https://origin-researchcenter.paloaltonetworks.com/blog/2017/09/traps-4-1/">https://origin-researchcenter.paloaltonetworks.com/blog/2017/09/traps-4-1/</a></p>

<p>Today <a href="https://www.paloaltonetworks.com/company/press/2017/palo-alto-networks-strengthens-ransomware-prevention-capabilities-with-new-traps-advanced-endpoint-functionality">we announced the next iteration of Traps advanced endpoint protection</a>, Traps 4.1. With this release, we continue to develop our innovative, multi-method prevention approach to endpoint security with a specific focus on preventing ransomware.</p>

<p>Many estimates put the total value of ransoms paid out in 2016 at more than $1 billion<sup>1</sup>, but the ransom payout itself often pales in comparison to the frustration that follows:</p>
<ul>
<li>Engaging disaster recovery on a massive scale</li>
<li>Bringing user machines, and larger production and operation systems, back online</li>
<li>Dealing with low employee morale, loss of productivity and potential breach notifications</li>
<li>Figuring out how to prevent an attack from happening again</li>
<li>Determining whether the organization is still vulnerable</li>
</ul>

<p>The majority of ransomware causes damage in less than a minute<sup>2</sup>, far too quickly for endpoint detection and response or manual intervention to counter it. Nor does either fix the underlying issue: ransomware has compromised user machines, and the organization is still vulnerable to additional and ongoing attacks. Compounding concerns, those relying on signature updates have large windows of vulnerability. While the speed of signature updates has improved, if an organization in a signature-based threat-sharing community is infected, it can take hours or days to create and distribute a signature from “patient zero” – much longer than the minutes ransomware needs to spread to other machines. Additionally, the ransomware market itself continues to evolve. “Ransomware as a service” has sprung up, giving even novice attackers access to advanced techniques. Furthermore, recent leaks, along with the re-emergence of exploits that circumvent the need for user action, have given rise to script-based and file-less attacks that pose problems for products or tools that rely heavily on analyzing file characteristics.</p>

<h2>Key New Features in Traps 4.1</h2>
<blockquote><p><em>“It has been exciting to see the evolution of Traps. Red Sky is proud to be an early adopter of the technology and has been heavily integrated with the product development lifecycle. With the new game-changing additions of anti-ransomware for Windows and static analysis on macOS, Traps has been lab tested and proven to be an industry leader in prevention-based endpoint protection.”</em></p>
<p>Phil Wong | Security Practice Lead at Red Sky</p></blockquote>

<h2>New Exploits and Ransomware</h2>
<p>While thousands of exploits exist, only a handful of exploit techniques are used. Traps focuses on these techniques to effectively shut down exploit-based attacks, rather than relying on signatures or attempting to chase each exploit. Recently, a new technique was seen in both WannaCry and NotPetya that directly exploits and utilizes the kernel. Despite Microsoft delivering a patch for the Server Message Block vulnerability in Windows, many organizations remained vulnerable to the first step of the attack – exploiting SMB – simply because they hadn’t patched their systems. The second step installs the now-infamous DoublePulsar, a backdoor that runs in kernel mode and can load shellcode from the kernel into process memory, calling legitimate processes to run the shellcode and potentially leading to a file-less attack.</p>

<p><strong>Enhanced kernel exploit protection</strong>: While Traps was already capable of blocking actions aimed at gaining kernel access through privilege escalation, this new kernel exploit prevention protects against exploit techniques used to execute malicious payloads, such as those seen in WannaCry and NotPetya. By blocking processes from accessing injected malicious code, Traps is now able to prevent these attacks early in the attack lifecycle without impacting legitimate processes.</p>

<p><strong>Behavior-based ransomware protection</strong>: In this release, we’ve introduced a capability solely focused on ransomware, rather than malware in general. In addition to existing preventions, Traps will now monitor specifically for ransomware behavior and, upon detection, block the attack and the encryption of customer data without interfering with legitimate encryption tools.</p>

<h2>Script-Based and File-Less Attacks</h2>
<p>Many approaches to malware prevention, both legacy and next-generation, have revolved around analyzing the features and characteristics of a file. However, attackers have learned to manipulate legitimate processes and engage in script-based attacks that may not involve files at all.</p>

<p><strong>Granular child process protection and malicious DLL prevention</strong>: With 4.1, Traps enhances its ability to ensure legitimate processes are running how and when they should, adding command-line evaluation of a process to its existing blacklisting and whitelisting abilities to prevent this emerging breed of attack. Additionally, attacks are increasingly utilizing DLLs, rather than traditional executable files, to carry out their malicious activity. To counter this, we’ve added the examination of DLLs to both our local and cloud-based WildFire analysis techniques for known and unknown malware.</p>

<h2>The Rise of Mac Malware</h2>
<p>Though malware on macOS is still a growing field, attackers know that where there’s an assumption of safety, there’s opportunity for profit. As an example, in early May 2017, a well-known Windows backdoor malware, Snake, was ported to Mac for the first time. As Mac use continues to grow throughout enterprises, it’s important that security teams take action to ensure users are safe.</p>

<p><strong>Local analysis on macOS</strong>: Traps continues to take a multi-method prevention approach to securing customers’ Mac endpoints. With 4.0, Traps delivered exploit protection specific to macOS, as well as enhanced Gatekeeper protection and WildFire integration for known malware. With 4.1, we’ve added local analysis capabilities to detect and prevent unknown variants on macOS, further securing our customers.</p>

<h2>Where Can I Learn More?</h2>
<ul>
<li><a href="https://www.eiseverywhere.com/ehome/270986" rel="nofollow,noopener">Sign up for a live demo</a> of Traps.</li>
<li>Check out how Traps prevents popular attacks such as <a href="https://www.paloaltonetworks.com/blog/2017/07/how-traps-protects-against-astrum/">Astrum</a>, <a href="https://www.paloaltonetworks.com/blog/2017/06/traps-sniffs-ursnif-banking-trojan/">Ursnif</a>, and <a href="https://www.paloaltonetworks.com/blog/2017/04/traps-prevents-cerber-ransomwares-bite/">Cerber</a>.</li>
<li><a href="http://go.paloaltonetworks.com/IDCTechSpotlight">Read up on the “patient zero” problem</a> in an IDC white paper that examines modern endpoint protection and how the evolution of malware has created the need for a modern approach to endpoint protection.</li>
<li>Check out the <a href="https://www.paloaltonetworks.com/documentation/41/endpoint/newfeaturesguide.html">New Feature Guide</a> for details on our new capabilities.</li>
</ul>

<p>1: <a href="https://www.nbcnews.com/tech/security/ransomware-now-billion-dollar-year-crime-growing-n704646" rel="nofollow,noopener">https://www.nbcnews.com/tech/security/ransomware-now-billion-dollar-year-crime-growing-n704646</a></p>
<p>2: <a href="https://blog.barkly.com/how-fast-does-ransomware-encrypt-files" rel="nofollow,noopener">https://blog.barkly.com/how-fast-does-ransomware-encrypt-files</a></p>