Friday, 3 August 2018

File Block,antivirus,vulnerability,antispyware,wildfire,anti spyware,url filtering - Best Practice Security


Create Best Practice Security Profiles for the Internet Gateway

Most malware sneaks onto the network in legitimate applications or services. Therefore, to safely enable applications you must scan all traffic allowed into the network for threats. To do this, attach security profiles to all Security policy rules that allow traffic so that you can detect threats—both known and unknown—in your network traffic. The following are the recommended best practice settings for each of the security profiles that you should attach to every Security policy rule on your internet gateway policy rulebase.
Consider adding the best practice security profiles to a default security profile group so that it will automatically attach to any new Security policy rules you create.

File Blocking

Objects > Security Profiles > File Blocking

You can attach a File Blocking profile to a Security policy rule (Policies > Security) to block users from uploading or downloading specified file types or to generate an alert when a user attempts to upload or download specified file types.
The following describes each File Blocking profile setting.
Name
Enter a profile name (up to 31 characters). This name appears in the list of file blocking profiles when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Description
Enter a description for the profile (up to 255 characters).
Shared
Select this option if you want the profile to be available to:
  • Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile will be available only to the Virtual System selected in the Objects tab.
  • Every device group on Panorama. If you clear this selection, the profile will be available only to the Device Group selected in the Objects tab.
Disable override (Panorama only)
Select this option to prevent administrators from overriding the settings of this File Blocking profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.
Rules
Define one or more rules to specify the action taken (if any) for the selected file types. To add a rule, specify the following and click Add:
  • Name—Enter a rule name (up to 31 characters).
  • Applications—Select the applications the rule applies to or select any.
  • File Types—Click in the file types field and then click Add to view a list of supported file types. Click a file type to add it to the profile and continue to add additional file types as needed. If you select Any, the defined action is taken on all supported file types.
  • Direction—Select the direction of the file transfer (Upload, Download, or Both).
  • Action—Select the action taken when the selected file types are detected:
    • alert—An entry is added to the threat log.
    • block—The file is blocked.
    • continue—A message to the user indicates that a download has been requested and asks the user to confirm whether to continue. The purpose is to warn the user of a possible unknown download (also known as a drive-by-download) and to give the user the option of continuing or stopping the download.
      When you create a file blocking profile with the action continue, you can only choose the application web-browsing. If you choose any other application, traffic that matches the Security policy rule will not flow through the firewall, because users will not be prompted with a continue page.

Best Practice Internet Gateway File Blocking Profile

You can now quickly and easily enforce the best practice File Blocking settings on your Security policy allow rules using two new predefined File Blocking profiles. For most traffic (including traffic on your internal network) you will want to block files that are known to carry threats or that have no real use case for upload/download, to ensure that malware is not sneaking into your network and that sensitive data is not being exfiltrated from your network inside legitimate traffic.
The new profiles are intended as a starting point that you can clone and modify per your specific business requirements:
  • basic file blocking—Attach this profile to the Security policy rules that allow traffic to and from less sensitive applications to block files that are commonly included in malware attack campaigns or that have no real use case for upload/download. It blocks upload and download of PE files (.scr, .cpl, .dll, .ocx, .pif, .exe), Java files (.class, .jar), Help files (.chm, .hlp) and other potentially malicious file types, including .vbe, .hta, .wsf, .torrent, .7z, .rar, .bat. Additionally, it prompts users to acknowledge when they attempt to download encrypted-rar or encrypted-zip files. This rule alerts on all other file types to give you complete visibility into all file types coming in and out of your network.
  • strict file blocking—Use this stricter profile on the Security policy rules that allow access to your most sensitive applications. This profile blocks the same file types as the other profile, and additionally blocks flash, .tar, multi-level encoding, .cab, .msi, encrypted-rar, and encrypted-zip files.

Use the predefined strict file blocking profile to block files that are commonly included in malware attack campaigns or that have no real use case for upload/download. The predefined strict profile blocks batch files, DLLs, Java class files, help files, Windows shortcuts (.lnk), and BitTorrent files as well as Windows Portable Executable (PE) files, which include .exe, .cpl, .dll, .ocx, .sys, .scr, .drv, .efi, .fon, and .pif files. This profile allows download/upload of executables and archive files (.zip and .rar), but forces users to click continue before transferring a file to give them pause. The predefined profile alerts on all other file types for visibility into what other file transfers are happening so that you can determine if you need to make policy changes.



[Screenshot: bp-file-blocking-profiles.png]

Why do I need this profile?

There are many ways for attackers to deliver malicious files: as attachments or links in corporate email or in webmail, links or IMs in social media, Exploit Kits, through file sharing applications (such as FTP, Google Drive, or Dropbox), or on USB drives. Attaching the strict file blocking profile reduces your attack surface by preventing these types of attacks.

What if I can’t block all of the file types covered in the predefined strict profile?

If you have mission-critical applications that prevent you from blocking all of the file types included in the predefined strict profile, you can clone the profile and modify it for those users who must transfer a file type covered by the predefined profile. If you choose not to block all PE files per the recommendation, make sure you send all unknown files to WildFire for analysis. Additionally, set the Action to continue to prevent drive-by downloads, which is when an end user downloads content that installs malicious files, such as Java applets or executables, without knowing they are doing it. Drive-by downloads can occur when users visit web sites, view email messages, or click into pop-up windows meant to deceive them. Educate your users that if they are prompted to continue with a file transfer they didn’t knowingly initiate, they may be subject to a malicious download. In addition, using file blocking in conjunction with URL filtering to limit the categories in which users can transfer files is another good way to reduce the attack surface when you find it necessary to allow file types that may carry threats.

Best Practice Internet Gateway Antivirus Profile

Attach an Antivirus profile to all allowed traffic to detect and prevent viruses and malware from being transferred over the HTTP, SMTP, IMAP, POP3, FTP, and SMB protocols. The best practice Antivirus profile uses the default action when it detects traffic that matches either an Antivirus signature or a WildFire signature. The default action differs for each protocol and follows the most up-to-date recommendation from Palo Alto Networks for how to best prevent malware in each type of protocol from propagating.
By default, the firewall alerts on viruses found in SMTP traffic. However, if you don’t have a dedicated Antivirus gateway solution in place for your SMTP traffic, define a stricter action for this protocol to protect against infected email content. Use the reset-both action to return a 541 response to the sending SMTP server to prevent it from resending the blocked message.



[Screenshot: av-bp.png]

Why do I need this profile?

By attaching Antivirus profiles to all Security rules, you can block known malicious files (malware, ransomware, bots, and viruses) as they come into the network. Common ways for users to receive malicious files include malicious attachments in email, links to download malicious files, or silent compromise by Exploit Kits that exploit a vulnerability and then automatically deliver malicious payloads to the end user.

Best Practice Internet Gateway Vulnerability Protection Profile

Attach a Vulnerability Protection profile to all allowed traffic to protect against buffer overflows, illegal code execution, and other attempts to exploit client- and server-side vulnerabilities. The best practice profile is a clone of the predefined Strict profile, with packet capture settings enabled to help you track down the source of any potential attacks.



[Screenshot: vuln-bp.png]

Why do I need this profile?

Without strict vulnerability protection, attackers can leverage client- and server-side vulnerabilities to compromise end-users. For example, an attacker could leverage a vulnerability to install malicious code on client systems or use an Exploit Kit (Angler, Nuclear, Fiesta, KaiXin) to automatically deliver malicious payloads to the end user. Vulnerability Protection profiles also prevent an attacker from using vulnerabilities on internal hosts to move laterally within your network.

Best Practice Internet Gateway Anti-Spyware Profile

Attach an Anti-Spyware profile to all allowed traffic to detect command and control (C2) traffic initiated from spyware installed on a server or endpoint and to prevent compromised systems from establishing an outbound connection from your network. The best practice Anti-Spyware profile resets the connection when the firewall detects a medium, high, or critical severity threat and blocks or sinkholes any DNS queries for known malicious domains.



[Screenshot: as-bp.png]

To create this profile, clone the predefined strict profile and make sure to enable DNS sinkhole and packet capture to help you track down the endpoint that attempted to resolve the malicious domain.
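Why the sinkhole matters for tracking down the endpoint: when clients resolve through an internal DNS server, the DNS query the firewall logs comes from that server, so the threat log alone does not tell you which host is infected. The sinkhole answer makes the real client connect to the sinkhole address, where it shows up in the traffic log under its own IP. The following is an added illustration of that triage, not Palo Alto Networks code; the log lines are constructed in a simplified CSV shape (not the PAN-OS log format) and the sinkhole address is hypothetical.

```python
"""Find the client behind a sinkholed DNS query (added illustration).

Clients usually resolve names through an internal DNS server, so the DNS
query the firewall sees (and writes to the threat log) comes from that
server, not from the infected host. With DNS sinkholing the firewall
answers the query with a sinkhole address; the real client then opens a
connection to that address and appears in the traffic log under its own
IP. Log lines below are constructed, in a simplified CSV shape that is
not the PAN-OS log format.
"""
from collections import defaultdict

# Hypothetical sinkhole address, as it would be set in the Anti-Spyware profile.
SINKHOLE_IP = "10.255.255.254"

# Constructed threat log: time, source, destination, queried domain, action.
THREAT_LOG = """\
2018-08-03T10:00:01,10.0.0.53,198.51.100.10,evil-c2.example,sinkhole
2018-08-03T10:02:17,10.0.0.53,198.51.100.10,other-c2.example,sinkhole
2018-08-03T10:03:40,10.0.0.53,198.51.100.10,benign-site.example,alert
"""

# Constructed traffic log: time, source, destination, destination port, action.
TRAFFIC_LOG = """\
2018-08-03T10:00:02,10.0.1.25,10.255.255.254,443,allow
2018-08-03T10:00:05,10.0.1.25,203.0.113.7,443,allow
2018-08-03T10:02:18,10.0.1.77,10.255.255.254,80,allow
2018-08-03T10:02:20,10.0.1.25,10.255.255.254,443,allow
"""


def parse_log(text, fields):
    """Split the constructed CSV lines into dicts keyed by the given field names."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            rows.append(dict(zip(fields, line.split(",", len(fields) - 1))))
    return rows


def sinkholed_queries(threat_log=THREAT_LOG):
    """Threat-log entries the firewall answered with the sinkhole address.
    Note that the source is the internal DNS server in every one of them."""
    rows = parse_log(threat_log, ["time", "src", "dst", "domain", "action"])
    return [r for r in rows if r["action"] == "sinkhole"]


def infected_endpoints(traffic_log=TRAFFIC_LOG, sinkhole_ip=SINKHOLE_IP):
    """Map each client that connected to the sinkhole address to its hit count.
    These are the hosts to isolate and investigate."""
    rows = parse_log(traffic_log, ["time", "src", "dst", "dport", "action"])
    hits = defaultdict(int)
    for r in rows:
        if r["dst"] == sinkhole_ip:
            hits[r["src"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for q in sinkholed_queries():
        print(f"sinkholed {q['domain']} queried via {q['src']} (resolver, not the client)")
    for host, n in sorted(infected_endpoints().items()):
        print(f"{host} contacted the sinkhole {n} time(s)")
```

Run as a script it prints the two sinkholed domains (both attributed to the resolver 10.0.0.53) and then the two internal clients that actually reached for the sinkhole address, which is the information the threat log on its own cannot give you.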



[Screenshot: as-bp-2.png]


URL Filtering

Configure URL Filtering

After you Determine URL Filtering Policy Requirements, you should have a basic understanding of what types of websites and website categories your users are accessing. With this information, you are now ready to create custom URL filtering profiles and attach them to the security policy rule(s) that allow web access. In addition to managing web access with a URL Filtering profile, if you have User-ID configured, you can also manage the sites to which users can submit corporate credentials.
  1. Create a URL Filtering profile.
    If you have not done so already, configure a best practice URL Filtering profile to ensure protection against URLs that have been observed hosting malware or exploitive content.
    Select Objects > Security Profiles > URL Filtering and Add or modify a URL Filtering profile.
  2. Define site access for each URL category.
    Select Categories and set the Site Access for each URL category:
    • Allow traffic to the URL category. Allowed traffic is not logged.
    • Select alert to have visibility into sites users are accessing. Matching traffic is allowed, but a URL Filtering log is generated to record when a user accesses a site in the category.
    • Select block to deny access to traffic that matches the category and to enable logging of the blocked traffic.
    • Select continue to display a page to users with a warning and require them to click Continue to proceed to a site in the category.
    • To only allow access if users provide a configured password, select override. For more details on this setting, see Allow Password Access to Certain Sites.
  3. Configure the URL Filtering profile to detect corporate credential submissions to websites that are in allowed URL categories.
    The firewall automatically skips checking credential submissions for App-IDs associated with sites that have never been observed hosting malware or phishing content to ensure the best performance and a low false positive rate even if you enable checks in the corresponding category. The list of sites on which the firewall will skip credential checking is automatically updated via Application and Threat content updates.
    1. Select User Credential Detection.
    2. Select one of the Methods to Check for Corporate Credential Submissions to web pages from the User Credential Detection drop-down:
      • Use IP User Mapping—Checks for valid corporate username submissions and verifies that the username matches the user logged in at the source IP address of the session. To use this method, the firewall matches the submitted username against its IP-address-to-username mapping table, which can be populated by any of the user mapping methods described in Map IP Addresses to Users.
      • Use Domain Credential Filter—Checks for valid corporate username and password submissions and verifies that the username maps to the IP address of the logged-in user. See Configure User Mapping Using the Windows User-ID Agent for instructions on how to set up User-ID to enable this method.
      • Use Group Mapping—Checks for valid username submissions based on the user-to-group mapping table populated when you configure the firewall to Map Users to Groups.
        With group mapping, you can apply credential detection to any part of the directory or to a specific group, such as groups like IT that have access to your most sensitive applications.
        This method is prone to false positives in environments that do not have uniquely structured usernames. Because of this, you should only use this method to protect your high-value user accounts.
    3. Set the Valid Username Detected Log Severity the firewall uses to log detection of corporate credential submissions. By default, the firewall logs these events as medium severity.
  4. Allow or block users from submitting corporate credentials to sites based on URL category to Prevent Credential Phishing.
    1. For each URL category to which Site Access is allowed, select how you want to treat User Credential Submissions:
      • alert—Allow users to submit credentials to the website, but generate a URL Filtering alert log each time a user submits credentials to sites in this URL category.
      • allow—(default) Allow users to submit credentials to the website.
      • block—Displays the Anti Phishing Block Page to block users from submitting credentials to the website.
      • continue—Present the Anti Phishing Continue Page to require users to click Continue to access the site.
  5. Define URL Category Exception Lists to specify websites that should always be blocked or allowed, regardless of URL category.
    For example, to reduce URL Filtering logs, you may want to add your corporate websites to the allow list so that no logs are generated for those sites. Or, if a website is being overused and is not work related in any way, you can add it to the block list.
    Items in the block list will always be blocked regardless of the action for the associated category, and URLs in the allow list will always be allowed.
    For more information on the proper format and wildcard usage, see URL Category Exception Lists.
    1. Select Overrides and enter URLs or IP addresses in the Block List and select an action:
      • block—Block the URL.
      • continue—Prompt users to click Continue to proceed to the web page.
      • override—The user will be prompted for a password to continue to the website.
      • alert—Allow the user to access the website and add an alert log entry in the URL log.
    2. For the Allow list, enter IP addresses or URLs that should always be allowed. Each row must be separated by a new line.
  6. Enable Safe Search Enforcement.
  7. Log only Container Pages for URL filtering events.
    1. Select URL Filtering Settings. The Log container page only option is enabled by default so that only the main page that matches the category is logged, not subsequent pages/categories that may be loaded within the container page.
    2. To enable logging for all pages/categories, clear the Log container page only check box.
  8. Enable HTTP Header Logging for one or more of the supported HTTP header fields.
    Select URL Filtering Settings and select one or more of the following fields to log:
    • User-Agent
    • Referer
    • X-Forwarded-For
  9. Save the URL Filtering profile and commit your changes.
    1. Click OK.
    2. Click Commit.
      To test the URL filtering configuration, simply access a website in a category that is set to block or continue to see if the appropriate action is performed.


Best Practice Internet Gateway URL Filtering Profile

As a best practice, use PAN-DB URL filtering to prevent access to web content that is at high-risk for being malicious. Attach a URL Filtering profile to all rules that allow access to web-based applications to protect against URLs that have been observed hosting malware or exploitive content.
The best practice URL Filtering profile sets all known dangerous URL categories to block. These include command-and-control, copyright-infringement, dynamic-dns, extremism, malware, phishing, proxy-avoidance-and-anonymizers, unknown, and parked. Failure to block these dangerous categories puts you at risk for exploit infiltration, malware download, command and control activity, and data exfiltration.
In addition to blocking known bad categories, you should also alert on all other categories so that you have visibility into the sites your users are visiting. If you need to phase in a block policy, set categories to continue and create a custom response page to educate users on your acceptable use policies and alert them to the fact that they are visiting a site that may pose a threat. This will pave the way for you to outright block the categories after a monitoring period.
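The decision the profile makes for a given URL, as an added example that is not part of the original page or Palo Alto Networks code: it serves both the Configure URL Filtering procedure above (Site Access actions, the Overrides block and allow lists) and the best practice profile just described (the dangerous categories set to block, everything else to alert, and the phase-in with continue). Two things in it are assumptions rather than documented behaviour: that an entry on both exception lists is treated as blocked, and that list entries are an exact host or a leading "*." wildcard for subdomains; the real matching syntax is in the URL Category Exception Lists documentation.

```python
"""Evaluate a URL against a best-practice URL Filtering profile (added illustration).

Models the decisions described on the page: the Overrides block list and
allow list are checked before the category, and the category's Site
Access action applies otherwise. The best-practice profile blocks the
page's dangerous categories and alerts on everything else; phase_in()
turns those blocks into "continue" for a monitoring period. Assumptions:
the block list wins if a host is on both lists, and list entries are an
exact host or a leading "*." wildcard for subdomains.
"""
from urllib.parse import urlsplit

# Categories the page's best-practice profile sets to block.
DANGEROUS_CATEGORIES = {
    "command-and-control", "copyright-infringement", "dynamic-dns",
    "extremism", "malware", "phishing",
    "proxy-avoidance-and-anonymizers", "unknown", "parked",
}
SITE_ACCESS_ACTIONS = {"allow", "alert", "block", "continue", "override"}


def best_practice_profile(categories, block_list=(), allow_list=()):
    """Dangerous categories -> block, every other category -> alert (for visibility)."""
    site_access = {c: ("block" if c in DANGEROUS_CATEGORIES else "alert")
                   for c in categories}
    return {"site_access": site_access,
            "block_list": list(block_list),
            "allow_list": list(allow_list)}


def phase_in(profile):
    """Copy of the profile with block changed to continue (warn now, block later)."""
    eased = dict(profile)
    eased["site_access"] = {c: ("continue" if a == "block" else a)
                            for c, a in profile["site_access"].items()}
    return eased


def host_matches(host, pattern):
    """Exact host match, or '*.suffix' matching any subdomain of suffix (assumed syntax)."""
    if pattern.startswith("*."):
        return host.endswith("." + pattern[2:])
    return host == pattern


def url_action(profile, url, category):
    """Return the Site Access action for a URL whose PAN-DB category is `category`."""
    host = (urlsplit(url).hostname or "").lower()
    if any(host_matches(host, p) for p in profile["block_list"]):
        return "block"          # block list always wins
    if any(host_matches(host, p) for p in profile["allow_list"]):
        return "allow"          # allow list bypasses the category action
    action = profile["site_access"].get(category, "alert")
    assert action in SITE_ACCESS_ACTIONS
    return action


if __name__ == "__main__":
    profile = best_practice_profile(
        ["malware", "unknown", "business-and-economy", "news"],
        block_list=["timewaster.example"],       # constructed hosts
        allow_list=["*.corp.example"],
    )
    for url, cat in [("http://evil.example/x.exe", "malware"),
                     ("https://news.example/", "news"),
                     ("https://intranet.corp.example/", "unknown"),
                     ("http://timewaster.example/", "business-and-economy")]:
        print(f"{cat:22} {url:36} -> {url_action(profile, url, cat)}"
              f" (phase-in: {url_action(phase_in(profile), url, cat)})")
```

Note that the allow-list entry rescues an uncategorized intranet host that would otherwise be blocked as unknown, which is exactly the situation the page warns about when phasing in a block of the unknown category.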



[Screenshot: url-bp.png]

What if I can’t block all of the recommended categories?

If you find that users need access to sites in the blocked categories, consider creating an allow list for just the specific sites, if you feel the risk is justified. On categories you decide to allow, make sure you set up credential phishing prevention to ensure that users aren’t submitting their corporate credentials to a site that may be hosting a phishing attack.
Allowing traffic to a recommended block category poses the following risks:
  • malware—Sites known to host malware or used for command and control (C2) traffic. May also exhibit Exploit Kits.
  • phishing—Known to host credential phishing pages or phishing for personal identification.
  • dynamic-dns—Hosts and domain names for systems with dynamically assigned IP addresses and which are oftentimes used to deliver malware payloads or C2 traffic. Also, dynamic DNS domains do not go through the same vetting process as domains that are registered by a reputable domain registration company, and are therefore less trustworthy.
  • unknown—Sites that have not yet been identified by PAN-DB, perhaps because they were just registered. However, oftentimes these are sites that are generated by domain generation algorithms and are later found to exhibit malicious behavior.
  • command-and-control—Command-and-control URLs and domains used by malware and/or compromised systems to surreptitiously communicate with an attacker's remote server to receive malicious commands or exfiltrate data.
  • proxy-avoidance-and-anonymizers—URLs and services often used to bypass content filtering products.
  • copyright-infringement—Domains with illegal content, such as content that allows illegal download of software or other intellectual property. This category was introduced to enable adherence to child protection laws required in the education industry as well as laws in countries that require internet providers to prevent users from sharing copyrighted material through their service.
  • extremism—Websites promoting terrorism, racism, fascism or other extremist views discriminating people or groups of different ethnic backgrounds, religions or other beliefs. This category was introduced to enable adherence to child protection laws required in the education industry.
  • parked—Domains registered by individuals, oftentimes later found to be used for credential phishing. These domains may be similar to legitimate domains, for example, pal0alto0netw0rks.com, with the intent of phishing for credentials or personal identity information. Or, they may be domains that an individual purchases rights to in hopes that it may be valuable someday, such as panw.net.

Best Practice Internet Gateway WildFire Analysis Profile

While the rest of the best practice security profiles significantly reduce the attack surface on your network by detecting and blocking known threats, the threat landscape is ever changing and the risk of unknown threats lurking in the files we use daily—PDFs, Microsoft Office documents (.doc and .xls files)—is ever growing. And, because these unknown threats are increasingly sophisticated and targeted, they often go undetected until long after a successful attack. To protect your network from unknown threats, you must configure the firewall to forward files to WildFire for analysis. Without this protection, attackers have free rein to infiltrate your network and exploit vulnerabilities in the applications your employees use every day. Because WildFire protects against unknown threats, it is your greatest defense against advanced persistent threats (APTs).
The best practice WildFire Analysis profile sends all files in both directions (upload and download) to WildFire for analysis. Specifically, make sure you are sending all PE files (if you’re not blocking them per the file blocking best practice), Adobe Flash and Reader files (PDF, SWF), Microsoft Office files (PowerPoint, Excel, Word, RTF), Java files (Java, .CLASS), and Android files (.APK).



[Screenshot: wf-bp.png]

Data Filtering Best Practices

Two signatures exist for data filtering:

  • Credit Card: the device looks for 16-digit numbers and runs each one through a hash algorithm. A number must pass the hash check before it is detected as a credit card number, so this method produces fewer false positives.
  • Social Security Number: detected as any 9-digit number, regardless of format. This is prone to false positives.

It is important to determine which types of documents to inspect for credit card and social security numbers.
Attached to this document are two PDF files that can be used to test the policy. One has fake social security numbers and the other fake credit card numbers.

Set up a profile to detect the two key words and trigger an alert. The second condition triggers if the device sees any file that contains 10 nine-digit numbers, 10 credit card numbers, or a combination of both that totals 10.
  1. Set up the custom Data Patterns.
  2. Set up the data pattern profile.
  3. Set up the data pattern in the security profile.

The custom data pattern is set the following way:
  • Set the weight of the custom data pattern to 10.
  • Set the social security and credit card weights to 1 (see screenshot below).
    [Screenshot: 2016-09-20_12-34-46.jpg]
  • Set the Data Filtering profile to trigger on 10 (see screenshot below).
    [Screenshot: 2016-09-20_12-35-37.jpg]
  • Add this profile to the security rule. This rule will look for the data pattern and alert on the above condition. This should prevent some of the false detections.
    [Screenshot: 2016-09-20_12-44-16.jpg]
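How the weights and the threshold interact, and why the card check is less noisy than the nine-digit match, is easier to see in code. The block below is an added illustration, not Palo Alto Networks code: it scores a document with weight 1 per SSN candidate, weight 1 per checksum-valid 16-digit number, weight 10 per hit on a custom keyword pattern, and alerts at a total of 10, as the profile above does. Two assumptions: the checksum is the Luhn algorithm (the page only says "hash algorithm"), and the keyword COMPANY-CONFIDENTIAL is a hypothetical custom pattern. The sample texts are constructed.

```python
"""Weighted data-pattern scoring for a Data Filtering profile (added illustration).

Mirrors the page's setup: a credit card candidate is a 16-digit number
that must also pass a checksum (here Luhn, an assumption about the "hash
algorithm" the page mentions), an SSN candidate is any 9-digit number,
each of those counts 1, a custom keyword pattern counts 10, and the
profile alerts when the total reaches 10. Sample texts are constructed;
the custom keyword is hypothetical.
"""
import re

CARD_RE = re.compile(r"(?<!\d)\d{16}(?!\d)")   # exactly 16 digits, not inside a longer run
SSN_RE = re.compile(r"(?<!\d)\d{9}(?!\d)")     # any 9-digit number, regardless of format
CUSTOM_PATTERNS = [re.compile(r"\bCOMPANY-CONFIDENTIAL\b")]   # hypothetical custom pattern

WEIGHTS = {"card": 1, "ssn": 1, "custom": 10}
THRESHOLD = 10


def luhn_valid(digits):
    """Luhn checksum: double every second digit from the right, sum, check mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def count_matches(text):
    """Count hits per pattern; only checksum-valid 16-digit numbers count as cards."""
    candidates = CARD_RE.findall(text)
    return {
        "card_candidates": len(candidates),
        "card": sum(1 for c in candidates if luhn_valid(c)),
        "ssn": len(SSN_RE.findall(text)),
        "custom": sum(len(p.findall(text)) for p in CUSTOM_PATTERNS),
    }


def data_filter_score(text):
    """Weighted total, the number the profile compares against its threshold."""
    counts = count_matches(text)
    return sum(counts[k] * w for k, w in WEIGHTS.items())


def should_alert(text, threshold=THRESHOLD):
    return data_filter_score(text) >= threshold


# Constructed samples. 4111111111111111 passes Luhn, 1234567890123456 does not.
ONE_OFF = "Card 4111111111111111 and ref 1234567890123456; SSN 123456789 and 987654321."
BULK_SSNS = " ".join(str(100000000 + i) for i in range(10))   # ten 9-digit numbers
KEYWORD_ONLY = "This file is COMPANY-CONFIDENTIAL."
PHONE = "Call 555123456 for support."   # a 9-digit number that is not an SSN

if __name__ == "__main__":
    for label, text in [("one-off", ONE_OFF), ("bulk", BULK_SSNS),
                        ("keyword", KEYWORD_ONLY), ("phone", PHONE)]:
        print(f"{label:8} {count_matches(text)} "
              f"score={data_filter_score(text)} alert={should_alert(text)}")
```

The one-off document (one real card number, one number that fails the checksum, two SSN-shaped numbers) scores 3 and stays quiet, while ten nine-digit numbers or a single keyword hit reach the threshold; the phone-number sample shows the false positive the page warns about for the SSN pattern.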

Monitor Data Filter Log
[Screenshot: 2016-09-20_12-39-21.jpg]

The green arrow next to a log entry is a packet capture of the single packet that triggered the data filtering.
To protect the data contained in the packet captures, Data Protection can be enabled, which password-protects all packet captures. The password is set under Device > Setup > Content-ID > Manage Data Protection.
[Screenshot: 2016-09-20_12-41-09.jpg]

Note: Attached to this KB document are two test files that can be used to confirm that the policy is working.

owner: wtam


TIPS:

File Blocking Rulebase and Action Precedence

Issue

In some instances, File Blocking profile rules are not following a top-down order of operations when applying actions.

Cause

Overlapping File Blocking Profile rules exist with different actions. The File Blocking Profile rulebase does not follow a normal "top-down" approach when applying rule actions. When a file is seen in a traffic flow matching a Security policy with a File Blocking Profile applied, it is checked against the configured File Blocking rules. When there is a single match, that rule's action is taken. In the case of multiple matches, the action with the highest precedence is used. The options to move rules up or down the list are purely for organization and cosmetic reasons.

Action Precedence

There are five actions that can be applied to File Blocking Profile rules. The order of precedence among the actions in PAN-OS 6.1 and earlier is as follows:
  1. continue-forward
  2. forward
  3. continue
  4. block
  5. alert
For example, if you configure rules with "alert" and "continue-forward", the "continue-forward" action takes precedence and will be the action that is applied.
[Screenshot: Screen+Shot+2013-04-02+at+4.29.49+PM.png]

For example, if an e-mail contains both an email-link and a PNG/JPG file, the email-link takes the continue-forward action and the PNG/JPG file takes the alert action, because the firewall can forward only the following file formats to the WildFire cloud:
  • apk—Android Application Package (APK)
  • email-link—HTTP/HTTPS
  • flash—Adobe Flash applets
  • jar—Java applets
  • ms-office—Microsoft Office files
  • pe—Portable Executable (PE) files
  • pdf—Portable Document Format
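The precedence rule above, and the predefined strict profile described earlier in the Best Practice Internet Gateway File Blocking Profile section, are easiest to check with a small evaluator. The block below is an added illustration, not PAN-OS code: it collects every matching rule and picks the highest-precedence action in the PAN-OS 6.1 order the page gives, regardless of rule order, and it applies forward actions only to the file types listed above as forwardable to WildFire, which is how the email-link/PNG case comes out. The profile it uses is a constructed approximation of the page's description of the strict profile, with the continue rule limited to web-browsing as the page requires; it is not the predefined profile shipped with PAN-OS.

```python
"""File Blocking rule evaluation with action precedence (added illustration).

Models what the page describes: every rule whose application, file type
and direction match is collected, and when more than one matches the
action with the highest precedence wins (continue-forward > forward >
continue > block > alert, the PAN-OS 6.1 order on the page); rule order
plays no part. Forward actions only apply to file types WildFire can
analyse. The profiles below are constructed, not the predefined ones.
"""
PRECEDENCE = ["continue-forward", "forward", "continue", "block", "alert"]
RANK = {action: i for i, action in enumerate(PRECEDENCE)}   # lower rank wins

# File types the page lists as forwardable to WildFire.
WILDFIRE_TYPES = {"apk", "email-link", "flash", "jar", "ms-office", "pe", "pdf"}


def rule(name, applications, file_types, direction, action):
    assert action in RANK and direction in {"upload", "download", "both"}
    return {"name": name, "applications": set(applications),
            "file_types": set(file_types), "direction": direction, "action": action}


# Constructed approximation of the page's strict profile.
STRICT_LIKE_PROFILE = [
    rule("block-dangerous", ["any"],
         ["pe", "dll", "bat", "class", "jar", "chm", "hlp", "lnk", "torrent",
          "flash", "cab", "msi", "encrypted-rar", "encrypted-zip"], "both", "block"),
    # continue is only usable with web-browsing, per the page
    rule("pause-on-archives", ["web-browsing"], ["zip", "rar"], "both", "continue"),
    rule("visibility", ["any"], ["any"], "both", "alert"),
]

# Constructed profile for the page's email-link / PNG example.
FORWARDING_PROFILE = [
    rule("alert-all", ["any"], ["any"], "both", "alert"),
    rule("to-wildfire", ["any"], ["any"], "both", "continue-forward"),
]


def rule_matches(r, app, file_type, direction):
    app_ok = "any" in r["applications"] or app in r["applications"]
    type_ok = "any" in r["file_types"] or file_type in r["file_types"]
    dir_ok = r["direction"] in ("both", direction)
    # A forward action can only apply to something WildFire accepts.
    forward_ok = not r["action"].endswith("forward") or file_type in WILDFIRE_TYPES
    return app_ok and type_ok and dir_ok and forward_ok


def evaluate(profile, app, file_type, direction):
    """Return (winning action, names of all matching rules); (None, []) if none match."""
    matched = [r for r in profile if rule_matches(r, app, file_type, direction)]
    if not matched:
        return None, []
    winner = min(matched, key=lambda r: RANK[r["action"]])
    return winner["action"], [r["name"] for r in matched]


if __name__ == "__main__":
    cases = [(STRICT_LIKE_PROFILE, "web-browsing", "pe", "download"),
             (list(reversed(STRICT_LIKE_PROFILE)), "web-browsing", "pe", "download"),
             (STRICT_LIKE_PROFILE, "web-browsing", "zip", "upload"),
             (STRICT_LIKE_PROFILE, "ftp", "zip", "upload"),
             (FORWARDING_PROFILE, "smtp", "email-link", "download"),
             (FORWARDING_PROFILE, "smtp", "png", "download")]
    for profile, app, ftype, direction in cases:
        action, names = evaluate(profile, app, ftype, direction)
        print(f"{app:12} {ftype:10} {direction:8} -> {action:16} via {names}")
```

Reversing the rule list gives the same verdict for a PE download, which is the point of the Cause section above; the zip upload over ftp falls through to alert because the continue rule is bound to web-browsing.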

Best Practices for Ransomware Prevention

What Is Ransomware?

Ransomware is a family of malware which attempts to encrypt files on end user computers and then demands some form of e-payment to recover the encrypted files. 

Ransomware is one of the more common threats in the modern threat landscape; there are many different variants, an infection can cost a lot of money to recover from, and the actors responsible for the infections are driven to generate as much revenue as possible by extorting their victims.

This article will serve as a general guideline for some best practices to help keep a network free of ransomware infections.

How Is Ransomware Delivered?

Ransomware is delivered to targets primarily through these avenues:

  • Phishing emails may contain malicious attachments. These attachments are not always delivered in executable form; as security vendors and security best practices dictate that receiving executables via email is, in general, something we want to prevent, threat actors have to adapt to the changing landscape. This can be done by indirect delivery mechanisms. In Windows, for example, a malicious actor may opt for a less direct method of delivery: embed an obfuscated JavaScript file into an archive, and rely on the end user for the rest. Opening a .JS file on a Windows host will launch the default browser, and the JavaScript can then reach out to an external URL to grab an executable, deliver it to the victim, and execute it. At this point, preventing users from receiving executables via email is no longer effective, as the executable is delivered via HTTP. 

  • Exploit kits (such as Angler, or Neutrino) have been known to deliver ransomware to users by exploiting vulnerable web servers and hosting malicious web scripts on them which exploit visitors when certain criteria are met, and then delivering a malicious payload (Angler Exploit Kit article @ Unit42)

  • Targeted ransomware has been noted and tracked recently, in which organizations had external facing web servers compromised by malicious actors in order to gain a foothold, who proceeded to map the environment out, and deployed the file cryptor en masse. (Evolution of SamSa Malware article @ Unit42)

Preventing Ransomware Attacks — Security Profiles

PAN-OS has protections at various points in the kill-chain to address ransomware infection and keep it from entering a network. A general overview of security profiles and their purpose is available here: Security policy fundamentals

1) To combat exploit kits and known vulnerabilities, numerous Vulnerability signatures exist in PAN-OS content.  In order to protect users against these exploits, usage of a "strict" vulnerability protection policy can assist and is recommended. At the very minimum, ensuring signatures are enabled with preventative action against critical severity signatures is necessary. A strict stance on vulnerability protection profiles will help prevent exploit kit exposure, and help keep external facing web servers safe from exploitation of known vulnerabilities. 

Some potentially relevant signatures include the exploit-kit labeled signatures (see Reference 1 below), Malware XOR Obfuscation Detection, Microsoft Windows OLE Remote Code Execution, Malicious PE Detection, and JavaScript Obfuscation Detection.

Additionally, as JavaScript is an unsupported file type for file blocking, it is beneficial to investigate actions on signatures 39002 and 39003, which inspect for the presence of JavaScript files within SMTP flows.

To improve security posture, we recommend creating an exception for the threat IDs below and setting them to “deny”, which blocks traffic matching these signatures.
However, we recommend testing in your environment first with an “alert” setting to ensure legitimate traffic is not blocked, although there are not many legitimate uses for .js files sent in an email.

Threat ID   Description
38353       This signature indicates a malicious MSO file is detected
38590       This signature indicates a malicious MSO file is detected
38591       This signature indicates a malicious MSO file is detected
39002       This signature detects a .js, .wsf or .hta file directly sent in an email
39003       This signature detects a .js, .wsf or .hta file in a ZIP folder sent in an email

For more data regarding available Vulnerability signatures, please reference ThreatVault 2.0.
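The two conditions that signatures 39002 and 39003 describe (a script file attached directly, and a script file inside a ZIP attachment) can be reproduced over a MIME message with nothing but the Python standard library, which is useful for testing mail-path controls offline or for a second opinion in a SOC workflow. The block below is an added illustration and is not the vendor's signature logic; the message it builds is constructed, and it treats an attachment as a ZIP by its PK magic rather than by its extension.

```python
"""Script attachments in mail, direct or inside a ZIP (added illustration).

Signatures 39002 and 39003 on the page cover .js, .wsf and .hta files
sent directly in an email and inside a ZIP attachment. This reproduces
the same two checks over a MIME message with the standard library so the
conditions can be exercised offline; it is not the vendor's signature
logic. The message is constructed.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

SCRIPT_EXTENSIONS = (".js", ".wsf", ".hta")


def build_sample_message():
    """Constructed phishing-style mail: a direct .js, a ZIP holding a .wsf, and a PDF."""
    msg = EmailMessage()
    msg["From"] = "billing@sender.example"
    msg["To"] = "user@corp.example"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"var x = 1;", maintype="application",
                       subtype="javascript", filename="invoice.js")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_details.wsf", "<job></job>")
        zf.writestr("readme.txt", "nothing to see")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    return msg.as_bytes()


def is_script_name(name):
    return name.lower().endswith(SCRIPT_EXTENSIONS)


def find_script_attachments(raw_message):
    """Return (direct, zipped): script files attached directly, and script
    members of ZIP attachments as 'zipname:member'. ZIPs are recognised by
    their PK magic, not by the attachment's filename."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    direct, zipped = [], []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if is_script_name(name):
            direct.append(name)
        if payload.startswith(b"PK"):
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    zipped.extend(f"{name}:{m}" for m in zf.namelist()
                                  if is_script_name(m))
            except zipfile.BadZipFile:
                pass   # PK header but not a readable archive; leave to other inspection
    return direct, zipped


def triggered(raw_message):
    """Which checks fire: 'direct-script' (the 39002 case), 'zipped-script' (the 39003 case)."""
    direct, zipped = find_script_attachments(raw_message)
    hits = set()
    if direct:
        hits.add("direct-script")
    if zipped:
        hits.add("zipped-script")
    return hits


if __name__ == "__main__":
    raw = build_sample_message()
    print(find_script_attachments(raw))
    print(sorted(triggered(raw)))
```

Password-protected archives are the gap to keep in mind: the member names are still readable here, but the content is not, which is why the page's file blocking section treats encrypted-zip and encrypted-rar separately.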

2) To prevent the delivery of malicious payloads, PAN-OS has an Anti-Virus scanning engine that can inspect the protocols over which viral content is most commonly transferred: http, smtp, imap, pop3, ftp, and smb. Any Security rule that permits commonly targeted traffic (web browsing to the internet and email access, for example) should have an Anti-Virus profile assigned to it with preventative actions configured in both the Action and WildFire Action columns for the protocols on which they are supported. (See the Prevention - Dynamic Updates section for details on the difference between the two.) (Antivirus Profiles)

3) URL Filtering can be configured to block access to URLs in suspicious categories such as Malware, Phishing, Unknown, Dynamic DNS, Proxy-avoidance, Questionable, and Parked, which prevents a host from reaching out via HTTP to a web server that Palo Alto Networks has seen hosting suspicious content or malware. (From the Experts: URL filtering implementation and troubleshooting)

4) Use the File Blocking functionality of the PAN-OS appliance. PAN-OS is capable of identifying supported file types in data streams and taking action depending on how you have them configured. One common tactic of ransomware (and malware authors in general) is to stand up new infrastructure for delivery, use it for a short amount of time, and then retire it. This defeats reputation-based filtering, as by the time security vendors can classify infrastructure as known malicious, clever threat actors have retired it and are operating elsewhere. One solution to this is to combine File Blocking of common malicious payload types (such as Flash, PDF, Executable, and Office documents) with a Security rule with the Service/URL Category set to "Unknown" and the destination being the public internet. This effectively prevents transfer of common payload types regardless of AV detection, simply because your PAN-OS device does not know the source of the file.

Please note that policy changes of this type should be carefully configured to ensure legitimate traffic is not impacted. As Palo Alto Networks cannot scan company intranet sites, it is important to make sure the URL filtering logs for Unknown category activity are reviewed before enacting a block of this kind, to prevent causing a service outage for internal users. Creating custom URL categories for sites that are not currently categorized by the Palo Alto Networks firewall can prepare you for this step.
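The review of Unknown-category activity recommended above can be done from an exported URL filtering log. The script below is an added example (not from Palo Alto Networks or this page) that groups "unknown" hits by host and distinct user, separates intranet hosts that several people rely on (candidates for a custom URL category) from rarely used intranet hosts that merit a manual look, and lists the external hosts that a block of the category would actually stop. The CSV column layout, the sample rows, and the ".example.internal" intranet suffix are constructed for the example and do not reflect the real PAN-OS URL log field order.

```python
import csv
import io

# Constructed sample of exported URL filtering log rows from an alert-only
# period. The column layout (receive_time,srcuser,url,category,action) is a
# simplified assumption, not the real PAN-OS URL log field order.
SAMPLE_URL_LOG = """receive_time,srcuser,url,category,action
2018/08/01 08:00:01,alice,intranet.example.internal/hr/payroll,unknown,alert
2018/08/01 08:00:05,bob,intranet.example.internal/hr/benefits,unknown,alert
2018/08/01 08:01:10,carol,intranet.example.internal/,unknown,alert
2018/08/01 08:02:00,alice,wiki.example.internal/page/1,unknown,alert
2018/08/01 08:02:30,bob,wiki.example.internal/page/2,unknown,alert
2018/08/01 08:03:00,dave,203.0.113.45/dl/update.exe,unknown,alert
2018/08/01 08:04:00,alice,www.example.com/,business-and-economy,alert
2018/08/01 08:05:00,erin,legacy.example.internal/,unknown,alert
"""

# Constructed: DNS suffixes that identify company intranet sites.
INTERNAL_SUFFIXES = (".example.internal",)


def parse_url_log(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def host_of(url):
    """Host part of a URL-log entry (assumed to be logged without a scheme)."""
    return url.split("/", 1)[0].lower()


def is_internal(host):
    return host.endswith(INTERNAL_SUFFIXES)


def unknown_category_hosts(rows):
    """Per host seen in the 'unknown' category: hit count and distinct users."""
    stats = {}
    for row in rows:
        if row["category"] != "unknown":
            continue
        host = host_of(row["url"])
        entry = stats.setdefault(host, {"hits": 0, "users": set()})
        entry["hits"] += 1
        entry["users"].add(row["srcuser"])
    return stats


def custom_category_candidates(stats, min_users=2):
    """Intranet hosts used by several people: add these to a custom URL
    category so that a later block of 'unknown' does not cut them off."""
    return sorted(
        host for host, e in stats.items()
        if is_internal(host) and len(e["users"]) >= min_users
    )


def low_use_internal(stats, candidates):
    """Intranet hosts below the user threshold; decide on these by hand."""
    return sorted(
        host for host in stats if is_internal(host) and host not in candidates
    )


def would_be_blocked(stats):
    """External hosts still in 'unknown': what the block rule would stop."""
    return sorted(host for host in stats if not is_internal(host))


if __name__ == "__main__":
    stats = unknown_category_hosts(parse_url_log(SAMPLE_URL_LOG))
    cands = custom_category_candidates(stats)
    print("custom URL category candidates:", cands)
    print("intranet hosts to review by hand:", low_use_internal(stats, cands))
    print("external hosts the block would stop:", would_be_blocked(stats))
```

Run it against a real export with the column names adjusted to match your log format; the user threshold is deliberately a parameter, since what counts as "in use" differs between a small office and a large campus.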

Additionally, it may also be relevant to consider blocking certain file types over SMTP, since a significant portion of Ransomware campaigns leverage phishing emails with malicious attachments as an infection vector.

Relevant file types include: All PE file types (exe, cpl, dll, ocx, sys, scr, drv, efi, fon, pif), HLP, LNK, CHM, BAT, VBE.

Blocking or alerting on encrypted file types can also assist in reducing exposure (encrypted-zip).

Alerting on all file types that are not blocked for visibility and log analysis can be useful.

5) Some variants of ransomware reach out to external infrastructure to receive data (such as input from stated infrastructure to generate encryption keys to encrypt your files); as such, it is important to configure an Anti-Spyware profile with a "strict" setting and ensure that it is applied to security rules in which traffic egresses to the public internet.

Additionally, the Anti-Spyware profile contains actions for when Suspicious DNS Queries are detected. The Anti-Virus and Wildfire content contains a list of domains Palo Alto Networks has identified as being potentially associated with malicious traffic; network administrators can block DNS requests to these domains with this profile, or choose to sinkhole the traffic to an internal IP address they have configured for further analysis. Truly dedicated administrators will see the potential here to do some interesting configuration; once one has hijacked DNS and redirected it to a sinkhole, standing up a web server at that IP address can allow the administrator to inspect what may have resulted from a successful DNS lookup. (How to Configure DNS Sinkhole | How to Verify DNS Sinkhole Function is Working | Video Tutorial: How to Configure DNS Sinkhole)

6) If licensed, Wildfire submissions should be configured to allow submission of supported file types to the Wildfire cloud for evaluation. This will allow the Palo Alto Networks firewall to identify new malware variants, create a signature for them, and deliver them in our content updates (See the Prevention - Dynamic Updates section for details on content delivery). (Submit Files for WildFire Analysis | Wildfire Configuration, Testing, and Monitoring)

7) PAN-OS supports the usage of External Dynamic Lists for use in a security rule to prevent communication with destinations based on external reputational sources. While Palo Alto Networks does not currently curate their own list of approved sources, there is an aggregated list of resources for customer consumption available here. (Use a Dynamic Block List in Policy | How to Configure Dynamic Block List (DBL) or External Block List (EBL))

8) Usage of SSL Decryption is an important factor to consider when implementing best practices; none of the above preventions can occur if the data streams traversing the firewall are encrypted and cannot be decrypted for inspection. Anti-Virus inspection will not function on HTTPS streams or encrypted email; URL Filtering is best effort against the common name/SNI on the certificate assigned to the web server; File Blocking cannot occur if PAN-OS cannot identify files due to the protocol they are traversing being encrypted; Wildfire submissions cannot occur if PAN-OS cannot identify supported file types for forwarding due to the protocol they are traversing being encrypted; Vulnerability and Spyware profiles cannot inspect and compare traffic against known signatures if the traffic is encrypted. This makes SSL decryption an integral part of ensuring a network does not have blind spots. (SSL decryption resource list)

9) As much as possible, allow specific applications in the Security rule. If possible, consider blocking 'unknown-tcp' and 'unknown-udp' traffic, and create custom applications for internal applications if needed.

10) AutoFocus (autofocus.paloaltonetworks.com) can be used to better understand the behavior patterns of a particular variant of ransomware. When ransomware detonates, the artifacts it generates both on the host and network side are often unique enough to help identify which type of ransomware it is; this can include the file extension of the encrypted files, the format of the ransom notes that are left with recovery instructions, and C2 traffic to external web hosts, just to name a few. Reviewing common ransomware family tags in AutoFocus can illustrate what is unique to each variant and can help users understand what each variant looks like. Being armed with this knowledge will make a network administrator better prepared to address a potential infection.

AutoFocus can also lend context as to what ransomwares are targeting which organizations, industries, or their peers. This can allow some measure of pro-active data gathering prior to any incident and better prepare administrators to strengthen their defenses in preparation for any future attack.

One might even combine AutoFocus indicators of compromise with other PAN-OS preventative functions like External Dynamic Lists to help increase their security posture. (Tips & Tricks: AutoFocus FAQ | Tips & Tricks: How to Use AutoFocus (with video))

Preventing Ransomware Attacks — Dynamic Updates

Along with properly configuring PAN-OS security profiles, ensuring that the latest content is available on the device will help keep a network safe from the latest threats. (Manage Content Updates)

Palo Alto Networks provides content in numerous forms:

  • For URL Filtering, PAN-DB/BrightCloud lookups occur as URLs are accessed (with caching of them that expires after a period). As such, no scheduled update is required for URL filtering.

  • Anti-Virus updates occur roughly once every 24 hours, publishing early AM PST (Please note that this is an estimate, and the time can shift depending on quality assurance processes). As such, configuring a PAN-OS device to update the Anti-Virus content at least once a day is recommended. Anti-Virus content contains signatures for known malicious files, and the content is generated as a result of Wildfire sandbox analysis of submitted samples. This content ties into the Anti-Virus security profile under the "Action" column.

  • Wildfire updates (if licensed) are available about every 15 minutes. As such, configuring a PAN-OS device to update the Wildfire content as often as possible is recommended; this will ensure the device has the latest signatures at any given time, and keep prevention capabilities up to date. This content ties into the Anti-Virus security profile in the "Wildfire Action" column.

  • Applications and Threats updates occur roughly once every 7 days, releasing Tuesday evening into Wednesday morning (there might be an occasional Emergency Content Update as well between two regular weekly releases). As such, configuring a PAN-OS device to update Applications and Threats at least once a week is recommended. Please note that these packages contain updates to application identification capabilities, and it is recommended that administrators thoroughly review release notes to fully understand any potential impact or configuration changes required before installing the content. The "Threats" portion of this package contains updates to Vulnerability signatures (tying into the Vulnerability Protection security profile) and updates to Spyware signatures (tying into the Anti-Spyware security profile).
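The update cadences listed above translate directly into a freshness check an administrator can run against a firewall's reported content release dates. The script below is an added example (not from Palo Alto Networks or this page): it parses "key: value" lines, computes the age of each content type, and reports anything older than the cadence-derived limit or missing altogether (as Wildfire would be on an unlicensed device). The field names, the sample output, and the slack added to each limit are assumptions made for the example; check them against what your own device reports before relying on the script.

```python
from datetime import datetime

# Maximum acceptable age per content type, derived from the cadences listed
# above (Anti-Virus about daily, Wildfire about every 15 minutes, Applications
# and Threats about weekly) plus constructed slack for publishing delays.
MAX_AGE_SECONDS = {
    "av-release-date": 36 * 3600,
    "wildfire-release-date": 1 * 3600,
    "app-release-date": 8 * 86400,
    "threat-release-date": 8 * 86400,
}

# Constructed sample in a "key: value" shape; the field names are an
# assumption made for this example, not a guaranteed device output format.
SAMPLE_SYSTEM_INFO = """hostname: fw-edge-1
app-release-date: 2018/07/31 16:50:43
av-release-date: 2018/08/01 04:02:33
threat-release-date: 2018/07/31 16:50:43
wildfire-release-date: 2018/08/03 07:45:02
"""

TIMESTAMP_FORMAT = "%Y/%m/%d %H:%M:%S"


def parse_system_info(text):
    """Turn 'key: value' lines into a dict; lines without a colon are ignored."""
    info = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        info[key.strip()] = value.strip()
    return info


def parse_timestamp(value):
    """Parse 'YYYY/MM/DD HH:MM:SS', tolerating a trailing time-zone token."""
    parts = value.split()
    return datetime.strptime(" ".join(parts[:2]), TIMESTAMP_FORMAT)


def content_age_seconds(info, now):
    """Age in whole seconds of each release date present in info, relative to now."""
    now_dt = parse_timestamp(now)
    ages = {}
    for field in MAX_AGE_SECONDS:
        if field in info:
            ages[field] = int((now_dt - parse_timestamp(info[field])).total_seconds())
    return ages


def stale_content(info, now):
    """Fields whose content is older than the recommended maximum age."""
    ages = content_age_seconds(info, now)
    return sorted(f for f, age in ages.items() if age > MAX_AGE_SECONDS[f])


def missing_content_fields(info):
    """Release dates absent from the output, e.g. Wildfire when not licensed."""
    return sorted(f for f in MAX_AGE_SECONDS if f not in info)


if __name__ == "__main__":
    info = parse_system_info(SAMPLE_SYSTEM_INFO)
    now = "2018/08/03 10:30:00"  # constructed 'current time' for the sample
    for field, age in content_age_seconds(info, now).items():
        flag = "STALE" if age > MAX_AGE_SECONDS[field] else "ok"
        print(f"{field}: {age // 3600}h old ({flag})")
    print("missing:", missing_content_fields(info))
```

In the sample, Anti-Virus content is over two days old and Wildfire content nearly three hours old, both beyond their limits, while the weekly Applications and Threats package is within its window. The "now" value is passed in rather than read from the clock so the check is reproducible, which also makes it easy to run against archived output after an incident.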

As a closing note, it is worth mentioning that backups are the best defense against serious impact on a network that has been infected by ransomware. So long as up-to-date and secured backup data is available, remediation after infection will have significantly less strain on afflicted parties and organizations.
