Palo Alto Networks Live Community Senior Engineers Tom and Joe present best security practices at the Fuel Spark event in London. For more details, please visit: https://live.paloaltonetworks.com/t5/Community-Blog/Live-Community-team-at-Spark-User-Summit-London/ba-p/153182
5. OBJECTIVES
1. Provide critical best practices to improve security posture
2. Give you easy steps to make magic happen
3. Show you where to find more details and where to go if you have questions
8. DNS SINKHOLE
• Block malware before it is even downloaded, and gain additional visibility on infected systems.
9. UNKNOWN APPLICATIONS
On occasion, the firewall may report an application as unknown for the following reasons:
• Incomplete data: a handshake took place, but no data packets were sent prior to the timeout.
• Insufficient data: a handshake took place followed by one or more data packets; however, not enough data packets were exchanged to identify the application.
10. UNKNOWN APPLICATIONS
• To create a custom application, we need to collect a packet capture and identify a usable pattern
14. DECRYPTION
• Set a no-decrypt policy for privacy-sensitive categories, but still apply common-sense protection
• Decrypt all other sessions and discover dangers hidden from plain view
17. WHY ARE ATTACKERS USING THESE?
• They are effective: there is a good chance you are not blocking these.
• Simple to make
18. ANATOMY OF AN OFFICE ATTACK
Macro driven
• Create payload and obfuscate
• Check against existing AV signature sets
• Create Macro
• Check against existing AV signature sets
• Craft file with social engineering tactics
• Embed Macro into the Office file format
• Craft email with social engineering tactics
• Deliver via existing infrastructure or subcontract
25. HOW DOES IT WORK?
[Diagram: Attacker on one side, Target on the other; labelled elements: Decoy Doc, Exploit Doc, Backdoor, Access]
26. PACKET ENCRYPTING
Octopus crypter: one of many crypters, packers, etc. It takes a known exe/file and packs and changes it to the point where AV no longer recognises it.
27. BEST PRACTICES: FILE BLOCKING
• Block
  • Block all PE files (.exe, .cpl, .ocx, .scr, .pif)
  • Block .hlp and .lnk
• Reduce the attack surface! Start with User-ID and combine it with the different roles within the organisation
• Encrypted file types:
  • Block or alert on encrypted file types (.zip and .rar). Think about segmentation within the organisation.
• Alert on all other file types for visibility in both directions
• Options: what if I can't block all executables?
  • 1. Forward files to WildFire
  • 2. Continue page: a possibility to break up drive-by downloads
Interesting video tutorial on File Blocking:
https://www.youtube.com/watch?v=RsIDpTFAKKA
28. VULNERABILITY PROTECTION
There are 2 built-in profiles:
• Default: applies the default action to all client and server critical, high, and medium severity vulnerabilities. It does not detect low and informational vulnerability protection events.
• Strict: applies the block response to all client and server critical, high and medium severity spyware events and uses the default action for low and informational vulnerability protection events.
29. VULNERABILITY PROTECTION
Example: vulnerabilities exploited by MWI
You'll want to use a strict profile to ensure blocking of vulnerabilities exploited by malicious documents, such as MS Office or RTF vulnerabilities.
30. VULNERABILITY PROTECTION
At this point you'll already be blocking vulnerabilities before WildFire or Traps even comes into play, because you'll be scanning for known vulnerabilities.
31. WILDFIRE
• Forward all PE files, Office documents and URLs to WildFire
• WildFire AV signatures are created every 5 minutes
• Can be enabled free of charge, with 2 limitations.
33. AUTOFOCUS/MINEMELD
For those of you who are unfamiliar with AutoFocus: simply put, the service allows you to prioritize advanced, targeted cyberattacks and helps security teams take a more strategic approach to securing their organizations.
https://autofocus.paloaltonetworks.com/
For those who don't know MineMeld: it's a threat intelligence processing framework that can be used to collect, aggregate and generate IOCs and make them available for consumption.
https://live.paloaltonetworks.com/t5/MineMeld/ct-p/MineMeld
35. AUTOFOCUS/MINEMELD
Correlation between AutoFocus & MineMeld (⌖):
The indicators are managed through the MineMeld application. They will be highlighted throughout AutoFocus with the ⌖ icon. This gives you high confidence that the sample is indeed bad, because it is confirmed by 2 different datasets (AutoFocus & MineMeld).
36. AUTOFOCUS/MINEMELD
Below are just a few of the many use cases for which you might find this useful:
• Use miners to get indicators from the Spamhaus DROP feed (which is basically a list of bad IP addresses maintained by Spamhaus) and transform it for enforcement by your Palo Alto Networks EDL (External Dynamic List) objects.
• Use miners to get the Office 365 IP addresses provided by Microsoft and dynamically create an EDL for use in a security policy.
• Give users the ability to create a custom IoC list from the data collected by AutoFocus (to enrich their own SIEM, or to enforce it).
37. INTERESTING LINKS ON OUR BLOG
https://live.paloaltonetworks.com/t5/Community-Blog/bg-p/CommunityBlog
https://live.paloaltonetworks.com > Features > Welcome to Live > Community Blog
Editor's notes
Part of the Global Customer support organization
Technical content
Technical discussion area
Traditional firewall: http + ssl = unencrypted browsing on port 443;
http + ssh = browsing on port 22, ssh on port 80
The best practice URL Filtering profile sets all known dangerous URL categories to block. These include malware, phishing, dynamic DNS, unknown, proxy-avoidance-and-anonymizers, questionable, extremism, copyright-infringement, and parked. Failure to block these dangerous categories puts you at risk for exploit infiltration, malware download, command and control activity, and data exfiltration.
- Revisit old profiles, as sinkhole used to be disabled by default; new profiles have sinkhole enabled
- You can also add your own External Dynamic List
- Allows for easy tracking of infected hosts in logs
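The tracking mentioned in the last note, as an added example that is not part of the slides: once the sinkhole is active, an infected client resolves the malicious name to the sinkhole address and then tries to connect to it, so the traffic log's source field names the client directly rather than the internal resolver. The log lines are constructed, and SINKHOLE_IP is an assumed placeholder for the address configured in your Anti-Spyware profile.

```python
import csv
from io import StringIO

# Assumed placeholder for the sinkhole address set in the Anti-Spyware profile.
SINKHOLE_IP = "203.0.113.10"

# Constructed, simplified traffic-log extract: time, source, destination, dport, app.
SAMPLE_TRAFFIC_LOG = """\
2017-11-03 10:01:12,10.1.20.15,203.0.113.10,80,web-browsing
2017-11-03 10:01:13,10.1.20.15,203.0.113.10,443,ssl
2017-11-03 10:02:40,10.1.20.88,198.51.100.20,443,ssl
2017-11-03 10:03:05,10.1.30.7,203.0.113.10,8080,unknown-tcp
2017-11-03 10:05:21,10.1.20.15,203.0.113.10,80,web-browsing
"""


def sinkhole_contacts(log_text: str, sinkhole_ip: str = SINKHOLE_IP) -> dict:
    """Group sessions destined to the sinkhole address by source host.

    Without a sinkhole, the only record of a malicious lookup is the DNS query,
    whose source is the internal resolver, so the real client stays hidden.
    With a sinkhole, the client itself connects to the sinkhole address and the
    traffic log's source field identifies the infected host.
    """
    hosts = {}
    for row in csv.reader(StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        ts, src, dst, dport, app = row
        if dst != sinkhole_ip:
            continue
        entry = hosts.setdefault(src, {"first_seen": ts, "sessions": 0, "ports": set(), "apps": set()})
        entry["sessions"] += 1
        entry["ports"].add(int(dport))
        entry["apps"].add(app)
    return hosts


def infected_hosts(log_text: str, sinkhole_ip: str = SINKHOLE_IP) -> list:
    """Sorted list of source addresses that contacted the sinkhole."""
    return sorted(sinkhole_contacts(log_text, sinkhole_ip))


if __name__ == "__main__":
    for host, info in sinkhole_contacts(SAMPLE_TRAFFIC_LOG).items():
        print(f"{host}: {info['sessions']} session(s) since {info['first_seen']}, "
              f"ports {sorted(info['ports'])}, apps {sorted(info['apps'])}")
```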
Best practice is to block all unknown-udp/unknown-tcp as you are not sure what kind of sessions these are and they could be malicious.
For the following example, I will use the HEX value of "2f69 6e66 6f3f 7478 7441 6972 506c 6179 2674 7874 5241 4f50" which is the clear text equivalent of "/info?txtAirPlay&txtRAOP" in my packet capture.
Properties and characteristics: set them so the custom app will match application filters, reporting and the ACC
Scanning ONLY if no app override is enabled: a pattern match is required
If no pattern is available and only the port matches, App-ID will likely match a different app; a pattern gives the most accurate match
A HEX pattern is prefixed with \x to indicate a HEX pattern
- In a cleartext regex, all special characters need to be prefixed by a forward slash to indicate a literal match
- Use the qualifier http-method GET to limit the location of the string
- Common contexts include 'unknown-req-tcp-payload', 'unknown-rsp-tcp-payload', 'http-req-host-headers' and several others, where -req- stands for client requests and -rsp- for server replies
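An added example, not from the slides, that works through the notes above in Python: it decodes the quoted hex dump back to the clear-text request, builds both pattern forms (hex digits wrapped in \x, and clear text with regex metacharacters backslash-escaped, the usual regex escape), enforces the 7-byte minimum PAN-OS places on custom signature patterns, and maps a context name to the side of the session it inspects. The test payload and the helper names are this example's own.

```python
import re

# Hex dump quoted in the speaker notes; decoding it recovers the clear-text request.
NOTES_HEX = "2f69 6e66 6f3f 7478 7441 6972 506c 6179 2674 7874 5241 4f50"

# PAN-OS requires a custom signature pattern of at least 7 bytes.
MIN_PATTERN_BYTES = 7

# Regex metacharacters that must be escaped (with a backslash) for a literal match.
REGEX_METACHARS = set('.^$*+?()[]{}|\\')

# Contexts named in the notes: -req- inspects client requests, -rsp- server replies.
CONTEXT_DIRECTION = {
    "unknown-req-tcp-payload": "client request",
    "unknown-rsp-tcp-payload": "server reply",
    "http-req-host-headers": "client request",
}

def decode_hex_dump(dump: str) -> bytes:
    """Space-separated hex copied from a packet capture -> raw payload bytes."""
    return bytes.fromhex(dump.replace(" ", ""))

def hex_pattern(payload: bytes) -> str:
    """Hex pattern form: the bytes as hex digits wrapped in \\x ... \\x, no spaces."""
    if len(payload) < MIN_PATTERN_BYTES:
        raise ValueError(f"pattern must be at least {MIN_PATTERN_BYTES} bytes, got {len(payload)}")
    return "\\x" + payload.hex() + "\\x"

def literal_pattern(text: str) -> str:
    """Clear-text pattern form: regex metacharacters escaped so the string matches literally."""
    if len(text.encode()) < MIN_PATTERN_BYTES:
        raise ValueError(f"pattern must be at least {MIN_PATTERN_BYTES} bytes, got {len(text.encode())}")
    return "".join("\\" + c if c in REGEX_METACHARS else c for c in text)

def hex_pattern_matches(pattern: str, payload: bytes) -> bool:
    """Interpret a \\x...\\x pattern and test it against a captured payload before committing it."""
    m = re.fullmatch(r"\\x([0-9a-fA-F]+)\\x", pattern)
    if m is None or len(m.group(1)) % 2:
        raise ValueError("not a well-formed hex pattern")
    return bytes.fromhex(m.group(1)) in payload

def context_direction(context: str) -> str:
    """Which side of the session a signature context inspects, from its -req-/-rsp- marker."""
    if context in CONTEXT_DIRECTION:
        return CONTEXT_DIRECTION[context]
    return "client request" if "-req-" in context else "server reply" if "-rsp-" in context else "unknown"

if __name__ == "__main__":
    payload = decode_hex_dump(NOTES_HEX)
    print(payload.decode(), hex_pattern(payload), literal_pattern(payload.decode()), sep="\n")
```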
No decryption for privacy-sensitive sessions like financial services
- Apply checks for 'suspicious' expired certificates or untrusted issuers
Decrypt and block suspicious certificates