The Power of Palo Alto Networks Threat Prevention Across the Cyberattack Lifecycle

I recently shared examples of how App-ID and User-ID can dramatically reduce the attack surface and provide granular controls to allow exactly what traffic you want on your network. Permitting traffic based on specific applications and users will allow for least privilege controls. This least privilege model also applies to attackers, reducing the potential ways for the attacker to infiltrate and exfiltrate the network.

All of the permitted traffic that gets through needs to be inspected for malicious activity that can be categorized as known and unknown. Known malicious activity includes threats that we as a community already know about and can therefore prevent using some form of a signature, which can be static or dynamic. Unknown malicious activity includes threats that the security vendor and/or community have never seen before. In this post we will provide an example of how threat prevention features in Palo Alto Networks next-generation security platform can help prevent both known and unknown attacks.

To put our example into perspective, let’s look at the taxonomy of how attacks work, also called the attack life cycle, or attack chain. Think of it like you would any other chain: each link represents an opportunity for an attacker – and also an opportunity for you to break the sequence. Each of the five phases covered below offers several opportunities to cut links in the attack chain. Just one cut in the chain will cause that particular attack to fail.

Phase 1: Delivery

During the first phase, the attacker needs to be able to run commands on the initial target system.

The most common way the initial malware, or dropper, is delivered is through phishing attacks. This may include an email with a malicious attachment, or a link to a malicious website that exploits the system just by visiting it. Delivery could also be accomplished by compromising a known and trusted website that the attacker knows the user will visit. The compromised website will be configured to load a malicious website in addition to the legitimate one.

The first stage of the attack will be thwarted by our security platform using:

  • SSL Decryption, which provides visibility into the traffic if it is encrypted. Otherwise we wouldn’t even be able to see if something known and bad is happening.
  • App-ID, which identifies if the attack requires the user to use a specific application that is not permitted, such as a high-risk webmail service.
  • URL Filtering (PAN-DB), which prevents the user from visiting URLs known to host malicious websites.
  • Threat Prevention anti-virus and anti-spyware, which blocks file attachments that are known to be malicious.
  • DNS sinkhole, which takes the resolution of the malicious server and automatically routes it to an address inside the corporate network. This ensures the target computer can’t get to the IP address of the malicious server.
  • WildFire, which takes the attached files and website links and detonates them in a sandbox, effectively going through all of the phases of this attack and analyzing all aspects statically and dynamically. All malicious activity that was once unknown is now considered known, and each component (URL Filtering, Threat Prevention, DNS Sinkhole, etc.) is updated on every Palo Alto Networks appliance.

Phase 2: Exploitation

Once the initial payload has been delivered to the target the attacker will need to exploit a vulnerability on the system to elevate privileges and allow the attacker to run more commands for the next phase. The attacker may have a good exploit for a certain version of a document viewer, a web browser, an email client, etc. For a widespread attack, the attacker will likely include several of these attacks to increase their odds. In a targeted attack, the attacker may be more specific in the exploit they use.

The second stage of the attack will be thwarted by our security platform using:

  • SSL Decryption, which provides visibility into the traffic if it is encrypted.
  • Threat Prevention vulnerability protection, which blocks the known exploit as it traverses the network.
  • Traps, which, if running on the endpoint, blocks any exploit against a vulnerability.

Phase 3: Installation

For the persistent attacker, the third phase of the attack is to fetch and install a secondary payload of more robust software. Once installed this command & control (C2) software will provide the attacker with a communications pathway to the compromised system. The pathway is often web based, but we’ve also seen instances where social media has been used. And historically Internet Relay Chat has been used to communicate with the compromised systems.

The third stage of the attack will be thwarted by our security platform using:

  • SSL Decryption, which provides visibility into the traffic if it is encrypted.
  • DNS sinkhole, which takes the resolution of the malicious server and automatically routes it to an address inside the corporate network. This ensures the target computer can’t get to the IP address of the malicious server.
  • URL Filtering, which blocks the download website of the command & control software.
  • Threat Prevention vulnerability protection, which blocks further known exploits as they traverse the network.
  • Threat Prevention anti-virus and anti-spyware, which blocks known command & control software downloads as they traverse the network.

Phase 4: Command & Control

The second to last stage is for the attacker to establish a pathway of communication between themselves and the compromised host, otherwise referred to as command & control, or C2. Once the command & control software is installed in the previous stage, it will establish the communication channel out of the network. The network traffic will often look like web browsing or otherwise mangled HTTP, SSL-encrypted, unknown/custom TCP or UDP, DNS, or even commonly used SaaS applications like Dropbox and Gmail. With communication established, the attacker will be able to perform their desired tasks: keylogging, password stealing, document stealing, etc.

The fourth stage of the attack will be thwarted by our security platform using:

  • SSL Decryption, which provides visibility into the traffic if it is encrypted.
  • DNS sinkhole, which takes the resolution of the malicious server and automatically routes it to an address inside the corporate network. This ensures the target computer can’t get to the IP address of the malicious server.
  • URL Filtering, which blocks the known command & control server address.
  • Threat Prevention anti-virus and anti-spyware, which blocks known command & control software traffic as it traverses the network.
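The DNS sinkhole bullet above (it appears identically in phases 1, 3 and 5) describes two things at once: the resolver answers a known-malicious name with an address inside the corporate network so the real C2 server is never reached, and, because that address is internal, any host that then tries to connect to it identifies itself as compromised. The following is an added example that models that behaviour in plain Python; it is not Palo Alto Networks code, and the blocklist, the sinkhole address, the upstream answers and the client addresses are all constructed for the demonstration.

```python
"""Toy DNS sinkhole resolver (constructed example, not Palo Alto Networks code)."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed: an otherwise unused address inside the corporate network. Pointing
# blocked names here keeps the infected host from reaching the real server and
# makes its later connection attempts show up in internal flow logs.
SINKHOLE_IP = "10.200.0.254"


class SinkholeResolver:
    def __init__(self, blocklist: Set[str], upstream: Dict[str, str],
                 sinkhole_ip: str = SINKHOLE_IP) -> None:
        self.blocklist = {d.lower().rstrip(".") for d in blocklist}
        self.upstream = upstream            # stand-in for real recursive resolution
        self.sinkhole_ip = sinkhole_ip
        self.hits: Dict[str, List[str]] = defaultdict(list)   # client -> names asked

    def _is_blocked(self, name: str) -> bool:
        # A blocked zone covers itself and every subdomain beneath it.
        labels = name.lower().rstrip(".").split(".")
        return any(".".join(labels[i:]) in self.blocklist for i in range(len(labels)))

    def resolve(self, client_ip: str, name: str) -> Optional[str]:
        """Answer a query; blocked names get the sinkhole address and are logged."""
        if self._is_blocked(name):
            self.hits[client_ip].append(name.lower().rstrip("."))
            return self.sinkhole_ip
        return self.upstream.get(name.lower().rstrip("."))   # None models NXDOMAIN

    def infected_hosts(self) -> List[str]:
        """Hosts that asked for a blocked name, i.e. the machines to go and look at."""
        return sorted(self.hits)


def hosts_reaching_sinkhole(flows: List[Tuple[str, str]],
                            sinkhole_ip: str = SINKHOLE_IP) -> List[str]:
    """Second signal from firewall flow logs: any source talking to the sinkhole IP.

    Each flow is (src_ip, dst_ip). Only RFC 1918-looking sources are reported,
    since the sinkhole address should never be reachable from outside.
    """
    internal = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")
    return sorted({src for src, dst in flows if dst == sinkhole_ip and internal.match(src)})


def build_demo_resolver() -> SinkholeResolver:
    """Constructed blocklist and upstream table for the demonstration."""
    return SinkholeResolver(
        blocklist={"malicious-example.test"},
        upstream={"www.example.com": "198.51.100.10"},   # TEST-NET-2, constructed
    )


if __name__ == "__main__":
    r = build_demo_resolver()
    print(r.resolve("10.1.1.17", "c2.malicious-example.test"))   # sinkhole address
    print(r.resolve("10.1.1.20", "www.example.com"))             # normal answer
    print(r.infected_hosts())
```

The value of returning an internal address rather than simply refusing the query is the second function: the firewall sees the follow-up connection to the sinkhole and the source of that flow is the compromised host, which is exactly the information the incident responder needs in the next phase.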

Phase 5: Actions on Objectives

Finally, the attacker can do whatever they planned to do with the host: use it as a spam bot, capture the user or application passwords, steal credit card or social security data, you get the idea.

The fifth stage of the attack will be thwarted by our security platform using:

  • SSL Decryption, which provides visibility into the traffic if it is encrypted.
  • DNS sinkhole, which takes the resolution of the malicious server and automatically routes it to an address inside the corporate network. This ensures the target computer can’t get to the IP address of the malicious server.
  • URL Filtering, which blocks the known command & control server address.
  • Proper egress security policies, which prevent the traffic from leaving the environment. For example the attacker may attempt to use FTP (yes, it still happens all the time) to copy large volumes of data out of the environment. If the FTP application isn’t explicitly allowed, the data dump will fail, even if they try to use another TCP port to make the connection.
  • Threat Prevention anti-virus and anti-spyware, which blocks known command & control software traffic as it traverses the network.
  • Data Filtering, which alerts and/or prevents data leaving the environment under certain conditions. If we see a single social security number over web browsing, that may be a user doing something personal. If we see 20 or more, that is likely someone stealing the social security numbers of our employees.
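The Data Filtering bullet describes a count-based verdict: one social security number in a web session is probably personal, twenty or more is probably theft. The following is an added example of that logic written in plain Python; it is not Palo Alto Networks code, and the SSN pattern, the alert threshold of one, the sample payloads and the block threshold (the post's figure of 20) are the assumptions it makes.

```python
"""Count-threshold data filter for US social security numbers (constructed example,
not Palo Alto Networks code)."""
import re

# Assumed SSN shape: AAA-GG-SSSS, rejecting area 000/666/9xx, group 00 and serial 0000,
# which are never issued and would otherwise inflate the count with junk matches.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

ALERT_AT = 1    # assumption: a single SSN is worth a log entry, nothing more
BLOCK_AT = 20   # from the post: 20 or more in one session is likely exfiltration


def count_ssn(payload: str) -> int:
    """Number of well-formed SSNs in a decrypted request or response body."""
    return len(SSN_RE.findall(payload))


def data_filter_verdict(payload: str, alert_at: int = ALERT_AT, block_at: int = BLOCK_AT) -> str:
    """Return 'allow', 'alert' or 'block' for one session body."""
    n = count_ssn(payload)
    if n >= block_at:
        return "block"
    if n >= alert_at:
        return "alert"
    return "allow"


def constructed_dump(n: int) -> str:
    """Constructed stand-in for an HR export being posted out of the network."""
    rows = [f"employee{i},{100 + i:03d}-{10 + i:02d}-{1000 + i:04d}" for i in range(n)]
    return "\n".join(rows)


if __name__ == "__main__":
    personal = "support ticket: my SSN is 123-45-6789, please update my record"
    print(count_ssn(personal), data_filter_verdict(personal))        # 1 alert
    print(count_ssn(constructed_dump(25)), data_filter_verdict(constructed_dump(25)))  # 25 block
```

Two points the code makes visible: the filter only works on traffic that has already been decrypted, which is why SSL Decryption appears at the top of every one of these lists, and the thresholds are a policy decision, so the numbers belong in configuration rather than in the matching logic.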

Rinse and Repeat

All of those steps are required to compromise a single system. The initial system may be a laptop that doesn’t have the targeted data on it. This is the point where the attacker will need to move laterally in the environment to find a system that can provide elevated access. This could mean the attacker has to go through all of these steps several times to get to the target.

The effect of having a platform like Palo Alto Networks is that each stage of the attack has a very good probability of being prevented. When our platform has not seen any component of the attack before, WildFire will turn that unknown into a known within five minutes, cutting the attacker off at any of the stages.

Now is the time to take inventory of your environment. Do you have a system to deal with each of these phases in an automated way today? Protecting our digital way of life is important, and that means protecting our data. Even the companies we work for store our names, addresses, social security/insurance numbers, bank account information, emergency contacts, and the list goes on. We all have something to protect.

Take a look at our in-depth guide to learn how to configure your Palo Alto Networks appliances to take advantage of what I shared above. If you would like to see how your network is currently standing up against today’s threats, please allow us to demonstrate at no charge by signing up for your free security risk assessment.
