PAN-OS 8.0: Multi-Method Threat Prevention Is Here!

Scott Simkin


Three major challenges define today’s threat environment: It is easier than ever for attackers to evade detection in virtual environments; bypassing existing command-and-control prevention methods is trivial; and the overload of threat intelligence is proving difficult to manage and turn into actionable prevention controls. The release of PAN-OS 8.0 addresses these challenges and more, removing burden from security staff, and allowing you to break out of the cat-and-mouse game that has played out for years with adversaries.

Problem: Evading VM Analysis Has Been Commoditized

Almost every major security vendor uses the same common open-source virtualization technology as the backbone of its malware analysis environments. This has allowed attackers to profile the virtual environment and craft malware that fails to execute when it is being observed, allowing them to side-step detection. Malware authors look for a variety of factors to make this determination, including:

  • Is there valid user activity, such as keyboard or mouse input?
  • What does the environment look like? Does it appear to be running in a VM on a server?
  • Is there evidence of specific virtualization technology?
  • Are they being watched with analysis instrumentation?

If malware fails to execute, security systems lose the ability to detonate, extract threat intelligence, and develop the best possible prevention mechanisms. In fact, security researchers recently found a vulnerability in most of the underlying virtual technologies behind malware analysis environments, VENOM (CVE-2015-3456), which shed light on the re-use and potential for evasion available to attackers. These telltale signs of the same open-source virtualization technology have made current security tools less effective, resulting in a high return on investment for the attacker, since one threat can be crafted to evade every major system. To successfully prevent these evasive threats, the technology and approach must be able to deal with whole classes of evasion techniques in one fell swoop.

Solution: WildFire, an All-New, Anti-Evasion Malware Analysis Environment

As part of PAN-OS 8.0, WildFire has an all-new, custom-built, anti-evasion malware analysis environment. WildFire has removed all common, open-source virtualization technology within our dynamic analysis engine, replacing it with a VM environment built from the ground-up by Palo Alto Networks. This innovation allows us to deal with entire classes of VM evasion at once, and makes successful attacks much more expensive for attackers, as they can no longer evade detection in WildFire with the same techniques they apply against other security vendors.

There is another element to this equation: No matter how advanced, detection in a virtual environment is never 100 percent for a sufficiently advanced attacker. To combat the small percent of attacks that could potentially evade dynamic analysis, the multi-method protection in WildFire has been extended to the final battleground for VM-aware malware: bare metal. Our new heuristic engine dynamically steers suspicious files to a real hardware execution environment, detecting all VM-aware malware, as the detonation occurs on a real system. These two innovations fundamentally change our ability to provide the best detection, detonation, intelligence extraction and prevention for our customers.

Problem: Ineffective Command-and-Control Prevention

Until today, security vendors generally relied on two classes of command-and-control (C2) prevention: automated and manual. With automated coverage, if an IP, URL, or domain is noted as malicious, a signature will be created and pushed out to block it. These protections cover a lot of ground, but are ultimately ineffective, as today’s malware will often flip C2 infrastructure rapidly, making the static protections invalid. This automated protection will generally be augmented by manual coverage, with a team of human researchers analyzing the payload and manually writing high-quality signatures. While effective at blocking C2 traffic, this is an extremely labor-intensive process that is impossible to scale against the huge volume of attacks seen today.

Solution: Effectiveness With Scale

With PAN-OS 8.0, we are introducing end-to-end automation of the generation, delivery and enforcement of payload-based C2 protections, based on data from WildFire customers. Customers gain the same high-fidelity protections of manual signature generation at machine scale and speed, eliminating the trade-off between quick automated protections, based on URL or DNS, and effective, but low-scale manual signature creation that was the status quo in the security industry.

Problem: A Lot of Threat Data, and a Lack of Context

Shared threat intelligence has been a revolutionary way for security teams to protect against newly identified threats before attackers have a chance to compromise their organizations. But some threat intelligence sources provide only raw Indicators of Compromise (IOCs), without the context needed to help set priority, relevance and validation. This has left security teams struggling to manage multiple sources of threat intelligence, understand where they come from, what their value is and how they all come together. It also falls on them to validate the IOCs as malicious, enrich them with the necessary context and take action on them.

Solution: Automated Action Driven by Correlated Threat Intelligence

The new MineMeld application for AutoFocus allows the easy adoption of multi-source threat intelligence by aggregating any third-party intelligence source into AutoFocus for a consolidated threat feed and indicator management system. MineMeld further enables security teams to correlate, validate, add context, and drive automated prevention across the Palo Alto Networks Next-Generation Security Platform. Using MineMeld, security teams can bring order to threat intelligence, generating tailored feeds for sharing and enforcement across third-party network and endpoint systems, including an extensive partner ecosystem.
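The aggregation, validation and feed-generation workflow described above, as an added example written for this post; it is not MineMeld or AutoFocus code, and the feed names, confidence values and indicators are constructed for illustration.

```python
"""Added example (not MineMeld or AutoFocus code): aggregate several
threat-intelligence feeds, keep per-indicator source context, validate
against an allowlist and emit a plain list suitable for enforcement."""
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample feeds: source name -> (assumed confidence, raw lines).
FEEDS = {
    "vendor_a": (80, ["198.51.100.7", "evil.example", "  203.0.113.9  "]),
    "isac_share": (60, ["EVIL.example", "203.0.113.9", "10.0.0.5"]),
    "osint_blog": (30, ["203.0.113.9", "not an indicator"]),
}
# Indicators never to block, e.g. internal addresses or known-good domains.
ALLOWLIST = {"10.0.0.5"}

def classify(raw):
    """Normalize a raw feed line into (type, value); None if it is not an IOC."""
    value = raw.strip().lower()
    if not value:
        return None
    try:
        ip_address(value)
        return ("ip", value)
    except ValueError:
        pass
    # Minimal domain check: dotted labels with no spaces or empty labels.
    if " " not in value and "." in value and all(value.split(".")):
        return ("domain", value)
    return None

def aggregate(feeds, allowlist):
    """Merge feeds; each indicator keeps the set of sources that reported it
    (the context) and the highest confidence any source assigned."""
    merged = defaultdict(lambda: {"sources": set(), "confidence": 0})
    for source, (confidence, lines) in feeds.items():
        for raw in lines:
            ioc = classify(raw)
            if ioc is None or ioc[1] in allowlist:
                continue  # validation: drop junk and allowlisted values
            entry = merged[ioc]
            entry["sources"].add(source)
            entry["confidence"] = max(entry["confidence"], confidence)
    return dict(merged)

def enforcement_list(merged, ioc_type, min_confidence=50, min_sources=1):
    """Sorted values of one type meeting the thresholds, one per line style."""
    return sorted(v for (t, v), e in merged.items()
                  if t == ioc_type and e["confidence"] >= min_confidence
                  and len(e["sources"]) >= min_sources)
```

Raising `min_sources` is the simplest form of cross-source correlation: an indicator seen by several independent feeds is promoted to the enforcement list, while single-source, low-confidence values stay in the merged store for analyst review.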

PAN-OS 8.0 includes several first-ever innovations focused on advanced threat prevention techniques. The release drives forward our ability to detect and prevent the most evasive threats, block command-and-control traffic in far more effective ways, and allow our customers to gain leverage from any threat intelligence source.

To learn more about the new advanced threat prevention techniques released as part of PAN-OS 8.0, visit:
