I recently shared examples of how App-ID and User-ID can dramatically reduce the attack surface and provide granular controls to allow exactly what traffic you want on your network. Permitting traffic based on specific applications and users will allow for least privilege controls. This least privilege model also applies to attackers, reducing the potential ways for the attacker to infiltrate and exfiltrate the network.
All of the permitted traffic that gets through needs to be inspected for malicious activity, which can be categorized as known or unknown. Known malicious activity includes threats that we as a community already know about and can therefore prevent using some form of signature, which can be static or dynamic. Unknown malicious activity includes threats that the security vendor and/or community have never seen before. In this post we will provide an example of how the threat prevention features in the Palo Alto Networks next-generation security platform can help prevent both known and unknown attacks.
To put our example into perspective, let’s look at the taxonomy of how attacks work, also called the attack life cycle, or attack chain. Think of it like you would any other chain: each link represents an opportunity for an attacker – and also an opportunity for you to break the sequence. Each of the five phases covered below offers several opportunities to cut links in the attack chain. Just one cut in the chain will cause that particular attack to fail.
During the first phase, the attacker needs to be able to run commands on the initial target system.
The most common way the initial malware, or dropper, is delivered is through phishing attacks. This may include an email with a malicious attachment, or a link to a malicious website that exploits the system just by visiting it. Delivery could also be accomplished by compromising a known and trusted website that the attacker knows the user will visit. The compromised website will be configured to load a malicious website in addition to the legitimate one.
The first stage of the attack will be thwarted by our security platform using:
Once the initial payload has been delivered to the target the attacker will need to exploit a vulnerability on the system to elevate privileges and allow the attacker to run more commands for the next phase. The attacker may have a good exploit for a certain version of a document viewer, a web browser, an email client, etc. For a widespread attack, the attacker will likely include several of these attacks to increase their odds. In a targeted attack, the attacker may be more specific in the exploit they use.
The second stage of the attack will be thwarted by our security platform using:
SSL Decryption, which provides visibility into the traffic if it is encrypted.
For the persistent attacker, the third phase of the attack is to fetch and install a secondary payload of more robust software. Once installed this command & control (C2) software will provide the attacker with a communications pathway to the compromised system. The pathway is often web based, but we’ve also seen instances where social media has been used. And historically Internet Relay Chat has been used to communicate with the compromised systems.
The third stage of the attack will be thwarted by our security platform using:
The second-to-last stage is for the attacker to establish a pathway of communication between themselves and the compromised host, otherwise referred to as command & control, or C2. Once the command & control software is installed in the previous stage, it will establish the communication channel out of the network. The network traffic will often look like web-browsing or otherwise mangled HTTP, SSL-encrypted traffic, unknown/custom TCP or UDP, DNS, or even commonly used SaaS applications like Dropbox and Gmail. With communication established, the attacker will be able to perform their desired tasks: keylogging, password stealing, document stealing, etc.
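As an added example (not code from the original post or from Palo Alto Networks), the following Python applies the least-privilege idea from the start of the post to the C2 traffic patterns just described: outbound flows are checked against a per-group application allowlist, and traffic that App-ID could not identify, SaaS applications the group is not permitted to use, or "web-browsing" on a non-standard port is denied and annotated. The log format, user groups, application names and policy are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed least-privilege policy: which applications each user group may use outbound.
ALLOWED_APPS = {
    "finance": {"web-browsing", "ssl", "dns"},
    "engineering": {"web-browsing", "ssl", "dns", "ssh"},
}
# Traffic the application identifier could not classify: custom/unknown protocols.
UNKNOWN_APPS = {"unknown-tcp", "unknown-udp"}
# Ports on which an identified application is expected; anything else is treated as mangled.
STANDARD_PORTS = {"web-browsing": {80, 8080}, "ssl": {443}, "dns": {53}}


@dataclass
class Flow:
    user: str
    group: str
    dst: str
    dport: int
    app: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed log line of the form user,group,dst,dport,app."""
    user, group, dst, dport, app = line.strip().split(",")
    return Flow(user, group, dst, int(dport), app)


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason) for a single outbound flow under the constructed policy."""
    if flow.app in UNKNOWN_APPS:
        return "deny", "unidentified application (possible custom C2 protocol)"
    if flow.app not in ALLOWED_APPS.get(flow.group, set()):
        return "deny", f"{flow.app} not permitted for group {flow.group}"
    expected = STANDARD_PORTS.get(flow.app)
    if expected and flow.dport not in expected:
        return "deny", f"{flow.app} on non-standard port {flow.dport}"
    return "allow", "matches least-privilege policy"


def review_log(text: str) -> list[tuple[str, str, str, str]]:
    """Evaluate every flow in a constructed log; returns (user, app, verdict, reason) tuples."""
    return [(f.user, f.app, *evaluate(f)) for f in map(parse_flow, text.strip().splitlines())]


# Constructed sample log: one normal flow per user plus the C2-like patterns from the post.
SAMPLE_LOG = """
alice,finance,203.0.113.10,443,ssl
alice,finance,203.0.113.20,4444,unknown-tcp
bob,engineering,203.0.113.30,22,ssh
bob,engineering,203.0.113.40,8443,web-browsing
carol,finance,203.0.113.50,443,dropbox
"""
```

Running `review_log(SAMPLE_LOG)` denies the unknown-tcp flow, the web-browsing flow on port 8443 and the Dropbox flow, while the SSL and SSH flows are allowed.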
The fourth stage of the attack will be thwarted by our security platform using:
Finally, the attacker can do whatever they planned to do with the host: use it as a spam bot, capture user or application passwords, steal credit card or social security data, you get the idea.
The fifth stage of the attack will be thwarted by our security platform using:
All of those steps are required to compromise a single system. The initial system may be a laptop that doesn’t have the targeted data on it. This is the point where the attacker will need to move laterally in the environment to find a system that can provide elevated access. This could mean the attacker has to go through all of these steps several times to get to the target.
The effect of having a platform like Palo Alto Networks is that each stage of the attack has a very good probability of being prevented. When our platform has not seen any component of the attack before, WildFire will turn that unknown into a known within five minutes, cutting the attacker off at any of the stages.
Now is the time to take inventory of your environment. Do you have a system to deal with each of these phases in an automated way today? Protecting our digital way of life is important, and that means protecting our data. Even the companies we work for store our names, addresses, social security/insurance numbers, bank account information, emergency contacts, and the list goes on. We all have something to protect.
Take a look at our in-depth guide to learn how to configure your Palo Alto Networks appliances to take advantage of what I shared above. If you would like to see how your network is currently standing up against today’s threats, please allow us to demonstrate at no charge by signing up for your free security risk assessment.