LIVE COMMUNITY TEAM
PRO TIPS FOR POWER USERS AND
THOSE WHO ASPIRE TO BE ONE
PRESENTERS
Kim Wens aka
@kiwi
Tom Piens aka
@reaper
HTTPS://LIVE.PALOALTONETWORKS.COM
OBJECTIVES
1. Provide critical best practices to improve security posture
2. Give you easy steps to make magic happen
3. Show you where to find more details and where to go if
you have questions
APPLICATION-DEFAULT
• Enforces applications to use their standard ports
• Prevents applications from running on rogue ports, even
in a mixed security policy
BLOCK MALICIOUS URL CATEGORIES
DNS SINKHOLE
• Block malware before it is even downloaded and gain
additional visibility into infected systems.
UNKNOWN APPLICATIONS
On occasion, the firewall may report an application as
unknown for the following reasons:
• Incomplete data—A handshake took place, but no data
packets were sent prior to the timeout.
• Insufficient data—A handshake took place followed by
one or more data packets; however, not enough data
packets were exchanged to identify the application.
• To create a custom application, we need to collect a
packet capture and identify a usable pattern
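An added illustration (not code from the presentation) of that last step: once you have pulled the first data-packet payload of several sessions out of the capture, derive the byte prefix they all share as a candidate pattern, then check it is long enough (the 7-byte minimum PAN-OS imposes on custom signature patterns is assumed here) and does not also match other traffic. All payloads below are constructed.

```python
# Constructed first-data-packet payloads from several sessions of the same
# unidentified application (what you would extract from the packet capture).
UNKNOWN_APP_PAYLOADS = [
    b"ACMEPROTO/1.0 HELLO node=alpha\r\n",
    b"ACMEPROTO/1.0 HELLO node=bravo\r\n",
    b"ACMEPROTO/1.0 HELLO node=charlie\r\n",
]

# Constructed payloads of other traffic that the signature must NOT match,
# so the custom app does not steal sessions from known apps.
OTHER_PAYLOADS = [
    b"GET / HTTP/1.1\r\nHost: example.test\r\n",
    b"ACME 2 0 ping\r\n",
]

# Assumed minimum pattern length for a PAN-OS custom signature.
MIN_PATTERN_LEN = 7


def common_prefix(payloads):
    """Return the longest byte prefix shared by every sample payload."""
    if not payloads:
        return b""
    prefix = payloads[0]
    for p in payloads[1:]:
        n = 0
        while n < min(len(prefix), len(p)) and prefix[n] == p[n]:
            n += 1
        prefix = prefix[:n]
    return prefix


def candidate_pattern(unknown, others, min_len=MIN_PATTERN_LEN):
    """Return the shared prefix as a usable signature pattern, or None when it
    is too short or would also match one of the 'other' payloads."""
    prefix = common_prefix(unknown)
    if len(prefix) < min_len:
        return None
    if any(o.startswith(prefix) for o in others):
        return None
    return prefix


def matches(pattern, payload):
    """True when a session's first payload would hit the candidate pattern."""
    return payload.startswith(pattern)
```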
DECRYPTION
• Set a no-decrypt policy for privacy-sensitive categories, but
still apply common-sense protection
• Decrypt all other sessions and discover dangers hidden
from plain view
OVER TO KIM
DANGERS TODAY
WHY ARE ATTACKERS USING THESE?
• They are effective: there is a big chance you are not blocking these.
• Simple to make
ANATOMY OF AN OFFICE ATTACK
Macro driven
• Create payload and obfuscate
• Check against existing AV signature sets
• Create Macro
• Check against existing AV signature sets
• Craft file with social engineering tactics
• Embed Macro into the Office file format
• Craft email with social engineering tactics
• Deliver via existing infrastructure or subcontract delivery
EXPLOIT DRIVEN
• Create payload
• Check against existing AV signature sets
• Exploit a known vulnerability
MS Word Intruder (MWI): very efficient. It builds the exe into the
actual Word document, where it is obfuscated and
undetectable by many AVs.
https://viruscheckmate.com/en/check/
HOW DOES IT WORK?
[Diagram: Attacker and Target, with the labels Decoy Doc, Exploit Doc, Backdoor and Access]
PACKET ENCRYPTING
Octopus crypter: one of many crypters, packers, etc. It takes a
known exe/file and packs and changes it to a point where AV won't
recognise it anymore.
BEST PRACTICES: FILE BLOCKING
• Block
  • Block all PE files (.exe, .cpl, .ocx, .scr, .pif)
  • Block .hlp and .lnk files
  • Reduce the attack surface! Start with User-ID and combine it with the
    different roles within the organisation
• Encrypted file types:
  • Block or alert on encrypted file types (.zip and .rar). Think about
    segmentation within the organisation.
• Alert on all other file types for visibility in both directions
• Options: what if I can't block all executables?
  1. Forward files to WildFire
  2. Continue page: gives the possibility to break up drive-by downloads
Interesting video tutorial on File Blocking:
https://www.youtube.com/watch?v=RsIDpTFAKKA
VULNERABILITY PROTECTION
There are 2 built-in profiles:
• Default: applies the default action to all client and server critical,
high, and medium severity vulnerabilities. It does not detect low and
informational vulnerability protection events.
• Strict: applies the block response to all client and server critical, high
and medium severity vulnerability protection events and uses the default
action for low and informational vulnerability protection events.
Example: vulnerabilities exploited by MWI (MS Word Intruder)
You'll want to use a strict profile to ensure blocking of vulnerabilities exploited
by malicious documents, such as MS Office or RTF vulnerabilities.
At this point you'll be blocking known vulnerabilities before
WildFire or Traps even come into play: you'll be scanning for known
vulnerabilities.
WILDFIRE
• Forward all PE files, Office documents & URLs to WildFire
• WildFire AV signatures created every 5 mins
• Can be enabled free of charge with 2 limitations.
TRAPS
• Multi-Method Malware Prevention
• Multi-Method Exploit Prevention
Lightboard and demonstration:
https://www.youtube.com/watch?v=aXkm55t2h_k
AUTOFOCUS/MINEMELD
For those of you who are unfamiliar with AutoFocus: simply put, the
service allows you to prioritize advanced, targeted cyber attacks and
helps security teams take a more strategic approach to securing their
organizations.
https://autofocus.paloaltonetworks.com/
For those who don't know MineMeld, it's a threat intelligence processing
framework that can be used to collect, aggregate and generate IOCs and
make them available for consumption.
https://live.paloaltonetworks.com/t5/MineMeld/ct-p/MineMeld
Correlation between AutoFocus & MineMeld (⌖):
The indicators are managed through the MineMeld application. They will
be highlighted throughout AutoFocus with the ⌖ icon. This gives you high
confidence that the sample is indeed bad because it is confirmed by 2
different datasets (AutoFocus & MineMeld).
Below are just a few of many use cases for which you might find this
useful:
• Use miners to get indicators from the SPAMHAUS Drop feed (which
is basically a list of bad IP addresses maintained by SPAMHAUS)
and transform it for enforcement by your Palo Alto Networks EDL
(External Dynamic List) objects.
• Use miners to get Office 365 IP addresses provided by Microsoft and
dynamically create an EDL for use in a security policy.
• Provide users the ability to create a custom IoC list from the data as
collected by AutoFocus (to enrich their own SIEM or enforce it).
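An added example, not part of the presentation or of MineMeld itself, of the transformation the first use case describes: parsing text in the Spamhaus DROP layout (one network per line with a "; SBLnnn" trailer, and ";"-prefixed comment lines) into entries an EDL object can consume. The feed sample and its SBL references are constructed, and the EDL format is assumed to be one network per line with no trailing comment.

```python
import ipaddress

# Constructed sample in the Spamhaus DROP text layout. Networks are
# documentation ranges and the SBL references are made up.
DROP_FEED_SAMPLE = """\
; Spamhaus DROP List - constructed sample for this example
; Last-Modified: Mon, 01 Jan 2018 00:00:00 GMT
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
203.0.113.0/25 ; SBL000003
not-an-address ; SBL000004
192.0.2.0/24 ; SBL000005
"""


def parse_drop_feed(text):
    """Yield (network, sbl_ref) tuples, skipping comment lines, blank lines
    and entries that are not valid CIDR networks (a poisoned or truncated
    feed must not produce garbage the firewall then fails to load)."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        addr, _, trailer = line.partition(";")
        try:
            net = ipaddress.ip_network(addr.strip(), strict=True)
        except ValueError:
            continue
        yield net, trailer.strip()


def to_edl(text):
    """Render the feed as EDL entries: one CIDR per line, de-duplicated and
    sorted, with the SBL trailer dropped so every line is a plain network."""
    nets = {net for net, _ in parse_drop_feed(text)}
    ordered = sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return [str(n) for n in ordered]


if __name__ == "__main__":
    print("\n".join(to_edl(DROP_FEED_SAMPLE)))
```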
INTERESTING LINKS ON OUR BLOG
https://live.paloaltonetworks.com/t5/Community-Blog/bg-p/CommunityBlog
https://live.paloaltonetworks.com > Features > Welcome to Live > Community Blog