Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Group London

Page 1: Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Group London

Page 2: LIVE COMMUNITY TEAM

PRO TIPS FOR POWER USERS AND THOSE WHO ASPIRE TO BE ONE

Page 3: PRESENTERS

Kim Wens aka @kiwi

Tom Piens aka @reaper

Page 4: HTTPS://LIVE.PALOALTONETWORKS.COM

Page 5: OBJECTIVES

1. Provide critical best practices to improve security posture

2. Give you easy steps to make magic happen

3. Show you where to find more details and where to go if you have questions

Page 6: APPLICATION-DEFAULT

• Enforces applications to use their standard ports

• Prevents applications from running on rogue ports, even in a mixed security policy

Page 7: BLOCK MALICIOUS URL CATEGORIES

Page 8: DNS SINKHOLE

• Block malware before it’s even downloaded, and gain additional visibility on infected systems.
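The visibility point on this slide is easy to miss: the DNS threat event is sourced from the internal resolver, so on its own it never names the infected endpoint; the endpoint's follow-up connection to the sinkhole address does. The script below is an added example (not from the deck, and not PAN-OS code) that walks through that with a constructed, simplified CSV log; the sinkhole address 192.0.2.1 and the host addresses are placeholders.

```python
"""
Added example, not from the slide deck: why a DNS sinkhole turns "we saw a bad
DNS query" into "host X is infected".

Without a sinkhole the firewall only sees the internal DNS resolver asking for the
malicious domain, so the endpoint behind it stays anonymous. With a sinkhole, the
resolver hands the endpoint a sinkhole address instead of the real one, and the
endpoint's follow-up connection to that address names it in the traffic log.
The log format below is a simplified, constructed CSV, not the PAN-OS log schema.
"""
import csv
import io

# Placeholder sinkhole address for this example (TEST-NET-1, not a real sinkhole).
SINKHOLE_IP = "192.0.2.1"

# Constructed sample: one DNS threat event sourced from the resolver (10.0.0.53),
# then the follow-up sessions from the endpoints that received the sinkhole answer.
SAMPLE_LOGS = """\
type,src,dst,dport,info
threat,10.0.0.53,198.51.100.10,53,dns-query:malicious.example
traffic,10.0.5.21,192.0.2.1,443,
traffic,10.0.5.21,93.184.216.34,443,
traffic,10.0.7.9,192.0.2.1,80,
traffic,10.0.5.22,93.184.216.34,443,
"""


def parse_logs(text: str) -> list:
    """Parse the constructed CSV log into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def dns_query_sources(logs: list) -> list:
    """Sources of the DNS threat events: only the resolver shows up here."""
    return sorted({row["src"] for row in logs if row["type"] == "threat"})


def sinkholed_hosts(logs: list, sinkhole_ip: str = SINKHOLE_IP) -> list:
    """Endpoints that connected to the sinkhole address: the machines to remediate."""
    return sorted(
        {row["src"] for row in logs
         if row["type"] == "traffic" and row["dst"] == sinkhole_ip}
    )


if __name__ == "__main__":
    logs = parse_logs(SAMPLE_LOGS)
    print("DNS query seen from:", dns_query_sources(logs))   # resolver only
    print("Hosts hitting sinkhole:", sinkholed_hosts(logs))  # infected endpoints
```

Running it shows the DNS event pointing only at 10.0.0.53 (the resolver), while the traffic rows to the sinkhole name 10.0.5.21 and 10.0.7.9; that second list is what the sinkhole buys you.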

Page 9: UNKNOWN APPLICATIONS

On occasion, the firewall may report an application as unknown for the following reasons:

• Incomplete data—A handshake took place, but no data packets were sent prior to the timeout.

• Insufficient data—A handshake took place followed by one or more data packets; however, not enough data packets were exchanged to identify the application.

Page 10: UNKNOWN APPLICATIONS

• To create a custom application, we need to collect a packet capture and identify a usable pattern
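What "a usable pattern" means in practice: a byte sequence that is identical across every session of the unknown application, long enough to be meaningful, and absent from the traffic you already identify. The following is an added example (not from the deck, and not PAN-OS code) that derives such a candidate from payloads you would pull out of the capture; the ACME-PROTO payloads are invented, and the 7-byte floor is the minimum pattern length PAN-OS accepts for a custom signature.

```python
"""
Added example, not from the slide deck: deriving a candidate signature pattern for a
custom App-ID from payloads pulled out of a packet capture.

The payloads below are constructed; "ACME-PROTO" is an invented protocol. The 7-byte
floor is the minimum pattern length PAN-OS accepts for a custom signature.
"""

# Constructed: first bytes of the client's first data packet in three sessions.
UNKNOWN_APP_PAYLOADS = [
    b"ACME-PROTO/1.0 HELLO client=alpha\r\n",
    b"ACME-PROTO/1.0 HELLO client=bravo\r\n",
    b"ACME-PROTO/1.0 HELLO client=charlie\r\n",
]
# Constructed samples of other traffic the pattern must NOT match.
OTHER_PAYLOADS = [
    b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",  # TLS ClientHello prefix
]
MIN_PATTERN_LEN = 7
_META = set(b"\\.^$*+?{}[]()|")  # regex metacharacters that need escaping


def common_prefix(payloads):
    """Longest byte prefix shared by every captured payload."""
    if not payloads:
        return b""
    first = payloads[0]
    n = 0
    while n < len(first) and all(len(p) > n and p[n] == first[n] for p in payloads):
        n += 1
    return first[:n]


def candidate_pattern(app_payloads, other_payloads, min_len=MIN_PATTERN_LEN):
    """Return a prefix that is stable across the app's sessions, long enough to be
    usable, and absent from the other traffic; None if no such prefix exists."""
    prefix = common_prefix(app_payloads)
    if len(prefix) < min_len:
        return None  # too short: would match far too much
    if any(prefix in other for other in other_payloads):
        return None  # collides with traffic we already identify
    return prefix


def to_pattern_string(raw: bytes) -> str:
    """Render bytes as a regex-style pattern: printable ASCII literal (metacharacters
    escaped), anything else as \\xNN."""
    out = []
    for b in raw:
        if 0x20 <= b < 0x7F:
            ch = chr(b)
            out.append("\\" + ch if b in _META else ch)
        else:
            out.append("\\x%02x" % b)
    return "".join(out)


if __name__ == "__main__":
    pat = candidate_pattern(UNKNOWN_APP_PAYLOADS, OTHER_PAYLOADS)
    print(to_pattern_string(pat) if pat else "no usable pattern")
```

The rejection branches matter as much as the match: a prefix such as `GET /` is shared by many sessions but far too short, and a prefix that also appears in known traffic would make the custom application claim sessions it has no business claiming.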

Page 11: UNKNOWN APPLICATIONS

Page 12: UNKNOWN APPLICATIONS

Page 13: UNKNOWN APPLICATIONS

Page 14: DECRYPTION

• Set a no-decrypt policy for privacy-sensitive categories, but still apply common-sense protection

• Decrypt all other sessions and discover dangers hidden from plain view

Page 15: OVER TO KIM

Page 16: DANGERS TODAY

Page 17: WHY ARE ATTACKERS USING THESE?

• They are effective – big chance you are not blocking these.

• Simple to make

Page 18: ANATOMY OF AN OFFICE ATTACK (Macro driven)

• Create payload and obfuscate

• Check against existing AV signature sets

• Create Macro

• Check against existing AV signature sets

• Craft file with social engineering tactics

• Embed Macro into the Office file format

• Craft email with social engineering tactics

• Deliver via existing infrastructure or subcontract

Page 19: ANATOMY OF AN OFFICE ATTACK (Macro driven)

Page 20: ANATOMY OF AN OFFICE ATTACK (Macro driven)

Page 21: ANATOMY OF AN OFFICE ATTACK (Macro driven)

Page 22: EXPLOIT DRIVEN

• Create payload

• Check against existing AV signature sets

• Exploit a known vulnerability

Page 23: EXPLOIT DRIVEN

MS Word Intruder (MWI). Very efficient. Builds the exe into the actual Word document, where it’s obfuscated and undetectable by many AVs.

Page 24: EXPLOIT DRIVEN

https://viruscheckmate.com/en/check/

Page 25: HOW DOES IT WORK?

[Diagram: Attacker → Target; labelled elements: Decoy Doc, Exploit Doc, Backdoor, Access]

Page 26: PACKET ENCRYPTING

Octopus crypter: one of many crypters, packers, etc. It takes a known exe/file and packs and changes it to a point where AV won’t recognise it anymore.

Page 27: BEST PRACTICES: FILE BLOCKING

• Block

  • Block all PE files (.exe, .cpl, .ocx, .scr, .pif)

  • Block: .hlp, .lnk

  • Reduce the attack surface! Start and combine User-ID and different roles within the organisation

• Encrypted file types:

  • Block or alert on encrypted file types (.zip and .rar). Think about segmentation within the organisation.

• Alert on all other file types for visibility in both directions

• Options: What if I can’t block all executables?

  1. Forward files to WildFire

  2. Continue page – possibility to break up drive-by downloads

Interesting video tutorial on File Blocking:

https://www.youtube.com/watch?v=RsIDpTFAKKA
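A file-blocking profile is only worth the name if it identifies the file by its content, because the attacker chooses the extension. The script below is an added example (not from the deck, and not the firewall's own file-identification code) that classifies constructed byte strings by magic bytes, flags encrypted ZIP entries through the local-file-header flag, and maps the result onto the block/alert guidance on this slide; the policy table and samples are this example's own.

```python
"""
Added example, not from the slide deck: classifying a file by its content rather
than its extension, the way a file-blocking profile has to, and mapping the result
onto the slide's block/alert guidance. Samples are constructed byte strings.
"""
import struct

# Action table following the slide: block PE, block encrypted archives,
# alert on everything else for visibility.
POLICY = {
    "pe": "block",
    "zip-encrypted": "block",
    "zip": "alert",
    "rar": "alert",
    "unknown": "alert",
}


def classify(data: bytes) -> str:
    """Identify the file type from magic bytes; never trust the extension."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:4] == b"PK\x03\x04" and len(data) >= 8:
        # ZIP local file header: bit 0 of the general-purpose flag = encrypted entry
        flags = struct.unpack_from("<H", data, 6)[0]
        return "zip-encrypted" if flags & 0x0001 else "zip"
    if data[:7] == b"Rar!\x1a\x07\x00" or data[:8] == b"Rar!\x1a\x07\x01\x00":
        return "rar"  # RAR4 / RAR5 signatures; encryption needs deeper header parsing
    return "unknown"


def decide(filename: str, data: bytes) -> tuple:
    """Return (detected type, action). The filename is only reported, never used."""
    kind = classify(data)
    return kind, POLICY.get(kind, "alert")


# Constructed samples
PE_DISGUISED = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56   # shipped as .pdf
ZIP_ENCRYPTED = b"PK\x03\x04\x14\x00\x01\x00\x08\x00" + b"\x00" * 20
ZIP_PLAIN = b"PK\x03\x04\x14\x00\x00\x00\x08\x00" + b"\x00" * 20
TEXT = b"just a note\n"

if __name__ == "__main__":
    for name, blob in [("invoice.pdf", PE_DISGUISED), ("docs.zip", ZIP_ENCRYPTED),
                       ("docs.zip", ZIP_PLAIN), ("note.txt", TEXT)]:
        print(name, decide(name, blob))
```

The first sample is the interesting one: an executable delivered as `invoice.pdf` is still blocked, because the decision is taken on the `MZ` header, not on the name.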

Page 28: VULNERABILITY PROTECTION

There are 2 built-in profiles:

• Default: applies the default action to all client and server critical, high, and medium severity vulnerabilities. It does not detect low and informational vulnerability protection events.

• Strict: applies the block response to all client and server critical, high and medium severity spyware events and uses the default action for low and informational vulnerability protection events.

Page 29: VULNERABILITY PROTECTION

Example: Vulnerabilities exploited by MWI

You’ll want to use a strict profile to ensure blocking of vulnerabilities exploited by malicious documents, such as MS Office or RTF vulnerabilities.

Page 30: VULNERABILITY PROTECTION

At this point you’ll be blocking vulnerabilities before WildFire or Traps even comes into play. You’ll be scanning for known vulnerabilities.

Page 31: WILDFIRE

• Forward all PE files, Office documents & URLs to WildFire

• WildFire AV signatures created every 5 mins

• Can be enabled free of charge with 2 limitations.

Page 32: TRAPS

• Multi-Method Malware Prevention

• Multi-Method Exploit Prevention

Lightboard and demonstration:

https://www.youtube.com/watch?v=aXkm55t2h_k

Page 33: AUTOFOCUS/MINEMELD

For those of you who are unfamiliar with AutoFocus: simply put, the service allows you to prioritize advanced, targeted cyber attacks and will help security teams take a more strategic approach to securing their organizations.

https://autofocus.paloaltonetworks.com/

For those who don't know MineMeld, it's a threat intelligence processing framework that can be used to collect, aggregate and generate IOCs and make them available for consumption.

https://live.paloaltonetworks.com/t5/MineMeld/ct-p/MineMeld

Page 34: AUTOFOCUS/MINEMELD

Page 35: AUTOFOCUS/MINEMELD

Correlation between AutoFocus & MineMeld (⌖):

The indicators are managed through the MineMeld application. They will be highlighted throughout AutoFocus with the ⌖ icon. This gives you high confidence that the sample is indeed bad, because it is confirmed by 2 different datasets (AutoFocus & MineMeld).

Page 36: AUTOFOCUS/MINEMELD

Below are just a few of many use cases for which you might find this useful:

• Use miners to get indicators from the SPAMHAUS DROP feed (which is basically a list of bad IP addresses maintained by SPAMHAUS) and transform it for enforcement by your Palo Alto Networks EDL (External Dynamic List) objects.

• Use miners to get Office 365 IP addresses provided by Microsoft and dynamically create an EDL for use in a security policy.

• Provide users the ability to create a custom IoC list from the data collected by AutoFocus (to enrich their own SIEM or enforce it).
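The first use case above is the core of what a miner-to-EDL pipeline does: read a feed, drop comments and malformed entries, deduplicate, and emit one IP or CIDR per line, which is the shape an IP-type External Dynamic List consumes. The script below is an added example (not from the deck, and not MineMeld's code) that does this for a constructed DROP-style feed; the real Spamhaus DROP list uses the same `<cidr> ; <SBL id>` line shape, but the prefixes and SBL ids here are made up, and the exclusion list is this example's own safeguard against accidentally listing your own ranges.

```python
"""
Added example, not from the deck or MineMeld's code: turning a Spamhaus DROP-style
feed into the one-entry-per-line text an IP External Dynamic List expects.
The feed text is constructed (TEST-NET ranges, made-up SBL ids); the real DROP
list uses the same "<cidr> ; <SBL id>" line shape.
"""
import ipaddress

DROP_FEED = """\
; Constructed DROP-style sample for this example
; Last-Modified: never
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
203.0.113.0/24 ; SBL000003
not-a-network ; SBL000004
192.0.2.0/24 ; SBL000001
"""


def parse_drop(text: str):
    """Yield (network, sbl_id) for well-formed lines; skip comments and junk."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        cidr, _, comment = line.partition(";")
        try:
            net = ipaddress.ip_network(cidr.strip(), strict=True)
        except ValueError:
            continue  # malformed entry: drop it rather than poison the list
        yield net, comment.strip()


def build_edl(text: str, exclude=()):
    """Return the EDL body (list of CIDR strings): deduplicated, sorted,
    minus anything overlapping an excluded (e.g. your own) prefix."""
    excluded = [ipaddress.ip_network(e) for e in exclude]
    nets = {net for net, _ in parse_drop(text)
            if not any(net.version == x.version and net.overlaps(x) for x in excluded)}
    # sort by address family first so IPv4 and IPv6 networks never get compared directly
    return [str(n) for n in sorted(nets, key=lambda n: (n.version, n))]


if __name__ == "__main__":
    print("\n".join(build_edl(DROP_FEED, exclude=["203.0.113.0/24"])))
```

The exclusion step is the caveat worth keeping: a feed you enforce automatically can contain a prefix you legitimately use, and an EDL bound to a block rule will act on it the moment the list refreshes.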

Page 37: INTERESTING LINKS ON OUR BLOG

https://live.paloaltonetworks.com/t5/Community-Blog/bg-p/CommunityBlog

https://live.paloaltonetworks.com > Features > Welcome to Live > Community Blog