
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Group London

Palo Alto Networks Live Community Senior Engineers Tom and Joe present best security practices at the Fuel Spark event in London. For more details, please visit: https://live.paloaltonetworks.com/t5/Community-Blog/Live-Community-team-at-Spark-User-Summit-London/ba-p/153182

  1. LIVE COMMUNITY TEAM: PRO TIPS FOR POWER USERS AND THOSE WHO ASPIRE TO BE ONE
  2. PRESENTERS: Kim Wens (aka @kiwi) and Tom Piens (aka @reaper)
  3. HTTPS://LIVE.PALOALTONETWORKS.COM
  4. OBJECTIVES
     1. Provide critical best practices to improve security posture
     2. Give you easy steps to make magic happen
     3. Show you where to find more details and where to go if you have questions
  5. APPLICATION-DEFAULT
     • Forces each application to use its standard port(s): set the service on allow rules to application-default instead of any
     • Prevents applications from running on non-standard ("rogue") ports, even in a mixed security policy
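A quick way to check an existing policy for this, as an added example that is not part of the slides: the script below parses an exported PAN-OS configuration and reports every allow rule whose service is `any` or a hand-made service object instead of `application-default`. The sample config is constructed, and the `devices/entry/vsys/entry/rulebase/security/rules` path is assumed from the standard firewall running-config layout (pass the `<config>` element of your own export).

```python
import xml.etree.ElementTree as ET

# Constructed config fragment in the layout of a PAN-OS running-config export
# (assumption: security rules sit under devices/entry/vsys/entry/rulebase/security/rules).
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <rulebase><security><rules>
      <entry name="allow-web">
        <application><member>web-browsing</member><member>ssl</member></application>
        <service><member>application-default</member></service>
        <action>allow</action>
      </entry>
      <entry name="allow-web-any-port">
        <application><member>web-browsing</member></application>
        <service><member>any</member></service>
        <action>allow</action>
      </entry>
      <entry name="allow-ssh-custom-port">
        <application><member>ssh</member></application>
        <service><member>tcp-2222</member></service>
        <action>allow</action>
      </entry>
      <entry name="deny-all">
        <application><member>any</member></application>
        <service><member>any</member></service>
        <action>deny</action>
      </entry>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>"""

RULES_XPATH = "./devices/entry/vsys/entry/rulebase/security/rules/entry"


def audit_service_settings(config_xml):
    """Return {rule name: reason} for allow rules that do not use application-default."""
    root = ET.fromstring(config_xml)
    findings = {}
    for rule in root.findall(RULES_XPATH):
        if rule.findtext("action") != "allow":
            continue                      # deny/drop rules do not widen the attack surface
        services = [m.text for m in rule.findall("./service/member")]
        apps = [m.text for m in rule.findall("./application/member")]
        if "application-default" in services:
            continue                      # the recommended setting
        if "any" in services:
            findings[rule.get("name")] = (
                "service any: %s allowed on every port" % ", ".join(apps))
        else:
            findings[rule.get("name")] = (
                "explicit service %s: confirm %s really needs a non-standard port"
                % (", ".join(services), ", ".join(apps)))
    return findings


if __name__ == "__main__":
    for name, reason in audit_service_settings(SAMPLE_CONFIG).items():
        print("%-22s %s" % (name, reason))
```

Rules with an explicit service object are reported as well as `any`: a rule allowing `ssh` on `tcp-2222` is sometimes legitimate, but it deserves the same review as a service-any rule, because it is exactly the kind of exception that lets an application run on a port the App-ID database does not expect.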
  6. BLOCK MALICIOUS URL CATEGORIES
  7. DNS SINKHOLE
     • Block malware before it is even downloaded, and gain additional visibility of infected systems: the infected host itself, not the internal DNS resolver, shows up as the source of the connections to the sinkhole address
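The visibility part is worth showing concretely, as an added example that is not part of the slides. Once the Anti-Spyware profile answers a malicious DNS query with the sinkhole address, the original requester tries to connect to that address and the session shows up in the traffic log with the real client as the source. The script groups such sessions by client. The sinkhole address (a documentation-range address is assumed here; use the one configured in your profile) and the trimmed-down CSV rows are constructed; a real traffic-log export has many more columns, so adjust the column names.

```python
import csv
import io
from collections import defaultdict

# Assumption: the address configured as the sinkhole in the Anti-Spyware profile.
# It must be an otherwise unused address that clients route through the firewall,
# so that the follow-on connection is actually seen and logged.
SINKHOLE_IP = "198.51.100.7"

# Constructed, trimmed-down traffic-log rows (the real CSV export has many more columns).
SAMPLE_TRAFFIC_LOG = """receive_time,src,dst,dport,app,action
2016/05/12 09:01:12,10.1.1.25,198.51.100.7,80,web-browsing,allow
2016/05/12 09:01:15,10.1.1.25,198.51.100.7,443,ssl,allow
2016/05/12 09:02:40,10.1.2.8,198.51.100.7,80,web-browsing,allow
2016/05/12 09:03:01,10.1.1.25,93.184.216.34,443,ssl,allow
2016/05/12 09:04:19,10.1.3.77,198.51.100.7,8080,unknown-tcp,allow
2016/05/12 09:05:02,10.1.1.53,8.8.8.8,53,dns,allow
"""


def infected_hosts(log_text, sinkhole_ip=SINKHOLE_IP):
    """Group traffic-log rows whose destination is the sinkhole by source host.

    Every source address returned here resolved a malicious domain and then tried
    to reach it. The internal resolver (10.1.1.53 above) never appears, because only
    the original requester connects to the sinkhole address.
    """
    hits = defaultdict(lambda: {"sessions": 0, "first_seen": None, "ports": set()})
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["dst"] != sinkhole_ip:
            continue
        host = hits[row["src"]]
        host["sessions"] += 1
        host["ports"].add(int(row["dport"]))
        if host["first_seen"] is None:
            host["first_seen"] = row["receive_time"]
    return dict(hits)


if __name__ == "__main__":
    for src, info in sorted(infected_hosts(SAMPLE_TRAFFIC_LOG).items()):
        print("%-12s sessions=%d first_seen=%s ports=%s"
              % (src, info["sessions"], info["first_seen"], sorted(info["ports"])))
```

The same list is easy to produce in the GUI by filtering the traffic log on the sinkhole address as destination; the point of scripting it is to feed the source addresses to a ticketing or isolation workflow.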
  8. UNKNOWN APPLICATIONS
     On occasion the firewall may report an application as unknown for the following reasons:
     • Incomplete data: a handshake took place, but no data packets were sent before the timeout.
     • Insufficient data: a handshake took place, followed by one or more data packets, but not enough data was exchanged to identify the application.
  9. UNKNOWN APPLICATIONS
     • To create a custom application, collect a packet capture and identify a usable pattern in the session payload
  10. UNKNOWN APPLICATIONS (no slide text)
  11. UNKNOWN APPLICATIONS (no slide text)
  12. UNKNOWN APPLICATIONS (no slide text)
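Finding that pattern by hand in a capture is tedious, so here is an added example (not from the slides) that does the first pass: it reads a libpcap file without any third-party library, records the first data-bearing payload of each TCP flow, and computes the longest byte prefix shared by all client-to-server sessions towards a given server port. That prefix is a candidate pattern for a custom App-ID signature. The capture is constructed inside the script (a made-up protocol called `MYPROTO` on tcp/9100 plus one HTTP request that must not pollute the result); point `first_payloads` at your own capture bytes instead. The 7-byte minimum is the shortest pattern PAN-OS accepts in a custom signature.

```python
import struct

# Constructed sessions: three clients speaking a made-up protocol ("MYPROTO") to
# server port 9100, plus one ordinary HTTP request that must not pollute the pattern.
SESSIONS = [
    ("10.1.1.5", 40001, "192.0.2.10", 9100, b"MYPROTO/1.0 HELLO alice\r\n"),
    ("10.1.1.6", 40002, "192.0.2.10", 9100, b"MYPROTO/1.0 HELLO bob\r\n"),
    ("10.1.1.7", 40003, "192.0.2.10", 9100, b"MYPROTO/1.0 HELLO carol\r\n"),
    ("10.1.1.5", 40004, "192.0.2.11", 80, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
]


def build_pcap(sessions):
    """Write a libpcap file with one data-bearing TCP segment per session.

    Checksums are left at zero: the parser below never validates them."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, (src, sport, dst, dport, payload) in enumerate(sessions):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), i, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp          # dummy MACs, EtherType IPv4
        out += struct.pack("<IIII", 1463000000 + i, 0, len(frame), len(frame)) + frame
    return out


def first_payloads(pcap):
    """Map (src, sport, dst, dport) -> first non-empty TCP payload seen in that direction."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[magic]
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    flows, off = {}, 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4
        ip = frame[14:]
        ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0], ip[9]
        if proto != 6:
            continue                                   # not TCP
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]             # skip the TCP header (data offset)
        if payload:
            key = (".".join(map(str, ip[12:16])), sport, ".".join(map(str, ip[16:20])), dport)
            flows.setdefault(key, payload)             # keep only the first data segment
    return flows


def candidate_pattern(flows, server_port, min_len=7):
    """Longest byte prefix shared by every client->server first payload to server_port.

    Returns None when fewer than two sessions were seen or the prefix is shorter than
    min_len bytes (PAN-OS refuses custom patterns shorter than 7 bytes)."""
    blobs = [p for (_, _, _, dport), p in flows.items() if dport == server_port]
    if len(blobs) < 2:
        return None
    prefix = blobs[0]
    for blob in blobs[1:]:
        n = 0
        while n < min(len(prefix), len(blob)) and prefix[n] == blob[n]:
            n += 1
        prefix = prefix[:n]
    return prefix if len(prefix) >= min_len else None


if __name__ == "__main__":
    flows = first_payloads(build_pcap(SESSIONS))
    print("pattern for tcp/9100:", candidate_pattern(flows, 9100))
```

Treat the output as a starting point only: a prefix such as `MYPROTO/1.0 HELLO ` should be checked against captures from several clients and against traffic that must not match, and the signature should be tied to the first packet of the session so that the firewall can identify the application before the unknown-application timeout described on slide 8.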
  13. DECRYPTION
     • Set a no-decrypt policy for privacy-sensitive categories, but still apply common-sense protection to those sessions
     • Decrypt all other sessions and discover the dangers hidden from plain view
  14. OVER TO KIM
  15. DANGERS TODAY
  16. WHY ARE ATTACKERS USING THESE?
     • They are effective: there is a big chance you are not blocking these
     • Simple to make
  17. ANATOMY OF AN OFFICE ATTACK (macro driven)
     • Create the payload and obfuscate it
     • Check it against existing AV signature sets
     • Create the macro
     • Check it against existing AV signature sets
     • Craft the file using social engineering tactics
     • Embed the macro into the Office file format
     • Craft the email using social engineering tactics
     • Deliver via existing infrastructure, or subcontract delivery
  18. ANATOMY OF AN OFFICE ATTACK (macro driven; no slide text)
  19. ANATOMY OF AN OFFICE ATTACK (macro driven; no slide text)
  20. ANATOMY OF AN OFFICE ATTACK (macro driven; no slide text)
  21. EXPLOIT DRIVEN
     • Create the payload
     • Check it against existing AV signature sets
     • Exploit a known vulnerability
  22. EXPLOIT DRIVEN: Microsoft Word Intruder (MWI). Very efficient: it builds the executable into the actual Word document, where it is obfuscated and undetectable by many AV engines.
  23. EXPLOIT DRIVEN: https://viruscheckmate.com/en/check/ (a multi-engine scanning service used for the "check against existing AV signature sets" steps above)
  24. HOW DOES IT WORK? (diagram: the attacker sends the target an exploit document carrying a decoy document; the exploit installs a backdoor, which gives the attacker access)
  25. PACKING / ENCRYPTING: Octopus crypter, one of many crypters and packers, takes a known executable or file and packs and alters it to the point where AV no longer recognises it.
  26. BEST PRACTICES: FILE BLOCKING
     • Block all PE files (.exe, .cpl, .ocx, .scr, .pif)
     • Block .hlp and .lnk
     • Reduce the attack surface: start with User-ID and combine it with the different roles within the organisation, so that only the roles that need a file type receive it
     • Encrypted file types: block or alert on encrypted archives (.zip and .rar); think about segmentation within the organisation
     • Alert on all other file types, for visibility in both directions
     • What if I can't block all executables? Two options:
       1. Forward the files to WildFire
       2. Use the continue page, which makes the user click through and so breaks up drive-by downloads
     Interesting video tutorial on file blocking: https://www.youtube.com/watch?v=RsIDpTFAKKA
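The firewall's file blocking identifies file types by content, not by the extension in the file name, which is why a PE renamed to `invoice.pdf` is still blocked. As an added example (not from the slides) that covers this slide and the macro-driven attack on slides 17 to 22, the script below performs the same kind of identification on a handful of constructed samples: a PE with a PDF name, an OOXML document with and without an embedded `vbaProject.bin` (the container of the VBA macro from slide 17), an encrypted ZIP, a RAR archive and plain text. The policy table is an assumption in the spirit of the slide and should be adjusted per role and segment.

```python
import io
import struct
import zipfile


def is_pe(data):
    """True if the bytes carry an MZ stub pointing at a PE signature, whatever the name says."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(data):
    """Return one of: pe, rar, zip-encrypted, ooxml-macro, ooxml, zip, other."""
    if is_pe(data):
        return "pe"
    if data[:7] in (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01"):   # RAR 4.x / 5.x signatures
        return "rar"
    if data[:4] != b"PK\x03\x04":
        return "other"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        names = [zi.filename for zi in infos]
    if any(zi.flag_bits & 0x1 for zi in infos):        # general-purpose bit 0 = encrypted
        return "zip-encrypted"
    if "[Content_Types].xml" not in names:
        return "zip"
    if any(n.lower().endswith("vbaproject.bin") for n in names):   # OOXML with a VBA project
        return "ooxml-macro"
    return "ooxml"


# Assumption: a policy in the spirit of the slide above. Adjust per role/segment.
POLICY = {"pe": "block", "rar": "block", "zip-encrypted": "block",
          "ooxml-macro": "forward-to-wildfire", "ooxml": "alert", "zip": "alert", "other": "alert"}


def decide(data):
    kind = classify(data)
    return kind, POLICY[kind]


# ---- constructed samples -------------------------------------------------------
def _zip_of(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries:
            zf.writestr(name, body)
    return buf.getvalue()


def _mark_encrypted(zip_bytes):
    """Set the 'encrypted' flag in the first local header and the central directory
    (enough for a one-entry constructed sample; the payload itself is not encrypted)."""
    b = bytearray(zip_bytes)
    b[6] |= 0x01                                       # local file header, flags field
    cd = b.find(b"PK\x01\x02")
    b[cd + 8] |= 0x01                                  # central directory header, flags field
    return bytes(b)


SAMPLES = {
    # a PE renamed to look like a PDF: the MZ/PE headers give it away
    "invoice.pdf": b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20,
    "notes.docx": _zip_of([("[Content_Types].xml", b"<Types/>"), ("word/document.xml", b"<w:document/>")]),
    "macro.docm": _zip_of([("[Content_Types].xml", b"<Types/>"), ("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")]),
    "archive.zip": _zip_of([("readme.txt", b"hello")]),
    "secret.zip": _mark_encrypted(_zip_of([("payload.bin", b"hello")])),
    "old.rar": b"Rar!\x1a\x07\x00" + b"\x00" * 16,
    "plain.txt": b"just text\n",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print("%-12s %-14s %s" % ((name,) + decide(body)))
```

The encrypted-ZIP check reads only the general-purpose flag in the archive headers, which is all an inline device can do without the password: the content stays opaque, which is exactly why the slide says to block or at least alert on those files rather than pretend to scan them.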
  27. VULNERABILITY PROTECTION
     There are 2 built-in profiles:
     • default: applies the default action to all client and server critical, high and medium severity vulnerabilities. It does not detect low and informational vulnerability protection events.
     • strict: applies the block response to all client and server critical, high and medium severity vulnerabilities, and uses the default action for low and informational vulnerability protection events.
  28. VULNERABILITY PROTECTION. Example: vulnerabilities exploited by MWI. You will want to use the strict profile to ensure blocking of the vulnerabilities exploited by malicious documents, such as MS Office or RTF vulnerabilities.
  29. VULNERABILITY PROTECTION. At this point you are already blocking known vulnerabilities before WildFire or Traps even come into play: the firewall is scanning for known exploits in transit.
  30. WILDFIRE
     • Forward all PE files, Office documents and URLs to WildFire
     • WildFire AV signatures are created every 5 minutes
     • Can be enabled free of charge, with 2 limitations
  31. TRAPS
     • Multi-Method Malware Prevention
     • Multi-Method Exploit Prevention
     Lightboard and demonstration: https://www.youtube.com/watch?v=aXkm55t2h_k
  32. AUTOFOCUS/MINEMELD
     For those of you who are unfamiliar with AutoFocus: simply put, the service allows you to prioritize advanced, targeted cyber attacks and helps security teams take a more strategic approach to securing their organizations. https://autofocus.paloaltonetworks.com/
     For those who don't know MineMeld: it is a threat intelligence processing framework that collects, aggregates and generates IOCs and makes them available for consumption. https://live.paloaltonetworks.com/t5/MineMeld/ct-p/MineMeld
  33. AUTOFOCUS/MINEMELD (no slide text)
  34. AUTOFOCUS/MINEMELD
     Correlation between AutoFocus and MineMeld (⌖): indicators are managed through the MineMeld application and are highlighted throughout AutoFocus with the ⌖ icon. This gives you high confidence that the sample is indeed bad, because it is confirmed by 2 different datasets (AutoFocus and MineMeld).
  35. AUTOFOCUS/MINEMELD
     Below are just a few of the many use cases for which you might find this useful:
     • Use miners to get indicators from the Spamhaus DROP feed (basically a list of bad IP ranges maintained by Spamhaus) and transform it for enforcement by your Palo Alto Networks EDL (External Dynamic List) objects.
     • Use miners to get the Office 365 IP addresses provided by Microsoft and dynamically create an EDL for use in a security policy.
     • Give users the ability to create a custom IoC list from the data collected by AutoFocus (to enrich their own SIEM or to enforce it).
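To make the first two use cases concrete, here is an added example (not from the slides, and not MineMeld's own code) of the transformation a miner-plus-output pipeline performs: it parses a Spamhaus DROP excerpt and an Office 365 endpoint JSON excerpt and renders each as the one-entry-per-line text an IP-type or URL-type EDL fetches. Both inputs are constructed; the DROP line format (`network ; SBL reference`, `;` comments) matches the published feed, while the Office 365 JSON shape (a list of objects with `ips`, `urls` and `required` keys) is an assumption about Microsoft's endpoint service. A deliberately malformed DROP line shows why every entry is validated before it reaches the firewall.

```python
import ipaddress
import json

# Constructed excerpt in the format of https://www.spamhaus.org/drop/drop.txt
# ("network ; SBL reference", comments start with ';'); one malformed line added on purpose.
SPAMHAUS_DROP_SAMPLE = """; Spamhaus DROP List 2016/05/12 - (c) 2016 The Spamhaus Project
; https://www.spamhaus.org/drop/drop.txt
1.10.16.0/20 ; SBL256894
1.32.128.0/18 ; SBL286275
5.134.128.0/19 ; SBL270738
not-an-address ; SBL000000
"""

# Constructed excerpt shaped like Microsoft's Office 365 endpoint JSON
# (assumption: a list of objects with "ips", "urls" and "required" keys).
O365_SAMPLE = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "urls": ["outlook.office.com"],
     "ips": ["13.107.6.152/31", "2603:1006::/40"], "required": True},
    {"id": 2, "serviceArea": "SharePoint", "urls": ["*.sharepoint.com"],
     "ips": ["13.107.136.0/22"], "required": True},
    {"id": 3, "serviceArea": "Skype", "urls": ["*.lync.com"],
     "ips": ["13.107.64.0/18"], "required": False},
])


def parse_spamhaus_drop(text):
    """Return (networks, rejected_lines); anything that is not a valid CIDR is rejected."""
    networks, rejected = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        cidr = line.split(";", 1)[0].strip()
        try:
            networks.append(ipaddress.ip_network(cidr, strict=False))
        except ValueError:
            rejected.append(line)          # never let garbage into an enforcement list
    return networks, rejected


def parse_o365(json_text, required_only=True):
    """Return (networks, urls) from the endpoint JSON, optionally only 'required' endpoints."""
    networks, urls = [], []
    for ep in json.loads(json_text):
        if required_only and not ep.get("required", False):
            continue
        networks += [ipaddress.ip_network(ip, strict=False) for ip in ep.get("ips", [])]
        urls += ep.get("urls", [])
    return networks, urls


def render_ip_edl(networks):
    """One entry per line, duplicates and overlaps collapsed, as an IP-type EDL expects."""
    v4 = sorted(ipaddress.collapse_addresses(n for n in networks if n.version == 4))
    v6 = sorted(ipaddress.collapse_addresses(n for n in networks if n.version == 6))
    return "".join("%s\n" % n for n in v4 + v6)


def render_url_edl(urls):
    """One URL or wildcard pattern per line, as a URL-type EDL expects."""
    return "".join("%s\n" % u for u in sorted(set(urls)))


if __name__ == "__main__":
    drop, bad = parse_spamhaus_drop(SPAMHAUS_DROP_SAMPLE)
    print("# block list (reference it from a deny rule)\n" + render_ip_edl(drop))
    print("# rejected lines:", bad)
    o365_ips, o365_urls = parse_o365(O365_SAMPLE)
    print("# Office 365 allow list\n" + render_ip_edl(o365_ips) + render_url_edl(o365_urls))
```

Keep the two lists in separate EDL objects and separate rules: the DROP output belongs in a deny rule, the Office 365 output in an allow rule that still restricts applications, and neither should ever be concatenated with the other. Collapsing overlapping prefixes also keeps the entry count down, which matters because the number of EDL entries a firewall accepts depends on the platform.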
  36. INTERESTING LINKS ON OUR BLOG
     https://live.paloaltonetworks.com/t5/Community-Blog/bg-p/CommunityBlog
     https://live.paloaltonetworks.com > Features > Welcome to Live > Community Blog
