Episode Transcript:
John:
Welcome back to another episode of PANCast™.
Today we welcome back Faiz Azmi, who is part of the Threat Support team. Faiz joined us in an episode previously that discusses Anti Virus and an overview of Threat logs. Today he is back for more related to this topic. Welcome back Faiz. Can you give us a quick recap of the previous episode?
Recapping the Previous Episode
Faiz:
Thanks John.
Faiz Azmi is a Staff Cybersecurity Specialist at Palo Alto Networks part of Global Customer Services Support team, Singapore. SME in supporting and assisting our customers in Threat and Wildfire related cases. He is passionate about learning and certified with CISSP, CISM, GCIH, GXPN and GREM.
To recap on the previous episode, our AV capabilities protect users from downloading and uploading malicious files, software, office documents and etcetera. The files are being forwarded and inspected by Wildfire that leads to the creation of an AV signature once malicious verdict is determined. The signatures (which is a byte string pattern) downloaded and installed through Palo Alto Networks AV Content Updates or retrieved via the Wildfire package periodically.
We discussed the differences of the threat logs and we reviewed the concept of True Positives, False Positives and Signature Collision and how to approach each scenario.
John:
Thanks Faiz. So what are we talking about today?
What is Spyware and Vulnerability Protection?
Faiz:
As most probably already know, our App and Threat Dynamic Updates include the new and modified App-IDs (which is the Application Portion). The Threat Portion however, includes the new and modified Threat signatures that provide protection through our Vulnerability and Anti-Spyware Profiles.
As the name suggests, the Vulnerability Profiles include protection for your vulnerable systems and application. It includes exploit patterns and signatures (for example, the famous vulnerability such as Log4j or Microsoft Outlook privilege escalation CVE-2023-23397).
Distinctively, there are 2 portions in the Anti-Spyware profile configuration. One, the signatures that are available to protect against malicious Malware Covert Channel or Command and Control traffic pattern or payload. Another, is specific to DNS protocol configurable under DNS Policies tab.
The DNS Policies settings (within Anti-Spyware Profile) perhaps is a discussion for the next episode. We will explore the differences in the DNS Content vs DNS Security and how it works.
John:
That would be interesting. Circling back on vulnerability and anti-spyware protection. Do our customers need to have decryption enabled to be able to protect vulnerable applications and systems as well as detecting covert channels?
Faiz:
That's a great question. We receive this question often. Most of the exploit happens due to lack of visibility where the Threat Actor is able to establish a foothold in the network by exploiting vulnerable systems. Hence it is important to have decryption enabled.
Once the traffic payload matches the signature, the firewall is able to detect and the action defined in the security profile is taken (Whether to reset, drop or allow such traffic).
John:
Thanks Faiz. Let’s say as a firewall administrator, I often see Threat logs. May be it is a specific vulnerability, threat ID or maybe brute force protection.
When I checked the source IP address and the destination IP address, I considered them as trusted devices. Does that mean that there was an attempt to exploit the system?
Troubleshooting with Vulnerability Logs
Faiz:
Another good question John. Similarly when we discussed the AV logs in the previous episode, we need to have a further understanding of the network and traffic pattern. Although the source and destination may be trusted, our signatures are pattern based with respect to the exploit/vulnerability. Our IPS decoder engine would perform some checking to the payload eventually triggering the signature. There could be a case for False Positives as well as True Positives.
What we often advise our customers is to perform packet capture and review the payload. Once that is done, you may need to work closely with the application owner to understand if the request or response is expected. There’s a possibility that it could be false positive and we need to improve on our signature. If that's the case, please open a Support ticket with Palo Alto TAC.
In the event of true positives, the payload may be matching with a known exploit. For example, a Confluence server that is vulnerable to the OGNL (Object Graph Navigation language - CVE-2022-26134) which allows an unauthenticated attacker to execute code. With the packet capture, you can see the payload if its matching publicly available PoC (Proof-of-Concept). Regardless of where the traffic originated (whether internally, externally or even a trusted IP address), its worth investigating. Take note, IP address can be spoofed to trick administrators that it could be coming from a trusted network.
John:
Does the same approach apply to Anti-Spyware Threat IDs as well? Where can I find more information related to the signatures?
How Do I Approach False-Positive Signatures (Anti-Spyware)?
Faiz:
Yes. The same approach applies. Packet capture is required to understand the traffic payload. In the event of traffic being encrypted, we can either enable Decryption Mirroring or Enable the Extended Threat Capture on the firewall. If you are not aware, Decryption Mirroring requires you to activate it through Customer Support Portal without any additional cost.
The information on all the signatures is available in our ThreatVault by searching by the Threat ID, Threat Name or CVE number.
John:
Great information, thank you Faiz. So to wrap up, what are the key takeaways?
Episode Key Takeaways
Faiz:
It's important to understand and validate the traffic payload to determine if it's a True Positives or False Positives.
Packet capture for the relevant traffic can be helpful in understanding that.
If the packet is encrypted, enable Extended Threat Capture or Decryption Mirroring.
John:
Thanks again Faiz, that was a very informative session. PANCasters, as always for more information related to PANCast, the written transcript and referenced links head to live.paloaltonetworks.com.
Make sure to subscribe and stay tuned as we will have Faiz back in the near future to discuss other types of threat logs.
Bye for now.
