topic Re: How to block malware getting executed?. in General Topics

How to block malware getting executed?.

Raja3000 — Mon, 13 Jan 2020 12:30:14 GMT

I would like to block malware files. On my gateway firewall, what filetypes should I block? . If I block only exe/DLL files getting dowloaded, will it help to avoid final malware getting executed ? What I would like to understand is, even if I allow communication with Command and Control (C2) servers, if I block executable/dll files, will it really block malware ultimate purpose?. Final payload will be only executable like exe/dll?

Re: How to block malware getting executed?.

OtakarKlier — Mon, 13 Jan 2020 17:21:46 GMT

Hello,

Unfortunately this is a complicated answer. The best defense is a multi-layered one. While the PAN is a great platform, it should not be the only defense you have. I always tell folks the following:

Use a secure DNS provider such as OpenDNS, TitanHQ, or Quad9. Even PAN has one now.
Secure your boarder, i.e. use a PAN and configure all options, App/Threat, Wildfire/ etc.
- Block all non-essential inbount traffic with Layer7
- Block all outbound non-esesntial traffic with layer7, URL filtering, ssl decryption, etc.
on the endpoint:
- Use an next gen AV product, i.e. Traps, FireAmp, etc.
- Get logging and telemetry from the endpoint, FireAMP has this built it, CB Response is another
Segment your network, zero-trust is a great option.
Get Netflow data
Use a SIEM to bring all logs together for analysis
- ELK has been doing great work in this area, they have a SIEM module now.
TEST!
- make sure you are getting logging/blocking, etc!
- Atomic RedTeam
- MonkeyIsland
- Nessus
Remember that security is not a destination, its a circular journey

I'm sure I might have missed some areas, so I'm interested in what others post as well.

Re: How to block malware getting executed?.

MP18 — Mon, 13 Jan 2020 18:08:36 GMT

Also configure the DNS sinkhole under the Anti spyware profile.

Rest mostly Okta covered.

Re: How to block malware getting executed?.

OtakarKlier — Mon, 13 Jan 2020 18:20:35 GMT

There are also applications such as CB Protect that white list what can be run/executed on a work station. That way if its not on the white list, it wont execute.

Re: How to block malware getting executed?.

RobinClayton — Tue, 14 Jan 2020 09:22:47 GMT

To elaborate on the above consider this scenario.

Your end user downloads a seemingly malignant file that the PA has no signature for [yet].

12 hours later that malignant file is found to have malicious payload and PA create a signature for it. So do Sophos, MacAfee, etc etc..

13 hours later it the file activates on your network. You don't have AV/Malware protection on the endpoints.

14 hours later your packing your desk.....

So as OtK points out, it's a multi layer approach. It's always best to block as close to "SOURCE" as possible, but there needs to be the extra layers and indeed different methods of detection, selecting products from differing vendors who may get an update to you quicker than one of your others.

Rob

Re: How to block malware getting executed?.

Raja3000 — Wed, 15 Jan 2020 16:25:30 GMT

Thanks OtakarKlier