Wall's Week - January 29th, 2019


Read about DNS Flag Day, how to build an IPSec tunnel between two firewalls, email alerting with Traps TMS, why to consider Mitre's ATT&CK Framework, and some good tips.




DNS Flag Day is Feb 1st – Are You Ready?

How to Build an IPSec Tunnel Between Two Palo Alto Networks Firewalls

Email Alerting Now Available with Traps TMS

Why Consider Mitre’s ATT&CK Framework?

TIP: What Does TTP and TLP: Green/Red/Amber Mean Anyway?

TIP: Passphrases and Entropy



DNS Flag Day is Feb 1st – Are You Ready?

The short explanation is that many DNS servers in use today do not fully conform to DNS standards that have been in place for a long time, in particular EDNS (Extension Mechanisms for DNS, RFC 6891, first published in 1999), which lets a client and a server negotiate features beyond the original 512-byte UDP message. Until now, resolver software has carried workarounds for authoritative servers that ignore or mishandle EDNS queries; those workarounds slow resolution down (retries and timeouts) and make the resolvers easier to abuse. We've seen it many times. On (or around) Feb 1st, the major resolver vendors and public DNS providers (listed here) will remove those workarounds and stop accommodating non-compliant DNS implementations. EDNS itself is nothing new, but it was never really enforced by the larger DNS providers until now.


There are a couple of areas where this could affect your organization: your authoritative DNS servers and your perimeter firewall. You can test both in just a couple of minutes.


To test your domain's authoritative DNS servers, click here, go to "I'm a domain holder" and enter your company's domain. A green result means your authoritative servers answer EDNS queries correctly and there is nothing to do. A warning means your domain will still resolve after the flag day, but some optional EDNS features are not handled correctly and may cause problems as resolvers start relying on them. A failed result means resolution of your domain is likely to break once the workarounds are removed. In every case you are given a link to a detailed report listing what needs to be fixed; the fix is usually a software update on the authoritative server or a change on the firewall in front of it.


The other area to test is the perimeter firewall. The concern here is whether your firewall passes DNS messages over UDP that are larger than 512 bytes. Classic DNS limited UDP replies to 512 bytes; with EDNS the client advertises the size it can accept in an OPT pseudo-record (4096 bytes is a common value, and 8192 is what the test below was able to reach). Some firewalls, or overly strict DNS application policies, fragment or, worse, drop these larger replies. But don't worry if you are on a Palo Alto Networks release of PAN-OS 8.0 or greater, as the larger EDNS messages are supported.


There are a couple of ways to test through your firewall. The OARC test answers with the size of the largest reply your resolver was able to receive, so it measures the path between your resolver and the Internet; run it from a host that uses a resolver sitting behind the firewall you want to check.

  • Use dig on a macOS or Linux host
    • dig +short rs.dns-oarc.net TXT
      • If the results are good, you will see something similar to the following (a reply much larger than 512 bytes):
        • DNS reply size limit is at least 8192
  • Use nslookup on a Windows host (two options listed below)
    1. nslookup -type=TXT rs.dns-oarc.net
      • If the results are good, you will see something similar to the following (a reply much larger than 512 bytes):
        • DNS reply size limit is at least 8192
      • You could see results stating that EDNS works but is limited (much smaller than 8192 bytes), which usually means something on the path caps or fragments large replies:
        • DNS reply size limit is at least 1382 bytes
      • If the results are not good (replies at 512 bytes max, i.e., the resolver is not sending EDNS at all):
        • lacks EDNS, defaults to 512
    2. nslookup -type=TXT rs.dns-oarc.net.
      • The trailing dot marks the name as fully qualified so Windows does not append your DNS search suffixes to it; the result is read the same way, and a good one might look like this:
        • DNS reply size limit is at least 4694
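To see what the firewall actually has to let through, here is an added example (not part of the original post and not a vendor tool) that builds the same kind of query dig sends, with an EDNS0 OPT pseudo-record advertising a 4096-byte UDP payload, and parses a reply to report whether EDNS came back and what size was advertised. The sample reply is constructed by hand so the check runs offline; live_query() sends the real query to a resolver of your choice.

```python
"""EDNS query builder and reply checker (added example, RFC 6891 wire format).
build_query()  - DNS query with an OPT record advertising udp_payload bytes.
parse_reply()  - reports EDNS presence, advertised payload size, TXT answers.
live_query()   - sends the query to a resolver over UDP (needs network).
The sample reply below is constructed for the demonstration, not captured."""
import socket
import struct

TYPE_TXT, TYPE_OPT = 16, 41


def encode_name(name):
    """Encode a dotted name as DNS labels; a trailing dot is optional."""
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(qname, qtype=TYPE_TXT, udp_payload=4096, txid=0x1234):
    """Recursive query for qname/qtype plus an OPT record in the additional
    section advertising udp_payload bytes (udp_payload=0 disables EDNS)."""
    arcount = 1 if udp_payload else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)     # class IN
    opt = b""
    if udp_payload:
        # OPT: root name, TYPE=41, CLASS carries the UDP payload size,
        # TTL carries extended RCODE/version/flags (all zero), no RDATA.
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, 0, 0)
    return header + question + opt


def skip_name(msg, pos):
    """Return the offset just past the name at pos, honouring compression."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends name
            return pos + 2
        pos += 1 + length


def parse_reply(msg):
    """Walk a DNS message; report EDNS presence, the advertised payload size
    and the TXT strings in the answer section."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4    # skip QTYPE and QCLASS
    report = {"id": txid, "rcode": flags & 0xF, "edns": False,
              "udp_payload": None, "txt": []}
    for section, count in (("an", an), ("ns", ns), ("ar", ar)):
        for _ in range(count):
            pos = skip_name(msg, pos)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
            rdata = msg[pos + 10:pos + 10 + rdlen]
            pos += 10 + rdlen
            if rtype == TYPE_OPT:
                report["edns"] = True
                report["udp_payload"] = rclass   # CLASS field = UDP payload size
            elif rtype == TYPE_TXT and section == "an":
                i = 0
                while i < len(rdata):            # TXT RDATA is <len><chars>...
                    n = rdata[i]
                    report["txt"].append(rdata[i + 1:i + 1 + n].decode(errors="replace"))
                    i += 1 + n
    return report


def live_query(resolver, qname="rs.dns-oarc.net", udp_payload=4096, timeout=5):
    """Send the EDNS query to a resolver over UDP and parse what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, udp_payload=udp_payload), (resolver, 53))
        data, _ = s.recvfrom(65535)
    return parse_reply(data)


def build_sample_reply():
    """Constructed reply in the shape of the OARC test answer: one TXT record
    plus an OPT record advertising 4096 bytes. Not captured traffic."""
    text = b"203.0.113.5 DNS reply size limit is at least 4090"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)   # QR, RD, RA
    question = encode_name("rs.dns-oarc.net") + struct.pack("!HH", TYPE_TXT, 1)
    rdata = bytes([len(text)]) + text
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_TXT, 1, 60, len(rdata)) + rdata
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)
    return header + question + answer + opt


if __name__ == "__main__":
    print(parse_reply(build_sample_reply()))
```

A reply that comes back without the OPT record ("edns": False) means something between you and the authoritative server stripped or refused EDNS; a reply whose TXT text reports a limit well below the 4096 you advertised means large replies are being truncated or fragmented on the path, which is exactly the firewall problem described above.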



How to Build an IPSec Tunnel Between Two Palo Alto Networks Firewalls

I came across an article written by a FUEL User Group member and wanted to pass it along. It is a step-by-step configuration example with screenshots. Many new Palo Alto Networks customers need to do this on day one and will find it useful.

Click here for the article.



Email Alerting Now Available with Traps TMS

Email alerting is now live for Traps TMS. The alerts are not configured in Traps itself but in the Log Forwarding app in the application portal. During the configuration, select Traps as the Log Vendor, then define the filters for the alerts you wish to receive.

See the documentation for step-by-step instructions along with screenshots.



Why Consider Mitre’s ATT&CK Framework?

You may be wondering why Mitre chose the "&" instead of the letter "A". It seems that "Mitre Attack" was already a registered trademark for a soccer ball (a different Mitre: mitre.com, the sporting-goods company, vs. mitre.org). What is Mitre's ATT&CK framework and why should companies adopt it? The letters give some explanation as to what it is:

  • A – Adversary
  • T – Tactic
  • T – Technique
  • &CK – And Common Knowledge


Tactics and Techniques describe what adversaries do, at a different level than Lockheed Martin's Cyber Kill Chain. The Kill Chain is high level, and although its phases imply a strict order (do step 1, then step 2, then step 3), real intrusions do not follow it as a script: phases get skipped, repeated or run in parallel, and there are many ways malware can be delivered.


In ATT&CK, a tactic is the adversary's objective at a given point in the intrusion (the "why"), and the techniques listed under it are the ways of achieving it (the "how"). Initial access: how are they getting inside the network? Persistence: how do they maintain their presence and keep malware running? Privilege escalation: how do they move from one privilege level to a higher one? The Kill Chain's delivery and exploitation phases map to the Initial Access tactic in the ATT&CK model. Mitre defines roughly 10 techniques for this specific tactic: spearphishing with an attachment, spearphishing with a link, hardware additions (a rogue device introduced into the environment; the recent board-assembly stories out of China are the widely cited example), drive-by compromise (watering hole), exploitation of a public-facing application, use of valid accounts, and more.


For each technique Mitre provides a description, examples of the groups and software observed using it, and references to the public reporting. Overall, about 190 techniques were defined at the time of writing, and more are added as new attack techniques are documented. Shared terminology helps with automation: every vendor and analyst can refer to the same technique by the same ID. Mitre is a not-for-profit that competes with no security vendor, so it makes a good neutral source. By contrast, Lockheed Martin came up with the Kill Chain and then trademarked the name, so every vendor calls its own version something different. That is not good for automation and sharing, because the terms are not unified.


While ATT&CK is lower level than the Kill Chain, it is not as specific as individual IOCs (the artifacts attackers leave behind during an attack: hashes, domains, IP addresses). Attackers may use the same technique but leave very different IOCs behind; in spearphishing with a link, for example, the link itself differs between attackers, and usually between campaigns of the same attacker. Both IOCs and well-defined techniques are important: IOCs for fast, exact matching, techniques for coverage that survives the attacker changing infrastructure.


Why use Mitre’s ATT&CK?

  • It gives you and all of your vendors the same terminology.
  • It helps you structure a security gap analysis.
    • If you know the playbook of techniques your adversary uses, you can compare it with how well you defend against each technique on each surface (network, SaaS, host, public cloud).
    • Do you have the right controls in place to prevent or, better yet, block those activities? At a minimum, you need the visibility to detect them.
  • It makes the common attack techniques easier to see.
    • The more we learn about our attackers' techniques, the easier it becomes to see the commonality between them. Then you can get to the point where you are "blocking these 5 techniques" instead of "blocking these 10,000 IOCs."
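The gap analysis in the list above is easy to do in code once playbooks and controls are expressed as technique IDs. The following is an added example (not Mitre tooling and not from the original post): the adversary playbooks and the control inventory are constructed for the demonstration, the surfaces are the four the list names, and the technique IDs are real Enterprise ATT&CK Initial Access IDs as numbered at the time of writing.

```python
"""Technique-level coverage and gap analysis (added example).
PLAYBOOKS and CONTROLS are constructed data; the T-numbers are real ATT&CK
Enterprise technique IDs from early 2019, the surfaces come from the post."""

SURFACES = ("network", "host", "saas", "cloud")
RANK = {"prevent": 2, "detect": 1, "none": 0}        # best-to-worst coverage

TECHNIQUE_NAMES = {
    "T1193": "Spearphishing Attachment",
    "T1192": "Spearphishing Link",
    "T1189": "Drive-by Compromise",
    "T1078": "Valid Accounts",
    "T1190": "Exploit Public-Facing Application",
    "T1200": "Hardware Additions",
}

# Constructed playbooks: which Initial Access techniques each (hypothetical)
# adversary group has been seen using.
PLAYBOOKS = {
    "GroupA": {"T1193", "T1192", "T1189"},
    "GroupB": {"T1193", "T1078", "T1190"},
    "GroupC": {"T1192", "T1189", "T1200"},
}

# Constructed control inventory: technique -> surface -> "prevent" or "detect".
# A surface that is absent means no control and no visibility there.
CONTROLS = {
    "T1193": {"network": "prevent", "host": "detect"},
    "T1192": {"network": "detect"},
    "T1189": {"host": "prevent"},
    "T1078": {"saas": "detect"},
}


def coverage(playbooks, controls, surfaces=SURFACES):
    """One row per technique any adversary uses: per-surface coverage level,
    the groups using it, and the best level we reach on any surface.
    Rows are ordered by how many adversaries share the technique, so the
    top of the list is the 'block these 5 techniques' set."""
    for tid, per_surface in controls.items():
        for surface, level in per_surface.items():
            if surface not in surfaces or level not in ("prevent", "detect"):
                raise ValueError(f"bad control entry for {tid}: {surface}={level}")
    rows = []
    for tid in {t for techs in playbooks.values() for t in techs}:
        per_surface = {s: controls.get(tid, {}).get(s, "none") for s in surfaces}
        rows.append({
            "id": tid,
            "name": TECHNIQUE_NAMES.get(tid, tid),
            "adversaries": sorted(g for g, techs in playbooks.items() if tid in techs),
            "surfaces": per_surface,
            "best": max(per_surface.values(), key=RANK.__getitem__),
        })
    rows.sort(key=lambda r: (-len(r["adversaries"]), r["id"]))
    return rows


def blind_spots(rows):
    """Techniques in use by some adversary that we can neither prevent nor detect."""
    return [r["id"] for r in rows if r["best"] == "none"]


def report(rows):
    """Plain-text table: technique, how many groups use it, best coverage,
    and p/d/- per surface."""
    lines = []
    for r in rows:
        marks = " ".join(f"{s}={r['surfaces'][s][0] if r['surfaces'][s] != 'none' else '-'}"
                         for s in r["surfaces"])
        lines.append(f"{r['id']} {r['name']:<34} groups={len(r['adversaries'])} "
                     f"best={r['best']:<7} {marks}")
    return "\n".join(lines)


if __name__ == "__main__":
    rows = coverage(PLAYBOOKS, CONTROLS)
    print(report(rows))
    print("blind spots:", blind_spots(rows))
```

Reading the output top-down gives the priorities the post describes: the techniques shared by the most adversaries come first, and any of them whose best level is "none" is a blind spot to close before buying another IOC feed. Real ATT&CK data (the STIX bundles Mitre publishes) can be loaded into the same PLAYBOOKS shape from the group-to-technique relationships.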


For more information on Mitre’s ATT&CK, see this wiki. For the complete Mitre ATT&CK podcast with Rick Howard and Ryan Olson, see the Unit42’s Don’t Panic Podcast.



TIP: What Does TTP and TLP: Green/Red/Amber Mean Anyway?

We’ve all heard the terms TTPs and TLPs, but I have been asked on several occasions what they actually mean. This usually comes up when a customer is implementing MineMeld, the incredibly useful and versatile free tool from Palo Alto Networks. Both terms are described in NIST Special Publication 800-150, Guide to Cyber Threat Information Sharing (TLP itself is maintained by FIRST).


TTP stands for tactics, techniques and procedures: the way malicious actors work to compromise systems, disrupt services, commit financial fraud, and expose or steal intellectual property and other sensitive information. NIST lists TTPs as one kind of shareable threat information alongside indicators (system artifacts or IOCs), security alerts, threat intelligence reports and recommended security tool configurations. This should sound familiar if you have read about the Mitre ATT&CK framework above: ATT&CK is a catalog of exactly these tactics and techniques. It is increasingly important for organizations to share this kind of threat intelligence with each other, but in a way that does not compromise the ones doing the sharing.


TLP is the Traffic Light Protocol (red, amber, green, white). It is designed to make sharing threat information easy by stating, with a single label, how far the recipient may pass it on. Red means "recipients only": do not share it outside the meeting or message it arrived in. Amber means "limited disclosure": share within your own organization, and with clients or customers who need it to protect themselves. Green means "community": share with peers and partner organizations in your sector, but not over public channels. White means "ok to share without limitation." These designations identify unclassified information that may not be suitable for public release and may require special handling. A label on a piece of threat information communicates its handling requirements, and the source can additionally mark specific data elements as sensitive and to be redacted before the information is passed on at a less restrictive level. Likewise, recipients of threat information should observe the handling, attribution, dissemination and storage requirements expressed in the source organization's handling guidance.


You may want to bring threat feeds into MineMeld, de-duplicate them and publish them as an External Dynamic List (EDL) that a Palo Alto Networks firewall can enforce. These feeds carry indicators (IP addresses, domains, URLs), often together with the TTPs they relate to and a TLP color. They can come from a variety of sources (FBI, ISACs, Department of Homeland Security, CERTs, CSIRTs, etc.). MineMeld handles the indicator types the firewall can act on (IP addresses, domains, URLs) and carries each indicator's TLP color as its share_level attribute, so you can build automated responses that respect the TLP: for instance, an EDL for your own enforcement that includes everything you receive, and a separate output for partners that carries only green and white indicators.
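The merge-and-publish step looks like this when done by hand. This is an added example, not MineMeld code and not from the original post: the three feeds are constructed (documentation IP ranges and .example names), and the TLP ordering is the FIRST definition in use at the time of writing. An indicator that arrives from several feeds keeps the most restrictive color it was seen with, which is the safe choice when you later decide what to re-share.

```python
"""Merge indicator feeds, de-duplicate, keep the strictest TLP, and emit
EDL-style lists filtered by TLP (added example; constructed feed data)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Most to least restrictive. A duplicate keeps the strictest color seen.
TLP_ORDER = ["RED", "AMBER", "GREEN", "WHITE"]

# Constructed feeds: (indicator, TLP). Mixed case, trailing dots and junk on
# purpose, to exercise normalization.
FEEDS = {
    "isac-partner": [("198.51.100.7", "AMBER"), ("evil.example", "AMBER"),
                     ("203.0.113.0/24", "GREEN")],
    "public-blocklist": [("198.51.100.7", "WHITE"), ("EVIL.example.", "GREEN"),
                         ("http://bad.example/x", "WHITE"), ("c2.example", "GREEN")],
    "cert-advisory": [("bad.example", "RED"), ("not an indicator", "GREEN")],
}


def classify(value):
    """Return (kind, normalized value) with kind in ip/domain/url, or None
    when the entry is not something a firewall list can use."""
    v = value.strip()
    try:
        if "/" in v:
            return "ip", str(ipaddress.ip_network(v, strict=False))
        return "ip", str(ipaddress.ip_address(v))
    except ValueError:
        pass
    if re.match(r"^[a-z][a-z0-9+.-]*://", v, re.I):
        return ("url", v) if urlsplit(v).hostname else None
    host = v.rstrip(".").lower()
    if re.fullmatch(r"(?=.{1,253}$)([a-z0-9_-]+\.)+[a-z0-9-]+", host):
        return "domain", host
    return None


def merge(feeds):
    """(kind, value) -> {"tlp": strictest color seen, "sources": set of feeds}."""
    merged = {}
    for source, entries in feeds.items():
        for raw, tlp in entries:
            tlp = tlp.upper()
            if tlp not in TLP_ORDER:
                raise ValueError(f"{source}: unknown TLP {tlp!r} on {raw!r}")
            key = classify(raw)
            if key is None:
                continue                      # skip unusable entries, keep going
            rec = merged.setdefault(key, {"tlp": "WHITE", "sources": set()})
            if TLP_ORDER.index(tlp) < TLP_ORDER.index(rec["tlp"]):
                rec["tlp"] = tlp              # stricter color wins
            rec["sources"].add(source)
    return merged


def edl(merged, kind, max_tlp="RED"):
    """One indicator per line (the EDL text format), limited to one kind and to
    indicators whose TLP is max_tlp or less restrictive. The default includes
    everything, which is right for your own firewall; use "GREEN" for a list
    you hand to partners."""
    limit = TLP_ORDER.index(max_tlp)
    return "\n".join(sorted(v for (k, v), rec in merged.items()
                            if k == kind and TLP_ORDER.index(rec["tlp"]) >= limit))


if __name__ == "__main__":
    m = merge(FEEDS)
    for kind in ("ip", "domain", "url"):
        print(f"--- {kind} (internal) ---\n{edl(m, kind)}")
        print(f"--- {kind} (partner, green/white only) ---\n{edl(m, kind, 'GREEN')}")
```

Note that a PAN-OS firewall needs a separate EDL per type (IP, domain, URL), which is why the output is split by kind rather than mixed into one file.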



Reference: NIST SP 800-150, Guide to Cyber Threat Information Sharing.



TIP: Passphrases and Entropy

I came across a comic recently (xkcd's "Password Strength") that I wanted to use as an introduction to this passphrase concept. It is a technique that I have successfully used for years. I'm sure there will be some strong opinions that make their way back to me as a result of this post, and that's okay! There is more than one way to be secure when it comes to passphrases, for sure.

Click here to view the comic.


The idea is to be both secure (hard to crack or guess) and easy to remember. I believe you can have both. Obviously, when it comes to pre-shared keys used in IPSec VPNs, data encryption or routing protocols, you don't need to remember the passphrase at all; generate it randomly and keep it someplace secure (a password manager or vault) should you need it in the future. Hint: a piece of paper in a desk drawer is not secure, unless that desk resides in Fort Knox, then maybe.


Here’s where the potential controversy comes in. The vast majority of users have been led to believe that sprinkling special characters into a familiar word produces a highly secure password. For example, password becomes p@ssw0rd (we have all done this). These substitutions add far less entropy than people assume: password-cracking tools apply the common ones (a to @, o to 0, s to $, a capital first letter, a digit or symbol tacked on the end) as rules, so each predictable substitution is worth roughly one bit, not the six to seven bits a truly random printable character would be. Better passphrases are longer, and, more importantly, they get their strength from words picked at random rather than from mangling. If you draw 5 to 6 words at random from a list of about 7,776 words (the size of the Diceware list), each word is worth log2(7776), about 12.9 bits, so the passphrase carries 64 to 77 bits of entropy. What does this mean exactly? It can be calculated as follows (as seen in the comic):

  • An 11-character password built from a word plus substitutions, numbers and a special character equates to ~28 bits of entropy
    • 2^28 guesses = 3 days at 1,000 guesses per second. This qualifies as "easy to guess."
  • A passphrase of 4 random words totaling 25 letters equates to ~44 bits of entropy (11 bits per word from a 2,048-word list)
    • 2^44 guesses = 550 years at 1,000 guesses per second. This qualifies as "hard to guess."
  • Both figures assume a throttled online attack at 1,000 guesses per second. Offline cracking of a leaked hash runs at billions of guesses per second, which turns the 28-bit password into seconds and the 44-bit passphrase into hours; the passphrase still wins by the same factor of 2^16, but "hard to guess" online is not the same as safe offline, which is why 5 to 6 words are recommended above.


The trick to easily remembered, strong passphrases is to use enough words (5 to 6) to get the entropy high enough, and to let chance pick them: dice, or a password manager's passphrase generator. The bit counts above only hold when the words are drawn at random; if you pick the words yourself and arrange them into something meaningful, a cracker's wordlists and phrase rules will find them far sooner than the arithmetic suggests. Make up a story or picture that links the random words afterwards (that is what makes them memorable) rather than choosing the words to fit a story. Again, I think the comic makes this illustration quite nicely.


Password entropy is a measure of how unpredictable a password or passphrase is, and it is usually expressed in bits. When every character is chosen at random, the math is simple: take log base 2 of the size of the character set, and multiply by the number of characters in the password. For a word-based passphrase the same formula applies per word: log base 2 of the size of the word list, times the number of words. The formula measures the generator, not the result: a password a person composed from a dictionary word and a few substitutions has far fewer bits than its length would suggest, which is why the comic's 11-character example rates only ~28 bits while 11 truly random printable characters would be worth over 70.
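The arithmetic in the two paragraphs above, carried through in code as an added example (not from the comic or the original post): the entropy formula for characters and for words, the guess-time conversion at the comic's 1,000 guesses per second and at an offline rate, and a Diceware-style generator that uses the OS CSPRNG. The 16-word list is a constructed stand-in so the block runs on its own; a real passphrase must be drawn from a full list such as the 7,776-word Diceware or EFF list, and the entropy figures are computed for that size.

```python
"""Passphrase entropy arithmetic and a Diceware-style generator (added example).
SAMPLE_WORDS is a 16-word stand-in for demonstration only; real use needs the
full 7,776-word list, which is the size the entropy figures assume."""
import math
import secrets

# Guesses per second: the comic's throttled online rate, and a rough offline
# rate against a fast unsalted hash (assumed order of magnitude).
GUESS_RATES = {"throttled_online": 1e3, "offline_fast_hash": 1e10}

SAMPLE_WORDS = ["anchor", "basket", "candle", "dragon", "engine", "forest",
                "garden", "hammer", "island", "jacket", "kettle", "ladder",
                "magnet", "needle", "orange", "pillow"]


def bits_for_choices(choices, count):
    """Entropy of `count` independent uniform picks from `choices` options:
    count * log2(choices). Holds only when the picks really are random."""
    return count * math.log2(choices)


def time_to_exhaust(bits, guesses_per_second):
    """Seconds to try every value of a `bits`-bit space (expected time is half)."""
    return 2 ** bits / guesses_per_second


def human(seconds):
    """Render a duration in the largest convenient unit, one decimal."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def passphrase(words, count=6, rng=secrets):
    """Pick `count` words uniformly at random with a CSPRNG (secrets.choice).
    The entropy is count * log2(len(words)); with this toy list that is only
    4 bits per word, which is why a real list must be used."""
    return " ".join(rng.choice(words) for _ in range(count))


def compare():
    """Bits and crack times for the cases discussed in the text."""
    cases = {
        "11 random printable chars (95-char set)": bits_for_choices(95, 11),
        "comic's 11-char word+substitutions":       28.0,   # structured, per xkcd
        "4 random words, 2048-word list":           bits_for_choices(2048, 4),
        "5 random words, 7776-word list":           bits_for_choices(7776, 5),
        "6 random words, 7776-word list":           bits_for_choices(7776, 6),
    }
    return {label: (round(bits, 1),
                    {name: human(time_to_exhaust(bits, rate))
                     for name, rate in GUESS_RATES.items()})
            for label, bits in cases.items()}


if __name__ == "__main__":
    for label, (bits, times) in compare().items():
        print(f"{label:<42} {bits:5.1f} bits  {times}")
    print("sample (toy list, NOT for real use):", passphrase(SAMPLE_WORDS))
```

The table makes the point of the section in numbers: 11 random characters would be worth about 72 bits, but the comic's human-built 11-character password is worth 28 because its structure is predictable, while 5 or 6 words from a 7,776-word list land at 64.6 and 77.5 bits respectively and stay out of reach even at the offline rate.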


The math in this example is all about entropy, not about substituting @ for a. Personally, I am more likely to remember (and actually use) a longer random passphrase than a hard-to-remember password with special characters. Your mileage may vary!


Regardless of the password or passphrase policy in use, we all know that users will find a way to use corporate credentials on unauthorized public sites. If you are on PAN-OS 8.0 or higher and are not familiar with the credential phishing prevention features, here's your chance to get up to speed. Take a moment to learn how to use one of the three detection methods (IP user mapping, group mapping, or the domain credential filter) to block users from submitting corporate usernames and passwords to just any public site they choose. If you think about it, there are only a handful (if that many) of public-facing sites where corporate credentials should ever be entered, and your company's single sign-on site will be the main one.
