
Wall's Week - September 17th

by kwall00 on 09-17-2018 01:35 PM - last edited on 12-14-2018 08:10 AM

Palo Alto Networks Live Community delivers information on product updates and new tools. This week, read about the Streamcast event, the differences between our virtual firewall and public cloud security groups, the Cybersecurity Canon, the new migration tool and much more. You will also find useful links and two Tech Tips: one on the MineMeld feeds API and one on using emergency content updates to keep track of Xbash.

Summary

Streamcast Event: Your Move to the Cloud, Secured

Differences Between Palo Alto Networks Virtual Firewall and Public Cloud Security Groups

The Cybersecurity Canon

GlobalProtect App and iOS 12

New Migration Tool Released

New Applications Arriving on Sept 18th

Panorama Interconnect Plug-in Now Available

Tech Tip: MineMeld Parameter Feeds API

Tech Tip: Use Emergency Updates to Improve Situational Awareness

Streamcast Event: Your Move to the Cloud, Secured

Join us on September 20th at 11:00 a.m. This one-hour event will feature customers, partners, and Palo Alto Networks sharing real-world experiences on how to move to the public cloud securely. Hear from Palo Alto Networks founder Nir Zuk and from Google's Product Manager of Security & Privacy, Maya Kaczorowski, along with customer experiences from Moody's, FTD, and Walmart Labs. The online event may be accessed from this link.

Differences Between Palo Alto Networks Virtual Firewall and Public Cloud Security Groups

If you have begun moving workloads into the public cloud, you are no doubt familiar with the built-in security controls the cloud providers offer. There are important differences between these built-in mechanisms and a Palo Alto Networks virtual firewall deployed in the public cloud: security groups filter on addresses, protocols and ports, while the virtual firewall adds application identification and threat inspection to that same traffic. I wrote this article to help customers understand these differences and how public cloud security is a shared responsibility. Comparing the built-in security groups with the Palo Alto Networks virtual firewall is more of an apples-to-oranges comparison.

The Cybersecurity Canon

If you're an avid cybersecurity reader, you should check out our canon of recommended readings. The books that make it into the canon are the ones that meet specific criteria: the content must be timeless, accurate and precise, of high quality, and a must-read for the cybersecurity professional. Check it out here.

GlobalProtect App and iOS 12

Today, Sept. 17th, Apple is expected to release version 12 of its iOS operating system. Note that GlobalProtect 4.1.x and older are not compatible with iOS 12. If you have deployed GlobalProtect on iOS devices, upgrade to GlobalProtect 5.0, which is available now in the App Store, before your users update their devices, since the older app will not work once iOS 12 is installed. GlobalProtect 5.0 fully supports iOS 10, 11, and 12 and has a completely new GUI with a more native iOS look and feel. For more information, see the Live article here.

New Migration Tool Released

The new Migration Tool has been relabeled EXPEDITION. If you're not familiar with EXPEDITION, it is a free utility from Palo Alto Networks that assists in migrating from other technologies (Cisco ASA, Check Point, Fortinet, etc.) to a Palo Alto Networks firewall. It allows for a like-for-like migration and also lets you fully configure App-ID within the tool before exporting the result for deployment. Some of EXPEDITION's new features include:

  • Imported configurations now also support:
    • Check Point R80
    • IBM Proventia XGS
    • PAN-OS 8.x
  • Redesigned GUI (faster and easier)
  • Import time reduced by up to 50%
    • Moved to PHP 7
    • Improved all of the backend code to be more efficient
    • Added a queue system to control the background jobs
    • Implemented an RBAC system to allow multiple user roles
    • RADIUS and LDAP authentication integration
  • Best Practices Assessment feature added
  • Added machine learning functions to transform security policies and suggest new ones based on traffic logs (think AlgoSec-like features)

The Expedition tool is a free VM. You can find it here.

New Applications Arriving on Sept 18th

In addition to new App-IDs, the previously released placeholder App-ID, paloalto-shared-services, will be activated. When a placeholder becomes active, the traffic it covers may be identified under the new App-ID instead of the application it matched before, so review any security rules that depend on the old classification before the content update is installed. For a list of all 20 new applications, see this Live article.

Panorama Interconnect Plug-in Now Available

If you have a large deployment of Palo Alto Networks firewalls (1,000 or more), there is now a plug-in for Panorama that allows a single Panorama to manage multiple Panoramas and scale to tens of thousands of firewalls. This new plug-in is called Interconnect. For more information, see the Panorama datasheet.

Tech Tip: MineMeld Parameter Feeds API

If you are dealing with threat feeds manually, why not let MineMeld automate some of those tasks for you? MineMeld will bring in as many threat feeds as you wish (FBI, DHS, ThreatCare, ISACs, etc.), remove duplicates, and create output lists that can be consumed dynamically by other tools, such as a SIEM or Palo Alto Networks firewalls (through external dynamic lists, or EDLs). The Palo Alto Networks firewall does not accept a scheme prefix (e.g., http:// or https://) on the lines of a URL EDL. MineMeld can help by stripping the unwanted prefix with regex patterns (see my custom MineMeld article below). Alternatively, when you enter the URL of the MineMeld output feed on the firewall, you can use the MineMeld feeds API to strip the unwanted data from all of the feeds at once as the firewall retrieves the output.

Let's say you have feeds coming into MineMeld (through miners) that are combined into a single output feed URL owned by MineMeld: https://minemeld-URL/OutputFeeds1. You can ensure that the results are returned in a format compatible with PAN-OS URL EDLs by adding the feeds API parameter v=panosurl. The final URL you enter on the firewall will look like this: https://minemeld-URL/OutputFeeds1?v=panosurl. This is a more scalable choice than applying a regex on the ingress of each individual feed, although in some cases you may still need the regex feature. If the feed is served over HTTPS, attach a certificate profile to the EDL so the firewall authenticates the MineMeld server before trusting the list, and use the Test Source URL button to confirm the firewall can retrieve and parse it. The firewall can refresh these lists as often as every five minutes. An EDL may be used in security rules (e.g., to block the entire list), in custom URL categories, and as a domain list in Anti-Spyware profiles.

Download the free MineMeld tool here.

How to create a custom MineMeld Miner here.

Parameter feeds API info here.
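
To show what the v=panosurl output parameter has to do before a firewall can consume a merged feed, here is an added example (written for this post, not MineMeld's own code) that emulates the normalization: strip the scheme, drop blank and comment lines, deduplicate, and set aside lines the firewall would not accept. It also shows how the feeds API parameter is appended to an output feed URL that may already carry a query string. The feed contents, the 255-character entry limit and the "no embedded whitespace" rule are assumptions for the illustration; check the EDL limits for your PAN-OS release.

```python
"""Added example: emulate the normalization MineMeld's ``?v=panosurl`` output
parameter performs so a merged feed can be consumed as a PAN-OS URL EDL.
Illustrative code only, not MineMeld's implementation; the feed contents
below are constructed sample data, not real indicators."""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlencode, urlsplit, urlunsplit

# PAN-OS URL EDL entries carry no scheme; the panosurl output strips it.
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)
# Assumed for illustration: one entry per line, no embedded whitespace,
# and a conservative maximum entry length.
MAX_ENTRY_LEN = 255


def feed_url(base: str, fmt: str = "panosurl") -> str:
    """Append the MineMeld feeds API 'v' parameter to an output feed URL,
    keeping any query string the base URL already carries."""
    parts = urlsplit(base)
    extra = urlencode({"v": fmt})
    query = f"{parts.query}&{extra}" if parts.query else extra
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def normalize_entry(raw: str) -> Optional[str]:
    """Return the EDL form of one feed line, or None if the line carries no entry."""
    line = raw.strip()
    if not line or line.startswith("#"):   # blank or comment line
        return None
    line = SCHEME_RE.sub("", line)         # drop http:// / https:// / ftp:// prefix
    if not line:                           # the line was only a scheme
        return None
    host, sep, path = line.partition("/")
    # Hostnames are case-insensitive, paths are not, so lowercase only the host.
    return host.lower() + sep + path


def normalize_feed(text: str) -> Tuple[List[str], List[str]]:
    """Convert a raw merged feed into (accepted, rejected) PAN-OS URL EDL lines.
    Duplicates are removed while preserving first-seen order."""
    accepted: List[str] = []
    rejected: List[str] = []
    seen = set()
    for raw in text.splitlines():
        entry = normalize_entry(raw)
        if entry is None:
            continue
        if any(ch.isspace() for ch in entry) or len(entry) > MAX_ENTRY_LEN:
            rejected.append(entry)         # the firewall would choke on this line
            continue
        if entry not in seen:
            seen.add(entry)
            accepted.append(entry)
    return accepted, rejected


# Constructed sample of what several miners might aggregate into one output feed.
RAW_FEED = """\
# merged feed (constructed sample, not real indicators)
http://malicious.example/payload.bin
https://Malicious.example/payload.bin
HTTPS://c2.example/gate.php
c2.example/gate.php
http://
evil.example/*
not a url with spaces
"""

if __name__ == "__main__":
    print(feed_url("https://minemeld-URL/OutputFeeds1"))
    ok, bad = normalize_feed(RAW_FEED)
    print("\n".join(ok))
    print("rejected:", bad)
```

Running it prints the feed URL with ?v=panosurl appended, three accepted entries (the two scheme variants of each URL collapse into one), and the one line with embedded spaces that would have to be fixed at the source. Reviewing the rejected list before pointing a firewall at the feed is the check worth automating, since a malformed line can cause the whole EDL fetch to fail.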

 

 

Tech Tip: Use Emergency Updates to Improve Situational Awareness

You might have noticed that the emergency threat content released on Sept. 10th (version 8062) contained two new anti-spyware signatures (command-and-control detections) for Xbash. This activity was discovered by the smart folks in our Unit 42 organization. If you took the time to Google this threat, you probably didn't find much useful information, unless you were interested in the Croatia JAM festival. To keep an eye out for more information, subscribe to the Unit 42 blog for future write-ups and the IoCs. Having the signature is a necessary and great start, but proactively hunting for the IoCs is equally important.

Using AutoFocus is a good way to get a head start on Xbash while more information awaits on the Unit 42 blog. Simply browse AutoFocus and search by the tag "xbash." Click on the tag for details. You'll see the tag was created by Unit 42 on Sept. 10th, the same day the emergency content signature was released. At the time of this blog, I noticed the last "hit" was two days ago, meaning the malware is active. From the description, I can learn that this is a database destroyer (MySQL, PostgreSQL, MongoDB, etc.) that demands Bitcoin but offers no way to recover your data. It is self-propagating, written in Python but converted into a native executable. It has recon built in to spread laterally within an organization's network.

What else can I see in AutoFocus? IoCs! I can see the relevant hashes, file types, DNS activity, and HTTP activity. With this information, I can begin hunting within my environment. When the Unit 42 blog on Xbash comes out, there may be even more details, but for now I have enough to react (hunt for Xbash fingerprints) and be proactive (ensure the signature is applied with the correct action assigned, and load any relevant IoCs into my endpoint agent if required; if you have Traps, the signature is shared automatically with every endpoint).

By the way, I can also see in AutoFocus that the first protective signature for this malware family was created on Friday, Sept. 7th at 10:24 p.m. and distributed via a five-minute WildFire update, while most of us would have been far removed from our jobs at that hour. Customers with only a Threat Prevention subscription and no WildFire subscription would have waited until Monday, Sept. 10th to receive the emergency signature. In a world where threats can spread laterally within minutes (think NotPetya), 48+ hours is far too long to wait for protection. Having the latest threat protections dynamically pushed to all of my firewalls every five minutes is the safest posture and requires zero effort or IT overhead ☺

**Update ** Unit 42 has posted their blog on Xbash here.
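
The hunting step described above (take the hashes, domains and HTTP activity from the tag and look for them in your own logs) as an added example that is not the author's, Unit 42's or AutoFocus's code. The indicators and log rows are constructed placeholders, not real Xbash IoCs, and the CSV layout is a simplified export invented for this example, not the PAN-OS log format. The domain check matches subdomains of an indicator but not lookalike names, and the URL and hash checks normalize case and scheme first, which are the details a naive string search gets wrong.

```python
"""Added example: sweep an exported firewall log for indicators pulled from a
threat-intel tag (file hashes, domains, URLs). Not AutoFocus or Unit 42 code;
indicators and log rows are constructed placeholders, and the CSV columns are
a simplified export of my own, not the PAN-OS syslog format."""
import csv
import io
import re
from typing import Dict, List, Set

SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)

# Constructed indicator set, shaped like what a tag's IoC view provides.
IOCS: Dict[str, Set[str]] = {
    "sha256": {"0123456789abcdef" * 4},                # placeholder hash
    "domain": {"c2.example", "payload.example"},       # placeholder domains
    "url": {"c2.example/gate.php"},                    # placeholder URL (no scheme)
}

# Constructed log export: one row per event; unused columns are left empty.
LOG_CSV = """\
ts,type,src,dst,host,url,sha256
2018-09-15T02:11:03Z,dns,10.1.2.3,10.0.0.53,dl.c2.example,,
2018-09-15T02:11:04Z,url,10.1.2.3,198.51.100.7,c2.example,http://c2.example/gate.php,
2018-09-15T02:11:09Z,wildfire,10.1.2.3,198.51.100.7,,,0123456789ABCDEF0123456789abcdef0123456789abcdef0123456789abcdef
2018-09-15T03:00:00Z,url,10.1.2.9,203.0.113.5,www.example.org,https://www.example.org/index.html,
2018-09-15T03:05:00Z,dns,10.1.2.9,10.0.0.53,notc2.example,,
"""


def normalize_url(url: str) -> str:
    """Strip the scheme and lowercase the host so log URLs compare to EDL-style IoCs."""
    url = SCHEME_RE.sub("", url.strip())
    host, sep, path = url.partition("/")
    return host.lower() + sep + path


def domain_matches(host: str, indicator: str) -> bool:
    """True for the indicator itself or any subdomain of it, but not for
    lookalikes such as 'notc2.example' when the indicator is 'c2.example'."""
    return host == indicator or host.endswith("." + indicator)


def hunt(log_csv: str, iocs: Dict[str, Set[str]]) -> List[Dict[str, str]]:
    """Return one hit record per (log row, matching indicator) pair."""
    hits: List[Dict[str, str]] = []
    for row in csv.DictReader(io.StringIO(log_csv)):
        base = {"ts": row["ts"], "src": row["src"]}
        host = (row.get("host") or "").lower()
        if host:
            for ind in iocs["domain"]:
                if domain_matches(host, ind):
                    hits.append({**base, "kind": "domain", "ioc": ind})
        url = normalize_url(row.get("url") or "")
        if url and url in iocs["url"]:
            hits.append({**base, "kind": "url", "ioc": url})
        digest = (row.get("sha256") or "").lower()
        if digest and digest in iocs["sha256"]:
            hits.append({**base, "kind": "sha256", "ioc": digest})
    return hits


def affected_hosts(hits: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Collapse hits to source address -> set of indicator kinds seen, which is
    the list you hand to incident response first."""
    summary: Dict[str, Set[str]] = {}
    for hit in hits:
        summary.setdefault(hit["src"], set()).add(hit["kind"])
    return summary


if __name__ == "__main__":
    found = hunt(LOG_CSV, IOCS)
    for hit in found:
        print(hit)
    print(affected_hosts(found))
```

On the constructed data the sweep produces four hits, all from 10.1.2.3: a DNS lookup of a subdomain of an indicator, the URL row (which matches on both its host and its full URL), and a WildFire row whose hash matches despite different letter case. The lookalike name notc2.example from 10.1.2.9 is correctly ignored. A host that trips all three indicator kinds in the same minute is the one to isolate first.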
