PAN-OS 8.0: PAN-OS Phishing Attack Prevention

70473
Created On 09/25/18 18:55 PM - Last Modified 09/14/20 22:49 PM


Symptom


This article highlights a new capability or feature introduced in PAN-OS 8.0. 

What is Phishing?
  • Phishing is an attempt by an individual or group to solicit personal information from unsuspecting users by employing social engineering techniques.
  • Phishing emails are crafted to appear as if they have been sent from a legitimate organization or known individual.
    • These emails often attempt to entice users to click on a link that will take the user to a fraudulent website that appears legitimate.
    • The user then may be asked to provide personal information, such as account usernames and passwords, that can further expose them to future compromises. Additionally, these fraudulent websites may contain malicious code.


Environment


  • PAN-OS 8.0
  • Phishing


Resolution


 
Problem / Solution
  • Phishing attacks to obtain valid corporate credentials are one of the common factors in many breaches today.
  • With valid credentials, an attacker can walk right into the enterprise network, bypassing most security solutions without arousing suspicion.
  • Attackers deceive users in a variety of ways and at varying levels of sophistication to get them to hand over valid company credentials. Attacks today range from luring a user to a fake enterprise login on a similar-looking domain, to standing up a rogue Outlook Web Access (OWA) server, to creating fake single sign-on authentication pages.
  • Because these more advanced enterprise phishing techniques lack the common tell-tale characteristics of consumer banking and webmail phishing attacks, the contents or look of the malicious page cannot be relied upon to prevent the phishing attack.


Description of the feature

  • This feature extends the URL Filtering capabilities to actively detect targeted credential phishing attacks, through a cloud-based analytics service as well as through heuristics on the firewall itself.
  • The firewall detects HTTP form POSTs containing valid corporate usernames and potentially corporate passwords. The action to take (alert/block) when a credential submission is detected for an HTTP session is configured per URL category in the URL Filtering profile.
Flow diagram

2016-11-30_16-26-08.png

Use Case
A customer is facing a credential phishing campaign that uses phishing webpages mimicking a corporate page, hosted on compromised web servers of legitimate businesses.

  • Users receive links to these specifically crafted websites via webmail or corporate email.
  • The customer wants to identify submissions of corporate credentials from internal users to these websites, to prevent exposure of corporate credentials.


Details
There are three modes of operations:

  • Group-Mapping mode: Obtains a list of usernames from one or more AD user groups. If an HTTP POST parameter value matches any username in that list, it is a credential hit. Only the submitted username string is checked; no IP-to-user mapping for the source address is needed.
  • IP-User-Mapping mode: When the source IP address of a session has a known User-ID mapping and an HTTP POST parameter in that session matches the username of that mapping, it is a credential hit.
  • Domain Credential mode: When the source IP address of a session has a known User-ID mapping and an HTTP POST parameter in that session matches the password belonging to that mapped user, it is a credential hit.
    • This mode, in addition to requiring a User-ID Agent, also requires a User-ID Credential Agent.
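
The three modes above as a worked model, added here as an example; this is not PAN-OS or agent code. Each detector takes a form POST body and decides whether it is a credential hit. The Bloom filter, its salted SHA-256 hashing, the `cred_token` construction (the real Credential Agent works from domain password hashes replicated to the RODC), the 64 Kbit filter size borrowed from the agent log lines later on this page, and all usernames, IPs and passwords are this example's assumptions or constructed sample data.

```python
"""Toy model of the three User Credential Detection modes (added example, not PAN-OS code)."""
import hashlib
from urllib.parse import parse_qs


class BloomFilter:
    """Fixed-size Bloom filter standing in for the one the Credential Agent ships to
    the firewall. 64 Kbits / 4 hash positions and the hashing scheme are this
    example's assumptions, not the agent's implementation."""

    def __init__(self, n_bits: int = 64 * 1024, n_hashes: int = 4) -> None:
        self.n_bits, self.n_hashes = n_bits, n_hashes
        self.bits = bytearray(n_bits // 8)   # 64 Kbits -> 8 KB, as in the UaCredDebug.log lines
        self.count = 0

    def _positions(self, item: bytes):
        for salt in range(self.n_hashes):             # k salted SHA-256 digests -> k bit positions
            h = hashlib.sha256(bytes([salt]) + item).digest()
            yield int.from_bytes(h[:8], "big") % self.n_bits

    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)
        self.count += 1

    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

    def digest(self) -> str:
        """32-hex-char identifier, comparable in role to the 'BF digest' the CLI prints."""
        return hashlib.sha256(self.bits).hexdigest()[:32]


def cred_token(username: str, password: str) -> bytes:
    """Item inserted into / tested against the filter. Hashing user:password is an
    assumption that keeps the example self-contained; the real agent uses the
    domain password hashes it obtains via the RODC."""
    return hashlib.sha256(f"{username.lower()}:{password}".encode()).digest()


def build_credential_bf(creds: dict) -> BloomFilter:
    bf = BloomFilter()
    for user, pw in creds.items():
        bf.add(cred_token(user, pw))
    return bf


def post_values(body: str) -> list:
    """Every parameter value in an application/x-www-form-urlencoded POST body."""
    return [v for vals in parse_qs(body, keep_blank_values=True).values() for v in vals]


def group_mapping_hit(body: str, group_usernames: set):
    """Group-Mapping mode: some POST value equals a username from the mapped AD group(s).
    No IP-to-user mapping is consulted; only the username string matters."""
    wanted = {u.lower() for u in group_usernames}
    return next((v.lower() for v in post_values(body) if v.lower() in wanted), None)


def ip_user_mapping_hit(body: str, src_ip: str, ip_user_map: dict):
    """IP-User-Mapping mode: the source IP is mapped to a user and a POST value equals that user."""
    user = ip_user_map.get(src_ip)
    if user and any(v.lower() == user.lower() for v in post_values(body)):
        return user
    return None


def domain_credential_hit(body: str, src_ip: str, ip_user_map: dict, bf: BloomFilter):
    """Domain Credential mode: the source IP is mapped to a user and some POST value is that
    user's *password*, tested by Bloom-filter membership. The firewall never holds the
    hashes themselves, only the filter (so false positives are possible, misses are not)."""
    user = ip_user_map.get(src_ip)
    if user and any(cred_token(user, v) in bf for v in post_values(body)):
        return user
    return None


# ---- constructed sample data (not from the article) ----
GROUP_USERS = {"bryan", "phishing001", "phishing002", "toi_test_001", "toi_test_002"}
IP_USER_MAP = {"10.0.0.23": "bryan"}                                     # what User-ID would know
CREDENTIAL_BF = build_credential_bf({"bryan": "Winter2016!", "toi_test_001": "Passw0rd"})
PHISH_POST = "username=Bryan&password=Winter2016%21&login=Sign+in"       # corporate password reused
PERSONAL_POST = "username=Bryan&password=hunter2&login=Sign+in"          # corporate username only

if __name__ == "__main__":
    print("BF digest:", CREDENTIAL_BF.digest(), "credentials:", CREDENTIAL_BF.count)
    for label, body in (("phish", PHISH_POST), ("personal", PERSONAL_POST)):
        print(label,
              "group:", group_mapping_hit(body, GROUP_USERS),
              "ip-user:", ip_user_mapping_hit(body, "10.0.0.23", IP_USER_MAP),
              "domain-cred:", domain_credential_hit(body, "10.0.0.23", IP_USER_MAP, CREDENTIAL_BF))
```

The two sample POSTs show why the modes differ in value: submitting a corporate username with a personal password still hits in Group-Mapping and IP-User-Mapping mode, while only Domain Credential mode confirms that a real corporate password left the network. The price is the Bloom filter's small false-positive rate, which is also what lets the agent export nothing but the filter and its metadata rather than any password hash.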


A new ACC widget, “Hosts Visiting Malicious URLs,” counts and graphs hits for internal users logged visiting Malware and Phishing sites. Note that this widget reflects URL category alerts/blocks only; it does not count or graph hits based on credential detection.

ACC Widget

2016-11-30_16-40-35.png
 

Configuration Workflow:
Feature integrates into existing URL Filtering Profiles

  • The Categories tab has been enhanced with a new User Credential Submission column. When the feature is enabled, this gives granular control over both access to a category (Site Access) and the action taken for that category if a credential submission is detected.

URL Filtering Profile Enhancements
2016-11-30_16-46-16.png

  • The functionality is enabled via a new tab called “User Credential Detection.” Within this tab, you select one of the 3 modes as well as the log severity to use when a suspected credential submission is detected.

User Credential Detection
2016-11-30_16-49-01.png

  • If the Group Mapping mode is selected, this unlocks an option to apply to Any Group (by default) or to select a defined Group Mapping configuration.

Use Group Mapping
2016-11-30_16-51-02.png

 

  • The Group Mapping drop-down list is populated from the group mappings defined under Device > User Identification > Group Mapping Settings. Based on the group include list/filters, you can create custom policies/URL Filtering profiles with actions relevant to specific group(s).

Group Mapping
2016-11-30_16-56-36.png

  • Once User Credential Detection Mode has been selected & appropriate actions defined for the categories, the final step would be binding the object (as is the case for any URL Filtering Profile), to a Security Policy. 

Profile added 
Screen Shot 2017-02-01 at 11.48.52.png

 

  • If a hit is detected (i.e., a user mapping exists, Credential Detection is enabled, and the URL category’s User Credential Submission action is set to block), a block page is presented to the user:

Block page
2017-02-01_11-53-04.jpg

  • Windows agents: two agents are needed to unlock the full functionality of this feature (i.e., to be able to select any of the 3 User Credential Detection modes).
    • User-ID Agent
      • The User-ID Agent still functions as a standard User-ID Agent and also supports the detection modes that only need the mapped username, i.e. IP-User-Mapping and Group-Mapping.
    • User-ID Credential Agent

      • The Credential Agent fetches domain credentials (password hashes) and feeds the resulting filter to the User-ID Agent. It must reside on a Windows Server with Directory Services that is joined to the domain as a Read-Only Domain Controller (RODC).
        • For an RODC, the Allowed objects in that RODC's Password Replication Policy (PRP, i.e. the msDS-RevealOnDemandGroup attribute) can be queried automatically and recursively to enumerate the users to protect.
        • Alternatively, a user-supplied list of credentials can be fed into the User-ID Agent as an XML file.
    • Security notes:
      • No credentials and no stale storage or files containing sensitive information are left anywhere on the server where the UIDAgent runs. This includes temporary files (if any), debug logs, etc.
      • The only information exported from the UIDAgent and its server is the Bloom filter (BF), the BF metadata (such as credential counts and minimum/maximum username string lengths), and the list of UIDs included in the BF. In no event, including troubleshooting, will the UIDAgent expose or store any password hash.


Notes:
The Hosts Visiting Malicious URLs ACC widget will NOT show hits for internal users who were blocked or logged solely by credential detection. The widget gives visibility into users who were logged or blocked by URL Filtering on the basis of URL category (alert/block actions on malware, phishing, etc.). The screenshot below shows a number of hits/blocks logged strictly for credential detection on potential phishing sites, while the ACC widget reports “No data to display.” Had those sites been categorized as “malware” or “phishing,” the hits would have been counted and the graph populated.

No data to display
2017-02-01_12-18-45.jpg

  • When implementing the User-ID Credential Agent to take full advantage of all modes of operation, it is highly advisable to read through Microsoft’s TechNet documentation on the recommended deployment and administration options for RODCs.

    An RODC IS REQUIRED when deploying the UaCredService/UaService. Failing to follow the standard steps recommended by Microsoft can result in the Credential Agent failing to fetch domain credentials (even while all connectors appear functional), the inability to retrieve group information or extract users, etc.


Limitations:

  • The password (Domain Credential) check requires a Windows User-ID Agent to be deployed, because of the dependency on the Credential Service. Agentless (PAN-OS integrated) User-ID works with the feature, but only for the username-matching modes.
  • Alert/block decisions are tied to URL categories. The category lookup for a session may not have completed by the time the POST parameters to be inspected reach the firewall, in which case the credential check may not be enforced for that submission.
  • The User-ID Credential Agent (needed for Domain Credential mode) MUST reside on a Windows Server with Directory Services joined to the domain as an RODC.


 Debugging:

  • Group mapping sync statistics/state are already shown by the “show user user-id-agent state” CLI command. New are the Bloom Filter (BF) counters: the last BF update and the BF digest (serial number) for each UIDAgent. The last BF update timestamp field is marked as disabled if the UIDAgent-side configuration has the credential extraction option disabled. The output below is from a fully functional User-ID Agent + Credential Agent deployment.

> show user user-id-agent state all 
 Agent: 10.46.48.104(vsys: vsys1) Host: 10.46.48.104(10.46.48.104):5007
         Status                                            : conn:idle
         Version                                           : 0x5
         num of connection tried                           : 697
         num of connection succeeded                       : 28
         num of connection failed                          : 669
         num of status msgs rcvd                           : 21080
         num of request of status msgs sent                : 21092
         num of request of ip mapping msgs sent            : 5587
         num of request of new ip mapping msgs sent        : 0
         num of request of all ip mapping msgs sent        : 52
         num of user ip mapping msgs rcvd                  : 122
         num of ip msgs rcvd but failed to proc            : 0
         num of user ip mapping add entries rcvd           : 166
         num of user ip mapping del entries rcvd           : 26
         num of bloomfilter requests sent                  : 4
         num of bloomfilter response received              : 4
         num of bloomfilter response failed to proc        : 0
         num of bloomfilter resize requests sent           : 0
         Last heard(seconds ago)                           : 1
         Messages State:
           Job ID                                          : 0
           Sent messages                                   : 26787
           Rcvd messages                                   : 21274
           Lost messages                                   : 0
           Failed to send messages                         : 0
           Queued sending msgs with priority 0             : 0
           Queued sending msgs with priority 1             : 0
           Queued rcvring msgs with priority 0             : 0
           Queued rcvring msgs with priority 1             : 0
         Credential Enforcement Status : In Sync
           Last BF digest received(seconds ago)            : 1
           Last BF request sent(seconds ago)               : 11417
           Last BF updated(seconds ago)                    : 11417
           Current BF digest : 1fbd572bdf1f5170edb13d6e4d32ba86

  • When Domain Credential enforcement mode is enabled in any active URL Filtering profile, the output lists the UIDAgents from which a BF was obtained and the number of credentials included in each BF.
  • When Group-Mapping enforcement mode is enabled in any active URL Filtering profile, the output includes the number of usernames in the lookup trie/hash table and the min/max username string lengths.
> show user credential-filter statistics
Built 5 unique users table.
 toi_test_001                            : 251
 toi_test_002                            : 251
 phishing001                             : 251
 phishing002                             : 251
 bryan                                   : 251

 

  • Another pre-existing command now also bundles the information relevant to Credential Enforcement (mirroring the credential-filter statistics output above): the IDs of the URL Filtering profiles that use this group mapping (251 here) and the associated usernames:
> show user group-mapping state all
Group Mapping(vsys1, type: active-directory): PANTAC
 
         Bind DN    : administrator@pantac.local
         Base       : DC=pantac,DC=local
         Group Filter: (None)
         User Filter: (None)
         Servers    : configured 1 servers
                 10.192.0.189(389)
                         Last Action Time: 2546 secs ago(took 0 secs)
                         Next Action Time: In 1054 secs
         Number of Groups: 1
         cn=phishing_test,ou=security groups,dc=etac2008,dc=com
         Credential Enforcement: 1 URL-Filtering Profiles.
         URL-Filtering Profile IDs: 251
         Usernames:
         bryan, phishing001, phishing002, toi_test_001
         toi_test_002


Logging:
With this feature integrated into URL Filtering & User-ID, many of the same logs are also utilized.

> less mp-log useridd.log

The log now includes credential-related messages as well as BF updates, e.g.:

 

2016-09-07 01:29:32.640 -0700 Warning:  pan_user_group_handle_cred_stats(pan_user_group.c:9090): UIA 10.192.0.189 error: credential enabled but no digest.
2016-09-07 01:29:37.647 -0700 Warning:  pan_user_group_handle_cred_stats(pan_user_group.c:9090): UIA 10.192.0.189 error: credential enabled but no digest.
2016-09-07 01:29:42.654 -0700 Warning:  pan_user_group_handle_cred_stats(pan_user_group.c:9090): UIA 10.192.0.189 error: credential enabled but no digest.
2016-09-07 01:29:47.661 -0700 Warning:  pan_user_group_handle_cred_stats(pan_user_group.c:9090): UIA 10.192.0.189 error: credential enabled but no digest.
2016-09-07 01:29:52.668 -0700 Warning:  pan_user_group_handle_cred_stats(pan_user_group.c:9090): UIA 10.192.0.189 error: credential enabled but no digest.
2016-09-07 01:29:57.674 -0700 Warning:  pan_user_group_handle_cred_stats(pan_user_group.c:9090): UIA 10.192.0.189 error: credential enabled but no digest.
2016-09-07 01:30:02.683 -0700 Warning:  pan_user_group_handle_cred_stats(pan_user_group.c:9090): UIA 10.192.0.189 error: credential enabled but no digest.

2016-09-07 18:07:09.640 -0700 Processed 5 ldap users for group mapping PANTAC. Added 5 unique usernames to username vector.
2016-09-07 18:07:09.667 -0700 Building userinfo.xml takes 0s
2016-09-07 18:07:42.699 -0700 Built 5 unique users table, vsys 1.
2016-09-07 18:07:42.699 -0700 Sending serialized vsys 1 credential map of 119 bytes to slots 0xffffffff.
2016-09-07 18:25:18.419 -0700 UIA 10.192.0.198 new Credential BF: digest 1fbd572bdf1f5170edb13d6e4d32ba86, 4 users, 8 KB.
2016-09-07 18:26:00.506 -0700 Sending serialized vsys 1 credential BF of 8217 bytes to slots 0xffffffff.

 

URL Filtering logs record credential hits according to the User Credential Submission action defined for the category in the URL Filtering profile.

URL Filtering logs now include a new “Credential Detected” column, which can be enabled (it is disabled by default).

The same flag is also visible in the Detailed Log View:

 

Flags
2017-02-01_13-13-56.jpg

User-ID Agent Logs:

C:\Program Files (x86)\Palo Alto Networks\User-ID Agent\UaDebug.log

 

09/07/16 18:25:33:088[ Info  798]: New connection 10.46.64.91 : 53029.
09/07/16 18:25:33:103[ Info  871]: Device thread 1 with 10.46.64.91 : 53029 is started.
09/07/16 18:25:33:103[ Info 2899]: Device thread 1 accept finished
09/07/16 18:25:35:131[ Info 2688]: Sent config to UaCredService.
09/07/16 18:25:38:345[ Info 2746]: Received BF Push. Same as current one. 1fbd572bdf1f5170edb13d6e4d32ba86

User-ID Credential Agent Logs:

C:\Program Files\Palo Alto Networks\User-ID Credential Agent\UaCredDebug.log

 

09/07/16 12:42:58:568 [ Info 731]: No user in group 
09/07/16 12:43:05:448 [ Info 731]: No user in group 
09/07/16 12:43:12:296 [ Info 731]: No user in group  
 
09/07/16 12:58:01:193 [ Warn 779]: No user extracted. Domain: PANTAC, 0/4 users. 0/2 preloads. 0 lookup failed. BF version: 1, 0 Patterns, 64 Kbits, 8 KB.
09/07/16 12:58:08:307 [ Warn 779]: No user extracted. Domain: PANTAC, 0/4 users. 0/2 preloads. 0 lookup failed. BF version: 1, 0 Patterns, 64 Kbits, 8 KB.
09/07/16 12:58:17:652 [ Warn 779]: No user extracted. Domain: PANTAC, 0/4 users. 0/2 preloads. 0 lookup failed. BF version: 1, 0 Patterns, 64 Kbits, 8 KB.

09/07/16 12:58:59:876 [ Info 704]: Sent BF to UaService. 3816cb8cc68069d56f558f06709afdf7
09/07/16 12:59:16:391 [ Info 704]: Sent BF to UaService. 6b07c78ef7252377f105652dc6ad5c66
09/07/16 17:27:47:557 [ Info 704]: Sent BF to UaService. C735b0836490dc55f927ca30cb6c9aa2
 
09/07/16 18:23:45:182 [Error 707]: Failed to send BF to UaService.
09/07/16 18:23:52:265 [Error 707]: Failed to send BF to UaService.
09/07/16 18:23:59:332 [Error 707]: Failed to send BF to UaService.

 

As always, the User-ID Agent’s own log view also displays these messages; with the latest agent they now reference BF pushes, etc.:

UID Agent Logs
2017-02-01_13-22-52.jpg
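
To make the log excerpts above actionable, here is an added triage helper (example code, not a Palo Alto Networks tool) that scans a mix of useridd.log, UaDebug.log and UaCredDebug.log lines for the conditions shown and tracks the BF digest at each hop (Credential Agent to User-ID Agent to firewall), flagging a stale filter when the digests disagree. The regexes and finding codes are this example's own; the embedded sample lines are copied from the article's excerpts above.

```python
"""Triage helper for credential-enforcement log lines (added example, not a PAN tool)."""
import re
from collections import Counter

# Regexes keyed to the messages quoted above; the patterns themselves are this example's own.
NO_DIGEST   = re.compile(r"UIA (?P<agent>\S+) error: credential enabled but no digest")           # useridd.log
NO_USER     = re.compile(r"No user extracted\. Domain: (?P<domain>\w+), (?P<got>\d+)/(?P<total>\d+) users")  # UaCredDebug.log
SEND_FAIL   = re.compile(r"Failed to send BF to UaService")                                        # UaCredDebug.log
SENT_BF     = re.compile(r"Sent BF to UaService\. (?P<digest>[0-9a-fA-F]{32})")                   # UaCredDebug.log
PUSHED_BF   = re.compile(r"Received BF Push\b.*?(?P<digest>[0-9a-fA-F]{32})")                      # UaDebug.log
FIREWALL_BF = re.compile(r"(?:new Credential BF: digest|Current BF digest :) (?P<digest>[0-9a-fA-F]{32})")  # useridd.log / CLI


def triage(lines):
    """Return {'findings': [(code, message), ...], 'digests': {hop: digest}} for the
    given log lines. Hops: credential_agent -> userid_agent -> firewall."""
    no_digest = Counter()   # per User-ID agent, as seen from the firewall
    rodc_empty = {}         # domain -> number of users the Credential Agent failed to extract
    send_fail = 0
    digests = {}            # last digest seen at each hop
    for line in lines:
        if m := NO_DIGEST.search(line):
            no_digest[m["agent"]] += 1
        elif m := NO_USER.search(line):
            if int(m["got"]) == 0 and int(m["total"]) > 0:
                rodc_empty[m["domain"]] = int(m["total"])
        elif SEND_FAIL.search(line):
            send_fail += 1
        elif m := SENT_BF.search(line):
            digests["credential_agent"] = m["digest"].lower()
        elif m := PUSHED_BF.search(line):
            digests["userid_agent"] = m["digest"].lower()
        elif m := FIREWALL_BF.search(line):
            digests["firewall"] = m["digest"].lower()

    findings = []
    for agent, n in sorted(no_digest.items()):
        findings.append(("NO_BF_AT_FIREWALL",
                         f"{n}x: domain-credential mode is on but no Bloom filter has arrived from agent {agent}"))
    for domain, total in sorted(rodc_empty.items()):
        findings.append(("RODC_NO_SECRETS",
                         f"0/{total} users extracted for {domain}: check the Allowed/Denied RODC "
                         f"Password Replication Groups, then repadmin /rodcpwdrepl"))
    if send_fail:
        findings.append(("BF_DELIVERY_FAILED",
                         f"{send_fail}x: UaCredService could not hand the BF to UaService "
                         f"(User-ID Agent service down or unreachable?)"))
    if len(set(digests.values())) > 1:
        findings.append(("BF_DIGEST_MISMATCH",
                         "stale filter somewhere in the chain: "
                         + ", ".join(f"{k}={v[:8]}" for k, v in digests.items())))
    return {"findings": findings, "digests": digests}


# Sample lines reproduced from the excerpts above (the article's own log samples).
SAMPLE_LINES = [
    "2016-09-07 01:29:32.640 -0700 Warning:  pan_user_group_handle_cred_stats(pan_user_group.c:9090): UIA 10.192.0.189 error: credential enabled but no digest.",
    "2016-09-07 01:29:37.647 -0700 Warning:  pan_user_group_handle_cred_stats(pan_user_group.c:9090): UIA 10.192.0.189 error: credential enabled but no digest.",
    "09/07/16 12:58:01:193 [ Warn 779]: No user extracted. Domain: PANTAC, 0/4 users. 0/2 preloads. 0 lookup failed. BF version: 1, 0 Patterns, 64 Kbits, 8 KB.",
    "09/07/16 12:58:08:307 [ Warn 779]: No user extracted. Domain: PANTAC, 0/4 users. 0/2 preloads. 0 lookup failed. BF version: 1, 0 Patterns, 64 Kbits, 8 KB.",
    "09/07/16 12:59:16:391 [ Info 704]: Sent BF to UaService. 6b07c78ef7252377f105652dc6ad5c66",
    "09/07/16 18:23:45:182 [Error 707]: Failed to send BF to UaService.",
    "09/07/16 18:25:38:345[ Info 2746]: Received BF Push. Same as current one. 1fbd572bdf1f5170edb13d6e4d32ba86",
    "2016-09-07 18:25:18.419 -0700 UIA 10.192.0.198 new Credential BF: digest 1fbd572bdf1f5170edb13d6e4d32ba86, 4 users, 8 KB.",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for code, msg in result["findings"]:
        print(f"[{code}] {msg}")
    print("digests:", result["digests"])
```

The digest comparison is the quick sanity check: the digest the Credential Agent last sent, the one the User-ID Agent last pushed, and the one the firewall reports under “Current BF digest” should all agree once the deployment is healthy. A “credential enabled but no digest” warning repeating every 5 seconds, as in the excerpt, means the firewall side is configured for Domain Credential mode but has never received a filter from that agent.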

 

CLI debug commands :

 

> debug user-id reset group-mapping

all         all
<value>     group mapping to reset

 

  • In addition to resetting group mappings (existing behavior), this also resets the username trie/hash table used for credential detection in Group-Mapping mode.
> debug user-id reset credential-filter

all      reset domain credential and group mapping username filters for all user-id agent
<value>  specify one agent to reset domain credential and group mapping username filter

 

  • Clears all MP and DP Bloom filters (Domain Credential mode) and the username trie/hash table (Group-Mapping mode) used for credential enforcement.

 

Tips:
Should there be any issues fetching credentials/hashes in an RODC deployment, make sure that the groups intended to be covered by credential detection are members of the “Allowed RODC Password Replication Group.”

Active Directory Users and Computers
2017-02-01_13-30-51.jpg

If failures persist, make sure that these groups are not also members of the “Denied RODC Password Replication Group” (a Deny entry takes precedence over Allow). The screenshot below shows the default members of this group, which include Domain Admins; by design, the password hashes of such accounts are not revealed to an RODC and so cannot be fetched by the Credential Agent unless the policy is changed.

Denied RODC Password Replication Group Properties
2017-02-01_13-35-12.jpg


Additional commands can be run on the DC to test whether replicating secrets for a particular user to the RODC succeeds. Should there be a failure, the messages Windows provides are extremely informative.

 

Syntax:
repadmin /rodcpwdrepl [DSA_LIST] <Hub DC> <User1 DN> [<User2 DN> <User3 DN>...]

Examples of this command can be found on the Windows Server TechNet page:
Repadmin /rodcpwdrepl



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRpCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail