Command-and-Control (C2) FAQ

by on ‎09-25-2017 04:47 PM - edited on ‎10-24-2017 09:37 AM by (27,346 Views)

A new category, “command-and-control”, has been added to URL Filtering to break out specifics from within the malware category.

 

Full functionality, which is the live categorization of C2 URLs, occurs on Wednesday October 25th, 2017.

 

Note: Administrators should set their command-and-control category to BLOCK immediately

 

Below is an FAQ about the command-and-control category.

 

Weren’t we already protected from C2?

Yes, you have always been protected from C2.  Previously, this was categorized within malware.

 

What’s the difference between malware and C2 and why should I care?

Palo Alto Networks has broken out specifics from within the malware category with C2.  Malware generally is malicious content, executables, scripts, viruses, and code that is attempting to be delivered through your network from external to internal.  These malicious attempts are being blocked by the firewall.  With C2, endpoints are trying to connect externally to remote servers.  These connections are made from inside out.  Again, the firewall is blocking the connection to these remote servers. 

 

However, security analysts will react differently to these two distinct categories. For malware, analysts will reasonably recognize that the threat was stopped by their Palo Alto Networks Firewall and the endpoint has not been compromised.  With C2, an endpoint has most likely become compromised because it is attempting to contact a remote server and remediation is necessary for that particular endpoint as well as an assessment for lateral movement/infection.    
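The analyst response described above (malware hit = delivery stopped at the firewall; C2 hit = the endpoint itself is beaconing out and needs remediation) can be turned into simple triage logic over URL Filtering logs. The following is an added example, not part of the original FAQ; the comma-separated log layout and all IPs, URLs and action strings are constructed for illustration and do not reproduce the real PAN-OS log field order.

```python
"""Triage URL Filtering log lines by category (added example, not from the FAQ).

Constructed, simplified log format (NOT the real PAN-OS field order):
    timestamp,src_ip,dst_url,category,action
"""
from collections import defaultdict

# Constructed sample log lines; hosts, URLs and actions are illustrative only.
SAMPLE_LOGS = """\
2017-10-25T09:01:12,10.0.1.15,http://dropper.example.test/payload.exe,malware,block-url
2017-10-25T09:02:40,10.0.1.22,http://beacon.example.test/gate,command-and-control,block-url
2017-10-25T09:03:05,10.0.1.22,http://beacon.example.test/gate,command-and-control,block-url
2017-10-25T09:04:51,10.0.1.40,http://beacon2.example.test/gate.php,command-and-control,alert
2017-10-25T09:05:10,10.0.1.15,http://www.example.com/,computer-and-internet-info,alert
"""


def parse_url_logs(text):
    """Parse the constructed CSV format into dicts, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        ts, src, url, category, action = parts
        records.append({"ts": ts, "src": src, "url": url,
                        "category": category, "action": action})
    return records


def triage(records):
    """Return a per-source verdict reflecting the FAQ's reasoning:

    malware hit, blocked            -> 'delivery-blocked'  (inbound content stopped, host not implied compromised)
    malware hit, not blocked        -> 'investigate'       (content reached the host)
    C2 hit, blocked                 -> 'remediate'         (host tried to call out: likely compromised)
    C2 hit, not blocked             -> 'remediate-urgent'  (beacon succeeded; profile not set to block)
    Any C2 verdict outranks any malware verdict for the same host.
    """
    verdicts = defaultdict(lambda: {"verdict": "none", "c2_hits": 0,
                                    "malware_hits": 0, "urls": set()})
    for r in records:
        v = verdicts[r["src"]]
        blocked = r["action"].startswith("block")  # e.g. block-url, block-continue
        if r["category"] == "command-and-control":
            v["c2_hits"] += 1
            v["urls"].add(r["url"])
            if not blocked:
                v["verdict"] = "remediate-urgent"
            elif v["verdict"] != "remediate-urgent":
                v["verdict"] = "remediate"
        elif r["category"] == "malware":
            v["malware_hits"] += 1
            if v["verdict"] in ("remediate", "remediate-urgent"):
                continue  # C2 verdict already set; keep it
            if blocked and v["verdict"] == "none":
                v["verdict"] = "delivery-blocked"
            elif not blocked:
                v["verdict"] = "investigate"
    # Freeze sets into sorted lists so the result is easy to serialise/compare.
    return {src: dict(v, urls=sorted(v["urls"])) for src, v in verdicts.items()}


def triage_sample():
    """Run the triage over the constructed sample lines."""
    return triage(parse_url_logs(SAMPLE_LOGS))


if __name__ == "__main__":
    for host, info in sorted(triage_sample().items()):
        print(host, info["verdict"], "c2_hits=%d" % info["c2_hits"], info["urls"])
```

The useful output is the list of hosts with a `remediate` or `remediate-urgent` verdict: those are the endpoints the FAQ says must be remediated and assessed for lateral movement, whereas `delivery-blocked` hosts need no further action from this log alone.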

 

What happens if I don’t change the C2 category to BLOCK as the action?

If you do not change the default action of the C2 category to block, all attempted connections to C2-related URLs will be allowed to go through and connect. 

 

Why is C2 not set to BLOCK by default?

The functionality for Palo Alto Networks to set the default action for the default profile to BLOCK is only available in PAN-OS version 8.0.2 and later with content version 738 or newer.  All customers running PAN-OS 8.0.2+ with content 738+ will have their default action automatically set to BLOCK in the default profile.  This functionality is NOT available on earlier versions of PAN-OS. (Please note, for PAN-OS 8.0.2+ customers, please check to ensure that the action has been properly updated to BLOCK within the default profile.)

 

If you have multiple URL Filtering security profiles, you must update the default action to BLOCK for each of these profiles. This applies to ALL versions of PAN-OS.  
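Because every URL Filtering profile has to be checked individually, an audit script that walks the exported configuration and reports each profile's action for the command-and-control category is a quick way to confirm nothing was missed. The following is an added example, not code from the FAQ or from Palo Alto Networks; the XML is a constructed sample in the general shape of a PAN-OS 8.x url-filtering profile (per-action lists of `<member>` entries) and is not a verified export, so adjust the paths to match your own configuration dump.

```python
"""Audit URL Filtering profiles for the command-and-control action (added example).

The XML below is a CONSTRUCTED sample shaped like a PAN-OS 8.x url-filtering
profile (action element -> <member> category names); it is not a real export.
"""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """\
<config>
  <profiles>
    <url-filtering>
      <entry name="default">
        <block><member>malware</member><member>command-and-control</member></block>
        <alert><member>hacking</member></alert>
      </entry>
      <entry name="guest-wifi">
        <block><member>malware</member></block>
        <alert><member>command-and-control</member></alert>
      </entry>
      <entry name="legacy">
        <block><member>malware</member></block>
      </entry>
    </url-filtering>
  </profiles>
</config>
"""

# Action lists a category can be placed in within a profile (assumed set).
ACTIONS = ("block", "alert", "allow", "continue", "override")


def category_action(profile_elem, category):
    """Return the action list that names `category`, or None when the profile
    does not mention it at all (i.e. it is not explicitly set to block)."""
    for action in ACTIONS:
        node = profile_elem.find(action)
        if node is None:
            continue
        if any(m.text == category for m in node.findall("member")):
            return action
    return None


def audit_c2(config_xml, category="command-and-control"):
    """Map every url-filtering profile name to its action for `category`."""
    root = ET.fromstring(config_xml)
    return {entry.get("name"): category_action(entry, category)
            for entry in root.iterfind(".//url-filtering/entry")}


def profiles_not_blocking(config_xml, category="command-and-control"):
    """Names of profiles that still need their action changed to BLOCK."""
    return sorted(name for name, action in audit_c2(config_xml, category).items()
                  if action != "block")


if __name__ == "__main__":
    for name, action in sorted(audit_c2(SAMPLE_CONFIG).items()):
        print("%-12s command-and-control -> %s" % (name, action or "(not set)"))
    print("needs BLOCK:", profiles_not_blocking(SAMPLE_CONFIG))
```

Run against a real configuration export, any profile listed by `profiles_not_blocking` is one where C2 connections would still be allowed through, which is exactly the situation the previous answer warns about.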

 

How is C2 defined?

Command-and-control is defined by Palo Alto Networks as URLs and domains used by malware and/or compromised systems to surreptitiously communicate with an attacker’s remote server to receive malicious commands or exfiltrate data.

 

What is the timeline for release of the C2 category?

The category content update is currently available on the URL Filtering database.  The command-and-control category will be visible on the administrator’s management console but will not be functional.  During this time, you can update the action to BLOCK for the command-and-control category.  When functionality is available, all C2 URLs will be categorized and blocked (if set to block) by the URL Filtering functionality.

 

When will the C2 category be functional?

Full functionality, which is the live categorization of C2 URLs, will occur on Wednesday October 25th, 2017.  This means that you will start seeing and blocking (if policies and profiles have been updated) URLs categorized as C2 on your firewalls.  

 

Can I test the C2 category prior to full functionality?

Yes, you can test your C2 profile(s)/policies prior to the full functionality release.  You can use this URL for testing C2 categorization: https://urlfiltering.paloaltonetworks.com/test-command-and-control .  If the profile(s)/policies are set up correctly, then access to the URL will be blocked and logged by your Firewall.

 

Does this apply to both PAN-DB and Brightcloud for URL filtering?

No, this is only for PAN-DB URL filtering and does not currently apply to Brightcloud URL filtering.

 

Note:  It is recommended to subscribe to this FAQ for timeline updates when available. 

 

See also

Make sure Command-and-Control is recognized by PAN-DB URL Filtering

 

From Kelvin Kwan

@neg273

Comments
by anwhite
on ‎09-28-2017 09:00 AM

1. Are you just migrating some of the sites from Malware and Spyware to the new Category?
2. How are you verifying the correct sites are being moved?
3. Will sites sit in 2 groups for the time being during the roll out or will it be a straight cut?

by neg273
on ‎09-28-2017 03:36 PM
anwhite wrote:

1. Are you just migrating some of the sites from Malware and Spyware to the new Category?
2. How are you verifying the correct sites are being moved?
3. Will sites sit in 2 groups for the time being during the roll out or will it be a straight cut?


 

Hi, I can't answer your questions inline directly in the message, so please see my response below:

  1. Yes, we are migrating a limited set of URLs that reside in malware currently to the new C2 category. We had started to categorize C2 internally going back a couple of months.  Those C2 URLs are currently categorized as malware, but will be migrated to C2 once full functionality is released.
  2. Verification of the URLs being migrated to C2 is based on a myriad of checks. One of which is information gathered from Palo Alto Networks’ cloud-based threat analysis service, WildFire. 
  3. It will be a straight cut when the C2 category is released for full functionality.
by EDV-BBG
on ‎09-29-2017 01:22 AM

Which license is necessary to get the new C2 category functional?

Currently, are these threats handled by malware protection, or?

Is a license for URL filtering necessary in future to get protection for the C2 category?

by KlausGroeger
on ‎09-29-2017 01:34 AM

Hello EDV-BBG,

 

this is just an additional, automated URL category. One needs the PAN-DB URL filter license. From my understanding this will not impact the Anti-Spyware functionality which comes with Threat Prevention license.

This category is an additional one like the three introduced last year: Extremism, Copyright infringement, Insufficient content

 

https://live.paloaltonetworks.com/t5/Management-Articles/New-PAN-DB-Categories-Extremism-Copyright-I...

by PJalcaraz
on ‎10-10-2017 07:41 PM

Do you have any tentative date for the functionality of this new feature? Thanks

by CyberNinja
on ‎10-11-2017 06:57 AM

If the device does not contain the URL Filtering license, the assumption here is that the device is left vulnerable to C2 unless another device is currently blocking the threats correct?

by
on ‎10-11-2017 07:49 AM

Hi @CyberNinja

Not entirely: without the URL filtering license, web requests to C2 domains would not be blocked, but with a valid Threat Prevention license we'd still be able to block malicious payloads.

by Ruben.King
‎10-11-2017 08:25 AM - edited ‎10-11-2017 08:27 AM

@reaper you mention PAN-OS 8.0.2 or higher is required. Can you confirm which OS versions are affected please? Some articles mention 7.x, and I see the category on a production 6.1 box.

by
‎10-11-2017 08:50 AM - edited ‎10-11-2017 09:35 AM

@Ruben.King my bad, I misread! This will work on any PAN-OS

 

by
‎10-11-2017 09:34 AM - edited ‎10-11-2017 01:30 PM

@PJalcaraz @Ruben.King The best tentative date we can provide at this time is very soon for full functionality of the C2 category. (Full functionality = URLs are categorized as C2 by PAN-DB and being blocked.) Please subscribe to this FAQ for timeline updates when available.

by ecasbas
on ‎10-17-2017 03:28 AM

And what about Brightcloud? Are those who are using Brightcloud affected in some way by this change? Many thanks!

by
on ‎10-17-2017 03:37 AM

@ecasbas this change does not apply to BrightCloud

by MarcosEspina
on ‎10-20-2017 05:34 AM

by
on ‎10-20-2017 05:45 AM

@MarcosEspina the new category is populated by downloading content update 738 or later; the PAN-DB database is a collection of the most popular URLs to prepopulate your cache (it does not contain the URL categories)

by MarcosEspina
on ‎10-20-2017 07:02 AM

Yes the version of the content was the issue, once updated the C2 category is selectable. Thanks @reaper 

 

by MuhammedSaeed
on ‎11-08-2017 04:58 AM

Hello,

 

I have panorama with only Premium Partner Support, and 50+ firewalls managed by it.

 

The firewalls have PAN-DB License.

 

On each firewall I can see the new C&C category, but on Panorama I can't see it.

 

Security Profiles are configured by Panorama, so the changes must be done on Panorama.

 

I can download App and Threats Updates on Panorama and I have the latest.

 

Do I need to have PAN-DB license for Panorama to see the new category?

by
on ‎11-08-2017 05:33 AM

Panorama needs to be set to PAN-DB and needs to have the latest Apps & Threats; that is the only requirement to get the Command & Control category

 

 

show system info should return something like this:

 

> show system info

hostname: Aviary204
...
app-version: 748-4315
...
url-db: paloaltonetworks
by MuhammedSaeed
on ‎11-09-2017 12:42 AM

Thank you reaper for your reply.

 

I run the command:

 

> show system info

 

app-version: 748-4315

url-db: brightcloud

 

I run the command

> set system setting url-database paloaltonetworks

 

 and now it shows:

 

url-db: paloaltonetworks

 

But I don't have PAN-DB license, and I can't see the new category, do I need PAN-DB License?

by MuhammedSaeed
on ‎11-09-2017 01:39 AM

Never mind, I can see it now.

 

I was using command line and couldn't see it, but in GUI I can see it.

 

Thanks for your help.
