Threat content 555 new features: exploit kit and phishing vulnerability profile categories

by rcole on 02-05-2016 10:26 AM - edited on 02-19-2016 08:08 AM by EmmaF (11,273 Views)

Content 555, released on February 3rd, 2016, introduced two new categories to help classify phishing attacks and exploit kits (such as Angler, Rig, Nuclear, Magnitude, and Fiesta).

Please note that querying by these added categories only works on PAN-OS 7.0.x and later.

 

When creating a new Vulnerability Profile, it is now possible to select the categories "exploit-kit" and "phishing" to limit the profile to detecting and enforcing only threats within these categories.

Let's go through creating a vulnerability profile that prevents only exploit kit and phishing signature triggers, with an action of Reset Both.

 

  1. Log in to the PAN-OS web interface.
  2. Navigate to Objects.
  3. Navigate to Security Profiles > Vulnerability Protection.
  4. Click Add in the bottom left corner.
  5. Name the profile in the Name box (the rest of this article uses "Exploit Kit and Phishing").
  6. Click Add to create a new rule.
  7. Name the rule. Let's use "Exploit Kits" for the example.
  8. Set the Action to "Reset Both".
  9. Set the category to "exploit-kit".
  10. Set packet capture to "extended-capture". Exploit kits represent an extreme threat to any customer, and it's critical to see as much data as possible related to the signature triggers.
  11. The rule should look like this: [screenshot: Exploit Kits rule]
  12. Click OK to save the rule.
  13. Click Add to create a new rule, which we will use for phishing.
  14. Name the rule. Let's use "Phishing" for the example.
  15. Set the Action to "Reset Both".
  16. Set the category to "phishing".
  17. The rule should appear similar to this: [screenshot: Phishing rule] The finished profile should look like this: [screenshot: profile with both rules]
      To gain visibility into which signatures any specific rule within the profile relates to, check the box next to the rule name and click Find Matching Signatures; this displays a list of all signatures that match that rule and helps confirm that the profile applies the reset-both action only to the intended signatures.
  18. Click OK.
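The same two-rule profile built from the PAN-OS CLI instead of the web interface, as an added example that is not part of the original article. The configure-mode grammar is what I recall of the PAN-OS 7.0 `set profiles vulnerability` command and should be confirmed with `?` tab completion on your own device; the profile name "Exploit Kit and Phishing" and the rule names come from the article, and the prompt hostname is a placeholder.

```text
# Added example (not from the original article). Assumes PAN-OS 7.0.x or later,
# since the exploit-kit and phishing categories do not exist in earlier releases.
# "firewall" in the prompt is a placeholder hostname.
admin@firewall> configure
Entering configuration mode

# Rule 1: exploit-kit category, reset both sides, extended packet capture
admin@firewall# set profiles vulnerability "Exploit Kit and Phishing" rules "Exploit Kits" action reset-both
admin@firewall# set profiles vulnerability "Exploit Kit and Phishing" rules "Exploit Kits" category exploit-kit
admin@firewall# set profiles vulnerability "Exploit Kit and Phishing" rules "Exploit Kits" severity any
admin@firewall# set profiles vulnerability "Exploit Kit and Phishing" rules "Exploit Kits" cve any
admin@firewall# set profiles vulnerability "Exploit Kit and Phishing" rules "Exploit Kits" vendor-id any
admin@firewall# set profiles vulnerability "Exploit Kit and Phishing" rules "Exploit Kits" threat-name any
admin@firewall# set profiles vulnerability "Exploit Kit and Phishing" rules "Exploit Kits" host any
admin@firewall# set profiles vulnerability "Exploit Kit and Phishing" rules "Exploit Kits" packet-capture extended-capture

# Rule 2: phishing category, reset both sides; packet capture left at its default
admin@firewall# set profiles vulnerability "Exploit Kit and Phishing" rules "Phishing" action reset-both
admin@firewall# set profiles vulnerability "Exploit Kit and Phishing" rules "Phishing" category phishing
admin@firewall# set profiles vulnerability "Exploit Kit and Phishing" rules "Phishing" severity any
admin@firewall# set profiles vulnerability "Exploit Kit and Phishing" rules "Phishing" cve any
admin@firewall# set profiles vulnerability "Exploit Kit and Phishing" rules "Phishing" vendor-id any
admin@firewall# set profiles vulnerability "Exploit Kit and Phishing" rules "Phishing" threat-name any
admin@firewall# set profiles vulnerability "Exploit Kit and Phishing" rules "Phishing" host any

# Review the candidate configuration before committing
admin@firewall# show profiles vulnerability "Exploit Kit and Phishing"
admin@firewall# commit
```

Two points worth checking before the commit: the `category` value must be typed exactly as the content release spells it (`exploit-kit`, `phishing`), and, as the comments below note, a reset or drop action only captures the offending packet regardless of the `extended-capture` setting, so the commit warning about first-packet capture is expected with this profile.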

 

There is now a vulnerability protection profile named "Exploit Kit and Phishing" that can be attached to any security policy where it applies.

When investigating signature triggers in the future, filtering the Threat log by category can be useful:

[screenshot: Threat log filtered by category]

Comments
by jcritch
on ‎02-11-2016 09:46 AM

On our Palo Alto 3020 appliances, after updating, the ability to set Action to 'Reset Both' is NOT available. Is the article wrong or is there a problem with our Palo Alto systems?

by emr_
on ‎02-11-2016 04:08 PM

Hi jcritch,

Which PAN-OS version are you using? 'reset both' is available from 7.0 and higher.

by Grubbsy
on ‎02-22-2016 06:01 AM

Can you make any recommendations on which security policy to add this new vulnerability protection profile to? Should it simply be added to an existing policy, or should a new one be created from untrust to trust?

by Lucky
on ‎03-12-2016 04:52 AM
Hello Grubbsy, this article demonstrates the possibility of granulating vulnerability profiles, which is a new configuration option. Most vulnerability profiles do not granulate / distinguish rules by category; they usually fall back onto severity itself, such as the default profiles. In that case, as far as I can tell at the moment, all vulnerabilities from the category exploit-kit have critical severity, meaning that if you are using default profiles, your action is already set to reset-both. As for the phishing attacks, some are high, critical, or low, depending on what they are. If you wish to still reset-both on both types, then you can edit your existing vulnerability profile and add a vulnerability profile rule. In any case, actually, you can customize your profile by just adding those rules; by no means do you need to discard your old policies. This just helps you granulate more if needed and enforce stricter/looser rules in particular cases.
by rabolfathi
on ‎03-16-2016 04:39 PM

When I commit the change, it says that only the first packet will be captured, even though extended-capture has been selected.

by Lucky
on ‎03-17-2016 07:07 AM

rabolfathi - it is so because you have the drop action selected; after the offending packet, everything else will be dropped. You need "alert" to be able to do extended caps. I am not sure I would do it in production; I certainly do it in profiles for myself, but I do know what I am doing and what I am clicking. For the average user, I would still keep it at blocking.

by stcrye
on ‎04-25-2016 12:23 PM

When I select either the Exploit Kits or Phishing rules and click Find Matching Signatures, nothing is found. It seems to be just searching through the 8412 rules for this match: (rule eq 'Phishing') or (rule eq 'Exploit Kits'). Because the names of the rules we created using your example are arbitrary, I don't see how any match would have meaning. For example, I could have named the exploit-kit rule "Bubba."

Also, I can't figure out how to see any matches in the logs, or to determine exactly what criteria the firewall applies when looking for a phishing attack.

 

Steve
