By: Nina Smith
Watch this short video to learn how to enable ATP with Inline Cloud Analysis and prevent unknown C2 traffic.
Note: PAN-OS 10.2, an ATP license, and a consistent cloud connection are required.
Attackers are constantly evolving, making today's cyber threats more elusive than ever. Among the hardest to detect is highly evasive, malleable Command and Control (C2) traffic.
This stealthy communication comes from compromised systems "phoning home" to external C2 servers. Red-team frameworks such as Cobalt Strike and Empire, built for penetration testing, ship with features that generate customizable traffic profiles (Cobalt Strike calls them malleable C2 profiles), letting the implant's traffic mimic legitimate applications and slip past defenses that match on fixed patterns.
So, how can organizations stay ahead of these advanced threats? The answer lies in the power of Palo Alto Networks Next-Generation Firewalls—leveraging our Advanced Threat Prevention (ATP) service to detect and block even the most sophisticated C2 techniques.
Since its inception, Threat Prevention on Next-Generation Firewalls (NGFWs) has relied on signature-based detection to identify known Command and Control (C2) traffic. That works against known threats, but it struggles with "malleable profiles": customized C2 communications designed specifically so that no existing signature matches them.
That’s where Advanced Threat Prevention (ATP), introduced in PAN-OS 10.2, comes in—changing the game in C2 threat detection. Enabling Inline Cloud Analysis within the Anti-Spyware profile unlocks powerful, real-time detection capabilities that stop even the most evasive C2 threats before they can cause harm.
When Inline Cloud Analysis is enabled, suspicious traffic is sent to globally distributed, cloud-hosted machine learning and deep learning models for additional, in-depth inspection.
The "inline" element is key. The firewall forwards the session as normal but withholds the last byte of the payload until the cloud analysis returns a verdict; if the verdict is malicious, that byte is never delivered and the session is blocked, so the client never receives a complete response. Because ATP uses geographically distributed cloud locations, verdicts return quickly enough that the hold is not noticeable to end users. The flip side is a dependency: the firewall needs the consistent cloud connection listed in the requirements above, so verify that connectivity before relying on inline verdicts.
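To make the hold-the-last-byte mechanism concrete, here is a small conceptual model, added as an example for this page. It is not PAN-OS code and does not reproduce any Palo Alto Networks internals: the cloud lookup is a constructed stub that keys on a marker in constructed sample payloads, the JSON "client" is invented for illustration, and the timeout policy (`fail_closed`, i.e. fail-open versus fail-closed when no verdict arrives within budget) is an assumption made for the example, not a documented firewall setting. What it shows is why withholding even one byte is enough: a client that needs the complete payload cannot act on a response whose final byte never arrives.

```python
"""Conceptual model of inline verdict gating, added here as an illustration.

Not PAN-OS code. It models the behaviour the text describes: forward the
session as usual, withhold the final byte until the cloud verdict arrives,
then release that byte (benign) or drop it and reset the session (malicious).
The cloud lookup is a constructed stub; the timeout policy is an assumption.
"""
import json
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass
class GateResult:
    delivered: bytes        # what the client actually received
    action: str             # "allow", "reset-both", "allow-on-timeout", "reset-on-timeout"
    verdict: Optional[str]  # cloud verdict, or None if none arrived within budget


# Signature of the (stubbed) cloud analysis call: payload -> (verdict, latency_ms)
CloudLookup = Callable[[bytes], Tuple[str, float]]


def inline_gate(payload: bytes, lookup: CloudLookup,
                budget_ms: float = 500.0, fail_closed: bool = True) -> GateResult:
    """Forward `payload` with its last byte held back until `lookup` returns."""
    if len(payload) < 2:
        # Nothing meaningful to hold back; degenerate allow.
        return GateResult(payload, "allow", None)
    head, last = payload[:-1], payload[-1:]
    delivered = bytearray(head)   # streamed to the client while analysis runs

    verdict, latency_ms = lookup(payload)
    if latency_ms > budget_ms:
        # No verdict in time: apply the timeout policy (assumption, see docstring).
        if fail_closed:
            return GateResult(bytes(delivered), "reset-on-timeout", None)
        delivered += last
        return GateResult(bytes(delivered), "allow-on-timeout", None)

    if verdict == "malicious":
        # The held byte is never released and the session is torn down.
        return GateResult(bytes(delivered), "reset-both", verdict)

    delivered += last
    return GateResult(bytes(delivered), "allow", verdict)


# --- constructed stub standing in for the cloud model ------------------------
# A real detector scores protocol and content features; this stub only keys on
# a marker embedded in the constructed samples so the gating logic is deterministic.
C2_MARKER = b'"beacon-id"'


def make_stub_cloud(latency_ms: float) -> CloudLookup:
    def lookup(payload: bytes) -> Tuple[str, float]:
        return ("malicious" if C2_MARKER in payload else "benign", latency_ms)
    return lookup


# Constructed samples: a benign JSON reply and a fake C2 tasking reply.
BENIGN = json.dumps({"status": "ok", "items": [1, 2, 3]}).encode()
TASKING = json.dumps({"beacon-id": "demo", "task": "sleep 60"}).encode()


def client_can_parse(delivered: bytes) -> bool:
    """What the invented 'client' does with what it received: parse it as JSON."""
    try:
        json.loads(delivered)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    fast = make_stub_cloud(latency_ms=40.0)
    slow = make_stub_cloud(latency_ms=2000.0)
    for name, payload, cloud, closed in [
        ("benign/fast", BENIGN, fast, True),
        ("tasking/fast", TASKING, fast, True),
        ("tasking/slow, fail-closed", TASKING, slow, True),
        ("tasking/slow, fail-open", TASKING, slow, False),
    ]:
        r = inline_gate(payload, cloud, budget_ms=500.0, fail_closed=closed)
        print(f"{name:28s} action={r.action:17s} client_parses={client_can_parse(r.delivered)}")
```

The interesting row is the slow-cloud case: with the connection degraded, the gate must choose between letting an unverified payload through and resetting a possibly benign session, which is exactly why the page lists a consistent cloud connection as a requirement.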
With PAN-OS version 10.2, your firewall gains the ability to detect malleable profiles generated by sophisticated C2 tools like Cobalt Strike. Upgrading to PAN-OS 11.1 takes this capability even further, adding detection for malleable profiles from C2 frameworks, including Empire.
Activating this protection is straightforward, whether you manage your environment through Strata Cloud Manager (SCM), the firewall web interface, or Panorama.
Activate Strata Cloud Manager (SCM):
Activate Firewall UI or Panorama:
Once ATP with Inline Cloud Analysis is enabled, your organization gains protection against highly evasive, malleable, previously unseen C2 traffic, including traffic generated by frameworks such as Cobalt Strike and Empire.
In addition, threat logs for these detections include a cloud report that explains the detection logic and provides context, including CVE (Common Vulnerabilities and Exposures) references and MITRE ATT&CK framework mapping, so your security team can understand the nature and behavior of each threat and respond accordingly.
To truly safeguard your organization from the most advanced and evasive command and control threats, enabling Advanced Threat Prevention (ATP) on your Palo Alto Networks firewall is not just recommended, it's essential. Take the step to unmask the invisible and strengthen your security posture against today’s most sophisticated threats.