Acting on Vulnerability threats

Thanks Sandeep for your reply,

I am still not sure how I can best use the threat feature to prevent an attack.  At what point is it safe to make an action BLOCK instead of just ALERT as I have now.

In other words I don't want to set an action as BLOCK if there is just a potential for attack.  With other tools, I have seen vulnerabilities detected which are mitigated by patches or other measures so the "vulnerabilty" is really a false positive.

If on the other hand, the threat listed in the threat log is an absolute attack of a particular vulnerability, then I of course would want to block this.

As an example of how to use, lets try this scenario:

Suppose there is a vulnerability where a specially crafted GIF file could be used to attack a system.  Does the Threat log show this vulnerability every time a GIF file is downloaded OR just when a GIF file has the specific code to attack?

If it logs for every GIF then this would be a potential threat we would have to decide when to block.  If it logs for only those GIF files that have the attack code then we could set those to block to prevent an attack.

If it logs for every GIF just because the potential is there, I don't see how I can use this to prevent an attack.  This is my area of confusion.  Is there a Best Practice document on how to use the features of the PA to maximize the threat prevention capabilities?

Thanks,

Crill

In your example, if would take the block action only if the network traffic matches what's in the threat database.

>Suppose there is a vulnerability where a specially crafted GIF file could be used to attack a system.  Does the Threat log show this >vulnerability every time a GIF file is downloaded OR just when a GIF file has the specific code to attack?

>If it logs for every GIF then this would be a potential threat we would have to decide when to block.  If it logs for only those GIF files that >have the attack code then we could set those to block to prevent an attack.

In above case, our vulnerability signature will flag ONLY when it sees the "specially crafted" GIF file (this will cause a threat log). Normal GIF files won't trigger the signature and as such you won't see a threat log.

I hope that answers your overall question.

Feel free to let us know if you have any followups,

Thanks,
Sandeep

Ok, now for an actual example that I am looking at.

In our threat log there are numerous entries for virus type event with id 648197 and a description of "worm/win32.mabezat.0806".  This threat is listed as Medium and also using ms-update application.  All of the source addresses appear in the msecn.net domain.

This looks like a false positive.  What does this threat log entry mean?

Back to one of my original questions: At what point do we use the capabilities of Palo Alto to block (i.e. prevent) an attack?

Do we set a threshold of High and Critcal or do Medium threats need to be blocked as well.  I would like to set to block for all threats that are known if that is a possible use of the Palo Alto capabilities.  Of course if I am going to potentially also block legitimate traffic that matches the threat then I would have to weigh that in the decision.

Thanks,

Crill

It very well could be a false positive. I would contact support to have them review it. Virus updates are released daily.

In the beginning, I would set the profiles to take a default action until you feel more comfortable with the definitions. There is also an option in the profiles to take a PCAP so you can review each packet in Wireshark.

>Ok, now for an actual example that I am looking at.

>

>In our threat log there are numerous entries for virus type event with id 648197 and a description of "worm/win32.mabezat.0806".  This >threat is listed as Medium and also using ms-update application.  All of the source addresses appear in the msecn.net domain.

>

>This looks like a false positive.  What does this threat log entry mean?

The threat log indicates that the device saw some file traffic that the device thought to be a virus. In your particular case, since the traffic is coming from Microsoft, it is unlikely that the files will be infected by virus. In this case, I'd go to the virus profile and put the particular threat id under "virus exception" in the antivirus profile.

>Back to one of my original questions: At what point do we use the capabilities of Palo Alto to block (i.e. prevent) an attack?

>

>Do we set a threshold of High and Critcal or do Medium threats need to be blocked as well.  I would like to set to block for all threats that >are known if that is a possible use of the Palo Alto capabilities.  Of course if I am going to potentially also block legitimate traffic that >matches the threat then I would have to weigh that in the decision.

Your question pertains to "how to tune the box" i.e., how to decide what actions are needed for vulnerability, spyware and antivirus signatures... to go with the default action or set it yourself. One way to do this is to start with the "default" settings for the signatures and if you see false positives or if you see certain alerts that should have been blocks, you can go and modify individual signature actions as well i.e., start tuning the signatures based on your network. Also, in case you see any false negatives (any attacks that we should have blocked but we didn't) please file a case with support and our engineering team can look into this.

Hope this helps,

Thanks,

Sandeep

>Thanks,

>Crill

Hi Sandeep,

I have one example where the fw detected a Microsoft Internet Explorer Vulnerabilty where the traffic after further investigation turned out to be between 2 linux hosts.  Although the fw can only look at the packets and has no way of knowing what the source or destination machines are, this is definately a false possitive.

We see similar things all the time and it is coming to the point where we stop taking the alerts serious because up till now we haven't had one alert that after investigation turned out to be a real problem.

What would be the correct approach to get rid of false possitives so that we can come to a point where an alert only happens when there is an actual problem?

rgs,

Luc

Hello Luc,

I understand your dilemma in the fullest being in the area of implementing traditional IPS systems for the last 6 years with different vendors like Tipping Point, McAfee, IBM/ISS just to name a few.

The real pain with an IPS/IDS is to sort out false positives and this is not only a one time process. In order to operate an intrusion prevention system it is mandatory to have a continous IPS policy tuning process in place, otherwise such a system is worthless.

In my opinion an ideal IPS has the ability to import information from a Vulnerability Management System like Qualys for example. The VMS scans systems for known vulnerabilities and other details like operating system, security patch level etc. and reports its findings back to the IPS. Then the IPS could correlate its attack data against the vulnerability information from the threat log for example. This way you would not see any more log entries for an attack against a vuln. for IIS just to find out that the reported destination address (victim) is an apache... Or you see threat log entries for a sendmail vuln. and you have an Exchange Server in place ...

I know that Sourcefire for example has partnered with Qualys for this reason. Also McAfee has its own IPS and a product called Foundstone for the vulnerability scanning and correlation.

I really would like to see such an approach from PAN, this would be very exciting. I know Qualys for example would be more than happy to look at this together with PAN.

I kown this is something for a long term wishlist, but I don't stop dreaming 😉

rgds

Roland

"Long term wishlist" ???

I think that if PAN want to be the best IPS on the market (as it claims to be), is not acceptable not having a passive/active VA engine integrated!

All the serious IPS have a Nessus or something like that included.

The real effectiveness depends only by a correct impact analysis, talking about IPS solutions.

I hope PAN will work on this way (quickly) if they want a customer replace his existing IPS infrastructure with PAN firewalls!

It should be one feature included in 4.0....

Luc,

If you have false positives, please call or email support with the device information (PAN-OS version, content threat version, what threat was triggered, packet capture, etc). We take false positives very seriously and will work to get them fixed.

Thanks,

Alfred

Here is an excerpt from Gartners MQ 2010 Network Intrusion Prevention Systems:

Extra-IPS Intelligence

An IPS embedded within an NGFW will have the best opportunities for interaction through tightly
coupled operation, rather than as separate products. As vulnerability research has improved, the
gap between vulnerability exploitation and IPS signatures to protect that vulnerability has closed.
Future protection improvements of significance will come from bringing intelligence into the IPS
from external sources instead — points the IPS does not normally have visibility within. Examples
include vulnerability management data, reputation data or known external sources of malware,
directories and firewalls. Vulnerability management allows for blocking to be done with knowledge
of the target (for example, no need to block an attack that the server has been patched for).
Reputation feeds can provide intelligence to the IPS in terms of the source (for example, only
malware has ever come from that location). Most extra-IPS intelligence today is provided to
operators and is not made use of automatically within the IPS decision engine. Future IPS
improvements will see better correlation through more-active use of this intelligence.

I believe this is an important point and this should be the way to go in the future for IPS. PAN can you do something ?

So to anyone that says that Intrushield and Foundstone have integrated through ePO at McAfee, I say show me.  I have done this integration and it does not do what is proposed, it merely almagamates reports or alerts, something you do with SIEM usually.

Anyway, for the integration of Qualys or Nessus, they already make XML reports, you need to check out the REST API if you want to make set or get calls to the appliance based on other information.

It's the same method for integrating wireless 802.1X user auth into the user databases, your just making a different type of call. Aruba has worked very closely with Palo Alto on this, which is the same responsability any of these VA scanning companies need to do to step up their offering with this technology, not the other way around. They do it for SIEM, if this is the way of the future they should do it for this too.

Anyway,  I'd be happy to start a thread on this for Nessus to start if you want to join me?

Can this response be further clarified please?

sjain wrote:

When you see a threat log corresponding to a vulnerability, it means that our firewall detected some network traffic that could be intended to take advantage of the corresponding vulnerability i.e., an actual attack. 

I take this to mean that just because there is traffic intended to attack a vulnerability does not mean that the system being attacked actually has that vulnerability.  Is that correct?

Thanks,

Keith