How to block malware getting executed?.


L0 Member

I would like to block malware files. On my gateway firewall, what file types should I block? If I block only exe/DLL files from getting downloaded, will it help to avoid the final malware getting executed? What I would like to understand is: even if I allow communication with Command and Control (C2) servers, if I block executable/DLL files, will it really block the malware's ultimate purpose? Will the final payload only be an executable like an exe/DLL?

Accepted Solutions

Cyber Elite

Hello,

Unfortunately this is a complicated answer. The best defense is a multi-layered one. While the PAN is a great platform, it should not be the only defense you have. I always tell folks the following:

  • Use a secure DNS provider such as OpenDNS, TitanHQ, or Quad9. Even PAN has one now.
  • Secure your border, i.e. use a PAN and configure all options: App/Threat, WildFire, etc.
    • Block all non-essential inbound traffic with Layer 7
    • Block all outbound non-essential traffic with Layer 7, URL filtering, SSL decryption, etc.
  • On the endpoint:
    • Use a next-gen AV product, i.e. Traps, FireAMP, etc.
    • Get logging and telemetry from the endpoint; FireAMP has this built in, CB Response is another
  • Segment your network; zero-trust is a great option.
  • Get NetFlow data
  • Use a SIEM to bring all logs together for analysis
    • ELK has been doing great work in this area; they have a SIEM module now.
  • TEST!
    • Make sure you are getting logging/blocking, etc.!
    • Atomic Red Team
    • MonkeyIsland
    • Nessus
  • Remember that security is not a destination, it's a circular journey

I'm sure I might have missed some areas, so I'm interested in what others post as well.
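The original question asks whether blocking exe/DLL downloads at the gateway stops the final payload. The following is an added example (not code from this thread or from any vendor product) that contrasts extension-based blocking with content-based file-type identification on constructed header bytes, and shows that even a content-based PE block lets a macro-enabled Office document through, which is the layering point made above.

```python
import struct

# Constructed sample "files": only the leading header bytes, enough to be
# classified. None of this is real malware; the PE sample is an empty shell.
def pe_bytes() -> bytes:
    # DOS header starts with "MZ"; e_lfanew at offset 0x3C points to "PE\0\0".
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 16

SAMPLES = {
    "invoice.pdf": pe_bytes(),                  # PE hidden behind a harmless extension
    "setup.exe": b"%PDF-1.7 ...",               # a real PDF with a scary extension
    "macro.docm": b"PK\x03\x04" + b"\x00" * 20, # OOXML is a ZIP container
    "note.txt": b"hello",
}

def identify(data: bytes) -> str:
    """Classify by magic bytes, the way content-aware file blocking does."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
        return "dos-mz"
    if data[:4] == b"%PDF":
        return "pdf"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1":
        return "ole"
    return "unknown"

BLOCKED_EXTENSIONS = frozenset({"exe", "dll"})
BLOCKED_TYPES = frozenset({"pe"})

def extension_verdict(name: str) -> str:
    """Naive rule: trust the file name."""
    return "block" if name.rsplit(".", 1)[-1].lower() in BLOCKED_EXTENSIONS else "allow"

def content_verdict(data: bytes) -> str:
    """Better rule: trust the bytes, not the name."""
    return "block" if identify(data) in BLOCKED_TYPES else "allow"

def compare(samples: dict) -> list:
    """Return (name, detected type, extension verdict, content verdict) per sample."""
    return [(n, identify(d), extension_verdict(n), content_verdict(d))
            for n, d in samples.items()]

if __name__ == "__main__":
    for row in compare(SAMPLES):
        print(row)
```

The renamed PE is allowed by the extension rule but blocked by the content rule; the macro document is allowed by both, which is why endpoint controls and whitelisting still matter.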

5 REPLIES

Also configure the DNS sinkhole under the Anti-Spyware profile.

Rest mostly Okta covered.

MP

Help the community: Like helpful comments and mark solutions.

There are also applications such as CB Protect that whitelist what can be run/executed on a workstation. That way, if it's not on the whitelist, it won't execute.

To elaborate on the above, consider this scenario.

Your end user downloads a seemingly malignant file that the PA has no signature for [yet].

12 hours later that malignant file is found to have a malicious payload and PA creates a signature for it. So do Sophos, McAfee, etc.

13 hours later the file activates on your network. You don't have AV/malware protection on the endpoints.

14 hours later you're packing your desk.....

So as OtK points out, it's a multi-layer approach. It's always best to block as close to the "SOURCE" as possible, but there need to be the extra layers and indeed different methods of detection, selecting products from differing vendors who may get an update to you quicker than one of your others.

Rob

Thanks OtakarKlier
