Episode Transcript:
John:
Hello, and welcome back to PANCast. In today's episode, we will discuss Phishing Emails and relevant Threat Prevention features in PAN-OS. We have a special guest today to talk about this, Jithu.
Before we start Jithu, could you tell us about yourself?
Jithu:
Hey John, I’m a Principal Cybersecurity Specialist in the Threat team and have been with Palo Alto networks for about 7 
John:
Thanks Jithu, so to start with, what is Phishing?
Jithu:
Phishing is a form of social engineering where a threat actor sends one or more fraudulent communications to a user in an attempt to trick them into downloading malware onto a device or forfeit sensitive information such as login credentials, personal identifiable information (PII) or financial data. In most cases, phishing usually occurs through communication channels such as email, SMS messages, social media or phone calls (also called vishing). Today we'll be talking about phishing emails and coverages we have in PAN-OS.
John:
Great, so what coverage do we have and what are typical scenarios?
Jithu:
Phishing is a very popular initial attack vector and we'll be discussing 2 scenarios today. Before I start, I want to stress on the point that SSL Inbound inspection has to be configured in the firewall for it to be able to inspect inbound SMTP traffic running over TLS.
Scenario No 1 - Email with Phishing link passing through the firewall
This is a common scenario where an attacker sends out phishing emails with a link, with the goal of convincing the user to click on the link and provide login credentials, download and execute malware etc.
If the Wildfire Profile is attached to the security policy matching the traffic and it's configured to forward email-links, the firewall extracts the HTTP/HTTPS links and forwards it to Wildfire for Analysis. WildFire visits submitted links to determine if the corresponding web page hosts any exploits or displays phishing activity. A link that WildFire finds to be malicious or phishing is:
Now, let's move on to what happens when the user clicks the link assuming that this is a phishing attempt focusing on credential theft. Scenario where the link downloads a malware is similar to the scenario no 2 that I'll be talking about next:
Scenario No 2 - Phishing Email with malicious Attachment passing through the firewall
This is also a common scenario where an attacker sends out phishing emails with a malicious attachment with the goal of tricking the user to execute the malware.
This malicious attachment can be blocked by Wildfire Signatures, Antivirus Signature or Wildfire Inline ML. All these are configured as a part of Antivirus profile, Wildfire and Antivirus Signatures are signatures released as a part of Wildfire and Antivirus Bundle respectively. The WildFire inline ML option present in the Antivirus profile enables the firewall dataplane to apply machine learning on PE (portable executable), ELF (executable and linked format), MS Office files, PowerShell scripts and shell scripts in real-time. This protection extends to currently unknown as well as future variants of threats that match characteristics that Palo Alto Networks has identified as malicious. To keep up with the latest changes in the threat landscape, inline ML models are added or updated via content releases.
Apart from this, Wildfire profile can be attached to the security policies and Wildfire supported file types will be forwarded to Wildfire for Analysis. Wildfire will analyze the sample in the sandbox and Wildfire Submissions log will be written in the firewall with verdict 'malware'. Wildfire Submissions logs will be written irrespective of if the sample was blocked by the above mentioned features or not, the main difference is the priority of the logs:
So, if a file has passed through the firewall 5 times and was allowed 1 time and blocked 4 times, there will be 1 High priority log and 4 Informational priority logs under Wildfire Submissions. As a customer you should always review the High Priority Wildfire submissions log as these samples were not blocked by the firewall and have potentially reached the end-point.
Once Wildfire classifies a sample as Malware, a signature is released and sent to the firewall as a part of Wildfire bundle or real-time based on the configuration. This signature will eventually be released as a part of the Antivirus bundle in 24-48 hours.
You can also leverage File Blocking profiles to block unwanted files being allowed over security policy matching SMTP traffic. You should have a custom file blocking profile that's mapped to the security policy allowing SMTP traffic and should ask yourself questions like "Do I really need to allow encrypted-rar, encrypted-zip or even exe file type over SMTP?".
John:
Looks like we have strategies to counter phishing emails.
Jithu, what would be the key takeaways for today?
Jithu:
The key takeaways would be to be diligent with hardening the security profiles and making sure that the profiles are applied to the relevant security policies so that all the protections that I mentioned are applied.
I would like to reiterate the importance of having a process in place to handle High Priority Wildfire Submissions Logs.
John:
Thanks, Jithu, great info on some of our threat prevention features. You can find the transcript and some valuable links on live.paloaltonetworks.com under PANCast. Thanks again Jithu.
Jithu:
Thank you for having me, looking forward to being a part of more episodes.
John:
Hope you have learnt something today PANCasters and remember to subscribe on all popular podcast platforms. Bye for now.
Related Content:
