Threat Prevention or Threat Prevention License
Advanced Threat Prevention is an intrusion prevention
system (IPS) solution that can detect and block malware, vulnerability
exploits, and command-and-control (C2) across all ports and protocols,
using a multi-layered prevention system with components operating
on the firewall and in the cloud. The Threat Prevention cloud operates
a multitude of detection services using the combined threat data
from Palo Alto Networks services to create signatures, each possessing
specific identifiable patterns, and are used by the firewall to
enforce security policies when matching threats and malicious behaviors
are detected. These signatures are categorized based on the threat
type and are assigned unique identifier numbers. To detect threats
that correspond with these signatures, the firewall operates analysis
engines that inspect and classify network traffic exhibiting anomalous
In addition to the signature-based detection mechanism, Advanced Threat Prevention provides an
inline detection system to prevent unknown and evasive C2 threats, including those
produced through the Empire framework, as well as command injection and SQL injection
vulnerabilities. The Advanced Threat Prevention cloud operates extensible deep learning
models that enable inline analysis capabilities on the firewall, on a per-request basis,
to prevent zero-day threats from entering the network and to distribute
protections. This allows you to prevent unknown threats using real-time traffic
inspection with inline detectors. These deep learning, ML-based detection engines in the
Advanced Threat Prevention cloud analyze traffic for unknown C2 and for SQL injection
and command injection exploits, protecting against zero-day threats.
To provide a threat context and comprehensive detection details, reports are generated
that can include the tools/techniques used by the attacker, the scope and impact of the
detection, as well as the corresponding cyberattack classification as defined by the
MITRE ATT&CK® framework.
MITRE ATT&CK® is a curated knowledge base and model for
cyber adversary behavior. This work is reproduced and distributed
with the permission of The MITRE Corporation. The MITRE Corporation
(MITRE) hereby grants you a non-exclusive, royalty-free license
to use ATT&CK® for research, development, and commercial purposes.
Any copy you make for such purposes is authorized provided that
you reproduce MITRE’s copyright designation and this license in
any such copy.
By operating cloud-based detection engines, you can access a
wide array of detection mechanisms that are updated and deployed
automatically without requiring the user to download content packages
or operate process-intensive, firewall-based analyzers which consume
resources. The cloud-based detection engine logic is continuously
monitored and updated using C2 traffic datasets from WildFire, with
additional support from Palo Alto Networks threat researchers who
provide human intervention for highly accurate detection enhancements.
Advanced Threat Prevention’s deep learning engines support analysis
of C2-based threats over HTTP, HTTP2, SSL, unknown-UDP, and unknown-TCP
applications. Additional analysis models are delivered through content
updates; enhancements to existing models, however, are performed
as a cloud-side update, requiring no firewall update. Advanced Threat
Prevention is enabled and configured under the Inline Cloud Analysis tab
located in the anti-spyware security profile.
Palo Alto Networks also offers the Threat Prevention subscription
that does not include the features found in the cloud-based Advanced
Threat Prevention license.
The threat signatures used by the firewall are broadly categorized
into three types: antivirus, anti-spyware, and vulnerability. They are
used by the corresponding security profiles to enforce user-defined
Palo Alto Networks cloud-delivered security services also
generate WildFire and DNS C2 signatures for their respective services,
as well as file-format signatures, which can designate file types
in lieu of threat signatures; for example, as signature exceptions.
Antivirus signatures detect various types of malware
and viruses, including worms, trojans, and spyware downloads.
Anti-Spyware signatures detect C2 spyware on compromised
hosts trying to phone home or beacon out to an external C2
Vulnerability signatures detect attempts to exploit system vulnerabilities.
Signatures have a default severity level with an associated default
action; for example, in the case of a highly malicious threat, the
default action is Reset Both. This setting is based on security recommendations
from Palo Alto Networks.
In deployments where specialized internal applications are present,
or where third-party intelligence feeds supply open-source
Snort and Suricata rules, custom signatures can
be created for purpose-built protection.
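As an added illustration (not Palo Alto Networks code, and not the firewall's own custom-signature format), the Python below pulls the fields a custom signature would need out of a Snort/Suricata-style rule: the content patterns with hex escapes decoded, the sid and msg, and a severity with a default action derived from the classtype, echoing the default-action convention described above. The sample rule, the classtype table and the output field names are all constructed for this example.

```python
import re
# Constructed sample rule (not from any real feed): a Snort/Suricata-style
# alert for an HTTP beacon with a fixed URI and a hex-escaped User-Agent.
SAMPLE_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ('
    'msg:"EXAMPLE C2 beacon to /gate.php"; flow:to_server,established; '
    'content:"GET /gate.php"; content:"User-Agent|3a 20|Mozilla/4.0"; '
    'classtype:trojan-activity; sid:9000001; rev:2;)'
)
# Hypothetical classtype -> (severity, default action) table, following the
# page's point that highly malicious threats default to "reset both".
CLASSTYPE_DEFAULTS = {
    "trojan-activity": ("critical", "reset-both"),
    "web-application-attack": ("medium", "alert"),
}
FALLBACK_DEFAULTS = ("low", "alert")
# Rule header: action proto src sport direction dst dport ( options )
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+"
    r"\s*\((?P<opts>.*)\)\s*$"
)
# One option: key, optional value (quoted values may contain ';'), terminator
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')
HEX_RE = re.compile(r"\|([0-9A-Fa-f\s]+)\|")

def decode_content(value):
    """Turn a quoted content value ('GET /x|0d 0a|') into the bytes it matches."""
    out, pos, text = b"", 0, value.strip('"')
    for m in HEX_RE.finditer(text):
        out += text[pos:m.start()].encode() + bytes.fromhex(m.group(1))
        pos = m.end()
    return out + text[pos:].encode()

def rule_to_signature(rule):
    """Extract the fields a custom threat signature needs from one Snort rule."""
    m = HEADER_RE.match(rule.strip())
    if not m or m.group("action") != "alert":
        raise ValueError("not a Snort/Suricata alert rule")
    sig = {"sid": None, "name": "", "protocol": m.group("proto"), "patterns": []}
    classtype = None
    for key, val in OPTION_RE.findall(m.group("opts")):
        if key == "content":
            sig["patterns"].append(decode_content(val))
        elif key == "msg":
            sig["name"] = val.strip('"')
        elif key == "sid":
            sig["sid"] = int(val)
        elif key == "classtype":
            classtype = val
    sig["severity"], sig["action"] = CLASSTYPE_DEFAULTS.get(classtype, FALLBACK_DEFAULTS)
    return sig
```

A rule with no recognised classtype falls back to the lowest severity and an alert-only action, so nothing is blocked on the strength of an unclassified third-party rule alone.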
Firewalls receive signature updates in the form of two update packages: the daily
Antivirus Content and weekly Application and Threats Content updates.
The antivirus content updates include antivirus signatures and DNS
(C2) signatures used by antivirus and anti-spyware security profiles,
respectively. Content updates for applications and threats include
vulnerability and anti-spyware signatures, used by the vulnerability
and anti-spyware security profiles, respectively. The update packages
also include additional content leveraged by other services and
sub-functions. For more information, refer to Dynamic Content Updates.