Advanced Threat Prevention Powered by Precision AI®
Advanced Threat Prevention Detection Services
Palo Alto Networks threat subscriptions defend against commodity and advanced persistent
threats (APTs) using multi-pronged detection to secure the entire network
landscape.
About Advanced Threat Prevention
The Palo Alto Networks® next-generation firewall threat intrusion prevention
subscriptions protect and defend your network from commodity threats and advanced
persistent threats (APTs) using multi-pronged detection mechanisms that cover the
entire threat landscape. The Palo Alto Networks threat prevention solution
comprises the following subscriptions:
- Advanced Threat Prevention—The Advanced Threat Prevention cloud service uses inline deep learning and machine learning models for real-time detection of evasive, never-before-seen, unknown C2 threats and zero-day vulnerability exploits. As an ultra-low-latency native cloud service, this extensible and infinitely scalable solution is always kept up to date with model training improvements. It also supports Local Deep Learning, which complements the cloud-based Inline Cloud Analysis component of Advanced Threat Prevention by providing a mechanism to perform fast, local deep learning-based analysis of zero-day and other evasive threats. The Advanced Threat Prevention license includes all of the benefits included with Threat Prevention.
- Threat Prevention—The base Threat Prevention subscription is based on signatures generated from malicious traffic data collected from various Palo Alto Networks services. These signatures are used by the firewall to enforce security policies based on specific threats, including command-and-control (C2), various types of known malware, and vulnerability exploits. Combined with the App-ID and User-ID identification technologies on the firewall, you can cross-reference context data to produce fine-grained policies. As a part of your threat mitigation policies, you can also identify and block known or risky file types and IP addresses, for which several premade categories are available, including lists specifying bulletproof service providers and known malicious IPs. In cases where specialized tools and software are used, you can create your own vulnerability signatures to customize your intrusion prevention capabilities to your network’s unique requirements.
To maximize your threat prevention, Palo Alto Networks also recommends the following
subscription services in addition to Advanced Threat Prevention:
- Advanced DNS Security—The DNS Security cloud service is designed to protect your organization from advanced DNS-based threats. By applying advanced machine learning and predictive analytics to a diverse range of threat intelligence sources, DNS Security generates an enhanced DNS signature set and provides real-time analysis of DNS requests to defend your network against newly generated malicious domains. DNS Security can detect various C2 threats, including DNS tunneling, DNS rebinding attacks, domains created using auto-generation, malware hosts, and many more. DNS Security requires and works with your Advanced Threat Prevention or Threat Prevention subscription for complete DNS threat coverage.
Advanced Threat Prevention Detection Services
Palo Alto Networks intrusion prevention subscriptions work together to provide a
comprehensive solution that intercepts and breaks the chain at various stages of the
attack process and provides visibility to prevent security infringement on your
network infrastructure.
Advanced Threat Prevention is an intrusion prevention system (IPS)
solution that can detect and block malware, vulnerability exploits, and
command-and-control (C2) across all ports and protocols, using a multi-layered
prevention system with components operating on the firewall and in the cloud. The
Threat Prevention cloud operates a multitude of detection services that use the
combined threat data from Palo Alto Networks services to create signatures. Each
signature possesses specific identifiable patterns and is used by the firewall to
enforce security policies when matching threats and malicious behaviors are
detected. These signatures are categorized based on the threat type and are
assigned unique identifier numbers. To detect threats that correspond with these
signatures, the firewall operates analysis engines that inspect and classify
network traffic exhibiting anomalous traits.
In addition to the signature-based detection mechanism, Advanced Threat Prevention
provides an inline detection system to prevent unknown and evasive C2 threats. These
include the following:
- C2 threats developed using the Empire framework and open source Sliver C2 frameworks
- General command injection and SQL injection vulnerabilities
- DNS relay threats (also known as data exfiltration via HTTP request headers)
MITRE ATT&CK® is a curated knowledge base and model for
cyber adversary behavior. This work is reproduced and distributed with the
permission of The MITRE Corporation. The MITRE Corporation (MITRE) hereby grants you
a non-exclusive, royalty-free license to use ATT&CK® for research, development,
and commercial purposes. Any copy you make for such purposes is authorized provided
that you reproduce MITRE’s copyright designation and this license in any such
copy.
Because the detection engines operate in the cloud, you can access a wide array of
detection mechanisms that are updated and deployed automatically, without requiring
the user to download content packages or to operate process-intensive,
resource-consuming analyzers on the firewall. The cloud-based detection engine
logic is continuously monitored and updated using C2 traffic datasets from
WildFire, with additional support from Palo Alto Networks threat researchers who
provide human intervention for highly accurate detection enhancements. Advanced
Threat Prevention’s deep learning engines support analysis of C2-based threats over
HTTP, HTTP2, SSL, unknown-UDP, and unknown-TCP applications. Additional analysis
models are delivered through content updates; enhancements to existing models,
however, are performed as a cloud-side update that requires no firewall update.
Advanced Threat Prevention also supports Local Deep Learning, which provides a
mechanism to perform fast, local deep learning-based analysis of zero-day and other
evasive threats, as a complementary feature to the cloud-based Inline Cloud Analysis
component of Advanced Threat Prevention. Known malicious traffic that matches the
Palo Alto Networks published signature set is dropped (or has another user-defined
action applied to it); however, traffic that matches the criteria for suspicious
content is rerouted for analysis using the Deep Learning Analysis detection module.
If further analysis is necessary, the traffic is sent to the Advanced Threat
Prevention cloud for additional analysis, as well as the requisite false-positive
and false-negative checks. The Deep Learning detection module is based on the proven
detection modules operating in the Advanced Threat Prevention cloud and, as such,
has the same zero-day and advanced threat detection capabilities. It also has the
added advantage of processing a much higher volume of traffic without the lag
associated with cloud queries. This enables you to inspect more traffic and receive
verdicts in a shorter span of time, which is especially beneficial when faced with
challenging network conditions.
Palo Alto Networks also offers the Threat Prevention subscription, which does not
include the features found in the cloud-based Advanced Threat Prevention license.
The threat signatures used by the firewall are broadly categorized into three types:
antivirus, anti-spyware, and vulnerability. Each type is used by the corresponding
security profile to enforce user-defined policies.
Palo Alto Networks cloud-delivered security services also generate WildFire and
DNS C2 signatures for their respective services, as well as file-format
signatures, which can designate file types in lieu of threat signatures; for
example, as signature exceptions.
- Antivirus signatures detect various types of malware and viruses, including worms, trojans, and spyware downloads.
- Anti-Spyware signatures detect C2 spyware on compromised hosts that attempts to phone home or beacon out to an external C2 server.
- Vulnerability signatures detect attempts to exploit system vulnerabilities.
Signatures have a default severity level with an associated default action; for
example, in the case of a highly malicious threat, the default action is Reset Both.
This setting is based on security recommendations from Palo Alto Networks.
In deployments where specialized internal applications or third-party intelligence
feeds using open-source Snort and Suricata rules are used, custom signatures can be
created for purpose-built protection. When the firewall is managed by a Panorama
management server, the ThreatID is mapped to the corresponding custom threat on the
firewall, enabling the firewall to generate a threat log populated with the
configured custom ThreatID. Learn more by visiting our guide to Custom Application
and Threat Signatures.
Firewalls receive signature updates in the form of two update packages: the daily
Antivirus Content update and the weekly Applications and Threats Content update. The
antivirus content updates include antivirus signatures and DNS (C2) signatures, used
by the antivirus and anti-spyware security profiles, respectively. Content updates
for applications and threats include vulnerability and anti-spyware signatures, used
by the vulnerability and anti-spyware security profiles, respectively. The update
packages also include additional content leveraged by other services and
sub-functions. For more information, refer to Dynamic Content Updates.