Advanced Threat Prevention Detection Services
Palo Alto Networks intrusion prevention subscriptions work together as one solution
that intercepts and breaks the attack chain at several stages and gives you the
visibility needed to prevent compromise of your network infrastructure.
Advanced Threat Prevention is an intrusion prevention system (IPS) that detects and
blocks malware, vulnerability exploits, and command-and-control (C2) traffic across
all ports and protocols, using a multi-layered prevention system with components
operating on the firewall and in the cloud. The Threat Prevention cloud runs a range
of detection services over the combined threat data from Palo Alto Networks services
to create signatures. Each signature describes a specific, identifiable pattern, and
the firewall uses these signatures to enforce security policy when it detects a
matching threat or malicious behavior. Signatures are categorized by threat type and
assigned unique identifier numbers (ThreatIDs). To detect the threats these
signatures describe, the firewall runs analysis engines that inspect network traffic
and classify traffic that exhibits anomalous traits.
In addition to signature-based detection, Advanced Threat Prevention provides an
inline detection system to prevent unknown and evasive C2 threats. These include the
following:
C2 threats built with the Empire framework and the open source Sliver C2 framework
General command injection and SQL injection vulnerabilities
DNS relay threats (also known as data exfiltration via HTTP request headers)
The Advanced Threat Prevention cloud operates extensible deep learning models that
enable inline analysis on the firewall, on a per-request basis, to keep zero-day
threats out of the network and to distribute protections. This lets you prevent
unknown threats using real-time traffic inspection with inline detectors. These deep
learning, ML-based detection engines in the Advanced Threat Prevention cloud analyze
traffic for unknown C2 and for SQL injection and command injection attempts,
protecting against zero-day threats. To provide threat context and comprehensive
detection details, the service generates reports that can include the tools and
techniques the attacker used, the scope and impact of the detection, and the
corresponding classification of the attack as defined by the MITRE ATT&CK®
framework.
MITRE ATT&CK® is a curated knowledge base and model for
cyber adversary behavior. This work is reproduced and distributed with the
permission of The MITRE Corporation. The MITRE Corporation (MITRE) hereby grants you
a non-exclusive, royalty-free license to use ATT&CK® for research, development,
and commercial purposes. Any copy you make for such purposes is authorized provided
that you reproduce MITRE’s copyright designation and this license in any such
copy.
Because the detection engines run in the cloud, you have access to a wide array of
detection mechanisms that are updated and deployed automatically, without downloading
content packages or running process-intensive analyzers on the firewall. The
cloud-based detection logic is continuously monitored and updated using C2 traffic
datasets from WildFire, with Palo Alto Networks threat researchers providing human
review for high-accuracy detection enhancements. Advanced Threat Prevention's deep
learning engines analyze C2-based threats over HTTP, HTTP/2, SSL, unknown-UDP, and
unknown-TCP applications. New analysis models are delivered through content updates;
enhancements to existing models are made as cloud-side updates that require no
firewall update.
Advanced Threat Prevention also supports Local Deep Learning, which performs fast,
on-firewall deep learning analysis of zero-day and other evasive threats as a
complement to the cloud-based Inline Cloud Analysis component of Advanced Threat
Prevention. Known malicious traffic that matches the Palo Alto Networks published
signature set is dropped (or has another user-defined action applied); traffic that
matches the criteria for suspicious content is instead routed to the Deep Learning
Analysis detection module on the firewall. If further analysis is needed, the
traffic is sent to the Advanced Threat Prevention cloud for additional analysis and
the requisite false-positive and false-negative checks. The local Deep Learning
detection module is based on the proven detection modules operating in the Advanced
Threat Prevention cloud and has the same zero-day and advanced threat detection
capabilities, with the added advantage of processing a much higher volume of traffic
without the latency of cloud queries. You can therefore inspect more traffic and
receive verdicts faster, which is especially beneficial under challenging network
conditions.
Palo Alto Networks also offers the Threat Prevention subscription, which does not
include the cloud-based features of the Advanced Threat Prevention license.
The threat signatures used by the firewall fall into three broad categories:
antivirus, anti-spyware, and vulnerability. Each category is used by the
corresponding security profile (Antivirus, Anti-Spyware, and Vulnerability
Protection) to enforce user-defined policies.
Palo Alto Networks cloud-delivered security services also generate WildFire and DNS
C2 signatures for their respective services, as well as file-format signatures,
which identify file types rather than threats and can be used, for example, as
signature exceptions.
Antivirus signatures detect malware, including worms, trojans, and spyware
downloads.
Anti-Spyware signatures detect spyware on compromised hosts attempting to phone
home or beacon to an external C2 server.
Vulnerability signatures detect attempts to exploit system vulnerabilities.
Each signature has a default severity level with an associated default action; for
example, for a highly malicious threat the default action is Reset Both, which sends
a TCP reset to both the client and the server. These defaults are based on security
recommendations from Palo Alto Networks.
In deployments with specialized internal applications, or where third-party
intelligence feeds supply open-source Snort and Suricata rules, you can create
custom signatures for purpose-built protection. When a Panorama management server
manages the firewall, the ThreatID is mapped to the corresponding custom threat on
the firewall, so the firewall generates a threat log populated with the configured
custom ThreatID. Learn more by visiting our guide to Custom Application and Threat
Signatures.
Firewalls receive signature updates in two update packages: the daily Antivirus
Content update and the weekly Applications and Threats Content update. The Antivirus
content update includes antivirus signatures and DNS (C2) signatures, used by the
Antivirus and Anti-Spyware security profiles respectively. The Applications and
Threats content update includes vulnerability and anti-spyware signatures, used by
the Vulnerability Protection and Anti-Spyware security profiles respectively. Both
packages also include additional content used by other services and sub-functions.
For more information, refer to Dynamic Content Updates.
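One way to work the Snort/Suricata rules mentioned above into custom signatures is to parse each rule, check that every option it relies on can be expressed in a custom signature, and only then assign the ThreatID, severity and default action. The Python below is an added example, not Palo Alto Networks code and not the IPS Signature Converter: the option whitelist, the custom ThreatID ranges (41000-45000 for vulnerability, 15000-18000 for spyware) and the severity and action names are assumptions written from memory that you should verify against the custom signature editor in your PAN-OS release, and the two rules it parses are constructed for illustration.

```python
"""Parse Snort/Suricata rules into the pieces needed for a custom threat signature.

Added example, not Palo Alto Networks code. The option whitelist and the custom
ThreatID ranges are assumptions for illustration; verify them for your release.
"""
import re
from dataclasses import dataclass

# Rule header: action proto src sport direction dst dport ( options )
HEADER_RE = re.compile(
    r"^(?P<action>alert|drop|reject|pass)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)

# Assumption: the subset of rule options this example knows how to carry over.
# Stateful options such as flowbits/threshold have no custom-signature equivalent here.
SUPPORTED = {"msg", "sid", "rev", "reference", "classtype", "priority", "metadata",
             "flow", "content", "nocase", "depth", "offset", "distance", "within",
             "pcre", "http_uri", "http_header", "http_method", "http_client_body"}
# Assumption: custom ThreatID ranges (vulnerability 41000-45000, spyware 15000-18000).
ID_RANGES = {"vulnerability": range(41000, 45001), "spyware": range(15000, 18001)}
SEVERITIES = {"informational", "low", "medium", "high", "critical"}
ACTIONS = {"default", "allow", "alert", "drop", "reset-client", "reset-server",
           "reset-both", "block-ip"}


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: list  # ordered (keyword, value-or-None) pairs, as written in the rule

    def values(self, key):
        return [v for k, v in self.options if k == key]

    @property
    def sid(self):
        v = self.values("sid")
        return int(v[0]) if v else None

    @property
    def msg(self):
        v = self.values("msg")
        return v[0].strip('"') if v else ""


def split_options(body):
    """Split the option body on ';', honouring double quotes and backslash escapes."""
    items, buf, quoted, i = [], [], False, 0
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body):  # keep escapes such as \; or \/ intact
            buf.append(body[i:i + 2])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        if c == ";" and not quoted:
            item = "".join(buf).strip()
            if item:
                items.append(item)
            buf = []
        else:
            buf.append(c)
        i += 1
    tail = "".join(buf).strip()
    if tail:
        items.append(tail)
    # "key:value" options keep their value; bare modifiers (nocase, http_uri) get None.
    return [tuple(s.strip() for s in it.split(":", 1)) if ":" in it else (it, None)
            for it in items]


def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort/Suricata rule: %r" % text[:60])
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dir"],
                m["dst"], m["dport"], split_options(m["opts"]))


def unsupported_options(rule):
    """Option keywords this example cannot carry into a custom signature."""
    return sorted({k for k, _ in rule.options if k not in SUPPORTED})


def signature_direction(rule):
    """Derive client2server / server2client / both from the rule's flow option."""
    flow = ",".join(rule.values("flow"))
    if "to_server" in flow or "from_client" in flow:
        return "client2server"
    if "to_client" in flow or "from_server" in flow:
        return "server2client"
    return "both"


def build_custom_threat(rule, threat_id, kind="vulnerability", severity="medium", action="alert"):
    """Return a dict describing the custom threat to create on the firewall or in Panorama."""
    if threat_id not in ID_RANGES[kind]:
        raise ValueError(f"ThreatID {threat_id} is outside the custom {kind} range")
    if severity not in SEVERITIES or action not in ACTIONS:
        raise ValueError("unknown severity or action")
    bad = unsupported_options(rule)
    if bad:
        raise ValueError("rule uses options this example cannot map: " + ", ".join(bad))
    contents = rule.values("content")
    rev = rule.values("rev")
    return {
        "id": threat_id,
        "kind": kind,
        "name": rule.msg,
        "severity": severity,
        "default_action": action,
        "direction": signature_direction(rule),
        # Positive content matches become literal patterns; negated ones are kept apart.
        "patterns": [v.strip('"') for v in contents if not v.startswith("!")],
        "negated_patterns": [v[1:].strip('"') for v in contents if v.startswith("!")],
        "pcre": [v.strip('"') for v in rule.values("pcre")],
        "comment": f"converted from sid:{rule.sid} rev:{rev[0] if rev else '?'}",
    }


# Constructed sample rules for illustration; they are not real threat intelligence.
SAMPLE_RULES = [
    r'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE beacon URI pattern"; '
    r'flow:established,to_server; http_uri; content:"/api/v1/"; nocase; '
    r'pcre:"/\/api\/v1\/[a-z]{8}\.php$/i"; content:!"Mozilla"; http_header; '
    r'classtype:trojan-activity; sid:9000001; rev:2;)',
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"EXAMPLE uses stateful options"; '
    r'flow:established; flowbits:set,ex.beacon; threshold:type limit, track by_src, count 1, seconds 60; '
    r'content:"|00 01 02 03|"; sid:9000002; rev:1;)',
]

if __name__ == "__main__":
    for text in SAMPLE_RULES:
        rule = parse_rule(text)
        bad = unsupported_options(rule)
        if bad:
            print(f"sid {rule.sid}: not convertible, unsupported options: {bad}")
        else:
            print(build_custom_threat(rule, 41001, severity="high", action="reset-both"))
```

The second sample rule is rejected rather than silently converted: a rule whose detection depends on cross-packet state (flowbits) or rate limiting (threshold) would become a different, noisier signature if only its content matches were carried over, so the check fails closed and tells you which options to rework.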