Enhanced Coverage for Command and Control (C2) Traffic
Leverage automatically-generated C2 signatures to protect your network from attacks.
Command-and-control (C2) describes when a compromised system is surreptitiously communicating with an attacker’s remote server to receive malicious commands or exfiltrate data. A new type of signature that detects C2 traffic is now generated automatically. While C2 protection is not new, previous signatures looked for an exact match to domain names in DNS queries or full URLs in HTTP client requests to identify a C2 host. The new, automatically-generated C2 signatures detect certain patterns in C2 traffic instead of the C2 host. This enables the firewall to provide more accurate, timely, and robust C2 detection even when the C2 host is unknown or changes rapidly.
To benefit from the enhanced C2 protection, you’ll need a Threat Prevention license—the new, automated C2 signatures are made available with hourly Antivirus updates, and further C2 protection continues to be delivered with the Applications and Threats updates. Additionally, both the Palo Alto Networks Threat Vault and AutoFocus are integrated with the firewall, and you can leverage these resources to immediately access more information about C2 attacks the firewall detects.
- Select Device > Licenses and confirm that the firewall Threat Prevention license is active.
- Select Device > Dynamic Updates and enable the firewall to get the latest Antivirus updates every hour. The extended, automated C2 protection this feature introduces is made available with the latest Antivirus updates; however, Applications and Threats content updates also continue to provide C2 protection. To enable full coverage for C2 attacks, make sure that you also enable the firewall to check for the latest Applications and Threats content every 30 minutes (see New Scheduling Options for Applications and Threat Content Updates).
- Enable the firewall to block C2 activity it detects.
  - Select Objects > Security Profiles > Anti-Spyware and Add or modify an Anti-Spyware profile. The default action for C2 signatures is Alert; this means that when the firewall detects C2 communication, it generates an alert that is saved to the threat log, but the session itself is not blocked. Set up an Anti-Spyware profile to define how you want the firewall to treat C2 attacks that match the new automated C2 signatures and to make sure that the firewall is blocking all C2 attacks.
- Find out more about C2 activity the firewall detects.
  - Monitor C2 activity: Select Monitor > Logs > Threat. Events the firewall detected based on the automatically-generated spyware signatures are logged with the Threat Category autogen and the Type spyware. Add the following filter to show only log entries for these events: (subtype eq spyware) and (category-of-threatid eq autogen).
  - Find out more about a specific C2 event:
    - Select the spyglass icon to view in-depth details for the logged event.
    - (New) Hover over a threat Name and click Exception to learn more about the type of threat detected and to see if the signature that detected the threat is configured as an exception to certain security policy rules.
    - Hover over an IP address, URL, or domain to search for that artifact in AutoFocus—AutoFocus can reveal if the artifact is frequently found with malware, if it is associated with malware variants, and whether the artifact is targeted or pervasive throughout your network, industry, or globally. This feature requires an AutoFocus license.
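The threat-log filter above is something you will usually want to apply outside the firewall UI as well, for example over an exported log feed, and you will also want to catch autogen C2 hits that were only alerted on because the Anti-Spyware profile still has the default action. The Python below is an added example, not Palo Alto Networks code. It implements a small evaluator for the filter syntax the page uses (field eq/neq value, and/or, parentheses) and runs it over constructed sample records; the record layout (plain dicts keyed by the filter field names plus an assumed `action` field) is a simplification and does not reproduce the column order of a real PAN-OS CSV or syslog export.

```python
"""Apply a PAN-OS style threat-log filter to exported log records.

Added example (not Palo Alto Networks code). Record fields below are a
constructed, simplified view of a threat log entry: the keys mirror the
filter fields on the page (subtype, category-of-threatid) plus an assumed
'action' field; they are not the exact layout of a real log export.
"""
import re
from typing import Callable, Dict, List

# Constructed sample records (not real firewall output).
SAMPLE_LOGS: List[Dict[str, str]] = [
    {"subtype": "spyware", "category-of-threatid": "autogen",
     "threatname": "generic-c2-beacon", "action": "alert",
     "src": "10.1.1.20", "dst": "203.0.113.7"},
    {"subtype": "spyware", "category-of-threatid": "autogen",
     "threatname": "generic-c2-dns", "action": "reset-both",
     "src": "10.1.1.21", "dst": "198.51.100.9"},
    {"subtype": "spyware", "category-of-threatid": "dns",
     "threatname": "known-bad-domain", "action": "block",
     "src": "10.1.1.22", "dst": "198.51.100.10"},
    {"subtype": "vulnerability", "category-of-threatid": "code-execution",
     "threatname": "some-exploit", "action": "reset-server",
     "src": "10.1.1.23", "dst": "10.1.2.5"},
]

# Tokens: a parenthesis, or any run of characters that is not whitespace/paren.
TOKEN = re.compile(r"\(|\)|[^\s()]+")


def parse_filter(expr: str) -> Callable[[Dict[str, str]], bool]:
    """Compile a filter such as
    '(subtype eq spyware) and (category-of-threatid eq autogen)'
    into a predicate over one record. Supports eq/neq, and/or, parentheses,
    with 'and' binding tighter than 'or' (a recursive-descent parser)."""
    tokens = TOKEN.findall(expr)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of filter")
        tok = tokens[pos]
        pos += 1
        return tok

    def parse_or():
        left = parse_and()
        while peek() == "or":
            take()
            right = parse_and()
            # Bind the current operands now; a plain closure would see the
            # rebound 'left' on the next loop iteration.
            left = (lambda l, r: lambda rec: l(rec) or r(rec))(left, right)
        return left

    def parse_and():
        left = parse_atom()
        while peek() == "and":
            take()
            right = parse_atom()
            left = (lambda l, r: lambda rec: l(rec) and r(rec))(left, right)
        return left

    def parse_atom():
        if peek() == "(":
            take()
            inner = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses in filter")
            return inner
        field, op, value = take(), take(), take()
        if op == "eq":
            return lambda rec: str(rec.get(field, "")) == value
        if op == "neq":
            return lambda rec: str(rec.get(field, "")) != value
        raise ValueError(f"unsupported operator {op!r}")

    pred = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in filter")
    return pred


# The exact filter the page gives for automatically-generated C2 signatures.
AUTOGEN_C2 = "(subtype eq spyware) and (category-of-threatid eq autogen)"


def autogen_c2_events(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return only the records matching the autogen C2 filter."""
    match = parse_filter(AUTOGEN_C2)
    return [r for r in records if match(r)]


def alerted_only(records: List[Dict[str, str]]) -> List[str]:
    """Threat names of autogen C2 hits the firewall only alerted on (the
    default action), i.e. sessions the Anti-Spyware profile did not block."""
    return [r["threatname"] for r in autogen_c2_events(records)
            if r["action"] == "alert"]


if __name__ == "__main__":
    for rec in autogen_c2_events(SAMPLE_LOGS):
        print(rec["threatname"], rec["src"], "->", rec["dst"], rec["action"])
    print("alert-only autogen C2 hits:", alerted_only(SAMPLE_LOGS))
```

`alerted_only` is the check worth scheduling: an autogen C2 event whose action is still `alert` means the signature fired but the session was allowed, which is exactly the gap the Anti-Spyware profile step is meant to close.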