End-of-Life (EoL)

Enhanced Coverage for Command and Control (C2) Traffic

Leverage automatically-generated C2 signatures to protect your network from attacks.
Command-and-control (C2) describes when a compromised system is surreptitiously communicating with an attacker’s remote server to receive malicious commands or exfiltrate data. A new type of signature that detects C2 traffic is now generated automatically. While C2 protection is not new, previous signatures looked for an exact match to domain names in DNS queries or full URLs in HTTP client requests to identify a C2 host. The new, automatically-generated C2 signatures detect certain patterns in C2 traffic instead of the C2 host. This enables the firewall to provide more accurate, timely, and robust C2 detection even when the C2 host is unknown or changes rapidly.
To benefit from the enhanced C2 protection, you’ll need a Threat Prevention license—the new, automated C2 signatures are made available with hourly Antivirus updates, and further C2 protection continues to be delivered with the Applications and Threats updates. Additionally, both the Palo Alto Networks Threat Vault and AutoFocus are integrated with the firewall, and you can leverage these resources to immediately access more information about C2 attacks the firewall detects.
  1. Select Device > Licenses and confirm that the firewall Threat Prevention license is active.
  2. Select Device > Dynamic Updates and enable the firewall to get the latest Antivirus updates every hour.
     The extended, automated C2 protection this feature introduces is made available with the latest Antivirus updates; however, Applications and Threats content updates also continue to provide C2 protection.
     To enable full coverage for C2 attacks, make sure that you also enable the firewall to check for the latest Applications and Threats content every 30 minutes (see New Scheduling Options for Applications and Threat Content Updates).
  3. Enable the firewall to block C2 activity it detects.
    1. Select Objects > Security Profiles > Anti-Spyware and Add or modify an Anti-Spyware profile.
       The default action for C2 signatures is Alert; this means that when the firewall detects C2 communication, it generates an alert that is saved to the threat log.
       Set up an Anti-Spyware profile to define how you want the firewall to treat C2 attacks that match the new automated C2 signatures and to make sure that the firewall is blocking all C2 attacks.
      1. Select Policies > Security and Add or modify a security policy rule.
      2. Select Actions and, in the Profile Settings, set the Profile Type to Profiles.
      3. Select the Anti-Spyware profile you want to apply to traffic matched to this rule.
      4. Click OK.
  4. Find out more about C2 activity the firewall detects.
    • Monitor C2 activity: Select Monitor > Logs > Threat. Events the firewall detected based on the automatically-generated spyware signatures are logged with the Threat Category autogen and the Type spyware. Add the following filter to show only log entries for these events:
      (subtype eq spyware) and (category-of-threatid eq autogen)
    • Find out more about a specific C2 event:
      • Select the spyglass icon to view in-depth details for the logged event.
      • (New) Hover over a threat Name and click Exception to learn more about the type of threat detected and to see if the signature that detected the threat is configured as an exception to certain security policy rules.
      Learn more about how you can use Globally Unique Threat IDs to gain context for a threat signature or create a threat exception.
    • Hover over an IP address, URL, or domain to search for that artifact in AutoFocus—AutoFocus can reveal if the artifact is frequently found with malware, if it is associated with malware variants, and whether the artifact is targeted or pervasive throughout your network, industry, or globally. This feature requires an AutoFocus license.
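The threat-log filter in step 4 and the default Alert action in step 3 are easiest to understand against actual log records. The following is an added example, not Palo Alto Networks code and not firewall output: it implements the subset of the PAN-OS log-filter syntax the procedure uses (parentheses, `and`, `or`, `eq`, `neq`) and applies it to a handful of constructed threat-log records whose field names mirror the filter keys (`subtype`, `category-of-threatid`). The record layout, the `time`/`src`/`dst`/`action` fields and the threat names are assumptions for illustration. The `summarize_actions` helper shows the check a defender actually wants after step 3: whether autogen C2 hits are still only being alerted on, which means the Anti-Spyware profile is still at its default action.

```python
"""Apply a PAN-OS-style threat-log filter to exported log records.

Added example: the records below are constructed, not real firewall output.
"""
import re
from typing import Callable, Dict, List, Tuple

Record = Dict[str, str]
Predicate = Callable[[Record], bool]

# Constructed sample records. Field names follow the filter keys used in the
# procedure (subtype, category-of-threatid); the other fields are assumed.
SAMPLE_THREAT_LOG: List[Record] = [
    {"time": "2024/01/15 10:01:02", "subtype": "spyware",
     "category-of-threatid": "autogen", "threatid": "C2 pattern (constructed)",
     "src": "10.1.1.25", "dst": "203.0.113.9", "action": "alert"},
    {"time": "2024/01/15 10:02:10", "subtype": "spyware",
     "category-of-threatid": "spyware", "threatid": "known C2 domain (constructed)",
     "src": "10.1.1.40", "dst": "198.51.100.7", "action": "reset-both"},
    {"time": "2024/01/15 10:03:33", "subtype": "vulnerability",
     "category-of-threatid": "code-execution", "threatid": "exploit attempt (constructed)",
     "src": "192.0.2.5", "dst": "10.1.1.40", "action": "reset-both"},
    {"time": "2024/01/15 10:04:45", "subtype": "spyware",
     "category-of-threatid": "autogen", "threatid": "C2 pattern (constructed)",
     "src": "10.1.1.25", "dst": "203.0.113.9", "action": "reset-both"},
]

# The filter from the procedure: autogen-category spyware events only.
AUTOGEN_C2_FILTER = "(subtype eq spyware) and (category-of-threatid eq autogen)"

# Tokens: parentheses, single-quoted values, or bare words (field names may
# contain hyphens, e.g. category-of-threatid).
_TOKEN = re.compile(r"\(|\)|'[^']*'|[^\s()]+")


def _both(left: Predicate, right: Predicate) -> Predicate:
    return lambda rec: left(rec) and right(rec)


def _either(left: Predicate, right: Predicate) -> Predicate:
    return lambda rec: left(rec) or right(rec)


def _parse(tokens: List[str], pos: int = 0) -> Tuple[Predicate, int]:
    """Recursive-descent parser; 'and' binds tighter than 'or'.
    Returns (predicate, index of the first token not consumed)."""

    def atom(i: int) -> Tuple[Predicate, int]:
        if tokens[i] == "(":
            pred, i = or_expr(i + 1)
            if i >= len(tokens) or tokens[i] != ")":
                raise ValueError("missing ')' in filter")
            return pred, i + 1
        if i + 2 >= len(tokens):
            raise ValueError("incomplete comparison in filter")
        field, op, value = tokens[i], tokens[i + 1], tokens[i + 2].strip("'")
        if op == "eq":
            return (lambda rec: rec.get(field) == value), i + 3
        if op == "neq":
            return (lambda rec: rec.get(field) != value), i + 3
        raise ValueError(f"unsupported operator {op!r}")

    def and_expr(i: int) -> Tuple[Predicate, int]:
        pred, i = atom(i)
        while i < len(tokens) and tokens[i] == "and":
            rhs, i = atom(i + 1)
            pred = _both(pred, rhs)
        return pred, i

    def or_expr(i: int) -> Tuple[Predicate, int]:
        pred, i = and_expr(i)
        while i < len(tokens) and tokens[i] == "or":
            rhs, i = and_expr(i + 1)
            pred = _either(pred, rhs)
        return pred, i

    return or_expr(pos)


def compile_filter(query: str) -> Predicate:
    """Turn a filter string into a predicate over one log record."""
    tokens = _TOKEN.findall(query)
    pred, end = _parse(tokens)
    if end != len(tokens):
        raise ValueError(f"unexpected token {tokens[end]!r}")
    return pred


def filter_threat_log(records: List[Record], query: str) -> List[Record]:
    """Return the records matching a PAN-OS-style filter expression."""
    pred = compile_filter(query)
    return [rec for rec in records if pred(rec)]


def summarize_actions(records: List[Record], query: str = AUTOGEN_C2_FILTER) -> Dict[str, int]:
    """Count the firewall action per matching event. Any 'alert' entries mean
    the Anti-Spyware profile for that traffic is still at the default action."""
    counts: Dict[str, int] = {}
    for rec in filter_threat_log(records, query):
        counts[rec["action"]] = counts.get(rec["action"], 0) + 1
    return counts


if __name__ == "__main__":
    for rec in filter_threat_log(SAMPLE_THREAT_LOG, AUTOGEN_C2_FILTER):
        print(rec["time"], rec["src"], "->", rec["dst"], rec["threatid"], rec["action"])
    print(summarize_actions(SAMPLE_THREAT_LOG))
```

Run against the constructed records, the procedure's filter returns the two autogen spyware events, and `summarize_actions` reports one of them as `alert`, the signal that a rule carrying the default profile still needs the step 3 change. The same `filter_threat_log` call accepts any filter built from the supported operators, so a CSV export of the real Threat log can be loaded into the same dict shape and queried with the same expressions you would type into the Monitor > Logs > Threat filter bar.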
