Post Author: Ben Randall, Senior Technical Consultant – Network Security Specialist
Review of the recent Spark London Cyber Security forum, delivered by Fuel on behalf of Palo Alto Networks
Last week saw the first ever Palo Alto Networks “Spark User Summit”, held in London on the 12th of May. The event organised by Fuel, the Palo Alto Networks user group involved a day of cyber security discussions, product developments, education, (including hands-on learning), problem solving sessions along with the sharing of security expertise and best practices.
The Spark events are designed to be a mini in-country version of “Ignite”, Palo Alto’s large end user conference held annually in Las Vegas, where their latest new product developments are announced and discussed with users in an open forum, I have personally never made it across the pond to attend their Vegas Ignite conference, so was incredibly keen to attend the local London one.
The introduction of Palo Alto Networks new Autofocus tool
The first speaker at the Spark summit was Scott Simkin, Senior Threat Intelligence Manager at Palo Alto Networks. Simkin’s presentation included the introduction of Palo Alto Networks new Autofocus tool. Autofocus is a web-based tool that provides an impressive way to quickly drill into the information provided by Wildfire, as well as from other third party feeds. The notable part of this service is that Autofocus provides access to a centralised threat database that has been collated from the Wildfire data gathered from all subscribers, along with your own. This comprehensive database can be searched in a much more granular fashion, giving you options to filter by your organisation, your industry etc, and it also has the ability to use and search via tagging references.
Simkin’s went on to discuss the ways that we can utilise the existing features better to reduce the attack surface of your network. I’m sure that many of you have already heard of the “Cyber Kill Chain” or “Cyber Attack Lifecycle”, but in short it consists of the following six steps (or variations of them):
5. Command & control
6. Actions on the objective
Items 1-3 are gaining unauthorised access to your network, while 4-6 are unauthorised use of that network.
The first step, reconnaissance, for example – is typically not even about technology – it relates to how much information you allow to leak out to the public domain which can be used against you. Information from company websites, Linked-in, job advertisements etc. can let an attacker know what technologies you use to protect your network and hence make it easier for them to tailor their attack to you.
Step two, delivery, is about how the attacker is going to deliver his exploit to your network. Known threats should already be covered by patching servers (you are up to date with patching, right?), AV and standard threat prevention, so they shouldn’t be a major concern. However, unknown exploits are another matter as they won’t be detected. This is where Palo Alto’s Wildfire comes in as it opens or runs any unknown files in a sandbox environment where their behaviour can be analysed and classified as benign or malware.
Additional steps that we ought to be taking involve looking carefully at what files we allow to come in to the network – is there really a business case for users to download or receive any of the following file types without at least some additional check or alert – .exe, .cpl, .scr, .pif, lnk etc? We can use a simple file blocking profile on the firewall to block these file types or at least put up a continue page in the web browser to prevent silent downloads from an infected website (known as a drive-by download).
Further down the chain, we can look at what happens when an exploit has been successful, after all Wildfire may identify a new piece of malware which has traversed your firewall and block further attempts to get it through, but that first instance has already got in. The newly infected machine is going to attempt to download a further piece of code or obtain instructions from command and control servers. Access to these can be prevented by correctly applying strict anti-spyware and web-filtering profiles – blocking or sinkholing DNS requests to unsafe locations and denying sites using dynamic-dns from inside the network.
Additionally, we really should be looking at what applications we are allowing out from our endpoints to the Internet. Building a policy to permit every allowed application as defined by Palo Alto, especially when so many websites using http and ssl are defined as applications in their own right can be a very daunting process. This process can be simplified using the Palo Alto Networks Migration tool, version 3.0 of which has recently been released.
Simkin went on to explain the techniques that can be used to leverage standard features within the Palo Alto Networks Firewall to mitigate the subsequent stages of the attack – the point being that if we can successfully break any stage of the attack, then the final objective, which is likely the theft of your intellectual property and/or money can be prevented.
Cyber espionage advancement
Following Simkin’s presentation, Juan Gonzalez, Consulting Engineer at Palo Alto Networks went on to give an insightful presentation on a number of recent attacks carried out by the group of cyber mercenaries known as the “Desert Falcons”. The Desert Falcons operate out of the Middle East carrying out widespread large scale cyber espionage; Gonzalez’s presentation illustrated just how diverse and technically advanced their methods have been and the impact that has been caused by their attacks.
Getting hands on with the new Palo Alto Migration Tool v3.0
Albert Estevez, Solutions Architect from Palo Alto Networks ended the session with an excellent hands-on session, demonstrating the use of the recently released Migration Tool v3.0. Delegates worked through the migration of a Cisco ASA rule set to Palo Alto, including dealing with incompatible objects and creating duplicate port-based rules to aid in the migration process. This tool can also be used to migrate your existing Palo Alto port-based configuration to an entirely App-Id layer 7 configuration to the same firewall by analysing the past traffic logs, considerably streamlining the process of properly securing your network without having to manually determine which applications are in use and desirable by going through traffic logs manually.
The overall content of the event was excellent, well delivered and informative with enough diverse content to keep the delegates engaged. The forum provided a great opportunity to meet with other Palo Alto Networks users, discuss the issues encountered and the methods in which we have used to find a solution, it also provided an opportunity to gain awareness of the new features or services available, along with future insight into road maps and development plans.
If you would like any further information on the new features available from Palo Alto Networks, please contact us on