Advanced Threat Prevention Detection Services
Where Can I Use
This? | What Do I Need? |
Prisma Access (Managed by Strata Cloud Manager) Prisma Access (Managed by Panorama) NGFW (Managed by Strata Cloud Manager) NGFW (Managed by PAN-OS or Panorama) VM-Series CN-Series
| |
Advanced Threat Prevention is an intrusion prevention
system (IPS) solution that can detect and block malware, vulnerability
exploits, and command-and-control (C2) across all ports and protocols,
using a multi-layered prevention system with components operating
on the firewall and in the cloud. The Threat Prevention cloud operates
a multitude of detection services using the combined threat data
from Palo Alto Networks services to create signatures, each possessing
specific identifiable patterns, and are used by the firewall to
enforce security policies when matching threats and malicious behaviors
are detected. These signatures are categorized based on the threat
type and are assigned unique identifier numbers. To detect threats
that correspond with these signatures, the firewall operates analysis
engines that inspect and classify network traffic exhibiting anomalous
traits.
In addition to the signature-based detection mechanism, Advanced Threat Prevention provides an
inline detection system to prevent unknown and evasive C2 threats, including those
produced through the Empire framework, as well as command injection and SQL injection
vulnerabilities. The Advanced Threat Prevention cloud operates extensible deep learning
models that enable inline analysis capabilities on the firewall, on a per-request basis
to prevent zero-day threats from entering the network as well as to distribute
protections. This allows you to prevent unknown threats using real-time traffic
inspection with inline detectors. These deep learning, ML-based detection engines in the
Advanced Threat Prevention cloud analyze traffic for unknown C2 and vulnerabilities
which utilize SQL injection and command injection to protect against zero-day threats.
To provide a threat context and comprehensive detection details, reports are generated
that can include the tools/techniques used by the attacker, the scope and impact of the
detection, as well as the corresponding cyberattack classification as defined by the
MITRE ATT&CK® framework.
MITRE ATT&CK® is a curated knowledge base and model for
cyber adversary behavior. This work is reproduced and distributed
with the permission of The MITRE Corporation. The MITRE Corporation
(MITRE) hereby grants you a non-exclusive, royalty-free license
to use ATT&CK® for research, development, and commercial purposes.
Any copy you make for such purposes is authorized provided that
you reproduce MITRE’s copyright designation and this license in
any such copy.
By operating cloud-based detection engines, you can access a wide array of detection mechanisms
that are updated and deployed automatically without requiring the user to download
content packages or operate process intensive, firewall-based analyzers which consume
resources. The cloud-based detection engine logic is continuously monitored and updated
using C2 traffic datasets from WildFire, with additional support from Palo Alto Networks
threat researchers who provide human intervention for highly accurized detection
enhancements. Advanced Threat Prevention’s deep learning engines support analysis of
C2-based threats over HTTP, HTTP2, SSL, unknown-UDP, and unknown-TCP applications.
Additional analysis models are delivered through content updates, however, enhancements
to existing models are performed as a cloud-side update, requiring no firewall
update.
Advanced Threat Prevention also supports Local Deep Learning, which provides a mechanism
to perform fast, local deep learning-based analysis of zero-day and other evasive
threats, as a complementary feature to the cloud-based Inline Cloud Analysis component
of Advanced Threat Prevention. Known malicious traffic that matches against Palo Alto
Networks published signature set are dropped (or have another user-defined action
applied to them); however, certain traffic that matches the criteria for suspicious
content are rerouted for analysis using the Deep Leaning Analysis detection module. If
further analysis is necessary, the traffic is sent to the Advanced Threat Prevention
cloud for additional analysis, as well as the requisite false-positive and
false-negative checks. The Deep Learning detection module is based on the proven
detection modules operating in the Advanced Threat Prevention cloud, and as such, have
the same zero-day and advanced threat detection capabilities. However, they also have
the added advantage of processing a much higher volume of traffic, without the lag
associated with cloud queries. This enables you to inspect more traffic and receive
verdicts in a shorter span of time. This is especially beneficial when faced with
challenging network conditions.
Palo Alto Networks also offers the Threat Prevention subscription
that does not include the features found in the cloud-based Advanced
Threat Prevention license.
The threat signatures used by the firewall are broadly categorized
into three types: antivirus, anti-spyware, vulnerability and are
used by the corresponding security profiles to enforce user-defined
policies.
Palo Alto Networks cloud-delivered security services also
generate WildFire and DNS C2 signatures for their respective services,
as well as file-format signatures, which can designate file types
in lieu of threat signatures; for example, as signature exceptions.
Antivirus signatures detect various types of malware
and viruses, including worms, trojans, and spyware downloads.
Anti-Spyware signatures detect C2 spyware on compromised
hosts from trying to phone-home or beacon out to an external C2
server.
Vulnerability signatures detect exploit system vulnerabilities.
Signatures have a default severity level with an associated default
action; for example, in the case of a highly malicious threat, the
default action is Reset Both. This setting is based on security recommendations
from Palo Alto Networks.
In deployments where specialized internal applications are present
or in cases where third-party intelligence feeds using open-source
Snort and Suricata rules,
custom signatures can
be created for purpose-built protection.
Firewalls receive signature updates in the form of two
update packages: the daily
Antivirus Content and weekly Application and Threats Content updates.
The antivirus content updates include antivirus signatures and DNS
(C2) signatures used by antivirus and anti-spyware security profiles,
respectively. Content updates for applications and threats include
vulnerability and anti-spyware signatures, used by the vulnerability
and anti-spyware security profiles, respectively. The update packages
also include additional content leveraged by other services and
sub-functions. For more information, refer to
Dynamic Content Updates.