Auto-Tagging to Automate Security Actions (Episode 32) Learning Happy Hour UPDATED!

Captions
All right, welcome back to the Learning Happy Hour. My name is Luke Teeters, I'm a systems engineer for Palo Alto Networks covering major accounts.

And I am Patrick Brandley, I am a security training engineer covering our partners.

Awesome. So today we're going to come at you with a use case using our built-in tags in PAN-OS. I'm going to come with one use case, Patrick is going to have a second use case, with two different results. So I'm actually running PAN-OS 10.0, we just recently released that to the wild, and Patrick is actually running PAN-OS 9.1. A little bit about my use case: I'm going to be leveraging the built-in actions in PAN-OS to tag a destination that fails to be decrypted. So Patrick, what's your use case going to be?

So I'm going to leverage the built-in action to quarantine potentially infected hosts.

Awesome. So this is something that is built into PAN-OS that anyone can leverage. Basically we're just looking at the logs, we create a filter, and we match on the filter and say: if we see this, let's go ahead and take a built-in action, let's go ahead and tag the destination or the source IP. We can do a duration: do we want to tag forever, do we want to tag it for an hour? So basically let your creative mind wander; anything that you see in the logs, we can go ahead and tag on.

So I'm going to go ahead and share my lab firewall here. This is PAN-OS 10.0, and I went ahead and installed it on my PA-220 here in my home lab. To start off this use case, I'm going to navigate to the Objects tab and go to Tags. As you can see, I have a tag called decrypt-err. I'm going to open it up, and as you can see I added the red-orange color and I just put "SSL forward proxy error" under comments, but notice it is decrypt-err. Awesome. So let's go ahead and go to Address Groups and take a look at this dynamic address group that I created called decryption-bypass; as you can see, I'm looking for the decrypt-err tag.

All right, so now I'm going to navigate to the log forwarding of my firewall here, and as you can see I have a log forwarding profile created. Let's take a look: I went ahead and created an entry here called decrypt-bypass. Let's open it up. As you can see, I'm actually looking at the traffic log type, and I built a filter. This filter says: if session end reason equals decrypt-unsupport-param, or session end reason equals decrypt-error, or session end reason equals decrypt-cert-validation. So if any of these match... And actually I can do this little drop-down in my filter builder here and look at the live logs on this firewall. Okay, it's going to go ahead and do the search, and as you can see I have some matches. So this is good, my filter looks good.

This is where the magic happens: built-in actions. So right here I went ahead and created decrypt-bypass, and if we hop in there, remember I mentioned my use case is to tag the destination address. So imagine a workstation tries to hit something on the internet, I'm decrypting all my traffic, and for some reason one of those session end reasons occurs, right, decrypt error. Well, I would like to add a tag to the destination address of decrypt-err, and as I already showed you, decrypt-err is in a dynamic address group; more on that in a moment. Okay, so the timeout I have set for 15 minutes, but you can actually set this to zero for infinite, you can set this for 60 minutes, you could set this for whatever duration you would like, and go ahead and click OK.

The other nice thing here is we also have other actions we could take. So yeah, tagging the destination and bypassing it is great, but you'd have to go look at that often to see what's being bypassed from decryption. What you could also do is add an HTTP GET to an integrated server to open a ticket, you could send yourself an email that this happened, you could do an SNMP trap, so you have other actions to basically notify yourself that this actually occurred. Basically what Patrick and I are showing you here is: something happened, it's identified in the logs, and we're going to take an action to either exclude it from decryption or go ahead and prevent it from hitting the internet.

All right, so this looks good. So basically the configuration up to this point is: we've created a tag and a dynamic address group, and we went ahead and added a filter in a log forwarding profile, and we leverage that tag for the built-in action. So now the other thing we need to do is go to Policies. I'm going to navigate to Decryption policy, and I will show you what I have configured. The first rule here, no-decrypt, is basically saying inside to outside, if it's financial services, government, health care, military and shopping, let's go ahead and do a no-decrypt. I don't want to decrypt any of these URL categories.

And that's the PCI, all the ones we're not supposed to be looking at, right?

So yeah, exactly, and actually this is part of our best practice guide. This second decryption policy is decrypt-bypass, and as you can see it's also set to the no-decrypt action, but look what I'm referencing: decryption-bypass. This is that DAG, right, dynamic address group, otherwise known as DAG. Below that is the actual decrypt rule, so decrypt the lab, and actually I have decrypt home, but I'm just referencing one of my devices here on the network, my iPad. Okay, so basically I'm saying again: if I'm on the inside going to the outside and I'm going to one of these destination addresses I tagged, let's go ahead and exclude it from decryption.

Okay, so what I'm going to do is navigate back to Objects, navigate back to Address Groups, and I'm going to show you Addresses: there are no members right now of this dynamic address group. So on the side here I'm actually going to visit a site that has a broken... it's basically going to trigger a decryption error, so I'm going to go ahead and go there now. Awesome. So let's navigate to Addresses here, "more", and as you can see I tried to visit a site and it was tagged; it's now excluded, it's a registered IP. I think I had it set for 15 minutes, but as of right now this address will not be decrypted. So any of my users trying to go to this resource, it's actually not going to be decrypted, and the reason why is, as you saw in my filter, something happened for session end reason; it was probably decrypt error or something like that.

Right, one of the factors you put in there, because there were multiple.

So yeah. So that's really it. I mean, this use case I've seen large companies leverage. The reason why is getting to full decryption is hard, right? You can't just turn on decryption and have everyone be happy. When you turn it on, it's going to be a phased approach, and even if you start decrypting specific user groups or specific subnets, you're going to run into problems eventually based on certificate pinning, based on different things.

Yeah, if you've ever had to build that, you know the pain. Things are going to break and you have to kind of sift through it, so this would be very helpful in giving you exactly which ones are having the problem, which destinations. So I think it would be very helpful.

Exactly. So I'm going to stop sharing, and we're going to have Patrick share his lab, and he's going to walk us through his use case.

Okay, so before I go to the firewall, I just want to review the sinkhole operation. So let's say you have an infected host on your network. We can see over there on the left side infected host A. Now infected host A wants to talk to the command and control host that's on the top right, dfb.7rz.ru, which sounds sketchy, right? So what infected host A is going to do is send a query to determine what the IP address is of this particular domain. Now the reason for this would be that this name could change IP addresses to avoid being part of a list of known malicious IP addresses, so it has to rely on DNS. So it's going to send this query to the local DNS server. Well, the local DNS server doesn't know what dfb.7rz.ru is, so it's going to send its query out to the remote DNS server, which we can see is right there below the C2 host name. So it sends its query. Well, the firewall is going to see that it's trying to query a malicious domain; the firewall has a record of malicious DNS signatures. So when it detects this, rather than send it out to that remote DNS server, we can give it a sinkhole address, which could be anything, and it's represented here by 1.2.3.4, but it really is whatever we want it to be. So what the firewall does in effect is become a proxy for DNS, and it sends the sinkhole address. In this case it can also block, it can do other things, but in the case of sinkhole it's going to send an address back, which will then inform the local DNS server that the address is actually what the firewall tells it it is, so that the infected host receives the wrong IP address and cannot contact the host it's trying to contact.

So for my use case, I'm not trying to determine destinations; I want to quarantine the source. So I want to take the potentially infected hosts on my network and put them in a group and control their traffic until I have a chance to go and take care of, you know, remove whatever malware is on it.

Okay, so now we're looking at my firewall running PAN-OS 9.1, and the first place I'm going to go is Objects. Now I've got a very basic configuration on this firewall allowing traffic out, and I've configured, as you can see here, an anti-spyware profile that I will add to my security policy rule here. But first I want to go to my Address Groups, and I'm going to create a dynamic address group. So we'll call this infected-hosts, and then I'm going to change it to dynamic, just like we saw before, and then I'm going to add a match criteria; in this case I'm going to add the infected-host tag. All right, so that's the first thing.

Then I'm going to come down here to... we already have my tags built, so I'm going to come down now to my log forwarding, and I'm going to add a log forwarding profile, and we'll call this infected-host as well, that's fine. And then down here I'm going to add my tagging. So what I'm going to do is we'll call this tag-infected-host or something of that nature, just so we can differentiate. I'm going to use the threat log, and then I'm going to filter, and I'll build my filter for a very specific thing: I just want to use an action that equals... it pulls up sinkhole, and then I will add it here. All right, now I can view the filtered logs, but I probably won't see anything yet because I haven't actually activated the sinkhole yet, so for me it'll have to be after the fact. So I'm going to hit OK. So now I have that built.

Now I've got to go to my built-in actions. So I hit Add, and I'll call this, let me say... well, that's all right, it can have the same name. All right, now I'm going to do source address, right? So I'm going to say source, and then I will choose local, and then I'm going to choose that tag, which is infected-hosts. All right, so now when it sees the sinkhole, whatever gets sinkholed will be tagged with this tag, and then it should move it to that dynamic address group.

So the last few steps here: I need to build my sinkhole. So I'm going to go back into anti-spyware, and I'm going to come down to this one I've already pre-built, and I'm going to move to this tab of DNS signatures. Now I need an external dynamic list, right? So I'm going to grab one that I've already built; it's called dns-sinkhole. I'm going to set the action to sinkhole, and for the IP that I want to use, I'm not really worried about IPv6 in this lab, so I'm going to use v4, and I'm just going to leave it as sinkhole.paloaltonetworks.com. Okay, and we'll see that address when it comes up later.

So now that I have sinkhole turned on, the last steps are going to be: go to my policy, I'm going to go into my egress-outside, which is my basic rule, I am going to add the profile of anti-spyware, and then I'm going to add my log forwarding for infected-hosts. Okay, now the last step is I want to create a rule. So I'm going to clone this rule and put it on the top, and I want this rule to effectively quarantine my devices. Now there are a lot of ways to do this, right? So I could call this block-infected-devices, quarantine-infected-devices, or whatever I want to call it. In fact, I can even change the tag here to infected-hosts. Right, so inside, source address will be my dynamic address group infected-hosts, destination outside, any is fine, application any. Now I could leave it as application-default, but since I'm denying it I could do any. And then I'll actually turn this off on this one because I don't need that, go ahead and deny this, and actually I don't need that as well here. So now I'm just going to make it a simple deny rule. Again, I don't have to be so broad; I could make this so it can't talk to critical servers or other critical services, I could get really granular about it, but for our purposes let's just block it out, right? Okay.

All right, so now that I have this set up, I will hit Commit. Now, while we're waiting for the commit, the external dynamic list: I actually just have a very basic list here. So if we look at the list, I just have three addresses, and they're actually taken from an actual malware list, but just for testing purposes, there they are. Okay, so when this is done committing, I can then go do an nslookup and I can look to see what it tells me is the IP address of that domain, and it should be the one that we tell it through sinkhole, right?

All right, so the next step then would be to test it using nslookup. So we can take one of the three addresses on my EDL here: golfsource.us, tourindia.ion, or vip projects. So let's just do golfsource.us. All right, so okay, now we can see here that it says sinkhole.paloaltonetworks.com and 72.5.65.111, which is the sinkhole address of Palo Alto Networks; now it has an alias of golfsource.us. So we could also do the other one, which is tourindia.ion, so if I can type... And now we see it's timing out, right? So rather than being able to do a DNS lookup, now it's just blocked outright. Why is that? Because that's what we told it to do. And I can look right here and see the value of my infected-hosts here, and there we see that the device that I'm using, 192.168.1.2, is now registered as a source address in this infected-hosts DAG, and it is of course denying that traffic. So that's a great test right there.

Now, to see it as well, we can look at Monitor, look at the threat log, and we can see that there's the one sinkhole that happened, right, the golfsource. If you wanted to see the tourindia, we'd have to really look at the traffic log to see it blocked, because now it's just outright blocked traffic. As a matter of fact, all my traffic is blocked, so this workstation is effectively quarantined, can't go anywhere. So that's how you do it.

Awesome. Hey, there's one other thing I wanted to mention, Patrick. So if you navigate back to your spyware profile, okay, your Objects and Anti-Spyware, take a look at the lab AS, okay, and if you go to the DNS signatures. So Patrick did something really interesting: he actually added an external dynamic list for these specific use cases. But there are two other address lists above that. One is the content DNS signatures; that is included in your daily 24-hour update on the firewall. If you are a DNS Security subscriber, that is the list below in the center there, and that is a real-time list where PAN-OS actually queries every DNS query real time on the wire to the DNS Security cloud service. So those are actually hosted by Palo Alto Networks; those are all threat intel lists. So I just wanted to clarify that Patrick's list was an EDL, which gives you the ability to ingest your own threat intelligence, right?

And actually you bring up a very good point, that my EDL is a very basic example and not the kind of EDL I would want to use, because I would have to keep it up to date, because it's just a text file. So yeah, in the real-world example we would want to use a dynamic list, whether it's coming through Palo Alto Networks or maybe some kind of third-party source that updates it regularly, so the firewall can be updated rather than a manual update, which would be, well, terrible.

Yeah, exactly. And we also have the MineMeld open source project, which can actually correlate a bunch of different lists and feed it to an EDL. And for those of you who don't know what an EDL is, it's an external dynamic list that is hosted on HTTP or HTTPS that can be digested by the firewall. So you can build different types: there's IP list, there's URL list, there's domain lists. So quite a bit of use...

That's a whole other episode.

Yeah, that's a whole other episode. That's quite a bit of use cases for external dynamic lists, and also a way to expand your threat posture by giving you many more resources. So yep.

Yep.

All right, awesome. Well, thanks a lot for joining us today. Thank you, Patrick, for showing us this use case. I think this is something very useful for users of PAN-OS to understand these capabilities, because once you get the firewall in place, it's doing traffic inspection, you're building your policies, you basically would like to start automating things. You don't want to just constantly respond to service desk calls that "I can't get to this website because the decryption's failing," or you get the call to do incident response that a box was compromised, it was reaching out to a bad domain that could have otherwise been sinkholed and prevented, right? So any other comments, Patrick? I think this about does it for us today.

I think so. You know, this is kind of a fun one, just because I love sort of the nerdy aspect of being able to automate and take things a little further than just your basic blocking and allowing of traffic. So this was a lot of fun. Hopefully it's very helpful for all of you out there and gives you just another glimpse at some of the other capabilities that the firewall and the security platform have.

Awesome. Well, thanks, Patrick, and we'll catch you guys next time.

All right, thanks. Take care and be safe.
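As an added example (not code from the episode, from Palo Alto Networks, or from PAN-OS itself), here is a small Python model of the mechanism both use cases rely on: a log forwarding profile entry whose filter, on match, registers a tag with a timeout on the source or destination address, and a dynamic address group that is simply the live members of that tag. The log records, addresses, filter strings and tag names are constructed to mirror the two demos (a 15-minute decrypt-err tag on the destination, an infinite infected-host tag on the source) and are not real firewall output.

```python
from dataclasses import dataclass

LOGS = [  # constructed sample records; field names follow PAN-OS log columns, values are made up
    {"type": "traffic", "src": "10.0.1.25", "dst": "203.0.113.10", "session_end_reason": "decrypt-error"},
    {"type": "traffic", "src": "10.0.1.25", "dst": "203.0.113.20", "session_end_reason": "tcp-fin"},
    {"type": "traffic", "src": "10.0.1.30", "dst": "203.0.113.30", "session_end_reason": "decrypt-cert-validation"},
    {"type": "threat", "src": "192.168.1.2", "dst": "198.51.100.5", "action": "sinkhole"},
    {"type": "threat", "src": "192.168.1.9", "dst": "198.51.100.5", "action": "alert"},
]

def matches(log, filter_expr):
    """Evaluate a filter written like the log filter builder: '(field eq value) or (...)'."""
    for clause in filter_expr.split(" or "):
        name, op, value = clause.strip("() ").split(" ", 2)
        assert op == "eq", f"unsupported operator {op!r}"
        if log.get(name) == value.strip("'"):
            return True
    return False

@dataclass
class ProfileEntry:
    """One log forwarding profile entry together with its built-in tagging action."""
    log_type: str     # "traffic" or "threat"
    filter_expr: str
    target: str       # "src" or "dst": which address of the matching log gets tagged
    tag: str
    timeout_min: int  # 0 means the tag never expires

class TagRegistry:
    """Registered IP/tag pairs with expiry; a DAG is just the live members of one tag."""
    def __init__(self):
        self._expiry = {}  # (ip, tag) -> expiry in epoch seconds, or None for infinite
    def register(self, ip, tag, timeout_min, now):
        self._expiry[(ip, tag)] = None if timeout_min == 0 else now + timeout_min * 60
    def dag_members(self, tag, now):
        return sorted(ip for (ip, t), exp in self._expiry.items()
                      if t == tag and (exp is None or exp > now))

def apply_profile(entries, logs, registry, now):
    """Run every log through every profile entry and tag on a filter match."""
    for e in entries:
        for log in logs:
            if log["type"] == e.log_type and matches(log, e.filter_expr):
                registry.register(log[e.target], e.tag, e.timeout_min, now)

DECRYPT_FILTER = ("(session_end_reason eq decrypt-unsupport-param) or "
                  "(session_end_reason eq decrypt-error) or "
                  "(session_end_reason eq decrypt-cert-validation)")
PROFILE = [
    ProfileEntry("traffic", DECRYPT_FILTER, "dst", "decrypt-err", 15),       # decryption bypass use case
    ProfileEntry("threat", "(action eq sinkhole)", "src", "infected-host", 0),  # quarantine use case
]

def simulate(now=0):
    """Return DAG membership right after tagging and again 16 minutes later."""
    reg = TagRegistry()
    apply_profile(PROFILE, LOGS, reg, now)
    later = now + 16 * 60
    return {"decryption-bypass": reg.dag_members("decrypt-err", now),
            "infected-hosts": reg.dag_members("infected-host", now),
            "decryption-bypass+16min": reg.dag_members("decrypt-err", later),
            "infected-hosts+16min": reg.dag_members("infected-host", later)}
```

Calling `simulate()` shows the two destinations that failed decryption falling out of decryption-bypass once the 15-minute timeout passes, while the sinkholed source stays in infected-hosts until someone removes the tag.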
Info
Channel: Palo Alto Networks LIVEcommunity
Views: 3,913
Id: WgG6Hi0T73g
Length: 23min 21sec (1401 seconds)
Published: Wed Aug 12 2020