PCNSE Prep - Functions and Concepts of WildFire

Captions
Greetings, I'm Mitch Tensley from the Palo Alto Networks Education Delivery department, and I'm here to talk to you today about the functions and concepts of WildFire. The big feature with WildFire is to turn unknown malware into known malware. The reason this is important is because zero-day or unknown malware is so new that most network security and endpoint security products are incapable of detecting and blocking the propagation of this unknown malware. The scenario was simple: a user downloads a file he thinks is benign, but it turns out to be malicious, and then that file is able to spread throughout the network without any impedance. When we introduce a Palo Alto Networks next-generation firewall into the environment, when the user attempts to download that same file, the firewall can take a copy of that file. In order to appropriately see this file you might need to deploy SSL decryption in order to open up tunnels and see the contents inside. Then, based on the configuration of a WildFire Analysis profile, that file can be sent up to the WildFire public cloud for analysis. There are multiple forms of analysis that can occur. First, static analysis involves looking for particular bit patterns that might be indicative of malware. Then dynamic analysis is actually running the file and observing its attack behavior against the host. Some malware is particularly evasive for sandboxing, and so we can flag that malware for analysis on a bare-metal system. After the analysis is complete and the malware has attacked the sandbox system, this file is now considered known malware. Now that it is known malware, we can generate antivirus signatures to block the propagation of this file. After the signatures have been created, they're handed over to the Palo Alto Networks update server at a 5-minute interval, after which time a firewall with an active WildFire subscription can download these signatures and then use them to block the spread of this file to other hosts within the network.

To recap: WildFire turns unknown malware into known malware. The execution or prevention of the spread of malware is not done by the WildFire Analysis profile; it is implemented using the Antivirus profile. The WildFire Analysis profile turns the unknown malware into known malware; the Antivirus security profile would then block the spread of that malware based on antivirus signatures and WildFire signatures. One thing to keep in mind, however: in this scenario WildFire did not interrupt the initial user from downloading the file, and thus the initial user became infected. However, WildFire can inform the firewall administrator that the user who downloaded the file did receive a malicious file. That way administrators can follow up and clean the infection on the endpoint after the fact.

WildFire isn't just capable of detecting malicious files; it can be used to detect malicious links and URLs also. In this scenario we have an attacker who sends an email to a target user, and that email contains a link which looks benign. However, the firewall takes a copy of that link and, based on the WildFire Analysis profile, will send that link up to the WildFire public cloud, where a virtual machine doing dynamic analysis will browse to the address in that link. Based on the behavior of the site browsed to, if it sends a malicious payload back to the sandbox, then this link is considered malicious. WildFire will then send the URL from the link over to the PAN-DB cloud servers, such that when the target victim user clicks on the link in the email and attempts to browse to the attacker's servers, the firewall can query the PAN-DB cloud to look up the categorization of that URL. If PAN-DB says that that URL is malicious, then the user's browser session can be blocked using a URL Filtering profile. So to recap: a WildFire Analysis security profile can also detect malicious links; the URL Filtering security profile can prevent a user from browsing to or accessing that malicious URL, and depending on the timing it could even block the initial target user trying to go to that malicious site.

Let's look at the high-level functionality of WildFire, shall we? First, the firewall receives a file. Then the firewall checks to see if the file has been signed by a trusted digital signature. If it has, then the file would be allowed. If it has not, then the firewall will take a hash of the file; then it will check against WildFire to see if that hash has been seen before. If that hash has been seen before, then there will be a verdict associated: benign; grayware, and grayware is not technically malicious, but it's not great either; then there's phishing or malware verdicts. However, if WildFire has not seen this file before, then the firewall checks to see if the file size is smaller than the configured maximum thresholds. If the file is too large, then the firewall has no option but to allow the file. However, if the file is not too large, then it can be submitted up to WildFire for analysis. Once the analysis is complete, a verdict will be generated based on the characteristics and behavior of the file, and that verdict would be, again, benign, grayware, phishing, or malware. After that, WildFire will inform the submitting firewall of this verdict, and this will appear within the WildFire Submissions log, after which WildFire will generate malware signatures and make them available for firewalls to download. If your firewall has a valid WildFire subscription, you can immediately download the signature once it's placed on the update server, after about a five-minute period. If your firewall does not have a WildFire subscription, you still benefit from the submission of this file during the next day's antivirus update.

Now, not all administrators would be comfortable sending every type of file into a public cloud environment. For this reason we make available the WF-500, which we call a private cloud analysis system. The private cloud analysis system can detect malicious files and malicious links and generate signatures to block their propagation. The signatures are made available for the firewall to pull on an every-five-minute basis. Also, the WF-500 has an XML API which you can programmatically interact with to do a lot of the same functionality. Now, depending on the situation, you might want to employ the use of both the public cloud and a private cloud analysis system. We call this a hybrid cloud scenario, where the administrator configures files of a sensitive nature to be sent to a WF-500 for analysis and files with no sensitivity to be sent up to the public cloud for analysis. Note that not all file types can be analyzed on a WF-500, but all file types can be analyzed within the WildFire public cloud.

Let's look at the configuration of these settings. So on the Device tab, Setup, WildFire tab, you can come into the General Settings, click on the gear, and this is where you can add your WF-500 address; it could be its host name or IP. Also, this is where you can see the different file types supported, as well as the place where you can configure their file size limitations. In a moment I'll show you the range of options available, but at the moment you can see the default values. Also, if you wish the WildFire Submissions log to contain information about files detected as benign or files detected as grayware, check these two boxes and click OK. Also, if you scroll down, you can see the Session Information Settings window, where you can turn on or off different data elements that will appear about sessions within the WildFire Submissions log.

Now, speaking about the file types: the first one I want to introduce to you is a PE, or portable executable. A portable executable is a name that encompasses multiple file types, for example EXEs, specific types of object code, DLLs or dynamic link libraries, as well as font files. With no WildFire subscription license, every Palo Alto Networks firewall is able to submit PEs up for analysis, and any PE submitted that is malicious could be blocked using the antivirus signatures downloaded the next day. If you do have a WildFire subscription license, however, you have the ability to submit all of the remaining file types: APKs, archive file types, emails, Flash, JAR, Linux file types, Mac OS, Office documents, as well as PDFs. Note: not all file types can be analyzed and have signatures created on a WF-500 private cloud, so pick carefully which file types you would send to the private cloud versus the public cloud. Also, you can see on the bottom right, on a per-file-type basis, what the maximum range value option is as well as the default.

The configuration of a WildFire Analysis security profile is fairly straightforward. I liken the WildFire Analysis security profile to a vacuum: you tell it what things you want to suck up and where you want them to be analyzed, and then after analysis a verdict would be passed back down. If you want to block files that have been determined to be malicious, you would do so using an Antivirus security profile. Notice within the Antivirus security profile there are two columns for action. First, the Action column in the middle references the daily, or 24-hour, downloaded antivirus database, whereas the WildFire Action references the WildFire database, which will be made available via the update server every five minutes, and your firewall can be configured to download this database on as little as a one-minute interval.

Now, for malicious links we would use the URL Filtering security profile. You have three categories, command-and-control, malware, and phishing, which are directly related to the WildFire analysis of URLs. You can set their access to block if you wish. You can also create custom URL categories and import lists of other known malicious URLs that maybe WildFire hasn't analyzed. To see the full list of URL categories supported by Palo Alto Networks, I direct you to the URL at the bottom of the screen.

In order to make full use of WildFire, it does require a subscription license. The license allows you to submit all supported file types via your firewall or via the WildFire API. Also, it allows you to download and install WildFire virus signatures. To do this best, you would configure your firewall to check with the update server every minute for new WildFire signatures; they will be provided from the WildFire server to the update server on a 5-minute interval. Finally, we cannot guarantee that you will receive a verdict or a signature within the first 5-minute interval after submitting your file. This really depends on several factors, like sandbox evasiveness, but you might. I hope you found this video informative. Thank you for watching.
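The file-handling flow the video walks through (trusted signature, hash lookup, size threshold, forward for analysis, verdict, then the Antivirus profile's WildFire action), modelled in Python as an added example that is not Palo Alto Networks code. The per-type size limits, the file-type names, the verdict cache and the choice to let grayware pass are constructed assumptions, not values from PAN-OS.

```python
import hashlib
from dataclasses import dataclass

VERDICTS = {"benign", "grayware", "phishing", "malware"}

# Constructed per-type maximum sizes in MB (assumption: the real defaults live
# under Device > Setup > WildFire and are not copied from the video).
MAX_SIZE_MB = {"pe": 10, "pdf": 5, "apk": 30}

@dataclass
class FileSample:
    name: str
    file_type: str                    # "pe", "pdf", "apk", ... (constructed labels)
    data: bytes
    trusted_signature: bool = False   # signed by a trusted digital signature

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def forwarding_decision(sample, known, limits=MAX_SIZE_MB, subscription=True):
    """Firewall-side flow from the video: trusted signature -> allow; hash seen
    before -> existing verdict; not forwardable or above the size limit -> allow;
    otherwise the file is forwarded to WildFire and its hash is returned."""
    if sample.trusted_signature:
        return ("allow", "trusted digital signature")
    h = sha256(sample.data)
    if h in known:
        return ("verdict", known[h])
    if not subscription and sample.file_type != "pe":
        return ("allow", "only PEs are submitted without a WildFire subscription")
    limit_mb = limits.get(sample.file_type)
    if limit_mb is None or len(sample.data) > limit_mb * 1024 * 1024:
        return ("allow", "unsupported type or above the configured maximum size")
    return ("forward", h)

def record_verdict(known, h, verdict):
    """WildFire returns its verdict; the hash is now known (unknown -> known)."""
    if verdict not in VERDICTS:
        raise ValueError(verdict)
    known[h] = verdict

def antivirus_action(verdict, wildfire_action="reset-both"):
    """Antivirus profile enforcement: the WildFire Action column applies to
    signatures from the 5-minute WildFire database. Letting benign and grayware
    through is an assumption for this model, not a PAN-OS rule."""
    return wildfire_action if verdict in ("malware", "phishing") else "allow"
```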
Info
Channel: Palo Alto Networks LIVEcommunity
Views: 17,930
Keywords: Security Profiles, WildFire, Antivirus, unknown threats, known threats, sandboxing
Id: xK8cRFCVlrQ
Length: 11min 44sec (704 seconds)
Published: Tue Jul 31 2018