Palo Alto Networks Knowledgebase: Command-and-Control (C2) FAQ

Command-and-Control (C2) FAQ

(1781 Views)
Created On 09/25/18 19:30 PM - Last Updated 09/25/18 23:10 PM
Categories:  URL Filtering

Issue:


Solution:


A new category has been added to URL Filtering.  This new category will be “command-and-control” to further break out specifics from within the malware category. 

 

Full functionality, which is the live categorization of C2 URLs, occurs on Wednesday October 25th, 2017.

 

Note: Administrators should set their command-and-control category to BLOCK immediately

 

Below is an FAQ about the command-and-control category.

 

Weren’t we already protected from C2?

Yes, you have always been protected from C2.  Previously, this was categorized within malware.

 

What’s the difference between malware and C2 and why should I care?

Palo Alto Networks has broken out specifics from within the malware category with C2.  Malware generally is malicious content, executables, scripts, viruses, and code that is attempting to be delivered through your network from external to internal.  These malicious attempts are being blocked by the firewall.  With C2, endpoints are trying to connect externally to remote servers.  These connections are made from inside out.  Again, the firewall is blocking the connection to these remote servers. 

 

However, security analysts will react differently to these two distinct categories. For malware, analysts will reasonably recognize that the threat was stopped by their Palo Alto Networks Firewall and the endpoint has not been compromised.  With C2, an endpoint has most likely become compromised because it is attempting to contact a remote server and remediation is necessary for that particular endpoint as well as an assessment for lateral movement/infection.    

 

What happens if I don’t change the C2 category to BLOCK as the action?

If you do not change the default action of the C2 category to block, all attempted connections to C2-related URLs will be allowed to go through and connect. 

 

Why is C2 not set to BLOCK by default?

The functionality for Palo Alto Networks to set the default action for the default profile to BLOCK is only available in PAN-OS version 8.0.2 and later with content version 738 or newer.  All customers running PAN-OS 8.0.2+ with content 738+ will have their default action automatically set to BLOCK in the default profile.  This functionality is NOT available to early versions of PAN-OS. (Please note, for PAN-OS 8.0.2+ customers, please check to ensure that the action has been properly updated to BLOCK within the default profile.)

 

If you have multiple URL Filtering security profiles, you must update the default action to BLOCK for each of these profiles. This applies to ALL versions of PAN-OS.  

 

How is C2 defined?

Command-and-control is defined by Palo Alto Networks as URLs and domains used by malware and/or compromised systems to surreptitiously communicate with an attacker’s remote server to receive malicious commands or exfiltrate data.

 

What is the timeline for release of the C2 category?

Category content update is currently available on the URL Filtering database.  The command-and-control category will be visible on the administrator’s management console but will not be functional.  During this time, you can update the action to BLOCK for the command-and-control category.  When functionality is available, all C2 URLs will be categorized and blocked (if set to block) by the URL Filtering functionality. 

 

When will the C2 category be functional?

Full functionality, which is the live categorization of C2 URLs, will occur on Wednesday October 25th, 2017.  This means that you will start seeing and blocking (if policies and profiles have been updated) URLs categorized as C2 on your firewalls.  

 

Can I test the C2 category prior to full functionality?

Yes, you can test your C2 profile(s)/policies prior to full functionality release.  You can utilize this URL for testing C2 categorization:  https://urlfiltering.paloaltonetworks.com/test-command-and-control  If the profile(s)/policies are setup correctly, then access to the URL will be blocked and logged by your Firewall.  

 

Does this apply to both PAN-DB and Brightcloud for URL filtering?

No, this is only for PAN-DB URL filtering and does not currently apply to Brightcloud URL filtering.

 

Note:  It is recommended to subscribe to this FAQ for timeline updates when available. 

 

See also

Make sure Command-and-Control is recognized by PAN-DB URL Filtering

 

From Kelvin Kwan

@neg273

Attachments:

Actions:
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZkCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Change Language: