PAN-OS Configuration Recommendations to Protect Against Shamoon 2

Created On 09/27/18 09:43 AM - Last Modified 07/30/20 18:50 PM


Symptom


The "Shamoon 2: Delivering Disttrack" post by Unit 42 covers how Disttrack is delivered and distributed within the targeted network.

This article describes the firewall features and configuration best practices that help detect and prevent this malicious activity using the Palo Alto Networks firewall.


Environment


  • PAN-OS


Resolution


Use of stolen credentials
A new feature for preventing credential-based attacks was released in PAN-OS 8.0.

Credential phishing prevention works by scanning username and password submissions to websites and comparing those submissions against valid corporate credentials. An administrator can choose what websites to either allow, alert on, or block corporate credential submissions to, based on the URL category of the website. Alternatively, the firewall can be configured to present a page that warns users against submitting credentials to sites classified in certain URL categories. The solution also provides logging visibility into credential submission activity.

Please reference this resource for more information:


Use of Remote Desktop Protocol to administer the distribution server remotely
Palo Alto Networks App-ID makes it possible to safely enable applications, with granular control over which approved application traffic is allowed into and out of the network. App-ID can be enforced in security policy for remote administration protocols such as RDP to ensure that only authorized users and sources are allowed access to network resources.

GlobalProtect can be used to enable remote users to safely access network resources remotely as well:


Copying suspicious file types such as EXEs and BAT files within the network
Efficient segmentation of the network can help with controlling traffic and getting visibility into traffic traversing different segments of the network. Different interface types and security zones can be configured on the firewall to achieve this:

Additionally, PAN-OS provides the ability to configure blocking of specific file types. The file blocking profile can be used to ensure only approved file types traverse sensitive segments of the network. A video covering the feature and its configuration is available at:


Delivery of malicious Disttrack executable
In addition to file blocking, WildFire and antivirus signatures provide detection of, and prevention against, malicious files.

Dynamic updates should be configured to make sure the firewall always receives and installs the latest IPS and antivirus definitions:
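The three controls above (restricting RDP in security policy, blocking EXE/BAT transfers with a file blocking profile, and scheduling dynamic updates) all live in the firewall's XML configuration, so they can be audited offline from a configuration export. The script below is an added example written for this article, not Palo Alto Networks code: it parses a constructed sample whose element layout approximates a PAN-OS configuration export (the exact schema is assumed, and the zone, address-group, profile and rule names are hypothetical) and reports rules that allow `ms-rdp` from any source, file blocking profiles that do not block the required file types, and update feeds with no recurring download-and-install schedule.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the general shape of a PAN-OS XML configuration export.
# Zone, address-group, profile and rule names are hypothetical; the element
# layout is an approximation of the running-config tree, not an exact schema.
SAMPLE_CONFIG = """<config version="8.0.0">
 <devices><entry name="localhost.localdomain">
  <deviceconfig><system><update-schedule>
   <threats><recurring><weekly><day-of-week>sunday</day-of-week>
     <at>01:02</at><action>download-only</action></weekly></recurring></threats>
   <anti-virus><recurring><hourly><at>5</at>
     <action>download-and-install</action></hourly></recurring></anti-virus>
  </update-schedule></system></deviceconfig>
  <vsys><entry name="vsys1">
   <profiles><file-blocking>
    <entry name="block-executables"><rules>
     <entry name="no-exe"><application><member>any</member></application>
      <file-type><member>exe</member></file-type>
      <direction>both</direction><action>block</action></entry>
    </rules></entry>
   </file-blocking></profiles>
   <rulebase><security><rules>
    <entry name="rdp-from-anywhere">
     <from><member>any</member></from><to><member>servers</member></to>
     <source><member>any</member></source><destination><member>any</member></destination>
     <application><member>ms-rdp</member></application><action>allow</action>
    </entry>
    <entry name="rdp-admins-only">
     <from><member>trust</member></from><to><member>servers</member></to>
     <source><member>admin-jump-hosts</member></source>
     <destination><member>any</member></destination>
     <application><member>ms-rdp</member></application><action>allow</action>
    </entry>
   </rules></security></rulebase>
  </entry></vsys>
 </entry></devices>
</config>"""


def load_config(xml_text):
    """Parse a configuration export (or the constructed sample) into an element tree root."""
    return ET.fromstring(xml_text)


def members(node, tag):
    """Return the <member> values under child <tag> of node, or [] if the child is absent."""
    child = node.find(tag)
    if child is None:
        return []
    return [m.text.strip() for m in child.findall("member") if m.text]


def unrestricted_rdp_rules(root):
    """Names of allow rules that permit ms-rdp (or any application) from any source or zone."""
    findings = []
    for rule in root.iterfind(".//rulebase/security/rules/entry"):
        apps = members(rule, "application")
        if "ms-rdp" not in apps and "any" not in apps:
            continue
        if rule.findtext("action", "").strip() != "allow":
            continue
        if "any" in members(rule, "source") or "any" in members(rule, "from"):
            findings.append(rule.get("name"))
    return findings


def file_blocking_gaps(root, required=("exe", "bat")):
    """For each file blocking profile, the required file types that no block rule covers."""
    gaps = {}
    for profile in root.iterfind(".//profiles/file-blocking/entry"):
        blocked = set()
        for rule in profile.iterfind("rules/entry"):
            if rule.findtext("action", "").strip() == "block":
                blocked.update(members(rule, "file-type"))
        # A block rule for file type "any" covers every required type.
        missing = [] if "any" in blocked else sorted(t for t in required if t not in blocked)
        gaps[profile.get("name")] = missing
    return gaps


def update_schedule_status(root):
    """Whether each feed has a recurring schedule that installs (not just downloads) updates."""
    status = {}
    sched = root.find(".//deviceconfig/system/update-schedule")
    for feed in ("threats", "anti-virus", "wildfire"):
        node = sched.find(feed) if sched is not None else None
        installs = False
        if node is not None:
            # Assumption: a WildFire real-time schedule carries no <action> element.
            if node.find(".//real-time") is not None:
                installs = True
            for action in node.iterfind(".//action"):
                if action.text and action.text.strip() == "download-and-install":
                    installs = True
        status[feed] = installs
    return status


def audit(xml_text):
    """Run all three checks and return one human-readable finding per gap."""
    root = load_config(xml_text)
    findings = []
    for name in unrestricted_rdp_rules(root):
        findings.append(f"security rule '{name}' allows ms-rdp from any source; "
                        "restrict it to approved administrative sources")
    for profile, missing in file_blocking_gaps(root).items():
        if missing:
            findings.append(f"file blocking profile '{profile}' does not block: {', '.join(missing)}")
    for feed, ok in update_schedule_status(root).items():
        if not ok:
            findings.append(f"no recurring download-and-install schedule for {feed} updates")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Against the constructed sample the script flags the `rdp-from-anywhere` rule, the `bat` type missing from the `block-executables` profile, and the `threats` feed (download-only) and `wildfire` feed (no schedule at all). To run it against a real device, replace `SAMPLE_CONFIG` with the XML from a configuration export and adjust the XPath expressions if the element layout of that export differs from the approximation used here.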


Other features to aid visibility and enforcement
Lastly, configuring other features such as SSL decryption, URL filtering and dynamic block lists provides additional visibility into traffic and additional enforcement capabilities during the different stages of the attack lifecycle.

Some of these recommendations are detailed in the following article:

Although the above article is written with a focus on preventing ransomware infections, the threat prevention features and configuration it lists can greatly help reduce the attack surface and provide increased visibility into, and prevention of, malicious activity of any kind.


