Managing High Risk and other Security Focused URL Categories
Symptom
Blocking the high-risk URL category is not recommended, because many sites are placed in high-risk only temporarily and are not malicious.
Environment
Any firewall with URL filtering, running PAN-OS 9.0 or later
Resolution
For the high-risk and medium-risk categories the recommended action is alert.
- Alert does not block the traffic, but it logs the site, so the visit can be reviewed later if there is a need to go back and see what happened.
- The recommended combination for high-risk sites is to alert, enforce SSL decryption for increased visibility, apply a much stricter Threat Prevention profile, and block downloads of dangerous file types (PEs, PowerShell scripts, etc.) from those sites.
- You may also wish to increase URL logging for additional insight.
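Alerting only makes sense if someone actually goes back through the alert logs. The script below is an added example, not Palo Alto Networks code: it reads a simplified, constructed excerpt of URL filtering log lines (column names, including the url_category_list column, are an assumption modelled on a PAN-OS 9.x URL log export, and the hosts and addresses are made up), works out each site's risk tier from the category list, ranks sites for review (high-risk and newly-registered first), and answers the "who visited this site" question the page says alert logging is for.

```python
"""Triage URL filtering alert logs by risk category.

Added example; not Palo Alto Networks code. The column layout below is an
assumption based on a PAN-OS 9.x URL log export (receive time, source,
destination, URL, category, URL category list, action); the log lines are
constructed for this example.
"""
import csv
import io

# Constructed sample: URLs are logged as host/path without a scheme (assumption).
SAMPLE_LOG = """receive_time,src,dst,url,category,url_category_list,action
2024/03/04 09:12:01,10.1.5.23,203.0.113.10,cdn-updates.example/get/installer.exe,computer-and-internet-info,"computer-and-internet-info,high-risk",alert
2024/03/04 09:12:44,10.1.5.23,203.0.113.10,cdn-updates.example/get/installer.exe,computer-and-internet-info,"computer-and-internet-info,high-risk",alert
2024/03/04 09:15:10,10.1.7.88,198.51.100.7,photos.example/album/1,entertainment-and-arts,"entertainment-and-arts,high-risk",alert
2024/03/04 10:02:31,10.1.9.14,192.0.2.55,box-share.example/s/abcd,online-storage-and-backup,"online-storage-and-backup,medium-risk",alert
2024/03/04 10:40:07,10.1.5.23,192.0.2.77,login-verify.example/auth,unknown,"unknown,high-risk,newly-registered-domain",block
2024/03/04 11:01:59,10.1.2.4,198.51.100.20,news.example/today,news,"news,low-risk",allow
"""

RISK_TIERS = ("high-risk", "medium-risk", "low-risk")
TIER_ORDER = {"high-risk": 0, "medium-risk": 1, "low-risk": 2, None: 3}


def parse_url_log(text):
    """Parse CSV log text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def host_of(url):
    """Hostname part of a logged URL (everything before the first slash)."""
    return url.split("/", 1)[0].lower()


def categories(row):
    """All categories PAN-DB assigned to the URL, as a set."""
    return {c.strip() for c in row["url_category_list"].split(",") if c.strip()}


def risk_tier(row):
    """The risk category for the row, or None if the list carries no risk tier."""
    cats = categories(row)
    for tier in RISK_TIERS:
        if tier in cats:
            return tier
    return None


def summarize(rows):
    """Per host: hit count, distinct sources, risk tier, NRD flag, actions seen."""
    out = {}
    for row in rows:
        host = host_of(row["url"])
        s = out.setdefault(host, {"hits": 0, "sources": set(), "tier": None,
                                  "nrd": False, "actions": set()})
        s["hits"] += 1
        s["sources"].add(row["src"])
        s["tier"] = risk_tier(row) or s["tier"]
        s["nrd"] = s["nrd"] or "newly-registered-domain" in categories(row)
        s["actions"].add(row["action"])
    return out


def prioritized(rows):
    """Hosts ordered for review: high-risk first, newly-registered domains ahead
    within a tier, then the hosts reached by the most distinct internal sources."""
    s = summarize(rows)
    return sorted(s, key=lambda h: (TIER_ORDER[s[h]["tier"]], not s[h]["nrd"],
                                    -len(s[h]["sources"]), h))


def who_visited(rows, host):
    """(receive_time, source) pairs for every logged visit to the host."""
    return sorted({(r["receive_time"], r["src"]) for r in rows
                   if host_of(r["url"]) == host})


if __name__ == "__main__":
    rows = parse_url_log(SAMPLE_LOG)
    summary = summarize(rows)
    for host in prioritized(rows):
        s = summary[host]
        print(f"{host:28} tier={s['tier']:<11} nrd={s['nrd']!s:<5} "
              f"hits={s['hits']} sources={len(s['sources'])} actions={sorted(s['actions'])}")
    print("visits to cdn-updates.example:", who_visited(rows, "cdn-updates.example"))
```

The ranking puts a high-risk site that is also newly registered at the top even with a single hit, because that combination is the one the page singles out; a high-risk content site with several distinct visitors comes next, since that is where a stricter Threat Prevention profile and file blocking matter most.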
High-risk sites include:
- Sites previously confirmed to be malware, phishing, or C2 sites that have displayed only benign activity for at least 30 days.
- Unknown domains are classified as high-risk until PAN-DB completes site analysis and categorization.
- Sites that are associated with confirmed malicious activity. For example, a page might be high-risk if there are malicious hosts on the same domain, even if the page itself does not contain malicious content.
- Bulletproof ISP-hosted sites.
- Sites hosted on IPs from ASNs that are known to allow malicious content.
If you do choose to block the high-risk category, plan for an exception (allow) list, because legitimate sites are occasionally categorized as high-risk and users will still need access to them.
Medium-risk sites include:
- All cloud storage sites (with the URL category online-storage-and-backup).
- Sites previously confirmed to be malware, phishing, or C2 sites that have displayed only benign activity for at least 60 days.
- Unknown IP addresses are categorized as medium-risk until PAN-DB completes site analysis and categorization.
Low-Risk
Low-risk is by far the most common category and is the one most often seen in the logs. There is normally no reason to log these sites, so allow is the recommended action.
- Sites that are not medium or high risk are considered low risk. These sites have displayed benign activity for a minimum of 90 days.
Newly-Registered Domains
Newly registered domains are frequently used for malware and other malicious activity. This is the only secondary (security-focused) category that should be blocked.
- Identifies sites that have been registered within the last 32 days. New domains are frequently used as tools in malicious campaigns.
Recommended Policy Action: Block
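The four recommendations above (alert on high-risk and medium-risk, allow low-risk, block newly-registered-domain, and log more rather than less) can be checked mechanically against an exported profile. The script below is an added example, not Palo Alto Networks code. It assumes the XML layout of a PAN-OS 9.x URL Filtering profile export, where the predefined categories sit as <member> entries under <alert>, <allow>, <block>, <continue> and <override>, and where <log-container-page-only> controls whether only the container page is logged; the profile it lints is constructed for the example and deliberately has the weak settings the page warns against.

```python
"""Lint a PAN-OS URL Filtering profile against the actions recommended on this page,
and emit a corrected copy.

Added example; not Palo Alto Networks code. Assumes the PAN-OS 9.x profile XML
layout (<alert>/<allow>/<block>/<continue>/<override> lists of <member> under
<url-filtering><entry>, plus <log-container-page-only>). The sample profile is
constructed for this example.
"""
import xml.etree.ElementTree as ET

# Recommended action per security-focused category, as stated on this page.
RECOMMENDED = {
    "high-risk": "alert",
    "medium-risk": "alert",
    "low-risk": "allow",
    "newly-registered-domain": "block",
}
ACTIONS = ("alert", "allow", "block", "continue", "override")

# Constructed "before" profile: blocks high-risk (false positives during the
# 30-day cooldown), only alerts on newly-registered domains, and logs container
# pages only, which hides most of what the alert action is supposed to record.
SAMPLE_PROFILE = """<url-filtering>
  <entry name="outbound-url">
    <block>
      <member>high-risk</member>
      <member>malware</member>
      <member>phishing</member>
      <member>command-and-control</member>
    </block>
    <alert>
      <member>medium-risk</member>
      <member>newly-registered-domain</member>
    </alert>
    <allow>
      <member>low-risk</member>
    </allow>
    <log-container-page-only>yes</log-container-page-only>
  </entry>
</url-filtering>"""


def category_actions(profile_xml):
    """Return {profile_name: {category: action}} parsed from the profile XML."""
    root = ET.fromstring(profile_xml)
    result = {}
    for entry in root.findall("entry"):
        actions = {}
        for action in ACTIONS:
            node = entry.find(action)
            if node is None:
                continue
            for member in node.findall("member"):
                actions[(member.text or "").strip()] = action
        result[entry.get("name")] = actions
    return result


def lint(profile_xml):
    """List (profile, setting, current, recommended) deviations from this page."""
    findings = []
    root = ET.fromstring(profile_xml)
    parsed = category_actions(profile_xml)
    for entry in root.findall("entry"):
        name = entry.get("name")
        actions = parsed[name]
        for cat, want in RECOMMENDED.items():
            got = actions.get(cat, "not listed under any action")
            if got != want:
                findings.append((name, cat, got, want))
        lc = entry.find("log-container-page-only")
        if lc is not None and (lc.text or "").strip() == "yes":
            findings.append((name, "log-container-page-only", "yes", "no"))
    return findings


def apply_recommendations(profile_xml):
    """Return the profile XML with the four categories moved to their recommended
    action lists and container-page-only logging switched off; other categories
    (malware, phishing, ...) are left exactly as configured."""
    root = ET.fromstring(profile_xml)
    for entry in root.findall("entry"):
        for action in ACTIONS:
            node = entry.find(action)
            if node is None:
                continue
            for member in list(node.findall("member")):
                if (member.text or "").strip() in RECOMMENDED:
                    node.remove(member)
        for cat, want in RECOMMENDED.items():
            node = entry.find(want)
            if node is None:
                node = ET.SubElement(entry, want)
            ET.SubElement(node, "member").text = cat
        lc = entry.find("log-container-page-only")
        if lc is None:
            lc = ET.SubElement(entry, "log-container-page-only")
        lc.text = "no"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in lint(SAMPLE_PROFILE):
        print("profile %s: %s is %r, recommended %r" % finding)
    fixed = apply_recommendations(SAMPLE_PROFILE)
    print("findings after fix:", lint(fixed))
```

The linter reports only the settings this page takes a position on; malware, phishing and command-and-control stay under block in both the input and the corrected output, which is where the firewall's own best-practice profile also puts them. A category that is not listed under any action is reported rather than assumed, because its effective action then depends on the profile default.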
Additional Information
- For Palo Alto Networks' best practice for configuring URL Filtering security profile, please visit: https://docs.paloaltonetworks.com/advanced-url-filtering/administration/configuring-url-filtering/url-filtering-best-practices
- When a URL previously categorized as malware, phishing, or command-and-control is determined to no longer be malicious (for example, after being cleaned or re-analyzed), it is immediately reclassified. At that point it is assigned a new content-based category (such as Entertainment and Arts) and is also placed in the high-risk category.
- The site remains in the high-risk category for at least 30 days. After 30 days in high-risk, and if the site continues to show only benign activity, its risk level is lowered to medium-risk. The site then remains in the medium-risk category for an additional 60 days.
- After 60 days in medium-risk (at least 90 days since the initial change from malware), if the site has continued to display only benign activity, it is moved to the low-risk category.
- This tiered "cooldown" ensures that sites with a history of malicious activity are treated with caution: their risk level is reduced only after a sustained period of demonstrated good behavior. Because the risk category is applied alongside the content category, a policy that blocks high-risk would also block such a site for the whole cooldown period even though it is no longer malicious, which is why alert is the recommended action.