PAN-OS 8.0: Preventing Credential-Based Attacks With the Platform


By: Brian Tokuyoshi
Category: Security Platform
Tags: PAN-OS 8.0, credential theft, threat prevention

When looking at the spectrum of breaches, there are some that are fairly exotic, requiring the use of sophisticated techniques that would make Rube Goldberg proud. These types of efforts require a hundred things to go right in order to succeed and typically require the time, patience and financial backing of an advanced threat actor.

One might think that sophisticated threat actors prefer sophisticated techniques. On the contrary, although a sophisticated adversary may have the capability to pull off a complicated attack, most people are surprised to learn that the majority of breaches still rely on stolen credentials. It is far easier to steal credentials and use them for covert activities than it is to locate a zero-day vulnerability in an external-facing system. And attackers will take the easiest path to their objectives.

Stolen credentials provide many advantages in the attack lifecycle. Effectiveness goes up, and the risk of getting caught goes down. It is more effective because the attacker doesn’t have to spend as much time getting past security countermeasures designed to stop intruders. The attack does not require getting malware into the environment or finding a way to execute it. The adversary simply uses the stolen credentials to take on the appearance of a trusted user, which reduces the risk of getting caught.

There is no shortage of advice on what to do about password risks, but to date, most of them have focused on a problem space that bears little resemblance to the targeted attack. The advice to use filtering solutions to stop malicious links to credential phishing sites in email presumes that the security team knows it’s malicious before the user clicks. It also presumes that the link is coming via email. In a targeted credential phishing attack, one cannot assume either to be true, for there are many ways to hide a site’s true nature, and many ways to get a link to the victim other than email.

The common practice of using multi-factor authentication to address the threat of stolen passwords is a good idea but hard to implement at enterprise scale. In most cases, organizations encounter both political and technological difficulty when trying to deploy multi-factor authentication across their application landscape. Political issues crop up when the security teams ask the application owners to make changes to their authentication methods. Application owners care about uptime and functionality, and it can be a hard sell to get them to add more security. Technological issues crop up when dealing with the myriad of resources that use passwords, many of which have little support for third-party authentication servers or plugins.

We’re pleased to announce support for new features that help organizations take new steps to disrupt an attacker’s ability to use stolen credentials. These capabilities add to the platform’s layered protections, making it incredibly difficult to steal and use credentials in a successful attack. One of the new innovations we’ve added to the platform stops the leakage of credentials to unauthorized websites: because the platform inspects network traffic in-line, it can enforce policies that restrict the sites to which users may submit their corporate credentials. These measures are important, for they act as a safety net that stops credentials from being submitted to credential phishing sites, including ones that have never been seen before.
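The allowlist principle described above, as an added illustration that is not Palo Alto Networks’ implementation: a simplified in-line check that inspects a form-encoded login POST, decides whether the submitted identity looks corporate, and blocks the submission unless the destination host is a sanctioned login site. The hosts, the `corp.example` identity rule and the field names are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed policy: the only hosts allowed to receive corporate credentials.
# Everything else is blocked, so a never-before-seen phishing site needs no prior signature.
ALLOWED_LOGIN_HOSTS = {"login.corp.example", "sso.corp.example"}
CORP_DOMAIN = "corp.example"
USER_FIELDS = {"username", "user", "email", "login"}
PASS_FIELDS = {"password", "passwd", "pwd"}


def extract_credentials(body: str):
    """Return (username, password) from a form-encoded POST body, or None if absent."""
    fields = {k.lower(): v[0] for k, v in parse_qs(body).items()}
    user = next((fields[f] for f in USER_FIELDS if f in fields), None)
    password = next((fields[f] for f in PASS_FIELDS if f in fields), None)
    if user is None or password is None:
        return None
    return user, password


def is_corporate_user(user: str) -> bool:
    """Constructed identity heuristic: alice@corp.example or CORP\\alice count as corporate."""
    u = user.lower()
    netbios = CORP_DOMAIN.split(".")[0] + "\\"
    return u.endswith("@" + CORP_DOMAIN) or u.startswith(netbios)


def evaluate_submission(url: str, body: str) -> str:
    """Return 'allow', or 'block' when corporate credentials go to a non-sanctioned host."""
    creds = extract_credentials(body)
    if creds is None:
        return "allow"  # not a credential submission at all
    user, _ = creds
    if not is_corporate_user(user):
        return "allow"  # personal credentials fall outside this policy
    host = (urlsplit(url).hostname or "").lower()
    return "allow" if host in ALLOWED_LOGIN_HOSTS else "block"
```

A production control would compare the submitted secret against the directory rather than pattern-matching the username, but the policy shape is the same: the decision keys on where the credential is going, not on recognizing the site as malicious.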

In addition, the platform goes a step further to disrupt an attacker’s ability to use a set of stolen credentials to access critical applications. The next-generation firewall enforces multi-factor authentication policy in the network, thus keeping the adversary away from any interaction with the application at all. This is a revolutionary approach to multi-factor authentication, for it strengthens security without having to make direct changes to the application itself, thus making implementation easier without the pain that can derail pervasive enforcement of multi-factor authentication policy.

Both of these key technologies are preventive measures to stop credential-based attacks that organizations can deploy with their Palo Alto Networks firewalls. As an integral part of the platform, now organizations can cut their exposure to the risk of targeted credential phishing and the use of stolen credentials for lateral movement.
