Palo Alto Networks have added a new URL filtering category called ‘command-and-control’, to identify the differences between malware and command and control (c2) URLs and domains. Until the new category is live, the URLs and domains are recorded with the malware category.
Palo Alto quote ‘This command-and-control category is defined as command-and-control URLs and domains that are used by malware or compromised systems to surreptitiously communicate with an attacker’s remote server to receive malicious commands or to exfiltrate data.’
why does this matter?
This is an important distinction by Palo Alto because an endpoint contacting a c2 server has probably already been compromised, requiring remediation and possible lateral movement of the infection throughout the IT infrastructure.
Whereas an endpoint attempting to contact a malware URL is probably the victim of a phishing or drive-by-download and is yet to be infected/compromised.
Palo Alto Networks and Teneo highly recommend that administrators update the policy action for this new command-and-control category to BLOCK on all the URL Filtering policies across the PAN estate, see the screen capture below.
Teneo best practices recommend combing this new URL category with DNS Sinkholing, granular log forwarding with email alerts and custom reporting. In doing so, the internal IT support department will have near instant visibility of a comprised endpoint on the network and can take the appropriate action to isolate and remediate the endpoint.
Please contact us if you’d like our Professional Services team to help with configuring the firewalls, to follow our recommended best practices and gain that all important visibility into compromised endpoints.
Cookies are small files containing information that enables a website to recognise you. They’re downloaded to the device you use when you visit a website and sent back to that website each time you re-visit, or sent to another website that recognises the same cookie.
Strictly necessary cookies include session cookies and persistent cookies. Session cookies keep track of your current visit and how you navigate the site. They only last for the duration of your visit and are deleted from your device when you close your Internet browser. Persistent cookies last after you’ve closed your Internet browser and enable our website to recognise you as a repeat visitor and remember your actions and preferences when you return.
Third Party Cookies
Third party cookies include performance cookies and targeting cookies. Performance cookies collect information about how you use a website, e.g. which pages you go to most often, and if you get error messages from web pages. These cookies don’t collect information that identifies you personally as a visitor, although they might collect the IP address of the device you use to access the site. Targeting cookies collect information about your browsing habits. They are usually placed by advertising networks such as Google. The cookies remember that you have visited a website and this information is shared with other organisations such as media publishers.
Keeping these cookies enabled helps us to improve our website and display content that is more relevant to you and your interests across the Google content network.
Please enable Strictly Necessary Cookies first so that we can save your preferences!