The Evolution of IPS to Advanced Threat Prevention: Preventing Unknown Command and Control Attacks in Real-Time

May 19, 2022
5 minutes

As network defenders, we all know how hard it can be to effectively stop a sophisticated and persistent attacker. Here at Palo Alto Networks, we monitor the threat landscape closely. Our research indicates that the most effective way for intruders to get past network defenses is to use malleable and unknown command and control (C2). Since C2 is the last opportunity before the adversary completes their action on the objectives, it is key for security professionals to detect and prevent it quickly and effectively – stopping modern cyber attacks in their tracks.

As part of our six-part webinar series, our second episode will cover how modern attackers are leveraging automated hack tools to evade traditional security controls. We’ll conduct a demo and show exactly how organizations can stop unknown C2 inline using an intrusion prevention system (IPS).

If you didn’t catch episode one, you can check it out here: Industry Firsts in NGFW Design and Security for Internet Edge, Campus, and Data Centers.

Adversaries Using C2 to Their Advantage

For some time, attackers have enjoyed an advantage when it comes to C2. With the increased use of automation and purpose built tools, adversaries have been able to emulate legitimate network payloads and real world traffic. When combined with evasive techniques such as encryption and encoding, it’s becoming easier for threat actors to circumvent signature based controls and bypass security defenses.

Our Unit 42 Threat Intelligence Team has observed more than a 70% increase in the use of these red team tools, such as Cobalt Strike. And many recent high profile attacks have taken this exact same path. In May 2021, the Darkside ransomware-as-a-service group leveraged evasive and previously unknown C2 as part of their playbook. Unit 42 and other researchers also observed Cobalt Strike beacons being utilized in the later stage of the attack in the Solarwinds breach and being delivered as payloads in connection with exploits to the recent Log4j vulnerability.

As this method of attack continues to emerge, it’s clear that enabling security defenses to detect and prevent unknown C2 attacks is essential.

IPS Solutions Cannot Keep Up

Most IPS solutions on the market today use signature-based detections to block known threats. Once observed, the tactics/techniques used by a threat a research team to develop sophisticated signatures preventing it in the future. Signatures are very efficient, providing robust coverage for known attacks and serving as foundational building blocks for any cyber security solution. However, this doesn’t address the problem with patient zero as modern C2 tools are designed to evade traditional signature based defenses by easily changing their methods to be new and unfamiliar. Consequently, signatures are always playing catch up and they can not effectively address zero-day attacks and evasive communication channels.

It’s clear that modern IPS solutions must evolve. Not only do we need the ability to stop known attacks, we also need the ability to detect unknown attacks and block them in real-time. IPS solutions need to be able to detect these evasive C2 tools with little to no False Positives so that it does not impede productivity.

Preventing Unknown C2 in Real Time

With PAN-OS 10.2 Nebula, we have launched Advanced Threat Prevention – the industry’s first IPS with an inline deep learning cloud engine to detect and prevent evasive C2 tactics and techniques in real-time. Advanced Threat Prevention analyzes suspicious network sessions to provide a near real-time verdict on unknown C2 traffic and block the session inline. By situating our deep learning models in the cloud, we take advantage of cloud scale and custom data processing faster than you can blink, in order to prevent threats in real-time.

How did we do it?

At Palo Alto Networks, we have the largest malware analysis engine in the industry, WildFire. We utilized its high fidelity dataset from malware communications observed during cloud analysis, coupled with Unit 42 intelligence, to train our models to precision. And with these new detection capabilities, we prevent 97% of one of the most difficult to detect Cobalt Strike C2 techniques in use today, web-based cobalt strike. We have also observed a 48% increase in detection of previously unknown C2 communications that can also be blocked inline.

Get Ahead of The Unknown

As threats continue to evolve in sophistication and evasion, security must also. We’ve moved beyond offline and on the box analysis. We’ve taken deep learning and placed it inline, allowing us to detect and prevent new and unknown threats instantly. This is a huge step for our customers in preventing patient zero and safeguarding against modern threats – including file-based threats, command-and-control, and web-based threats like phishing and sophisticated dynamic threats that use DNS to launch attacks.

To see a live demonstration and learn more about how Advanced Threat Prevention stops unknown C2 inline by using machine learning and deep learning models, register for our second episode in our series: Evolution of IPS to Advanced Threat Prevention.

Check Out Our Previous Episodes

In episode one, we covered the nitty gritty of our new NGFW and security infrastructure that redefines what was thought possible – the prevention of advanced evasive threats as they happen. If you missed it, you can check out episode one: Industry Firsts in NGFW Design and Security for Internet Edge, Campus, and Data Centers.

Subscribe to Network Security Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.