Enhanced Coverage for Command and Control (C2) Traffic

Command-and-control (C2) describes when a compromised system is surreptitiously communicating with an attacker’s remote server to receive malicious commands or exfiltrate data. A new type of signature that detects C2 traffic is now generated automatically. While C2 protection is not new, previous signatures looked for an exact match to domain names in DNS queries or full URLs in HTTP client requests to identify a C2 host. The new, automatically-generated C2 signatures detect certain patterns in C2 traffic instead of the C2 host. This enables the firewall to provide more accurate, timely, and robust C2 detection even when the C2 host is unknown or changes rapidly.
To benefit from the enhanced C2 protection, you’ll need a Threat Prevention license—the new, automated C2 signatures are made available with hourly Antivirus updates, and further C2 protection continues to be delivered with the Applications and Threats updates. Additionally, both the Palo Alto Networks Threat Vault and AutoFocus are integrated with the firewall, and you can leverage these resources to immediately access more information about C2 attacks the firewall detects.
  1. Select DeviceLicenses and confirm that the firewall Threat Prevention license is active.
  2. Select DeviceDynamic Updates and enable the firewall to get the latest Antivirus updates every hour.
    The extended, automated C2 protection this feature introduces is made available with the latest Antivirus updates; however, Applications and Threats content updates also continue to provide C2 protection.
    To enable full coverage for C2 attacks, make sure that you also enable the firewall to check for the latest Applications and Threats content every 30 minutes (see New Scheduling Options for Application and Threat Content Updates ).
  3. Enable the firewall to block C2 activity it detects.
    1. Select ObjectsSecurity ProfilesAntivirus and Add or modify an Antivirus profile .
      The default action for C2 signatures is Reset Client; this means that when the firewall detects C2 communication, it resets the client-side TCP connection or drops the UDP connection.
      Setting up an Antivirus profile defines how you want the firewall to treat C2 attacks that match the new automated C2 signatures—also set up an Anti-Spyware profile to make sure that the firewall is blocking all C2 attacks.
    2. Attach the Antivirus profile (and Anti-Spyware profile) to a security policy rule:
      1. Select PoliciesSecurity and Add or modify a security policy rule.
      2. Select Actions and in the Profile Settings, set the Profile Type to Profiles.
      3. Select the Anti-Spyware profile you want to apply to traffic matched to this rule.
      4. Click OK.
  4. Find out more about C2 activity the firewall detects.
    • Monitor C2 activity:
    Select MonitorLogsThreat. Events the firewall detected based on the automatically-generated spyware signatures are logged with the Threat Category autogen and the Type spyware. Add the following filter to show only log entries for these events: (subtype eq spyware) and (category-of-threatid eq autogen).
    • Find out more about a specific C2 event:
    • Select the spyglass icon to view in-depth details for the logged event.
    • (New) Hover over a threat Name and click Exception to learn more about the type of threat detected and to see if the signature that detected the threat is configured as an exception to certain security policy rules.
    8.0-nfg-c2-exception.png
    Learn more about how you can use Globally Unique Threat IDs to gain context for a threat signature or create a threat exception.
    • Hover over an IP address, URL, or domain to search for that artifact in AutoFocus—AutoFocus can reveal if the artifact is frequently found with malware, if it is associated with malware variants, and whether the artifact is targeted or pervasive throughout your network, industry, or globally. This feature requires an AutoFocus license.

Related Documentation