Panorama Administrator’s Guide 159
Monitor Network Activity Use Case: Respond to an Incident Using Panorama
Review Threat Logs
To begin investigating the alert, use the threat ID to search the threat logs on Panorama (Monitor > Logs > Threat).
From the threat logs, you can find the IP address of the victim, export the packet capture (PCAP; a green arrow
icon appears in the log entry) and use a network analyzer such as Wireshark to review the packet details. In
the HTTP case, look for a malformed or bogus HTTP Referer header, a suspicious Host, the URL strings, the
User-Agent, and the IP address and port in order to validate the incident. Data from these PCAPs is also useful
for searching for similar data patterns and for creating custom signatures or modifying security policy to address
the threat better in the future.
As a result of this manual review, if you are confident in the signature, consider transitioning it from an alert
action to a block action for a more aggressive response. In some cases, you may also choose to add the attacker
IP to an IP block list to prevent further traffic from that address from reaching the internal network.
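As an added example (not code from the Panorama Administrator's Guide), the following Python script performs the manual HTTP checks described above on a request carved out of an exported PCAP: it parses the request, then flags a Referer that is not a well-formed absolute URL, a missing Host or one that is a bare IP address, an empty User-Agent, and path-traversal patterns or non-printable bytes in the URL. The request bytes are constructed for the example, and the rules are simplified illustrations of what an analyst looks for, not Palo Alto Networks signatures.

```python
"""Triage an HTTP request carved out of a threat-log PCAP.

Added example, not code from the Panorama Administrator's Guide. The sample
request bytes are constructed, and the checks are simple illustrative rules,
not Palo Alto Networks signatures.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed request of the kind Wireshark's "Follow TCP Stream" would show
# for an exported PCAP. Several fields are deliberately suspicious.
SAMPLE_REQUEST = (
    b"GET /cgi-bin/..%2f..%2fetc/passwd HTTP/1.1\r\n"
    b"Host: 203.0.113.9\r\n"
    b"User-Agent: \r\n"
    b"Referer: http://\r\n"
    b"\r\n"
)


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into request-line fields and headers."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def is_well_formed_referer(value):
    """A legitimate Referer is an absolute http(s) URL with a host part."""
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def is_bare_ip(host):
    """True when Host carries an IP literal (IPv4 with optional port, or IPv6
    without port) instead of a DNS name, a common trait of exploit traffic."""
    for candidate in (host, host.rsplit(":", 1)[0]):
        try:
            ipaddress.ip_address(candidate)
            return True
        except ValueError:
            continue
    return False


def triage(raw):
    """Return the findings an analyst would note for this request."""
    req = parse_http_request(raw)
    headers = req["headers"]
    findings = []

    referer = headers.get("referer")
    if referer is not None and not is_well_formed_referer(referer):
        findings.append(f"malformed Referer: {referer!r}")

    host = headers.get("host", "")
    if not host:
        findings.append("missing Host header")
    elif is_bare_ip(host):
        findings.append(f"Host is a bare IP address: {host}")

    if not headers.get("user-agent"):
        findings.append("empty or missing User-Agent")

    target = req["target"]
    if ".." in target or "%2f" in target.lower():
        findings.append(f"path traversal pattern in URL: {target}")
    if any(not (0x20 < ord(c) < 0x7F) for c in target):
        findings.append("non-printable or whitespace bytes in request target")

    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REQUEST):
        print("-", finding)
```

The findings list is what you would carry into the decision on moving the signature from alert to block: a request that trips several of these checks at once is much less likely to be a false positive than one that trips none.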
To continue the investigation, use the attacker and victim IP addresses to find out more, such as:
Where is the attacker located geographically? Is the IP address an individual host or a NATed address?
Was the event caused by a user being tricked into visiting a website, by a download, or by an email attachment?
Is the malware propagating? Are there other compromised hosts or endpoints on the network?
Is it a zero-day vulnerability?
If you see a DNS-based spyware signature, the IP address of your local DNS server might display as the
victim IP address. This is usually because the firewall is located north of the local DNS server: the
recursive queries the firewall inspects are sent by the DNS server, so it appears as the source IP rather
than the client that originated the lookup.
If you see this issue, enable the DNS sinkholing action in the Anti-Spyware profile used by your security
policy in order to identify the infected hosts on your network. DNS sinkholing lets you control outbound
connections to malicious domains: the firewall forges the DNS response so that the malicious domain
resolves to an internal IP address you define, one that is unused and does not answer (the sinkhole).
When a compromised host then tries to connect to the malicious domain, instead of going out to the
Internet it connects to the sinkhole address. Because that connection originates from the client itself,
reviewing the traffic logs for all hosts that connected to the sinkhole address lets you locate every
compromised host and take remedial action to prevent the spread.
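The pivot just described, as an added example that is not code from the Panorama Administrator's Guide: the script below reads constructed threat and traffic log extracts, shows that every DNS threat hit names the resolver as the victim (the masking problem), and then pulls the real infected hosts out of the traffic log by their connections to the sinkhole address. The CSV layout (time, src, dst, dport, app, threat, action), the resolver address 10.0.0.53 and the sinkhole address 10.99.99.99 are all assumptions made for the example; real PAN-OS log exports carry many more columns.

```python
"""Pivot from a DNS-based spyware alert to the infected hosts via sinkhole traffic.

Added example, not code from the Panorama Administrator's Guide. The CSV
layout below is a simplified, constructed one; real PAN-OS log exports carry
many more columns in a fixed order.
"""
import csv
from collections import Counter
from io import StringIO

# Constructed topology: the firewall sits north of the internal resolver
# 10.0.0.53, and 10.99.99.99 is an unused internal address configured as the
# sinkhole in the Anti-Spyware profile. Both values are assumptions.
DNS_SERVER = "10.0.0.53"
SINKHOLE_IP = "10.99.99.99"

# Constructed threat log: the DNS hits show the resolver, not the clients.
THREAT_LOG_CSV = """\
time,src,dst,dport,app,threat,action
2014-03-01 10:00:01,10.0.0.53,198.51.100.7,53,dns,Suspicious DNS Query (evil.example),sinkhole
2014-03-01 10:00:04,10.0.0.53,198.51.100.7,53,dns,Suspicious DNS Query (evil.example),sinkhole
2014-03-01 10:02:30,10.1.1.20,203.0.113.9,80,web-browsing,Malformed HTTP Request,alert
"""

# Constructed traffic log: two internal hosts follow the forged answer to the
# sinkhole; the other sessions are unrelated background traffic.
TRAFFIC_LOG_CSV = """\
time,src,dst,dport,app,action
2014-03-01 10:00:02,10.1.1.20,10.99.99.99,80,web-browsing,allow
2014-03-01 10:00:05,10.1.1.31,10.99.99.99,443,ssl,allow
2014-03-01 10:00:06,10.1.1.31,10.99.99.99,80,web-browsing,allow
2014-03-01 10:01:10,10.1.1.40,93.184.216.34,80,web-browsing,allow
2014-03-01 10:03:00,10.0.0.53,8.8.8.8,53,dns,allow
"""


def parse_csv(text):
    """Parse a CSV export with a header row into a list of dicts."""
    return list(csv.DictReader(StringIO(text)))


def dns_threat_victims(threat_rows):
    """Victim (source) IPs of DNS-based threat hits with counts. With the
    firewall north of the resolver these collapse onto the DNS server."""
    return dict(Counter(r["src"] for r in threat_rows if r["app"] == "dns"))


def resolver_is_masking_clients(threat_rows, dns_server):
    """True when every DNS threat hit names the resolver as victim, the signal
    that sinkholing is needed to see the originating hosts."""
    victims = dns_threat_victims(threat_rows)
    return bool(victims) and set(victims) == {dns_server}


def sinkhole_sources(traffic_rows, sinkhole_ip):
    """Hosts that opened a session to the sinkhole address, with hit counts.
    Only a host that resolved a sinkholed domain ever connects there, so each
    source is an infected endpoint regardless of which resolver it used."""
    return dict(Counter(r["src"] for r in traffic_rows if r["dst"] == sinkhole_ip))


def investigate(threat_csv, traffic_csv, dns_server, sinkhole_ip):
    """Run the full pivot and return a small report."""
    threat_rows = parse_csv(threat_csv)
    traffic_rows = parse_csv(traffic_csv)
    return {
        "dns_victims": dns_threat_victims(threat_rows),
        "resolver_masks_clients": resolver_is_masking_clients(threat_rows, dns_server),
        "infected_hosts": sorted(sinkhole_sources(traffic_rows, sinkhole_ip)),
    }


if __name__ == "__main__":
    report = investigate(THREAT_LOG_CSV, TRAFFIC_LOG_CSV, DNS_SERVER, SINKHOLE_IP)
    print("DNS threat victims:", report["dns_victims"])
    if report["resolver_masks_clients"]:
        print("Threat logs only show the resolver; pivoting to sinkhole traffic.")
    print("Infected hosts:", report["infected_hosts"])
```

Filtering on the destination address is deliberate: because the sinkhole address never answers, no legitimate application ever has a reason to reach it, so every source IP in that filter is a remediation target without further correlation.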
Copyright © 2007-2014 Palo Alto Networks