In the large number of best practice assessments that we’ve run, credential phishing prevention (CPP) is a high-value feature that we see with the least overall adoption. Attackers disguise phishing sites as legitimate websites with the aim to steal user information, especially the credentials that provide access to your network. When a phishing email enters a network, it takes just a single user to click the link and enter credentials to set a breach into motion. You can detect and prevent in-progress phishing attacks, thereby preventing credential theft, by controlling sites to which users can submit corporate credentials based on the site’s URL category. This allows you to block users from submitting credentials to untrusted sites while allowing users to continue to submit credentials to corporate and sanctioned sites.

Credential phishing prevention is a Palo Alto Networks feature that was introduced in PANOS8.0. This feature is meant to prevent users from submitting their corporate credentials to a phishing site that is disguised as a legitimate corporate website.

Palo Alto Networks Credential Phishing – How Does It Work

Credential phishing prevention works by scanning username and password submissions to websites and comparing those submissions to known corporate credentials. You do have the ability in the URL filtering profile to select which corporate credential categories you want to allow or block. When the firewall detects someone attempting to submit their corporate credentials to a site in a URL category that you are performing a block action on, the user will be presented with either a block response page that will prevent the user from submitting their corporate credentials or a continue response page that will present a warning to the user but still allow them to submit their corporate credentials. These response pages can be customized to help coach the corporate users against reusing their corporate credentials, even on legitimate web sites.

Methods to Check for Corporate Credential Submission

There are three methods that are used to check for corporate credential submission. These methods are group-mapping, IP user mapping and domain credential filter. The benefits and drawbacks of each method are outlined below.

Image

Group Mapping is based on LDAP group membership. While this method is simple to configure, it will only match on corporate username submission based on LDAP group membership, which can make it more prone to false positives.

IP user mapping checks if the username a user submits to a blocked site maps to the IP address of the login username. Because this method matches the IP address of the login username associated with the session against the IP address-to-username mapping table, it is an effective method for detecting corporate username submissions, but it does not detect corporate password submission. If you want to detect corporate username and password submission, you must use the domain credential filter method.

To detect corporate usernames and passwords, the firewall retrieves a secure bit mask called a bloom filter from a Windows user-id agent equipped with the user-id credential service add-on. This service scans your directory for username and password hashes and deconstructs them into a secure bit mask that is delivered to the user-id agent. The firewall retrieves this bloom filter from the user-id agent at regular intervals. When it detects a user submitting credentials to a blocked category, it reconstructs the bloom filter and looks for a matching username and password hash. It is recommended to use the standalone user-ID agent on a Windows read only domain controller (RODC). It is also a best practice to have this be a separate agent from the one mapping users to IP addresses.

To Configure the User-ID Agent for Domain Credential Filter

Image

Select the Credential tab, and check “Import from UserID Credential Agent”

Image

In the RODC directory, define the group of users for which you want to support credential submission detection.

URL Filtering Profile

The URL filtering profile is utilized for determining what URL categories will block corporate credential submission. The firewall does not check credential submissions for trusted sites, even if you enable the checks for the URL categories for these sites, to provide best performance. The trusted sites represent sites where Palo Alto Networks has not observed any malicious or phishing attacks. Updates for this trusted site list are delivered through application and threat content updates.

Image

The firewall uses one of three methods to detect valid credentials submitted to web pages. Each method requires User-ID which enables the firewall to compare username and password submissions to web pages against valid, corporate credentials.

Image

Finally, it is important to note that due to the impact of TLS encryption, you must configure the firewall to decrypt traffic that you want to monitor for user credentials.