Credential Theft Prevention With a Palo Alto Networks NGFW

Across the large number of best practice assessments that we’ve run, credential phishing prevention (CPP) is a high-value feature, yet it is the one we see with the least overall adoption. Attackers disguise phishing sites as legitimate websites with the aim of stealing user information, especially the credentials that provide access to your network. When a phishing email enters a network, it takes just a single user clicking the link and entering credentials to set a breach in motion. You can detect and prevent in-progress phishing attacks, thereby preventing credential theft, by controlling the sites to which users can submit corporate credentials based on the site’s URL category. This allows you to block users from submitting credentials to untrusted sites while allowing users to continue to submit credentials to corporate and sanctioned sites.


Credential phishing prevention is a Palo Alto Networks feature that was introduced in PAN-OS 8.0. This feature is meant to prevent users from submitting their corporate credentials to a phishing site that is disguised as a legitimate corporate website.



Palo Alto Networks Credential Phishing – How Does It Work

Credential phishing prevention works by scanning username and password submissions to websites and comparing those submissions to known corporate credentials. In the URL filtering profile, you can select which corporate credential categories you want to allow or block. When the firewall detects someone attempting to submit their corporate credentials to a site in a URL category on which you are performing a block action, the user is presented with one of two response pages: a block page that prevents the user from submitting their corporate credentials, or a continue page that warns the user but still allows them to submit their corporate credentials. These response pages can be customized to help coach corporate users against reusing their corporate credentials, even on legitimate websites.



Methods to Check for Corporate Credential Submission

There are three methods that are used to check for corporate credential submission. These methods are group-mapping, IP user mapping and domain credential filter. The benefits and drawbacks of each method are outlined below.





Group Mapping

Group Mapping is based on LDAP group membership. While this method is simple to configure, it will only match on corporate username submission based on LDAP group membership, which can make it more prone to false positives.


IP User Mapping

IP user mapping checks if the username a user submits to a blocked site maps to the IP address of the login username. Because this method matches the IP address of the login username associated with the session against the IP address-to-username mapping table, it is an effective method for detecting corporate username submissions, but it does not detect corporate password submission. If you want to detect corporate username and password submission, you must use the domain credential filter method.


Domain Credential Filter

To detect corporate usernames and passwords, the firewall retrieves a secure bit mask called a bloom filter from a Windows User-ID agent equipped with the User-ID credential service add-on. This service scans your directory for username and password hashes and deconstructs them into a secure bit mask that is delivered to the User-ID agent. The firewall retrieves this bloom filter from the User-ID agent at regular intervals. When it detects a user submitting credentials to a blocked category, it reconstructs the bloom filter and looks for a matching username and password hash. It is recommended to use the standalone User-ID agent on a Windows read-only domain controller (RODC). It is also a best practice to have this be a separate agent from the one mapping users to IP addresses.
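The three checks described above, side by side, as an added example that is not Palo Alto Networks code and not part of the original article. The hash construction, the filter parameters (`M_BITS`, `K_HASHES`) and every sample user, IP address and password are assumptions made for illustration; the point is that group mapping and IP user mapping match on the username alone, while the bloom filter test needs the username and password pair.

```python
import hashlib

# Constructed sample data; none of it comes from the article or from PAN-OS.
GROUP_MEMBERS = {"jsmith", "adoe"}                         # LDAP group under enforcement
IP_USER_MAP = {"10.0.0.5": "jsmith", "10.0.0.7": "adoe"}   # IP address-to-username table
DIRECTORY = {"jsmith": "Winter2024!", "adoe": "c0rp-Pa55"} # stand-in for directory hashes

M_BITS, K_HASHES = 4096, 4  # assumed filter size and hash count


def _positions(username, password):
    """Derive K_HASHES bit positions from the credential pair (assumed scheme)."""
    item = f"{username.lower()}\x00{password}".encode()
    for i in range(K_HASHES):
        digest = hashlib.sha256(bytes([i]) + item).digest()
        yield int.from_bytes(digest[:8], "big") % M_BITS


def build_filter(directory):
    """Agent side: fold every credential pair into a single bit mask."""
    bits = 0
    for user, password in directory.items():
        for pos in _positions(user, password):
            bits |= 1 << pos
    return bits


def group_mapping(username):
    """Username is a member of the enforced group; the submitter is not considered."""
    return username.lower() in GROUP_MEMBERS


def ip_user_mapping(src_ip, username):
    """Username equals the login user mapped to the session's source IP."""
    return IP_USER_MAP.get(src_ip) == username.lower()


def domain_credential_filter(bits, username, password):
    """Firewall side: every derived bit set means a probable corporate credential."""
    return all((bits >> pos) & 1 for pos in _positions(username, password))


def check(bits, src_ip, username, password):
    """Return the (group, ip_user, credential_filter) verdicts for one submission."""
    return (group_mapping(username), ip_user_mapping(src_ip, username),
            domain_credential_filter(bits, username, password))


if __name__ == "__main__":
    corp_filter = build_filter(DIRECTORY)
    for sub in [("10.0.0.5", "jsmith", "Winter2024!"), ("10.0.0.7", "jsmith", "hobby-forum-pw")]:
        print(sub, check(corp_filter, *sub))
```

A bloom filter can report a match for a pair that was never added (a false positive) but never misses a pair that was, and the bit mask on its own does not list the credentials it was built from.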



To Configure the User-ID Agent for Domain Credential Filter


  • On the RODC server, launch the User-ID agent.
  • Select Setup and then Edit.
  • Select the Credential tab, and check “Import from UserID Credential Agent”.
  • In the RODC directory, define the group of users for which you want to support credential submission detection.


  • Confirm that the groups that should receive credential submission enforcement are added to the Allowed RODC Password Replication Group.
  • Check that none of the groups in the Allowed RODC Password Replication Group are also in the Denied RODC Password Replication Group by default. Groups listed in both will not be subject to credential phishing enforcement.



URL Filtering Profile

The URL filtering profile determines the URL categories for which corporate credential submission is blocked. To provide the best performance, the firewall does not check credential submissions for trusted sites, even if you enable the checks for the URL categories for these sites. The trusted sites represent sites where Palo Alto Networks has not observed any malicious or phishing attacks. Updates for this trusted site list are delivered through application and threat content updates.




The firewall uses one of three methods to detect valid credentials submitted to web pages. Each method requires User-ID, which enables the firewall to compare username and password submissions to web pages against valid corporate credentials.


Credential Phishing Block Page Example:
Note that the Palo Alto Networks block pages are contained under Device > Response Pages. Block pages can be exported and customized for your environment.

[Image: credential phishing block page example]


Finally, it is important to note that due to the impact of TLS encryption, you must configure the firewall to decrypt traffic that you want to monitor for user credentials.

Anthony Tanzi
Partner Architect-Palo Alto Networks-Strata | Optiv