Credential Theft Prevention With a Palo Alto Networks NGFW
Across the large number of best practice assessments that we've run, credential phishing prevention (CPP) is the high-value feature with the lowest overall adoption. Attackers disguise phishing sites as legitimate websites with the aim of stealing user information, especially the credentials that provide access to your network. When a phishing email enters a network, it takes just a single user to click the link and enter credentials to set a breach in motion. You can detect and prevent in-progress phishing attacks, and thereby prevent credential theft, by controlling the sites to which users can submit corporate credentials based on each site's URL category. This allows you to block users from submitting credentials to untrusted sites while allowing them to continue submitting credentials to corporate and sanctioned sites.
Credential phishing prevention is a Palo Alto Networks feature that was introduced in PAN-OS 8.0. This feature is meant to prevent users from submitting their corporate credentials to a phishing site that is disguised as a legitimate corporate website.
Credential phishing prevention works by scanning username and password submissions to websites and comparing those submissions to known corporate credentials. You do have the ability in the URL filtering profile to select which corporate credential categories you want to allow or block. When the firewall detects someone attempting to submit their corporate credentials to a site in a URL category that you are performing a block action on, the user will be presented with either a block response page that will prevent the user from submitting their corporate credentials or a continue response page that will present a warning to the user but still allow them to submit their corporate credentials. These response pages can be customized to help coach the corporate users against reusing their corporate credentials, even on legitimate web sites.
There are three methods that are used to check for corporate credential submission. These methods are group-mapping, IP user mapping and domain credential filter. The benefits and drawbacks of each method are outlined below.
Group mapping is based on LDAP group membership. While this method is simple to configure, it only matches on corporate username submission based on LDAP group membership, which makes it more prone to false positives.
IP user mapping checks whether the username a user submits to a blocked site maps to the IP address of the login username. Because this method matches the IP address of the login username associated with the session against the IP address-to-username mapping table, it is an effective method for detecting corporate username submissions, but it does not detect corporate password submission. If you want to detect both corporate username and password submission, you must use the domain credential filter method.
To detect corporate usernames and passwords, the firewall retrieves a secure bit mask called a bloom filter from a Windows User-ID agent equipped with the User-ID credential service add-on. This service scans your directory for username and password hashes and deconstructs them into a secure bit mask that is delivered to the User-ID agent. The firewall retrieves this bloom filter from the User-ID agent at regular intervals. When it detects a user submitting credentials to a blocked category, it reconstructs the bloom filter and looks for a matching username and password hash. It is recommended to run the standalone User-ID agent on a Windows read-only domain controller (RODC). It is also a best practice to keep this agent separate from the one mapping users to IP addresses.
Select the Credential tab and check "Import from UserID Credential Agent".
In the RODC directory, define the group of users for which you want to support credential submission detection.
The URL filtering profile determines which URL categories block corporate credential submission. To preserve performance, the firewall does not check credential submissions to trusted sites, even if you enable the checks for the URL categories those sites fall under. Trusted sites are sites on which Palo Alto Networks has not observed any malicious or phishing activity. Updates to this trusted site list are delivered through application and threat content updates.
The firewall uses one of the three methods above to detect valid credentials submitted to web pages. Each method requires User-ID, which enables the firewall to compare username and password submissions to web pages against valid corporate credentials.
Finally, it is important to note that because credential submissions travel inside TLS-encrypted sessions, you must configure the firewall to decrypt the traffic that you want to monitor for user credentials.
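To make the domain credential filter flow concrete, here is an added Python model of the decision the article describes: a bloom filter built from hashed corporate credentials (so no plaintext is kept in the structure the firewall holds), a per-category action taken from the URL filtering profile, the trusted-site bypass, and the requirement that the session be decrypted before anything can be checked. This is example code written for this page, not Palo Alto Networks' implementation; the hashing scheme, bit-array size, the `TRUSTED_SITES` set, the sample credentials and the profile actions are all constructed assumptions.

```python
import hashlib


class BloomFilter:
    """Fixed-size bit array with k hash positions per item (constructed model).

    Membership queries can return false positives but never false negatives,
    and the plaintext credentials are never stored in the structure.
    """

    def __init__(self, m_bits: int = 8192, k_hashes: int = 4) -> None:
        self.m = m_bits
        self.k = k_hashes
        self.bits = bytearray(m_bits // 8)

    def _positions(self, item: bytes):
        # Derive k positions by prefixing the item with a different index byte each time.
        for i in range(self.k):
            digest = hashlib.sha256(bytes([i]) + item).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item: bytes) -> None:
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[pos // 8] & (1 << (pos % 8)) for pos in self._positions(item))


def credential_key(username: str, password: str) -> bytes:
    # Assumption: the pair is hashed together; usernames are case-folded, passwords are not.
    return hashlib.sha256(f"{username.lower()}:{password}".encode()).digest()


def build_domain_filter(corp_credentials) -> BloomFilter:
    """Stand-in for the bit mask the credential service delivers to the User-ID agent."""
    bf = BloomFilter()
    for user, pw in corp_credentials:
        bf.add(credential_key(user, pw))
    return bf


# Constructed stand-in for the vendor-maintained trusted site list.
TRUSTED_SITES = {"login.corp.example"}


def cpp_decision(host: str, category: str, profile_actions: dict,
                 username: str, password: str, domain_filter: BloomFilter,
                 decrypted: bool = True) -> str:
    """Return the outcome for one credential submission: allow, alert, continue or block."""
    if not decrypted:
        return "allow"            # no visibility into the POST body without decryption
    if host in TRUSTED_SITES:
        return "allow"            # trusted sites are skipped regardless of category action
    action = profile_actions.get(category, "allow")   # constructed default, not the vendor's
    if action == "allow":
        return "allow"
    if credential_key(username, password) not in domain_filter:
        return "allow"            # not a corporate username/password pair
    return action                 # "block" stops the submit, "continue" warns, "alert" only logs


# Constructed sample data.
CORP_CREDENTIALS = [("alice", "Winter2023!"), ("bob", "Passw0rd")]
PROFILE_ACTIONS = {"phishing": "block", "unknown": "block", "social-networking": "continue"}


def demo() -> list:
    bf = build_domain_filter(CORP_CREDENTIALS)
    cases = [
        ("acme-login.example", "unknown", "alice", "Winter2023!", True),   # corporate creds to lookalike
        ("acme-login.example", "unknown", "alice", "wrong", True),         # wrong password, no match
        ("login.corp.example", "phishing", "bob", "Passw0rd", True),       # trusted site bypass
        ("social.example", "social-networking", "bob", "Passw0rd", True),  # coaching page
        ("acme-login.example", "phishing", "alice", "Winter2023!", False), # not decrypted
    ]
    return [cpp_decision(h, c, PROFILE_ACTIONS, u, p, bf, d) for h, c, u, p, d in cases]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The last two branches are the ones worth showing to an operator: the trusted-site bypass means a category action alone does not guarantee a check, and an undecrypted session produces no decision at all, which is why the decryption policy has to be in place before CPP can be expected to fire.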
Copyright © 2023 Optiv Security Inc. All rights reserved.