Panos: Credential Theft And Encryption

Does PAN-OS need decryption for credential theft prevention?

Palo Alto Networks' PAN-OS offers a credential phishing prevention feature that scans username and password submissions to websites, comparing them to known corporate credentials. This feature is meant to prevent users from submitting their corporate credentials to a phishing site that is disguised as a legitimate corporate website. To enable this feature, the firewall must be configured to decrypt traffic that is to be monitored for user credentials. This involves creating a decryption policy rule that defines the traffic to be decrypted based on source, destination, service, and URL category.

Characteristics and values

  • Does PAN-OS need decryption for credential theft prevention? Yes. Because of TLS encryption, the firewall must be configured to decrypt traffic before it can monitor submissions for user credentials.
  • How does PAN-OS prevent credential theft? By scanning username and password submissions to websites and comparing those submissions to known corporate credentials.
  • How does PAN-OS detect valid credentials? By using one of three methods: group mapping, IP user mapping, or domain credential filter.
  • What are the benefits and drawbacks of each method? Group mapping is simple to configure but prone to false positives. IP user mapping is effective for detecting corporate username submissions but does not detect corporate password submissions. Domain credential filter detects both corporate usernames and passwords.
  • How does PAN-OS handle trusted sites? For best performance, the firewall does not check credential submissions to trusted sites, even if checks are enabled for their URL categories.


Group mapping

To set up group mapping, you need to map users to groups. This method allows you to apply credential detection to any part of the directory or specific groups that have access to sensitive applications. It is recommended to use group mapping to protect high-value user accounts.

When setting up credential phishing prevention, you must also configure User-ID and URL Filtering. User-ID detects when users submit valid corporate credentials to a site, differentiating them from personal credentials. URL Filtering specifies the URL categories in which you want to prevent users from entering their corporate credentials.

Additionally, to effectively prevent corporate credential theft, you need to have decryption enabled. Decryption allows you to reveal encrypted threats and enforce policies on encrypted traffic. By decrypting traffic, you can prevent malicious content from entering your network and sensitive content from leaving your network disguised as encrypted traffic.


IP user mapping

To set up IP user mapping, you must first enable User-ID. Then, you can map IP addresses to users. This allows the firewall to detect whether a user is submitting a valid corporate username and whether that username matches the login username mapped to the session's source IP address.

Once IP user mapping is set up correctly, you can enable "Use IP User Mapping" in the User Credential Detection section of URL filtering. This will allow you to block or alert on credential submissions to specific categories of websites.

It's important to note that IP user mapping requires consistent domain prefixes to function properly. Inconsistent domain prefixes may cause users to hit the wrong security policy.


Domain credential filter

The domain credential filter method is one of the methods to check for corporate credential submissions. It detects whether a user is submitting a valid username and password and that those credentials belong to the logged-in user.

To enable the domain credential filter method, you need to configure credential detection with the Windows-based User-ID Agent and map IP addresses to users. This requires installing the User-ID agent and the User-ID Credential Service on a read-only domain controller (RODC). The User-ID agent scans the directory for usernames and password hashes of group members listed in the RODC password replication policy (PRP). The collected data is then deconstructed into a bloom filter, a type of bit mask that provides a secure way to check whether an element (a username or password hash) is a member of the set of approved credentials without storing the credentials themselves. The bloom filter is forwarded to the Windows User-ID agent, and the firewall retrieves it at regular intervals to detect username and password submissions.
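The bloom-filter check described above, as an added illustration that is not Palo Alto Networks' code: a directory of constructed sample accounts is reduced to a bit mask, and a submitted username and password are then tested against that mask. SHA-256 stands in for whatever password hash the real agent collects, and usernames and hashes are inserted as separate elements (a simplification of the real filter) so that the mask never holds a usable credential pair.

```python
import hashlib

FIELDS = ("username", "password")


class BloomFilter:
    """Fixed-size bit array plus k hash positions: no false negatives, rare false positives."""

    def __init__(self, size_bits=4096, num_hashes=4):
        self.size = size_bits
        self.k = num_hashes
        self.bits = bytearray((size_bits + 7) // 8)

    def _positions(self, item):
        # Slice k 4-byte words out of one SHA-256 digest to get k bit positions.
        digest = hashlib.sha256(item.encode()).digest()
        return [int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.size
                for i in range(self.k)]

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def might_contain(self, item):
        # All k bits set -> "probably a member"; any bit clear -> definitely not a member.
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


def build_credential_filter(accounts):
    """accounts: {username: password_hash}. Only the bit mask leaves the RODC."""
    bf = BloomFilter()
    for user, pw_hash in accounts.items():
        bf.add("u:" + user.lower())   # prefixes keep the two namespaces apart
        bf.add("p:" + pw_hash)
    return bf


def classify_submission(bf, username, password):
    """Return (username_is_corporate, password_is_corporate) for a form submission.
    The cleartext password is hashed before lookup, matching how the filter was built."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    return (bf.might_contain("u:" + username.lower()),
            bf.might_contain("p:" + pw_hash))


# Constructed sample directory (not real accounts); SHA-256 stands in for the directory hash.
SAMPLE_ACCOUNTS = {
    "alice": hashlib.sha256(b"Winter2024!").hexdigest(),
    "bob": hashlib.sha256(b"correct-horse").hexdigest(),
}
```

With four hash positions in 4096 bits and only a handful of entries the false-positive rate is negligible; a production filter is sized for the number of replicated accounts.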

The effectiveness of credential phishing detection depends on the RODC setup, so it is important to review best practices and recommendations for RODC administration. Additionally, it is recommended to deploy a separate agent for credential detection and not use the same agent for mapping IP addresses to users.

Once the domain credential filter method is configured, you can select how you want to treat user credential submissions on allowed sites. The options include alert, allow, block, and continue. Alert allows the submission but generates a log, allow permits the submission without any further action, block prevents the submission and displays a block page, and continue presents a warning page but still allows the submission.

It is worth noting that the domain credential filter method is supported only with the Windows User-ID agent and not with the PAN-OS integrated User-ID agent.


User-ID configuration

  • Enable User-ID: The first step is to ensure that User-ID is enabled on your firewall. This forms the foundation for detecting and preventing credential phishing attempts.
  • Choose a Method for Corporate Credential Submission Checking: There are three primary methods available: Group Mapping, IP User Mapping, and Domain Credential Filter. Each method has its benefits and drawbacks, and the selection depends on your specific requirements.
  • Group Mapping: This method is based on LDAP group membership. It is simple to configure but may result in false positives as it only matches corporate username submissions based on LDAP group membership.
  • IP User Mapping: This method checks whether the username submitted to a restricted site matches the login username that User-ID has mapped to the session's source IP address. It effectively detects corporate username submissions but does not detect password submissions.
  • Domain Credential Filter: This method detects both corporate usernames and passwords. It requires the Windows User-ID agent and the User-ID credential service add-on installed on a read-only domain controller (RODC).

Configure User-ID Agent for Domain Credential Filter:

  • Install the Windows User-ID agent on an RODC, which is a Microsoft Windows server with a read-only copy of the Active Directory database. This provides local authentication services and enhances security by keeping the directory contents secure on the domain controller.
  • Launch the User-ID agent and select "Setup" and then "Edit."
  • Select the "Credential" tab and enable "Import from UserID Credential Agent."
  • Define the group of users for which you want to support credential submission detection in the RODC directory.
  • Ensure that the groups receiving credential submission enforcement are added to the Allowed RODC Password Replication Group, and they are not listed in the Denied RODC Password Replication Group.
  • Map Users to Groups or IP Addresses: Depending on the chosen method for corporate credential submission checking, you may need to map users to groups or IP addresses. For Group Mapping, configure the firewall to map users to groups. For IP User Mapping, map IP addresses to users.
  • Configure URL Filtering: Specify the URL categories in which you want to prevent users from entering their corporate credentials. This allows you to block users from submitting credentials to untrusted sites while allowing submissions to corporate and sanctioned sites.
  • Decryption: To monitor user credentials effectively, you must configure the firewall to decrypt traffic. This involves preparing the necessary keys and certificates, creating decryption profiles and policies, and setting up decryption port mirroring.
  • Customize Response Pages: You can customize the block and continue response pages that users see when attempting to submit credentials. This provides an opportunity to educate users about the risks of reusing corporate credentials, even on legitimate websites.

Decryption policy rules

Understanding the Threat

Phishing attacks often involve disguising malicious websites as legitimate ones to trick users into submitting their credentials. By gaining access to user credentials, attackers can breach secure networks and compromise sensitive information.

Methods to Check for Corporate Credential Submissions

There are several methods available to detect and prevent credential phishing:

  • Group Mapping Method: Detects if a user is submitting a valid corporate username based on the user-to-group mapping table. This method is suitable for protecting high-value user accounts but may result in false positives in environments without uniquely structured usernames.
  • IP User Mapping Method: Detects if a user is submitting a valid corporate username and verifies that the username matches the login username and the source IP address of the session.
  • Domain Credential Filter Method: Detects if a user is submitting a valid username and password and verifies that the credentials belong to the logged-in user. This method requires configuring the Windows-based User-ID Agent.

Configuring Decryption Policy Rules

When creating decryption policy rules, consider the following:

  • Rule Specificity: Decryption policy rules are compared against traffic in sequence, so more specific rules must come before more general ones.
  • Traffic Decryption: You can define the traffic you want to decrypt based on factors such as URL categorization.
  • Certificate Management: For SSL forward proxy decryption, configure the trusted certificate that the firewall presents to the user when the server's certificate is signed by a CA the firewall trusts.
  • Application Exclusions: The firewall won't decrypt applications that technically break decryption, such as those using pinned certificates or client authentication. Refer to the list of excluded applications provided by the firewall vendor.
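The rule-ordering point above, as an added example that is not PAN-OS code: a small first-match evaluator over constructed decryption rules, plus a shadow check that reports any rule an earlier, broader rule prevents from ever firing. The rule fields, zone names and categories are assumptions chosen for the example, and unmatched traffic is treated here as not decrypted.

```python
ANY = "any"
FIELDS = ("src_zone", "dst_zone", "service", "url_category")


def _field_matches(rule_value, session_value):
    return rule_value == ANY or session_value in rule_value


def first_match(rules, session):
    """Rules are compared in sequence; the first rule whose every field matches decides."""
    for rule in rules:
        if all(_field_matches(rule[f], session[f]) for f in FIELDS):
            return rule["name"], rule["action"]
    return None, "no-decrypt"   # nothing matched: traffic is left encrypted


def _covers(wide, narrow):
    # 'wide' covers 'narrow' when it is 'any' or a superset of narrow's values.
    return wide == ANY or (narrow != ANY and set(narrow) <= set(wide))


def shadowed_rules(rules):
    """Return (shadowed_rule, shadowing_rule) pairs: the later rule can never be hit."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if all(_covers(earlier[f], later[f]) for f in FIELDS):
                found.append((later["name"], earlier["name"]))
                break
    return found


# Constructed rules: the specific exemption must sit above the general decrypt rule.
EXEMPT_SENSITIVE = {"name": "no-decrypt-sensitive", "action": "no-decrypt",
                    "src_zone": ["trust"], "dst_zone": ["untrust"], "service": ANY,
                    "url_category": ["financial-services", "health-and-medicine"]}
DECRYPT_OUTBOUND = {"name": "decrypt-outbound", "action": "decrypt",
                    "src_zone": ["trust"], "dst_zone": ["untrust"], "service": ANY,
                    "url_category": ANY}
GOOD_ORDER = [EXEMPT_SENSITIVE, DECRYPT_OUTBOUND]
BAD_ORDER = [DECRYPT_OUTBOUND, EXEMPT_SENSITIVE]   # general rule first: exemption is dead

# Constructed session: a user browsing to a banking site.
BANK_SESSION = {"src_zone": "trust", "dst_zone": "untrust",
                "service": "service-https", "url_category": "financial-services"}
```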

Implementing the Policy

After configuring the decryption policy rules, apply them to your security policy rules. This ensures that the decryption policies are enforced and monitored by the firewall.

By following these steps and considerations, organizations can effectively prevent credential phishing and protect their sensitive information and networks.

Frequently asked questions

Yes, PAN-OS needs to be configured to decrypt traffic to monitor for user credentials.

Decryption allows the firewall to enforce policies on encrypted traffic, protecting your network from threats and preventing sensitive content from leaving your network.

To set up decryption in PAN-OS, you need to create a decryption policy rule that defines the traffic to decrypt based on source, destination, service, and URL category. You can also configure SSL forward proxy, SSL inbound inspection, or SSH proxy decryption.

By using decryption in PAN-OS, you can detect and prevent phishing attacks by controlling the sites to which users can submit their corporate credentials. This allows you to block untrusted sites while allowing access to corporate and sanctioned sites.
