Network Security

Palo Alto Networks Discusses Strategy for Fighting Zero-Day Malware

LAS VEGAS – Visibility was a commonly heard word at Palo Alto Networks‘ Ignite conference this week in Las Vegas as customers described the requirements of their network and what they need to enable users to deploy the applications they want without compromising security.

Enter WildFire, Palo Alto Networks’ answer to the challenge of advanced malware targeting enterprises. WildFire leverages the visibility of the vendor’s firewalls to stop suspicious files at the gateway and push them into the cloud for analysis. Once there, the malware would be allowed to execute in a sandbox free from any impact on a customer’s network.

This week, the company decided to move from using the service as a defensive mechanism to a proactive one through a new paid subscription service that pushes out malware signatures to the company’s customers within an hour – something the company says will make a difference in the fight against zero-day malware.

“By definition if you are looking for something that is an unknown, you don’t know if it’s good or bad, you don’t know where to look for it yet,” said Wade Williamson, senior security analyst at Palo Alto Networks. “You’re going to have to look at all traffic so that you see the thing in the first place.”

Executables that are not recognized are – according to the policies set by the user – sent to the cloud to be analyzed in WildFire’s virtualized sandbox while the firewall continues to enforce security.

“What goes up here (to the cloud) is decided completely by the user, by the customer, by the admin,” explained Chris King, director of product marketing at Palo Alto. “They could have a policy that says, ‘send no files’ – which is the default. Then they could have a policy that says, ‘ok if it’s a collaboration application…if it’s email, if it’s webmail, if it’s a file transfer application…send any content you’ve never seen before to WildFire’.”

By focusing on how malware communicates with its command and control (C&C) infrastructure, the company is trying to respond to moves by malware authors to dodge security researchers by using new URLs to disguise the C&C. As part of its strategy, Palo Alto passively analyzes DNS queries to block communication from infected systems. This, in turn, helps the vendor develop what officials called “true signatures” for the malware.

“The thing that the malware developers don’t change a lot is how those things communicate,” King said. “Because if you look at it, I can change URLs and files easily – I can actually do some polymorphism here to change the executable on a regular basis…like changing the order in which they call Windows services. It’s the same executables, but they are changing in which they call services so it looks different.”


“When you get down to the way the malware behaves on the network – it does this kind of DNS, they use the such and such peer-to-peer network, it does these kinds of command and control actions, that’s where you start to get to really small numbers (of signatures).”

By observing the DNS behavior of the malware and the URLs it uses, the vendor can use that information to augment network defenses beyond creating a signature for the malware itself, for example by feeding the observed domains into URL filtering.
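The argument above (per-file hashes multiply with every polymorphic variant, while the shared C&C behavior yields one signature that also drives DNS blocking and URL filtering) as an added illustration; this is not Palo Alto Networks code, and the sandbox reports, domains and DNS log lines are constructed for the example.

```python
import hashlib

# Constructed sandbox reports: three executables with different bytes (so different
# hashes) that all resolve the same command-and-control domains. Made-up values.
SANDBOX_REPORTS = [
    {"bytes": b"variant-A-payload-00", "dns": ["upd.example-c2.test", "cdn.example-c2.test"]},
    {"bytes": b"variant-B-payload-17", "dns": ["upd.example-c2.test", "cdn.example-c2.test"]},
    {"bytes": b"variant-C-payload-42", "dns": ["upd.example-c2.test", "cdn.example-c2.test"]},
]

def file_hashes(reports):
    """Hash-based signatures: one per variant, so repacking the binary defeats them."""
    return {hashlib.sha256(r["bytes"]).hexdigest() for r in reports}

def behaviour_signature(reports):
    """One network-behaviour signature: the C2 domains every variant has in common."""
    if not reports:
        return frozenset()
    common = set(reports[0]["dns"])
    for r in reports[1:]:
        common &= set(r["dns"])
    return frozenset(common)

def matches_by_hash(report, hash_signatures):
    return hashlib.sha256(report["bytes"]).hexdigest() in hash_signatures

def matches_by_behaviour(report, signature):
    """A previously unseen variant still matches if it talks to the same C2 domains."""
    return bool(signature) and signature <= set(report["dns"])

# Constructed passive-DNS log, "client_ip queried_name", as a gateway might record it.
DNS_LOG = """\
10.0.0.5 www.example.org
10.0.0.7 upd.example-c2.test
10.0.0.9 mail.example.org
10.0.0.7 cdn.example-c2.test
10.0.0.12 upd.example-c2.test
"""

def infected_hosts(log, signature):
    """Hosts whose DNS queries hit a C2 domain from the behaviour signature."""
    hits = set()
    for line in log.splitlines():
        ip, qname = line.split()
        if qname in signature:
            hits.add(ip)
    return sorted(hits)

def url_filter_entries(signature):
    """Feed the observed C2 domains back into URL filtering as block entries."""
    return sorted(f"block {d}" for d in signature)
```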

The technology is in no way meant to replace antivirus, Williamson said, noting that there is always going to be value in having antivirus on the device.

“The thing that I think that is important, if you think about kind of where security has been done in the past…IPS has always been doing security in the network and AV guys have been on the endpoint,” Williamson said. “In the past 5 to 10 years…malware has become a very networked application. It uses the network for command and control, it communicates back and forth. If it couldn’t use the network it wouldn’t be as powerful as it is.”

“So what we’re at least coming back and saying is that malware is absolutely a part of this network-based attack. So what we can do, we’d better [do] if we’re going to be in the job of controlling a network-based attack, we at least need to be cognizant of malware at the network level,” he said.

Disclosure: Travel and accommodations for SecurityWeek to attend the Ignite Conference were provided by Palo Alto Networks, under the condition that no coverage was guaranteed, nor would positive coverage be guaranteed.
