04/24/2024 | Press release | Distributed by Public on 04/24/2024 08:07
The goal of this blog is to offer Gigamon customers guidance on how they can leverage the observability Gigamon Application Metadata Intelligence (AMI) provides to enhance best practices in their organizations. We will cover recent challenges, tactical elements for CVE-2024-3400, and best practices for AMI metadata that go beyond any specific incident.
On Friday, April 12, 2024, Palo Alto Networks published an advisory for CVE-2024-3400, a CVSS v3 severity 10.0 zero-day vulnerability in PAN-OS, the operating system for Palo Alto Networks (PANW) firewalls. The affected releases are PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 on firewalls configured with a GlobalProtect gateway or portal, and exploitation in the wild had been under way for at least two weeks before the advisory appeared. This incident is one more example of attacks on firewalls, email appliances, managed file transfer servers, and other IT infrastructure that were not traditional targets for adversarial attention. It is part of a broader trend: threat actors are focusing less on servers and endpoints, both of which have received much security attention in recent years, and more on appliances, infrastructure, and services, where defensive tooling and logging are thinner and detection is easier to evade.
The vulnerability, tracked as CVE-2024-3400, is a command injection in the GlobalProtect feature of Palo Alto next-generation firewalls (NGFW) that lets an unauthenticated attacker execute arbitrary code with root privileges on the device. That is enough to install backdoors and other malicious software on the firewall itself and to use the firewall as a foothold for lateral movement into the organization, bypassing the very control that is meant to stop such movement. Because the compromised appliance is also the device that would normally log the activity, its own logs cannot be relied on to reveal the intrusion, which makes network telemetry collected outside the device crucial for identifying breaches. At the time of writing, only one threat actor group, tracked as UTA0218, has been publicly documented exploiting this vulnerability. Now that the vulnerability's existence and general nature are public, however, other actors are likely to develop exploits of their own.
Gigamon Application Metadata Intelligence (AMI) feeds observability, security information and event management (SIEM), and network performance monitoring tools with critical metadata attributes across thousands of business, consumer, and IT applications and services. This helps rapidly pinpoint performance bottlenecks, quality issues, and potential network security risks. AMI expands on the application-layer visibility derived from Gigamon Application Visualization and Filtering and supports a comprehensive approach to understanding application behavior. Whether organizations deploy their workloads on-prem or in the cloud, they can acquire critical details about flows, reduce false positives by separating signal from noise, identify data exfiltration, and accelerate threat detection through proactive, real-time traffic monitoring and troubleshooting forensics. AMI uses deep packet inspection to produce summarized, context-aware information about raw network packets across Layers 2 through 7, enabling tools to measure performance, troubleshoot issues, spot security events, and improve their effectiveness.
Using AMI, you can detect traffic targeting a network device, such as a firewall, as well as outbound traffic originating from it. In this use case, look for traffic targeting, or originating from, the NGFW, including:
Figure 1. Gigamon reporting on Wget in Elastic.
Things to look for inside the network:
Figure 2. Enabling SMB visibility in AMI.
Figure 3. Enabling Remote Desktop in AMI.
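As an added illustration (this is not Gigamon code, and the record layout is not the AMI export format, whose field names depend on whether metadata is exported as IPFIX, JSON, or CEF), the following Python runs the two kinds of check implied by Figures 1 through 3 over constructed flow metadata records: the firewall itself acting as an HTTP client with a Wget user agent, and the firewall originating SMB or RDP sessions toward internal hosts. The firewall address, the allowlist of destinations the firewall is expected to contact on its own (update servers and the like), and the sample flows are all assumptions made for the example.

```python
"""Flag firewall-originated traffic in flow metadata.

Added example, not Gigamon code. FlowRecord is a constructed stand-in for
one metadata record as a SIEM would receive it; map real field names to it.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Hypothetical addresses for the example (IETF documentation ranges).
FIREWALL_IPS = {"198.51.100.1"}
# Hypothetical allowlist of destinations the firewall legitimately contacts
# itself (update/telemetry servers). Build it from a pre-incident baseline.
EXPECTED_FW_DESTINATIONS = {"203.0.113.50"}
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]
LATERAL_APPS = {"smb", "rdp"}  # the protocols enabled in Figures 2 and 3


@dataclass(frozen=True)
class FlowRecord:
    src_ip: str
    dst_ip: str
    dst_port: int
    app: str              # application label, e.g. "http", "smb", "rdp"
    user_agent: str = ""  # HTTP only; empty for other applications


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(rec: FlowRecord) -> List[str]:
    """Return zero or more alert tags for a single flow record.

    Only flows the firewall itself originates are of interest here: a
    firewall is a client only to a small, known set of destinations.
    """
    tags: List[str] = []
    if rec.src_ip not in FIREWALL_IPS:
        return tags
    # Figure 1: the appliance downloading something with wget.
    if rec.app == "http" and rec.user_agent.lower().startswith("wget"):
        tags.append("fw-outbound-wget")
    # Any outbound connection to a destination not in the baseline allowlist.
    if not is_internal(rec.dst_ip) and rec.dst_ip not in EXPECTED_FW_DESTINATIONS:
        tags.append("fw-unexpected-outbound")
    # Figures 2 and 3: the appliance opening SMB or RDP toward internal hosts.
    if is_internal(rec.dst_ip) and rec.app in LATERAL_APPS:
        tags.append(f"fw-lateral-{rec.app}")
    return tags


def detect(records: Iterable[FlowRecord]) -> Dict[str, List[FlowRecord]]:
    """Group matching records by alert tag."""
    hits: Dict[str, List[FlowRecord]] = {}
    for rec in records:
        for tag in classify(rec):
            hits.setdefault(tag, []).append(rec)
    return hits


# Constructed sample flows; none of these were taken from the original post.
SAMPLE_FLOWS = [
    # Firewall fetching a file with wget from an outside host
    FlowRecord("198.51.100.1", "203.0.113.7", 80, "http", "Wget/1.21.3"),
    # Firewall reaching its allowlisted update server: expected, no alert
    FlowRecord("198.51.100.1", "203.0.113.50", 443, "https"),
    # Firewall opening SMB and RDP sessions to internal hosts
    FlowRecord("198.51.100.1", "10.0.0.25", 445, "smb"),
    FlowRecord("198.51.100.1", "10.0.0.40", 3389, "rdp"),
    # Workstation-to-file-server SMB: not firewall-originated, no alert
    FlowRecord("10.0.0.5", "10.0.0.25", 445, "smb"),
    # Remote user reaching the GlobalProtect portal: inbound, expected
    FlowRecord("192.0.2.10", "198.51.100.1", 443, "https"),
]

if __name__ == "__main__":
    for tag, recs in sorted(detect(SAMPLE_FLOWS).items()):
        for r in recs:
            print(f"{tag:24} {r.src_ip} -> {r.dst_ip}:{r.dst_port} ({r.app})")
```

In practice the same three conditions would be expressed as saved searches or correlation rules in the SIEM that receives the AMI metadata rather than as a script, and the allowlist of expected firewall destinations has to be established from known-good traffic before an incident, since a baseline built afterwards may already include attacker infrastructure.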
These are some best practices we recommend with AMI, whether pre- or post-breach, for this vulnerability and other attacks, such as ransomware and data exfiltration.
Deep observability can greatly aid detection, forensics, and remediation for problems ranging from performance degradation and outages to compromise. Any enterprise benefits from detecting traffic to and from its network appliances, and from the visibility into subsequent lateral movement that comes from adding decryption plus application and protocol metadata to network logging. Because this visibility is collected outside the compromised system, it is extremely challenging for an attacker to evade: it sits outside the blast radius of the compromise, so behavior is observed, recorded, and logged off the device regardless of the device's state. Appliances under congestion or compromise may log inaccurately or incompletely, and routers and firewalls are often the only source of logs for the traffic they carry, so once they are subverted there is no independent record. External observation and metadata-enriched logging help meet many security and Zero Trust requirements.
To learn more about AMI, visit the webpage, read the data sheet or tech brief, or request a demo.
If you are a current Gigamon customer and need help with optimal tap placement for firewalls or turning on the correct detections, you can contact support or submit a ticket in the Gigamon VÜE Community.