URL Filtering and Credential Theft Prevention

Overview

Palo Alto Networks' URL Filtering feature not only controls access to web content based on categories but also plays a crucial role in preventing credential theft. By integrating Credential Phishing Prevention with URL Filtering, organizations can detect and block attempts to submit corporate credentials to malicious or untrusted websites.

Credential Phishing Prevention Mechanism

Credential phishing prevention works by scanning username and password submissions to websites and comparing those submissions against valid corporate credentials. You can choose what websites you want to either allow or block corporate credential submissions to based on the URL category of the website. When a user attempts to submit credentials to a site in a category you have restricted, either a block response page prevents the user from submitting credentials or a continue page warns users against submitting credentials to sites in certain URL categories, but still allows them to continue with the submission.

Reference: Credential Phishing Prevention - Palo Alto Networks

How URL Filtering Aids in Credential Theft Prevention

Credential Phishing Prevention works by monitoring credential submissions to websites and comparing them against known corporate credentials. URL Filtering profiles can be configured to specify actions (allow, alert, block, continue) for credential submissions based on URL categories. This allows administrators to:

This integration ensures that even if users access a phishing site, the firewall can prevent them from inadvertently compromising corporate credentials.

Credential Detection Methods

Palo Alto Networks offers several methods to detect credential submissions (each is diagrammed in the sequence diagrams further down):

  • Group Mapping
  • IP-User Mapping
  • Domain Credential Filter

The methods differ in detection accuracy and in the administrative overhead they impose.

Understanding Bloom Filters in Credential Phishing Prevention

Palo Alto Networks utilizes Bloom Filters within the Domain Credential Filter method to securely detect the submission of corporate credentials on web pages. A Bloom Filter is a compact, probabilistic data structure that allows the firewall to check if a username and password pair matches known corporate credentials without storing or exposing the actual credentials.

This method requires the deployment of the Windows User-ID agent along with the User-ID Credential Service add-on on a Read-Only Domain Controller (RODC). The Credential Service scans the directory for usernames and password hashes of group members specified in the RODC's Password Replication Policy (PRP). It then constructs a Bloom Filter from this data and forwards it to the User-ID agent. The firewall retrieves the latest Bloom Filter from the User-ID agent at regular intervals to detect credential submissions.

Sequence Diagrams Illustrating Bloom Filter Workflow

1. Bloom Filter Generation and Distribution

sequenceDiagram
    participant RODC
    participant CredentialService
    participant UserIDAgent
    participant Firewall

    RODC->>CredentialService: Provide user credentials (usernames and password hashes)
    CredentialService->>CredentialService: Generate Bloom Filter
    CredentialService->>UserIDAgent: Send Bloom Filter
    Firewall->>UserIDAgent: Request Bloom Filter
    UserIDAgent->>Firewall: Provide Bloom Filter
    

2. Credential Submission Detection

sequenceDiagram
    participant User
    participant Website
    participant Firewall
    participant BloomFilter
    participant IPUserMapping

    User->>Website: Submit username and password
    Website->>Firewall: Forward credentials
    Firewall->>BloomFilter: Check credentials against Bloom Filter
    BloomFilter-->>Firewall: Match/No Match
    Firewall->>IPUserMapping: Verify username-IP association
    IPUserMapping-->>Firewall: Confirm association
    Firewall->>User: Allow/Block/Alert based on policy
    

Configuration Steps

To set up Credential Phishing Prevention:

  1. Ensure SSL decryption is enabled for the traffic you want to monitor.
  2. Configure the desired credential detection method.
  3. Create or modify a URL Filtering profile:
    • Navigate to Objects > Security Profiles > URL Filtering.
    • Select or create a profile and configure the User Credential Detection settings.
    • Specify actions (allow, alert, block, continue) for credential submissions based on URL categories.
  4. Apply the URL Filtering profile to the appropriate security policy rules.

For detailed guidance, refer to the official documentation: Set Up Credential Phishing Prevention.

Best Practices

Credential Detection Methods – Sequence Diagrams

1. Group Mapping

sequenceDiagram
    participant User
    participant Website
    participant Firewall
    participant GroupMappingTable

    User->>Website: Submit Username
    Website->>Firewall: Forward Submission
    Firewall->>GroupMappingTable: Check Username
    GroupMappingTable-->>Firewall: Return Match/No Match
    Firewall->>User: Allow/Block/Alert based on result
    

2. IP-User Mapping

sequenceDiagram
    participant User
    participant Website
    participant Firewall
    participant IPUserMappingTable

    User->>Website: Submit Username
    Website->>Firewall: Forward Submission
    Firewall->>IPUserMappingTable: Verify Username-IP Association
    IPUserMappingTable-->>Firewall: Return Match/No Match
    Firewall->>User: Allow/Block/Alert based on result
    

3. Domain Credential Filter

sequenceDiagram
    participant User
    participant Website
    participant Firewall
    participant UserIDAgent
    participant BloomFilter
    participant IPUserMappingTable

    User->>Website: Submit Username & Password
    Website->>Firewall: Forward Submission
    Firewall->>UserIDAgent: Retrieve Bloom Filter
    UserIDAgent-->>Firewall: Provide Bloom Filter
    Firewall->>BloomFilter: Check Credentials
    BloomFilter-->>Firewall: Return Match/No Match
    Firewall->>IPUserMappingTable: Verify Username-IP Association
    IPUserMappingTable-->>Firewall: Return Match/No Match
    Firewall->>User: Allow/Block/Alert based on result
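
As an added illustration (not Palo Alto Networks' code and not taken from this page), the following Python models both the Bloom Filter construction described under "Understanding Bloom Filters" and the Domain Credential Filter decision in diagram 3: the filter is built from a constructed credential list, only its bit array is shared onward, and a submission triggers the URL category action only when the filter matches and the User-ID IP-to-user mapping agrees. The credential_key canonicalisation, the filter parameters (4096 bits, 4 hashes) and all sample credentials and mappings are assumptions made for the example.

```python
import hashlib
import math

class BloomFilter:
    """Minimal Bloom filter: k bit positions per item, derived from SHA-256."""
    def __init__(self, m_bits: int, k: int):
        self.m, self.k = m_bits, k
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, item: str):
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, item: str) -> bool:
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(item))

def false_positive_rate(m_bits: int, k: int, n_items: int) -> float:
    """Expected false-positive probability (1 - e^(-kn/m))^k; no false negatives."""
    return (1 - math.exp(-k * n_items / m_bits)) ** k

def credential_key(user: str, password: str) -> str:
    # Assumed canonicalisation: the real Credential Service works from directory
    # password hashes, and its exact input format is not described on this page.
    return hashlib.sha256(f"{user.lower()}|{password}".encode()).hexdigest()

def build_credential_filter(creds, m_bits: int = 4096, k: int = 4) -> BloomFilter:
    bf = BloomFilter(m_bits, k)
    for user, password in creds:
        bf.add(credential_key(user, password))
    return bf  # only the bit array leaves the RODC, never usernames or hashes

def evaluate_submission(bf, ip_user_map, src_ip, user, password, category_action):
    """Domain Credential Filter decision: corporate credential AND submitting IP
    mapped to that user -> apply the URL category action; otherwise allow."""
    if credential_key(user, password) not in bf:
        return "allow"            # not a corporate credential
    if ip_user_map.get(src_ip) != user.lower():
        return "allow"            # User-ID says this IP is not that user
    return category_action        # e.g. "block", "alert", "continue"

# Constructed sample data, not real credentials or mappings.
CORP_CREDS = [("alice", "Spring2024!"), ("bob", "hunter2")]
IP_USER_MAP = {"10.0.0.5": "alice", "10.0.0.9": "bob"}
CORP_FILTER = build_credential_filter(CORP_CREDS)
```

false_positive_rate shows the trade-off a Bloom Filter makes: it can occasionally match a credential that is not corporate, but it never misses one that is, which is why the firewall's User-ID cross-check is a useful second gate before a block or alert.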
    

Additional Resources