2022 SecureIQLab: Command and Control Comparative Report

The Palo Alto Networks Unit 42 threat research team has observed more than a 73% increase in the use of Red Team tools such as Cobalt Strike by threat actors¹. These tools are purpose-built to obfuscate network payloads and emulate real-world traffic to avoid detection. It is imperative that organizations today employ security solutions to protect against these kinds of sophisticated threats.

In an effort to understand the breadth of coverage for attacks conducted by red team tools, SecureIQLab was commissioned to test the ability of next-generation firewalls to block the command-and-control capabilities of the Cobalt Strike attack suite. In this report, the Palo Alto Networks Advanced Threat Prevention subscription was compared to CheckPoint, Cisco and Fortinet solutions.

About the Report

• SecureIQLab tested the ability of next-generation firewalls to block the command-and-control capabilities of the Cobalt Strike attack suite, which is popular among adversaries
• Four physical and two virtual firewalls were tested: Check Point SG5100, Cisco Secure Firewall 4110, Fortinet FG-301E, Fortinet FG-VM04V, Palo Alto Networks PA-460, and Palo Alto Networks PA-VM-Flex
• The test measured the block rate of each firewall in six attack scenarios: Basic attack, random attack, custom attack, nonstandard ports-based attack, HTTPS attack, hostname change attack
• All scenarios except for the basic attack scenario leveraged "malleable C2 profiles" which are highly customized attack profiles. This technique allows adversaries to modify Cobalt Strike to evade signature-based detections

* https://paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/unit42-network-threat-research-report-vol1.pdf