# 10 Things To Test In Your Future NGFW: Protect Evasive and Never-Before-Seen Attacks

By [Eila Shargh](https://www.paloaltonetworks.com/blog/author/eila-shargh/?ts=markdown "Posts by Eila Shargh"), Apr 13, 2018, 5 minutes

Categories: [Firewall](https://www.paloaltonetworks.com/blog/category/firewall/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown). Tags: [10 things to test](https://www.paloaltonetworks.com/blog/tag/10-things-to-test/?ts=markdown), [Next-gen Firewall](https://www.paloaltonetworks.com/blog/tag/next-gen-firewall/?ts=markdown), [NGFW](https://www.paloaltonetworks.com/blog/tag/ngfw/?ts=markdown)
*This post is part of a [blog series](https://www.paloaltonetworks.com/blog/tag/10-things-to-test/) where we dissect the ten things to test in your future next-generation firewall. These ten points will help ensure your next firewall matches the needs of your organization in its current and future states.*

With the availability and growth of the cybercrime underground, any attacker, novice or advanced, can purchase plug-and-play threats designed to identify and avoid malware analysis environments. The ability to identify and protect against evasive malware is more crucial now than ever.

## Why Should You Advocate and Test This Capability?

The SANS Institute has reported that use of malware programs capable of evading detection rose 2,000 percent between 2014 and 2015. Today, most modern malware leverages these advanced techniques, which can bypass traditional, common network security solutions to transport attacks or exploits through network security devices, firewalls and sandbox discovery tools. Although we can't build individual tools to detect every piece of evasive malware, it's critical to utilize systems that can identify evasive techniques and automatically counteract them.

## Move Beyond the Status Quo

**Fight Automation with Automation**

Attackers often make slight modifications to malicious code, resulting in malware variants and/or polymorphic malware. Threat signatures that rely on specific attributes, such as a hash, filename or URL, match one-to-one against known threats only. A modified variant is therefore treated as unknown, because protections exist only for the original sample, not for its variant. Rather than rely on signatures keyed to such attributes, NGFWs should use content-based signatures to detect variants, polymorphic malware and command-and-control activity. Content-based signatures match patterns in the content itself, so they identify known malware even after it has been modified.
The result is a signature capable of automatically preventing tens of thousands of variants created from the same malware family, rather than a separate signature for each variant.

Command-and-control threats pose a similar challenge: malware authors build C2 communications that automatically change the DNS name or URL. Automated signatures based on these artifacts quickly become outdated and ineffective. C2 signatures based instead on analysis of outbound C2 communication patterns are much more effective protections, and they can scale at machine speed when created automatically.

**Validate with More Than One Analysis Method**

More determined, skilled attackers will create entirely new threats with purely new code, the costliest method for attackers. Any such threat will be treated as unknown and go undetected. When an entirely unknown threat enters an organization, the clock begins ticking. Protections must be created and distributed across all security products more quickly than a threat can spread. This can be accomplished by automating various aspects of the analysis, including [static analysis with machine learning, dynamic analysis and bare metal analysis](https://www.paloaltonetworks.com/cyberpedia/why-you-need-static-analysis-dynamic-analysis-machine-learning). Implementing automation results in accurate identification of threats, enables rapid prevention, improves efficiency, makes better use of the talent of your specialized staff, and improves your organization's security posture.

**Create Knowledge Gaps for Attackers**

Purpose-built virtual analysis environments add challenges and costs for attackers as they work to avoid discovery. A custom-built environment requires evasion techniques different from those that work against commonly known analysis environments, making it more likely that you identify the threat.
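As an added example (not code from the original post or from Palo Alto Networks), the following Python script illustrates the two points made under "Fight Automation with Automation": a hash-based signature matches only the exact sample it was derived from, while a content-based byte pattern matches every member of a constructed malware family; and a C2 rule keyed to one hostname misses rotated infrastructure, while a rule on the request shape and beacon timing flags the behaviour. The malware "family", its byte layout, the hostnames and the proxy log lines are all constructed for the demonstration, and the rule syntax is a plain regular expression, not any vendor's signature format.

```python
"""Added illustration: attribute-keyed vs pattern-based signatures.

Everything here is constructed for the demonstration: the "malware family",
its byte layout, the hostnames and the proxy log lines. None of it describes
a real sample, and the rule syntax is a plain regular expression rather than
any vendor's signature format.
"""
import hashlib
import re
from collections import defaultdict
from datetime import datetime

# ---- Part 1: file signatures against a constructed family of variants ----

# A fixed loader stub followed by a per-variant config blob stands in for
# the small changes (repacking, new strings, new config) that create variants.
_STUB = b"MZ\x90\x00" + b"\x00" * 12 + b"BEACON_LOADER_v3"


def build_variant(seed: int) -> bytes:
    """Return one constructed variant of the family; seed drives the changes."""
    config = f"cfg={seed}".encode()
    return _STUB + b"|" + config + b"|" + b"\xde\xad\xbe\xef" + bytes([seed % 256])


# Hash-based signature: derived from the single sample the analyst first saw.
KNOWN_SHA256 = hashlib.sha256(build_variant(0)).hexdigest()


def hash_match(sample: bytes) -> bool:
    return hashlib.sha256(sample).hexdigest() == KNOWN_SHA256


# Content-based signature: a byte pattern with wildcards over the parts that
# vary between samples, so it keys on what the family has in common.
CONTENT_RULE = re.compile(rb"BEACON_LOADER_v\d\|cfg=\d+\|\xde\xad\xbe\xef")


def content_match(sample: bytes) -> bool:
    return CONTENT_RULE.search(sample) is not None


def compare_file_signatures(n_variants: int = 20) -> dict:
    """Count how many variants each signature type catches, plus a benign check."""
    variants = [build_variant(i) for i in range(n_variants)]
    return {
        "hash_hits": sum(hash_match(v) for v in variants),
        "content_hits": sum(content_match(v) for v in variants),
        "benign_false_positive": content_match(b"MZ\x90\x00 hello world"),
    }


# ---- Part 2: C2 detection on communication pattern, not a fixed host ----

# Constructed proxy log: "<ISO time> <client> <host> <path>". The client at
# 10.0.0.5 beacons every five minutes to a rotating subdomain; 10.0.0.7 browses.
PROXY_LOG = """\
2018-04-13T10:00:00 10.0.0.5 cdn-3f9a.example-bad.invalid /api/v1/check?id=a1b2c3d4e5f6
2018-04-13T10:05:00 10.0.0.5 cdn-7c21.example-bad.invalid /api/v1/check?id=0011223344ab
2018-04-13T10:10:00 10.0.0.5 cdn-00ef.example-bad.invalid /api/v1/check?id=deadbeef0001
2018-04-13T10:15:00 10.0.0.5 cdn-91ab.example-bad.invalid /api/v1/check?id=cafebabe0002
2018-04-13T10:03:17 10.0.0.7 www.example.org /index.html
2018-04-13T11:41:02 10.0.0.7 www.example.org /news/2018/04/13
"""

# Artifact-keyed signature: the one hostname seen during the first analysis.
HOST_BLOCKLIST = {"cdn-3f9a.example-bad.invalid"}

# Pattern-keyed signature: the shape of the request, independent of hostname.
C2_PATH_RULE = re.compile(r"^/api/v1/check\?id=[0-9a-f]{12}$")


def parse_proxy_log(text: str) -> list:
    rows = []
    for line in text.splitlines():
        ts, client, host, path = line.split()
        rows.append((datetime.fromisoformat(ts), client, host, path))
    return rows


def blocklist_hits(rows: list) -> int:
    return sum(1 for _, _, host, _ in rows if host in HOST_BLOCKLIST)


def c2_pattern_clients(rows: list, min_requests: int = 3, tolerance_s: float = 30) -> list:
    """Flag clients whose pattern-matching requests recur at a near-constant interval."""
    times_by_client = defaultdict(list)
    for ts, client, _, path in rows:
        if C2_PATH_RULE.match(path):
            times_by_client[client].append(ts)
    flagged = []
    for client, times in times_by_client.items():
        times.sort()
        if len(times) < min_requests:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= tolerance_s:  # steady beacon interval
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    print("file signatures:", compare_file_signatures())
    rows = parse_proxy_log(PROXY_LOG)
    print("blocklisted C2 requests seen:", blocklist_hits(rows), "of 4")
    print("clients flagged by C2 pattern:", c2_pattern_clients(rows))
```

Run it directly to print the comparison. The hash rule catches one of twenty variants and the host blocklist one of four beacons, while the content rule and the request-pattern rule catch all of them without flagging the benign sample or the browsing client. The interval tolerance and minimum request count are illustrative thresholds; a production rule would also weigh request size, user agent and deliberate jitter in the beacon interval.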
**Move Beyond Virtual Environments**

There are a number of ways to counter threats built to evade analysis environments, and a modern, effective security platform should combine multiple techniques. For example, combining dynamic analysis in a sandbox environment with bare metal analysis has proven effective in countering malware that assesses the environment to determine whether it is being analyzed. With bare metal analysis in place, a file that successfully evades virtual analysis can be steered to a real hardware environment for detonation and observation. Malicious activity that would have remained dormant in the virtual environment then executes fully in the bare metal environment.

**Prevent the Spread of an Attack, Share Threat Intelligence**

Threat intelligence sharing allows organizations to benefit not only from their own intelligence but from that of other organizations globally. Should an organization identify an entirely new threat and share that information, other organizations in the sharing network would be able to identify and treat this new threat as "known." This intelligence should come from multiple sources and be correlated and validated for the necessary context, and it should be paired with the creation and distribution of an actionable response, further contributing to rapid, automated prevention.

**Recommended RFP Questions**

* Does your cloud-based malware analysis system support multiple analysis techniques, including bare metal analysis for detecting evasive, sandbox-aware malware?
* Does your cloud-based malware analysis system use a custom-coded hypervisor to be effective against sandbox-aware malware?
* Does your malware analysis system, after analyzing malware, create threat prevention signatures, such as:
  * Content-based AV signatures to prevent known and unknown variants of malware
  * Pattern-based anti-spyware signatures to detect communications to known and unknown C2 infrastructure
* Does your cloud-based malware analysis system support malware analysis for file types of Windows, Android and macOS operating systems?

**[Learn more about the 10 things to test for in your future NGFW.](https://www.paloaltonetworks.com/products/secure-the-network/next-generation-firewall/test-your-firewall-overview.html)**