This article explains how the IPS security service protects your network from suspicious and malicious extensions for the Chrome browser.
Chrome extensions give users many features and capabilities. However, organizations then face the challenge of defending against attackers who exploit commonly trusted Chrome extensions through a variety of attack vectors. The Anti-Malware service can't distinguish between benign and malicious extensions, which leaves organizations vulnerable to these attacks. Cato's IPS service covers these network vulnerabilities with advanced techniques that identify potentially malicious extensions, offering unique and valuable protection for your organization.
Protections for Chrome extensions are included in the IPS license. For more about purchasing the IPS license, please contact your Cato representative.
The IPS service must be enabled and set to the Block action for Chrome extension protection to function.
Malicious Chrome extensions may abuse their permission level on the infected host to drop malware and compromise the host. This exposes the entire network to threats such as ransomware, data leaks, resource exhaustion, and so on. The IPS service leverages innovative techniques for maintaining, developing, and fine-tuning threat intelligence feeds to make it possible to identify suspicious activity associated with Chrome extensions.
Once the IPS service detects that a host connected to the Cato Cloud is using a suspicious Chrome extension, the service blocks the HTTP/S connection on that network flow. This stops the host from using the suspicious extension, and blocks connectivity to the extension to prevent it from getting updates, sending data, and so on.
Note: Suspicious and malicious extensions are only blocked according to the IPS Protection Scope settings. For example, if the WAN Traffic scope is set to Monitor or Allow, then that scope will not be protected from malicious Chrome extensions.
You can review Security events in Monitoring > Events and find the IPS block events related to Chrome extensions.
This is an example of an event for a blocked Chrome extension:
These are the IPS event fields for a suspicious Chrome extension event:
Event Type - Security
Event Sub-Type - IPS
MITRE ATT&CK® Techniques - Command and Scripting Interpreter (T1059)
Threat Type - PuP
Threat Name - Low credibility Chrome extension
These are examples of Signature ID for a Chrome extension event:
For more information about event logs, see Analyzing Events in Your Network.
After Cato blocks a Chrome extension, we recommend that the IT manager inspect all Chrome extensions in use and remove any that are unfamiliar. Further, because malicious Chrome extensions can infect legitimate extensions to exploit their permissions, the best practice is to remove all existing browser extensions and reset Chrome to default settings.
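The following script is an added example, not Cato's code, showing how an IT manager could triage exported IPS events for the field combination listed above and produce the per-host list of machines whose extensions need the review recommended here. The event records are constructed: only the field names Event Type, Event Sub-Type, MITRE ATT&CK Techniques, Threat Type and Threat Name come from this article; the JSON key spellings, the action, src_host and user keys, the host names, user names and signature ID values are assumptions made for the example and do not reflect Cato's export format.

```python
"""Triage constructed Cato IPS events for suspicious Chrome extensions.

Added example, not Cato's code. Field names listed in the article are used;
the JSON key spellings, "action", "src_host", "user", host names and
signature IDs are assumptions for this example only.
"""
import json
from collections import defaultdict

EXTENSION_THREAT_NAME = "Low credibility Chrome extension"

# Constructed sample log: one JSON object per line. All values are placeholders.
SAMPLE_LOG = """\
{"event_type": "Security", "event_sub_type": "IPS", "action": "Block", "threat_type": "PuP", "threat_name": "Low credibility Chrome extension", "mitre_techniques": ["Command and Scripting Interpreter (T1059)"], "signature_id": "SIG-PLACEHOLDER-1", "src_host": "LAPTOP-01", "user": "alice"}
{"event_type": "Security", "event_sub_type": "IPS", "action": "Block", "threat_type": "PuP", "threat_name": "Low credibility Chrome extension", "mitre_techniques": ["Command and Scripting Interpreter (T1059)"], "signature_id": "SIG-PLACEHOLDER-1", "src_host": "LAPTOP-01", "user": "alice"}
{"event_type": "Security", "event_sub_type": "IPS", "action": "Monitor", "threat_type": "PuP", "threat_name": "Low credibility Chrome extension", "mitre_techniques": ["Command and Scripting Interpreter (T1059)"], "signature_id": "SIG-PLACEHOLDER-2", "src_host": "LAPTOP-07", "user": "bob"}
{"event_type": "Security", "event_sub_type": "IPS", "action": "Block", "threat_type": "Malware", "threat_name": "Unrelated signature", "mitre_techniques": [], "signature_id": "SIG-PLACEHOLDER-9", "src_host": "LAPTOP-03", "user": "carol"}
{"event_type": "Connectivity", "event_sub_type": "Socket", "src_host": "LAPTOP-01"}
not json at all
"""


def parse_event_lines(text):
    """Parse JSON-lines input, skipping blank or malformed lines instead of failing."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def is_chrome_extension_event(ev):
    """Match the Event Type / Event Sub-Type / Threat Name combination the article lists."""
    return (
        ev.get("event_type") == "Security"
        and ev.get("event_sub_type") == "IPS"
        and ev.get("threat_name") == EXTENSION_THREAT_NAME
    )


def triage(events):
    """Summarise extension events per host: block/monitor counts, users and signature IDs."""
    summary = defaultdict(
        lambda: {"blocked": 0, "monitored": 0, "users": set(), "signatures": set()}
    )
    for ev in events:
        if not is_chrome_extension_event(ev):
            continue
        entry = summary[ev.get("src_host", "unknown")]
        if ev.get("action") == "Block":
            entry["blocked"] += 1
        else:
            entry["monitored"] += 1
        entry["users"].add(ev.get("user", "unknown"))
        entry["signatures"].add(ev.get("signature_id", "unknown"))
    return dict(summary)


def hosts_to_clean(summary):
    """Every host with an extension event: review and remove its unfamiliar extensions."""
    return sorted(summary)


def hosts_not_blocked(summary):
    """Hosts whose extension events were only monitored, never blocked. This is the
    symptom of an IPS Protection Scope set to Monitor or Allow rather than Block."""
    return sorted(h for h, e in summary.items() if e["blocked"] == 0 and e["monitored"] > 0)


if __name__ == "__main__":
    summary = triage(parse_event_lines(SAMPLE_LOG))
    for host in hosts_to_clean(summary):
        e = summary[host]
        print(f"{host}: blocked={e['blocked']} monitored={e['monitored']} "
              f"users={sorted(e['users'])} signatures={sorted(e['signatures'])}")
    print("monitor-only hosts (check IPS Protection Scope):", hosts_not_blocked(summary))
```

The monitor-only list is the practical check for the note above about Protection Scope: a host that keeps generating extension events with no block means the traffic scope it falls under is not set to Block, so the extension is still reaching the network.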