X-Labs
July 28, 2021

Forcepoint NGFW MITRE ATT&CK simulation

Jenny Heino, Principal Security Researcher

To illustrate Forcepoint’s NGFW advanced intrusion detection capabilities, I thought it might be helpful to simulate a kill chain attack to highlight layers of defense.

Intrusion Prevention with Forcepoint NGFW

In this scenario, an admin researching an issue finds a potential solution on a forum. The solution provides a download link to PuTTY. Unfortunately, the link points to a malicious server hosting a backdoored version of PuTTY.

The reverse TCP backdoor was added with the Metasploit framework's msfvenom tool using the shikata_ga_nai encoder, since its output is typically difficult to detect. The attacker runs a listener on their machine, waiting for the executable to open a reverse TCP connection back home.

I used the MITRE ATT&CK framework to divide the simulation into sections. The following defense mechanisms are displayed during each phase:

1. Initial Access

  • URL Filtering
  • Deep Packet Inspection
  • File Filtering (Sandbox)

2. Execution

  • ECA Whitelisting
  • Snort Integration

3. Exfiltration

  • DLP Integration


Here’s my kill chain video demo:


Of note: To create a seamless and smooth demo, I silenced multiple defense mechanisms during deep packet inspection. A partial list of items that were not displayed in the video includes:

  • IP Address lists
  • Packet validation (IP & TCP)
  • Correlation situations
  • File reputation
  • Anti malware
  • User based restrictions
  • TLS Decryption
  • Sidewinder proxy

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.

Jenny Heino

Principal Security Researcher

Jenny Heino is a Principal Security Researcher at Forcepoint, specializing in network security and based in Finland. Although she completed her master's studies in the field of Mathematical Logic, she quickly found her passion in vulnerability research and joined the research team for the...
