X-Labs
July 28, 2021

Forcepoint NGFW MITRE ATT&CK simulation

To illustrate the advanced intrusion detection capabilities of Forcepoint NGFW, I thought it would be helpful to simulate a kill chain attack and highlight the layers of defense it exercises.

Intrusion Prevention with Forcepoint NGFW

In this scenario, an admin researching an issue finds a potential solution on a forum. The solution includes a download link for PuTTY. Unfortunately, the link points to a malicious server hosting a backdoored version of PuTTY.

The reverse TCP backdoor was added with Metasploit's msfvenom using the shikata_ga_nai encoder, which is typically difficult to detect. The attacker has a listener on their machine waiting for the executable to open a reverse TCP connection back home.

I used the MITRE ATT&CK framework to divide the simulation into sections. The following defense mechanisms are shown during each phase:

1. Initial Access

  • URL Filtering
  • Deep Packet Inspection
  • File Filtering (Sandbox)

2. Execution

  • ECA Whitelisting
  • Snort Integration

3. Exfiltration

  • DLP Integration
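The "correlation" idea behind this scenario is that no single event is conclusive: an executable fetched from an untrusted host is suspicious, and an outbound connection from the same workstation to an unusual port shortly afterwards is suspicious, but the two together look like a download-then-callback kill chain. The script below is an added example, not Forcepoint NGFW code or output; the log format, the addresses, the trusted-host allowlist, the internal network range and the ten-minute window are all constructed for illustration.

```python
"""Correlate an executable download from an untrusted host with a follow-on
outbound connection from the same workstation to an unexpected port.

Constructed example; the log format and all values below are made up and are
not Forcepoint NGFW log output."""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed log lines: a workstation fetches putty.exe from a forum-linked
# host, then 54 seconds later opens TCP/4444 back to that same host.
SAMPLE_LOG = """\
2021-07-28T10:02:11 src=10.0.0.25 dst=203.0.113.10 dport=80 app=HTTP url=http://files.example-forum.test/putty.exe file=putty.exe
2021-07-28T10:02:40 src=10.0.0.25 dst=198.51.100.4 dport=443 app=TLS url=https://updates.vendor.test/ file=-
2021-07-28T10:03:05 src=10.0.0.25 dst=203.0.113.10 dport=4444 app=TCP url=- file=-
2021-07-28T10:05:00 src=10.0.0.31 dst=203.0.113.77 dport=443 app=TLS url=https://www.vendor.test/ file=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"app=(?P<app>\S+) url=(?P<url>\S+) file=(?P<file>\S+)$"
)
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".dll", ".scr")
TRUSTED_DOWNLOAD_HOSTS = {"updates.vendor.test", "www.vendor.test"}  # assumed allowlist
EXPECTED_OUTBOUND_PORTS = {80, 443}        # assumed normal workstation egress
INTERNAL_NET = ip_network("10.0.0.0/8")    # assumed internal address space
WINDOW = timedelta(minutes=10)             # assumed correlation window


def parse_log(text):
    """Turn the constructed key=value lines into event dicts with typed fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected shape
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def url_host(url):
    m = re.match(r"^[a-z]+://([^/]+)", url)
    return m.group(1).lower() if m else None


def executable_downloads(events):
    """Downloads of executable file types from hosts outside the allowlist."""
    return [
        e for e in events
        if e["file"].lower().endswith(EXECUTABLE_SUFFIXES)
        and url_host(e["url"]) not in TRUSTED_DOWNLOAD_HOSTS
    ]


def correlate_reverse_connections(events):
    """For each suspicious download, look for a later outbound connection from
    the same internal host to an external address on a non-standard port."""
    alerts = []
    for dl in executable_downloads(events):
        for e in events:
            if e is dl or e["src"] != dl["src"]:
                continue
            if not dl["ts"] <= e["ts"] <= dl["ts"] + WINDOW:
                continue
            if ip_address(e["dst"]) in INTERNAL_NET:
                continue
            if e["dport"] in EXPECTED_OUTBOUND_PORTS:
                continue
            alerts.append({
                "src": e["src"],
                "download_url": dl["url"],
                "connect_dst": e["dst"],
                "dport": e["dport"],
                "seconds_after": int((e["ts"] - dl["ts"]).total_seconds()),
                # Callback to the very server that served the file is stronger evidence.
                "same_server": e["dst"] == dl["dst"],
            })
    return alerts


if __name__ == "__main__":
    for a in correlate_reverse_connections(parse_log(SAMPLE_LOG)):
        print(a)
```

The second line from the same workstation (TCP/443 to a trusted vendor host) is not flagged because both the port and the destination are expected; only the TCP/4444 connection back to the server that served the executable produces an alert, and `same_server` marks it as the higher-confidence case.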


Here’s my kill chain video demo:


Of note: To create a seamless demo, I silenced several defense mechanisms during deep packet inspection. A partial list of items that are not displayed in the video includes:

  • IP address lists
  • Packet validation (IP & TCP)
  • Correlation situations
  • File reputation
  • Anti-malware
  • User-based restrictions
  • TLS decryption
  • Sidewinder proxy

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.