Forcepoint NGFW MITRE ATT&CK simulation
To illustrate Forcepoint’s NGFW advanced intrusion detection capabilities, I thought it might be helpful to simulate a kill chain attack to highlight layers of defense.
Intrusion Prevention with Forcepoint NGFW
In this scenario, an admin researches an issue, finds a potential solution on a forum. The solution provides a download link to PuTTY. Unfortunately, this file points to a malicious server and to a backdoored version of PuTTY.
The reverse TCP backdoor was added with msfvenom Metasploit framework using the shikata_ga_nai encoder, since it is typically difficult to detect. The attacker has a listener on his machine waiting for the executable to open a reverse TCP connection back home.
I used the MITRE ATT&CK framework to divide the simulation into sections. The following defense mechanisms are displayed during each phase:
1. Initial Access
- URL Filtering
- Deep Packet Inspection
- File Filtering (Sandbox)
2. Execution
- ECA Whitelisting
- Snort Integration
3. Exfiltration
- DLP Integration
Here’s my kill chain video demo:
Of note: To create seamless and smooth demo, I silenced multiple defense mechanisms during deep packet inspection. A partial list of items that were not displayed in the video include:
- IP Address lists
- Packet validation (IP & TCP)
- Correlation situations
- File reputation
- Anti malware
- User based restrictions
- LS Decryption
- Sidewinder proxy