X-Labs
July 28, 2021

Forcepoint NGFW MITRE ATT&CK simulation

To illustrate the advanced intrusion detection capabilities of Forcepoint NGFW, I thought it would be helpful to simulate a kill chain attack and highlight the layers of defense that respond at each stage.

Intrusion Prevention with Forcepoint NGFW

In this scenario, an admin researches an issue and finds a potential solution on a forum. The solution provides a download link to PuTTY. Unfortunately, that link points to a malicious server hosting a backdoored version of PuTTY.

The reverse TCP backdoor was added with msfvenom from the Metasploit framework, using the shikata_ga_nai encoder since its output is typically difficult to detect. The attacker has a listener running on his machine, waiting for the executable to open a reverse TCP connection back home.

I used the MITRE ATT&CK framework to divide the simulation into sections. The following defense mechanisms are displayed during each phase:

1. Initial Access

  • URL Filtering
  • Deep Packet Inspection
  • File Filtering (Sandbox)

2. Execution

  • ECA Whitelisting
  • Snort Integration

3. Exfiltration

  • DLP Integration


Here’s my kill chain video demo:


Of note: To create a seamless and smooth demo, I silenced multiple defense mechanisms during deep packet inspection. A partial list of items that were not displayed in the video includes:

  • IP Address lists
  • Packet validation (IP & TCP)
  • Correlation situations
  • File reputation
  • Anti malware
  • User based restrictions
  • TLS Decryption
  • Sidewinder proxy

About Forcepoint

Forcepoint is the leading cybersecurity company for the protection of users and data. Its mission is to safeguard organizations while driving digital growth and transformation. Our harmonized solutions adapt in real time to the way people interact with data, provide secure access and, at the same time, enable employees to create value.