Forcepoint NGFW MITRE ATT&CK simulation
Intrusion Prevention with Forcepoint NGFW
In this scenario, an admin researches an issue and finds a potential solution on a forum. The solution provides a download link to PuTTY. Unfortunately, the link points to a malicious server hosting a backdoored version of PuTTY.
The reverse TCP backdoor was added with msfvenom from the Metasploit framework using the shikata_ga_nai encoder, since it is typically difficult to detect. The attacker has a listener on his machine waiting for the executable to open a reverse TCP connection back home.
I used the MITRE ATT&CK framework to divide the simulation into sections. The following defense mechanisms are displayed during each phase:
1. Initial Access
- URL Filtering
- Deep Packet Inspection
- File Filtering (Sandbox)
2. Execution
- ECA Whitelisting
- Snort Integration
3. Exfiltration
- DLP Integration
Here's my kill chain video demo:
Of note: to create a seamless and smooth demo, I silenced multiple defense mechanisms during deep packet inspection. A partial list of items that were not displayed in the video includes:
- IP Address lists
- Packet validation (IP & TCP)
- Correlation situations
- File reputation
- Anti malware
- User based restrictions
- TLS Decryption
- Sidewinder proxy
This post was first published on the Forcepoint website by Jenny Heino. You can view it by clicking here