To illustrate Forcepoint’s NGFW advanced intrusion detection capabilities, I thought it might be helpful to simulate a kill chain attack to highlight layers of defense.
Intrusion Prevention with Forcepoint NGFW
In this scenario, an admin researches an issue, finds a potential solution on a forum. The solution provides a download link to PuTTY. Unfortunately, this file points to a malicious server and to a backdoored version of PuTTY.
The reverse TCP backdoor was added with msfvenom Metasploit framework using the shikata_ga_nai encoder, since it is typically difficult to detect. The attacker has a listener on his machine waiting for the executable to open a reverse TCP connection back home.
I used the MITRE ATT@CK framework to divide the simulation into sections. The following defense mechanisms are displayed during each phase:
1. Initial Access
- URL Filtering
- Deep Packet Inspection
- File Filtering (Sandbox)
2. Execution
- ECA Whitelisting
- Snort Integration
3. Exfiltration
- DLP Integration
Here’s my kill chain video demo:
Of note: To create seamless and smooth demo, I silenced multiple defense mechanisms during deep packet inspection. A partial list of items that were not displayed in the video include:
- IP Address lists
- Packet validation (IP & TCP)
- Correlation situations
- File reputation
- Anti malware
- User based restrictions
- LS Decryption
- Sidewinder proxy
Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.
Jenny Heino
Principal Security Researcher
Jenny Heino is a Principal Security Researcher at Forcepoint, specializing in network security and based in Finland. Although she completed her master's studies in the field of Mathematical Logic, she quickly found her passion in vulnerability research and joined the research team for the...