| Title | Zscaler Active Defense (Deception Technology) with Fortinet Firewall |
| Objective | Auto-Containment for Immediate Blocking |
| Requirements | Windows 10 Lab Machine A C2 platform running with .NetZscaler Active DefenseFortinet Fortigate Firewall |
| Scope | One windows machine One attacker’s machineInternal Segment Attack Simulation |
| MITRE Techniques ID | Execution – T1059.001 Defense Evasion – T1562.001 |
Executive Summary
Technically, ASK4Key will take its own initiatives to come out with an evaluation of each of the cybersecurity tools prior servicing its customers. The evaluation made is to ensure the effectiveness of the tool to be always on a top-notch in protecting and detecting any cyber threats.
Before we proceed further, we should be knowing what is deception technology is all about. In a simple understanding is that, deception technology is an effective cybersecurity defense that detect any threats early with the objective of seeing low false positives and minimal network performance impact. The technology creates realistic decoy assets such active directories, servers, applications, files, credentials, domains, databases, sessions and few others which to be deployed in the network alongside real assets to act as lures for cyber attackers.
This time around, we had a chance to assessed one of the latest deception technologies produced by Zscaler which is known as Zscaler Active Defense.
To conduct this attack simulation, we deployed a Windows 10 with intention to be compromised. As for Zscaler Active Defense, the platform was integrated with a Fortinet Firewall for a containment purpose. Shall any attacks triggered; the Fortinet Firewall should be able to contain compromised machine as immediate possible.
This activity was performed to identify attacker’s behaviour on Zscaler Active Defense with the aim of this was to contain the victim’s machine from infecting other machines under the same segment.
How to integrate Zscaler Active Defense and Fortinet Firewall
Integrating Zscaler Active Defense with Fortinet Firewall is pretty straight forward. Once we logged into Zscaler Deception Admin Portal, we can navigate to Orchestrate > Containment.
Then, go to edit button for Fortinet (Threat Feeds – Attacker IPs) or Fortinet (Threat Feeds – Attacker Domains)
From here, we switch the toggle to enable the integration.
Not to forget, we need to specify expiry time (In hours) or check for infinite expiry checkbox. This value keeps IP addresses/hostnames in the list for a specified number of hours.
Once saved, Illusionblack URL will be generated. This URL contains IP address/domain names of systems to be contained by Fortinet. The list can be viewed by clicking the View/Edit List button.
On the Fortinet Firewall, setup an external threat feed and point it to the URL generated.
Now, we have to hop over to Fortinet Firewall for a quick setup. Once logged in, navigate to security fabric then go to External Connectors.
Then, copy and paste the URL we obtained from Zscaler Deception Admin Portal under containment section.
Click Save and Complete. It will take few seconds to be completely active.
Real Attacks Simulation
Now, the interesting part. As we mentioned earlier, we will perform a real simulation attack on the machine we deployed. This machine has been backdoored by ASK4Key team to ensure that it has a C2 callback which can be remotely controlled by our team.
We created the Powershell script as our fileless malware execution. The payload is encoded just to bypass the Microsoft Defender.
After executed successfully, we will try to have a look for another possible endpoint protection. From here, from an attacker point of view, it looks like a legit process.
From here, we kill the process to avoid being detected. Then, we looked for a sensitive file in victim’s machine and finally we found a confidential folder and downloaded it.
The common thing attacker basically do is to find a way to bypass any security tools and kill any security tools process in order to avoid being detected, and then they will proceed with their objective which in this case is to get sensitive file or folder.
Zscaler Active Defense Malicious Activity Lookup
Now, let’s have a look what Zscaler Active Defense can see from the attacks activity and what are their capabilities in detecting this attacker’s behaviour.
A rule of containment is also required to ensure the containment is working as expected.
Fortinet Firewall Threat Lookup
Here we will see updated list of IP address that is sent by Zscaler Active Defense for containment.
And the policy we created.
Now, we tried to access the compromised machine via RDP and see whether it is successful or not.
Voila, it was contained by the Fortinet and we can’t log in as it should.
To conclude this, the attacker also will not be able to remotely control the compromised machine and cannot perform further attacks such as Kerberoasting, DCSync or even Mimikatz for credential stealing and many others.
References:
https://www.zscaler.com/resources/solution-briefs/zscaler-deception.pdf