VMware NSX Advanced Threat Prevention platform features (Malware Prevention, Network Detection and Response) provide visibility and protection against ransomware threats, allowing you to act  quickly to mitigate attacks in your network.

To resolve the attack scenario in this lab, you will use these features across four primary steps:

The lab has deployed the NSX Advanced Threat Prevention security features in detect mode only. This allows us to observe the entire multi-stage malware attack chain, from Initial access to Execution to its last phase, the Exfiltration of the stolen data. An Attacker has gained access to one of your employee’s VDI Desktop through phishing. Laterally moving through your network, the Attacker drops DarkSide executable ransomware in a customer relationship management production Database Server (CRM-DB). As a final step, the attacker exfiltrates the confidential data from the Database Server.

The following lab flow will walk you through how to navigate this scenario using the capabilities of NSX Advanced Threat Prevention.

Note: The attacks simulations are automatically generated in this lab, so you can directly start investigating the threat events.

Your first step will be to inspect the malicious files downloads captured by Malware Prevention.

NSX NDR identifies threat movements in your network perimeter (North-South) as well as attacks that move laterally (East-West). It provides you with a visualization of the entire attack, including a complete campaign blueprint and detailed threat timeline.

Let’s start the investigation of the attack from the NSX console, using it to review the threat events.      

IDS/IPS policies help to detect and prevent unusual traffic, malicious attacks, and security breaches in the environment. Malware Prevention policies detect and prevent malicious file transfers.

IDS/IPS and Malware Prevention policies are deployed in the Detect-only mode. To prevent the attacks happening in your environment,  you should change the rules to Detect and Prevent.

Note: For this lab, users aren’t allowed to publish the rules because the access level is read-only. However, the process of configuring IDS/IPS and Malware Prevention rules remains the same as described in the following steps.

NSX Distributed Firewall (DFW) is a hypervisor kernel-based firewall that monitors all your East-West traffic. DFW can be applied to individual workloads like VMs and enforce a Zero-Trust security model. Micro-segmentation logically divides a department or set of applications into security segments and distribute firewalls to each VM.

In traditional data centers, high-level segmentation is built, which can help to prevent various types of workloads from communicating. But the main challenge of the legacy security model is data centers facing a lack of lateral prevention  between workloads within a tier. In other words, traffic can traverse freely inside a network segment and access the crucial information until it reaches the physical firewall to get dropped. In addition, implementing different layers of security and firewalls can cause complexity and add costs.

The main advantages of using DFW are an orchestration of policies with security groups or tags, horizontal movement reduction in data centers to minimize the risk of security breaches, and finally, reduction of capital expenditure (CAPEX) cost. Furthermore, NSX DFW not only can operate based on layer 2 to layer 4, but it can also take advantage of Layer 7 information.

DFW comes with predefined categories for firewall rules, allowing you to organize security policies.

Categories are evaluated from left to right (Ethernet > Emergency > Infrastructure > Environment > Application), and the distributed firewall rules within the category are evaluated from top down.

Distributed firewall comes with predefined categories for firewall rules. Categories allow you to organize security policies.

Categories are evaluated from left to right (Ethernet > Emergency > Infrastructure > Environment > Application), and the distributed firewall rules within the category are evaluated top down.

NSX micro-segmentation Network Topology: Attacker --> VDI --> CRM-DB

3.2.1 Ethernet – Layer 2 policies are the first line of defense and should be considered before layer 3 rules.

• In NSX Manager, select Security (1)
• Navigate to Distributed Firewall (2)
• Choose the Ethernet tab (3) to view category-specific rules.

3.2.2. Emergency – For emergency situations, you can employ temporary firewall rules.

Within the same Distributed Firewall location, choose the Emergency tab (1).

3.2.3. Infrastructure – On the Infrastructure tab, you can review non-application firewall rules like vCenter, ESXi, DNS, Active Directory and so on.

• Choose the Infrastructure tab (1).
• Apply the filter. Click on Basic Detail(2) , ans Select Rule Name NSXSecops-DNS-Allow(3) and click on Apply.
• Observe here that traffic is allowed for shared services—that is, NTP and DNS to the Production group—for respective context profiles.

3.2.4. Environment – In the Environment tab, you can manage high-level policy groupings like eliminating communication for test and production environments.These policy groupings can allow for more efficient security and granular traffic control with context profiles such as SSL, TLS and more.

• Choose the Environment tab (1).
• Observe that traffic here is micro-segmented for multiple environments—such as Production, Development and DMZ—that consist of various groups like VDI_Contractors, VDI_Employees and so on.

3.2.5. Application – In this tab, you can apply Application policy rules between tiers. The priority to apply rules is from top-down and left to right. Meaning, if you write a rule in Infrastructure, it has priority over a rule in Application. So, you need to place the most fundamental rules at the top of the list.

• Choose the Application tab (1).
• Observe that distributed firewall rules are applied here for tiers serving multiple applications. By setting these rules, you can achieve app isolation as well as define inter-application tiers communication such as App to DB , Users to User Db and services like MongoDB and so on.

As shown in this section, NSX micro-segmentation provides a foundational architectural shift to enable topology-agnostic, distributed-security services to applications in the evolving data center.

To complement this security approach, you can use VMware Log Insight to help  build an infrastructure-related rule base. VMware Log Insight helps you preserve your logs and gain better visibility of what’s going on in your environment. Find out more in the next section.

Using VMware Aria Operations for logs, you can view the security flow logs of the NSX Data Center 4.1 environment.  The following security features support flow logging:

• DFW micro-segmentation rules
• IDS/IPS
• Ransomware attacks

All the security verticals generate and save unified security flow logs in the Unified Security Logs format in a single log file on a node. This single log is exported to syslog server, which is configured for VMware Aria Operations for logs. VMware Aria Operations for logs will then process the logs to provide further log management, analysis, and display them by using NSX Security content pack.

Navigate to the Log Insight dashboards.

• Click the Log Insight icon (vRLI-Demo) from the desktop for auto sign-on (Active Directory login: demo1_nsxsecop).
• Click General Overview  (1) -> Overview to view all security KPIs captured.

VMware Aria Operations for logs with NSX Operations content pack provides the collection, consolidation and correlation of NSX log data. This content pack provides dashboards with information of distributed firewall, IDS/IPS rules, audit information and errors. NSX Security dashboard sort information based on user defined time intervals and the data is presented graphically for NSX admins to view the issues.