In this section we will walk through VMware NSX-T Advanced Threat Prevention platform features
Ransomware Attack with NSX ATP Use-case
VMware NSX-T Advanced Threat Prevention platform features (Malware Prevention, Network Detection and Response) provide visibility and protection against ransomware threats, allowing you to act quickly to mitigate attacks in your network.
To resolve the attack scenario in this lab, you will use these features across four primary steps as shown above:
The lab has deployed the NSX Advanced Threat Prevention security features in detect mode only. This allows us to observe the entire multi-stage malware attack chain, from Initial Access to Execution through its last phase, the Exfiltration of the stolen data. An Attacker has gained access to one of your employees' VDI Desktops through phishing. Moving laterally through your network, the Attacker drops the DarkSide ransomware executable on the production customer relationship management Database Server (CRM-DB). As a final step, the attacker exfiltrates the confidential data from the Database Server.
The following lab flow will walk you through how to navigate this scenario using the capabilities of NSX-T Advanced Threat Prevention.
Note: The attack simulations are generated automatically in this lab, so you can start investigating the threat events directly.
Investigate malicious file downloads
Your first step will be to inspect the malicious files downloads captured by Malware Prevention.
NSX NDR identifies threat movements in your network perimeter (North-South) as well as attacks that move laterally (East-West). It provides you with a visualization of the entire attack, including a complete campaign blueprint and detailed threat timeline.
Let's start the investigation of the attack from the NSX-T console, using it to review the threat events.
Malware Prevention Timeline
1. Navigate to Malware Prevention to start investigating the compromised VDI Desktop & Database workload.
- Click on Security (1) in NSX-T manager
- Click on Malware Prevention (2) under Threat Detection & Response.
- Change the Timeline (3) to Last 14 Days.
Observe Potential Malware
Under Potential Malware, observe that a malicious file has been detected among the inspected files. Click the expand icon (1) to investigate. These are the details you will find:
- DarkSide malware is downloaded from the Attacker to the VDI Desktop and the Database Server.
- Attacker (188.8.131.52xx) --> VDI Desktop (192.168.100.1xx)
- Attacker (184.108.40.206xx) --> CRM Database Server (192.168.20.xx)
Note: IP addresses in the lab will differ from those in the lab guide, but the subnet of each VM will be the same.
- Click the number next to Total Inspections (2). You'll see the malicious file activity detected by NSX Malware Prevention running on the NSX Edge Nodes. The Darkside.exe file has been downloaded from the server (220.127.116.11xx) to the VDI Desktop (192.168.100.1xx) and the Database Server (192.168.20.x).
- Select View Reports (3).
- Click CLOSE (1) once you've reviewed the file activity.
- The malicious file Analysis Overview gives quick access to the malicious file type and its threat level. In this scenario, the malicious file was delivered inside a Zip archive. You will see the file's first submission time as well as the different hashes calculated for the Zip archive.
- Next, scroll down to Threat Level.
- Under Threat Level, you'll find the complete risk assessment, including the antivirus family and class, malware family, and the maliciousness score for the identified malware. The risk score for the detected malware artifact is set to high, which indicates a critical risk and that action should be prioritized.
- Click Report.
Advanced Malware Analysis NSX Sandbox - 1
- With the Advanced Malware Analysis NSX Sandbox, you can investigate the file further. The sandbox provides a dynamic analysis of the file with full-system emulation, enabling accurate detection and prevention of unknown and advanced threats.
- To access the dynamic analysis report, click the link icon highlighted under Score details.
Advanced Malware Analysis NSX Sandbox - 2
- Inside the NSX Sandbox, you can access an analysis of the malware artifact's complete behavior and a list of the actions observed during dynamic analysis. The malware activity types are mapped to MITRE ATT&CK techniques for a better understanding of the malware attack chain.
- Click CLOSE (1) after viewing the threat level report.
NSX Network Detection and Response (NDR)
2. NSX Network Detection and Response (NDR) enables you to visualize the complete campaign blueprint.
A Campaign is a correlated set of incidents that affect one or more workloads over a period of time. It provides visibility into the entire attack cycle, with the list of compromised hosts and the threats detected, along with the timeline of when the attack occurred.
To access the campaign blueprint:
- Click Security Overview.
- Under Security Overview, click Threat Detection & Response.
- Select Last 2 weeks from the filter dropdown menu.
- Click Go To Campaigns. This opens the NSX NDR (Network Detection and Response) tab in a new browser tab.
NSX Security campaign
3. The NSX Security campaign page displays campaign cards. On these cards you'll find information such as the Campaign ID, calculated threat score, latest attack stage, hosts affected, number of threats, and status of the campaign.
- Click Campaign ID to explore further details.
Note: Select the campaign that's at the EXFILTRATION stage.
Select the campaign ID
4. When you select the campaign ID, you'll find details and an interactive graphical blueprint for that campaign.
- View the THREATS widget (1) for the current threats that NSX NDR has detected. Threat severity is color-coded: Red for High, Yellow for Medium, and Blue for Low.
- View the HOSTS widget (2) to see the hosts currently affected. Severity is color-coded the same way as for threats. Note: In this context, a host is any device with an IP address, not a hypervisor.
Attack Stages widget
View the Attack Stages widget (top right) to find the current campaign's attack stages mapped to the MITRE ATT&CK framework. Hover over each attack stage to view detailed information about it.
Campaign blueprint widget
View the Campaign blueprint widget for an interactive graphical representation of the campaign. It highlights hosts involved in the campaign (both internal and external to the network) and threats that affected the hosts.
NDR campaign blueprint
- The NDR campaign blueprint maps each threat detection along with its techniques, for a better understanding of the key events in the campaign.
- Drag the icons with your mouse to match the placement suggested above.
- Inspect it to map each step described in detail, as shown in the following table.
5. The Hosts tab (1) displays a list of the affected hosts with threat information, so you can observe the latest activity for each attack stage.
6. The Timeline view shows the threats detected by NSX Network Detection and Response as Threat Cards:
- Click Timeline. Each threat card under the timeline shows the host connected to the threat, the calculated Threat score, Threat name, Class, and other actions.
- Select Sort by Earliest (by start time) (2) to arrange the threat cards in the sequence in which the attacks occurred.
Observing the timelines
- Observe the timeline on each threat card, including the event date and time and the IP address.
- Click the expand icon > (3) to view the related evidence summary for the threat, as shown in the following table. To better understand the threat, note the evidence of the malware identified and the overview of how the malware behaved.
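To make the Timeline and Hosts views concrete, here is an added example (not part of the lab guide or of NSX NDR) that takes a handful of threat cards, sorts them by earliest start time, derives each host's latest attack stage, and reports the campaign's overall stage. The threat cards, hosts (chosen inside the lab's subnets), times, scores and severity thresholds are constructed, and STAGE_ORDER is a simplified MITRE ATT&CK tactic order rather than NSX NDR's own mapping.

```python
"""Rebuild the NDR Timeline and Hosts views from threat cards: sort by earliest start
time, derive each host's latest attack stage, and the campaign's overall stage.

Added example, not part of the lab guide or of NSX NDR itself. The threat cards,
hosts (chosen inside the lab's subnets), times and scores are CONSTRUCTED, and
STAGE_ORDER is a simplified MITRE ATT&CK tactic order, not NSX NDR's own mapping.
"""
from datetime import datetime

STAGE_ORDER = ["Initial Access", "Execution", "Lateral Movement", "Exfiltration"]

# Constructed threat cards mirroring the scenario: phishing on the VDI desktop,
# lateral movement, DarkSide executed on CRM-DB, then exfiltration.
THREAT_CARDS = [
    {"host": "192.168.20.50", "threat": "DarkSide", "class": "Ransomware",
     "score": 90, "stage": "Execution", "start": "2023-05-02T10:41:00"},
    {"host": "192.168.100.150", "threat": "Phishing download", "class": "Malicious file",
     "score": 70, "stage": "Initial Access", "start": "2023-05-02T09:12:00"},
    {"host": "192.168.100.150", "threat": "Lateral movement activity", "class": "Lateral movement",
     "score": 60, "stage": "Lateral Movement", "start": "2023-05-02T10:05:00"},
    {"host": "192.168.20.50", "threat": "Data exfiltration", "class": "Exfiltration",
     "score": 95, "stage": "Exfiltration", "start": "2023-05-02T11:30:00"},
]

def severity(score):
    """Severity bands as the lab colour-codes them (red High, yellow Medium, blue Low); thresholds assumed."""
    return "High" if score >= 80 else "Medium" if score >= 50 else "Low"

def sort_by_earliest(cards):
    """Equivalent of 'Sort by Earliest (by start time)' in the Timeline view."""
    return sorted(cards, key=lambda c: datetime.fromisoformat(c["start"]))

def latest_stage_per_host(cards):
    """For each host, the furthest attack stage reached (what the Hosts tab surfaces)."""
    latest = {}
    for c in cards:
        if c["host"] not in latest or STAGE_ORDER.index(c["stage"]) > STAGE_ORDER.index(latest[c["host"]]):
            latest[c["host"]] = c["stage"]
    return latest

def campaign_stage(cards):
    """The campaign card's 'latest attack stage': the furthest stage any host reached."""
    return max((c["stage"] for c in cards), key=STAGE_ORDER.index)

if __name__ == "__main__":
    for c in sort_by_earliest(THREAT_CARDS):
        print(c["start"], c["host"], f'{c["threat"]} [{c["class"]}]', severity(c["score"]), c["stage"])
    print("Hosts:", latest_stage_per_host(THREAT_CARDS), "| campaign stage:", campaign_stage(THREAT_CARDS))
```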
Once the analysis is completed, close the NSX NDR tab and switch to the NSX-T Manager browser window.
Next, you'll need to determine how to prevent future incidents by following the steps in the following section to configure the IDS/IPS and Malware Prevention policies.
Attack Prevention with IDS/IPS
IDS/IPS policies help to detect and prevent unusual traffic, malicious attacks, and security breaches in the environment. Malware Prevention policies detect and prevent malicious file transfers.
IDS/IPS and Malware Prevention policies are currently deployed in Detect-only mode. To prevent attacks in your environment, change the rules to Detect and Prevent.
Note: For this lab, users aren't allowed to publish the rules because the access level is read-only. However, the process of configuring IDS/IPS and Malware Prevention rules is the same as described in the following steps.
1. Validate the Mode of the rules configured in IDS/IPS & Malware Prevention.
- Click on Security.
- Under Policy Management, click on IDS/IPS & Malware Prevention.
- To validate the currently configured rules, click Distributed Rules (3).
Expand VDI (1) to check the mode of the rules for IDS-Employees (2) and Malware Detection-Employees (3). You will see that both rules are configured in Detect-only mode.
Detect and Prevent mode
2. Change the IDS/IPS & Malware Prevention rules to Detect and Prevent mode.
- In the same Distributed Rules view, select IDS-Employees (1).
- Click the dropdown menu for the mode and change to Detect and Prevent.
- Follow the same steps for Malware Detection-Employees (2).
- Once the changes are made, click PUBLISH (3) to apply the rules.
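Where the UI cannot be used to publish (as in this read-only lab), the same check can be scripted. The following is an added example, not part of the lab guide or of VMware's tooling: it audits a set of distributed IDS/IPS & Malware Prevention rules for any still in Detect-only mode and builds the rule bodies that would move them to Detect and Prevent. The JSON is constructed to resemble NSX-T Policy API IdsRule objects; the field names and profile paths are assumptions, and in a real environment the rules would be fetched from NSX Manager.

```python
"""Audit NSX-T distributed IDS/IPS & Malware Prevention rules still in Detect-only
mode and build the change that moves each one to Detect and Prevent.

Added example, not part of this lab guide or of VMware's tooling. The JSON below is
CONSTRUCTED to resemble NSX-T Policy API IdsRule objects; the field names and profile
paths are assumptions, and in a real environment the rules would be fetched from NSX Manager.
"""
import json

DETECT_PREVENT = "DETECT_PREVENT"

# Constructed sample mirroring the lab's VDI section: both employee rules in Detect-only mode.
SAMPLE_RULES_JSON = """{"results": [
  {"resource_type": "IdsRule", "id": "IDS-Employees", "display_name": "IDS-Employees",
   "action": "DETECT", "ids_profiles": ["/infra/settings/firewall/security/intrusion-services/profiles/DefaultIDSProfile"]},
  {"resource_type": "IdsRule", "id": "MalwareDetection-Employees", "display_name": "Malware Detection-Employees",
   "action": "DETECT", "ids_profiles": ["/infra/settings/firewall/security/malware-prevention/profiles/DefaultMalwarePreventionProfile"]},
  {"resource_type": "IdsRule", "id": "IDS-Database", "display_name": "IDS-Database",
   "action": "DETECT_PREVENT", "ids_profiles": ["/infra/settings/firewall/security/intrusion-services/profiles/DefaultIDSProfile"]}
]}"""

def ids_rules(rules_json):
    """Return only the IdsRule objects from a Policy API-style result list."""
    return [r for r in json.loads(rules_json).get("results", []) if r.get("resource_type") == "IdsRule"]

def rule_kind(rule):
    """Classify by the referenced profile path (assumed layout): malware prevention vs IDS/IPS."""
    return "malware-prevention" if any("malware" in p.lower() for p in rule.get("ids_profiles", [])) else "ids-ips"

def detect_only_rules(rules_json):
    """Return [(display_name, kind)] for every rule whose action is not DETECT_PREVENT."""
    return [(r["display_name"], rule_kind(r)) for r in ids_rules(rules_json) if r.get("action") != DETECT_PREVENT]

def to_prevent_mode(rules_json):
    """Rule bodies with action switched to DETECT_PREVENT: the equivalent of the mode dropdown
    change. Nothing takes effect until the change is published, just like PUBLISH in the UI."""
    return [{**r, "action": DETECT_PREVENT} for r in ids_rules(rules_json) if r.get("action") != DETECT_PREVENT]

if __name__ == "__main__":
    for name, kind in detect_only_rules(SAMPLE_RULES_JSON):
        print(f"Detect-only: {name} ({kind})")
    print(f"{len(to_prevent_mode(SAMPLE_RULES_JSON))} rule(s) would change to {DETECT_PREVENT}")
```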
In the following section, you'll learn about the NSX-T Distributed Firewall, which provides visibility and control for virtualized workloads and networks. The section will take you through the methods to prevent attackers from moving laterally within the environment using micro-segmentation of East-West communication between workloads.