To login to the environment, perform the following steps:

• First, open a web browser of your choice (Incognito recommended) and navigate to vmtestdrive.com. Select LOG IN. 

• If you are signing in for the first time and don’t have a TestDrive account, click GET STARTED and follow the instructions for creating your TestDrive portal account. See this guide.

• Enter your TestDrive Username and Password and select ENTER.

• Locate the VMware NSX Security product under the Intrinsic Security tab and click Launch. Make sure that you open NSX 4.1 Security Lab guide and refer it on a separate tab.

*In case of long idle or got disconnected, please log-out from the upper-right corner and re-login to Launch a new Horizon desktop or switch to Incognito browser instead of Chrome/Firefox.  

• Click LAUNCH

• A new tab will open with Workspace ONE. Enter your TestDrive Username and Password, then click Sign in.
• Note: Please provide the short username (not your email ID) and password to login.

• Click on Apps section and search for the NSX Security desktop and launch it.

• Now you'll be on the NSX Security desktop. At this point you can begin the walk-through steps listed in the next section.

The console is accessed through a supported supported web browser Chrome. Login to NSX Manager:

• Click on NSX-MGR Auto-logon shortcut on the Desktop. Shortcut will open the URL to NSX: https://nsx-mgr.vmwdp.com/
• Username/Password: Sign in is automated, so please don't touch the keyboard/mouse during 15s of process. If you do so, please close all Chrome windows and reopen the link again.
• In case you prefer using manual login, please click on NSX-MGR icon inside Lab Access folder. Username and Passwords are available in the Lab-Credentials file in the Desktop

In the lab, to simulate an enterprise environment, the following VMs have been deployed: a VDI Desktop , Application server and a production data base server.  These three VMs are connected to NSX overlay segments.

A supplementary VM has been deployed to play the role of an attacker, an external resource from where the attacks are initiated. This VM is attached to a VLAN type port group to a virtual distributed switch. Agent operating system (OS) type and roles are as follows:

                                                                                    NSX Ransomware Lab Topology

The goal of the NSX Security stack is to provide visibility and enforcement across the attack chain for any workload form factor across multiple clouds. The distributed Firewall in essence is a L2 to L7 Firewall that is transparently applied to the network interface of a workload, VMs of course, but also containers and physical bare metal servers. This enables customers to implement any level of segmentation without needing to make network changes, For example isolate production from development workloads, or micro-segment a multi-tier application. NSX Advanced Threat Prevention consists of IDS/IPS, Malware Prevention, Network Traffic Analysis and Network Detection and Response. NSX Intelligence provides complete East-West flow visibility and automated Firewall rule recommendations. For North-South protection, NSX Gateway Firewall is a software-only, layer 2-7 Firewall that enables you to achieve consistent network security coverage and unified management for all of your workloads, regardless of whether they’re running on physical servers, in a private or public cloud environment or in containers.

The console is accessed through a supported supported web browser Chrome. Login to NSX Manager:

• Click on NSX-MGR Auto Logon shortcut on the Desktop. Shortcut will open the URL to NSX: https://nsx-mgr.vmwdp.com/
• Username/Password: Sign-in is automated, so please don't touch the keyboard/mouse during 15s of process. If you do so, please close all Chrome windows and reopen the link again.
• In case you prefer using manual login, please click on NSX icon inside Lab Access folder and enter the below username and password.
• Username - demo1_nsxsecop/Password - VMware1!VMware1!

1. Your first step will be to inspect the application traffic flow in NSX Intelligence.

Click on Plan & Troubleshoot(1), Here we are looking at the Plan & Troubleshoot  page and this shows a high-level overview of existing workload groups and flows between them. Green lines indicate flows that are matching an existing segmentation policy in NSX while the red dotted lines indicate unprotected flows.

• Click on the filter(2) to select the Computers that makes up the acme multi-tier application

    VDI-02, acme-web01, acme-app01, acme-cart, acme-db01,acme-db02,acme-users. Click on Apply(3)

• Change the timeline from NOW to Last 2 Weeks(4) as highlighted in the above image

2 Click on Apply filter and Under Suspicious Traffic Select Impact Score(1).

3.  Apply a additional filter to review the Suspicious Traffic flows with more Impact Score.

• Click on Apply filter. Scroll down to Suspicious Traffic Section.
• Select Impact Score as a option. In Custom Range Prompt add Min = 64 and Max = 100(2). Click on Apply(3).

1. We can see that workloads with an exclamation mark. This indicates that we've depicted a threat affecting these workloads. Review the Threat events for a individual Virtual Machine.

• Right click on the VM acme-db01 and select Suspicious Network Activities.

2. Find the event with Impact score 65(1) under Threat Detection. Expand the event by clicking on button > next to it. Review the suspicious activity.

• As you can observe the Event Command and Control Domain Generation Algorithm(DGA).
• DGAs are psuedo-random generators that construct a random sequence of characters used to form domain names. DGAs provide malware with new domains in order to evade security countermeasures.
• Its an Anomaly in the DNS lookup performed by an internal host. The highlighted campaign in the event details indicates that it is not an individual detection instead there are multiple events across multiple assets.

NSX Advanced Threat Prevention leverages enhanced net flow data and layer 7 flow information to build a baseline of what's normal for every workload and then uses both unsupervised machine learning and supervised machine learning with threat centric models to identify deviations from normal that are securely relevant.

The detection with the highest stress score here in the case that we've detected the use of a domain generation algorithm.

Click on the campaign link(2) available in this event. It will redirect to NSX Network Detection and Response(NDR) window. We will learn more about NDR in the following sections.

The next step is to inspect the NSX Network Detection and Response(NDR) campaign. NSX NDR identifies threat movements in your network perimeter (North-South) as well as attacks, that move laterally (East-West). It provides you with a visualization of the entire attack, including a complete campaign blueprint and detailed threat timeline.

A Campaign is correlated set of incidents that affect one or more workload over a period. It provides the visibility of entire cycle with the list of compromised hosts and threats detected along with their timeline of attacks.

Let’s start the investigation of the attack from the NDR console, to review the threat events. 

1.You can now observe that we've detected and correlated more than just the DGA anomaly on the acme database workload. We've detected a malicious file downloads on three different workloads and a series of other threat events. The various incidents are classified according to the different phases of the MITRE ATT&CK framework.

2. Under the Campaign , you’ll find details and an interactive graphical blueprint for that campaign.

• View the THREATS widget (1) for current threats that NSX NDR has detected. The severity of threat is color-coded Red for High, Yellow for Medium, and Blue for Low.
• View the HOSTS widget (2) to see current hosts affected. The severity of threat is color-coded the same as threats. Note: The host is defined as any device with an IP address, not a hypervisor in this context.
• View the Attack Stages widget (top right) to find the current campaign attack stages mapped with the MITRE ATT&CK framework. Mouse hover on the each attack stage to view detailed information of each attack stage.

3. View the Campaign blueprint widget for an interactive graphical representation of the campaign.

• The NDR campaign blueprint maps each threat detection along with techniques for greater understanding of key events in the campaign.
• Drag the icons with your mouse to match the placement of icons suggested as above.

4  The Hosts tab (1) displays a list of hosts affected with threat information so you can observe the latest activity for attack stages

1. The Timeline view shows the threats detected by NSX Network Detection and Response in Threat Cards.

• Click Timeline(1). Each threat cards under timeline have a host that is connected to a threat, calculated Threat score, Threat name , class and other actions.
• Select Sort by Earliest (by start time)(2) to arrange the threat cards in the sequence of attacks with their timeline.

• Observe the timeline on each threat card, event date and time and IP address.
• Expand the icon to view the related evidence summary about the threat, as shown in the following table. To better understand the threat, not the evidence of malware identified and overview of how the malware behaved.

2.  Expand the Magnitude EK(1). Magnitude exploits various java and adobe flash vulnerabilities to compromise the victim's computer in order to install malware. This was also detected from the VDI desktop.

Click on Network Interactions and Network IOCs IP address(3) to get additional context.We can also click on the detector, and in this case an IDPS signature (2), to learn more about this detection.

Click on the IP address of the affected workload.we can see that this is associated with the VDI-02 desktop

3. Expand the Malicious File Download event and click on the file name to get additional context. You can see that this file has been identified as containing the cryptowall ransomware and has performed suspicious Geo-location queries.

Cryptowall is a ransomware malware that encrypts files on an infected computer using and demands a ransom in exchange for a decryption key. Cryptowall is usually spread by spam and phishing emails, malicious ads, hacked websites, or other malware and uses a Trojan horse to deliver the malicious payload.

Click on the Analyst Report to find more details

4. You can see some of the key characteristics we've observed when we've dynamically analyzed this file in our sandbox. Click on close to go back to the timeline view.

5. Above events are sequentially detected in the VDI Desktop where the attacker attempted Initial Exploitation in to the environment.

6.  Expand Cryptowall(1) and DGA Activity(2) to see that we've observed command and control activity associated with cryptowall and this has also been detected by means of an IDPS signature.

After gaining the initial access , Attackers use lateral movement to gain access to additional systems, escalate privileges and ex-filtrate sensitive data. Lets review the Lateral movement and Data Exfiltration events detected by NDR.

1. Expand Anomalous Psexec Interaction (1) , that was followed by the detection of an anomalous interaction between our VDI desktop and another workload in our environment.

This activity was mapped to the lateral movement technique of the MITRE Attack Framework and was used by the malicious actor to pivot the attack from the VDI desktop to the target workload with the IP address of Acme-App-01 VM.

2. Expand the DGA Activity, We have detected the Domain generation algorithm anomaly that we looked at earlier from the discovery and planning view in NSX This is the atomic event we started our investigation.This indicates that suspicious domains used by malware were running on our infected machine.

Click on Anomaly dga to find more details. These domains were identified using anomaly detection techniques that characterize domain and resolution patterns that are typical of malware using the main generation algorithms

3. Expand Empire Agent and you will see that around the same time by means of an IDPS detector we identified network activity related to the empire agent on the compromised acme-app01 workload.

Empire is a post-exploitation framework offering a wide array of modules. It can be used to perform a variety of malicious activities on a compromised host. This was followed by the download of the same malicious file containing Cryptowall on the acme-app01 workload

4. The next phase of the attack, where the attacker used windows remote task scheduling to pivot the attack once more and target another workload in our environment the production database VM. Click on the Expand icon to find more details. Around the same time we observed an attempt at credential harvesting using Kerberos ticket granting tickets initiated from acme-app01  VM to acme-db workload. On the workload we saw additional remote task scheduling after that followed by the same domain generation algorithm, empire agent and cryptowall detection's.

5. Scroll down to see same set of Command and Control activities are detected in the acme-db01 VM. Finally we detected the use of DNSCAT on the network indicating exfiltration of data from the prod acme-db workload. This was confirmed by means of three distinct IDPS signatures.As we have analyzed  the campaign and reviewed all the intrusion events, We can review the IDS/IPS & DFW rules to reduce the attack surface and to mitigate the risk of intrusions in the production environment.

Navigate back to NSX Manager. We will proceed further to learn about NSX Intelligence  Micro-Segmentation Rule Recommendations.

1. The T1-Gateways,  T1_Production and T1_VDI are activated with IDS/IPS Malware prevention features for North South Traffic.

In this demo we will observe how the Malware File download events in Virtual Machines are Detected and Prevented in the environment.

The Firewall uses sandboxing techniques to analyze traffic and detect malware. Sandboxing allows the Firewall to run suspicious traffic in a controlled environment, where it can be observed and analyzed for malicious behavior

2. We will Activate IDS/IPS and Malware Prevention features on the T1 Gateways for North South Traffic.

• Click on Security and Select IDS/IPS & Malware Prevention under Policy Management.
• Click on Settings and Scroll to the end to see the available settings.

3.  We can find that T1_VDI & T1_Production T1 Gateways are Activated with features IDS/IPS and Malware Prevention.

4. Once the features are activated on the T1 Gateway. Gateway Specific rules has to be configured with Security profiles for Malware Detection & Prevention.

• Click on Gateway Rules and Select Gateway Specific rules
• Click on Drop down and Select Gateway T1_VDI
• A policy has been added for the Gateway with Default Malware Profile. For the demo purpose the Mode is configured as Detect Only. It can be changed Detect & Prevent to block the Malware traffic.

5. To review the Malware Prevention alerts detected by the NSX Gateway Firewall.

• Click on Security(1).
• Navigate to Malware Prevention(2) under Threat Detection & Response Section.
• Change the timeline to Last 14 days (3)
• Expand the Malware with crytodef Malware Family.  Click on the Total Inspections (4) to see the detection's on Gateway Firewall.

Malicious events are captured by the Gateway Firewall. At this point we can see the Event Verdict , Source server and destination client where Malware is downloaded. Click on close(1) after reviewing the events.

The NSX Gateway Firewall is an essential tool for any organization looking to protect their virtualized environments and sensitive data. It provides a comprehensive security solution that can be tailored to the unique needs of the organization, and can help to protect against a wide range of security threats. With this feature, organizations can secure their virtual networks and protect against a wide range of security threats, making it an important tool for any organization looking to protect their sensitive data.