Professional Documents
Culture Documents
Lab Guide
© 2020 Forcepoint Add Classification Label: Forcepoint Private | Forcepoint Proprietary | Public
1
Credentials to Access Machines
Machine Credentials
FSM (192.168.122.21) demo\Administrator / Forcepoint1
DC (192.168.122.11) demo\Administrator / Forcepoint1
Client-machine demo\tmuller / Forcepoint1
(192.168.122.44) demo\Administrator / Forcepoint1
random-prefix4.txt \\192.168.122.44\apdata-files\credit-cards\
HANDS-ON LAB
Predefined Policies - Credit Card
FORCEPOINT
Copyright © 2018 Forcepoint. All rights reserved.
© 2018 Forcepoint
As a prerequisite to this lab please locate the file random-prefix4.txt. This file
contains 10000 random numbers (all of them have 16-digits and start with digit “4”).
This file is located on
`\\192.168.122.44\apdata-files\credit-cards\random-prefix4.txt`.
**Objective:** Compare two varieties of Credit Card classifiers. One is “PCI Audit”
(Predefined classifier that respects configuration of 6-digit prefixes – IINs/BINs).
Another is “Credit Cards(Wide)” – i.e. a Luhn check (plus some requirements
regarding the first digit).
1. Predefined policy “PCI Audit” and custom policy with “Credit Cards (Wide)”
classifier.
2. Email file with random 16-digit numbers. Inspect incidents.
Predefined policy “PCI Audit”
1 Run predefined policy import wizard
1. In *FSM* navigate to **Data > Main > DLP Policies > Manage Policies**. Click
**Add > Predefined Policy**. If there is a policy selection wizard, mark all the regions
and all the industries.
2. In the predefined policy selection page expand “Regulations Compliance and
Standards”, then “PCI”, then check “PCI Audit”, and click Use Policies.
3. In the “Manage Policies” screen, expand the “PCI Audit” (the predefined policy you
just added). Initially all its rules are disabled. Select one rule – namely “PCI Audit: CCN
User-Defined IINs (wide)”. Click Edit, check Enabled and save.
Custom policy “Credit Cards (Wide)”
1 Create custom policy “CCN” 2 Add Credit Cards (Wide) classifier
1. In *FSM* navigate to Data > Main > DLP Policies > Manage Policies. Select **Add >
Custom Policy**. Enter CCN as the name of the policy and the rule. Click **Next**.
2. Under tab Condition pick **Add > Patterns & Phrases**. In the text window “Filter
by” enter `Credit Cards (Wide)`, click on the magnifying glass to search. Pick `Credit
Cards (Wide)` and click OK. Leave the threshold equal to 1. Click **Next**.
3. Under **Severity&Action** pick `Block All` as action plan. Leave the default values
everywhere else. Click **Finish** to create a policy rule. Click **Deploy**.
Email Testfile and Inspect Incidents
1 Send random numbers
as an email attachment
Note: The 10000 random numbers (all starting by “4”, i.e. their external appearance
looks like Visa-issued Payment Card numbers) violated “Credit Cards (Wide)” 972
times. This is approximately 10% - which corresponds to the Luhn check (a checksum
criterion for credit cards). The predefined policy “PCI Audit” is pickier. Not only does it
verify the Luhn check, but also – the 6-digit prefix (IIN or BIN – Bank issued number).
It has to come from the list CCN_IIN_Valid.csv.
File Resource Location
common-health-conditions.docx \\My_Share\apdata-files\health-forms
HANDS-ON LAB
Dictionary Classifiers
**Goal:** In this lab we show how to learn the content of a predefined dictionary. To
achieve this we send to a Policy Engine a large list of words and see, which trigger the
policy match with this dictionary.
Scenario
1. Configure “Common Health Terms (English)” as the only classifier in the DLP rule. Leave threshold
equal to 1.
2. Use PolicyEngineClient.exe to send file common-health-conditions.docx to the Policy Engine on
FSM. Inspect the Violation Triggers. What is the approximate percentage of health conditions and
disease names that trigger this classifier?
3. Optional: To avoid triggering the dictionary classifier on very large files (which could contain
disease names even though the file is not primarily about the health), use “Transaction Size”
classifier to create the following policy:
𝑇 = 1, if 𝑠𝑖𝑧𝑒 𝑡𝑥𝑛 < 1MiB
ቊ
𝑇 = 2, otherwise
(I.e. for transactions that are 1MiB or larger we expect 2 health terms to trigger the policy.)
8
File Resource Location
karlsruhe-phones.txt \\192.168.122.44\apdata-files\regex
random-prefix4.txt \\192.168.122.44\apdata-files\credit-cards
HANDS-ON LAB
Regular Expressions
FORCEPOINT
Copyright © 2018 Forcepoint. All rights reserved.
© 2018 Forcepoint
We build one regex classifier (it starts with (?s) modifier, i.e. the strings it can match
could span multiple lines (and be divided by newline `\n` characters).
It is tested in two ways – `Karlsruhe-phones.txt` contains some variations of these
data.
**Goal:** Given the country code and area code (and two different ways to write the
phone number), create a regex classifier that would capture all such phone numbers.
Phone numbers in Karlsruhe, Germany are written either as +49 72 DDDDDD or 072
DDDDDD. Create a regular expression that will match all such phone numbers
regardless of whether the country code (+49) or the leading zero is used. Do not use
word boundaries \b – at the beginning and at the end of your regex – they are, in fact
assumed. (In some cases word boundary should ensure that there are no
alphanumeric characters immediately before and after the phone number itself, i.e. it
is separated from the remaining text by spaces or by punctuation.)
Create a Regex Classifier and a Policy Rule
Syntax errors in regular expressions are noticed at the moment when policies
using those rules are being deployed.
Regular Expression classifiers may be syntactically wrong, but deployed/active
policy rules cannot use such classifiers.
Note: If regular expression classifier contains a syntax error, it will show up only if a
policy rule using that regex is being deployed. Error message (which also appears in
all Policy Engine logs) indicates the problem. For example, “Invalid content of repeat
range” (unless you are experienced with such messages, it is not immediately clear,
what kind of classifier is affected). In such cases you can disable one or more policy
rules to see, which policy rule caused the deployment to fail. It is also a good practice
to test regular expressions before using them in DLP.
**Note:** Since error messages sometimes do not point to the location of policy
error, it is usually better to add policies gradually – deploying after every small
change. Then it is easier to see what caused that error. If for some reason you lose
track of the cause of the error, the only thing that remains is “binary search”. It
proceeds as follows:
(a) You can disable half of the existing policy rules, see if the deployment error
disappears.
(b) If it does not, disable half of the remaining rules. If it does disappear, re-enable
half of the previously disabled rules.
Repeating steps (a) and (b) you will locate the problematic rule (and it will be much
faster than doing exhaustive search).
Test with Phone Numbers and with Much Else
file290.txt \\192.168.122.44\apdata-files\file-classifiers
file400.txt \\192.168.122.44\apdata-files\file-classifiers
HANDS-ON LAB
File Classifiers
FORCEPOINT
Copyright © 2018 Forcepoint. All rights reserved.
© 2018 Forcepoint
In this lab you will do some tests with files (in particular, file sizes, and file types).
These experiments let us learn about some nuances, and
There are many nuances that are important to understand exactly, but are easier to
learn by doing simple experiments (rather than studying the manual). In these
examples we try to accumulate various "surprises" that clarify the product’s behavior.
File Classifiers by Size
Base64 transformation:
To avoid special characters, 8-bit
bytes are represented by 6-bit
bytes.
1
File size multiplies by 1
3
Is applied to the individual files
and also to the transaction.
File size classifier may surprise users, if it is applied to emails with attachments.
1. Create a file size classifier that detects files of size between 390 and 410 Kilobytes.
2. Make a custom policy rule that blocks all the files in this size range. Deploy that
policy.
Example: If you send a file attachment of size about 300KiB (and the email message
itself is short), the attachment is Base64-encoded – and the email message size
becomes 400KiB. Such an attachment would trigger file size classifier in two different
ways:
1. If file size classifier is interval [290KiB, 310KiB], message triggers the rule because
of the 300KiB attachment
2. If file size classifier is interval [390KiB, 410KiB], message triggers the rule because
of the 400KiB size of the whole message.
Occasionally you need to have classifiers to detect file types that are not included in
the default DLP product. In this case you need to contact TechSupport, provide the
description of the file type you want to identify, and some sample files.
Test File Size Rule
As email attachments from the MS Outlook (user tmuller at Client-Win10
(192.168.122.44)) or from PolicyEngineClient send these 4 files (all should have been
unzipped in \\192.168.122.21\My_Share\apdata-files\file-classifiers – Slide 1):
download.jpg (binary file of size 297KiB – should trigger 400KiB rule, if it is an email
attachment, because it is Base64 encoded)
file290.txt (plaintext file of size 290KiB – also should trigger the same 400KiB rule;
it is also Base64 encoded).
file400.txt (plaintext file of size 400KiB – should trigger the same 400KiB rule
files290-400.zip (Zip file containing both above files – should trigger the same
400KiB rule, but only once – because of file400.txt).
This step should demonstrate the filetype identification by DLP. The file-size
experiment should illustrate how the size classifier is applied to every attachment
(and also to the email message as a whole). Plus – file size expansion as it is being
encoded with Base64 (file size is multiplied by a factor 4/3).
File Resource Location
cumulative-rule.zip \\192.168.122.44\apdata-files\cumulative-rules\
HANDS-ON LAB
Cumulative Rules
FORCEPOINT
Copyright © 2018 Forcepoint. All rights reserved.
© 2018 Forcepoint
You would need 10 small text files (containing one credit card number each) and also
a BAT script that submits all these files with predefined time intervals to the Policy
Engine. All these files are contained in cumulative-rule.zip.
**Lab Objective:** Configure a rule that detects “Credit Card Number (Wide)”; allow
< 3 CCNs in any 5-minute window. Test by running `PolicyEngineClient.exe`.
Phase 1.
: Configure Policy with CCN (Wide)
Phase 2.
: Use the CLI tools to test. Test the CLI tool simulating extractor. Run the script
simulating CCN leaks
Configure Policy with CCN (Wide)
1 Delete or disable all previously created CCN-rules
1. Delete any previous CCN policy rules. If you have custom CCN policy or predefined
PCI policies defined (as in the Lab “Credit Card Classifiers”), please delete these rules.
For the cumulative rules lab it is important to see, what happens with CCN
transactions before the counter exceeds the threshold (and they are not stopped by
any other rule).
2. Configure Cumulative Rule for Credit Card Numbers
a. Connect to the **FSM (192.168.122.21)** machine, log into *FSM*.
b. Open **Data > Main > Policy Management > DLP Policies > Manage Policies**.
c. Select **Add > Custom Policy**.
d. Create a policy with a single rule; pick the `Credit Cards (Wide)` classifier.
e. Under **Severity&Action** configure the cumulative settings (screenshot #2).
f. Save policy changes and click **Deploy**.
Inspect the Cumulative Incidents
1 Extract files with CCNs 2 Place ccn-test.bat next to PolicyEngineClient.exe
In order to distinguish the incident order, consider visiting the list of incidents: **Data
> Main > Data Loss Prevention > Incidents (last 7 days)**. Pick the icon Table
Properties, and add Event Time.
HANDS-ON LAB
Combining Classifiers and Custom
Logic
FORCEPOINT
Copyright © 2018 Forcepoint. All rights reserved.
© 2018 Forcepoint
In this homework you will do several experiments and answer to some qualitative
(yes/no type) questions.
There are many nuances that are important to understand exactly, but are easier to
learn by doing simple experiments (rather than studying the manual). In these
examples we try to accumulate various "surprises" that clarify the product’s behavior.
Borderline Behaviors of Dictionaries and Keyphrases
Set up a rule with 4 names from the "Harry Potter" novels (Gryffindor, Hufflepuff,
Ravenclaw, Slytherin).
Create a Keyword classifier with "Internal use only" keyphrase.
Create a rule that reacts to one keyphrase "Internal use only" and 2 instances of "Harry
Potter" words.
T1: Leak a text with "Internal Use Only" and "XXGryffindorZZ", "00Hufflepuff11"
(i.e. try surrounding dictionary terms with extra characters).
T2: Leak a text with
"Internal Use Only" separated by several whitespace characters.
T3: Leak a text with "Internal-Use-Only" separated by hyphens.
Expected result:
Only T3 should match the rule.
**Note:** `testfile1.
HANDS-ON LAB
Policy Exceptions
Some DLP policies should have special action plans for certain sources or
destinations. Assume that we want to block all emails with `gmail.com` as the
destination.
The Phases:
1. Create a new policy “AnyGmail” with a single rule of the same name.
a. In tab “Condition” select Add > Patterns & Phrases… Create a regular expression
“MatchEverything” with a value .* (i.e. any characters repeated any number of
times).
b. In tab **Destination** click **Edit** button under **Network email**. Select
`*.gmail.com`. (If this domain does not exist, you can add it under **Data > Main >
Resources > Domains**).
Phase 4: Create a Policy Exception
FORCEPOINT
Copyright © 2018 Forcepoint. All rights reserved.
© 2018 Forcepoint
**Note:** If ImDisk Virtual Disk Driver is tricky to use, there is also a command-line
tool associated with ImDisk. E.g.
```
imdisk -a -t harddrive -f C:\tmp\image.bin -s 100M -p "/fs:ntfs /q /y" -o rw -m #:
```
Phase 1: Action Plan with User-Encrypt Action
1 Create Action Plan named User-Encrypt 3 Install ImDisk on Client-Win10
(192.168.122.44)
34
2 Save decrypted file
Phase 5: Try to Use Decryption Tool
1 Run Decryption Utility
FORCEPOINT
Copyright © 2018 Forcepoint. All rights reserved.
© 2018 Forcepoint
Data Endpoint is a software that does not make sense in isolation from other DLP
components. It needs an DLP Manager to be deployed. Also a separate
Supplementary DLP server is recommended to be Endpoint Server (unless this is a
small demo environment, where DLP Manager itself can become an Endpoint Server).
All these deployment steps are covered in Modules 1 and 2. This lab only covers how
to deploy endpoint software, if the DLP deployment is already done.
There are various “environmental forces” that affect the installation and setup of the
Data Endpoint:
1. Data Endpoint is supported on multiple platforms (on 32-bit and 64-bit Windows –
including servers and workstations, on OS x, on Linux), in multiple languages (alert
messages can be displayed in Dutch, English, French, Italian, Japanese, Korean,
Portugese, Russian, Simplified and Traditional Chinese, Spanish – and you can add
more message texts in these and other languages). There are interactive and stealth
modes, regular and discovery-only version of the software. To avoid having different
Endpoint installers for all these situations, there is a single Package Builder, which is a
bootstrap to create the installer package that fits customer’s needs.
2. Data Endpoint is designed to be tamper resistant. Some users may try to interfere
with this software – either to avoid being detected or simply to get rid of services
that they do not fully understand. For this reason Endpoint service has to be difficult
to uninstall or to stop.
3. Data Endpoint might need to be monitored both from the target machine (unless it
is a stealth installation) and from the *FSM*.
Data Endpoint itself has quite an interesting story on how it can be deployed on
target machines. This lab tells this story – how to download the software (phase 1),
how to run package builder (phase 2), how to create and how to use the installation
file (phase 3). We also explain the client console (how to inspect Endpoint’s behavior
from the client’s machine), and the Endpoint Status screen (how to inspect multiple
endpoints from the Forcepoint FSM), assigning some useful global parameters for the
endpoint, temporary disable and even attempt to uninstall (phases 4, 5 and 6). This
first lab does not create incidents, but rather explains how to get the infrastructure
running properly.
36
Phase 1: Download EP Package Builder for v8.2.0 and v8.2.5
1 EITHER download from mywebsense.com 2 OR download from 85.254.250.28
**Note:** Password (e.g. `Forcepoint1`) could be entered and would cause no harm.
But it makes sense only for Web Endpoint; so it is useless to specify it during this
package builder phase. If you specify it here, but do not specify password with Data
Endpoint Global Settings (see *\hyperref[lab-m6-a-deploying-and-managing-
endpoints]{Phase 5}* of this Lab), Endpoint can be uninstalled by admin user without
any password being asked.
Phase 3: Save the Installation Package and Install Manually
1 Finish the installer creation
2 Install manually and reboot
The client can be deployed via software deployment tools such as Microsoft’s System
Center Configuration Manager (SCCM), Active Directory’s Group Policy Objects (GPO)
or installed manually on any computer. The entire installation package created by the
Endpoint Builder tool should be used by the deployment system. There are two
installers that have the same functionality:
WebsenseDataEndpoint.msi - should be used with Microsoft-based systems (SCCM
and GPO).
Setup.exe - for deployment systems which require an executable.
Each deployment system has its own requirements and functionality; the .msi should
be deployed using the following command: “msiexec /package “Websense Data
Endpoint.msi” /quiet /norestart”.
In order for the Data Endpoint to be “Active” on the user’s computer, you must
restart. Set restart as the last action in the deployment script.
Note: See Deployment and Installation Guide for more information on utilizing
network-based deployment tools.
Phase 4: Check Endpoint Status
2 Check Endpoint Status, find the client
1 Data Endpoint Client Console
41
Phase 5: Apply Global Endpoint Settings 2 Set protected domain and email direction
1 Set update interval and unstall password
\label{lab-m6-a-deploying-and-managing-endpoints-phase5}
1. Log into *FSM*. Navigate to **Data > Settings > Deployment > Endpoint Profiles**.
Open tab General.
a. Next to “Check for updates every” select 30 minutes.
b. Make sure that administrator (uninstall) password is checked. Enter password
`Forcepoint1` two times.
2. Open tab Email Domain.
a. Add domain demo.com to the internal email domains.
b. Select **Outbound** checkbox. Optionally also **Internal** checkbox.
c. Click **Save**, and then **Deploy**.
2 Click Bypass Endpoint, enter Bypass ID
Phase 6: Temporary Bypass
1 Click Disable in Endpoint Client UI
1. Click Disable:
a. Log in to **Client-Win10 (192.168.122.44)** as tmuller.
b. From the system tray open the endpoint UI console.
c. Click on Disable button, write down the Bypass ID (4-digit number)
2. Generate bypass code:
a. Log in to **FSM (192.168.122.21)**, open *FSM*.
b. Open **Data > Main > Status > Endpoint Status**.
c. Select the client machine `192.168.122.44`, click button Bypass Endpoint
d. Enter the Bypass ID (obtained in the previous step), generate bypass code.
3. Return to **Client-Win10 (192.168.122.44)**, enter the bypass code. Click
**OK**.
4. Try to uninstall Data Endpoint:
a. On **Client-Win10 (192.168.122.44)** open **Start > Control Panel**.
b. Write Add or remove programs in the search window and open this dialogue.
c. Select Forcepoint One Endpoint, right-click it and pick Uninstall.
d. Verify that there is a pop-up screen that asks to enter password (same as you
configured in the previous phase). Do not proceed with uninstallation, press
**Cancel**.
**Note:** In many situations you need to keep track of the time-spans the endpoints
have been disabled (in particular, if the disabling is longer than 1hr; when it is not just
to allow the user to complete one specific ativity). The record-keeping should happen
outside the **Data > Main > Status > Endpoint Status** screen, because there we can
only see the current status of the endpoint (not the time when it will be enabled
again).
43
HANDS-ON LAB
EP Incidents and Unhooking
Applications
FORCEPOINT
Copyright © 2018 Forcepoint. All rights reserved.
© 2018 Forcepoint
The Phases:
Unhooking Applications.
: Application unhooking (or excluding) means that Data Endpoint does not monitor
them via the hooking DLL. It can be configured among the Data Endpoint global
settings.
44
Phase 1: Endpoint HTTP/HTTPS Incidents
1 Test Plain Web form on Firefox 2 Test AJAX Application on Firefox
Before running these tests make sure that there is a DLP policy to detect keyword
“FactoryTestKeyWord”, and the Action Plan for it is Block All.
45
Phase 2: Endpoint Email Incidents
2 Use Outlook Web Access
1 Send email causing and incident
1. Send email from *MS Outlook* (Instead of Using the Outlook, please login to
192.168.122.1:5006 with user name: tmuller@demo.com & Password: Forcepoint1)
a. Log into **Client-Win10 (192.168.122.44)** as `tmuller\Forcepoint1`.
b. Open *MS Outlook* application, create a new mail message to an external (non-
demo.com) recipient; include “FactoryTestKeyWord” in that message.
c. Observe that email is not sent, and there is alert.
2. Send email via Outlook Web Access.
a. Open browser, navigate to \url{https://192.168.122.11/owa}
b. Log in as `tmuller\Forcepoint1`
c. Create a new mail message to any email address (even internal), write
“FactoryTestKeyWord” in that message. Try to send.
d. The message should cause error and an alert (this time it is Web alert).
Phase 3: Enable Contols for Printing, LAN, App Control, PrtScr
1 Enable LAN channel control; block screen capture 3 Block Screen Capture
2
Add all applications
for some DLP policy
rule Copyright © 2018 Forcepoint. All rights reserved.
48
Phase 5: Unhooking/Excluding an Application
1 Display list of DLLs 3 Deploy, synchronize, reboot
1. Run Tasklist to see DLLs used by notepad.exe (before adding it to the exclusion list)
a. On **Client-Win10 (192.168.122.44)** machine open notepad.exe editor. Leave
it open, the editor pane can stay empty.
b. On **Client-Win10 (192.168.122.44)** run **Start > cmd** to see command-
line window. Copy-paste this command:
```
tasklist /m /fi "imagename eq notepad.exe"
```
c. Copy-paste the output of this command somewhere.
2. Add notepad.exe to the Excluded List:
a. On **FSM (192.168.122.21)** machine log into Forcepoint FSM.
b. Open **Data > Settings > Endpoint Profiles > Settings**; open **Advanced**
tab.
c. In the text field write a name of executable (notepad.exe), click Add. Click Save in
the bottom right corner.
3. Deploy, synchronize, reboot
a. Stay on the **FSM (192.168.122.21)** machine. After notepad.exe is added to
the excluded list in TRITON UI, the Deploy button becomes active(yellow). Click it to
deploy the change to the Endpoint Server (in our case it is DLP Manager itself, but in
most deployments would be a different machine).
b. On **Client-Win10 (192.168.122.44)** machine, open Endpoint Client console
and click Update to manually synchronize the settings with the Endpoint Server (this
happens by default at regular intervals – see “Apply Global Endpoint Settings” from
the Lab 5a – but this time we want the synchronization to happen immediately.)
c. On **Client-Win10 (192.168.122.44)** machine, open a command-line window
and type the command “shutdown -r“.
4. Re-run the tasklist to display DLLs again:
a. After **Client-Win10 (192.168.122.44)** is rebooted log into this machine as
tmuller again.
b. Open `notepad.exe` editor, leave it open and empty.
c. Open cmd window. Repeat the same “tasklist…” command as in Step 1 to list
DLLs associated with the notepad.exe application.
d. It should now display a different (smaller) list of DLLs. In particular, QIPCAP64.dll
is no longer among the DLLs.
**Note:** After adding notepad.exe to the exclusion list, the following 4 DLLs
disappear:
`QIPCAP64.dll`, `DNSAPI.dll`, `WS2_32.dll`, `NSI.dll`.
49
Phase 6: Re-Test Copy-Paste in Office Applications
1 Printing from notepad.exe is now 3 Click PrtScr while notepad.exe is running
possible
50
HANDS-ON LAB
Alerts & Notifications
FORCEPOINT
Copyright © 2018 Forcepoint. All rights reserved.
© 2018 For c epoi nt
1. Alerts allow you to determine which DLP Manager conditions will trigger messages
to be sent to the system log (syslog) or to one or more administrator email addresses.
To set up alerts, follow the steps below.
2. Get to the Alerts configuration page
a. In the TRITON console, click **Data > Settings > General > System > Alerts**
b. Review the email alert options, then on the System > Alerts toolbar
c. Click tab **Email Properties**, specify sender = administrator@demo.com
d. Also specify recipient: click Edit, Display = Directory Entries, check next to
tmuller, and click arrow to move this user to the right-side pane.
e. Click OK at the bottom of the page. Click the yellow button Deploy.
f. Click Mail Server Settings. Configure the Outgoing Mail Server:
g. IP address or hostname = 192.168.122.21, Port = 25
h. Click the Test Connection button on the **System > Alerts > Mail Servers**
configuration page; enter address `tmuller@demo.com`. This should send a test mail
to that address.
Phase 3b: Set up Alerts
1 Check the SMTP configuration success 2 Check that the email was delivered.
and save it.
1. Check that the connection is successful. Click OK to save the Outgoing Mail Server
settings.
2. Log to **Client-Win10** machine as tmuller and open MS Outlook. See that it has
received an email from the MS Exchange.
Note: “Incoming Mail Server” settings are only relevant if you need to set up email-
based incident workflow; this setting can be left empty for now. Incident workflows
will be discussed in Session 3.
Phase 4a: Set up Notifications
1 Go to Default notifications
3 Configure outbound server for notifications
Configure
Notifications
template
Notifications are emails to inform about DLP incidents. They need recipients and
templates.
In the TRITON console, click Data > Main > Policy Management > Resources >
Notifications and then in the table of available notification templates, click Default
notification.
Configure the Notification with the following parameters:
Sender name = DLP Manager Notification
Sender email Address = administrator@demo.com
Subject = Data breach at %Incident Time%
Click button Mail Server Settings. This should refer to the same outgoing SMTP
settings that you configured in Phase 3. The SMTP configuration should be already set
to their correct values (Outgoing mail server = ******** or ********; Port = 25 )
Phase 4b: Set up Notifications
1. Add tmuller as a recipient (Select the Edit button, pick Display = “Directory entries”,
find and move ’tmuller’ to the right-hand side). Click OK.
2. Select the Notification Body tab and review the default selections and the message
text that will be sent to the recipient. Click OK and then Close. You do not need to
change anything in the Notification Body.
Phase 5: Set up Release Gateway
1 Set the Release Gateway to ESG, port 25
(Optional) Configure
2
syslog settings
Release GW is used to release emails from quarantine to their destinations (e.g. false
positives captured by our DLP policies).
1. Set release gateway to 192.168.122.24 – the P1 of ESG. You can also use the DNS
name of the ESG host.
a. In the TRITON Console, click **Data > Settings > General > Remediation** and go
to the **Release Gateway** section.
b. Configure the Release Gateway with the following parameters: IP address or host
name = `192.168.122.24`; **Port** = `25`
c. Click OK at the bottom of the page. Note green message (“Your changes were
saved”).
2. If you wish, also configure Syslog settings, e.g. set it to `192.168.122.21`, leave the
port to `514` (by default this is UDP port, not TCP port!). Click **Test Connection** -
it should send a message to the Syslog server, if it exists. These settings will be used
in the SIEM configuration: *\hyperref[lab-m8-b-integration-with-splunk]{Lab M8-b:
Integration with Splunk}*.
**Note:** Since Syslog uses connectionless UDP protocol, this “Test Connection” will
always display green success message. The only way to test, if the connection actually
succeeded, is to verify, that the “Websense Syslog Test Message” has arrived to a
Syslog console.
56
HANDS-ON LAB
Remediation Script (Incident
Management Script “CopyFiles”)
FORCEPOINT
Copyright © 2018 Forcepoint. All rights reserved.
© 2018 For c epoi nt
58
HANDS-ON LAB
Force-Release Feature
**Goal:** In this lab we configure force-release feature that enables anyone who
receives notification about an email incident – to release it from quarantine by
pressing just two buttons **Reply** and **Send**. It has been made easy on
purpose, so that even admins or managers who are not sitting at the computer (but
accessing email on their smartphones) can release incidents quickly. As a result,
Forcepoint DLP (even in the case of false positives, if they are blocked by some DLP
rule) does not delay legitimate business transactions; and incident processing costs
are reduced.
**The Phases**
Manual Release.
: Verify that there is some policy rule that is easy to trigger via email channel, and the
matching transactions can be blocked. (We will use the `FactoryTestKeyWord` policy
rule that was created in the Key Words and Phrases lab.) Check that incidents can be
created and released.
Configure Notification.
: Configure a new notification template that sends notifications from a force release
mailbox in your domain, e.g. `ApDataNotificationsMBX@demo.com` (i.e. a service
email account that is not used by any person) to some actual users, e.g. Administrator
or tmuller.
59
Phase 1: Test Manual Incident Release
1. Locate the policy FTKW and a rule of the same name inside it. Set the action plan
for this rule to Block.
2. Log in to Client-W7 as mdean. From the MS Outlook send a mail message to an
external email address. The mail message should contain FactoryTestKeyWord.
3. Verify that the email is not delivered, and an incident is created under TRITON Data
> Main > Data Loss Prevention > Incidents (last 7 days). Select the checkbox near this
incident, click Remediate > Release... Enter a comment for release and click OK.
4. Verify that the email is now delivered, i.e. the release gateway is configured
correctly.
**Note:** If incident is not released, please review Data > Settings > Remediation.
Make sure that the Release Gateway is filled in with data similar to the screenshot.
Phase 2: Configure a Notification Template
Notification sender is:
ApDataNotificationsMBX1@demo.com
1. Open another tab – Notification Body. Inspect the default values there. The
checkbox “Allow recipients to release quarantined email by replying to the
notification” should be marked.
2. In this step one should use a valid internal email address (here `demo.com` is our
protected email domain). This is the name and address that will be shown in the
**From:** field of the notification email message.
Phase 3: Contact in a Non-Resolvable Domain
1 Open Exchange Management on DC 3 Pick New Contact, click Next
Firstname, Name,
and Alias are all
ApDataNotificationsMBX2,
Email domain is
demo.com
Note: The new contact can have any name or email address, but the email should be
one that cannot be resolved by DNS. It can be routed out of the Exchange and
through the TRITON Data Security to be processed. Please note that the email alias
**ApDataNotificationsMBX2** is not identical to **ApDataNotificationsMBX1**
(specified in the previous step). On the other hand, these email aliases are also
mutually related: one would forward to the other.
Phase 4a: User for Force Release Mailbox
1 3
4
2
In the Users folder of the Active Directory Users and Computers console, create a
user with the email address of the notification sender that was configured in the
Phase 2.
1
2
Set actions
for channels
1. On the TRITON APX Server log into the TRITON Data Security. Edit the rule
`FactoryTestKeyWord`. Select the tab **Severity & Action**. Click an icon showing a
clean page (Add a new action plan).
2. Assign a name to the custom action plan, e.g. **My Action**. Open tab **Data
Loss Prevention**. Select action **Quarantine** for channels **Email** and
**Mobile Email**. Select action **Block** for other channels.
3. Near the bottom of the same **Action Plan Details** window, pick **My
Notification** as the template for the email notification (the one created in Phase 2)
4. Click **OK** to save the action plan settings. Click **OK** again to save the policy
rule. Click **Deploy**.
Phase 6: Test the Force Release Feature
1. Log into Client-W7 as mdean. Open Microsoft Outlook. Send an email message to
your own email address containing FactoryTestKeyWord. Log out of Client-W7.
2. Log into Client-W7 as tmuller. Check that there is a notification message. Near the
bottom of the notification message there should be an instruction how to release a
message along with the release code.
3. Reply to this message without changing anything in the message body or the email
address. I.e. ship it back to the sender – to the email
`ApDataNotificationsMBX1@demo.com`.
In some scenarios, where false positives are likely to occur, you may need to notify
the sender that his/her outbound email has been released from the quarantine and
has reached the intended recipient. This feature is configured directly in the
database.
```
USE "wbsn-data-security";
GO
BEGIN TRANSACTION;
GO
UPDATE PA_CONFIG_PROPERTIES SET VALUE='true'
WHERE NAME='notifyOriginalSenderOnRelease';
GO
COMMIT TRANSACTION;
GO
```
1. Log to **Client-Win10** as **mdean**. Send one more message that will trigger a
My Keywords (FactoryTestKeyWord) policy and will create a quarantined email.
2. Log to **Client-Win10** as **tmuller**. Release the incident by responding to the
notification message.
3. Log to **Client-Win10** as **mdean** again. Check that there is a notification
message, which notifies the sender that the message was released.
67
HANDS-ON LAB
Manage Policy Levels
**Goal:** In this lab we configure force-release feature that enables anyone who
receives notification about an email incident – to release it from quarantine by
pressing just two buttons **Reply** and **Send**. It has been made easy on
purpose, so that even admins or managers who are not sitting at the computer (but
accessing email on their smartphones) can release incidents quickly. As a result,
Forcepoint DLP (even in the case of false positives, if they are blocked by some DLP
rule) does not delay legitimate business transactions; and incident processing costs
are reduced.
**The Phases**
Manual Release.
: Verify that there is some policy rule that is easy to trigger via email channel, and the
matching transactions can be blocked. (We will use the `FactoryTestKeyWord` policy
rule that was created in the Key Words and Phrases lab.) Check that incidents can be
created and released.
Configure Notification.
: Configure a new notification template that sends notifications from a force release
mailbox in your domain, e.g. `ApDataNotificationsMBX@demo.com` (i.e. a service
email account that is not used by any person) to some actual users, e.g. Administrator
or tmuller.
68
Policy Levels
When you create policies, you can assign them a level that indicates execution
priority order. The tree structure demonstrates the hierarchy that has been assigned.
You can have as many levels as you wish. When you create a policy level, you assign it
a name and an execution order. For example, you may create 3 levels called High,
Medium, and Low, where high-level policies are executed first, medium-level policies
second, and low-level policies last. If there is a match when data is scanned according
to the high-level policies, no scanning is performed on other levels. (Policies on the
high level are still checked.) If there is no match, data is scanned according to
medium-level policies, and so on.
Policy Levels Example
Above is an example of two Policy Levels. If a match will be found at the ‘High Priority
Policies’ level’s policies then policies within the lower level ‘Default Priority Level’ will
not be checked.
File Resource Location
Sensitive content: books\ \\192.168.122.21\My_Share\apdata-files\fingerprinting-unstructured
business-plans\
non-english-language\
Ignore Section: \\192.168.122.21\My_Share\apdata-files\fingerprinting-unstructured
not-fingerprinted\Full
License.txt
Tests:
Gullivers Travels.txt \\192.168.122.21\My_Share\apdata-files\fingerprinting-unstructured\books\
War of the Worlds.txt \\192.168.122.21\My_Share\apdata-files\fingerprinting-unstructured\
HANDS-ON LAB
File Fingerprinting
FORCEPOINT
Copyright © 2018 Forcepoint. All rights reserved.
© 2018 For c epoi nt
First we fingerprint 3 directories with files in the “sensitive content” mode; test that
FPR classifier by sending two testfiles:
(a) Gullivers Travels.txt is an intended match (in fact it is identical to one of the
fingerprinted files; but you can also try out a copy-pasted fragment of some book).
(b) War of the Worlds.txt is an unintended match (in a sense – a false positive); it was
detected just because it contains a shared “License” from Project Gutenberg.
In the second part of the test we fingerprint the Full License.txt as “Ignored Section”
(and re-deploy the policy). And send both test files again. This time War of the
Worlds.txt should not be detected, as it overlaps with the fingerprinted documents
only in the “Ignored Section” (i.e. the license).
The Phases
71
Scenario for Lab M5-a
Sensitive Content
DLP Crawler 1 FPR
Build File FPR Repository
1 4
Classifier
(Sensitive Content)
2 Deploy
File FPR Policy and
the repository
Sensitive Content
In this lab exercise we send two test emails (same to e-books) before and after the
Ignored Section has been configured.
Phase 1: Create File FPR Classifier
1 Content Classifiers > File Fingerprinting 2 Under Scanned Files click Edit
1. Create a new Custom Policy with a single policy rule of the same name. Under the
Condition tab select **Add > Fingerprinting**. Select which classifier it refered to.
2. Under **Severity&Action** pick **Action Plan** = `Block All`.
Phase 3: Test File FPR Policy
1 Send two e-books (in plaintext) as attachments 1 Inspect both incidents
1. Send two books – `Gullivers Travels.txt` and also `The War of the Worlds.txt`.
2. Inspect the incidents. In case of Gullivers Travels we should get 1 policy match. In
case of War of the Worlds we should get 4 policy matches (surprisingly – 3 with books
in Portugese; and 1 with a book in Finnish). They are caused not by any similarity in
the core text, but by an overlap of Gutenberg’s project license.
Phase 4: Configure Ignored Section and Test Again
1 Select the Root Directory for Ignored Section 3 Select the only file in the ignored section:
Full License.txt
HANDS-ON LAB
Database Fingerprinting of a CSV File
FORCEPOINT
Copyright © 2018 Forcepoint. All rights reserved.
© 2018 For c epoi nt
In this lab we start with a CSV file – in this case the database (data structured in a
table) is small, but there are no DB connectivity issues. It is also easier to inspect the
plaintext file to see why one or another combination of data caused a policy match.
Phase 1:
: Inspect CSV; change encoding to UTF-8.
Phase 2:
: Create Classifier.
Phase 3:
: Traind the Classifier.
Phase 4:
: Configure Database Fingerprinting policy.
Phase 5:
: Test Database Fingerprinting policy.
77
Scenario for Lab 4b
Train
DLP Crawler DB FPR
CustomerID SSN ContactName Address CreditCard (on Manager or Classifier
MRSRV)
… … … … … 3 FPR
Repository
1 Change encoding to UTF-8
No 2 records:
5 Not a match
AP-EMAIL
2 full records:
5 A match
In this lab we first prepare the data as a UTF-8 encoded CSV file (step 1). Then read it
into DLP Crawler - there may be multiple crawlers in the deployment, we can pick any
one (step 2). This file is then processed into a DB FPR classifier that is a part of FPR
repository (step 3). Then we develop a DLP policy with this classifier and deploy it to
the system modules including AP-EMAIL (step 4). Finally we send a few tests – one of
them should not trigger the policy (no 2 leaked records), the other should (because
there are
Phase 1: Inspect CSV; Change Encoding to UTF8
1 Open Customer Records.csv 2 In a new text editor panel switch
encoding to UTF-8
**Note:** Large files may be difficult to convert into UTF-8 with a text editor
application. In these cases the UTF-8 encoding should be ensured by the exporting
procedure. (Or you should use database connection instead of CSV.)
Phase 2: Configure Classifier
1 Pick New > CSV File Fingerprinting 3 Copy the network location of
Customer Records.utf8.csv
created in the previous step.
2 Select a Name
4 Enter the credentials for the data source
1. Log into *FSM*. Go to **Data > Main > Policy Management > Classifiers >
Database Fingerprinting**. Select **New > CSV File Fingerprinting**.
2. Enter the name of the DB fingerprinting classifier – e.g. `MyDBFpr` (you can also
select which crawler to use, in case if you have many).
Phase 3: Complete the Classifier and Train It
1 Pick data fields; disable scheduler 2 Pick data fields; disable scheduler
1. Create a new custom policy, write its name, click Next>. Under Condition tab select
**Add > Fingerprinting**. Select the classifier `MyDBFpr` created in the previous
step, select 2 fields (CustomerID, SSN).
2. Edit the threshold – pick value “at least 2”. (When matching just 2 DB fields, it is
recommended to have threshold at least 3, but here we are just experimenting.) Click
**Next>**. Set action to `Block All` and finish creating the rule.
**Note:** It is common to add the same DB Fingerprint classifier and pick another
set of database fields (and add another threshold). So the full condition of such DLP
rule becomes
Phase 5: Test DB Fingerprinting Policy
Send 2 test
messages:
Message1
1. Send 2 email messages from the to your personal mailbox. Use these email bodies:
a. `ALFKI, 564-32-6547, ANTON, 536-23-5673` (Message 1)
b. `ALFKI, 463-23-6477, ANATR, 564-32-6547` (Message 2)
2. Inspect the incidents, see the forensics and see the violation triggers (there are 2
matches that meets the threshold = 2 – i.e. there was attempt to leak 2 records).
**Note:** Only Message2 should trigger an incident (it contains 2 valid combinations
of CustomerID+SSN), while Message1 contains two CustomerIDs and two SSNs, but
each data item is taken from a different row.
HANDS-ON LAB
Network Discovery
FORCEPOINT
Copyright © 2018 Forcepoint. All rights reserved.
© 2018 For c epoi nt
1. Open **Main > Policy Management > Discovery Policies > Manage Policies**.
Select from the menu **Add > Custom Policy**.
2. Enter Policy name = `US SSN`, leave **Use the policy name for the rule name**.
Click **Next**.
3. Select **Add > Patterns \& Phrases**, enter **Filter by:** = `SSN`. Leave threshold
`1`. Click **Next**.
4. Leave `Medium` severity and **Audit Only** action plan. Click **Finish**.
5. Also add a policy to detect instances of `FactoryTestKeyWord`. Deploy the changes.
Phase 1b: Add “FactoryTestKeyWord” as a Discovery Rule
1. In *FSM* open **Data > Main > Policy Management > Discovery Policies > Manage
Policies**.
2. Click **Add > Custom Policy**, enter **Policy Name** = `FactoryTestKeyWord`,
leave **Use the policy name for the rule name**, click **Next**.
3. Under **Condition** tab, click **Add > Patterns & Phrases …**, in the dialogue
that opens, enter **Filter by:** = `FactoryTestKeyWord`, click **OK**. Click
**Next**.
4. Under **Severity and Action** pick **Action Plan** = `Block All’. (This predefined
action plan does not have any meaning for discovery policies yet; unless we associate
it with some remediation script.)
Phase 2: Configure a Network Discovery Task
1 Define IP range 192.168.122.[1-200] 2 File System Discovery task 3 Enter folder and credentials
1. Open **Policy Management > Resources > Networks**. Enter a new IP address
range from `192.168.122.1` to `192.168.122.200`.
2. Open **Policy Management > Discovery Policies > Network Discovery Tasks**.
From the menu pick **New > File Discovery > File System Task**.
3. In **General** tab enter the name `My Discovery`. Select `Crawler fsm` as the
crawler. Click **Next >**
4. Select **Display:** = `Networks`. Check next to `Server Farm`, press the arrow to
move it to the right pane. Click **OK**, click **Next >**.
Phase 3: Select Schedule, Policies, File Filter, Advanced Settings
1 2 Set schedule = Once 4 Pick “Filter by Type” and select all “Office” file types.
Enter the folder
5
Set preserve
Access time
1. In TRITON navigate to **Data > Main > Policy Management > Discovery Policies >
Network Discovery Tasks**. Open the task created during the previous step. Click on
the link **Completed with errors**. It should display the machines in the configured
network that do not contain the shared folder (e.g. `\My_Share\apdata_files`) that
was required on all the servers in the network.
2. Also click on **Download Discovery Report** button. Unzip and view the report. It
should display the files that were visited.
3. In *FSM* navigate to **Data > Settings > Deployment > System Modules**. Click
on **Load Balancing** button, select **Crawler fsm**. Make sure that it uses **All
available policy engines** (i.e. part of the traffic is analyzed also on **MRSRV**).
Trouble 1: Task is Stuck Forever
1 Discovery task is stuck forever
1. Try to edit the task, change the root folder (or file filters), or leave as it is. Set
scheduling to “Once”. Save the discovery task. Select the saved task, click on
**Start** button.
Trouble 2: Crashed Crawler and Deleting Discovery Tasks
1 Crawler crashes and discovery task
cannot be re-started
2 Reminder to clean out the Discovery Job
1. Log onto the machine that should perform the discovery task (**FSM
(192.168.122.21)** or **MRSRV**).
2. Move to `%DLP-HOME%\DiscoveryJobs`. Open every `discovery.xml`, look at the
first line. As soon as you see XML outer element with **name**=`MyDiscovery` (or
whatever name you used). Look at the **id** attribute of this element. For example:
`id="3178b4f9-96fe-4554-ad1d-eaa29fa23374"`
3. Run the manual deletion command:
a. Open `cmd`, move to `%DLP-HOME%\packages\Services`
b. Run the following command:
```
Python WorkSchedulerWebServiceClient.pyc -o startWorkerScheduler
Python WorkSchedulerWebServiceClient.pyc -o deleteJob -j #jobId#
```
This command could issue an error message, and the discovery job does not exist
anymore. It may still show up in **Data > Main > Policy Management > Discovery
Policies > Network Discovery Tasks** - even after it is deleted from the crawler’s
machine.
91
HANDS-ON LAB
Endpoint Discovery
FORCEPOINT
Copyright © 2018 Forcepoint. All rights reserved.
© 2018 For c epoi nt
93
File Resource Location
jena300-training.zip \\192.168.122.21\My_Share\apdata-files\machine-learning\
jena300-testing-flat.zip \\192.168.122.21\My_Share\apdata-files\machine-learning\
ml-test.bat \\192.168.122.21\My_Share\apdata-files\machine-learning\
HANDS-ON LAB
Machine Learning
FORCEPOINT
Copyright © 2018 Forcepoint. All rights reserved.
© 2018 For c epoi nt
Resource description:
Lab Objective: Configure and test Machine Learning classifier using Java source code.
In order to get a higher-level view on what is detected by the Machine Learning
classifier, we test it by an automated test script that submits about 200 files to the
Policy Engine – to see, how many of them were detected.
All the Java files used for testing are from the same Apache Jena project as the Java
files in the positive/training set. But they are NOT the same files – training and testing
file sets do not overlap. This demonstrates an important principle of Machine
Learning – it creates policy matches not upon copy-paste, but upon (lexical) similarity
of the target file with the set of positive examples. Clearly, files in the same Java
project share certain identificators, library names, etc. But unlike fingerprinting, the
confidence is not absolute. There might be false positives and false negatives. In fact,
about 20% of the testing-set files are not detected by the classifier (which is still OK,
because ML classifier would still detect any massive leak of source code of a Java
project).
94
Scenario for Lab 4c
Apache Jena Project:
https://jena.apache.org/download/index.cgi DLP Manager
Crawler + ML PolicyEngineClient
Java files in same project split generator
into two parts: Unpack and Run BAT Script
Check Path 2 File System to Test Policy
1st part – build ML classifier Names 3
2nd part – test ML classifier
Policy Engine
Machine Learning is often used to protect source code, so this lab starts with a real-
life Java project (Apache Jena 3.0). The Java files in this project are divided into two
approximately equal parts (training set and testing set). Training set is used as
“positive examples”. Machine Learning classifier also needs “negative examples” –
but these are supplied by DLP product itself.
Phase 1: Prepare Training/Testing Sets; Set ML File Share
1 Unzip directories with training set and testing set 3 Select the file share for the classifier:
1. Log into *FSM*. Go to the **Data > Main > Policy Management > DLP Policies >
Manage Policies**. Select **Add > Custom Policy**. Select **Policy Name** =
`JenaML.` Click **Next>**
2. Under “Condition” tab click Add > Machine Learning. Pick the only classifier that
was created in the previous step. Click OK. Under Severity&Action tab select Action
=Block All. Finish creating the rule. Deploy the policy changes.
Phase 4: Run the Automated Test Script
1 Run test-ml.bat
**Goal:** Analytics Engine is meant to highlight incidents with the highest perceived
risk (using the AE built-in heuristics). This lab is near the beginning of the class on
purpose. As we create various incidents during this course, it may be interesting to
compare their respective risk ranks.
Check the HW before Installing Analytics Engine
192.168.122.55 root/Forcepoint1!
Find out the distro and release name, and also the kernel version (for BOTH server and
target):
cat /etc/*-release
uname -a
Check hardware parameters for the Investigative Server. (Check that hard drive is about
100GiB, RAM memory is about 8GiB, at least 4 CPU cores. Type these commands:
fdisk –l
df -H
free
nproc
lscpu
http://www.websense.com/content/support/library/data/v83/install/install_dss.pdf
These are commands to create CentOS partition (in the increased space configured
by VMWare) that will be used to install Analytics Engine:
```
parted /dev/sda
mkpart primary ext4 22GB 100GB
cat /proc/partitions
/sbin/mkfs -t ext4 /dev/sda3
e2label /dev/sda3 /work
mkdir /work
```
```
(this includes yum -y update kernel)
```
101
Prepare CentOS Environment
yum clean all
yum update
yum -y install apr apr-util perl-Switch unixODBC
Enable EPEL:
yum install epel-release
yum install freetds
yum install wget
cd /tmp
wget http://participant:roadshow@85.254.250.28/downloads/dlp-course/v83-
software/AnalyticsEngine83
chmod u+x AnalyticsEngine83
./AnalyticsEngine83
If you need to re-run the installer wizard, log into CentOS machine again and run
these commands:
```
source /etc/profile.d/ae_env.sh
wizard
```
Running AE Registration Wizard
source /etc/profile.d/ae_env.sh
wizard
(enter IP = 192.168.122.21, user = admin, password = Forcepoint1! )
**Logging**
Configuration for the `AEClient.log` file and log itself can be found here:
```
/opt/websense/AnalyticsEngine/conf/AnalyticsEngine.log.config
/opt/websense/AnalyticsEngine/Logs
```
**Results**
Once the import and analysis are done, a report will be generated in zip form
and emailed to the configured recipient. The report can also be found here in a
locked zip file:
```
/opt/websense/AnalyticsEngine/reports
```
Sample Incidents
You could now cause incidents with various scores (e.g. try getting all 5 colors). To see
them in the report, re-run `ae_run` (previous slide). Here are some examples:
You could also click the (i) icon to get additional information, why the risk ranking
algorithm has assigned given score. There are various drill-down capabilities for each
of the displayed cluster of incidents. Multiple related incidents make one “case”.
There could be up to 20 such cases every day.
Scheduled Task
The client will run with a scheduled task that is configured to run every
night. Task is available at:
/etc/cron.d/ae_daily_import
107