DLP Lab Guide

Forcepoint DLP Bootcamp
Lab Guide
© 2020 Forcepoint Add Classification Label: Forcepoint Private | Forcepoint Proprietary | Public
1
Credentials to Access Machines
Machine Credentials
FSM (192.168.122.21) demo\Administrator / Forcepoint1
DC (192.168.122.11) demo\Administrator / Forcepoint1
Client-machine demo\tmuller / Forcepoint1
(192.168.122.44) demo\Administrator / Forcepoint1
Email appliance admin / Forcepoint1!

(C: 192.168.122.23)
(E1: 192.168.122.24)
Mail Server *@stephanie.rosario.lab.go4labs.net / any password.
Boldon James demo\Administrator / Forcepoint1

(192.168.122.191)
Copyright © 2017 Forcepoint. All rights reserved. | Day1-Slide2

File Resource Location
random-prefix4.txt \\192.168.122.44\apdata-files\credit-cards\
HANDS-ON LAB
Predefined Policies - Credit Card
FORCEPOINT
Copyright © 2018 Forcepoint. All rights reserved.
© 2018 Forcepoint
## Lab M4-c: Scripts for Credit Card Numbers
As a prerequisite to this lab please locate the file random-prefix4.txt. This file
contains 10000 random numbers (all of them have 16-digits and start with digit “4”).
This file is located on
`\\192.168.122.44\apdata-files\credit-cards\random-prefix4.txt`.
**Objective:** Compare two varieties of Credit Card classifiers. One is “PCI Audit”
(Predefined classifier that respects configuration of 6-digit prefixes – IINs/BINs).
Another is “Credit Cards(Wide)” – i.e. a Luhn check (plus some requirements
regarding the first digit).
1. Predefined policy “PCI Audit” and custom policy with “Credit Cards (Wide)”
classifier.
2. Email file with random 16-digit numbers. Inspect incidents.
Predefined policy “PCI Audit”
1 Run predefined policy import wizard
2 Add “PCI Audit” predefined policy,

3 Enable one rule
1. In *FSM* navigate to **Data > Main > DLP Policies > Manage Policies**. Click
**Add > Predefined Policy**. If there is a policy selection wizard, mark all the regions
and all the industries.
2. In the predefined policy selection page expand “Regulations Compliance and
Standards”, then “PCI”, then check “PCI Audit”, and click Use Policies.
3. In the “Manage Policies” screen, expand the “PCI Audit” (the predefined policy you
just added). Initially all its rules are disabled. Select one rule – namely “PCI Audit: CCN
User-Defined IINs (wide)”. Click Edit, check Enabled and save.
Custom policy “Credit Cards (Wide)”
1 Create custom policy “CCN” 2 Add Credit Cards (Wide) classifier
3 Pick “Block All”

action plan
1. In *FSM* navigate to Data > Main > DLP Policies > Manage Policies. Select **Add >
Custom Policy**. Enter CCN as the name of the policy and the rule. Click **Next**.
2. Under tab Condition pick **Add > Patterns & Phrases**. In the text window “Filter
by” enter `Credit Cards (Wide)`, click on the magnifying glass to search. Pick `Credit
Cards (Wide)` and click OK. Leave the threshold equal to 1. Click **Next**.
3. Under **Severity&Action** pick `Block All` as action plan. Leave the default values
everywhere else. Click **Finish** to create a policy rule. Click **Deploy**.
Email Testfile and Inspect Incidents
1 Send random numbers
as an email attachment
2 Inspect the incident

3 Inspect valid IINs
1. Log into **Client-Win10 (192.168.122.44)** as `tmuller`. Open Outlook and send

`random-prefix4.txt` file as an email attachment. Pick any external email address.
2. Navigate to **Data > Main > Data Loss Prevention > Incidents (last 7 days)**. Open
the most recently created incident (with random-prefix4.txt file as attachment). This
file violated both rules, but different number of times.
3. In Windows Explorer visit `C:\Program Files (x86)\Websense\Data
Security\policies\scripts`, right-click CCN_IIN_Valid.csv and open it with Notepad++.
Verify that “PCI Audit” only triggers those CCNs that have first 6 digits configured in
that file.
Note: The 10000 random numbers (all starting by “4”, i.e. their external appearance
looks like Visa-issued Payment Card numbers) violated “Credit Cards (Wide)” 972
times. This is approximately 10% - which corresponds to the Luhn check (a checksum
criterion for credit cards). The predefined policy “PCI Audit” is pickier. Not only does it
verify the Luhn check, but also – the 6-digit prefix (IIN or BIN – Bank issued number).
It has to come from the list CCN_IIN_Valid.csv.
common-health-conditions.docx \\My_Share\apdata-files\health-forms
HANDS-ON LAB
Dictionary Classifiers
## Lab M3-a: Dictionary Classifiers
**Goal:** In this lab we show how to learn the content of a predefined dictionary. To
achieve this we send to a Policy Engine a large list of words and see, which trigger the
policy match with this dictionary.
Scenario
1. Configure “Common Health Terms (English)” as the only classifier in the DLP rule. Leave threshold
equal to 1.
2. Use PolicyEngineClient.exe to send file common-health-conditions.docx to the Policy Engine on
FSM. Inspect the Violation Triggers. What is the approximate percentage of health conditions and
disease names that trigger this classifier?
3. Optional: To avoid triggering the dictionary classifier on very large files (which could contain
disease names even though the file is not primarily about the health), use “Transaction Size”
classifier to create the following policy:
𝑇 = 1, if 𝑠𝑖𝑧𝑒 𝑡𝑥𝑛 < 1MiB
ቊ
𝑇 = 2, otherwise
(I.e. for transactions that are 1MiB or larger we expect 2 health terms to trigger the policy.)
8
karlsruhe-phones.txt \\192.168.122.44\apdata-files\regex
random-prefix4.txt \\192.168.122.44\apdata-files\credit-cards
HANDS-ON LAB
Regular Expressions
FORCEPOINT
© 2018 Forcepoint
## Lab M3-b: Regular Expressions
We build one regex classifier (it starts with (?s) modifier, i.e. the strings it can match
could span multiple lines (and be divided by newline `\n` characters).
It is tested in two ways – `Karlsruhe-phones.txt` contains some variations of these
data.
**Goal:** Given the country code and area code (and two different ways to write the
phone number), create a regex classifier that would capture all such phone numbers.
Phone numbers in Karlsruhe, Germany are written either as +49 72 DDDDDD or 072
DDDDDD. Create a regular expression that will match all such phone numbers
regardless of whether the country code (+49) or the leading zero is used. Do not use
word boundaries \b – at the beginning and at the end of your regex – they are, in fact
assumed. (In some cases word boundary should ensure that there are no
alphanumeric characters immediately before and after the phone number itself, i.e. it
is separated from the remaining text by spaces or by punctuation.)
Create a Regex Classifier and a Policy Rule
1. Create regex classifier:

a. Connect to the **FSM (192.168.122.21)** machine, log into *FSM*.
b. Open Data > Main > Policy Management > Content Classifiers > Patterns &
Phrases
c. Open New > Regular Expression
d. Enter Name = KarlsruhePhones and Value equal to the following:
`(?s)(\+49|0)\s?72\s?[0-9]{6}`
2. Create Policy with this rule. Create a custom policy with a single rule (name them
Regex2), select the condition for that policy 1 match of the regex “PhoneNumber”.
What if Regex is Syntactially Wrong?
 Syntax errors in regular expressions are noticed at the moment when policies
using those rules are being deployed.
 Regular Expression classifiers may be syntactically wrong, but deployed/active
policy rules cannot use such classifiers.
Note: If regular expression classifier contains a syntax error, it will show up only if a
policy rule using that regex is being deployed. Error message (which also appears in
all Policy Engine logs) indicates the problem. For example, “Invalid content of repeat
range” (unless you are experienced with such messages, it is not immediately clear,
what kind of classifier is affected). In such cases you can disable one or more policy
rules to see, which policy rule caused the deployment to fail. It is also a good practice
to test regular expressions before using them in DLP.
**Note:** Since error messages sometimes do not point to the location of policy
error, it is usually better to add policies gradually – deploying after every small
change. Then it is easier to see what caused that error. If for some reason you lose
track of the cause of the error, the only thing that remains is “binary search”. It
proceeds as follows:
(a) You can disable half of the existing policy rules, see if the deployment error
disappears.
(b) If it does not, disable half of the remaining rules. If it does disappear, re-enable
half of the previously disabled rules.
Repeating steps (a) and (b) you will locate the problematic rule (and it will be much
faster than doing exhaustive search).
Test with Phone Numbers and with Much Else
1. Open website \url{http://dlptest.com/} and try posting the phone numbers

karlsruhe-phones.txt. You can copy-paste the file content in a browser and submit the
POST form.
2. Inspect forensics of the incident and see, which strings were identified as phone
numbers in Karlsruhe region. All the “phone numbers” that have alpha-numeric
prefixes or suffixes should not match. E.g. 072123123 is a phone number, but
072123123ABC is not a phone number.
3. Submit another file which does not have any phone numbers in Karlsruhe region,
but contains lots of numbers – e.g. `\My_Share\apdata-files\credit-cards\random-
prefix4.txt`. Since this file is large, it is better to submit it using PolicyEngineClient
(see Day 2, lab 2c) or as an email attachment.
file290.txt \\192.168.122.44\apdata-files\file-classifiers
file400.txt \\192.168.122.44\apdata-files\file-classifiers
HANDS-ON LAB
File Classifiers
FORCEPOINT
© 2018 Forcepoint
## Lab M4-a: File Classifiers
In this lab you will do some tests with files (in particular, file sizes, and file types).
These experiments let us learn about some nuances, and
There are many nuances that are important to understand exactly, but are easier to
learn by doing simple experiments (rather than studying the manual). In these
examples we try to accumulate various "surprises" that clarify the product’s behavior.
File Classifiers by Size
Base64 transformation:
To avoid special characters, 8-bit
bytes are represented by 6-bit
bytes.
1
File size multiplies by 1
3
Is applied to the individual files
and also to the transaction.
File size classifier may surprise users, if it is applied to emails with attachments.
1. Create a file size classifier that detects files of size between 390 and 410 Kilobytes.
2. Make a custom policy rule that blocks all the files in this size range. Deploy that
policy.
Example: If you send a file attachment of size about 300KiB (and the email message
itself is short), the attachment is Base64-encoded – and the email message size
becomes 400KiB. Such an attachment would trigger file size classifier in two different
ways:
1. If file size classifier is interval [290KiB, 310KiB], message triggers the rule because
of the 300KiB attachment
2. If file size classifier is interval [390KiB, 410KiB], message triggers the rule because
of the 400KiB size of the whole message.
Occasionally you need to have classifiers to detect file types that are not included in
the default DLP product. In this case you need to contact TechSupport, provide the
description of the file type you want to identify, and some sample files.
Test File Size Rule
 As email attachments from the MS Outlook (user tmuller at Client-Win10
(192.168.122.44)) or from PolicyEngineClient send these 4 files (all should have been
unzipped in \\192.168.122.21\My_Share\apdata-files\file-classifiers – Slide 1):
 download.jpg (binary file of size 297KiB – should trigger 400KiB rule, if it is an email
attachment, because it is Base64 encoded)
 file290.txt (plaintext file of size 290KiB – also should trigger the same 400KiB rule;
it is also Base64 encoded).
 file400.txt (plaintext file of size 400KiB – should trigger the same 400KiB rule
 files290-400.zip (Zip file containing both above files – should trigger the same
400KiB rule, but only once – because of file400.txt).
This step should demonstrate the filetype identification by DLP. The file-size
experiment should illustrate how the size classifier is applied to every attachment
(and also to the email message as a whole). Plus – file size expansion as it is being
encoded with Base64 (file size is multiplied by a factor 4/3).
cumulative-rule.zip \\192.168.122.44\apdata-files\cumulative-rules\
HANDS-ON LAB
Cumulative Rules
FORCEPOINT
© 2018 Forcepoint
## Lab M4-d: Cumulative Rules
You would need 10 small text files (containing one credit card number each) and also
a BAT script that submits all these files with predefined time intervals to the Policy
Engine. All these files are contained in cumulative-rule.zip.
**Lab Objective:** Configure a rule that detects “Credit Card Number (Wide)”; allow
< 3 CCNs in any 5-minute window. Test by running `PolicyEngineClient.exe`.
Phase 1.
: Configure Policy with CCN (Wide)
Phase 2.
: Use the CLI tools to test. Test the CLI tool simulating extractor. Run the script
simulating CCN leaks
Configure Policy with CCN (Wide)
1 Delete or disable all previously created CCN-rules
2 Configure cumulative rule to detect 3 CCN in a 5-minute time window
1. Delete any previous CCN policy rules. If you have custom CCN policy or predefined
PCI policies defined (as in the Lab “Credit Card Classifiers”), please delete these rules.
For the cumulative rules lab it is important to see, what happens with CCN
transactions before the counter exceeds the threshold (and they are not stopped by
any other rule).
2. Configure Cumulative Rule for Credit Card Numbers
a. Connect to the **FSM (192.168.122.21)** machine, log into *FSM*.
b. Open **Data > Main > Policy Management > DLP Policies > Manage Policies**.
c. Select **Add > Custom Policy**.
d. Create a policy with a single rule; pick the `Credit Cards (Wide)` classifier.
e. Under **Severity&Action** configure the cumulative settings (screenshot #2).
f. Save policy changes and click **Deploy**.
Inspect the Cumulative Incidents
1 Extract files with CCNs 2 Place ccn-test.bat next to PolicyEngineClient.exe
3 Run the test-script with waiting times
1. On the **FSM (192.168.122.21)** locate the file

`\My_Share\apdata-files\cumulative-rules\cumulative-rule.zip` file and copy it on the
**FSM (192.168.122.21)** desktop. Right-click and select Extract All.
2. Open the newly unzipped folder
`C:\Users\administrator.demo\Desktop\cumulative-rule` and copy the BAT script ccn-
test.bat to the directory `C:\Program Files (x86)\Websense\Data Security`.
3. Open cmd shortcut on the **FSM (192.168.122.21)** desktop. Navigate to the
`C:\Users\administrator.demo\Desktop`. Run ccn-test.bat. Wait until 3 files are
submitted to the Policy Engine (or about 15 minutes until the BAT script finishes).
4. In the incident list locate incidents with severity Low (and Details = Historic
Transaction). These transactions were allowed before the cumulative rule triggered
(as the counter did not exceed the threshold yet).
Configure 2 cumulative rule windows
 As an exercise to do on your own, edit the CCN
policy rule. Pick Severity & Action. Open Advanced
section and configure another time window (e.g.
wait for 5 CCNs within 15 minutes).
 Edit the ccn-test.bat script and its timeout intervals
so that both time windows arrive simultaneously
(i.e. same transaction is CCN-match #3 for the 5
minute window, and also CCN-match #5 for the 15
minute window). Does the Cumulative Rule create
one incident or two incidents?
 Inspect the time-order of the incidents. What is the
difference between Incident Time and Event Time?
In order to distinguish the incident order, consider visiting the list of incidents: **Data
> Main > Data Loss Prevention > Incidents (last 7 days)**. Pick the icon Table
Properties, and add Event Time.
HANDS-ON LAB
Combining Classifiers and Custom
Logic
FORCEPOINT
© 2018 Forcepoint
## Demo M3-c: Custom Logic
In this homework you will do several experiments and answer to some qualitative
(yes/no type) questions.
There are many nuances that are important to understand exactly, but are easier to
learn by doing simple experiments (rather than studying the manual). In these
examples we try to accumulate various "surprises" that clarify the product’s behavior.
Borderline Behaviors of Dictionaries and Keyphrases
 Set up a rule with 4 names from the "Harry Potter" novels (Gryffindor, Hufflepuff,
Ravenclaw, Slytherin).
 Create a Keyword classifier with "Internal use only" keyphrase.
 Create a rule that reacts to one keyphrase "Internal use only" and 2 instances of "Harry
Potter" words.
 T1: Leak a text with "Internal Use Only" and "XXGryffindorZZ", "00Hufflepuff11"
(i.e. try surrounding dictionary terms with extra characters).
 T2: Leak a text with
"Internal Use Only" separated by several whitespace characters.
 T3: Leak a text with "Internal-Use-Only" separated by hyphens.
Expected result:
Only T3 should match the rule.
In this example we can test these properties of dictionaries:

* Are dictionaries case-sensitive
* How the plural case is handled by dictionaries
* How the duplicates are counted (e.g. differently capitalized variants of the same
word)
File-Type Rule with Boolean Logic
1. Log into FSM, open Forcepoint Security Manager.

2. Edit "FactoryTestKeyWord" DLP Rule.
3. Add two filetype classifiers:
a. Go to the "Condition" tab of the DLP Rule. Click **Add > File Properties**.
b. Enter "Word" in the search box. Pick "Microsoft Word File" as the filetype
classifier.
c. Click **Add > File Properties**.
d. Search for "Zip", and pick "ZIP File" as the second filetype classifier.
e. Leave the default logic (FactoryTestKeyWord AND "Microsoft Word File" AND
"ZIP File"). Leave all the threshold values equal to 1.
2. Pick “All parts of the transaction as a whole".
Test File-Type Rule with Boolean Logic
On the Client-Win10 navigate to the file Email with an attachment

share:
testfile1.bin
\\192.168.122.21\My_Share\apdata- (Misnamed ZIP file)
files\file-classifiers\testfile1.bin and
send it as an email attachment. testfile.bin
(Misnamed Word file)
...
Expected result: FactoryTestKeyWord
File testfile1.bin should match the rule ...
(if "all parts of the transaction as a
whole" is selected in the condition)
Test this policy:

* Log into **Client-Win10** as `tmuller\Forcepoint1`
* Create a MS Word file `testfile.docx` containing “FactoryTestKeyWord”. Rename it
into `testfile.bin`.
* Create a ZIP file `testfile1.zip` containing a single file (`testfile.bin` created in the
previous step). Rename the `testfile1.zip` file into `testfile1.bin`.
* Test the policy by sending the nested ZIP file `testfile1.bin`.
**Note:** `testfile1.
HANDS-ON LAB
Policy Exceptions
## Lab M4-e: Policy Exceptions
Some DLP policies should have special action plans for certain sources or
destinations. Assume that we want to block all emails with `gmail.com` as the
destination.
**Objective:** Create a policy to block any emails to “gmail.com” domain (action =

Block All, severity = Medium), and create an exception to allow sending such mail to
users in “Sales” department (if they are also in MyDlpGroup).
The Phases:
1. Assign “Department” and Create a group in the AD.

2. Create Custom LDAP Group.
3. Create a policy to block emails to the `gmail.com` domain.
4. Create a BU and a Policy Exception.
5. Test the policy for 2 users.
Scenario
CN=Engineering,DC=demo,DC=com Christiano Ronaldo (department=Sales)

Tim Muller (department=TechSupport)
Tom Crowne (department=Sales)
MyDlpGroup
CN=HR,DC=demo,DC=com Chad Smith (department=Sales)

Mark Dean (department=Sales)
Neil Peart (department=TechSupport)
 General rule: Sending email from enterprise mail accounts to “gmail.com”

domain should be blocked.
 Exception: Members of “MyDlpGroup” with department value “Sales” should be
allowed to send email to the “gmail.com” domain.

Phase 1: Assign “Department” and Create a Group in the AD
1. Assign attribute Department

a. Log into DC as Àdministrator\Forcepoint1`
b. Open the AD editor: Active Directory Users and Computers (there is an icon on
the taskbar as a yellow book).
c. Edit 6 users under the LDAP tree nodes: **demo.com>Engineering** and
**demo.com>HR**.
d. For each user open **Properties > Organization**. Enter the value for
“Department” attribute. “Tim Muller” and “Neil Peart” are both in “TechSupport”
department; all the 4 others are in “Sales” department.
e. Right-click `demo.com/Users` node in the LDAP tree. Create a new group
`MyDlpGroup`. Open **Properties > Members**. Add "Mark Dean", "Neil Peart",
"Tim Muller" and "Tom Crowne" as members.
Phase 2: Create Custom LDAP Groups
1. Log into **FSM**, open *Security Manager*.

2. Select Data > Main > Resources > Custom User Directory Groups.
3. Click New, enter group name “Sales-and-MyDlpGroup”. Select “DC” as User
Directory.
4. Enter this LDAP Search Query (without any spaces or newlines):
```
(&(objectClass=user)(&(department=Sales)
(memberOf=CN=MyDlpGroup,CN=Users,DC=demo,DC=com)))
```
5. Click “View Sample Data”. Inspect the LDAP entries selected by this LDAP search
filter. It should return 2 users (Mark Dean and Tom Crowne).
6. Select **Data > Main > Resources > Business Units**. Create a new Business Unit
named “Sales-and-MyDlpGroup-BU” and under “Display” pick “Custom User
Directory Groups”. Add newly created “Sales-and-MyDlpGroup”. Save the Business
Unit.
7. In *Security Manager* open **Data > Settings > User Directories**. Select the
directory “DC” (created in the *Lab M1-b*) and synchronize it.
Phase 3: Create a Policy to Block Emails to the “gmail.com” Domain
1. Create a new policy “AnyGmail” with a single rule of the same name.
a. In tab “Condition” select Add > Patterns & Phrases… Create a regular expression
“MatchEverything” with a value .* (i.e. any characters repeated any number of
times).
b. In tab **Destination** click **Edit** button under **Network email**. Select
`*.gmail.com`. (If this domain does not exist, you can add it under **Data > Main >
Resources > Domains**).
Phase 4: Create a Policy Exception
1. Add policy exception to the ÀnyGmail` rule.

a. Log into **FSM**, open *Forcepoint Security Manager*
b. Navigate to **Data > Main > DLP Policies > Manage Policies**.
c. Select the ÀnyGmail` rule you created in the previous step. From the menu
select **Add > Exception**.
d. Make this exception apply for the `Sales-and-MyDlpGroup-BU`. Modify the rule
severity as `Low` and set the action to Àllowed`.
HANDS-ON LAB
Encryption with User Password
FORCEPOINT
© 2018 Forcepoint
## Lab M6-c: Encryption with User Password
**Note:** If ImDisk Virtual Disk Driver is tricky to use, there is also a command-line
tool associated with ImDisk. E.g.
```
imdisk -a -t harddrive -f C:\tmp\image.bin -s 100M -p "/fs:ntfs /q /y" -o rw -m #:
```
Phase 1: Action Plan with User-Encrypt Action
1 Create Action Plan named User-Encrypt 3 Install ImDisk on Client-Win10
(192.168.122.44)
2 Assign the Action Plan to the FTKW rule
1. Create Action Plan named User-Encrypt

a. From the **FSM (192.168.122.21)** machine log into Forcepoint FSM.
b. Open **Data > Main > Resources > Action Plans**.
c. Click **New**, enter name User-Encrypt, and fill in the actions as shown in the
screenshot (Quarantine or Block for everything except Removable Media, which
should have action Encrypt with User Password.)
d. Leave default values in all the other fields in the Action Plan. Save the plan.
2. Add this action plan to some policy.
a. In TRITON UI navigate to **Data > Main > DLP Policies > Manage Policies**.
b. Edit some policy rule, e.g. FactoryTestKeyWord.
c. Open tab **Severity&Action** and pick Ùser-Encrypt` as action plan.
d. Open tab Destination. Make sure that Endpoint Removable Media is checked.
e. Save the policy rule and deploy.
3. Download and setup the ImDisk Virtual Disk Driver
a. In **Client-Win10 (192.168.122.44)** navigate to \url{http://www.ltr-
data.se/opencode.html/#ImDisk}.
b. Right-click the link "Download ImDisk Install package", current stable version
2.0.9". Download the installer and save it as ìmdiskinst.exe`.
c. Double-click imdiskinst.exe, click Run, then Yes, then OK.
Phase 2: Create a Virtual Disk Image
1 Run ImDisk Driver
1. Run the ImDisk Virtual Disk Driver

a. On **Client-Win10 (192.168.122.44)** click Start > Control Panel. In the search
window type imdisk.
b. Click ImDisk Virtual Disk Driver link.
c. In the driver window click button Mount new.
d. On **Client-Win10 (192.168.122.44)** create an empty directory `c:\tmp` to
store the virtual image of the removable media.
e. Click on the **[…]** button next to the Image File. Locate the directory `c:\tmp`,
write in the filename ìmage.bin`. Click **Open**. When it asks whether to create a
new file, click Yes.
f. Fill in other values; pick Drive letter = È`; size of virtual disk = `100M`, offset = 0
bytes, Device type = `Floppy`. Also check “Virtual disk drive accesses image file
directly” and “Removable media”.
g. Click **OK** to mount.
Phase 3: Copy a File to Cause an Incident
1 Format virtual disk 2 Copy a FTKW file to the E drive
1. Format virtual disk

a. Since the virtual disk image file was just created, it is not yet formatted. You can
select it in the ImDisk Virtual Disk Driver application and click Format. Or just wait
until the dialogue that suggests to format opens. Click Format disk.
b. Pick File system = NTFS. Pick some volume label. Click Start.
c. Click OK when there is a warning that all data will be erased.
d. Click OK when it says that formatting was successful. (Note: If you did not pick
device type = Harddisk volume, it is not possible to format to NTFS.)
2. Copy a file to cause an incident.
a. On the **Client-Win10 (192.168.122.44)** desktop create a file testfile.txt that
contains `FactoryTestKeyWord`.
b. Copy-paste that to the mounted volume E (that is mapped to the virtual disk
drive).
c. Observe that there is an alert (the first time it blocks), and you are prompted to
enter a password for the decryption utility. Enter `Forcepoint1` two times. Click
**OK**.
Phase 4: Compress and Move the Disk Image
1 Inspect the created files, unmount E drive 3 Unzip and mount the virtual drive on
MRSRV
2 ZIP the virtual image file
1. Inspect the created files, unmount E drive

a. View the files that are created when testfile.txt was copied. The E drive on
**Client-Win10 (192.168.122.44)** should contain the Forcepoint Decryption
Utility.exe, testfile.txt and possibly 2 other files.
b. In case if there is no testfile.txt (in case if the Endpoint encryption was used for
the very first time and it prompted password creation), copy the file testfile.txt again.
Please note that there is a little lock added to the usual TXT file icon.
c. In the ImDisk Virtual Disk Driver right-click E drive, select Remove. This will
unmount E drive. You may need to close all Windows Explorer instances or other
applications that currently are looking at the E drive.
2. ZIP the virtual image file
a. On **Client-Win10 (192.168.122.44)** file system select image.bin, right-click
and pick **7-zip > Add to image.zip**.
b. Move ìmage.zip` and also the ImDisk installer imdiskinst.exe from the **Client-
Win10 (192.168.122.44)** to some shared directory of the **FSM
(192.168.122.21)** machine, e.g. `c:\Forcepoint\My_Share\ep-encryption`.
3. Unzip and mount the virtual drive on **MRSRV**.
a. Log into **MRSRV**.
b. Create a directory `c:\tmp`, and move files image.zip and indiskinst.exe from
`\\192.168.122.21\My_Share\ep-encryption` to the **MRSRV**’s directory `c:\tmp`.
c. Install ImDisk also on **MRSRV**.
d. Unzip ìmage.zip` so that ìmage.bin` ends up in directory `c:\tmp`.
e. Right-click ìmage.bin` and select Mount as ImDisk Virtual Disk.
f. In the dialogue leave some default values (`c:\tmp\image.bin`, E drive, (existing
image file size), offset=0). Also change some other values to the following:
Device type = Harddisk volume,
Image file access = Virtual disk drive accesses image file directly
Removable Media (See the screenshot).
g. Click **OK** to map E drive to the new image file.
34
2 Save decrypted file
Phase 5: Try to Use Decryption Tool
1 Run Decryption Utility
3 Unmount E drive from MRSRV
1. Run Decryption Utility:

a. On **MRSRV** open Windows Explorer and newly mapped disk drive E.
b. Double-click Forcepoint Decryption Utility.exe.
c. Enter password (same as was selected in Phase 3).
2. Save decrypted file
a. Inside the Decryption Utility window right-click the file `testfile.txt`, select Save
To – and pick some location on the **MRSRV**.
b. Open file to see that it is correctly decrypted.
3. Unmount E drive from MRSRV:
a. On **MRSRV** open Control Panel. Type ImDisk in the search window.
b. Open *ImDisk Virtual Disk Driver* utility.
c. Right-click E drive and select **Remove**.
HANDS-ON LAB
Deploying and Managing Endpoints
FORCEPOINT
© 2018 Forcepoint
Deploying and Managing Endpoints
Data Endpoint is a software that does not make sense in isolation from other DLP
components. It needs an DLP Manager to be deployed. Also a separate
Supplementary DLP server is recommended to be Endpoint Server (unless this is a
small demo environment, where DLP Manager itself can become an Endpoint Server).
All these deployment steps are covered in Modules 1 and 2. This lab only covers how
to deploy endpoint software, if the DLP deployment is already done.
There are various “environmental forces” that affect the installation and setup of the
Data Endpoint:
1. Data Endpoint is supported on multiple platforms (on 32-bit and 64-bit Windows –
including servers and workstations, on OS x, on Linux), in multiple languages (alert
messages can be displayed in Dutch, English, French, Italian, Japanese, Korean,
Portugese, Russian, Simplified and Traditional Chinese, Spanish – and you can add
more message texts in these and other languages). There are interactive and stealth
modes, regular and discovery-only version of the software. To avoid having different
Endpoint installers for all these situations, there is a single Package Builder, which is a
bootstrap to create the installer package that fits customer’s needs.
2. Data Endpoint is designed to be tamper resistant. Some users may try to interfere
with this software – either to avoid being detected or simply to get rid of services
that they do not fully understand. For this reason Endpoint service has to be difficult
to uninstall or to stop.
3. Data Endpoint might need to be monitored both from the target machine (unless it
is a stealth installation) and from the *FSM*.
Data Endpoint itself has quite an interesting story on how it can be deployed on
target machines. This lab tells this story – how to download the software (phase 1),
how to run package builder (phase 2), how to create and how to use the installation
file (phase 3). We also explain the client console (how to inspect Endpoint’s behavior
from the client’s machine), and the Endpoint Status screen (how to inspect multiple
endpoints from the Forcepoint FSM), assigning some useful global parameters for the
endpoint, temporary disable and even attempt to uninstall (phases 4, 5 and 6). This
first lab does not create incidents, but rather explains how to get the infrastructure
running properly.
36
Phase 1: Download EP Package Builder for v8.2.0 and v8.2.5
1 EITHER download from mywebsense.com 2 OR download from 85.254.250.28
To install AP-ENDPOINT software, we need to download the package builder (usually

distributed as a ZIP file). Normally it can be downloaded from the mywebsense.com
website – along with other Forcepoint software.
1. (Alternative 1): Use the software distribution site

a. Navigate to mywebsense.com.
b. Authenticate with the Forcepoint client account
c. Select **Downloads > All Downloads**.
d. Under AP-ENDPOINT select the version 8.4.
e. Locate the download named “Forcepoint DLP Endpoint 8.4” and download the
ZIP.
2. (Alternative 2): Use the course website.
In case if you do not have the account with Forcepoint products, you can also
download (unofficial, no-warranty, training purposes only) Endpoint software from
the training server: \url{http://85.254.250.28/downloads/dlp-course/v84-software/}.
Right-click the file ÈndpointPackage84.zip` and download it.
Phase 2: Run Package Builder
1 Run EndpointPackage84.exe
1. Run the Package Builder:

a. Unzip the ÈndpointPackage84.zip` file on **FSM** desktop.
b. Run EndpointPackage84.exe (the only file that was in the archive).
c. Select checkbox TRITON AP-ENDPOINT DLP, leave **Language** = Ènglish`, click
**Next>**.
d. Select Windows 64-bit. There is NO NEED to enter any password. Leave the anti-
tampering checkbox selected. Click **Next>**.
e. Leave the default installation path (we are not trying to hide the presence of the
Data Endpoint). Click **Next>**.
f. Verify that the IP address or hostname is `192.168.122.21`. Click **Next>**.
**Note:** Password (e.g. `Forcepoint1`) could be entered and would cause no harm.
But it makes sense only for Web Endpoint; so it is useless to specify it during this
package builder phase. If you specify it here, but do not specify password with Data
Endpoint Global Settings (see *\hyperref[lab-m6-a-deploying-and-managing-
endpoints]{Phase 5}* of this Lab), Endpoint can be uninstalled by admin user without
any password being asked.
Phase 3: Save the Installation Package and Install Manually
1 Finish the installer creation
2 Install manually and reboot
1. Finish creating the Installation package.

a. Pick Interactive and Full radio buttons, click **Next>**.
b. Select `c:\Forcepoint\My_Share` directory and finish.
c. Click **OK** when the package has been created.
2. Install the Data Endpoint on **Client-Win10**:
a. Copy installer from `\\FSM\My_Share\` to the **Client-Win10** desktop.
Double-click the installer. Click **Next>**.
b. Accept the license agreement, click **Next>**.
c. Accept the default installation directory: `C:\Program Files\Websense\Websense
Endpoint\`. Click **Next>**.
d. Click **Install**. When the installation is complete, click **Finish**.
e. Click **Yes**, when the installation asks to reboot the client machine.
Deploying the Data Endpoint Client
AP-ENDPOINT deployable using
Manual
Microsoft-based tools
System Center Configuration Manager (SCCM)
Systems Management Server (SMS)
Two installers
WebsenseEndpoint_XXbit.exe for Windows
LinuxEndpoint_SFX_installer_elX for Linux
Updates deployable automatically
The client can be deployed via software deployment tools such as Microsoft’s System
Center Configuration Manager (SCCM), Active Directory’s Group Policy Objects (GPO)
or installed manually on any computer. The entire installation package created by the
Endpoint Builder tool should be used by the deployment system. There are two
installers that have the same functionality:
WebsenseDataEndpoint.msi - should be used with Microsoft-based systems (SCCM
and GPO).
Setup.exe - for deployment systems which require an executable.
Each deployment system has its own requirements and functionality; the .msi should
be deployed using the following command: “msiexec /package “Websense Data
Endpoint.msi” /quiet /norestart”.
In order for the Data Endpoint to be “Active” on the user’s computer, you must
restart. Set restart as the last action in the deployment script.
Note: See Deployment and Installation Guide for more information on utilizing
network-based deployment tools.
Phase 4: Check Endpoint Status
2 Check Endpoint Status, find the client
1 Data Endpoint Client Console
Data Endpoint Client Console
1. Open the Data Endpoint Client Console

a. Log into **Client-Win10 (192.168.122.44)** as `tmuller` again.
b. In the bottom-right corner of the desktop locate the green square-like
Forcepoint icon, double-click it.
c. In the client console note the time “Updated” (i.e. when the DLP configuration
was most recently synchronized). If Data Endpoint is freshly installed, it should
coincide with the clock time on **Client-Win10 (192.168.122.44)**.
d. Endpoint should be assigned a profile (since we did not configure anything else
under **Data > Settings > Endpoint Profile**, it should be Default Profile). It should
have status Enabled.
e. Click on the “Updated” timestamp that looks like a blue hyperlink. It should
display the policy version, fingerprint version and profile version. (Note: Policy version
can be verified in **Data > Main > DLP Policies > Manage Policies** – compare the
numbers surrounded by circles.). If FSM displays a newer version than Endpoint client
console – it is necessary to synchronize the Endpoint client (click Update button in
the Client Console).
2. Check Endpoint status from the TRITON UI.
a. From FSM (192.168.122.21) machine log into TRITON UI.
b. Open **Data > Main > Endpoint Status**.
c. Locate **Client-Win10 (192.168.122.44)** as an endpoint machine and look at
its parameters.
41
Phase 5: Apply Global Endpoint Settings 2 Set protected domain and email direction
1 Set update interval and unstall password
\label{lab-m6-a-deploying-and-managing-endpoints-phase5}
1. Log into *FSM*. Navigate to **Data > Settings > Deployment > Endpoint Profiles**.
Open tab General.
a. Next to “Check for updates every” select 30 minutes.
b. Make sure that administrator (uninstall) password is checked. Enter password
`Forcepoint1` two times.
2. Open tab Email Domain.
a. Add domain demo.com to the internal email domains.
b. Select **Outbound** checkbox. Optionally also **Internal** checkbox.
c. Click **Save**, and then **Deploy**.
2 Click Bypass Endpoint, enter Bypass ID
Phase 6: Temporary Bypass
1 Click Disable in Endpoint Client UI
3 Enter the Bypass Code 4 Try to uninstall Endpoint
1. Click Disable:
a. Log in to **Client-Win10 (192.168.122.44)** as tmuller.
b. From the system tray open the endpoint UI console.
c. Click on Disable button, write down the Bypass ID (4-digit number)
2. Generate bypass code:
a. Log in to **FSM (192.168.122.21)**, open *FSM*.
b. Open **Data > Main > Status > Endpoint Status**.
c. Select the client machine `192.168.122.44`, click button Bypass Endpoint
d. Enter the Bypass ID (obtained in the previous step), generate bypass code.
3. Return to **Client-Win10 (192.168.122.44)**, enter the bypass code. Click
**OK**.
4. Try to uninstall Data Endpoint:
a. On **Client-Win10 (192.168.122.44)** open **Start > Control Panel**.
b. Write Add or remove programs in the search window and open this dialogue.
c. Select Forcepoint One Endpoint, right-click it and pick Uninstall.
d. Verify that there is a pop-up screen that asks to enter password (same as you
configured in the previous phase). Do not proceed with uninstallation, press
**Cancel**.
**Note:** In many situations you need to keep track of the time-spans the endpoints
have been disabled (in particular, if the disabling is longer than 1hr; when it is not just
to allow the user to complete one specific ativity). The record-keeping should happen
outside the **Data > Main > Status > Endpoint Status** screen, because there we can
only see the current status of the endpoint (not the time when it will be enabled
again).
43
HANDS-ON LAB
EP Incidents and Unhooking
Applications
FORCEPOINT
© 2018 Forcepoint
## Lab M6-b: EP Incidents and Unhooking Applications
**Objective:** In this lab we attempt to get incidents on as many Data Endpoint

channels as possible.
The Phases:
Endpoint HTTP/HTTPS Incidents.

: Experiment with plain HTTP and HTTPS (for Data Endpoint there is no need to worry
about SSL certificates!). Also try out HTTP GET (should not be intercepted), and AJAX
applications like GMail (single attempt to send an email could result in multiple
incidents). The limitation of CG to skip messages shorter than 30 bytes does not
apply.
Endpoint Email Incidents.

: Experiment with MS Outlook and possibly some other email client.
Printing, LAN and PrtScr.

: Printing (e.g. to a PDF-generating printer driver) can be blocked. File transfer to a file
share can be intercepted as well; unsaved file is added to the **Contained Files**.
The button **PrtScr** is intercepted only if the Endpoint Application has enabled it.
Copy-Paste in Office Applications.

: Application groups (including “Office Applications”) can intercept files as they are
accessed, as well as clipboard operations.
Unhooking Applications.
: Application unhooking (or excluding) means that Data Endpoint does not monitor
them via the hooking DLL. It can be configured among the Data Endpoint global
settings.
Re-test Copy-Paste in Office Applications.

: Once the application is unhooked, copy-paste is no longer controlled by Endpoint.
44
Phase 1: Endpoint HTTP/HTTPS Incidents
1 Test Plain Web form on Firefox 2 Test AJAX Application on Firefox
3 Test Plain Web Form on Chrome
Before running these tests make sure that there is a DLP policy to detect keyword
“FactoryTestKeyWord”, and the Action Plan for it is Block All.
1. Log in to **Client-Win10 (192.168.122.44)** to test form submission (with a POST

method) to a traditional HTML form.
a. Open Browser (except Google Chrome), e.g. Firefox.
b. Navigate to \url{http://dataleaktest.com} and click link “POST to a Web page”.
c. Enter FactoryTestKeyWord in the text area and click POST.
d. Observe that the form is not submitted (the browser stays on the same URL; it
does not navigate to the web form’s action page), and there is an alert.
2. From **Client-Win10 (192.168.122.44)** open Firefox (i.e. any browser except
Chrome) connect to a Gmail or some other webmail application.
a. Try to send an email that contains `FactoryTestKeyWord`.
b. Observe that there is an application-specific message saying that email could not
be sent; there are also multiple warnings (background JavaScript may try to send the
form multiple times and it will fail all the time).
c. Log off the webmail application and close the browser, otherwise you may get
too many incidents for this.
3. Test Web form submission from *Chrome*
a. From **Client-Win10 (192.168.122.44)** open *Chrome*, navigate to
\url{http://dataleaktest.com}, and click link “POST to a Web page”.
b. In the text area write keyword “FactoryTestKeyWord” and append more text at
the end of the message (the total length should exceed 30 bytes). Submit the form by
clicking POST. Observe the block-page from the Content Gateway. (Since Endpoint on
Chrome was monitor-only mode, it let the message be sent, but the message was
blocked later – on the Content Gateway.)
4. Inspect incidents.
a. On **FSM (192.168.122.21)** log into Forcepoint FSM. Open **Data > Main >
Data Loss Prevention > Incidents (last 7 days)**.
b. Locate the block incidents (channel is “Endpoint HTTP” or “Endpoint HTTPS”) –
they were caused by Firefox.
c. Locate the monitor incident (channel is “Endpoint HTTP”) and next to it – a block
incident caused by Content Gateway (channel is “HTTP”).
**Note:** In steps 1 and 2 we do not care that `FactoryTestKeyWord` is a short POST

message (less than 30 bytes), because Endpoint does not impose the minimum size
for the message to be analysed. In step 3 we need to ensure that the POST message
is at least 30 bytes, since otherwise it would only cause Endpoint (Monitor) incident,
but would not be stopped by the Content Gateway.
45
Phase 2: Endpoint Email Incidents
2 Use Outlook Web Access
1 Send email causing and incident
1. Send email from *MS Outlook* (Instead of Using the Outlook, please login to
192.168.122.1:5006 with user name: tmuller@demo.com & Password: Forcepoint1)
a. Log into **Client-Win10 (192.168.122.44)** as `tmuller\Forcepoint1`.
b. Open *MS Outlook* application, create a new mail message to an external (non-
demo.com) recipient; include “FactoryTestKeyWord” in that message.
c. Observe that email is not sent, and there is alert.
2. Send email via Outlook Web Access.
a. Open browser, navigate to \url{https://192.168.122.11/owa}
b. Log in as `tmuller\Forcepoint1`
c. Create a new mail message to any email address (even internal), write
“FactoryTestKeyWord” in that message. Try to send.
d. The message should cause error and an alert (this time it is Web alert).
Phase 3: Enable Contols for Printing, LAN, App Control, PrtScr
1 Enable LAN channel control; block screen capture 3 Block Screen Capture
2
Add all applications
for some DLP policy
rule Copyright © 2018 Forcepoint. All rights reserved.
1. Enable LAN channel control; block screen capture

a. Log to **FSM (192.168.122.21)** machine, log into the FSM.
b. Open **Data > Main > DLP Policies > Manage Policies**.
c. Select FactoryTestKeyWord rule to edit. Go to Destination tab. Verify that
Endpoint Printing is selected (should be active by default), and also check Endpoint
LAN.
2. Add all applications for some DLP policy rule:
a. Continue to edit the same `FactoryTestKeyWord` rule. Go to **Destination** tab.
b. Locate **Endpoint Applications** section, mark the checkbox. Click **Edit**.
c. Select all Endpoint Application Groups and move them to the right side of the
screen.
d. Click **OK** in the bottom right corner of the browser screen. Save the rule.
3. Block Screen Capture.
a. Open **Data > Main > Resources > Endpoint Applications**.
b. Pick Notepad as an application, and under Screen Capture, select `Block &
Audit`. Save the settings
c. Deploy the changes in resources and the policy rule made earlier.
3 Trigger a PrtScr incident
Phase 4: Print, Copy to LAN, PrtScr, Copy-Paste
1 Trigger Printing incident
2 Copy a file (violating FTKW rule)

over the LAN 4 Copy-Pasting from Notepad to Word
1. Trigger Printing incident:

a. Create a file containing “FactoryTestKeyWord” and save as testfile.txt (e.g. on
**Client-Win10 (192.168.122.44)** desktop).
b. Select **File > Print**, pick PDF995 printer device, click Print.
c. Observe the alert warning that printing (actually – converting document to a
PDF) was blocked by the Data Endpoint.
2. Copy a file over the LAN
a. On **Client-Win10 (192.168.122.44)** machine copy the same `testfile.txt`
created earlier and paste it to `\\192.168.122.21\My_Share`.
b. Observe that the file is not copied, and there is an alert warning saying that
copying to a network drive was blocked by the Data Endpoint.
3. Trigger a PrtScr incident
a. Open an empty Notepad application (no need to have any rule-breaking text
there).
b. Click **PrtScr**.
c. Observe the alert warning that the print screen was blocked.
d. In **Client-Win10 (192.168.122.44)** click **Start** and write in the search
window “snipping tool”
e. Open Snipping Tool application, press New.
f. Press mouse and drag it, e.g. around a Notepad app with “FactoryTestKeyWord”
displayed (testfile.txt).
g. Observe that a screenshot can be made with a snipping tool and there is no
incident.
4. Copy-Paste from Notepad to Word
a. Open file testfile.txt created earlier with Notepad.
b. Open MS Word application, pick blank document.
c. Copy a text chunk (containing “FactoryTestKeyWord”) from Notepad to MS Word.
d. Observe an alert (upon **Ctrl+C** in the Notepad screen) warning that copy-
pasting was blocked by the Data Endpoint.
e. Observe that the copied text can be pasted in another Notepad screen, but not
into MS Word. Any attempt to paste (with **Ctrl+V**) text chunk violating a DLP rule
into another (non-Notepad) office application displays the same alert again.
48
Phase 5: Unhooking/Excluding an Application
1 Display list of DLLs 3 Deploy, synchronize, reboot
2 Add notepad.exe to the excluded list
4 Re-run the tasklist to display DLLs again:
1. Run Tasklist to see DLLs used by notepad.exe (before adding it to the exclusion list)
a. On **Client-Win10 (192.168.122.44)** machine open notepad.exe editor. Leave
it open, the editor pane can stay empty.
b. On **Client-Win10 (192.168.122.44)** run **Start > cmd** to see command-
line window. Copy-paste this command:
```
tasklist /m /fi "imagename eq notepad.exe"
```
c. Copy-paste the output of this command somewhere.
2. Add notepad.exe to the Excluded List:
a. On **FSM (192.168.122.21)** machine log into Forcepoint FSM.
b. Open **Data > Settings > Endpoint Profiles > Settings**; open **Advanced**
tab.
c. In the text field write a name of executable (notepad.exe), click Add. Click Save in
the bottom right corner.
3. Deploy, synchronize, reboot
a. Stay on the **FSM (192.168.122.21)** machine. After notepad.exe is added to
the excluded list in TRITON UI, the Deploy button becomes active(yellow). Click it to
deploy the change to the Endpoint Server (in our case it is DLP Manager itself, but in
most deployments would be a different machine).
b. On **Client-Win10 (192.168.122.44)** machine, open Endpoint Client console
and click Update to manually synchronize the settings with the Endpoint Server (this
happens by default at regular intervals – see “Apply Global Endpoint Settings” from
the Lab 5a – but this time we want the synchronization to happen immediately.)
c. On **Client-Win10 (192.168.122.44)** machine, open a command-line window
and type the command “shutdown -r“.
4. Re-run the tasklist to display DLLs again:
a. After **Client-Win10 (192.168.122.44)** is rebooted log into this machine as
tmuller again.
b. Open `notepad.exe` editor, leave it open and empty.
c. Open cmd window. Repeat the same “tasklist…” command as in Step 1 to list
DLLs associated with the notepad.exe application.
d. It should now display a different (smaller) list of DLLs. In particular, QIPCAP64.dll
is no longer among the DLLs.
**Note:** Here is the tasklist output before the exclusion of notepad.exe:

```
ntdll.dll, kernel32.dll, KERNELBASE.dll, ADVAPI32.dll, msvcrt.dll,
sechost.dll, RPCRT4.dll, GDI32.dll, USER32.dll, LPK.dll,
USP10.dll, COMDLG32.dll, SHLWAPI.dll, COMCTL32.dll, SHELL32.dll,
WINSPOOL.DRV, ole32.dll, OLEAUT32.dll, VERSION.dll, IMM32.DLL,
MSCTF.dll, QIPCAP64.dll, DNSAPI.dll, WS2_32.dll, NSI.dll,
CRYPTBASE.dll, UxTheme.dll
```
**Note:** After adding notepad.exe to the exclusion list, the following 4 DLLs
disappear:
`QIPCAP64.dll`, `DNSAPI.dll`, `WS2_32.dll`, `NSI.dll`.
49
Phase 6: Re-Test Copy-Paste in Office Applications
1 Printing from notepad.exe is now 3 Click PrtScr while notepad.exe is running
possible
2 Copy a file (violating FTKW rule)

over the LAN – still an incident
4 Copy-paste to another text editor
1. Printing from notepad.exe is now possible

a. On **Client-Win10 (192.168.122.44)** open a previously created file, e.g.
`testfile.txt` with Notepad.
b. Select **File>Print**, pick PDF995 printer driver.
c. Select the path, where the result of “printing” should be stored.
d. You should see that the file conversion happens without an incident.
2. Copy a file (violating FTKW rule) over the LAN – still an incident
a. On **Client-Win10 (192.168.122.44)** try to copy testfile.txt to a
`\\192.168.122.21\My_Share` file share.
b. See that there is an alert warning again and the file copy did not happen.
3. Click **PrtScr** while notepad.exe is running
a. Run notepad.exe editor; e.g. open testfile.txt in it.
b. Click **PrtScr**.
c. Observe that PrtScr command does not cause any alert.
d. Run **Start > paint.exe**. Copy-paste the screenshot image into the Paint
program.
4. Copy-paste to another text editor
a. In the notepad.exe application select whole text in the same testfile.txt file (it
should contain “FactoryTestKeyWord”).
b. Press **Ctrl+C** to copy it. Observe that there is no alert.
c. Open MS Word and paste the offending text into the Word editor. It should
happen without any alert warning.
50
HANDS-ON LAB
Alerts & Notifications
FORCEPOINT
© 2018 For c epoi nt
## Lab M7-c: Incident Management Script

Phase 3a: Set up Alerts
Configure link to Active Directory 2 Configure link to Active Directory
1
1. Alerts allow you to determine which DLP Manager conditions will trigger messages
to be sent to the system log (syslog) or to one or more administrator email addresses.
To set up alerts, follow the steps below.
2. Get to the Alerts configuration page
a. In the TRITON console, click **Data > Settings > General > System > Alerts**
b. Review the email alert options, then on the System > Alerts toolbar
c. Click tab **Email Properties**, specify sender = administrator@demo.com
d. Also specify recipient: click Edit, Display = Directory Entries, check next to
tmuller, and click arrow to move this user to the right-side pane.
e. Click OK at the bottom of the page. Click the yellow button Deploy.
f. Click Mail Server Settings. Configure the Outgoing Mail Server:
g. IP address or hostname = 192.168.122.21, Port = 25
h. Click the Test Connection button on the **System > Alerts > Mail Servers**
configuration page; enter address `tmuller@demo.com`. This should send a test mail
to that address.
Phase 3b: Set up Alerts
1 Check the SMTP configuration success 2 Check that the email was delivered.
and save it.
1. Check that the connection is successful. Click OK to save the Outgoing Mail Server
settings.
2. Log to **Client-Win10** machine as tmuller and open MS Outlook. See that it has
received an email from the MS Exchange.
Note: “Incoming Mail Server” settings are only relevant if you need to set up email-
based incident workflow; this setting can be left empty for now. Incident workflows
will be discussed in Session 3.
Phase 4a: Set up Notifications
1 Go to Default notifications
3 Configure outbound server for notifications
Configure
Notifications
template
Notifications are emails to inform about DLP incidents. They need recipients and
templates.
In the TRITON console, click Data > Main > Policy Management > Resources >
Notifications and then in the table of available notification templates, click Default
notification.
Configure the Notification with the following parameters:
Sender name = DLP Manager Notification
Sender email Address = administrator@demo.com
Subject = Data breach at %Incident Time%
Click button Mail Server Settings. This should refer to the same outgoing SMTP
settings that you configured in Phase 3. The SMTP configuration should be already set
to their correct values (Outgoing mail server = ******** or ********; Port = 25 )
Phase 4b: Set up Notifications
1 Select “tmuller” as a recipient of notifications 2 Notification Body
1. Add tmuller as a recipient (Select the Edit button, pick Display = “Directory entries”,
find and move ’tmuller’ to the right-hand side). Click OK.
2. Select the Notification Body tab and review the default selections and the message
text that will be sent to the recipient. Click OK and then Close. You do not need to
change anything in the Notification Body.
Phase 5: Set up Release Gateway
1 Set the Release Gateway to ESG, port 25
(Optional) Configure
2
syslog settings
Release GW is used to release emails from quarantine to their destinations (e.g. false
positives captured by our DLP policies).
1. Set release gateway to 192.168.122.24 – the P1 of ESG. You can also use the DNS
name of the ESG host.
a. In the TRITON Console, click **Data > Settings > General > Remediation** and go
to the **Release Gateway** section.
b. Configure the Release Gateway with the following parameters: IP address or host
name = `192.168.122.24`; **Port** = `25`
c. Click OK at the bottom of the page. Note green message (“Your changes were
saved”).
2. If you wish, also configure Syslog settings, e.g. set it to `192.168.122.21`, leave the
port to `514` (by default this is UDP port, not TCP port!). Click **Test Connection** -
it should send a message to the Syslog server, if it exists. These settings will be used
in the SIEM configuration: *\hyperref[lab-m8-b-integration-with-splunk]{Lab M8-b:
Integration with Splunk}*.
**Note:** Since Syslog uses connectionless UDP protocol, this “Test Connection” will
always display green success message. The only way to test, if the connection actually
succeeded, is to verify, that the “Websense Syslog Test Message” has arrived to a
Syslog console.
56
HANDS-ON LAB
Remediation Script (Incident
Management Script “CopyFiles”)
FORCEPOINT
## Lab M7-c: Incident Management Script

Scenario
1. Download the files for CopyFiles remediation script.
2. Edit the CopyFiles.py – set up a network share (e.g. \\192.168.122.22\My_Share\CopiedFiles) and
refer to it in the CopyFiles.py. Create a ZIP file with it as the only resource for the remediation
script.
3. Configure a new “Incident Management Script” – select CopyFiles.bat as its executable, and also
configure the ZIP file as additional files.
4. Pick any Network or Endpoint Discovery incident and apply the CopyFiles script.
5. Inspect, what files (and what file paths) are created on the file share on
\\192.168.122.21\My_Share\CopiedFiles.
6. Attempt to re-run the same remediation script from the command line:
Go to the c:\Program Files (x86)\Websense\Data Security\tomcat\temp (where the XML files and
LOG files are placed by default).
58
HANDS-ON LAB
Force-Release Feature
## Lab M8-c: Force-Release Feature
**Goal:** In this lab we configure force-release feature that enables anyone who
receives notification about an email incident – to release it from quarantine by
pressing just two buttons **Reply** and **Send**. It has been made easy on
purpose, so that even admins or managers who are not sitting at the computer (but
accessing email on their smartphones) can release incidents quickly. As a result,
Forcepoint DLP (even in the case of false positives, if they are blocked by some DLP
rule) does not delay legitimate business transactions; and incident processing costs
are reduced.
**The Phases**
Manual Release.
: Verify that there is some policy rule that is easy to trigger via email channel, and the
matching transactions can be blocked. (We will use the `FactoryTestKeyWord` policy
rule that was created in the Key Words and Phrases lab.) Check that incidents can be
created and released.
Configure Notification.
: Configure a new notification template that sends notifications from a force release
mailbox in your domain, e.g. ÀpDataNotificationsMBX@demo.com` (i.e. a service
email account that is not used by any person) to some actual users, e.g. Administrator
or tmuller.
Contact in Non-Routable Domain.

: Create a new contact in the MS Exchange having a non-routable domain, e.g.
ÀpDataNotificationMBX@demo.com`.
Create User to Forward to the Mailbox.

: Configure email forwarding for the force release mailbox to the non-routable
domain: all mails to ApDataNotificationsMBX@demo.com should be forwarded to
Test the Action Plan.

: Trigger an incident from the mdean account on **Client-Win10**, log in as
`tmuller`, respond to the notification.
Notify the Sender Feature.

: Verify that the incident is marked as released in the incident management table in
TRITON GUI. Configure the feature to notify the sender and also the administrator
about the released incident.
59
Phase 1: Test Manual Incident Release
1. Locate the policy FTKW and a rule of the same name inside it. Set the action plan
for this rule to Block.
2. Log in to Client-W7 as mdean. From the MS Outlook send a mail message to an
external email address. The mail message should contain FactoryTestKeyWord.
3. Verify that the email is not delivered, and an incident is created under TRITON Data
> Main > Data Loss Prevention > Incidents (last 7 days). Select the checkbox near this
incident, click Remediate > Release... Enter a comment for release and click OK.
4. Verify that the email is now delivered, i.e. the release gateway is configured
correctly.
**Note:** If incident is not released, please review Data > Settings > Remediation.
Make sure that the Release Gateway is filled in with data similar to the screenshot.
Phase 2: Configure a Notification Template
Notification sender is:
ApDataNotificationsMBX1@demo.com
1. On the TRITON APX Server, log in to the TRITON.

2. Navigate to Data > Main > Policy Management > Resources > Notifications.
3. Click New to create a new notification. The Notification Details window displays.
4. Enter My Notification as its Name, and also write something in the description
field.
5. Under Notification Properties open tab General, and enter values to match the
screenshot.
a. Sender Name: ÀpDataNotificationsMBX1`.
b. Sender email address: ÀpDataNotificationsMBX1@demo.com` (note the domain
`demo.com`).
c. Add `tmuller` among the recipients.
1. Open another tab – Notification Body. Inspect the default values there. The
checkbox “Allow recipients to release quarantined email by replying to the
notification” should be marked.
2. In this step one should use a valid internal email address (here `demo.com` is our
protected email domain). This is the name and address that will be shown in the
**From:** field of the notification email message.
Phase 3: Contact in a Non-Resolvable Domain
1 Open Exchange Management on DC 3 Pick New Contact, click Next
2 Run New Mail Contact 4
Firstname, Name,
and Alias are all
ApDataNotificationsMBX2,
Email domain is
demo.com
1. Log on to the DC machine.

2. In the Exchange Management Console, under Recipient Configuration, right-click
the Mail Contact option and select New Mail Contact from the pop-up menu. The
New Mail Contact wizard is launched.
3. In the first step (Introduction) leave the default radio button New Contact selected.
Click Next.
4. Enter details for the contact as in the 4th screenshot. Click the Edit button under
the External e-mail address field, and create a contact with an SMTP address
ApDataNotificationsMBX2@demo.com (note the strange-looking non-routable
domain `demo.com`)
5. Click **New** on the wizard. Click **Finish**.
Note: The new contact can have any name or email address, but the email should be
one that cannot be resolved by DNS. It can be routed out of the Exchange and
through the TRITON Data Security to be processed. Please note that the email alias
**ApDataNotificationsMBX2** is not identical to **ApDataNotificationsMBX1**
(specified in the previous step). On the other hand, these email aliases are also
mutually related: one would forward to the other.
Phase 4a: User for Force Release Mailbox
1 3
4
2
In the Users folder of the Active Directory Users and Computers console, create a
user with the email address of the notification sender that was configured in the
Phase 2.
1. Enter the firstname, full name and logon name to be ÀpDataNotificationsMBX1`.

Click **Next**.
2. On the next screen enter password **Forcepoint1** two times. Ensure that only
two checkboxes are marked: User cannot change password and Password never
expires.
3. Open Exchange Management Console. Navigate to **Microsoft Exchange >
Microsoft Exchange On-Premises > Recipient Configuration > Mailbox**. Right-click in
the central pane and pick **New Mailbox...** from the menu. Leave the default
choice – **User Mailbox**. Click **Next**.
4. Click Existing Users, and press button **Add**. Select ÀpDataNotificationsMBX1`
(from `demo.com/Users`). Click OK.
5. Enter ÀpDataNotificationsMBX1` as the alias for this user (i.e. set his email address
to
ÀpDataNotificationsMBX1@demo.com`). Click Next and New to finish the mailbox
creation.
Phase 4b: Create a Forwarding Rule
1
2
1. Right-click the newly created mailbox for the **ApDataNotificationsMBX1** user,

open Properties from the menu. Open tab **Mail Flow Settings**.
2. Select **Delivery Options** and click **Properties**. In the newly opened
**Delivery Options** window select **Forward to:** checkbox, click **Browse**.
Select the mail contact you created in the previous subsection – namely
ÀpDataNotificationsMBX2@demo.com`.
3. Click **OK** two times. Log out of the **DC** machine.
Phase 5: Create a Custom Action Plan
1 Add new Action Plan 3 Add Notification to Action Plan
Set actions
for channels
1. On the TRITON APX Server log into the TRITON Data Security. Edit the rule
`FactoryTestKeyWord`. Select the tab **Severity & Action**. Click an icon showing a
clean page (Add a new action plan).
2. Assign a name to the custom action plan, e.g. **My Action**. Open tab **Data
Loss Prevention**. Select action **Quarantine** for channels **Email** and
**Mobile Email**. Select action **Block** for other channels.
3. Near the bottom of the same **Action Plan Details** window, pick **My
Notification** as the template for the email notification (the one created in Phase 2)
4. Click **OK** to save the action plan settings. Click **OK** again to save the policy
rule. Click **Deploy**.
Phase 6: Test the Force Release Feature
1. Log into Client-W7 as mdean. Open Microsoft Outlook. Send an email message to
your own email address containing FactoryTestKeyWord. Log out of Client-W7.
2. Log into Client-W7 as tmuller. Check that there is a notification message. Near the
bottom of the notification message there should be an instruction how to release a
message along with the release code.
3. Reply to this message without changing anything in the message body or the email
address. I.e. ship it back to the sender – to the email
ÀpDataNotificationsMBX1@demo.com`.
Verify that the incident is released:

1. In the TRITON open **Data > Main > Data Loss Prevention > Incidents (last 7
days)**. Verify that the incident is marked as released.
2. Check your own mailbox and verify that the message is just delivered.
3. Log into **Client-Win10** as **tmuller**. Check his Microsoft Outlook. There
should be another notification message tellling that the incident message was
released from the quarantine.
Phase 7 (Optional): Configure Notifications to the Source
1. From the TRITON APX Server open SQL Server Management Studio. Login using
“Windows Authentication”.
2. Click button New Query. Paste the SQL query (given in the notes). Click Execute. It
should display a message (1 row(s) affected).
In some scenarios, where false positives are likely to occur, you may need to notify
the sender that his/her outbound email has been released from the quarantine and
has reached the intended recipient. This feature is configured directly in the
database.
```
USE "wbsn-data-security";
GO
BEGIN TRANSACTION;
GO
UPDATE PA_CONFIG_PROPERTIES SET VALUE='true'
WHERE NAME='notifyOriginalSenderOnRelease';
GO
COMMIT TRANSACTION;
GO
```
1. Log to **Client-Win10** as **mdean**. Send one more message that will trigger a
My Keywords (FactoryTestKeyWord) policy and will create a quarantined email.
2. Log to **Client-Win10** as **tmuller**. Release the incident by responding to the
notification message.
3. Log to **Client-Win10** as **mdean** again. Check that there is a notification
message, which notifies the sender that the message was released.
67
HANDS-ON LAB
Manage Policy Levels
## Lab M8-c: Force-Release Feature
**Goal:** In this lab we configure force-release feature that enables anyone who
receives notification about an email incident – to release it from quarantine by
pressing just two buttons **Reply** and **Send**. It has been made easy on
purpose, so that even admins or managers who are not sitting at the computer (but
accessing email on their smartphones) can release incidents quickly. As a result,
Forcepoint DLP (even in the case of false positives, if they are blocked by some DLP
rule) does not delay legitimate business transactions; and incident processing costs
are reduced.
**The Phases**
Manual Release.
: Verify that there is some policy rule that is easy to trigger via email channel, and the
matching transactions can be blocked. (We will use the `FactoryTestKeyWord` policy
rule that was created in the Key Words and Phrases lab.) Check that incidents can be
created and released.
Configure Notification.
: Configure a new notification template that sends notifications from a force release
mailbox in your domain, e.g. ÀpDataNotificationsMBX@demo.com` (i.e. a service
email account that is not used by any person) to some actual users, e.g. Administrator
or tmuller.
Contact in Non-Routable Domain.

: Create a new contact in the MS Exchange having a non-routable domain, e.g.
Create User to Forward to the Mailbox.

: Configure email forwarding for the force release mailbox to the non-routable
domain: all mails to ApDataNotificationsMBX@demo.com should be forwarded to
Test the Action Plan.

: Trigger an incident from the mdean account on **Client-Win10**, log in as
`tmuller`, respond to the notification.
Notify the Sender Feature.

: Verify that the incident is marked as released in the incident management table in
TRITON GUI. Configure the feature to notify the sender and also the administrator
about the released incident.
68
Policy Levels
When you create policies, you can assign them a level that indicates execution
priority order. The tree structure demonstrates the hierarchy that has been assigned.
You can have as many levels as you wish. When you create a policy level, you assign it
a name and an execution order. For example, you may create 3 levels called High,
Medium, and Low, where high-level policies are executed first, medium-level policies
second, and low-level policies last. If there is a match when data is scanned according
to the high-level policies, no scanning is performed on other levels. (Policies on the
high level are still checked.) If there is no match, data is scanned according to
medium-level policies, and so on.
Policy Levels Example
Above is an example of two Policy Levels. If a match will be found at the ‘High Priority
Policies’ level’s policies then policies within the lower level ‘Default Priority Level’ will
not be checked.
Sensitive content: books\ \\192.168.122.21\My_Share\apdata-files\fingerprinting-unstructured
business-plans\
non-english-language\
Ignore Section: \\192.168.122.21\My_Share\apdata-files\fingerprinting-unstructured
not-fingerprinted\Full
License.txt
Tests:
Gullivers Travels.txt \\192.168.122.21\My_Share\apdata-files\fingerprinting-unstructured\books\
War of the Worlds.txt \\192.168.122.21\My_Share\apdata-files\fingerprinting-unstructured\
HANDS-ON LAB
File Fingerprinting
FORCEPOINT
## Lab M5-b: File Fingerprinting
First we fingerprint 3 directories with files in the “sensitive content” mode; test that
FPR classifier by sending two testfiles:
(a) Gullivers Travels.txt is an intended match (in fact it is identical to one of the
fingerprinted files; but you can also try out a copy-pasted fragment of some book).
(b) War of the Worlds.txt is an unintended match (in a sense – a false positive); it was
detected just because it contains a shared “License” from Project Gutenberg.
In the second part of the test we fingerprint the Full License.txt as “Ignored Section”
(and re-deploy the policy). And send both test files again. This time War of the
Worlds.txt should not be detected, as it overlaps with the fingerprinted documents
only in the “Ignored Section” (i.e. the license).
The Phases
* Create File FPR Classifier

* Build File FPR Policy
* Test File FPR Policy
* Configure Ignored Section and Test Again
71
Scenario for Lab M5-a
Sensitive Content
DLP Crawler 1 FPR
Build File FPR Repository
1 4
Classifier
(Sensitive Content)
2 Deploy
File FPR Policy and
the repository
Sensitive Content
Build File FPR

4 3
Classifier
Ignored Section (Ignored Section) 4
Send
Test Emails
In this lab exercise we send two test emails (same to e-books) before and after the
Ignored Section has been configured.
Phase 1: Create File FPR Classifier
1 Content Classifiers > File Fingerprinting 2 Under Scanned Files click Edit
3 On File Types pick Office Documents
1. Select the directory to be fingerprinted:

a. Select **Data > Main > Content Classifiers > File Classifiers**.
b. Pick **New > File System Fingerprinting**.
c. Give the classifier some name (e.g. MyFPR); select root folder:
`\\192.168.122.21\My_Share\apdata-files\fingerprinting-unstructured`.
2. Select subdirectories `books`, `business-plans` and `non-english-language`.
3. Pick **Office Documents** as the filter for files to fingerprint. Finish creating the
fingerprinting classifier. Select it and click **Run**.
Phase 2: Build File FPR Policy
1 Content Classifiers > File Fingerprinting
2 Set Action Plan to Block All
1. Create a new Custom Policy with a single policy rule of the same name. Under the
Condition tab select **Add > Fingerprinting**. Select which classifier it refered to.
2. Under **Severity&Action** pick **Action Plan** = `Block All`.
Phase 3: Test File FPR Policy
1 Send two e-books (in plaintext) as attachments 1 Inspect both incidents
1. Send two books – `Gullivers Travels.txt` and also `The War of the Worlds.txt`.
2. Inspect the incidents. In case of Gullivers Travels we should get 1 policy match. In
case of War of the Worlds we should get 4 policy matches (surprisingly – 3 with books
in Portugese; and 1 with a book in Finnish). They are caused not by any similarity in
the core text, but by an overlap of Gutenberg’s project license.
Phase 4: Configure Ignored Section and Test Again
1 Select the Root Directory for Ignored Section 3 Select the only file in the ignored section:
Full License.txt
4 Select Ignored Section, and click Start

2
button to scan/train the classifier.
1. Select the directory to be fingerprinted:

a. Select **Data > Main > Content Classifiers > File Classifiers**.
b. Pick **New > File System Fingerprinting**.
c. Give the classifier some name (e.g. MyFPR); select root folder:
`\\192.168.122.21\My_Share\apdata-files\fingerprinting-unstructured`.
2. Select **Root Folder** =
`\\192.168.122.21\My_Share\apdata-files\fingerprinting-unstructured\not-
fingerprinted\`. Enter the Administrator’s credentials. Leave Domain empty.
3. In the step Scanned Files, click Edit. Select only one file to be in the ignored
section. Disable scheduling, do not export. Finish creating the classifier.
4. Select the **Ignored Section** classifier; click on Start (and check when it ends by
Reload). After it is finished, you can disable/enable some policy rule to deploy this
new classifier.
5. Send both ebooks in the same way as in Phase 3. Now only `Gullivers Travels.txt`
should create an incident.
Customer Records.csv \\192.168.122.21\My_Share\apdata-files\fingerprinting-

structured\csv\
HANDS-ON LAB
Database Fingerprinting of a CSV File
FORCEPOINT
## Lab M5-c: Database Fingerprinting of a CSV File
In this lab we start with a CSV file – in this case the database (data structured in a
table) is small, but there are no DB connectivity issues. It is also easier to inspect the
plaintext file to see why one or another combination of data caused a policy match.
Outline of the Phases
Phase 1:
: Inspect CSV; change encoding to UTF-8.
Phase 2:
: Create Classifier.
Phase 3:
: Traind the Classifier.
Phase 4:
: Configure Database Fingerprinting policy.
Phase 5:
: Test Database Fingerprinting policy.
77
Scenario for Lab 4b
Train
DLP Crawler DB FPR
CustomerID SSN ContactName Address CreditCard (on Manager or Classifier
MRSRV)
… … … … … 3 FPR
Repository
1 Change encoding to UTF-8
CustomerID SSN ContactName Address CreditCard 2

Configure
… … … … … DB FPR Classifier
4 Deploy
DB FPR Policy and the
repository
No 2 records:
5 Not a match
AP-EMAIL
2 full records:
5 A match
In this lab we first prepare the data as a UTF-8 encoded CSV file (step 1). Then read it
into DLP Crawler - there may be multiple crawlers in the deployment, we can pick any
one (step 2). This file is then processed into a DB FPR classifier that is a part of FPR
repository (step 3). Then we develop a DLP policy with this classifier and deploy it to
the system modules including AP-EMAIL (step 4). Finally we send a few tests – one of
them should not trigger the policy (no 2 leaked records), the other should (because
there are
Phase 1: Inspect CSV; Change Encoding to UTF8
1 Open Customer Records.csv 2 In a new text editor panel switch
encoding to UTF-8
2 Copy-paste to the new panel and save.
1. Log into **FSM (192.168.122.21)**, with Windows Explorer locate directory

`\\192.168.122.21\My_Share\apdata-files\fingerprinting-structured\csv`.
Right-click file `Customer-Records.csv` and open it with Notepad++. You should see
some proper names in Spanish or German (that include non-ASCII characters – Latin
letters with various accents). Also in the bottom-right corner it says ANSI. This means
that the file is not properly encoded (modified Latin letters use Win-1252 encoding or
similar – one letter = one byte). We should use Unicode (UTF-8 encoding) instead. It
encodes all modified Latin letters with 2 bytes. Only such format can be read by DLP
crawler.
2. Open another Notepad++ window. Switch encoding to UTF-8.
3. Copy paste the text from the ASCII-encoded text editor panel to the new panel.
The file content should look the same (it still displays modified Latin letters), but at
the bottom-right corner the eitor says UTF-8. Save this file as `Customer
Records.utf8.csv`.
**Note:** Large files may be difficult to convert into UTF-8 with a text editor
application. In these cases the UTF-8 encoding should be ensured by the exporting
procedure. (Or you should use database connection instead of CSV.)
Phase 2: Configure Classifier
1 Pick New > CSV File Fingerprinting 3 Copy the network location of
Customer Records.utf8.csv
created in the previous step.
2 Select a Name
4 Enter the credentials for the data source
1. Log into *FSM*. Go to **Data > Main > Policy Management > Classifiers >
Database Fingerprinting**. Select **New > CSV File Fingerprinting**.
2. Enter the name of the DB fingerprinting classifier – e.g. `MyDBFpr` (you can also
select which crawler to use, in case if you have many).
Phase 3: Complete the Classifier and Train It
1 Pick data fields; disable scheduler 2 Pick data fields; disable scheduler
3 Cancel the dialogue

to create DLP Policy.
Train the classifier.
1. Select “CustomerID”, “SSN”, “ContactName”, “Address”, “CreditCard” fields in the

checkboxes. Click **Next>**. Uncheck the Enabled checkbox in the Scheduler (we
will run this fingerprinting task once - manually).
2. Leave the default choice Full fingerprinting. Click **Next>**. Do not export
anything, click **Finish**.
3. Click **Cancel** to dismiss the dialogue. Select the DB Fingerprinting classifier,
click **Start** to start crawling the database and building the classifier. Click
**Refresh**, until the classifier displays status Completed.
Phase 4: Configure DB Fingerprinting Policy
2 Set the threshold
1 Create Custom Policy;

pick Fingerprinting, select
MyDBFpr, and pick
two fields.
1. Create a new custom policy, write its name, click Next>. Under Condition tab select
**Add > Fingerprinting**. Select the classifier `MyDBFpr` created in the previous
step, select 2 fields (CustomerID, SSN).
2. Edit the threshold – pick value “at least 2”. (When matching just 2 DB fields, it is
recommended to have threshold at least 3, but here we are just experimenting.) Click
**Next>**. Set action to `Block All` and finish creating the rule.
**Note:** It is common to add the same DB Fingerprint classifier and pick another
set of database fields (and add another threshold). So the full condition of such DLP
rule becomes
Phase 5: Test DB Fingerprinting Policy
Send 2 test
messages:
Message1
2 Inspect the incident

Message2
1. Send 2 email messages from the to your personal mailbox. Use these email bodies:
a. ÀLFKI, 564-32-6547, ANTON, 536-23-5673` (Message 1)
b. ÀLFKI, 463-23-6477, ANATR, 564-32-6547` (Message 2)
2. Inspect the incidents, see the forensics and see the violation triggers (there are 2
matches that meets the threshold = 2 – i.e. there was attempt to leak 2 records).
**Note:** Only Message2 should trigger an incident (it contains 2 valid combinations
of CustomerID+SSN), while Message1 contains two CustomerIDs and two SSNs, but
each data item is taken from a different row.
HANDS-ON LAB
Network Discovery
FORCEPOINT
## Lab M7-a: Network Discovery

Phase 1a: Create a US SSN Discovery Policy
Policy Management >
1 3 Pick US SSN (Wide) classifier
Discovery Policies > Manage
Policies
2 Custom US SSN rule
4 Finish creating the policy (default severity and action plan)
1. Open **Main > Policy Management > Discovery Policies > Manage Policies**.
Select from the menu **Add > Custom Policy**.
2. Enter Policy name = ÙS SSN`, leave **Use the policy name for the rule name**.
Click **Next**.
3. Select **Add > Patterns \& Phrases**, enter **Filter by:** = `SSN`. Leave threshold
`1`. Click **Next**.
4. Leave `Medium` severity and **Audit Only** action plan. Click **Finish**.
5. Also add a policy to detect instances of `FactoryTestKeyWord`. Deploy the changes.
Phase 1b: Add “FactoryTestKeyWord” as a Discovery Rule
1. In *FSM* open **Data > Main > Policy Management > Discovery Policies > Manage
Policies**.
2. Click **Add > Custom Policy**, enter **Policy Name** = `FactoryTestKeyWord`,
leave **Use the policy name for the rule name**, click **Next**.
3. Under **Condition** tab, click **Add > Patterns & Phrases …**, in the dialogue
that opens, enter **Filter by:** = `FactoryTestKeyWord`, click **OK**. Click
**Next**.
4. Under **Severity and Action** pick **Action Plan** = `Block All’. (This predefined
action plan does not have any meaning for discovery policies yet; unless we associate
it with some remediation script.)
Phase 2: Configure a Network Discovery Task
1 Define IP range 192.168.122.[1-200] 2 File System Discovery task 3 Enter folder and credentials
4 Pick Network created earlier
1. Open **Policy Management > Resources > Networks**. Enter a new IP address
range from `192.168.122.1` to `192.168.122.200`.
2. Open **Policy Management > Discovery Policies > Network Discovery Tasks**.
From the menu pick **New > File Discovery > File System Task**.
3. In **General** tab enter the name `My Discovery`. Select `Crawler fsm` as the
crawler. Click **Next >**
4. Select **Display:** = `Networks`. Check next to `Server Farm`, press the arrow to
move it to the right pane. Click **OK**, click **Next >**.
Phase 3: Select Schedule, Policies, File Filter, Advanced Settings
1 2 Set schedule = Once 4 Pick “Filter by Type” and select all “Office” file types.
Enter the folder
3 Pick discovery policies
5
Set preserve
Access time
1. Pick **Specific folders** = `\My_Share\apdata-files`, **Method** = `TCP`. Enter

the credentials **Administrator@demo.com** and password **Forcepoint1**.
2. Leave **Enable** selected, pick **Run scan** = Ònce`. Click **Next >**.
3. Select discovery policies (**US SSN** should be configured earlier; for additional
confidence to find something – also add **FactoryTestKeyWord**).
4. Pick **Office Documents** as file extensions that will be scanned.
5. Under **Advanced** select **Preserve original access time**. Click **Finish**.
Deploy the new discovery task.
Scan Results: Inspect the Report, Configure Load Balancing
3 View the errors 2 View the discovery report
Inspect the load

3
balancing
1. In TRITON navigate to **Data > Main > Policy Management > Discovery Policies >
Network Discovery Tasks**. Open the task created during the previous step. Click on
the link **Completed with errors**. It should display the machines in the configured
network that do not contain the shared folder (e.g. `\My_Share\apdata_files`) that
was required on all the servers in the network.
2. Also click on **Download Discovery Report** button. Unzip and view the report. It
should display the files that were visited.
3. In *FSM* navigate to **Data > Settings > Deployment > System Modules**. Click
on **Load Balancing** button, select **Crawler fsm**. Make sure that it uses **All
available policy engines** (i.e. part of the traffic is analyzed also on **MRSRV**).
Trouble 1: Task is Stuck Forever
1 Discovery task is stuck forever
Symptom: “0 percentage” progress stays indefinitely. This may be caused by

inaccessible file shares; improper load balancing on the crawler.
1. Try to edit the task, change the root folder (or file filters), or leave as it is. Set
scheduling to “Once”. Save the discovery task. Select the saved task, click on
**Start** button.
Trouble 2: Crashed Crawler and Deleting Discovery Tasks
1 Crawler crashes and discovery task
cannot be re-started
2 Reminder to clean out the Discovery Job
3 Observe, if the delete action was successful
Crawler (if on **FSM (192.168.122.21)**) may become unavailable. In this case

deleting the discovery task from the TRITON manager GUI is not enough – if crawler
starts up, it may resume doing the deleted tasks. To avoid this, discovery tasks need
to be deleted manually.
1. Log onto the machine that should perform the discovery task (**FSM
(192.168.122.21)** or **MRSRV**).
2. Move to `%DLP-HOME%\DiscoveryJobs`. Open every `discovery.xml`, look at the
first line. As soon as you see XML outer element with **name**=`MyDiscovery` (or
whatever name you used). Look at the **id** attribute of this element. For example:
ìd="3178b4f9-96fe-4554-ad1d-eaa29fa23374"`
3. Run the manual deletion command:
a. Open `cmd`, move to `%DLP-HOME%\packages\Services`
b. Run the following command:
```
Python WorkSchedulerWebServiceClient.pyc -o startWorkerScheduler
Python WorkSchedulerWebServiceClient.pyc -o deleteJob -j #jobId#
```
This command could issue an error message, and the discovery job does not exist
anymore. It may still show up in **Data > Main > Policy Management > Discovery
Policies > Network Discovery Tasks** - even after it is deleted from the crawler’s
machine.
91
HANDS-ON LAB
Endpoint Discovery
FORCEPOINT
## Lab M7-b: Endpoint Discovery

Scenario
1. Make sure that “FactoryTestKeyWord” and “PCI Audit” are configured as Discovery policies.
2. Copy some files from apdata-files to the Client-Win10 (192.168.122.44) desktop.
3. Create an Endpoint Discovery Task for Client-Win10 (192.168.122.44), visit only “Office” filetype
(regardless of size and age), schedule the scan to happen only once.
4. Deploy the policy and synchronize on the Endpoint. Notice when the Endpoint Discovery task
displays the number of scanned files and goes into the idle state.
5. Wait approximately 30 minutes; make other demonstrations.
6. Observe the endpoint discovery incidents.
93
jena300-training.zip \\192.168.122.21\My_Share\apdata-files\machine-learning\
jena300-testing-flat.zip \\192.168.122.21\My_Share\apdata-files\machine-learning\
ml-test.bat \\192.168.122.21\My_Share\apdata-files\machine-learning\
HANDS-ON LAB
Machine Learning
FORCEPOINT
## Demo M5-d: Machine Learning
You can download the file resources as described in Slide 1.
Resource description:
* jena300-training.zip – an unflattened directory with Java source files used to train

the ML classifier
* jena300-testing-flat.zip – a flattened directory with Java source files used to test the
ML classifier
* ml-test.bat – a BAT script that makes PolicyEngineClient.exe calls, one per every
Java source file in jena300-testing-flat.zip (assuming it is unzipped in a certain
location).
Lab Objective: Configure and test Machine Learning classifier using Java source code.
In order to get a higher-level view on what is detected by the Machine Learning
classifier, we test it by an automated test script that submits about 200 files to the
Policy Engine – to see, how many of them were detected.
All the Java files used for testing are from the same Apache Jena project as the Java
files in the positive/training set. But they are NOT the same files – training and testing
file sets do not overlap. This demonstrates an important principle of Machine
Learning – it creates policy matches not upon copy-paste, but upon (lexical) similarity
of the target file with the set of positive examples. Clearly, files in the same Java
project share certain identificators, library names, etc. But unlike fingerprinting, the
confidence is not absolute. There might be false positives and false negatives. In fact,
about 20% of the testing-set files are not detected by the classifier (which is still OK,
because ML classifier would still detect any massive leak of source code of a Java
project).
94
Scenario for Lab 4c
Apache Jena Project:
https://jena.apache.org/download/index.cgi DLP Manager
training set Create ML Classifier from positive

1 examples (Jena project) and Java and C
negative examples (genericJava+C source code
testing set source code).
Crawler + ML PolicyEngineClient
Java files in same project split generator
into two parts: Unpack and Run BAT Script
Check Path 2 File System to Test Policy
1st part – build ML classifier Names 3
2nd part – test ML classifier
Policy Engine
Machine Learning is often used to protect source code, so this lab starts with a real-
life Java project (Apache Jena 3.0). The Java files in this project are divided into two
approximately equal parts (training set and testing set). Training set is used as
“positive examples”. Machine Learning classifier also needs “negative examples” –
but these are supplied by DLP product itself.
Phase 1: Prepare Training/Testing Sets; Set ML File Share
1 Unzip directories with training set and testing set 3 Select the file share for the classifier:
Create a new Machine

Learning classifier
1. Log into **FSM (192.168.122.21)**.

a. Navigate to the directory `\\192.168.122.21\My_Share\apdata-files\machine-
learning`
b. Right-click both ZIP files – `jena300-testing-flat.zip` and `jena300-training.zip`,
pick **7-Zip > Extract Here**.
**Note:** Depending on how you unzip, the archiving tool can create an extra
directory level. E.g. it might happen that instead of
`\\192.168.122.21\My_Share\apdata-files\machine-learning\jena300-training\jena-
core`
you get a different name. In this case you might want to eliminate extra directory
“jena300-training” (or update the lab instructions and automated testing script to
reflect the real directory structure).
2. In the *FSM* navigate to **Data > Main > Classifiers > Machine Learning**. Click
**New**. Select **Name = JenaML**. Click **Next>**
3. Enter the credentials as shown in the screenshot: **Username** = Àdministrator`,
**Password** = `Forcepoint1`, **Domain** = `demo.com`. Set root folder to:
`\\192.168.122.21\My_Share\apdata-files\machine-learning`
Phase 2: Complete and Train the ML Classifier
1 Select the Scanned Folder (positive examples) 2 Train the classifier
1. Next to “Positive Examples” click on Browse button and select jena300-training

subdirectory (of the Windows share selected in the pervious step) to be scanned.
Click **Next>**. Leave the scheduler page unchanged. Click **Next>**. Click
**Finish**.
2. In the list of all Machine Learning tasks, select the newly created JenaML task, click
button Start. The ML classifier starts to build itself, click Refresh. The status of this ML
task should go from Pending to Preprocessing to Processing to Training to Completed.
If positive/negative training sets are poorly chosen, there is no usable classifier – in
this case you need to adjust these sets of files. For our Java code samples the
classifier should be created (Accuracy is $98\%$ or similar); and it is “Ready for Use”.
Phase 3: Create an ML-based DLP Policy
1 Create a New Custom Policy 2 Add Machine Learning classifier
1. Log into *FSM*. Go to the **Data > Main > Policy Management > DLP Policies >
Manage Policies**. Select **Add > Custom Policy**. Select **Policy Name** =
`JenaML.` Click **Next>**
2. Under “Condition” tab click Add > Machine Learning. Pick the only classifier that
was created in the previous step. Click OK. Under Severity&Action tab select Action
=Block All. Finish creating the rule. Deploy the policy changes.
Phase 4: Run the Automated Test Script
1 Run test-ml.bat
2 Inspect the traffic log 3 Inspect incidents and their forensics
1. On **FSM (192.168.122.21)** machine open cmd (command-line window),

navigate to
`\\192.168.122.21\My_Share\apdata-files\machine-learning`.
Run test-ml.bat and wait until it finishes (During the script execution you can also
open the incident table **Data > Main > Reporting > Data Loss Prevention > Incidents
(last 7 days)**, click **Refresh** a few times and see how fast the incident list
populates with incidents).
2. In *FSM* navigate to **Data > Main > Logs > Traffic Log**. Refresh, to see the
latest incidents. Estimate the percentage of green checkmarks among all the items in
the traffic log to see what is the recall/sensitivity of this classifier (in our experiment
it was something between $80\%$ and $90\%$).
3. Also visit **Data > Main > Reporting > Data Loss Prevention > Incidents (last 7
days)**. Inspect the incident details. Select some incident and open its forensics in
another browser tab (click filename and select Preview in new window). Observe the
selected words in the forensics (the words that were used by this classifier to
measure frequencies and to determine).
HANDS-ON LAB
Analytics Engine
## Lab M1-d: Analytics Engine
**Goal:** Analytics Engine is meant to highlight incidents with the highest perceived
risk (using the AE built-in heuristics). This lab is near the beginning of the class on
purpose. As we create various incidents during this course, it may be interesting to
compare their respective risk ranks.
Check the HW before Installing Analytics Engine
192.168.122.55 root/Forcepoint1!
Find out the distro and release name, and also the kernel version (for BOTH server and
target):
cat /etc/*-release
uname -a
Check hardware parameters for the Investigative Server. (Check that hard drive is about
100GiB, RAM memory is about 8GiB, at least 4 CPU cores. Type these commands:
fdisk –l
df -H
free
nproc
lscpu
http://www.websense.com/content/support/library/data/v83/install/install_dss.pdf
These are commands to create CentOS partition (in the increased space configured
by VMWare) that will be used to install Analytics Engine:
```
parted /dev/sda
mkpart primary ext4 22GB 100GB
cat /proc/partitions
/sbin/mkfs -t ext4 /dev/sda3
e2label /dev/sda3 /work
mkdir /work
```
Upgrade from CentOS 6 to CentOS 7.

https://tecadmin.net/how-to-upgrade-centos-6-to-latest-release/
https://wiki.centos.org/TipsAndTricks/CentOSUpgradeTool
```
(this includes yum -y update kernel)
```
101
Prepare CentOS Environment
yum clean all
yum update
yum -y install apr apr-util perl-Switch unixODBC
Enable EPEL:
yum install epel-release
yum install freetds
yum install wget
cd /tmp
wget http://participant:roadshow@85.254.250.28/downloads/dlp-course/v83-
software/AnalyticsEngine83
chmod u+x AnalyticsEngine83
./AnalyticsEngine83
If you need to re-run the installer wizard, log into CentOS machine again and run
these commands:
```
source /etc/profile.d/ae_env.sh
wizard
```
Running AE Registration Wizard
source /etc/profile.d/ae_env.sh
wizard
(enter IP = 192.168.122.21, user = admin, password = Forcepoint1! )
This variant of a setup wizard allows to configure custom SQL Server

wizard -a new
(SQL = 192.168.122.20, user = demo\Administrator,
password = Forcepoint1 )

Set Risk Threshold, Run Client
Manual run: You can now run the client and start the importing and analysis
phase. Before you start the client, open a new window in PUTTY session and tail
the Log file to make sure the import has started.
tail -f /opt/websense/AnalyticsEngine/Logs/AEClient.log
To run the client do the following:
/opt/websense/AnalyticsEngine/scripts/ae_run
**Logging**
Configuration for the ÀEClient.log` file and log itself can be found here:
```
/opt/websense/AnalyticsEngine/conf/AnalyticsEngine.log.config
/opt/websense/AnalyticsEngine/Logs
```
**Results**
Once the import and analysis are done, a report will be generated in zip form
and emailed to the configured recipient. The report can also be found here in a
locked zip file:
```
/opt/websense/AnalyticsEngine/reports
```
Sample Incidents
You could now cause incidents with various scores (e.g. try getting all 5 colors). To see
them in the report, re-run àe_run` (previous slide). Here are some examples:
* **Score 1.3:** Leaking keyword `FactoryTestKeyWord`.

* **Score 3.4:** Leaking an encrypted file (RC4) where Web DLP “Malware
Detection” policy is on.
* **Score 7.2:** Leaking more than 100 credit card numbers with predefined “PCI
Audit” policy on.
* **Score 8.1:** Leaking password files (SAM, shadow) with Web DLP “Malware
Detection” policy on.
You could also click the (i) icon to get additional information, why the risk ranking
algorithm has assigned given score. There are various drill-down capabilities for each
of the displayed cluster of incidents. Multiple related incidents make one “case”.
There could be up to 20 such cases every day.
Scheduled Task
The client will run with a scheduled task that is configured to run every
night. Task is available at:
/etc/cron.d/ae_daily_import

Changing the Analysis Period
If the analysis ran at least once:
 Open the file:
/opt/websense/AnalyticsEngine/UBA_Output/ae_data/last_exe
cution_information.json
 Erase the following json entry: "last_analysis_start_date": <date>.
The default analysis period is 90 days. To change the analysis period to the last
<X> days:
 Open configuration file in path:
/opt/websense/AnalyticsEngine/conf/UBAConfiguration.yml
 Change "analysis_period_days" entry to< X>.
107

DLP Lab Guide

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

DLP Lab Guide

Uploaded by

Copyright:

Available Formats

Forcepoint DLP Bootcamp

Email appliance admin / Forcepoint1!

Boldon James demo\Administrator / Forcepoint1

Copyright © 2017 Forcepoint. All rights reserved. | Day1-Slide2

## Lab M4-c: Scripts for Credit Card Numbers

2 Add “PCI Audit” predefined policy,

Copyright © 2018 Forcepoint. All rights reserved.

3 Pick “Block All”

Copyright © 2018 Forcepoint. All rights reserved.

2 Inspect the incident

Copyright © 2018 Forcepoint. All rights reserved.

1. Log into **Client-Win10 (192.168.122.44)** as `tmuller`. Open Outlook and send

Copyright © 2018 Forcepoint. All rights reserved.

## Lab M3-a: Dictionary Classifiers

Copyright © 2018 Forcepoint. All rights reserved.

## Lab M3-b: Regular Expressions

Copyright © 2018 Forcepoint. All rights reserved.

1. Create regex classifier:

Copyright © 2018 Forcepoint. All rights reserved.

Copyright © 2018 Forcepoint. All rights reserved.

1. Open website \url{http://dlptest.com/} and try posting the phone numbers

## Lab M4-a: File Classifiers

Copyright © 2018 Forcepoint. All rights reserved.

Copyright © 2018 Forcepoint. All rights reserved.

## Lab M4-d: Cumulative Rules

2 Configure cumulative rule to detect 3 CCN in a 5-minute time window

Copyright © 2018 Forcepoint. All rights reserved.

3 Run the test-script with waiting times

Copyright © 2018 Forcepoint. All rights reserved.

1. On the **FSM (192.168.122.21)** locate the file

Copyright © 2018 Forcepoint. All rights reserved.

## Demo M3-c: Custom Logic

Copyright © 2018 Forcepoint. All rights reserved.

In this example we can test these properties of dictionaries:

Copyright © 2018 Forcepoint. All rights reserved.

1. Log into FSM, open Forcepoint Security Manager.

On the Client-Win10 navigate to the file Email with an attachment

Copyright © 2018 Forcepoint. All rights reserved.

Test this policy:

## Lab M4-e: Policy Exceptions

**Objective:** Create a policy to block any emails to “gmail.com” domain (action =

1. Assign “Department” and Create a group in the AD.

CN=Engineering,DC=demo,DC=com Christiano Ronaldo (department=Sales)

CN=HR,DC=demo,DC=com Chad Smith (department=Sales)

 General rule: Sending email from enterprise mail accounts to “gmail.com”

Copyright © 2017 Forcepoint. All rights reserved. | Day2-Slide25

Copyright © 2017 Forcepoint. All rights reserved. | Day2-Slide26

1. Assign attribute Department

Copyright © 2017 Forcepoint. All rights reserved. | Day2-Slide27

1. Log into **FSM**, open *Security Manager*.

Copyright © 2017 Forcepoint. All rights reserved. | Day2-Slide28

Copyright © 2017 Forcepoint. All rights reserved. | Day2-Slide29

1. Add policy exception to the `AnyGmail` rule.

## Lab M6-c: Encryption with User Password

2 Assign the Action Plan to the FTKW rule

Copyright © 2018 Forcepoint. All rights reserved.

1. Create Action Plan named User-Encrypt

Copyright © 2018 Forcepoint. All rights reserved.

1. Run the ImDisk Virtual Disk Driver

Copyright © 2018 Forcepoint. All rights reserved.

1. Format virtual disk

2 ZIP the virtual image file

Copyright © 2018 Forcepoint. All rights reserved.

1. Inspect the created files, unmount E drive

1. Log into Client-Win10 (192.168.122.44) as `tmuller`. Open Outlook and send

1. On the FSM (192.168.122.21) locate the file

Objective: Create a policy to block any emails to “gmail.com” domain (action =

1. Log into FSM, open Security Manager.

Objective: In this lab we attempt to get incidents on as many Data Endpoint

1. Log in to Client-Win10 (192.168.122.44) to test form submission (with a POST

Note: In steps 1 and 2 we do not care that `FactoryTestKeyWord` is a short POST

Note: Here is the tasklist output before the exclusion of notepad.exe:

1. Right-click the newly created mailbox for the ApDataNotificationsMBX1 user,