Sophos Firewall
FW0510: Sophos Firewall Features and the Attack Kill Chain
April 2022
Version: 19.0v1
© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.
DURATION
20 minutes
In this chapter you will learn what security features Sophos Firewall uses to protect networks, and
how they map onto the attack kill chain.
The Sophos Firewall is a full featured firewall and security device that can be used in many
different scenarios. It can be placed at the edge of the network or inline behind other security
devices. It can be the sole point of security for a network, operating at the edge and providing
multiple services, or be used to augment an existing implementation providing services that other
devices lack.
[Figure: the attack kill chain: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Behaviour (pre-breach and post-breach phases)]
We will now look at the protection features offered by Sophos Firewall. To do this, we will show
adversary tactics and techniques and how Sophos Firewall is able to stop complex attacks at each
phase of an attack.
By reviewing these techniques, you will get a better and more reliable understanding of Sophos’
ability to stop the attacker’s techniques at each of the phases.
[Figure: the attack kill chain: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Behaviour (pre-breach and post-breach phases)]
The first part of the anatomy of a cyber attack is reconnaissance and weaponization. Hackers
usually start by passively researching and gathering information about the target organization, for
example, email addresses of key players in the organization such as CEOs and company directors.
During passive reconnaissance, the attacker is not touching your network or systems so there is
nothing to detect.
During active reconnaissance, they may actively look for network ranges, IP addresses, and domain
names, using port scanners or finding information about the company being sold on the dark web.
Weaponization is done on the attackers’ device so there is nothing to detect with the Sophos
Firewall.
Now we come to the Delivery stage. This stage of an attack is defined by the attacker being able to
access your estate through an attack vector, for example an email, and deliver malware to a
specific target. This is sometimes referred to as delivering a weaponized bundle to a target.
[Figure: phishing flow. A cyber criminal sends an email to the victim; the victim is led to a phishing website (infiltrate); the attacker collects the victim's credentials (data theft); the attacker uses the victim's credentials to access the legitimate website]
Attackers may send emails to users asking them to click on a link or go to a website that is
compromised. This is referred to as Phishing. Typically, in a phishing scam, you and many of your
colleagues will receive an email that appears to come from a reputable organization and will
sometimes include attachments which, if opened, can infect a device. Attackers will use social
engineering tactics over social networks, emails, applications, phone calls, text messages and in
person to get people to reveal sensitive information. Typically, the attack is designed for some of
the following purposes:
Many malware infections begin with a user visiting a specifically designed website that exploits
one or more software vulnerabilities. This can be triggered by a user clicking on a link within an
email or browsing the Internet. This type of infection will happen silently.
Genuine websites can be compromised by attackers who place malicious advertisements on the
site. In other cases, traffic to the website may be redirected to the attacker's server. The
redirected site is designed to look authentic and usually requests a username and password to login.
[Additional Information]
You can find out more about social engineering and how it can be prevented by watching the video
on Sophos’s Naked Security page.
Sophos Firewall protects you by scanning HTTP and HTTPS traffic for unwanted content or
malware.
• Web Filtering provides pre-defined filters that automatically block access to categorized
websites, such as gambling or pornography
• Live Protection provides real-time lookups to SophosLabs to check for any threats and prevent
them from infecting the device/network
• Pharming Protection prevents users from being re-directed to fake or compromised websites
• Certificate validation validates websites certificates to ensure legitimacy
• File type filtering is based on MIME type, extension and active content types. This can be used
to block macro enabled documents for example
• Enforcing SafeSearch, which is a feature of Google Search that acts as an automated filter of
pornography and potentially offensive content
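The file type filtering bullet above says the check is based on MIME type, extension and active content, and gives macro-enabled documents as the example. The following Python is an added illustration of why all three checks are needed, not code from Sophos Firewall: a macro-enabled document can be renamed to a .docx and served with a harmless MIME type, and only the active-content check (looking for a vbaProject.bin part inside the OOXML zip container) still catches it. The MIME and extension sets and the sample documents are this example's own assumptions.

```python
import io
import zipfile
from dataclasses import dataclass

# Macro-enabled Office MIME types and extensions. These are the standard
# registered values; the firewall's own internal lists are not on the page,
# so using them as the policy's "macro enabled" set is an assumption.
MACRO_MIME_TYPES = {
    "application/vnd.ms-word.document.macroEnabled.12",
    "application/vnd.ms-excel.sheet.macroEnabled.12",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.12",
}
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}


@dataclass
class Verdict:
    blocked: bool
    reason: str


def has_vba_project(data: bytes) -> bool:
    """Active-content check: OOXML documents are zip containers, and a
    vbaProject.bin part inside one means the document carries VBA macros,
    whatever the file is called or what MIME type the server declared."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def check_download(filename: str, declared_mime: str, data: bytes) -> Verdict:
    """Apply the three checks the page lists (extension, MIME type, active
    content). Any single hit is enough to block the download."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    if ext in MACRO_EXTENSIONS:
        return Verdict(True, f"extension {ext} is macro-enabled")
    if declared_mime in MACRO_MIME_TYPES:
        return Verdict(True, f"MIME type {declared_mime} is macro-enabled")
    if has_vba_project(data):
        return Verdict(True, "active content: vbaProject.bin inside OOXML container")
    return Verdict(False, "no macro indicators found")


def build_ooxml(with_macros: bool) -> bytes:
    """Constructed sample input: a minimal zip laid out like a Word document,
    optionally carrying a vbaProject.bin part (placeholder bytes, not real VBA)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    docx = "application/vnd.openxmlformats-officedocument.wordprocessingml.document"
    print(check_download("report.docx", docx, build_ooxml(False)))   # allowed
    print(check_download("report.docx", docx, build_ooxml(True)))    # blocked on content
    print(check_download("invoice.docm", "application/octet-stream", b""))  # blocked on extension
```

The order of the checks matters only for the reason reported; the point of the example is that the cheap metadata checks (extension, declared MIME type) are controlled by the sender, while the container inspection is not.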
The Web Protection feature is customizable; for example, restricting users' surfing quota and access
time allows control over what users can have access to and when. If you wanted to restrict your
users from being able to access websites that are not business essential, you can place a restriction
in the web policy that blocks access to non-business sites, for example social networking sites.
[Figure: Sophos Firewall sits between a cyber criminal on the Internet and the email servers, with a quarantine for held messages]
To protect against email attacks, Email Encryption and Control can be used.
The email scanning engine will scan all inbound emails for malicious content. You control what
emails can be received into your network:
• IP Reputation is enabled allowing you to determine whether you accept, reject or drop emails
that are sent from known spam senders
• File-Type detection is configured to scan and block specific file types. For example, you can
block or quarantine any macro enabled files from being received by any senders
The email scanning engine will also detect phishing URLs within e-mails and block those emails
accordingly. As well as scanning inbound and outbound emails for malicious content, the email
protection allows you to encrypt emails so that you can send sensitive data securely out of your
network.
It uses SPX encryption for one way message encryption and recipient self-registration SPX
password management. This encryption is simple and secure and does not require certificates or
keys. It also allows users to add attachments to SPX secure replies to allow your users to securely
send files.
Email protection also uses our Data Loss Protection (DLP) engine, which automatically scans emails
and attachments for sensitive data. This is also a key benefit at the last stage of the attack which
we’ll talk about later in the module.
[Figure: Sophos Firewall sends the file hash to Sophos zero-day protection to determine the file's behaviour]
Sophos zero-day protection uses next-gen sandbox technology with integrated deep learning,
giving your organization an extra layer of security against ransomware and targeted attacks. It
integrates with your Sophos Firewall and is cloud-delivered, so there’s no additional hardware
required. It’s the best defense against the latest payload-based malware lurking in phishing attacks,
spam, and file downloads.
Let’s look at how Sophos zero-day protection tests for and identifies possible malware.
The Sophos Firewall accurately pre-filters traffic using all the conventional security checks,
including anti-malware signatures, known bad URLs and so forth, so only previously unseen
suspicious files are submitted to Sophos ensuring minimal latency and end user impact.
If the file is executable or has executable content, the file is treated as suspicious. Sophos Firewall
sends the file hash to Sophos, to determine if it has been previously analyzed.
If the file has been previously analyzed, Sophos passes the threat intelligence to the Sophos
Firewall. Here, the file will be delivered to the user’s device or blocked, depending on the
information provided by zero-day protection.
Sophos Firewall keeps a local cache of file hashes and the results in a local database to prevent
unnecessary lookups.
Finally, Sophos Firewall uses the detailed intelligence supplied by zero-day protection to create
deep, forensic reports on each threat incident.
[Figure: Sophos Firewall sends a copy of the file to Sophos zero-day protection to determine its behaviour]
If the hash has not been seen before, a copy of the suspicious file is sent to Sophos.
Here, the file is executed, and its behavior is monitored. Once fully analyzed, Sophos passes the
threat intelligence to Sophos Firewall which will determine if the file is allowed or blocked.
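The lookup path described above (pre-filter on executable content, consult the local hash cache, ask Sophos whether the hash has been analysed, and only submit a never-seen file) is easy to get wrong in small ways, for example by forgetting to cache the sandbox result so that every copy of the same file is resubmitted. The following Python models that flow as an added example; it is not Sophos Firewall code, the executable-content test by magic bytes is an assumption (the page does not give the real rule), and the cloud intelligence table and sample files are constructed.

```python
import hashlib
from typing import Callable, Dict, Optional, Tuple

ALLOW = "allow"
BLOCK = "block"
SUBMIT = "submit-for-analysis"   # hash unknown: the file itself goes to the sandbox


def has_executable_content(data: bytes) -> bool:
    """The page says files that are executable or contain executable content
    are treated as suspicious; the precise rules are not on the page, so this
    magic-byte check for PE (MZ) and ELF images is an assumption."""
    return data.startswith(b"MZ") or data.startswith(b"\x7fELF")


class ZeroDayPreFilter:
    """Models the lookup order: local hash cache, then a hash lookup against
    the cloud service, and only a never-seen file is submitted for analysis."""

    def __init__(self, cloud_lookup: Callable[[str], Optional[str]]):
        self.cloud_lookup = cloud_lookup       # returns a verdict, or None if never analysed
        self.local_cache: Dict[str, str] = {}  # sha256 hex -> verdict
        self.lookups_sent = 0

    def evaluate(self, data: bytes) -> str:
        if not has_executable_content(data):
            return ALLOW   # conventional checks (signatures, bad URLs) assumed to have passed
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.local_cache:
            return self.local_cache[digest]
        self.lookups_sent += 1
        verdict = self.cloud_lookup(digest)
        if verdict is None:
            return SUBMIT  # caller sends the file; the result arrives via record_analysis()
        self.local_cache[digest] = verdict
        return verdict

    def record_analysis(self, data: bytes, verdict: str) -> None:
        """Store the sandbox result so later copies of the same file need no lookup."""
        self.local_cache[hashlib.sha256(data).hexdigest()] = verdict


# Constructed samples and a constructed cloud intelligence table (not real hashes).
KNOWN_BAD = b"MZ" + b"constructed sample: previously analysed, verdict block"
NEVER_SEEN = b"MZ" + b"constructed sample: never analysed before"
PLAIN_TEXT = b"just a text document, no executable content"
CLOUD_INTEL = {hashlib.sha256(KNOWN_BAD).hexdigest(): BLOCK}


def make_filter() -> ZeroDayPreFilter:
    return ZeroDayPreFilter(lambda digest: CLOUD_INTEL.get(digest))


def run_scenario() -> Tuple[str, str, str, str, int]:
    """Worked sequence: two copies of a known-bad file cost one lookup, a new
    file is submitted, and after its analysis is recorded it is served from cache."""
    f = make_filter()
    first = f.evaluate(KNOWN_BAD)
    second = f.evaluate(KNOWN_BAD)          # served from the local cache
    unseen = f.evaluate(NEVER_SEEN)         # hash unknown to the cloud service
    f.record_analysis(NEVER_SEEN, ALLOW)    # sandbox verdict comes back
    after = f.evaluate(NEVER_SEEN)
    return first, second, unseen, after, f.lookups_sent


if __name__ == "__main__":
    print(run_scenario())                    # ('block', 'block', 'submit-for-analysis', 'allow', 2)
    print(make_filter().evaluate(PLAIN_TEXT))  # allow
```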
[Figure: a PE file is passed to the deep learning engine, which classifies it as malicious or legitimate]
Amongst the layers of protection within our sandbox is something called deep learning, which
protects against the latest unseen advanced threats like ransomware, crypto mining, bots, worms,
hacks, breaches, and Advanced Persistent Threats without using signatures.
Deep Learning uses a set of algorithms that try to replicate the way a human brain would solve a
problem. By looking at the features of an object, it decides as to what that object is.
Let’s relate this to securing your network. The deep learning model is trained on millions of
samples of known good and bad files, some examples shown here. It is taught the features (the
size, compression setting, printable strings, vendor and so forth) of these files, each of which is
labelled as good or bad. Training on these labelled features produces the learned model.
When a file is then tested with this model, deep learning evaluates portable executable (PE) files
on a machine at the time of execution within the sandbox. The engine predicts if the file is
malicious or legitimate based on the file characteristics, which have been learnt from the samples
the model has been trained on. The prediction is returned, and the file is categorized as malicious
or legitimate.
Application Control works on several levels to help protect your network, the most obvious of
these is reducing the attack surface by controlling what applications are allowed. For example,
users cannot download infected files through peer-to-peer applications if you are blocking them.
On average, 60% of application traffic is going unidentified. Static application signatures don’t work
for custom, obscure, evasive, or any apps using generic HTTP or HTTPS. Synchronized App Control
on Sophos Firewall automatically identifies all unknown applications enabling you to easily block
the apps you don't want and prioritize the ones you do.
What this means is that you can now identify – and deal with – the unknown threats and
unwanted apps that are running on your network, putting the organization at risk and impacting user
productivity.
[Figure: the attack kill chain: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Behaviour (pre-breach and post-breach phases)]
Users continue to be the easiest target for attackers, but an army of trained, phishing-aware
employees can provide you with a human firewall against these threats.
Let’s look at the next stage, exploitation, which is defined by leveraging a vulnerability to execute
code on a victim’s machine. An exploit is a method or tool for abusing software bugs for
nefarious purposes.
[Figure: an attacker on the Internet sending protocol violations and generic attacks at web servers]
By their very nature, web servers need to be accessible from the Internet, but this makes them
targets for attackers who may be trying to extract data or install malware to compromise other
users visiting the website.
Attacks can take many forms, including cross site scripting (XSS) attacks, using protocol violations
and anomalies, cookie signing, SQL injection, or other generic attacks.
Sophos Firewall includes comprehensive Web Server Protection, which is bundled with
preconfigured templates to make protecting commonly used web-facing servers like Microsoft
Exchange as easy as possible.
Web Server Protection acts as a reverse proxy protecting web servers on the internal network or
DMZ from inbound traffic. Web Server Protection uses a web application firewall to filter traffic,
harden forms, sign cookies, and scan for malware.
Web Server Protection can also authenticate incoming connections with a username and password
before they even reach the web server.
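Cookie signing, one of the Web Server Protection functions listed above, means the reverse proxy attaches an authentication tag to each cookie it hands to the browser and discards any cookie that comes back without a valid tag, so a client cannot edit a session or role cookie unnoticed. The following Python is an added example of that mechanism (HMAC-SHA256 over the cookie name and value), not Sophos Firewall's implementation; the key, cookie names and values are constructed.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed demo key. A real deployment keeps this secret on the proxy only.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"


def _tag(name: str, value: str, key: bytes) -> str:
    # The cookie name is bound into the tag so a valid tag for one cookie
    # cannot be transplanted onto a different cookie.
    return hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()


def sign_cookie(name: str, value: str, key: bytes = SIGNING_KEY) -> str:
    """Outbound direction: append the tag to the value before it reaches the browser."""
    return f"{value}.{_tag(name, value, key)}"


def verify_cookie(name: str, signed: str, key: bytes = SIGNING_KEY) -> Optional[str]:
    """Inbound direction: return the original value, or None if the tag is
    missing or does not match (the cookie was edited or forged)."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None
    expected = _tag(name, value, key)
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return value


def filter_request_cookies(cookie_header: str, key: bytes = SIGNING_KEY) -> Dict[str, str]:
    """Reverse-proxy step: parse a Cookie header, keep only cookies whose
    signature verifies, and return the clean name->value map to forward upstream."""
    accepted: Dict[str, str] = {}
    for part in cookie_header.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        name, signed = part.split("=", 1)
        value = verify_cookie(name, signed, key)
        if value is not None:
            accepted[name] = value
    return accepted


if __name__ == "__main__":
    role = sign_cookie("role", "user")
    print(role)                                        # user.<64 hex chars>
    print(verify_cookie("role", role))                 # user
    print(verify_cookie("role", role.replace("user.", "admin.", 1)))  # None: value edited
    print(verify_cookie("other", role))                # None: tag bound to a different name
    print(filter_request_cookies(f"role={role}; evil=admin.deadbeef"))  # {'role': 'user'}
```

Note that signing only proves the cookie was issued by the proxy and not modified; it does not hide the value, so anything sensitive still needs encryption or should stay server-side.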
[Figure: Sophos Firewall between an endpoint and the Internet]
Vulnerabilities and exploit kits can be protected against using Intrusion Prevention Systems (IPS).
IPS monitors network traffic as it passes through the firewall for malicious activity. It logs the
activity and attempts to block and prevent the infection and then reports the activity.
Please note that Intrusion Prevention is not designed to replace applying software patches to fix
bugs and security vulnerabilities.
[Figure: the attack kill chain: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Behaviour (pre-breach and post-breach phases)]
This attack phase is where the installed malware makes a connection to a Command-and-Control
server.
Some of the more complex malware, like Emotet, includes communication to remote servers for
further instructions and/or updates, or to upload or download further files.
Advanced Threat Protection monitors global outgoing traffic. It blocks outgoing network traffic
attempting to reach malicious servers. This prevents remote access trojans from reporting back to
their malicious servers.
If ATP detects a threat an alert will be recorded, and the number of detections will be shown in the
control center. The administrator can then check the alert for additional information about the
threat such as:
This process allows the administrator to clean up the threat while the device is isolated, protecting
the rest of the network from becoming infected.
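The Advanced Threat Protection behaviour described above (match outbound connections against known malicious servers, record an alert, and show a per-device detection count for the administrator) is the same shape as a simple log-matching detection. The following Python is an added example that is not Sophos Firewall code and does not use its log format: the log lines, the key=value layout and the indicator list (reserved documentation names and addresses) are all constructed.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed indicator list: reserved documentation names/addresses, not real IoCs.
MALICIOUS_HOSTS = {"c2.example.invalid", "update-check.example.invalid"}
MALICIOUS_IPS = {"198.51.100.23"}

# Constructed outbound-connection log in a simple key=value layout.
SAMPLE_LOG = """\
2022-04-05T10:01:12Z src=10.0.1.15 dst=203.0.113.5 host=www.example.com
2022-04-05T10:01:30Z src=10.0.1.15 dst=198.51.100.23 host=c2.example.invalid
2022-04-05T10:02:02Z src=10.0.1.42 dst=198.51.100.23 host=-
2022-04-05T10:02:40Z src=10.0.1.15 dst=203.0.113.9 host=update-check.example.invalid
"""


@dataclass
class Alert:
    timestamp: str
    source: str        # the internal device that tried to reach the server
    destination: str
    indicator: str     # which indicator matched: hostname or IP


def parse_line(line: str) -> Tuple[str, Dict[str, str]]:
    ts, *pairs = line.split()
    return ts, dict(p.split("=", 1) for p in pairs)


def detect(log_text: str) -> List[Alert]:
    """Match each outbound connection against the host and IP indicators.
    The hostname is checked first; the IP check catches direct connections
    that carry no hostname (the third sample line)."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, f = parse_line(line)
        if f.get("host") in MALICIOUS_HOSTS:
            alerts.append(Alert(ts, f["src"], f["dst"], f["host"]))
        elif f.get("dst") in MALICIOUS_IPS:
            alerts.append(Alert(ts, f["src"], f["dst"], f["dst"]))
    return alerts


def detections_per_source(alerts: List[Alert]) -> Dict[str, int]:
    """The per-device count an administrator would review before investigating."""
    return dict(Counter(a.source for a in alerts))


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a.timestamp} {a.source} -> {a.destination} matched {a.indicator}")
    print(detections_per_source(found))   # {'10.0.1.15': 2, '10.0.1.42': 1}
```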
[Figure: the attack kill chain: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Behaviour (pre-breach and post-breach phases)]
This stage of the attack varies depending upon the type of malware, for example a ransomware
attack will look to encrypt data and demand ransom. Whereas spyware tends to log the keystrokes
of victims and gain access to passwords or intellectual property.
Next, we’ll review some of the Sophos Firewall protection components that detect malicious
threats.
Server Protection and Intercept X can be used to assign every device a health status. If a
device is compromised, it can be automatically isolated from other parts of the network at the
firewall, and other, healthy devices can be made to block network connections to it. This limits the
fallout of a breach, the spread of malware and the lateral movement of an attacker, even on the same
broadcast domain or network segment, where the firewall has no opportunity to block the traffic.
We’re effectively pushing isolation enforcement out to endpoints so they can help the firewall
isolate any threats and keep the network secure. This will stop any threat or attacker attempting to
move laterally.
Email protection stops data from being leaked outside of the organization by email. You can create
data control lists from the content control list (CCL). CCLs are based on common financial and
personally identifiable data types, for example, credit card or social security numbers, postal or
email addresses. When Sophos Firewall finds a match for the specified information, it applies the
action specified in the policy.
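The paragraph above describes the Data Loss Protection step in two parts: content control lists that describe data types such as credit card and social security numbers, and a policy that maps a match to an action. The following Python is an added example of that two-part design (it also illustrates the DLP scanning mentioned under email protection earlier), not Sophos's CCL engine or its real CCL definitions: the patterns, the Luhn validation used to avoid reporting arbitrary 16-digit numbers as card numbers, the policy table and the sample message text are all this example's own.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test, so that order numbers and timestamps that happen
    to be 13-16 digits long are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class ContentControlList:
    name: str
    pattern: "re.Pattern[str]"
    validator: Callable[[str], bool]   # second-stage check on the raw match


# Constructed CCLs for the data types the page names; the real CCLs are
# maintained by Sophos and these patterns are this example's own.
CCLS: List[ContentControlList] = [
    ContentControlList(
        "credit card number",
        re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),      # 13-16 digits, optional separators
        lambda s: luhn_valid(re.sub(r"[ -]", "", s)),
    ),
    ContentControlList(
        "social security number",
        re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
        lambda s: True,
    ),
    ContentControlList(
        "email address",
        re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
        lambda s: True,
    ),
]

# Constructed policy: action per CCL. The most severe action among all matches wins.
POLICY = {"credit card number": "block", "social security number": "block", "email address": "allow"}
SEVERITY = {"allow": 0, "encrypt": 1, "block": 2}


def scan_text(text: str) -> List[Tuple[str, str]]:
    """Return (CCL name, matched text) for every match that passes its validator."""
    findings: List[Tuple[str, str]] = []
    for ccl in CCLS:
        for m in ccl.pattern.finditer(text):
            if ccl.validator(m.group(0)):
                findings.append((ccl.name, m.group(0)))
    return findings


def decide(text: str, policy=POLICY) -> Tuple[str, List[Tuple[str, str]]]:
    """Apply the policy to a message body and return (action, findings)."""
    findings = scan_text(text)
    action = "allow"
    for name, _ in findings:
        candidate = policy.get(name, "allow")
        if SEVERITY[candidate] > SEVERITY[action]:
            action = candidate
    return action, findings


if __name__ == "__main__":
    # Constructed message bodies. 4111 1111 1111 1111 is a well-known Luhn-valid
    # test number; changing the last digit makes it fail the check.
    print(decide("Card 4111 1111 1111 1111, contact bob@example.com"))   # block
    print(decide("Order 4111 1111 1111 1112 ref, contact bob@example.com"))  # allow
    print(decide("SSN 123-45-6789 on file"))                              # block
```

Keeping the data-type definitions (CCLs) separate from the policy is what lets one list be reused with different actions, for example blocking card numbers outbound but only encrypting them to a partner domain.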
[Figure: the attack kill chain: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Behaviour (pre-breach and post-breach phases)]
Digital security and physical security have many parallels. Think of a building and how it could be
protected. If you were to build nothing but a giant wall, it may prove difficult to climb over but
eventually someone will find a way to get over it (or under it).
Now consider a fortress. Armed guards, attack dogs, CCTV, tripwires, barbed wire, motion sensors.
It may be possible to hop the wall, but you still have many additional hurdles ahead of you.
Single layers are simple to build but are also simple to bypass. Our goal has always been to build
fortresses so that multiple security elements are present to detect movement across assets and for
attacks to be detected and stopped.
Here are the three main things you learned in this chapter.
Sophos Firewall provides multiple layers of protection to detect and block attacks.
The delivery and exploitation phases are both intended to get malicious code onto a device and
have it executed.
Once malware is running or an attacker is on a device, attacks can be detected based on behavior.