
Sophos Firewall Features and the Attack Kill Chain

Sophos Firewall
Version: 19.0v1


Sophos Firewall
FW0510: Sophos Firewall Features and the Attack Kill Chain

April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Sophos Firewall Features and the Attack Kill Chain - 1


Sophos Firewall Features and the Attack Kill Chain

In this chapter you will learn what security features Sophos Firewall uses to protect networks, and
how they map onto the attack kill chain.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ How Sophos Firewall acts as a zone-based firewall with identity-based policies
✓ The use of next-gen protection technologies to stop unknown threats
✓ How automatic threat response identifies and isolates compromised systems

DURATION
20 minutes



Firewall Features

Sophos Firewall is a full-featured firewall and security device that can be used in many different
scenarios. It can be placed at the edge of the network or inline behind other security devices. It
can be the sole point of security for a network, operating at the edge and providing multiple
services, or it can augment an existing implementation by providing services that other devices
lack.



Attack Kill Chain

The kill chain slide lists seven phases, running from pre-breach on the left to post-breach on the
right:

• Reconnaissance: harvesting e-mail addresses, conference information, etc.
• Weaponization: coupling an exploit with a backdoor into a deliverable payload
• Delivery: delivering the weaponized bundle to the victim via email, web, ...
• Exploitation: leveraging a vulnerability or functionality to execute code on the victim's machine
• Installation: installing malware on the asset
• Command and Control: a command channel for remote manipulation of the victim
• Behaviour: with 'hands on keyboard' access, intruders accomplish their goal

We will now look at the protection features offered by Sophos Firewall. To do this, we will show
adversary tactics and techniques and how Sophos Firewall is able to stop complex attacks at each
phase of an attack.

By reviewing these techniques, you will get a better and more reliable understanding of Sophos
Firewall's ability to stop the attacker's techniques at each of the phases.



Protecting Against The Delivery of Malware

The first part of the anatomy of a cyber attack is reconnaissance and weaponization. Attackers
usually start by passively researching and gathering information about the target organization, for
example the email addresses of key people such as the CEO and company directors. During passive
reconnaissance the attacker is not touching your network or systems, so there is nothing for the
firewall to detect.

During active reconnaissance they probe your estate directly, for example port-scanning your
network ranges, IP addresses and domain names; they may also find information about the company
being sold on the dark web.

Weaponization is done on the attacker's own device, so there is nothing for Sophos Firewall to
detect.

Now we come to the Delivery stage. This stage of an attack is defined by the attacker gaining
access to your estate through an attack vector, for example an email, and delivering malware to a
specific target. This is sometimes referred to as delivering a weaponized bundle to a target.



Email Attacks (Delivery)

The slide shows two paths an email attack can take once the victim clicks the link in the email
and lands on the phishing website:

• Data theft: the attacker collects the victim's credentials, then uses them to access the
  legitimate website and infiltrate your network
• Exploit kit: the site scans for vulnerabilities on the victim's computer and exploits them to
  download malicious code onto the system

Attackers may send emails to users asking them to click on a link or go to a website that is
compromised. This is referred to as phishing. Typically, in a phishing scam, you and many of your
colleagues will receive an email that appears to come from a reputable organization and will
sometimes include attachments which, if opened, can infect a device. Attackers use social
engineering tactics over social networks, email, applications, phone calls, text messages and in
person to get people to reveal sensitive information. Typically, the attack is designed for some of
the following purposes:

• Phishing for credit-card account numbers and passwords
• Hacking private e-mails and chat histories
• Hacking the websites of companies or organizations and destroying their reputation
• Computer virus hoaxes
• Convincing users to run malicious code

Many malware infections begin with a user visiting a specially designed website that exploits one
or more software vulnerabilities. This can be triggered by a user clicking on a link within an
email or simply browsing the Internet, and this type of infection happens silently.

Genuine websites can be compromised by attackers who place malicious advertisements on the site. In
other cases, traffic to the website may be redirected to the attacker's server. The redirected site
is designed to look authentic and usually requests a username and password to log in.

[Additional Information]

You can find out more about social engineering and how it can be prevented by watching the video
on Sophos’s Naked Security page.



https://nakedsecurity.sophos.com/tag/social-engineering/



Web Protection (Delivery)

• Policies allow you to configure filters to automatically block categorized websites
• If a user visits a blocked website they will not be able to get to the site

Sophos Firewall protects you by scanning HTTP and HTTPS traffic for unwanted content or malware.
Scanning HTTPS traffic requires the firewall to decrypt it, so SSL/TLS inspection must be
configured and the firewall's CA certificate deployed to the clients.

• Web Filtering provides pre-defined filters that automatically block access to categorized
  websites, such as gambling or pornography
• Live Protection provides real-time lookups to SophosLabs to check for threats and prevent them
  from infecting the device or network
• Pharming Protection prevents users from being redirected to fake or compromised websites
• Certificate validation checks website certificates to ensure they are legitimate
• File type filtering is based on MIME type, extension and active content type. This can be used
  to block macro-enabled documents, for example
• Enforcing SafeSearch, a feature of Google Search that acts as an automated filter for
  pornography and potentially offensive content

The Web Protection feature is customizable; for example, restricting users' surfing quota and
access time gives you control over what users can access and when. If you want to stop users
accessing websites that are not business essential, you can add a restriction to the web policy
that blocks non-business sites, for example social networking sites.
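The file type filter described above checks three things: the extension, the MIME type and the
active content inside the file. The example below is added here to show why the third check
matters; it is not Sophos code, and the extension and MIME lists are assumptions chosen for the
example. Macro-enabled Office files are zip packages that carry a vbaProject.bin part, so a .docm
renamed to .docx and served as application/octet-stream still carries the macro and is still
caught. The sample "documents" are constructed in memory and are not real Office files.

```python
import io
import zipfile

# Extensions and MIME types of macro-enabled Office formats (assumed lists for this example).
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
MACRO_MIME_TYPES = {
    "application/vnd.ms-word.document.macroenabled.12",
    "application/vnd.ms-excel.sheet.macroenabled.12",
    "application/vnd.ms-powerpoint.presentation.macroenabled.12",
}
# An OOXML package that carries a VBA project stores it under one of these member paths.
VBA_PROJECT_MEMBERS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def has_vba_project(data: bytes) -> bool:
    """Active-content check: does the OOXML zip contain a VBA project part?"""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return any(member in names for member in VBA_PROJECT_MEMBERS)


def classify_download(filename: str, mime_type: str, data: bytes):
    """Return (verdict, reason) for a downloaded file under a 'block macros' policy.

    The checks run cheapest first: extension, then the declared MIME type, then the
    content itself, so a mislabelled file is still caught by the last check.
    """
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in MACRO_EXTENSIONS:
        return ("block", f"extension {ext} is macro-enabled")
    if mime_type.lower() in MACRO_MIME_TYPES:
        return ("block", f"MIME type {mime_type} is macro-enabled")
    if has_vba_project(data):
        return ("block", "active content: embedded VBA project")
    return ("allow", "no macro indicators")


def build_ooxml(members) -> bytes:
    """Construct a minimal OOXML-like zip in memory (sample input, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, b"")
    return buf.getvalue()


if __name__ == "__main__":
    renamed = build_ooxml(["[Content_Types].xml", "word/vbaProject.bin"])
    print(classify_download("invoice.docx", "application/octet-stream", renamed))
```

The content check is the one that survives evasion: an attacker controls both the filename and the
Content-Type header, but cannot remove the VBA part without removing the macro.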



Email Encryption and Control (Delivery)

The slide shows Sophos Firewall sitting between the Internet and your email servers; mail from the
cyber criminal is held in quarantine rather than delivered.

To protect against email attacks, Email Encryption and Control can be used.

The email scanning engine scans all inbound emails for malicious content, and you control what
emails can be received into your network:

• IP Reputation is enabled, allowing you to determine whether you accept, reject or drop emails
  sent from known spam senders
• File-type detection is configured to scan for and block specific file types. For example, you
  can block or quarantine any macro-enabled files regardless of sender

The email scanning engine also detects phishing URLs within emails and blocks those emails
accordingly. As well as scanning inbound and outbound emails for malicious content, email
protection allows you to encrypt emails so that you can send sensitive data securely out of your
network.

It uses SPX encryption for one-way message encryption, with recipient self-registration for SPX
password management. This encryption is simple and secure and does not require certificates or
keys. It also allows attachments to be added to SPX secure replies, so your users can exchange
files securely.

Email protection also uses the Data Loss Prevention (DLP) engine, which automatically scans emails
and attachments for sensitive data. This is also a key benefit at the last stage of the attack,
which we will talk about later in the module.



Zero-Day Protection (Delivery)

The slide shows the flow between Sophos Firewall and Sophos zero-day protection: the file hash is
sent first, a suspect file is submitted if the hash is unknown, its behavior is determined, and a
control decision and report come back to the firewall.

Sophos zero-day protection uses next-gen sandbox technology with integrated deep learning,
giving your organization an extra layer of security against ransomware and targeted attacks. It
integrates with your Sophos Firewall and is cloud-delivered, so there’s no additional hardware
required. It’s the best defense against the latest payload-based malware lurking in phishing attacks,
spam, and file downloads.

Let’s look at how Sophos zero-day protection tests for and identifies possible malware.

The Sophos Firewall accurately pre-filters traffic using all the conventional security checks,
including anti-malware signatures, known bad URLs and so forth, so only previously unseen
suspicious files are submitted to Sophos ensuring minimal latency and end user impact.

If the file is executable or has executable content, the file is treated as suspicious. Sophos Firewall
sends the file hash to Sophos, to determine if it has been previously analyzed.

If the file has been previously analyzed, Sophos passes the threat intelligence to the Sophos
Firewall. Here, the file will be delivered to the user’s device or blocked, depending on the
information provided by zero-day protection.

Sophos Firewall keeps a local cache of file hashes and the results in a local database to prevent
unnecessary lookups.

Finally, Sophos Firewall uses the detailed intelligence supplied by zero-day protection to create
deep, forensic reports on each threat incident.




If the hash has not been seen before, a copy of the suspicious file is sent to Sophos.

Here, the file is executed, and its behavior is monitored. Once fully analyzed, Sophos passes the
threat intelligence to Sophos Firewall which will determine if the file is allowed or blocked.

As with previous threats, a report is created for the threat incident.
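The two pages above describe one pipeline: pre-filter with conventional checks, treat executable
content as suspicious, look the hash up (locally, then in the cloud), submit the file only if the
hash has never been seen, cache the verdict, and record a report per incident. The example below is
added here to make that control flow concrete; it is not Sophos code. The cloud service, its
verdict rule, the known-bad signature set and the sample files are all constructed for the
example, and "executable content" is reduced to the PE 'MZ' header.

```python
import hashlib

# Conventional pre-filter: signatures for already-known bad files (constructed for this example).
KNOWN_BAD_SHA256 = {hashlib.sha256(b"MZ" + b"KNOWN_BAD_SAMPLE").hexdigest()}


class CloudSandbox:
    """Stand-in for the cloud analysis service (hypothetical): hash lookup plus detonation."""

    def __init__(self):
        self.verdicts = {}      # sha256 -> "clean" | "malicious", shared by every firewall
        self.submissions = 0    # files actually detonated

    def lookup(self, sha256: str):
        return self.verdicts.get(sha256)

    def analyze(self, data: bytes) -> str:
        self.submissions += 1
        # Constructed behaviour rule: the sample 'malware' carries a beacon marker.
        verdict = "malicious" if b"DROP_AND_BEACON" in data else "clean"
        self.verdicts[hashlib.sha256(data).hexdigest()] = verdict
        return verdict


class Firewall:
    def __init__(self, cloud: CloudSandbox):
        self.cloud = cloud
        self.cache = {}         # local hash -> verdict database
        self.lookups = 0        # round trips to the cloud
        self.reports = []       # one report per threat incident

    @staticmethod
    def is_suspicious(data: bytes) -> bool:
        # PE executables start with the 'MZ' DOS header; only those go any further.
        return data[:2] == b"MZ"

    def handle_download(self, data: bytes) -> str:
        if not self.is_suspicious(data):
            return "deliver"
        digest = hashlib.sha256(data).hexdigest()
        if digest in KNOWN_BAD_SHA256:
            verdict = "malicious"               # signature hit: no cloud round trip needed
        elif digest in self.cache:
            verdict = self.cache[digest]        # already decided on this firewall
        else:
            self.lookups += 1
            verdict = self.cloud.lookup(digest)  # has anyone analysed this hash before?
            if verdict is None:
                verdict = self.cloud.analyze(data)  # unseen: submit the file itself
            self.cache[digest] = verdict
        if verdict == "malicious":
            self.reports.append({"sha256": digest, "verdict": verdict})
            return "block"
        return "deliver"


if __name__ == "__main__":
    cloud = CloudSandbox()
    fw = Firewall(cloud)
    evil = b"MZ" + b"\x00" * 64 + b"DROP_AND_BEACON"
    print(fw.handle_download(evil), fw.handle_download(evil), cloud.submissions)
```

The second firewall in the test never submits the file: the cloud already knows the hash, which is
the "previously analyzed" branch on the first of the two pages.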



Deep Learning (Delivery)

Model trained to determine the features of a file:

• Millions of samples: Windows EXEs, documents with macros, PDFs with scripts
• Features of the files defined: vendor, metadata, size, imports, printable strings, compression
  settings, contextual bytes
• Features of the files labelled, and a learned model produced (deep learning)
• A PE file fed to the deep learning engine is classified as malicious or legitimate

Amongst the layers of protection within our sandbox is something called deep learning, which
protects against the latest unseen advanced threats like ransomware, crypto mining, bots, worms,
hacks, breaches, and Advanced Persistent Threats without using signatures.

Deep Learning uses a set of algorithms that try to replicate the way a human brain would solve a
problem. By looking at the features of an object, it decides as to what that object is.

Let’s relate this to securing your network. The deep learning model is trained on millions of
samples of known good and bad files, some examples shown here. It is taught the features (the
size, compression setting, printable strings, vendor and so forth) of these files which are then
labelled. The model is then trained to determine the features of a file to create a learned model.

When a file is then tested with this model, deep learning evaluates portable executable (PE) files
on a machine at the time of execution within the sandbox. The engine predicts if the file is
malicious or legitimate based on the file characteristics, which have been learnt from the samples
the model has been trained on. The prediction is returned, and the file is categorized as malicious
or legitimate.
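The training step above starts by turning each labelled sample into a fixed set of numeric
features. The example below is added here to show that feature-definition step on the kinds of
features the text names (size, printable strings, packing indicators, imported API names); it is
not Sophos code and does not train a model. The watched API list and the two "samples" are
constructed for the example; entropy stands in for the compression setting, since a packed or
encrypted file has close to 8 bits of entropy per byte.

```python
import math
import re

# Runs of four or more printable ASCII bytes: the usual definition of "strings" in a binary.
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{4,}")

# Hypothetical list of API names worth a feature of their own when they appear in the strings.
WATCHED_APIS = (b"VirtualAlloc", b"WriteProcessMemory", b"CreateRemoteThread", b"CryptEncrypt")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 8.0 means packed or encrypted content, 0 means uniform padding."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def extract_features(data: bytes) -> dict:
    strings = PRINTABLE_RE.findall(data)
    return {
        "is_pe": data[:2] == b"MZ",      # DOS header magic of a PE file
        "size": len(data),
        "entropy": shannon_entropy(data),
        "printable_strings": len(strings),
        "watched_apis": sum(1 for api in WATCHED_APIS if any(api in s for s in strings)),
    }


def vectorize(features: dict) -> list:
    """Fixed-order numeric vector, the form a model is trained on and later scores."""
    return [
        1.0 if features["is_pe"] else 0.0,
        math.log2(features["size"] + 1),   # log scale: sizes span many orders of magnitude
        features["entropy"],
        float(features["printable_strings"]),
        float(features["watched_apis"]),
    ]


# Constructed training samples (not real binaries): label, bytes.
SAMPLES = [
    ("legitimate", b"MZ" + b"\x00" * 60 + b"Copyright Example Vendor Ltd\x00GetVersion\x00"),
    ("malicious", b"MZ" + bytes(range(256)) * 2 + b"VirtualAlloc\x00CreateRemoteThread\x00"),
]


def build_dataset(samples):
    """Labelled feature vectors: the input to the training step."""
    return [(label, vectorize(extract_features(data))) for label, data in samples]


if __name__ == "__main__":
    for label, vec in build_dataset(SAMPLES):
        print(label, [round(v, 3) for v in vec])
```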



Application Control (Delivery)

Configure Application Rules to restrict access to specific applications.

Application Control works on several levels to help protect your network, the most obvious of
these is reducing the attack surface by controlling what applications are allowed. For example,
users cannot download infected files through peer-to-peer applications if you are blocking them.

Application Control can be used to block various types of application; including:


• Unwanted applications. Some applications are non-malicious and possibly useful in the right
context, but are not suitable for company networks. Examples are adware, tools for
administering PCs remotely, and scanners that identify vulnerabilities in computer systems.
• Peer-to-peer, or P2P, networking applications. P2P applications can contain vulnerabilities and
can also act as servers as well as clients, meaning that they can be more vulnerable to remote
exploits.
• High risk applications. Sophos categorizes all applications, this means that you can apply the
high risk application control policy and it will block all (and any new) applications categorized as
high risk. For example, proxy and web storage applications are often high risk.
• And very high risk applications. In the same way as the high risk category, the very high risk
  category allows you to block all applications classified as very high risk. Examples of these
  applications are TOR proxy, SuperVPN and AppVPN.



Synchronized App Control (Delivery)

• Sophos Firewall sees app traffic that does not match a signature
• Sophos Endpoint shares the app name, path and even category with Sophos Firewall for
  classification
• The app is automatically categorized and controlled where possible, or the admin can manually
  set the category or policy to apply

On average, 60% of application traffic goes unidentified. Static application signatures don't work
for custom, obscure or evasive apps, or for any app that uses generic HTTP or HTTPS. Synchronized
App Control on Sophos Firewall automatically identifies all unknown applications, enabling you to
easily block the apps you don't want and prioritize the ones you do. Because the identification
comes from the endpoint, it only covers traffic from devices running Sophos Endpoint.

What this means is that you can now identify, and deal with, the unknown threats and unwanted apps
running on your network, putting the organization at risk and impacting user productivity.



Protecting Against Exploits

Users continue to be the easiest target for attackers, but an army of trained, phishing-aware
employees can provide you with a human firewall against these threats.

Let’s look at the next stage, exploitation, which is defined by leveraging a vulnerability to execute
code on a victim’s machine. An exploit is basically a method, or a tool used for abusing software
bugs for nefarious purposes.



Web Server Protection (Exploitation)

The slide shows an attacker on the Internet sending XSS, SQL injection, protocol violation and
generic attacks at web servers behind the firewall.

By their very nature, web servers need to be accessible from the Internet, but this makes them
targets for attackers who may be trying to extract data or install malware to compromise other
users visiting the website.

Attacks can take many forms, including cross site scripting (XSS) attacks, using protocol violations
and anomalies, cookie signing, SQL injection, or other generic attacks.




Sophos Firewall includes comprehensive Web Server Protection, which is bundled with
preconfigured templates to make protecting commonly used web-facing servers like Microsoft
Exchange as easy as possible.

Web Server Protection acts as a reverse proxy protecting web servers on the internal network or
DMZ from inbound traffic. Web Server Protection uses a web application firewall to filter traffic,
harden forms, sign cookies, and scan for malware.

Web Server Protection can also authenticate incoming connections with a username and password
before they even reach the web server.
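Of the web application firewall functions listed above, cookie signing is the one that is easiest
to show end to end. The example below is added here to illustrate the technique as a reverse proxy
would apply it; it is not Sophos code and says nothing about how Sophos Firewall formats its tags.
On the way out the proxy appends an HMAC over the cookie name and value; on the way in it verifies
the tag and strips it before the request reaches the web server, so a client that edits a cookie
(for example to change a role or session identifier) has the cookie dropped. The key and cookie
values are constructed for the example.

```python
import base64
import hashlib
import hmac


def _tag(name: str, value: str, key: bytes) -> str:
    # Binding the name into the MAC stops a signed value being replayed under another cookie name.
    mac = hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def sign_cookie(name: str, value: str, key: bytes) -> str:
    """Outbound: the proxy rewrites Set-Cookie so the value carries an HMAC tag."""
    return f"{value}.{_tag(name, value, key)}"


def verify_cookie(name: str, signed: str, key: bytes):
    """Inbound: return the original value, or None if the tag is missing or wrong."""
    value, sep, tag = signed.rpartition(".")   # the tag never contains '.', the value may
    if not sep:
        return None
    if not hmac.compare_digest(_tag(name, value, key), tag):   # constant-time comparison
        return None
    return value


def filter_cookie_header(header: str, key: bytes) -> str:
    """Inbound Cookie header: keep only cookies whose tag verifies, stripped back to plain values."""
    kept = []
    for part in header.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        name, signed = part.split("=", 1)
        value = verify_cookie(name, signed, key)
        if value is not None:
            kept.append(f"{name}={value}")
    return "; ".join(kept)


if __name__ == "__main__":
    key = b"proxy-secret"                       # constructed; a real key comes from the proxy config
    signed = sign_cookie("session", "abc123", key)
    print(filter_cookie_header(f"session={signed}; role=admin", key))
```

The proxy-injected cookie "role=admin" in the usage line is dropped because it carries no tag,
which is the point: the web server only ever sees cookies it issued itself.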



Intrusion Prevention System (IPS) (Exploitation)

• Monitors network traffic between the endpoint and the Internet for malicious activity
• Blocks and reports activities to prevent network infections

Vulnerabilities and exploit kits can be protected against using Intrusion Prevention Systems (IPS).
IPS monitors network traffic as it passes through the firewall for malicious activity. It logs the
activity and attempts to block and prevent the infection and then reports the activity.

Please note that Intrusion Prevention is not designed to replace applying software patches to fix
bugs and security vulnerabilities.



Exploitation and Command and Control Connections

This attack phase is where the installed malware makes a connection to a Command-and-Control
server.

In a typical advanced persistent threat lifecycle, communication with a Command-and-Control host is
a repeated process. This allows the malware to adapt as the attacker gains more knowledge.

Some of the more complex malware, such as Emotet, communicates with remote servers for further
instructions and/or updates, or to upload or download further files.



Advanced Threat Protection (ATP) (Command and Control)

• Globally monitors all outgoing traffic from your computers
• Detects and blocks malicious outgoing traffic
• Records an alert in the Control Centre of the Sophos Firewall
• Allows isolation of the device and threat clean up

Advanced Threat Protection monitors global outgoing traffic. It blocks outgoing network traffic
attempting to reach malicious servers. This prevents remote access trojans from reporting back to
their malicious servers.

If ATP detects a threat, an alert is recorded and the number of detections is shown in the Control
Center. The administrator can then check the alert for additional information about the threat,
such as:

• The affected device's IP address
• The affected device's hostname
• The threat and the number of times the rule was triggered
• The user and the offending process

This allows the administrator to clean up the threat while the device is isolated, protecting the
rest of the network from becoming infected.
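The ATP description above amounts to a detection rule: match outbound connections against a list
of known-malicious destinations, and for each hit record the source IP, hostname, user, process and
the number of times the rule fired. The example below is added here to show that logic over a
handful of constructed connection log lines; it is not Sophos code, the log format and the
threat-intelligence lists are invented for the example, and the user and process fields are
assumed to have been supplied by the endpoint. The addresses use reserved documentation ranges.

```python
import re

# Constructed threat-intelligence lists (hypothetical destinations for this example).
MALICIOUS_DOMAINS = {"c2.example-bad.test"}
MALICIOUS_IPS = {"203.0.113.7"}

# Invented log format: one outbound connection per line, '-' when no destination name is known.
LOG_RE = re.compile(
    r"src=(?P<src>\S+) host=(?P<host>\S+) user=(?P<user>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>\S+) dstname=(?P<dstname>\S+)"
)

SAMPLE_LOG = """\
src=10.0.1.25 host=WS-FIN-07 user=alice proc=outlook.exe dst=198.51.100.10 dstname=mail.example.test
src=10.0.1.25 host=WS-FIN-07 user=alice proc=svchost32.exe dst=203.0.113.7 dstname=-
src=10.0.1.25 host=WS-FIN-07 user=alice proc=svchost32.exe dst=203.0.113.7 dstname=-
src=10.0.2.14 host=WS-ENG-03 user=bob proc=chrome.exe dst=198.51.100.44 dstname=c2.example-bad.test
src=10.0.2.14 host=WS-ENG-03 user=bob proc=chrome.exe dst=198.51.100.45 dstname=www.example.test
"""


def is_malicious(dst: str, dstname: str) -> bool:
    # Match on the IP and on the name: a C2 server can sit behind a shared or rotating IP.
    return dst in MALICIOUS_IPS or dstname in MALICIOUS_DOMAINS


def analyze(log_text: str) -> list:
    """Return one alert per (source host, malicious destination) with the fields the admin sees."""
    alerts = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue                     # unparseable line: skip rather than crash the detector
        f = m.groupdict()
        if not is_malicious(f["dst"], f["dstname"]):
            continue
        threat = f["dst"] if f["dstname"] == "-" else f["dstname"]
        key = (f["src"], threat)
        alert = alerts.setdefault(key, {
            "ip": f["src"], "hostname": f["host"], "user": f["user"],
            "process": f["proc"], "threat": threat, "count": 0, "action": "drop",
        })
        alert["count"] += 1              # the 'number of times the rule was triggered'
    return list(alerts.values())


def hosts_to_isolate(alerts: list) -> list:
    """Source IPs that should be isolated while the threat is cleaned up."""
    return sorted({a["ip"] for a in alerts})


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a)
    print(hosts_to_isolate(analyze(SAMPLE_LOG)))
```

The svchost32.exe entry is the interesting one: a process name chosen to look like a Windows
service, repeatedly reaching a bare IP with no name resolution, which is the remote access trojan
"reporting back" described above.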



Protecting Against Malicious Behavior

This stage of the attack varies depending upon the type of malware, for example a ransomware
attack will look to encrypt data and demand ransom. Whereas spyware tends to log the keystrokes
of victims and gain access to passwords or intellectual property.

Next, we’ll review some of the Sophos Firewall protection components that detect malicious
threats.



Automatic Device Isolation (Behaviour)

Sophos Firewall instantly informs all healthy endpoints to ignore any traffic from a compromised
device. The slide shows Security Heartbeat™ linking the firewall, servers and endpoints, with the
infected host cut off from the rest.

Server Protection and Intercept X can be used to assign every device a health status. If a device
is compromised, it can be automatically isolated from other parts of the network at the firewall,
and the healthy devices are told to block network connections to and from it. This limits the
fallout of a breach, the spread of malware and the lateral movement of an attacker, even on the
same broadcast domain or network segment, where the firewall has no opportunity to block the
traffic itself.

We are effectively pushing isolation enforcement out to the endpoints so they can help the firewall
isolate any threats and keep the network secure. This stops a threat or attacker attempting to move
laterally.



Email Protection Behaviour

Email protection stops data from being leaked outside of the organization by email. You can create
data control lists from the content control list (CCL). CCLs are based on common financial and
personally identifiable data types, for example, credit card or social security numbers, postal or
email addresses. When Sophos Firewall finds a match for the specified information, it applies the
action specified in the policy.
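This is the DLP engine mentioned under Email Encryption and Control earlier in the module. The
example below is added here to show how a content control list for credit card and social security
numbers can be built and how a policy action is chosen from the matches; it is not Sophos code and
its patterns are not Sophos's CCLs. The patterns, the policy table and the sample texts are
constructed for the example. The card check validates the Luhn check digit rather than matching
any run of digits, which is what keeps order numbers and ticket references from triggering a block.

```python
import re

# Content control list patterns (constructed for this example, not Sophos's CCLs).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13 to 19 digits with optional separators
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test: rejects most digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> list:
    return SSN_RE.findall(text)


CCLS = {"credit_card": find_card_numbers, "ssn": find_ssns}

# Hypothetical policy: one action per CCL; the strictest action among the matches wins.
POLICY = {"credit_card": "block", "ssn": "encrypt"}
SEVERITY = {"allow": 0, "encrypt": 1, "block": 2}


def apply_policy(text: str, policy: dict = POLICY) -> dict:
    """Scan the message text with every CCL and return the action plus what matched."""
    matches = {name: fn(text) for name, fn in CCLS.items()}
    matches = {name: found for name, found in matches.items() if found}
    action = "allow"
    for name in matches:
        candidate = policy.get(name, "allow")
        if SEVERITY[candidate] > SEVERITY[action]:
            action = candidate
    return {"action": action, "matches": matches}


if __name__ == "__main__":
    print(apply_policy("Card 4111 1111 1111 1111 exp 12/26"))
    print(apply_policy("Ref 4111111111111112 is not a card; ticket 1234-5678-9012"))
```

In practice the same scan runs over attachments as well as the body, which means extracting text
from each attachment type first; the policy logic above does not change.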



Summary

SYNCHRONIZED SECURITY
• Heartbeat™ links your endpoints with Sophos Firewall
• Automatic device isolation
• Identify infected systems
• Monitor network health

WEB PROTECTION
• Prohibited website blocking
• Synchronized App Control

EMAIL PROTECTION
• Inbound antivirus and anti-spam scanning (with SPF and DKIM)
• SPX Email Encryption
• Time of click URL Protection

INTRUSION PREVENTION
• Local Security Authority (LSASS)
• Security Account Manager (SAM)

ZERO-DAY PROTECTION WITH DEEP LEARNING

NETWORK PROTECTION
• Stop unknown and sophisticated threats
• Advanced networking protection
• Automatically responds to incidents

WEB SERVER PROTECTION
• Blocks known attack techniques
• Active Adversary Mitigations
• Reverse proxy authentication

ADVANCED THREAT PROTECTION
• Detect and block C&C traffic

APPLICATION CONTROL
• Block undesired applications
• Proxies, hacking tools, sniffers
• Out of date browsers, office apps

DATA LOSS PREVENTION
• Email

MALWARE SCANNING
• On-board antivirus engines
• Zero-day protection

The summary slide places these features along the kill chain, from Reconnaissance, Weaponization,
Delivery and Exploitation (pre-breach) through Installation, Command and Control and Behaviour
(post-breach).

Digital security and physical security have many parallels. Think of a building and how it could be
protected. If you were to build nothing but a giant wall, it may prove difficult to climb over but
eventually someone will find a way to get over it (or under it).

Now consider a fortress. Armed guards, attack dogs, CCTV, tripwires, barbed wire, motion sensors.
It may be possible to hop the wall, but you still have many additional hurdles ahead of you.

Single layers are simple to build but are also simple to bypass. Our goal has always been to build
fortresses so that multiple security elements are present to detect movement across assets and for
attacks to be detected and stopped.



Chapter Review

Here are the three main things you learned in this chapter.

• Sophos Firewall provides multiple layers of protection to detect and block attacks.
• The delivery and exploitation phases are both intended to get malicious code onto a device and
  have it executed.
• Once malware is running or an attacker is on a device, attacks can be detected based on
  behavior.



