Defending Your Network with Deception Using Deception Decoys, SIEM, and SOAR to Block Suspicious Traffic in Sophos Firewall for SSH Service

On March 15, 2024


Tools used in the infrastructure

SIEM is a free, open source, enterprise-grade security monitoring platform that provides comprehensive protection for cloud, on-premises, containerized, and virtualized environments.

Deception techniques - if deployed well - can be very effective for organizations to improve network defence and can be a useful arsenal for blue teams to detect attacks at a very early stage of cyber kill chain.

Shuffle is an Open-Source interpretation of SOAR. It aims to bring all the capabilities necessary to transfer data throughout an enterprise with plug-and-play Apps, making automation approachable for everyone.

Sophos XG Firewall provides comprehensive next-generation firewall protection powered by deep learning and Synchronized Security.

This blog walks through the steps of blocking a suspicious traffic on a deception decoy created in the virtual machine, using a playbook created in SOAR; ultimately taking action in Sophos XG generation of firewall.

Flow Of Attacker: -

deception-ssh-image1

High Level Deception, SIEM & SOAR Diagram: -

deception-ssh-image2

Step 1:

Firstly, we will walk through configuration steps of our environment, which includes.

A. SIEM

B. Deception Engine & Decoy Ready.

C. Deception Engine & SIEM Integration

D. SOAR server

E. Sophos XG firewall

F. A pre-defined rule in firewall to block suspicious traffic.

A. SIEM:

SIME server is ready on IP 172.X.X.X

deception-ssh-image3

B. Deception Engine with a Decoy Rady:

  • To have a decoy created as a deception tool in a Deception Engine Virtual Machine. • Decoy - In this reference, Decoy named “Cisco-Router” with IP address 172.17.14.63 is created, which has SSH services enabled on it.

deception-ssh-image4

Deception Engine & SIEM integration:

Integrate Deception server with SIEM to receive all the decoy logs directly as SIEM alerts, via Syslog service.

deception-ssh-image5

C. SOAR Server:

Have SOAR server instance ready and setup. In our case, it is configured on IP 172.X.X.X

deception-ssh-image6

D. Sophos XG Firewall:

Our Sophos firewall is ready and setup on IP 172.X.X.X

deception-ssh-image7

E. A pre-defined rule in firewall to block suspicious traffic:

A rule to block suspicious IP addresses -

deception-ssh-image8

Step 2:

In this step, we will be creating the following points in our deception scenario.

A. Create a rule in SIEM to collect decoy logs.

B. Collect Decoy Logs in SIEM

C. Now we integrate SIEM with SOAR and download workflow from the mentioned URL.

D. Connect SOAR with Sophos XG Firewall.

E. Create alert notification to be sent via outlook application.

A. Create a rule in SIEM to collect decoy logs:

Create a rule here, which collects information of SSH logs from Deception Engine’s earlier created Decoy.

deception-ssh-image9

B. Collect Decoy Logs in SIEM.

If any attacker Hit of Created Decoy, then you are able to get those logs into SIEM.

deception-ssh-image10

C. Now we integrate SIEM with SOAR.

Integrate SOAR playbook with Sophos XG firewall, with all the details of firewall, such as rule name, source IP address of suspicious traffic, etc using API connection

deception-ssh-image11

 Make sure to change rule_id in above snippet with the ones you’ve configured alerts for in your SIEM.

 This is it. Now, as soon as the alert comes into the SIEM this workflow will get triggered and perform the actions.

 You can check the workflow editor for the execution details.

Download workflow to your SOAR instance and import it in the same from /workflows path and then click on import workflow.

GitHub repo link to the SOAR x DECEPTION workflow https://github.com/Infopercept/invinsense-soar-usecases/blob/main/DECEPTION%20BLOCK%20IP.json deception-ssh-image12

Now click on the workflow to go into the workflow editor and click on the very first node and click start to initiate a webhook. This webhook will be used with SIEM to forward alerts to SOAR.

deception-ssh-image13

D. Connect SOAR with Sophos XG Firewall.

For the next step click on Create_rule_and_block_ip inside workflow editor to configure Sophos firewall creds. Change the value of URL with your Sophos XG firewall instance.

deception-ssh-image14

Now scroll down the app sidebar and uncheck the option Automatically fix body option if it is selected already. And then click on the box on the right side of body to expand the code editor. You should be seeing the following screen.

deception-ssh-image15

Default admin account is not applicable you need to create another admin account with full admin privileges. Then update the value of Your Sophos account username and Password. And click on done. Then save the workflow. As and when this rule gets triggered, that suspicious connection IP address will get added into block list in Sophos XG firewall.

E. Create alert notification to be sent via Microsoft teams application.

Click on (+) and configure the outlook for sends email notification.

deception-ssh-image16

F. Create case in hive application.

Click on (+) and configure the hive app for create case.

deception-ssh-image17

Step 3:

Real scenario, process check:

A. Attacker IP 172.17.12.60 which is suspicious IP that is trying to access RDP connection to our decoy.

• In our scenario, source PC – 172.17.12.60 triggered that rule

B. Decoy Send logs to SIEM.

C. SOAR Playbook gets run.

• SOAR Collects the Attacker IP Address from SIEM.

• Webhook sends that IP address into Sophos firewall rule

D. Attacker IP address block in Sophos Firewall.

• Teams notification section is initiated

• Teams notification is sent

A. Attacked Tries to Connect SSH decoy.

deception-ssh-image18

Tried to access RDP decoy as mentioned below

deception-ssh-image19

B. Decoy Sends logs to SIEM.

deception-ssh-image20

C. SOAR Playbook gets run

deception-ssh-image21

SOAR Collect the Attacker IP Address from SIEM. Webhook sends that IP address into Sophos firewall rule

deception-ssh-image22

D. Attacker IP address block in Sophos Firewall. Attacked IP Address Host Object Crated into SOPHOS Firewall and it is added in to Predefine Address Object Group, which is already attached in SOPHOS Firewall Drop Rule.

deception-ssh-image23

Email notification section is initiated

deception-ssh-image24

Email notification is sent

deception-ssh-image25

E. Hive will create a new case

deception-ssh-image26

deception-ssh-image27


*

*

*

*