How Next-Generation Firewall Platforms Help Protect Your Perimeter at Each Stage of the Cyber Kill Chain*

November 16, 2017, Mark Bedell, Senior Consultant, Cyber Engineering, Coalfire

Whether you need to upgrade your firewalls on-premise or in the cloud, next-generation firewalls (NGFWs) can significantly reduce the risks associated with the modern threat landscape. Since attacks have evolved using techniques such as encryption, polymorphism, etc., firewalls have also evolved to protect against some of the most sophisticated attacks. Whether they are deployed as physical appliances or virtual machines, these firewalls are not only “application aware,” but they have become complete threat intelligence managers guarding you against known and zero-day threats.

So, what is the cost justification and how can it benefit you? To explain that point, I’ll turn to exploring how NGFWs help during each stage of the cyber kill chain.

Kill chain – A brief history

The term “kill chain” started as a military concept that defines the structure of an attack. The information security field borrowed this strategy and created a model for defending computer networks. The attack kill chain is the sequence of events an attacker executes to infiltrate a network and exfiltrate data. Breaking the kill chain means stopping an advanced attack, whether it relies on spyware, malicious links, exploits, or command and control requests, before it moves to the next stage. NGFW enterprise security platforms can provide a solid layer of protection at every stage of the kill chain through detection and prevention.

Stage 1. Reconnaissance –> attackers gather information to plan an attack.

Action: Intrusion Prevention System (IPS)

NGFWs have perimeter-based intrusion prevention baked in, which continuously inspects network traffic and can help by detecting and blocking port scans and host sweeps. This may not stop the ‘behind the scenes’ social engineering techniques, such as learning about employees on social media and handing them a USB drive, but it is a layer of protection against the detectable elements of the Reconnaissance stage.
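To show what the IPS is actually counting when it flags a port scan or a host sweep, here is an added example (not code from the original post or from any firewall vendor) that applies the two simplest heuristics to a constructed set of flow records. The thresholds, window and sample addresses are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample flow records (timestamp_s, src_ip, dst_ip, dst_port);
# made up for illustration, not captured traffic.
FLOWS = [
    (0, "198.51.100.7", "10.0.0.5", 22),
    (1, "198.51.100.7", "10.0.0.5", 23),
    (1, "198.51.100.7", "10.0.0.5", 80),
    (2, "198.51.100.7", "10.0.0.5", 443),
    (2, "198.51.100.7", "10.0.0.5", 445),
    (3, "198.51.100.7", "10.0.0.5", 3389),
    (0, "198.51.100.9", "10.0.0.1", 80),
    (1, "198.51.100.9", "10.0.0.2", 80),
    (1, "198.51.100.9", "10.0.0.3", 80),
    (2, "198.51.100.9", "10.0.0.4", 80),
    (5, "192.0.2.10", "10.0.0.5", 443),     # ordinary repeat connection
    (6, "192.0.2.10", "10.0.0.5", 443),
]

def detect_scans(flows, window=10, port_threshold=5, host_threshold=4):
    """Return {src_ip: [alert, ...]} for sources that look like scanners.

    Port scan: one source touches >= port_threshold distinct ports on one
    host within `window` seconds.  Host sweep: one source touches
    >= host_threshold distinct hosts on the same port within the window.
    Thresholds are illustrative; a real IPS tunes them per environment.
    """
    ports_per_host = defaultdict(set)   # (src, dst)   -> {dst_port}
    hosts_per_port = defaultdict(set)   # (src, dport) -> {dst}
    first_seen = {}                     # key -> start of current window
    for ts, src, dst, dport in sorted(flows):
        for key, bucket, value in (((src, dst), ports_per_host, dport),
                                   ((src, dport), hosts_per_port, dst)):
            start = first_seen.setdefault(key, ts)
            if ts - start > window:     # window expired: start counting afresh
                first_seen[key] = ts
                bucket[key] = set()
            bucket[key].add(value)
    alerts = defaultdict(list)
    for (src, dst), ports in ports_per_host.items():
        if len(ports) >= port_threshold:
            alerts[src].append(f"port scan of {dst}: {len(ports)} ports")
    for (src, dport), hosts in hosts_per_port.items():
        if len(hosts) >= host_threshold:
            alerts[src].append(f"host sweep on port {dport}: {len(hosts)} hosts")
    return dict(alerts)
```

A production IPS adds many more signals (SYN-without-ACK ratios, closed-port responses, slow-scan detection across long windows), but the counting shown here is the core of why scans are among the more reliably detectable parts of reconnaissance.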

Stage 2. Weaponization / Delivery –> attackers determine which methods to use for exploitation.

Action: SSL decryption/inspection

Decrypting and inspecting SSL/TLS sessions gives the firewall full visibility into traffic that would otherwise pass through encrypted, and enables admins to block high-risk applications.

Action: Block known exploits

Multiple threat prevention techniques, such as anti-malware, anti-bot, anti-ransomware, DNS sinkholing, and file blocking all contribute to protecting your perimeter from being breached. 

Action: Zero-day threat detection

This is provided by real-time, cloud-based sandboxing/threat emulation. Examples include, but are not limited to, Palo Alto Networks WildFire, Check Point SandBlast, and Fortinet FortiSandbox.

Action: URL filtering

Protects by blocking access to malicious or risky website categories, such as hacking, phishing, malware, and gambling sites, which could host harmful web exploits.

Stage 3. Exploitation –> attackers gain access inside and activate code on a victim’s host computer.

Action: Advanced Endpoint Protection

NGFWs can protect against vulnerability exploits using advanced endpoint protection, which integrates cloud-based threat intelligence at the local host level, where most vulnerabilities exist. Examples include, but are not limited to, Check Point SandBlast Agent, Fortinet FortiClient, and Palo Alto Networks Traps.

Stage 4. Installation –> attackers attempt to create privileged accounts, install rootkits, and establish persistence on a target.

Action: Apply secure zones with strict user access control

Zone-based protection allows greater access control and enables inspection of all traffic between zones. 

Action: Antivirus, File Blocking, Application Control

File blocking will prevent drive-by downloads and unwanted file types; antivirus will block malicious files; and granular administrative control over applications will limit the attacker’s ability to move laterally with unknown tools and scripts.

Stage 5. Command and Control –> attackers create a command channel back to a specific server so they can pass data between infected devices and their server.

Action: Anti-Spyware, DNS sinkhole, URL filtering, Application Identification

Some NGFWs have predefined or customizable anti-spyware profiles, which block compromised hosts from trying to phone home to external C2 servers. A DNS sinkhole is another available feature: the firewall answers a DNS query for a known malicious domain with a forged response that resolves the domain to an IP address the firewall administrator has designated as the sinkhole. Any host that then connects to that address has acted on a malicious lookup, which is how the feature helps identify infected hosts on the trusted/protected network. In that sense, a DNS sinkhole is the network equivalent of a honeypot. URL filtering can block outbound access to known malicious web domains. NGFWs identify traffic at the application layer and can block C2 traffic even when applications use non-standard ports. Examples include, but are not limited to, Palo Alto Networks App-ID, Check Point AppWiki, and Cisco Application Visibility and Control (AVC).
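The two halves of the DNS sinkhole described above, the forged answer and the identification of hosts that act on it, as an added example that is not code from the original post or from any of the products named. The blocklist, the sinkhole address, the upstream resolver (a dict) and the connection log are all constructed for illustration.

```python
# Constructed blocklist and sinkhole address; a real NGFW takes the list
# from its threat-intelligence feed and the sinkhole IP from the admin.
MALICIOUS_DOMAINS = {"c2.example-bad.test", "update.evil-cdn.test"}
SINKHOLE_IP = "10.255.255.254"   # unused but routed address inside the network

def resolve(domain, upstream):
    """Firewall-side DNS handling.

    Known-bad names (and their subdomains) get a forged answer pointing at
    the sinkhole; everything else is forwarded to the upstream resolver,
    modelled here as a dict of name -> address.
    """
    name = domain.rstrip(".").lower()
    if name in MALICIOUS_DOMAINS or any(
        name.endswith("." + bad) for bad in MALICIOUS_DOMAINS
    ):
        return SINKHOLE_IP, "sinkholed"
    return upstream.get(name, "NXDOMAIN"), "forwarded"

# Constructed connection log seen after the forged answers were handed out:
# (src_ip, dst_ip, dst_port).
CONNECTIONS = [
    ("10.0.1.15", "10.255.255.254", 443),   # followed a sinkholed answer
    ("10.0.1.15", "203.0.113.5", 443),
    ("10.0.2.40", "10.255.255.254", 8080),  # followed a sinkholed answer
    ("10.0.3.7", "203.0.113.5", 80),
]

def infected_hosts(connections, sinkhole=SINKHOLE_IP):
    """Any internal host that connects to the sinkhole address asked for a
    malicious domain and acted on the answer: flag it for incident response."""
    return sorted({src for src, dst, _ in connections if dst == sinkhole})
```

Because the sinkhole address is the only thing the infected client ever sees, the connection log names the real compromised host rather than the shared internal DNS server that forwarded the query, which is the visibility the firewall otherwise lacks.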


Cyber Kill Chain® is a registered trademark of Lockheed-Martin Corporation.