Zscaler - Cyberthreat Protection - Hands On Lab Guide 2024

The Cyberthreat Protection (EDU-230) Hands-on Lab Guide provides a structured approach to learning Zscaler's security features through practical exercises. It covers various labs focused on securing internet access, content filtering, and advanced threat protection, along with setup instructions and tasks for users to complete. The document emphasizes the importance of Zscaler's Zero Trust Exchange in enhancing security operations against cyber threats.

Cyberthreat Protection (EDU-230)

Hands-on Lab Guide

Cyberthreat Protection (EDU-230) ILT Hands-On Lab Guide © 2015-2024 Zscaler Inc., All rights reserved 1
Copyright

This document is protected by the United States copyright laws, and is proprietary to Zscaler Inc. Copying, reproducing,
integrating, translating, modifying, enhancing, recording by any information storage or retrieval system or any other use of this
document, in whole or in part, by anyone other than the authorized employees, customers, users or partners (licensees) of
Zscaler, Inc. without the prior written permission from Zscaler, Inc. is prohibited.

©2015-24 Zscaler, Inc. All rights reserved.

Trademark Statements

Zscaler™, Zscaler Internet Access™, Zscaler Private Access™, ZIA™ and ZPA™ are either (i) registered trademarks or service marks or
(ii) trademarks or service marks of Zscaler, Inc. in the United States and/or other countries. Any other trademarks are the property
of their respective owners.

Cyberthreat Protection (EDU-230) ILT Hands-On Lab Guide

June 2024, Rev. 1.4


Contents
About the Zscaler Cyberthreat Protection Hands-on Lab 7
Lab Setup 7
Lab 0: Connecting to the Virtual Lab 8
Accessing the Lab Environment 8
Lab Resources and Login Credentials 9
Enroll with Zscaler Client Connector 10
Lab 1: Securing Access to the Internet 12
Task 1.1: View SSL Inspection Policy & Verify SSL Decryption 12
Task 1.2: View Threat Protection Configurations & Risk Reports 15
Task 1.3: Check Your Security Posture 20
Lab 2: Enforce Safe Internet & SaaS Application Access - Content Filtering & Access Control 24
Task 2.1: View Content Filtering Controls 24
Task 2.2: Test End User Experience with Content Filtering 26
Lab 3: Inspect Unknown Files Through Advanced Cloud Sandbox 27
Task 3.1: View Sandbox Configuration 27
Task 3.2: View Sandbox Activity Report 29
Lab 4: Browser Isolation for Cyber Threat Use Cases 33
Task 4.1 View URL/Cloud App Isolate Control Policies 33
Task 4.2: Test Isolate as an Action in Cloud App Control Policies 35
Task 4.3: View Smart Browser Isolation Configuration 37
Task 4.4: Test Smart Browser Isolation 39
Task 4.5: View Cloud Sandbox + Isolation Configuration 40
Task 4.6: Test Cloud Sandbox + Isolation 43

Lab 5: Firewall & DNS Control Policies 50
Task 5.1: Inspect Non-web Traffic Blocking by Default Firewall Block 50
Task 5.2: Blocking QUIC Traffic as a Network Service 54
Task 5.3: Blocking Access to Restricted Sites with DNS controls 57
Lab 6: Extending Zero Trust with Deception-Based Active Defense 60
Task 6.1: Generate Recon Activity 60
Task 6.2: Investigate Deception Alerts 62
Task 6.3: Explore the ITDR Dashboards 67
Summary 71

About the Zscaler Cyberthreat Protection Hands-on Lab

Welcome to the Zscaler Cyberthreat Protection Hands-on Lab. During this lab, you will practice the skills you learned during the
eLearning using Zscaler’s remote lab. You will complete several lab exercises designed to allow you to experience and familiarize
yourself with Zscaler Internet Access (ZIA) security features in a lab environment. Your objectives are to learn how to streamline
your security operations and take full advantage of the multiple layers of security provided by Zscaler’s Zero Trust Exchange.

Lab Setup
This lab environment is designed for carrying out the lab exercises in the provided manual. Your lab environment contains the
resources needed to test secure user access to the Internet through the Zscaler Zero Trust Exchange. Your virtual lab environment
will be started with:
● a virtual Windows PC that you may use for testing as an end user,
● credentials for the admin and user accounts you need,
● a lab manual with a set of lab exercises to guide your learning.

Note: In this lab, you will access the ZIA Admin Portal as a Read-Only Administrator. This role affects what you will see in the
Admin Portal.

Lab 0: Connecting to the Virtual Lab

Accessing the Lab Environment


To access your lab environment, follow these steps:

1. On your laptop, open a browser window and navigate to the Skytap Access URL.

2. Enter your Skytap Passcode and click Go.

3. If the Windows PC VM is shut down, click to start the VM.

4. If prompted for Windows credentials, log in with:

● Username: Student
● Password: Admin-123!

Lab Resources and Login Credentials


5. At any time during the lab, click the Resources tab in the right window frame to access your:

a. Lab Guide attachment

b. Credential information

Note: You can download a softcopy of the Lab Guide from the right window frame.


Enroll with Zscaler Client Connector


6. Log in with Zscaler Client Connector as a user in the IT department:

a. Enter the MKT_department_username.

b. Click Login.

7. At the IdP authentication prompt:

a. Enter the MKT_department_username again if it is not pre-filled, and click Next.

b. Enter the Session_Password and click Sign in.

8. At the Stay signed in? prompt, click No.

9. Zscaler Client Connector will minimize to the Windows taskbar and go through some initialization steps.

10. After a few minutes, check that Zscaler Client Connector is running, and that:

a. Internet Security Service Status shows ON.

b. Network Type is shown as Off-Trusted Network.


11. Confirm that traffic is being forwarded to Zscaler:

a. Open a browser window and go to http://ip.zscaler.com.

b. Verify that you are accessing the Internet via a Zscaler data center.

Lab 1: Securing Access to the Internet

Threat Protection is at the core of preventing compromise. Zscaler offers layered protections to user traffic to provide this basic
requirement. As a cloud-native proxy, the Zscaler security cloud ensures that every packet from every user, on- or off network,
gets fully inspected from start to finish, with unlimited capacity to inspect SSL.

Task 1.1: View SSL Inspection Policy & Verify SSL Decryption
To view the current SSL inspection policies, follow these steps:
1. On your laptop (or the Client PC VM), open a web browser and go to the ZIA Admin Portal URL.

2. Log in to the ZIA Admin Portal with your assigned Admin_User_ID and Session_Password.
3. Go to Policy > SSL Inspection to view examples of SSL policies. Click the View icon for a policy to explore its settings.

Note: Several default policies like Office 365 One Click, and Zscaler Recommended Exemptions help implement SSL
inspection without disrupting users.

4. On the Client PC VM, open a new browser window and go to https://www.microsoft.com.



5. View the certificate for the site.

Note: Viewing the certificate varies by browser choice, but it’s typically done by clicking on the lock symbol in the browser
address bar, then viewing ‘More Information’. You should see that the site is using a Zscaler certificate (Zscaler
Intermediate Root CA).
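The same check can be scripted instead of done through the browser's certificate viewer, which is useful for confirming on many hosts that SSL inspection is actually in the path. The script below is an added example and is not part of the lab guide or Zscaler's own tooling: it reads the issuer of the leaf certificate a server presents and reports whether that issuer is the inspection CA. The marker string "Zscaler" (taken from the issuer name the lab tells you to expect, "Zscaler Intermediate Root CA") and the two sample certificate dicts are assumptions constructed for illustration; `fetch_peercert` needs network access, everything else runs offline.

```python
"""Check whether a TLS connection is being decrypted by an inspecting proxy.

Added example, not part of the Zscaler lab guide. It assumes the inspecting
CA's name contains the marker "Zscaler" (the guide names the issuer
"Zscaler Intermediate Root CA"); adjust INSPECTION_CA_MARKERS for another CA.
"""
import socket
import ssl

# Substrings that identify the organisation's own inspection CA (assumption).
INSPECTION_CA_MARKERS = ("Zscaler",)


def flatten_name(name):
    """Turn the tuple-of-tuples name that ssl.getpeercert() returns into a dict.

    getpeercert() gives e.g. ((('countryName', 'US'),), (('commonName', 'X'),)).
    """
    out = {}
    for rdn in name:
        for key, value in rdn:
            out[key] = value
    return out


def is_inspected(peercert):
    """Return True if the leaf certificate was issued by the inspection CA.

    `peercert` is the dict form returned by SSLSocket.getpeercert().
    """
    issuer = flatten_name(peercert.get("issuer", ()))
    haystack = " ".join(issuer.values()).lower()
    return any(marker.lower() in haystack for marker in INSPECTION_CA_MARKERS)


def classify(peercert):
    """Map a peer certificate to a short, human-readable inspection verdict."""
    issuer = flatten_name(peercert.get("issuer", ()))
    cn = issuer.get("commonName", "<no CN>")
    if is_inspected(peercert):
        return f"inspected: issuer is {cn}"
    return f"not inspected: issuer is {cn}"


def fetch_peercert(host, port=443, timeout=5):
    """Open a TLS connection and return the leaf certificate as a dict.

    The default context validates the chain against the OS trust store, so this
    only succeeds for an inspected site when the inspection CA has been installed
    on the client, which is the state Client Connector enrollment sets up.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() format (not real data).
SAMPLE_INSPECTED = {
    "subject": ((("commonName", "www.microsoft.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Zscaler Inc."),),
        (("commonName", "Zscaler Intermediate Root CA"),),
    ),
}
SAMPLE_DIRECT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Public CA"),),
        (("commonName", "Example Public CA RSA 2020"),),
    ),
}

if __name__ == "__main__":
    import sys

    # With a hostname argument, test a live connection; otherwise use the sample.
    host = sys.argv[1] if len(sys.argv) > 1 else None
    cert = fetch_peercert(host) if host else SAMPLE_INSPECTED
    print(classify(cert))
```

Run it with a hostname to test a live connection from the Client PC VM. If the Zscaler root is not in the client's trust store, `create_default_context()` rejects the inspected chain with a verification error; that error is itself a useful signal, because it means inspection is on but the client is not enrolled correctly, which users would experience as certificate warnings.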


6. [Optional] On the ZIA Admin portal, go to Analytics > Web Insights and select Protocol to see encrypted vs unencrypted traffic
mix.
7. [Optional] Change the Timeframe on the left navigation bar to see charts for different time periods or by transactions vs bytes.


Task 1.2: View Threat Protection Configurations & Risk Reports


To view the current Threat Protections, follow these steps:
1. In the ZIA Admin Portal, go to Policy > Malware Protection.
2. Scroll through the settings and compare them to the Recommended Policy settings, taking notice of which Malware
Protections have been enabled. These protection areas guard users against spyware, botnets, malicious active content, and
more.

3. Go to Policy > Advanced Threat Protection.


4. Scroll through the settings and compare them to the Recommended Policy settings, taking notice of which Advanced Threat
Protections have been enabled. These protection areas guard users against Command and Control Traffic, Malicious Sites,
Fraud Protection, Phishing, Cryptomining, Tunneling, Cross-Site Scripting (XSS), etc.


5. Note the current Page Risk Score Index (SUSPICIOUS CONTENT PROTECTION (PAGE RISK™)).
6. Go to Analytics > Configuration Risk Report.

The Zscaler service calculates the Risk Index of a page in real time by identifying malicious content within the page
(injected scripts, vulnerable ActiveX, zero-pixel iFrames, and many more) and creating a risk score, or Page Risk Index.

Simultaneously, a Domain Risk Index is created using data such as hosting country, domain age, past results, and links to
high-risk top-level domains. The Page Risk and Domain Risk are combined to produce a single score for the Risk Index;
this score is then evaluated against the Suspicious Content Protection (Page Risk™) value that you set in this policy. The
Low Risk area indicates that you are willing to block anything that is even slightly suspicious; there is no tolerance for
risk. The High Risk area indicates a high tolerance for risk and will allow users to access even very risky sites.

The Configuration Risk Report evaluates the current policy configuration, traffic pattern and feature capabilities against
Zscaler’s best practices and recommends configuration changes to better protect against emerging threats.

7. Click on each category (Web-Based Threats, File-Based Threats, Network-Based Threats, Uninspected Encrypted Traffic) to
understand the current protection status and its contribution to the overall risk.

8. Navigate to the category with the highest Risk Contribution and drill into the details by clicking on the category name. Review
the potential threats and recommended configuration changes.

9. Go to Analytics > Company Risk Score Report.

The Company Risk Score Report allows organizations to monitor and analyze the various factors that contribute to an
organization's risk score, which can include recent malware outbreaks, risky user behavior, and other suspicious factors.
Administrators can study how their users' and company's risk score has changed over time and compare their score
against their industry peers and Zscaler cloud averages.

The Company Risk Score Report provides the following benefits and enables you to:
● Configure stronger policies by monitoring your organizational, location, and user-level risk exposure.
● Study how users' and the company's risk scores change over time to determine the effectiveness of various policy
configurations.
● Compare the risk scores against your industry peers and Zscaler cloud averages to understand your position against
potential attacks.

10. Review the sections Events Contributing to the Risk Score and Top Advanced Threats Trend to understand the user’s risky
behavior and activity trend that contributed to the current risk score.

11. Subsequently, you can click on any of the Top Risky Users to pivot to the User Risk Report to understand the selected user’s
behavior that contributed to the risk score and trends.


Task 1.3: Check Your Security Posture


To see the before-and-after effects of enabling Zscaler protections, follow these steps:
1. On the Client PC VM, go to the Client Connector and turn off Internet Security.

2. In a browser window, go to https://www.testmydefenses.com/.


3. Scroll down to Internet Threat Exposure Analysis.


4. Select Test your defenses now and then click Test your cyber risk posture to see how you are protected without Zscaler.


5. Wait for the test to complete and review the results.

6. Return to the Test My Defenses site.


7. Under Ransomware Risk Assessment, click Test your defenses now and then click Test My Ransomware Defenses.
8. Wait for the test to complete and review the results.


Note: You can fill out the details on the right to get a more detailed, downloadable risk assessment.

9. Now turn Internet Security back on and rerun both analysis tools.

Note: You should see a significant difference between the results with ZIA disabled and with the service re-enabled in Zscaler Client Connector.

Lab 2: Enforce Safe Internet & SaaS Application Access - Content Filtering & Access Control

Much of combating cyber threats is never letting them have a chance in the first place! Zscaler URL Filtering and Cloud App
Controls are tools that can be used to provide controls around which sites and applications users can reach on the Internet.

Task 2.1: View Content Filtering Controls


To familiarize yourself with the current URL Filtering and Cloud App controls, follow these steps:

1. In the ZIA Admin Portal, go to Policy > URL & Cloud App Control.

2. Under the URL Filtering Policy tab, review the currently defined policies, for example blocking URLs in the Social Networking
category and sending Miscellaneous traffic to Browser Isolation.

3. Under the Cloud App Control Policy tab, review pre-configured policies, including:

a. Social Networking policies that only allow users in the HR department to view and post to social media sites.

4. Scroll further down the list to see the rules configured in other categories. For example:

a. Streaming Media policies that will allow users in the Marketing department to view Zscaler’s YouTube channel, but
block access to any other YouTube videos.

b. Webmail policies for sending Unsanctioned Mail apps to Browser Isolation.

5. Click the Advanced Policy Settings tab and review the recommended settings for Advanced URL Filtering options, such as
SafeSearch, Suspicious New Domains Lookup and AI/ML based Content Categorization.

6. Go to Administration > Tenant Profiles.

7. Review the settings of Zscaler’s YouTube channel, which was used in the Streaming Media policy you viewed previously.

Zscaler's Tenancy Restriction feature allows you to restrict access either to personal accounts, business accounts, or both for certain
cloud applications.


Task 2.2: Test End User Experience with Content Filtering


To test the end user experience when accessing websites and cloud apps, follow these steps:
1. On the Client PC VM, log into the Zscaler Client Connector as the Marketing user.

2. Browse to the Zscaler YouTube channel to test tenant restrictions:

https://www.youtube.com/channel/UCSylwuqCXM_W13ARfzASm3Q

3. Go to https://linkedin.com to see if you can get to it.

Note: Based on the policies you reviewed earlier, a user in the Marketing department should be able to view Zscaler
YouTube videos and be Isolated when visiting social networking sites, like Twitter.

4. [Optional]: Log out of Zscaler Client Connector and log back in with the HR_department_username. Verify that as a user in
the HR department you are able to view Facebook, LinkedIn, or Twitter directly without being sent to Isolation.

Lab 3: Inspect Unknown Files Through Advanced Cloud Sandbox


Any Threat Protection solution needs to include Sandboxing to protect against unknown files. Zscaler offers an inline sandbox
with inline quarantine and AI-driven prevention to accurately identify downloads with malicious intent and block them before
the user downloads them.

Task 3.1: View Sandbox Configuration


To view Sandbox policy settings, follow these steps:
1. In the ZIA Admin Portal, go to Policy > Sandbox.

2. Select the icon for the Catch_All rule to view its settings.


Note: You can see that this policy looks at many file types, applies to all users, and will Quarantine a previously unknown
file, before allowing it to be downloaded.

3. Explore other Sandbox policies.

4. Note the configured Criteria and Actions, e.g. the difference between ‘Quarantine First Time and Block Subsequent
Downloads’ vs. ‘Allow and scan First Time and Block Subsequent Downloads’ actions.
5. Click Recommended Policy and review the suggested configuration.


Task 3.2: View Sandbox Activity Report


To get a better understanding of the threats that are identified and blocked by sandbox policies, follow these steps:
1. In the ZIA Admin Portal, go to Analytics > Sandbox Activity Report.

2. Explore the various graphs. For example, check how many of the quarantined files were assessed to be malicious.


3. From the dropdown menu in the upper left, select Sandbox Files found Malicious.
4. Review the list of malicious files, including their File Type and Threat Name.

Note: Select a different timeframe for the report if there are no reports of malicious activity in the week selected.

5. In the table, click the unique MD5 value for a malicious file and then select View Sandbox Detail Report.

Note: Clicking a file’s Threat Name will open the Zscaler Threat Library and display more details about the identified
threat.

The Sandbox Detail Report provides different types of information about a file and its behavior, including forensic details such
as which registry keys were changed, which network connections were initiated, and which files were read.

For each category, you can view additional details by clicking the Expand icon at the top right-hand corner of each widget.


6. Go to Analytics > Web Insights and select the Logs tab.

7. Click Add Filter, select Sandbox and then select all Sandbox options.

8. Click Done.

9. Click Apply Filters.

Note: You can add additional filters to quickly zero in on specific threats. For example, you could add the Policy Action >
Block filter to only display logs for files that were blocked by Sandbox.

10. Scroll through the log details.


11. Change the Timeframe and click the icon to add/remove columns from the logs table.

Note: You can also go to Dashboard > Security to view a list of Sandbox Patient Zero Events.

Lab 4: Browser Isolation for Cyber Threat Use Cases

Reduce Risk by Isolating Risky Websites | Document files + Cloud Sandbox (Protection against potential Zero Day files)

As noted in the presentation, Zscaler Browser Isolation is able to provide an “air gap” between the user and the destination.
Browser Isolation is able to provide additional “last mile” security controls such as:

● Upload/Download Controls,
● Clipboard Controls,
● Print Controls,
● Office File Document Viewing,
● Read Only Controls,
● Whether or not to display a Watermark, etc.

Task 4.1 View URL/Cloud App Isolate Control Policies


Isolate can be used as an action in URL and Cloud App Control policies. Any traffic matching these policies is isolated and
rendered in an isolated browser using the profile selected. In this lab you will examine the configured Cloud App Control
policies to see where Isolate is configured as the action. To view URL/Cloud App Isolate control, follow these steps:

1. View the configured Cloud App control policy:


a. Go to Policy > URL & Cloud Application Control
b. Click to view the Cloud App Control Policy tab.
2. Identify the rules that have Isolate configured as the action.

Note: You should be able to spot a policy isolating Consumer/ Online Shopping cloud applications.


Task 4.2: Test Isolate as an Action in Cloud App Control Policies


In this task, you will test to see what a user sees when they access an application that is rendered in isolation. To test Isolate as an
action in Cloud App control policies, follow these steps.

1. Verify that your Client PC VM is logged in through Zscaler Client Connector and that Internet Security is On.
2. Try browsing https://www.costco.com to test Cloud App control policies.
3. Verify that you are redirected to Browser Isolation (Notification banner displayed for a brief time).


Note: With the isolation profile applied in the Consumer / Online Shopping rule, expect the following:
● You will not be able to copy/paste/print.
● Pages will be watermarked
● You will be able to input text into the page.


Task 4.3: View Smart Browser Isolation Configuration


Employees will stay safe online when their cyber threat protection is enhanced with Smart Browser Isolation.

In this task you will examine the one-click setting to enable Smart Browser Isolation. With this enabled, attempting to browse web
content that is categorized as suspicious using AI/ML models will put the user in an isolated session for the questionable web
page. This policy identifies suspicious websites and decrypts them using SSL inspection, and presents the users with a rendition
of the actual websites in a remote browser using cloud browser isolation. To view the Smart Browser Isolation, follow the steps:

1. Go to Policy > Secure Browsing


2. On the Smart Isolate tab view the Enable AI/ML based Smart Browser Isolation one-click setting.
3. Note that the Browser Isolation Profile selected in the configuration is called AI Render Only.


4. View the settings for the configured Browser Isolation Profile:


○ Go to Administration > Browser Isolation
○ Locate the AI Render Only rule.

5. Examine the AI Render Only Isolation profile to verify that it:


○ Prevents printing.
○ Renders the page “read-only” (the user will not be able to type keystrokes in text fields).
○ Does not allow local browser rendering.


Task 4.4: Test Smart Browser Isolation


In this task, you will test that with Smart Browser Isolation enabled, URLs categorized as suspicious will be automatically isolated.
To test Smart Browser Isolation, follow these steps:

1. On the VM, go to a suspicious URL.

Note: The instructor will advise the specific URL to test with for your session.
By their nature, suspicious URLs are often only temporary, which makes it necessary to find a new URL each
session to demonstrate and test.

2. Verify that the URL is automatically isolated, indicating that it was categorized as a suspicious destination with Smart
Browser Isolation enabled.
3. Verify that a banner states that the webpage is rendered in read-only isolation mode and that you cannot
pass any text from the local computer to the isolated webpage.
4. Identify the profile being used for isolation:
a. Click the icon in the bottom right corner of the screen
b. Check that the URL bar of the isolation browser is displayed.
c. Click the button to view additional information,
including the isolation profile used to isolate the webpage.
5. If possible, find and test additional controls applied by the Isolation
profile:

a. Are you prevented from inputting text into text entry fields?
b. Are you able to interact with controls on the page such as
clicking on an "Order Now" button, or similar?


Task 4.5: View Cloud Sandbox + Isolation Configuration


The purpose of this task is to understand the integration between Cloud Sandbox with Browser Isolation.

To boost user productivity while also protecting them from potential Zero Day malicious document files, Browser Isolation has
been seamlessly integrated with Zscaler’s Cloud Sandbox. This enhanced integration enables the end user to instantly view
quarantined files in isolation while the file undergoes Advanced Sandbox analysis. Potential malicious files are rendered in an
isolated container as a flattened PDF, granting instant access to the content of the file. This allows the user to be both safe and
productive while they wait for the sandbox verdict to determine if the file is benign or malicious. If the sandbox analysis verdict is
benign, the user will be able to download either the original content or the flattened PDF file. If the verdict is that the file is
malicious, the user will be able to download the flattened PDF version of the file only.

Note: Advanced Sandbox subscription is needed for this feature.

1. Examine the rule that is configured to isolate files for viewing until they are evaluated in the sandbox.
a. Go to Administration > Browser Isolation.
b. Find the rule named TZTE Download and Copy. This rule allows file transfer from Isolation to the local computer, plus
Sandbox Scanning.


c. Verify that the configuration is for file transfer from Isolation to the local computer to be Sandbox Scanned.

NOTE: Security options to Allow File Transfers in either direction (local computer to isolation, or isolation to computer) are
configured in the Isolation Profile. For this option to be available here in the policy it would have to have been enabled in
sandbox settings first.


2. Check the sandbox rules.


a. Go to Policy > Sandbox.

b. Locate the rule named Isolate & Scan with AI, and click to View.

3. Note that several document file types have been selected to go through “Quarantine and Isolate” if it’s the first time Zscaler
Cloud is seeing the file.

Note: Quarantine and Isolate action is only applicable to document type files.


Task 4.6: Test Cloud Sandbox + Isolation


In this task you will test to see Cloud Sandbox + Isolation in action. Testing will be done by downloading from a site with test files
that will trigger the sandbox policy. To test Cloud Sandbox + Isolation, follow these steps:

1. On the Client PC, go to https://securitytest.zsdemo.com/passwordless/browser-isolation.php

Note: Since all traffic from this device is going through the Zscaler cloud, once the potentially malicious link is clicked,
Zscaler’s Zero Trust Exchange instantly goes into action. Because the Browser Isolation profile is set for sandbox scanning and
the Sandbox policy is configured to Quarantine and Isolate potentially malicious document files, the file is launched in
Isolation for Cloud Sandbox to start its analysis of the file.

2. Observe that a brief alert is displayed indicating that the file was sent for Sandbox analysis, and that the name of the file
stays displayed at the bottom of the page.


3. Access the file through the Protected Storage.

a. Click the icon at the bottom right-hand corner to expose an additional Isolation menu.

4. Next click Show saved files to see what is happening in the Protected Storage section.

Note: The Protected Storage is a temporary location where files are saved to while in Isolation. Once the session has been
terminated, the files are purged.

5. Observe that the Protected Storage section offers the option of viewing the file in a flattened PDF format while Cloud Sandbox
is doing its analysis.


6. Check the status icon:

a. Semi-closed circle indicates Sandbox Analysis in progress.

b. Green shield indicates the file is safe and okay to download.


7. Verify that once the analysis is done and the file is found to be safe, you can download the original file to the Client PC VM.


8. Check the Sandbox Analysis log:


a. Go to Analytics > Web Insights.
b. Click the Logs tab.
c. Add filters to search on:
i. the user name, and
ii. the URL for the link that was clicked on.
d. Click Apply Filters.


9. View the log entries, and look for Isolate and Scan in the Policy Action column.


10. Ensure the MD5 field is included on the display:


a. Click on the 3 dots on upper right hand corner
b. Either click Select All, or search for and select to display the MD5 field.
c. Click the hash shown in the MD5 column, then click the View Sandbox Detail Report link.


11. View the details shown in the Sandbox Detail report.

Lab 5: Firewall & DNS Control Policies

The Zscaler service provides integrated cloud-based next-generation firewall capabilities that allow granular control over your
organization’s outbound TCP, UDP, and ICMP traffic. Non-web traffic is controlled via Firewall policies and requires the Advanced
Firewall license.

With Firewall Filtering, you can configure policies that define which types of traffic are allowed from specific sources and to
specific destinations. Firewall Control also includes a dashboard, giving your organization visibility into your networks.

In this lab you will examine a set of configured firewall and DNS control policies and view the corresponding analytics.

Task 5.1: Inspect Non-web Traffic Blocking by Default Firewall Block


With Z-Tunnel 2.0, traffic for all ports and protocols can be sent to Zscaler for inspection. The firewall has a default rule that blocks all
traffic not explicitly allowed by an earlier rule. To view this default firewall rule, follow these steps:

1. Check the configured Firewall Policy to ensure that non-web traffic is blocked by the firewall:

a. Go to Policy > Firewall Control (in the FIREWALL FILTERING section) in the ZIA Admin Portal.

b. Verify that the Default rule is set to Block/Drop.

c. Verify that there are no rules configured that would allow non-web traffic.

Note: Rules such as the Office 365 One Click Rule, Zscaler Proxy Traffic, and Recommended Firewall Rule explicitly allow
very specific traffic needed for correct operation of the related features. ICMP and SSH traffic run in this lab exercise will not
match any of those rules and will fall to the Default rule which is configured to block by dropping the connections.


2. Check the Firewall Insights logs:

a. Go to: Analytics > Firewall Insights.

b. Click on the Logs tab.

c. Filter to see the relevant log entries:


● Select the Timeframe as Previous Month.
● Click on Add Filter and select the filter category Rule Name.
● Under Rule Name, search for and select the rule name Default Firewall Filtering Rule.
● Optionally add further filters to narrow the records returned down to the specific entries of interest. For example, add a
filter for Network Service and select ICMP.
● Click on Apply Filters.


Task 5.2: Blocking QUIC Traffic as a Network Service


QUIC is an alternative method of transmitting web content: it forms the transport basis of the HTTP/3 protocol, replacing TCP. To
ensure that this web traffic can be SSL inspected, Zscaler's recommended best practice is to block QUIC, which triggers the browser's
QUIC failsafe and makes it fall back to TCP.

Blocking QUIC: QUIC is a UDP-based protocol, and most QUIC traffic appears as a network service of UDP with destination port
443. Zero Trust Firewall is configured to block this, forcing the client to fall back to a TCP-based protocol such as HTTP/2 for web
traffic. QUIC can be blocked by the default firewall rule when no other rule matches it (as in the configuration for this lab), or a
rule can be added to block QUIC explicitly. An explicit rule is recommended, and is required if the default rule's action is Allow
rather than Block.

In this task you will examine the Firewall configuration for classifying and blocking QUIC as a network service:
1. Examine the network service configured for QUIC:
a. Go to Administration > Network Services (In the RESOURCES section)
b. Under Services tab, search for the service named QUIC.
c. Verify that QUIC is configured to match UDP Destination Port 443.

2. Check the configured Firewall Policy to ensure that QUIC traffic is blocked by the firewall:
a. Go to Policy > Firewall Control:
b. Search on the Firewall Filtering Policy tab for the rule named Block QUIC.

c. Verify that the rule is configured with Action: Block/Reset and Criteria: Network Services - QUIC.

d. Verify that there are no preceding rules configured that would allow QUIC traffic to pass.


3. Click on the View icon to see the details of the rule configuration, and note the configured values:
a. Services tab: Network Services is set to QUIC.
b. Action is set to Block/Reset.
c. Click Close.
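The two checks in Tasks 5.1 and 5.2 (non-web traffic falls to a default block; the Block QUIC rule is not shadowed by an earlier Allow) come down to first-match evaluation of an ordered rule list. The following is an added example, not code from the lab guide or from Zscaler: a small first-match policy evaluator run over constructed flows, plus a check that flags an earlier Allow rule that would shadow a later block. The service definitions, rule names, the default DNS of the sample payload and the "Any UDP" service are assumptions chosen to mirror the lab configuration (QUIC = UDP destination port 443). The QUIC header check follows RFC 9000 (long-header form bit, fixed bit, 4-byte version 0x00000001 for QUIC v1).

```python
"""Added example (not from the Zscaler lab guide): first-match firewall rule
evaluation over constructed non-web flows, with a shadowing check."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import struct


@dataclass(frozen=True)
class Flow:
    proto: str                 # "tcp", "udp" or "icmp"
    dst_port: Optional[int]    # None for ICMP
    payload: bytes = b""       # first datagram; used only by the QUIC header check


# Network services as defined under Administration > Network Services
# (assumed values; the lab's QUIC service is UDP destination port 443).
SERVICES: Dict[str, Tuple[str, Optional[int]]] = {
    "QUIC":    ("udp", 443),
    "HTTPS":   ("tcp", 443),
    "SSH":     ("tcp", 22),
    "ICMP":    ("icmp", None),
    "Any UDP": ("udp", None),   # only used below to show a misordered policy
}

# Ordered Firewall Filtering rules: (rule name, service, action).
# First match wins; unmatched traffic falls to DEFAULT_RULE.
RULES: List[Tuple[str, str, str]] = [
    ("Zscaler Proxy Traffic", "HTTPS", "Allow"),
    ("Block QUIC",            "QUIC",  "Block/Reset"),
]
DEFAULT_RULE = ("Default Firewall Filtering Rule", "Block/Drop")


def matches_service(flow: Flow, service: str) -> bool:
    proto, port = SERVICES[service]
    return flow.proto == proto and (port is None or flow.dst_port == port)


def is_quic_v1_long_header(payload: bytes) -> bool:
    """True if the datagram starts with a QUIC v1 long header (RFC 9000):
    bit 7 = long header form, bit 6 = fixed bit, then a 4-byte version
    where 0x00000001 is QUIC v1 (the version HTTP/3 uses)."""
    if len(payload) < 5:
        return False
    if payload[0] & 0xC0 != 0xC0:
        return False
    (version,) = struct.unpack("!I", payload[1:5])
    return version == 0x00000001


def evaluate(flow: Flow, rules=RULES, default=DEFAULT_RULE) -> Tuple[str, str]:
    """Return (rule name, action) of the first matching rule, else the default."""
    for name, service, action in rules:
        if matches_service(flow, service):
            return name, action
    return default


def earlier_allow_for(service: str, rules=RULES) -> Optional[str]:
    """Name of the first Allow rule that would shadow a later rule for
    `service`, or None. This is the 'no preceding rules allow QUIC' check."""
    proto, port = SERVICES[service]
    probe = Flow(proto, port)
    for name, svc, action in rules:
        if svc == service:
            return None            # the rule for this service is reached first
        if action == "Allow" and matches_service(probe, svc):
            return name
    return None


# Constructed sample traffic: a QUIC v1 Initial (type 0, 8-byte DCID) and bare flows.
QUIC_INITIAL = bytes([0xC3]) + b"\x00\x00\x00\x01" + b"\x08" + b"\x11" * 8
FLOWS = {
    "icmp_echo": Flow("icmp", None),
    "ssh":       Flow("tcp", 22),
    "quic":      Flow("udp", 443, QUIC_INITIAL),
    "https_tcp": Flow("tcp", 443),
}

if __name__ == "__main__":
    for label, flow in FLOWS.items():
        rule, action = evaluate(flow)
        print(f"{label:10} -> {rule:32} {action:12} "
              f"quic_v1_header={is_quic_v1_long_header(flow.payload)}")
    misordered = [("Allow UDP", "Any UDP", "Allow")] + RULES
    print("Block QUIC shadowed by:", earlier_allow_for("QUIC", misordered))
```

The ICMP and SSH flows match none of the explicit rules and land on the default Block/Drop, the UDP/443 flow hits Block QUIC, and inserting a broad UDP Allow ahead of it is reported as shadowing, which is exactly what step 2d above asks you to rule out in the portal.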


Task 5.3: Blocking Access to Restricted Sites with DNS controls


With DNS Control, rules can be defined that control DNS requests and responses. In the lab there is a DNS Control rule configured
to block access to gambling websites by blocking the DNS lookup that would return the IP address to connect to. In this task you
will examine these rules.

1. Check the configured DNS Control Policy rules:


a. Go to Policy > Firewall > DNS Control.
b. Scroll or search for the rule named Block Gambling.
c. Verify that the Action is set to Block for the Gambling Request and Response Categories.
d. [Optional] Click the View icon to see details of how the rule is configured.


Note: To send all DNS traffic (UDP, TCP and DoH) from Zscaler Client Connector to the Zscaler Cloud Firewall, traffic
forwarding must use Z-Tunnel 2.0.

2. Check the DNS Insights Analytics log entries to confirm that the configured policies were enforced.
a. Go to: Analytics > Insights > DNS Insights.
b. Click on the Logs tab.
c. Filter to see the relevant log entries:
● Select the Timeframe as Previous Month.
● Click on Add Filter and select the filter category Rule Name.
● Under Rule Name, search for and select the rule name Block Gambling (the rule examined in step 1).
● Click on Apply Filters.
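A DNS Control rule acts on the name being asked for, so whatever the transport, the firewall has to pull the question out of the DNS wire-format message first. The following is an added example, not code from the lab guide or from Zscaler: it builds a DNS query, parses its question section per RFC 1035, categorizes the name with a longest-suffix match, and applies an ordered list of request-category rules in the manner of the Block Gambling rule above. The category map, sample domains and the default rule name are constructed assumptions. DoH (RFC 8484) carries this same wire-format message in the HTTP body, which is why the note above matters: once DoH is forwarded through Z-Tunnel 2.0, the same parsing applies to it as to UDP and TCP DNS.

```python
"""Added example (not from the Zscaler lab guide): DNS question parsing and
category-based request blocking, as a DNS Control rule would apply it."""
import struct
from typing import Dict, List, Tuple

# Constructed category map; a real deployment uses the service's URL categories.
CATEGORIES: Dict[str, str] = {
    "bet-example.test": "Gambling",
    "casino-example.test": "Gambling",
    "www.example.com": "Corporate Marketing",
}

# Ordered DNS Control rules: (name, request category, action). First match wins.
DNS_RULES: List[Tuple[str, str, str]] = [
    ("Block Gambling", "Gambling", "Block"),
]
DEFAULT_DNS_RULE = ("Default Firewall DNS Rule", "Allow")   # assumed default


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (QTYPE A by default, recursion desired)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                      for lbl in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_question(msg: bytes) -> Tuple[int, str, int]:
    """Return (transaction id, qname, qtype) for the first question.
    Malformed or truncated input raises ValueError rather than being guessed at."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    txid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:   # compression pointers are not valid in a query name
            raise ValueError("compression pointer in question name")
        if pos + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("truncated qtype/qclass")
    (qtype,) = struct.unpack("!H", msg[pos:pos + 2])
    return txid, ".".join(labels).lower(), qtype


def category_of(qname: str) -> str:
    """Longest-suffix match, so subdomains inherit the parent domain's category."""
    parts = qname.split(".")
    for i in range(len(parts)):
        cat = CATEGORIES.get(".".join(parts[i:]))
        if cat:
            return cat
    return "Uncategorized"


def evaluate_dns(msg: bytes) -> Tuple[str, str, str, str]:
    """Return (qname, category, rule name, action) for a raw DNS query."""
    _, qname, _ = parse_question(msg)
    cat = category_of(qname)
    for name, rule_cat, action in DNS_RULES:
        if rule_cat == cat:
            return qname, cat, name, action
    return (qname, cat) + DEFAULT_DNS_RULE


if __name__ == "__main__":
    for host in ("odds.bet-example.test", "www.example.com"):
        print(evaluate_dns(build_query(host)))
```

The gambling lookup is stopped at the request stage, before any IP address is returned, which is the behaviour the DNS Insights log entries for the Block Gambling rule record.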


Lab 6: Extending Zero Trust with Deception-Based Active Defense

Deception is a proactive defense approach that detects active threats by populating your environment with decoys: fake
endpoints, services, databases, users, computers, and other resources that mimic production assets for the sole purpose of
alerting you to adversary presence when they are touched. Because decoys are invisible to legitimate users, who have no reason to
know they exist, any interaction with them is a high-confidence indicator of a breach. Security analysts and SOCs use deception-based
alerts to generate threat intelligence, stop lateral movement, and orchestrate threat response and containment without human
supervision.
In this lab there are decoys configured that you will trigger to simulate an attacker. You will then get familiarized with the Zscaler
Deception administrator console and the types of attack intelligence it provides.

Task 6.1: Generate Recon Activity


In this task, you will simulate the activities of an attacker doing reconnaissance on the attack surface. This will generate an entry
to examine in the logs. Some examples of the public-facing decoys that have been deployed include:
● http://moveit.thezerotrustexchange.com/
● http://vpn.thezerotrustexchange.com/
● http://wordpress.thezerotrustexchange.com/
● http://helpdesk.thezerotrustexchange.com/

To generate decoy activity, follow these steps:

1. On the Client PC VM, open a new browser window, and go to one of the public-facing decoys listed above.


2. Enter credential values that you will be able to find in the logs later. Example:

a. Username: sdcuser_<identifier>__

b. Password: SDCaccess

Note: For this lab any random values for Username and Password can be used. If you include a unique identifier string in the
username it will be easier to identify the specific log entry for this recon activity.

c. Click to Sign On.

Note: When Sign-on is clicked the page will appear to have simply been submitted and cleared, prompting again for
credentials. This is the expected behavior for the decoy doing its job to record recon activity.


Task 6.2: Investigate Deception Alerts


In this task you will sign in to the Deception Administrator Console and explore some of the incident data collected, as a way to
familiarize yourself with the Admin Console. To investigate deception alerts, follow these steps:
1. Open the Deception Admin Console and log in with your assigned admin credentials:
a. Go to https://zerotrust.illusionblack.com/

b. Click the Solutions Demo Center Login tile.

c. Enter the admin credentials provided in your lab environment:

i. Login ID: Admin_User_ID (same as your assigned ZIA Admin credential)

ii. Password: Session_Password

d. Click Sign in.

Note: Be sure to click the Solutions Demo Center Login tile to connect to the tenant configured for this lab.

If sign-in fails it is most likely that you attempted to sign in directly on the form initially presented.

e. Accept the End User Subscription Agreement.


2. Investigate the alert data to view the entry for the recon event generated above.

a. Click Investigate in the main menu and select ThreatParse.

b. Select Last 10 minutes to see the latest logs.


c. Search for the name of the public-facing decoy hit in the previous task. Enter the following query in the Investigate bar:

decoy.name is "moveit.thezerotrustexchange.com"

(substitute the name of the decoy that was visited)

d. Press the Enter key to run the query.

e. Click on any one of the attackers displayed to display the event information entry.

f. Note the Event summary information displayed on the right side.

3. Click View Extended Details to see more information about the event.


4. Click to view the Event Logs tab.

5. Review the details presented and review event logs.

6. Sort or Search by recon post_data user to review the logs for the specific event based on the Username that was input in the public
decoy.

Note: If the field recon post_data user is not visible in the table, adjust the table fields
displayed by clicking the chevron at the top left of the table to display the field choice selection
menu.


7. Click on the event log entry of interest to see all of the details.


Task 6.3: Explore the ITDR Dashboards


In this task you will explore the ITDR Identity Posture dashboard to familiarize yourself with the Admin Console for ITDR. To explore the ITDR
dashboards, follow these steps:
1. Click the ITDR item in the Deception admin portal menu, and select to view the Identity Posture Dashboard.


2. Select choicecorp.net from the Result for dropdown list.


3. View the report created from the latest scan.

Note: This report for the domain was compiled without installing any software on the AD server.


4. Scroll down to view the differential reporting in the Recent Changes list, and the MITRE ATT&CK TTP exposure.


5. Scroll to the top and review a few of the Focus Areas findings. Click the top finding for specifics on how to reduce particular
types of risk to the AD service for this domain.


Summary

Zscaler Cyberthreat Protection delivers always-on protection against ransomware, zero-day threats, and unknown malware. As a
cloud-native proxy, the Zscaler security cloud ensures that every packet from every user, on- or off network, gets fully inspected
from start to finish, with unlimited capacity to inspect SSL.

With an integrated suite of security services across Malware Detection, Advanced Threat Protection, URL Filtering, Cloud App
Control, Cloud Browser Isolation, Cloud Sandbox with Machine Learning, and Threat Intelligence, you’ll close security gaps and
reduce risks that result from other security solutions’ shortcomings.

With the addition of Zscaler Deception technologies, you can ensure that even your authenticated and authorized users are not
misusing their access.
