User Tools

Site Tools


create_a_purely_technical_test_with_the_malware_testing_suite

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revisionBoth sides next revision
create_a_purely_technical_test_with_the_malware_testing_suite [2019/01/21 13:09] lucycreate_a_purely_technical_test_with_the_malware_testing_suite [2019/02/08 15:40] lucy
Line 3: Line 3:
 {{ 85.jpg?600 }} {{ 85.jpg?600 }}
  
-==== The idea behind LHCF: testing your defenses ====+==== The idea behind LHFC: testing your defences ====
  
-You have invested time, effort, and money in defenses. But, how do you know they are working? Unless you are willing to intentionally get owned or you want to introduce a piece of malware into your environment, you need safe and effective ways to test your visibility. This is where LUCY'LHCF comes in place. There are multiple products that may help detect a malware activity. While it can be detected at the host level, you have another chance detecting it at the network level. These devices include, but are not limited to:+You have invested time, effort, and money in defences. But, how do you know they are working? Unless you are willing to intentionally get owned or you want to introduce a piece of malware into your environment, you need safe and effective ways to test your visibility. This is where LUCY'LHFC comes in place. There are multiple products that may help detect a malware activity. While it can be detected at the host level, you have another chance detecting it at the network level. These devices include, but are not limited to:
  
   * **Firewalls** (unfortunately, the larger the network, the more difficult it can be to track down a host and determine the functionality of the host. Knowing the functionality can be instrumental in determining if the traffic is normal or suspicious)   * **Firewalls** (unfortunately, the larger the network, the more difficult it can be to track down a host and determine the functionality of the host. Knowing the functionality can be instrumental in determining if the traffic is normal or suspicious)
   * **Web Proxies**   * **Web Proxies**
-  * **IDS** (an intrusion detection system can potentially detect malware activity if a rule is triggered. This is useful as a layered defense, but the traffic will usually have to be something that is previously known and understood in order for a rule to hit. If the IDS has additional intelligence such as traffic thresholds or trending, then there is a low chance it could be detected from this capability)+  * **IDS** (an intrusion detection system can potentially detect malware activity if a rule is triggered. This is useful as a layered defence, but the traffic will usually have to be something that is previously known and understood in order for a rule to hit. If the IDS has additional intelligence such as traffic thresholds or trending, then there is a low chance it could be detected from this capability)
   * **Malware/anomalous traffic detection appliances** (Malware detection appliances go a step beyond traditional IDS by integrating multiple detection mechanisms into one device. Some for example, use an layered detection mechanism with Antivirus definitions, Network signatures, File Reputation, IP reputation & Static file analysis.   * **Malware/anomalous traffic detection appliances** (Malware detection appliances go a step beyond traditional IDS by integrating multiple detection mechanisms into one device. Some for example, use an layered detection mechanism with Antivirus definitions, Network signatures, File Reputation, IP reputation & Static file analysis.
   * **Security Information and Event Management (SIEM) solutions** (Security Information and Event Management solutions can also help detect the presence of a malware, but it is usually using logs from one or more of the devices mentioned above. The advantage here is greater visibility by using multiple different types of logs—from hosts to network gear. Additionally, some advanced SIEMs can do trending to detect and understand what is normal and then set thresholds to alert on unusual traffic).   * **Security Information and Event Management (SIEM) solutions** (Security Information and Event Management solutions can also help detect the presence of a malware, but it is usually using logs from one or more of the devices mentioned above. The advantage here is greater visibility by using multiple different types of logs—from hosts to network gear. Additionally, some advanced SIEMs can do trending to detect and understand what is normal and then set thresholds to alert on unusual traffic).
Line 20: Line 20:
 Those who deal in APTs have the following in common: Those who deal in APTs have the following in common:
  
-  * **Customized** – An attack on your network is a carefully planned heist. Attackers carry out extensive research and tailor the attack to evade your set defenses, explore your network, and steal determined types of high-value data.+  * **Customized** – An attack on your network is a carefully planned heist. Attackers carry out extensive research and tailor the attack to evade your set defences, explore your network, and steal determined types of high-value data.
   * **Surgical** – Rather than being scattered to the wind, targeted attacks and APTs are carefully delivered to specific targets, often using highly convincing emails intended for a single individual within your organization as a penetration vector.   * **Surgical** – Rather than being scattered to the wind, targeted attacks and APTs are carefully delivered to specific targets, often using highly convincing emails intended for a single individual within your organization as a penetration vector.
-  * **Highly Sophisticated** – Today’s targeted attacks and Advanced Persistent Threats use complex techniques to conceal themselves from your defenses. Once inside the network, they can alter their appearance, switch ports and protocols, and remain undetected for long periods of time as they move around the network to find and steal your data. Detecting these attacks requires a modern advanced solution that provides visibility into every corner of your network.+  * **Highly Sophisticated** – Today’s targeted attacks and Advanced Persistent Threats use complex techniques to conceal themselves from your defences. Once inside the network, they can alter their appearance, switch ports and protocols, and remain undetected for long periods of time as they move around the network to find and steal your data. Detecting these attacks requires a modern advanced solution that provides visibility into every corner of your network.
  
-Since there are millions of Malware types, and even more combinations of attack patterns: How would a IT security officer know if the network can prevent APT attacks? This question can now be answered with LUCY’s Malware Testing Module (initially called Low Hanging Fruit Collector). It simulates APT behavior without harming your infrastructure. It enables you to test your defenses (AV, hardening, monitoring etc.). +Since there are millions of Malware types, and even more combinations of attack patterns: How would a IT security officer know if the network can prevent APT attacks? This question can now be answered with LUCY’s Malware Testing Module (initially called Low Hanging Fruit Collector). It simulates APT behavior without harming your infrastructure. It enables you to test your defences (AV, hardening, monitoring etc.). 
  
 So What is the Typical APT Behavior? APTs rapidly escalate from compromising a single computer to taking over the whole environment. They do this by reading an authentication database, stealing credentials, and reusing them. They learn which user (or service) accounts have elevated privileges and permissions, then go through those accounts to compromise assets within the environment. APTs often add stolen data to internal collection points before moving it outside over different channels. So What is the Typical APT Behavior? APTs rapidly escalate from compromising a single computer to taking over the whole environment. They do this by reading an authentication database, stealing credentials, and reusing them. They learn which user (or service) accounts have elevated privileges and permissions, then go through those accounts to compromise assets within the environment. APTs often add stolen data to internal collection points before moving it outside over different channels.
Line 179: Line 179:
 ===== Malware Testing Templates ===== ===== Malware Testing Templates =====
  
-Beside single checks LHCF is also able to perform tests based on a template (please note that it is not possible to run single checks and a template at the same time). Currently there are two templates implemented which are described in detail.+Beside single checks LHFC is also able to perform tests based on a template (please note that it is not possible to run single checks and a template at the same time). Currently there are two templates implemented which are described in detail.
  
 {{ templateslhcf.png?400 }} {{ templateslhcf.png?400 }}
Line 205: Line 205:
   * Set an option to leave a copy of data on PC/Share or delete it after running. When the ransomware works with dummy data, it deletes the files right after the creation even if "Delete data" is unchecked. (it should not delete any data when it works with real data). This setting is necessary because the ransomware creates many files with relatively big sizes. By default it creates 1000 files with 512 kb size each, so it will be 0.5 Gb overall.   * Set an option to leave a copy of data on PC/Share or delete it after running. When the ransomware works with dummy data, it deletes the files right after the creation even if "Delete data" is unchecked. (it should not delete any data when it works with real data). This setting is necessary because the ransomware creates many files with relatively big sizes. By default it creates 1000 files with 512 kb size each, so it will be 0.5 Gb overall.
  
-When started the tool will create a separate executable (example: C:\Users\Test\Desktop\2afbaff8-f048-445c-bcf3-05b7d8d33133\rnsmw.exe) which will try to discover local and remote share drives (as an anonymous and an authenticated user). LHCF will then make read/write tests on the discovered dives. If the setting "work with real data" is selected LHCF will search recent docs to get a file list as well. If a write right on a share drives exist, LHCF will place a folder "LUCY RANSOMWARE SIMULATION" there. If no write right exists, LHCF will create a folder locally based on the path specified in the settings. In real data mode LHCF will make a COPY of files which were previously enumerated (the original files will not be touched by tge tool) and then encrypt the COPY and place in that new folder. If you selected "leave data" you can look at the harvested information using the SimpleXorEncrypter.exe. All harvested files can be decypted with the tool. So in order to unencrypt a file you should use this {{:simplexorencrypter.zip|unencrypter}}. It is a command line tool. For example, command "SimpleXorEncrypter.exe -u avdata.txt avdata_unencrypted.txt" will unencrypt the file avdata.txt. +When started the tool will create a separate executable (example: C:\Users\Test\Desktop\2afbaff8-f048-445c-bcf3-05b7d8d33133\rnsmw.exe) which will try to discover local and remote share drives (as an anonymous and an authenticated user). LHFC will then make read/write tests on the discovered dives. If the setting "work with real data" is selected LHFC will search recent docs to get a file list as well. If a write right on a share drives exist, LHFC will place a folder "LUCY RANSOMWARE SIMULATION" there. If no write right exists, LHFC will create a folder locally based on the path specified in the settings. In real data mode LHFC will make a COPY of files which were previously enumerated (the original files will not be touched by tge tool) and then encrypt the COPY and place in that new folder. If you selected "leave data" you can look at the harvested information using the SimpleXorEncrypter.exe. All harvested files can be decypted with the tool. So in order to unencrypt a file you should use this {{:simplexorencrypter.zip|unencrypter}}. It is a command line tool. For example, command "SimpleXorEncrypter.exe -u avdata.txt avdata_unencrypted.txt" will unencrypt the file avdata.txt. 
  
 {{ xor.png?600 }} {{ xor.png?600 }}
create_a_purely_technical_test_with_the_malware_testing_suite.txt · Last modified: 2019/07/25 12:49 by 127.0.0.1