create_a_purely_technical_test_with_the_malware_testing_suite

Differences

create_a_purely_technical_test_with_the_malware_testing_suite [2019/02/08 15:40]
lucy
create_a_purely_technical_test_with_the_malware_testing_suite [2019/07/25 12:49] (current)
Line 3: Line 3:
 {{ 85.jpg?600 }} {{ 85.jpg?600 }}
  
-==== The idea behind LHFC: testing your defences ​====+==== The idea behind LHFC: testing your defenses ​====
  
-You have invested time, effort, and money in defences. But, how do you know they are working? Unless you are willing to intentionally get owned or you want to introduce a piece of malware into your environment,​ you need safe and effective ways to test your visibility. This is where LUCY's LHFC comes in place. There are multiple products that may help detect a malware activity. While it can be detected at the host level, you have another chance detecting it at the network level. These devices include, but are not limited to:+You have invested time, effort, and money in defenses. But, how do you know they are working? Unless you are willing to intentionally get owned or you want to introduce a piece of malware into your environment,​ you need safe and effective ways to test your visibility. This is where LUCY's LHFC comes in place. There are multiple products that may help detect a malware activity. While it can be detected at the host level, you have another chance detecting it at the network level. These devices include, but are not limited to:
  
   * **Firewalls** (unfortunately,​ the larger the network, the more difficult it can be to track down a host and determine the functionality of the host. Knowing the functionality can be instrumental in determining if the traffic is normal or suspicious)   * **Firewalls** (unfortunately,​ the larger the network, the more difficult it can be to track down a host and determine the functionality of the host. Knowing the functionality can be instrumental in determining if the traffic is normal or suspicious)
   * **Web Proxies**   * **Web Proxies**
-  * **IDS** (an intrusion detection system can potentially detect malware activity if a rule is triggered. This is useful as a layered ​defence, but the traffic will usually have to be something that is previously known and understood in order for a rule to hit. If the IDS has additional intelligence such as traffic thresholds or trending, then there is a low chance it could be detected from this capability)+  * **IDS** (an intrusion detection system can potentially detect malware activity if a rule is triggered. This is useful as a layered ​defense, but the traffic will usually have to be something that is previously known and understood in order for a rule to hit. If the IDS has additional intelligence such as traffic thresholds or trending, then there is a low chance it could be detected from this capability)
   * **Malware/​anomalous traffic detection appliances** (Malware detection appliances go a step beyond traditional IDS by integrating multiple detection mechanisms into one device. Some for example, use an layered detection mechanism with Antivirus definitions,​ Network signatures, File Reputation, IP reputation & Static file analysis.   * **Malware/​anomalous traffic detection appliances** (Malware detection appliances go a step beyond traditional IDS by integrating multiple detection mechanisms into one device. Some for example, use an layered detection mechanism with Antivirus definitions,​ Network signatures, File Reputation, IP reputation & Static file analysis.
   * **Security Information and Event Management (SIEM) solutions** (Security Information and Event Management solutions can also help detect the presence of a malware, but it is usually using logs from one or more of the devices mentioned above. The advantage here is greater visibility by using multiple different types of logs—from hosts to network gear. Additionally,​ some advanced SIEMs can do trending to detect and understand what is normal and then set thresholds to alert on unusual traffic).   * **Security Information and Event Management (SIEM) solutions** (Security Information and Event Management solutions can also help detect the presence of a malware, but it is usually using logs from one or more of the devices mentioned above. The advantage here is greater visibility by using multiple different types of logs—from hosts to network gear. Additionally,​ some advanced SIEMs can do trending to detect and understand what is normal and then set thresholds to alert on unusual traffic).
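Review bot: the change in this hunk is only the British-to-American spelling switch ("defences" to "defenses") in the heading, the intro paragraph and the IDS bullet, while several wording defects in the unchanged context remain. "This is where LUCY's LHFC comes in place" should read "comes into play", "detect a malware activity" should be "detect malware activity", and the malware-appliance bullet says "an layered detection mechanism" for "a layered detection mechanism" and opens a parenthesis that is never closed. More importantly, the IDS bullet's last sentence ("If the IDS has additional intelligence such as traffic thresholds or trending, then there is a low chance it could be detected from this capability") reads as the opposite of what the sentence sets up, since thresholds and trending are precisely what would give a chance of catching traffic that no signature knows; suggest rewording to "then there is some chance it could be detected by that capability" or whatever the author actually intends.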
Line 20: Line 20:
 Those who deal in APTs have the following in common: Those who deal in APTs have the following in common:
  
-  * **Customized** – An attack on your network is a carefully planned heist. Attackers carry out extensive research and tailor the attack to evade your set defences, explore your network, and steal determined types of high-value data.+  * **Customized** – An attack on your network is a carefully planned heist. Attackers carry out extensive research and tailor the attack to evade your set defenses, explore your network, and steal determined types of high-value data.
   * **Surgical** – Rather than being scattered to the wind, targeted attacks and APTs are carefully delivered to specific targets, often using highly convincing emails intended for a single individual within your organization as a penetration vector.   * **Surgical** – Rather than being scattered to the wind, targeted attacks and APTs are carefully delivered to specific targets, often using highly convincing emails intended for a single individual within your organization as a penetration vector.
-  * **Highly Sophisticated** – Today’s targeted attacks and Advanced Persistent Threats use complex techniques to conceal themselves from your defences. Once inside the network, they can alter their appearance, switch ports and protocols, and remain undetected for long periods of time as they move around the network to find and steal your data. Detecting these attacks requires a modern advanced solution that provides visibility into every corner of your network.+  * **Highly Sophisticated** – Today’s targeted attacks and Advanced Persistent Threats use complex techniques to conceal themselves from your defenses. Once inside the network, they can alter their appearance, switch ports and protocols, and remain undetected for long periods of time as they move around the network to find and steal your data. Detecting these attacks requires a modern advanced solution that provides visibility into every corner of your network.
  
-Since there are millions of Malware types, and even more combinations of attack patterns: How would a IT security officer know if the network can prevent APT attacks? This question can now be answered with LUCY’s Malware Testing Module (initially called Low Hanging Fruit Collector). It simulates APT behavior without harming your infrastructure. It enables you to test your defences ​(AV, hardening, monitoring etc.). ​+Since there are millions of Malware types, and even more combinations of attack patterns: How would a IT security officer know if the network can prevent APT attacks? This question can now be answered with LUCY’s Malware Testing Module (initially called Low Hanging Fruit Collector). It simulates APT behavior without harming your infrastructure. It enables you to test your defenses ​(AV, hardening, monitoring etc.). ​
  
 So What is the Typical APT Behavior? APTs rapidly escalate from compromising a single computer to taking over the whole environment. They do this by reading an authentication database, stealing credentials,​ and reusing them. They learn which user (or service) accounts have elevated privileges and permissions,​ then go through those accounts to compromise assets within the environment. APTs often add stolen data to internal collection points before moving it outside over different channels. So What is the Typical APT Behavior? APTs rapidly escalate from compromising a single computer to taking over the whole environment. They do this by reading an authentication database, stealing credentials,​ and reusing them. They learn which user (or service) accounts have elevated privileges and permissions,​ then go through those accounts to compromise assets within the environment. APTs often add stolen data to internal collection points before moving it outside over different channels.
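Review bot: "a IT security officer" should be "an IT security officer" in the paragraph that introduces the Malware Testing Module, and that paragraph's parenthetical "(AV, hardening, monitoring etc.)" would be clearer if it named the same network-level layers listed in the first section (firewalls, web proxies, IDS, malware detection appliances, SIEM), so the reader can map each simulated APT behaviour described in the closing paragraph (credential theft and reuse, abuse of privileged accounts, staging data at internal collection points, moving it out over different channels) to the control that is expected to see it. The heading-style sentence "So What is the Typical APT Behavior?" should also use sentence case to match the surrounding prose.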
create_a_purely_technical_test_with_the_malware_testing_suite.txt · Last modified: 2019/07/25 12:49 (external edit)