Monday, March 25, 2013

Next Level Testing

We've been having a good time doing intensive, month-long or longer APT simulation tests for people: acting like malicious insiders, using hardware implants, 0days, human-enabled malware, etc. Lately, however, we've been playing around with a new type of testing to take things to the next level. This testing has two basic components:

  • Reverse Engineer Testing
  • Network Forensics Testing

The basic idea is to exercise your RE and packet ninjas even harder to make them stronger.

On the RE side we create progressively more difficult malware for them to analyze. Here is an example of a ramp-up path for this kind of test:

  1. Basic packed binary
  2. Challenging packed binary
  3. Staged unpacker with memory checksums
  4. Binary with analysis detection
    1. Virtualization detection & retaliation
    2. Dynamic analysis tools detection & retaliation
    3. Debugger detection & behavioral changes
      1. Multiple and increasingly difficult debugger detection from IsDebuggerPresent() to execution timers
  5. Strong crypto, slack space and other binary tricks
  6. Phantom routines & dead ends in the code
  7. Exploits against analysis tools

Essentially we infect your systems with progressively harder-to-analyze malware (that we develop ourselves and ensure is safe), causing your in-house analysts to stretch, learn new skills, and practice, so that when real-world malware hits, you are ready to deal with it.

We pen test your reverse engineer.

(Or your sandbox appliance if you have decided to go that route instead).

On the Network Forensics side we ramp up the difficulty of our command and control and data exfiltration techniques in order to exercise and improve your network security staff's capabilities in the following ways:

  • Randomized timing & changing beacons
  • Out of band network communications
  • Protocol misuse & covert channels
  • False flag / false signature packets
  • Complex sequencing & esoteric packet based OP codes
  • Port knocking type attacks
  • Encoding & encryption
  • Exploits against network analysis tools

This allows your network forensic analysts to hone their skills at looking for anomalous traffic and finding the tricky ways real bad guys hide from detection. It also shows you how effective (or ineffective) your network security appliances, such as IDS/IPS, are.
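As an added illustration of the kind of anomaly hunting described above (example code written for this page, not the company's tooling), the script below scores connection logs for beacon-like timing. A fixed-period beacon is easy to spot; the randomized-timing beacons in the list above widen the spread of inter-arrival gaps, so the check keys on gaps that still cluster tightly around their mean rather than on an exact period. The log format, hosts and thresholds are constructed assumptions.

```python
"""Score (src, dst) flows for beacon-like periodicity, tolerant of jitter."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: "epoch_seconds src dst" (not real traffic).
# 10.0.0.5 beacons roughly every 60s with +/-10s jitter; 10.0.0.7 browses.
SAMPLE_LOG = """\
1000 10.0.0.5 203.0.113.9
1058 10.0.0.5 203.0.113.9
1122 10.0.0.5 203.0.113.9
1179 10.0.0.5 203.0.113.9
1245 10.0.0.5 203.0.113.9
1301 10.0.0.5 203.0.113.9
1367 10.0.0.5 203.0.113.9
1000 10.0.0.7 198.51.100.4
1003 10.0.0.7 198.51.100.4
1005 10.0.0.7 198.51.100.4
1040 10.0.0.7 198.51.100.4
1041 10.0.0.7 198.51.100.4
1300 10.0.0.7 198.51.100.4
1900 10.0.0.7 198.51.100.4
"""


def parse_log(text):
    """Return {(src, dst): [timestamps sorted ascending]}."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, src, dst = line.split()
            flows[(src, dst)].append(int(ts))
    return {flow: sorted(times) for flow, times in flows.items()}


def beacon_score(timestamps, min_gaps=5):
    """Coefficient of variation of inter-arrival gaps (lower = more periodic).

    Bounded jitter raises the value only a little, while human-driven traffic
    is bursty and scores well above 1. Returns None when there is too little
    data to judge.
    """
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < min_gaps:
        return None
    return pstdev(gaps) / mean(gaps)


def find_beacons(text, max_cv=0.3, min_conns=6):
    """Return {(src, dst): cv} for flows whose timing looks beacon-like."""
    flagged = {}
    for flow, times in parse_log(text).items():
        cv = beacon_score(times) if len(times) >= min_conns else None
        if cv is not None and cv < max_cv:
            flagged[flow] = round(cv, 3)
    return flagged
```

Tune `max_cv` to the jitter you expect an adversary to use; a wider jitter window needs a looser threshold and more connections before a flow can be judged.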

All of the tricks and techniques we use for these tests are taken from real-world experience analyzing some of the trickiest malware and the most complex network evasion schemes during incident response engagements. In addition, we throw in some of our own developed methods to keep the analysts on their toes.

This type of testing is most effective as a component of a larger APT simulation, but it can be done stand-alone as well.

At this point in 2013 you probably know which machines on your network need to be patched. You have automated vulnerability scans in place, and you have verified and validated scan reports using an exploitation framework. Maybe you've taken the additional step of doing APT simulations to understand your exposure to malicious insiders and sophisticated targeted threats like nation states. However, unless you are testing that final line of defense (the analysts, forensic specialists and anomaly tools), you are still falling behind.

Anonymous said...

Looks like this blog has become just a place to advertise the useless classes of this company. carnal0wnage lost the spirit of the old times.

CG said...

I'm not going to disagree with your comment... maybe with the post you put it on.

It's not a "buy training" post.

That being said, I suppose that's the problem with sharing a blog, especially when the people sharing run a business. Maybe more comments, fewer training class posts and more foot-in-ass posts, please.