
White Paper

How Strong is Your Testing? Be Sure to Test for Infected Systems and Payloads

Executive Summary

As technology evolves, so does malware. Unfortunately, this means that broad technology trends often set the stage for powerful new forms of malware. For example, increasing infrastructure connectivity—including smart meters, intelligent sensors and remotely controlled highway signs—is creating increased risk for disruption of core services.

A variety of security solutions are used to detect and prevent malware. These include firewalls and network intrusion prevention systems, deep packet inspection capabilities, unified threat management systems, antivirus and anti-spam gateways, and content filtering and data loss prevention systems. Newer security technologies on these systems go further and can detect breaches by identifying already infected endpoints within the protected network. This is often done by leveraging various types of network based behavioral profile analyses.

Even with all these solutions and capabilities in place, malware still manages to infect target systems. In order to stop malware, all security solutions must be carefully tested and validated using a wide range of malware-based attacks to ensure they are working properly. Robust testing of security solutions requires test equipment that can generate real malware payloads and emulate network traffic from already-infected systems.

Complete testing of security solutions also requires a proper testing methodology that considers performance, availability, security and scale. Collectively, these four variables, when viewed holistically, provide for reliable test results. Importantly, testing must be completed under real-world conditions. This means during normal operating conditions as well as during times of peak workloads when infrastructure is severely stressed. It also means going beyond accurately simulating different levels of network traffic to include accurate representations of real-world traffic mixes.

Understanding Malware

Malware, which is short for malicious software, describes a broad category of hostile software that is used to disrupt computer operation, gather sensitive information or gain access to private computer systems. Common types of malware include:

• Adware—While some forms of adware may be considered legitimate, others make unauthorized access to computer systems and greatly disrupt users.

• Keyloggers—Typically done in a covert manner, keyloggers track the keys struck on a keyboard and may capture passwords or credit card numbers.

• Ransomware—After establishing itself on a computer system, ransomware restricts access to the system and demands a ransom be paid to remove it. It may also take files and hold them ransom.

• Rootkits—This type of malware gains privileged access to computer systems and hides itself from normal methods of detection.

• Spyware—Spyware observes the activities of computer users without their consent and reports it to the software’s author or other entity.

• Trojan Horses—A trojan horse initially appears to perform a desirable function and then facilitates unauthorized access to the computer system.

• Viruses—A virus typically attaches itself to an executable file so it can perform malicious activities and replicate itself on other systems.

• Worms—A worm is a standalone piece of software that, like a virus, can perform malicious activities and replicate itself on other systems.

According to data compiled by cyber crime coalitions such as the Anti- Working Group, malware has infected nearly a third of the world’s computers. What’s worse, the numbers continue to grow, as the recent 2018 PandaLabs Annual Security Report showcased that malware files have grown 60%, with trojans and ransomware representing most of the rise in threats.

Impacted businesses may face long-term impacts such as loss of competitive position or outright organizational failure. When governments are involved there may be threats to national security. Many instances of infection by malware result in advanced persistent threats entering the protected network.

Source: Microsoft Statista 2018.

According to PandaLabs’ Annual Report for Q2 2015 by Panda Security, over 21 MILLION new threats took place in the second quarter of 2015. With over 230,000 new malware and variants created DAILY during those three months, the clarion call for IT departments is to “test often and monitor continuously” to mitigate the evolving threats of malware.

With so much malware and so many variations it shouldn’t be surprising that there are many methods malware can use to infect computer systems. For example, malware can exploit security defects in operating systems, applications, browsers, browser plug-ins and other types of software. It can also take advantage of insecure designs such as older email systems that would automatically open HTML email containing malicious JavaScript code. Over-privileged users and over-privileged code may also allow greater opportunity for malware to subvert computer systems.

As suggested by these methods, malware commonly introduces itself to businesses, universities, government agencies and homes through the network. While the network represents a key source of intrusion, it also presents an opportunity for stopping malware before it reaches its targeted computer systems. Firewalls, unified threat management (UTM) systems, intrusion prevention systems and others can all be used to mitigate the threats from malware. At the same time, all these systems must be carefully tested and validated using a wide range of malware-based attacks to ensure they are up-to-date and working properly, especially with so many new attacks being discovered daily.

Malware also uses a variety of methods to spread itself to other computer systems:

• File servers, such as those based on common Internet file system (SMB/CIFS) and network file system (NFS), can let malware spread rapidly as users access and download infected files

• File-sharing software can allow malware to copy itself onto removable media and then on to computer systems

• Peer to peer (P2P) file sharing can introduce malware by sharing files as seemingly harmless as music or pictures

• Email attachments containing malicious code can be opened—and therefore executed—by unwary users. They may even be forwarded to other users, helping the malware spread even further

• Remotely exploitable vulnerabilities allow hackers to access systems across great geographic distances with little or no need for involvement of the computer user


Motives, Risks and Impacts

In order to prevent malware, it is helpful to understand the associated motives, risks and impacts. Keep in mind that these attributes are often interrelated. For example, financial motives tend to relate to financial risks and result in financial impacts.

Motives

Adding to the challenge of malware prevention is the fact that the motivations behind malware are varied and often unpredictable. Sometimes the motivation is as simple as fame, with a hacker hoping to prove himself or herself within the hacker community. Some hackers justify their actions by relating them to activism—commonly referred to as “hacktivism”. For example, if an individual or group believes certain government data should be public, they may use malware to steal it and make it public. Some forms of malware are economically or financially motivated. Criminals, once again in the form of individuals or groups, develop and use malware to steal data, identities and money. Other forms of malware—sometimes state-sponsored—are used for corporate espionage, government espionage, disruption of core services and even cyber warfare.

Risks and Impacts

As with the motives behind malware, the risks associated with malware infections are many and varied. They may also depend on the type of organization that is under attack. Businesses that store financial data such as customer credit card information are at risk for large economic losses from lawsuits and repayment of losses. They also risk further losses from damage to their brand and erosion of customer confidence.

Even organizations with little in the way of financial assets or other forms of valuable data may be attacked. Attackers may simply wish to gain access to the organization’s IT infrastructure in order to send spam or launch attacks on other organizations. Alternatively, attackers may wish to expose sensitive data rather than valuable data in order to create fear or embarrassment.

Source: Microsoft Statista 2018.

Once infected with malware, organizations may be impacted in temporary and relatively minor ways including slight disruption of organizational activities or, they may face more serious, long-term impacts such as loss of competitive position or outright organizational failure. When governments are involved there may be threats to national security.

Increasing Malware Risks

As technology evolves, so does malware. While organizations of all kinds deploy and use new technology to better meet their objectives, malware developers quickly capitalize on unforeseen vulnerabilities. Unfortunately, this means that broad technology trends often set the stage for powerful new forms of malware.

Infrastructure Connectivity

By the turn of the millennium it may have seemed that all IT infrastructure in the world was interconnected, but there were still islands of technology. For example, public infrastructure—including law enforcement, fire protection, transportation, water and power—tended to have at least some isolated IT components. Now, many of these previously isolated infrastructures are accessible through the Internet. For decades, networks—and the Internet—have served as pathways for the distribution of malware. Today we have even more forms of infrastructure gaining connectivity. Smart meters, intelligent sensors and remotely controlled highway signs can all be reached through the Internet. While there are benefits, such as efficiency, from increased connectivity, there is also an increased risk of disruption to infrastructure and related services from malware.

Growing Number of Endpoints

The number and type of endpoints connecting to networks is growing much faster than the rate of infrastructure connectivity. Just a few years ago an IT organization may have only supported, for example, a single type of desktop computer, a couple of different versions of laptops and perhaps one type of approved smart phone. With the emergence of tablets and bring-your-own-device (BYOD), there is a nearly unending array of devices attaching themselves to networks in the workplace.

An obvious challenge is that many of these devices are used outside the workplace while connected to less secure networks. When these endpoint devices get infected, malware can then spread to many other devices within the workplace. Now that IT organizations have lost full control over what devices connect to their networks, they need improved methods for preventing malware.


Preventing Malware

Virtually every IT environment uses some type of security solution to help detect and prevent malware.

Security Solutions and Malware

Firewalls can be configured with a variety of rules to detect and prevent various types of malware. UTM systems provide even more comprehensive protection by delivering multiple security capabilities in a single appliance. These may include network firewalling, NGFW, network intrusion prevention, gateway antivirus (AV), gateway anti-spam, virtual private network (VPN), content filtering, and data leak prevention.

Deep packet inspection (DPI) is another important approach for stopping malware. DPI combines the functionality of an intrusion detection system (IDS) and an intrusion prevention system (IPS) with a traditional stateful firewall.

Many switches also have a long list of built-in security capabilities, including:

• Access Control Lists (ACL)

• DHCP Snooping Prevention

• Dynamic ARP Inspection

• Port-Level Traffic Controls

In order to stop malware, all security solutions must be carefully tested and validated using a wide range of malware-based attacks to ensure they are working properly. A robust, up-to-date library of malware signatures must be used to ensure testing is completed against the latest attacks. Additionally, this testing should take place while authentic, realistic traffic is passing through the network.

Infected Systems and Payloads

Not all test equipment is capable of driving the traffic required to fully test all these security solutions. For example, security solutions should detect already-infected systems as well as malware payloads in network traffic. However, if test equipment cannot accurately simulate the network behaviors of infected systems, malware detection systems will not be fully tested. Similarly, if test equipment cannot generate real malware payloads, security solutions including DPI will not be fully tested. Be sure to choose test equipment that can generate real malware payloads and emulate network traffic from already-infected systems. Test equipment should have the capability to generate both of these types of traffic at scale while also driving other realistic network traffic.

Security Solutions Must Be Tested

Even with all these security solutions and capabilities in place, malware still manages to infect target systems. Part of the problem is that many of these security measures are so complex that they are often deployed, configured or administered incorrectly. Unfortunately, a single misconfigured firewall or switch port can mean the difference between a safe environment and one overcome by malware. Testing with a large database of malware that is 6+ years out of date is of no use. Spirent provides newly-found and zero day malware constructs that are quickly made available for testing via our TestCloud™ content subscription, providing thousands of malware samples for vast test coverage.

Source: Microsoft Statista 2018.

Testing Methodology for Malware

Many problems in IT involve several interdependent variables and trade-offs between them. IT projects, for example, are often defined by making trade-offs between scope, schedule and resources. If additional features (i.e., scope) are desired, then additional resources must be applied and/or a longer schedule accepted. Similarly, if key project staff members (i.e., resources) are lost, then the schedule must be lengthened and/or the project scope reduced. For better or worse, the same dynamics are at play with malware prevention, albeit with even more variables.

IT security, in the form of protection against malware, can be so stringent that it can become difficult to keep an organization running smoothly. For example, if no one can access IT systems, including legitimate users, the malware prevention system is clearly not working correctly.

When working with security issues such as malware prevention, there are four additional interdependent variables to consider: performance, availability, security and scale. In order to perform proper security testing, this testing methodology for malware should be followed. Testing across all four variables ensures the proper tradeoffs are made. Testing can answer a number of questions for each variable, all in the context of malware testing. Some examples are provided below.

Performance

• How much legitimate traffic can your network handle while also looking for malware?

• What is the impact to users, in terms of latency or QoS, of the malware prevention mechanisms?

Availability

• When malware causes a device to go into a fail open or fail close state, do critical services go down?

• When under an attack, can you still service your customers?

• How long does it take for services to switch to failover mode?

Security

• How many unique pieces of malware can your systems detect and stop?

• Are your systems able to stop the latest security threats? Is your malware library for testing up-to-date?

Scale

• How many users can you support in normal conditions? How many while under attack?

• How does the addition of a new security solution impact the number of users you can support?

Additional Testing Considerations

At the end of the proverbial day, testing must be completed under real world conditions. This means testing during normal operating conditions as well as during times of peak workloads when infrastructure is severely stressed. In order to validate security, testing must also be performed during simulated attack situations. If the testing is not realistic, it will fail to find problems, leaving you to encounter them in the production environment where the costs of mitigation are the highest.

Testing with realism goes beyond accurately simulating different levels of network traffic. It must also include accurate representations of real-world traffic mixes. For example, some users may be completing business transactions using SSL connections and/or IPsec tunnels. Malware testing should be done side by side with both secure and insecure traffic. The malware should be prevented while legitimate activities continue without interruption.


Summary

A variety of security solutions are used to detect and prevent malware. These include firewalls, next-generation firewalls, network intrusion prevention systems, deep packet inspection capabilities, unified threat management systems, antivirus and anti-spam gateways, virtual private networks, content filtering and data leak prevention systems.

Yet, even with all these security solutions and capabilities in place, malware still manages to infect target systems. In order to stop malware, all security solutions must be carefully tested and validated using a wide range of malware-based attacks to ensure they are working properly.

Robust testing of security solutions requires test equipment that can generate real malware payloads and emulate real network traffic from already-infected systems. It also requires a proper testing methodology, which involves testing performance, availability, security and scalability with respect to malware.

When it comes to security testing, our solutions cover all of the above. And because Spirent knows security, enterprises, government agencies, equipment vendors, service and infrastructure providers can now rest assured that the security and resiliency of their networks and services will be able to operate on a continuous basis.

About Spirent Communications

Spirent Communications (LSE: SPT) is a global leader with deep expertise and decades of experience in testing, assurance, analytics and security, serving developers, service providers, and enterprise networks. We help bring clarity to increasingly complex technological and business challenges. Spirent’s customers have made a promise to their customers to deliver superior performance. Spirent assures that those promises are fulfilled.

For more information, visit: www.spirent.com

About Security & Applications (AppSec)

Spirent’s testing technology is used to gauge the security, performance and effectiveness of the world’s most vulnerable networks by emulating realistic traffic volumes as well as threat and attack scenarios, so that users will never face limited speeds or complete outages due to high volumes of traffic.

For more information

For additional information on security testing please visit: http://www.spirent.com/Solutions/Security-Applications.

Contact Us

For more information, call your Spirent sales representative or visit us on the web at www.spirent.com/ContactSpirent.

Americas 1-800-SPIRENT
+1-800-774-7368 | [email protected]

Europe and the Middle East
+44 (0) 1293 767979 | [email protected]

Asia and the Pacific
+86-10-8518-2539 | [email protected]

www.spirent.com

© 2019 Spirent Communications, Inc. All of the company names and/or brand names and/or product names and/or logos referred to in this document, in particular the name “Spirent” and its logo device, are either registered trademarks or trademarks pending registration in accordance with relevant national laws. All rights reserved. Specifications subject to change without notice. Rev G | 05/19