
White Paper

How Strong is Your Testing? Be Sure to Test for Infected Systems and Payloads

www.spirent.com

How Strong is Your Malware Testing? SPIRENT

TABLE OF CONTENTS

Executive Summary ...... 1

Understanding Malware ...... 2

Motives, Risks and Impacts ...... 3

    Motives ...... 3

    Risks and impacts ...... 4

Increasing Malware Risks ...... 4

    Infrastructure connectivity ...... 4

    Growing number of end-points ...... 5

Preventing Malware ...... 5

    Security systems and malware ...... 5

    Security systems must be tested ...... 6

    Infected systems and payloads ...... 6

PASS Testing Methodology for Malware ...... 6

    Performance ...... 7

    Availability ...... 7

    Security ...... 7

    Scale ...... 7

Additional Testing Considerations ...... 8

Summary ...... 8

SPIRENT WHITE PAPER www.spirent.com | i


Executive Summary

Malware is a large and growing problem across the globe, with an estimated 32% of computers worldwide infected in 2012. Affected businesses may face long-term impacts such as loss of competitive position or outright organizational failure. When governments are involved there may be loss of life or threats to national security. Many malware infections result in advanced persistent threats entering the protected network.

As technology evolves, so does malware. Unfortunately, this means that broad technology trends often set the stage for powerful new forms of malware. For example, increasing infrastructure connectivity – including smart meters, intelligent sensors and remotely controlled highway signs – is creating increased risk for disruption of core services.

A variety of security systems are used to detect and prevent malware. These include firewalls and network intrusion prevention systems, deep packet inspection capabilities, unified threat management systems, antivirus and anti-spam gateways, and content filtering and data loss prevention systems. Newer security technologies on these systems go further and can detect breaches by identifying already-infected end-points within the protected network. This is often done using various types of network-based behavioral profile analyses.

Even with all these security systems and capabilities in place, malware still manages to infect target systems. In order to stop malware, all security systems must be carefully tested and validated using a wide range of malware-based attacks to ensure they are working properly. Robust testing of security systems requires test equipment that can generate real malware payloads and emulate network traffic from already-infected systems.

Complete testing of security systems also requires a proper testing methodology such as PASS testing. PASS is an acronym for performance, availability, security and scale. PASS testing involves testing each of these dimensions with respect to malware.

Importantly, PASS testing must be completed under real world conditions. This means testing during normal operating conditions as well as during times of peak workloads when infrastructure is severely stressed. It also means going beyond accurately simulating different levels of network traffic to include accurate representations of real world traffic mixes.


Understanding Malware

Malware, which is short for malicious software, describes a broad category of hostile software that is used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

Common types of malware include:

• Adware: While some forms of adware may be considered legitimate, others gain unauthorized access to computer systems and greatly disrupt users

• Keyloggers: Typically done in a covert manner, keyloggers track the keys struck on a keyboard and may capture passwords or credit card numbers

• Ransomware: After establishing itself on a computer system, ransomware restricts access to the system and demands that a ransom be paid to remove it

• Rootkits: This type of malware gains privileged access to computer systems and hides itself from normal methods of detection

• Spyware: Spyware observes the activities of computer users without their consent and reports them to the software’s author or another entity

• Trojan Horses: A Trojan horse initially appears to perform a desirable function and then facilitates unauthorized access to the computer system

• Viruses: A virus typically attaches itself to an executable file so it can perform malicious activities and replicate itself on other systems

• Worms: A worm is a standalone piece of software that, like a virus, can perform malicious activities and replicate itself on other systems

According to the PandaLabs Annual Report for 2012 by Panda Security (http://press.pandasecurity.com/wp-content/uploads/2013/02/PandaLabs-Annual-Report-2012.pdf), “approximately 27,000,000 new strains of malware were created in 2012, 74,000 every day.” Trojans accounted for most of the new malware strains with nearly 77% of the total. Worms accounted for another 11% and viruses rounded out the top three with about 10% of the total. The report also noted that the proportion of infected computers worldwide was 32% in 2012.

With so much malware and so many variations it shouldn’t be surprising that there are many methods malware can use to infect computer systems. For example, malware can exploit security defects in operating systems, applications, browsers, browser plug-ins and other types of software. It can also take advantage of insecure designs such as older email systems that would automatically open HTML email containing malicious JavaScript code. Over-privileged users and over-privileged code may also allow greater opportunity for malware to subvert computer systems.


Malware also uses a variety of methods to spread itself to other computer systems:

• File servers, such as those based on common Internet file system (CIFS) and network file system (NFS), can let malware spread rapidly as users access and download infected files

• File-sharing software can allow malware to copy itself onto removable media and then on to computer systems

• Peer to peer (P2P) file sharing can introduce malware by sharing files as seemingly harmless as music or pictures

• Email attachments containing malicious code can be opened—and therefore executed—by unwary users. They may even be forwarded to other users, helping the malware spread even further

• Remotely exploitable vulnerabilities allow hackers to access systems across great geographic distances with little or no need for involvement of the computer user.

As suggested by these methods, malware commonly introduces itself to businesses, universities, government agencies and homes through the network. While the network represents a key source of intrusion it also presents an opportunity for stopping malware before it reaches its targeted computer systems. Firewalls, unified threat management (UTM) systems, systems and others can all be used to mitigate the threats from malware. At the same time, all these systems must be carefully tested and validated using a wide range of malware-based attacks to ensure they are up to date and working properly, especially with so many new attacks being discovered daily.

Motives, Risks and Impacts

In order to prevent malware, it is helpful to understand the associated motives, risks and impacts. Keep in mind that these attributes are often interrelated. For example, financial motives tend to relate to financial risks and result in financial impacts.

Motives

Adding to the challenge of malware prevention is the fact that the motivations behind malware are varied and often unpredictable. Sometimes the motivation is as simple as fame, with a hacker hoping to prove himself or herself within the hacker community. Some hackers justify their actions by relating them to activism—a form of expression called hacktivism. For example, if an individual or group believes certain government data should be public, they may use malware to steal it and make it public.

Some forms of malware are economically or financially motivated. Criminals, once again in the form of individuals or groups, develop and use malware to steal data, identities and money. Other forms of malware— sometimes state-sponsored—are used for corporate espionage, government espionage, disruption of core services and even cyber warfare.


Risks and impacts

As with the motives behind malware, the risks associated with malware infections are many and varied. They may also depend on the type of organization that is under attack. Businesses that store financial data such as customer credit card information are at risk of large economic losses from lawsuits and repayment of losses. They also risk further losses from damage to their brand and erosion of customer confidence.

Even organizations with little in the way of financial assets or other forms of valuable data may be attacked. Attackers may simply wish to gain access to the organization’s IT infrastructure in order to send spam or launch attacks on other organizations. Alternatively, attackers may wish to expose sensitive rather than valuable data in order to create fear or embarrassment.

Once infected with malware, organizations may be impacted in temporary and relatively minor ways including slight disruption of organizational activities. On the other hand, they may face more serious, long-term impacts such as loss of competitive position or outright organizational failure. When governments are involved there may be loss of life or threats to national security.

Increasing Malware Risks

As technology evolves, so does malware. While organizations of all kinds deploy and use new technology to better meet their objectives, malware developers quickly capitalize on unforeseen vulnerabilities. Unfortunately, this means that broad technology trends often set the stage for powerful new forms of malware.

Infrastructure connectivity

By the turn of the millennium it may have seemed that all IT infrastructure in the world was interconnected, but there were still islands of technology. For example, public infrastructure—including law enforcement, fire protection, transportation, water and power—tended to have at least some isolated IT components. Now, many of these previously isolated infrastructures are accessible through the Internet.

For decades, networks—and the Internet—have served as pathways for distribution of malware. Today we have even more forms of infrastructure gaining connectivity. Smart meters, intelligent sensors and remotely controlled highway signs can all be reached through the Internet. While there are benefits, such as efficiency, from increased connectivity, there is also an increased risk of disruption to infrastructure and related services from malware.


Growing number of end-points

The number and type of endpoints connecting to networks is growing much faster than the rate of infrastructure connectivity. Just a few years ago an IT organization may have only supported, for example, a single type of desktop computer, a couple of different versions of laptops and perhaps one type of approved smart phone. With the emergence of tablets and bring-your-own-device (BYOD), there is a nearly unending array of devices attaching themselves to networks in the workplace.

An obvious challenge is that many of these devices are used outside the workplace while connected to less secure networks. When these endpoint devices get infected, malware can then spread to many other devices within the workplace. Now that IT organizations have lost full control over what devices connect to their networks, they need improved methods for preventing malware.

Preventing Malware

Virtually every IT environment uses some type of security system to help detect and prevent malware.

Security systems and malware

Firewalls can be configured with a variety of rules to detect and prevent various types of malware. UTM systems provide even more comprehensive protection by delivering multiple security capabilities in a single appliance. These may include network firewalling, network intrusion prevention, gateway antivirus (AV), gateway anti-spam, virtual private network (VPN), content filtering, and data leak prevention.

Deep packet inspection (DPI) is another important approach for stopping malware. DPI combines the functionality of an intrusion detection system (IDS) and an intrusion prevention system (IPS) with a traditional stateful firewall. This combination makes it possible to detect certain attacks that neither the IDS/IPS nor the stateful firewall can catch on their own.

Many switches also have a long list of built-in security capabilities, including:

• Access Control Lists (ACL)

• DHCP Snooping Prevention

• Dynamic ARP Inspection

• Port-Level Traffic Controls


• Private VLANs

Security systems must be tested

Even with all these security systems and capabilities in place, malware still manages to infect target systems. Part of the problem is that many of these security measures are so complex that they are often deployed, configured or administered incorrectly. Unfortunately, a single misconfigured firewall or switch port can mean the difference between a safe environment and one overcome by malware.

In order to stop malware, all security systems must be carefully tested and validated using a wide range of malware-based attacks to ensure they are working properly. A robust, up-to-date library of malware signatures must be used to ensure testing is completed against the latest attacks. Additionally, this testing should take place while authentic, realistic traffic is passing through the network.

Infected systems and payloads

Not all test equipment is capable of driving the traffic required to fully test all these security systems. For example, security systems should detect already-infected systems as well as malware payloads in network traffic. However, if test equipment cannot accurately simulate the network behaviors of infected systems, malware detection systems will not be fully tested. Similarly, if test equipment cannot generate real malware payloads, security systems such as DPI will not be fully tested.

Be sure to choose test equipment that can generate real malware payloads and emulate network traffic from already-infected systems. Test equipment should have the capability to generate both of these types of traffic at scale while also driving other realistic network traffic.

PASS Testing Methodology for Malware

Many problems in IT involve several interdependent variables and trade-offs between them. IT projects, for example, are often defined by making trade-offs between scope, schedule and resources. If additional features (i.e., scope) are desired, then additional resources must be applied and/or a longer schedule accepted. Similarly, if key project staff members (i.e., resources) are lost, then the schedule must be lengthened and/or the project scope reduced.

For better or worse, the same dynamics are at play with malware prevention, albeit with even more variables. IT security, in the form of protection against malware, can be so stringent that it becomes difficult to keep an organization running smoothly. For example, if no one can access IT systems, including legitimate users, the malware prevention system is clearly not working correctly.

When working with security issues such as malware prevention, there are three additional interdependent variables to consider: performance, availability and scale. Together, these variables—Performance, Availability, Security and Scale—form the acronym PASS. In order to perform proper security testing, the PASS testing methodology should be followed. This involves testing across all four PASS variables to ensure the proper trade-offs are made.

PASS testing can answer a number of questions for each variable, all in the context of malware testing. Some examples are provided below.

Performance

• How much legitimate traffic can your network handle while also looking for malware?

• What is the impact to users, in terms of latency or QoS, of the malware prevention mechanisms?

Availability

• When malware causes a device to go into a fail-open or fail-closed state, do critical services go down?

• When under attack, can you still service your customers?

• How long does it take for services to switch to failover mode?

Security

• How many unique pieces of malware can your systems detect and stop?

• Are your systems able to stop the latest security threats? Is your malware library up to date?

Scale

• How many users can you support in normal conditions? How many while under attack?

• How does the addition of a new security device impact the number of users you can support?


Additional Testing Considerations

Importantly, PASS testing must be completed under real world conditions. This means testing during normal operating conditions as well as during times of peak workloads when infrastructure is severely stressed. In order to validate security, PASS testing must also be performed during simulated attack situations. If the testing is not realistic, it will fail to find problems—leaving them to be encountered in the production environment, where the costs of mitigation are the highest.

Testing with realism goes beyond accurately simulating different levels of network traffic. It must also include accurate representations of real world traffic mixes. For example, some users may be completing business transactions using SSL connections and/or IPsec tunnels. Malware testing should be done side by side with both secure and insecure traffic. The malware should be prevented while legitimate activities continue without interruption.
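The PASS questions above and the realism requirements in this section can be turned into a scorecard that a test run either passes or fails. The following Python is an added example, not Spirent code or a description of any Spirent product: it assumes a traffic generator that labels each flow as legitimate or malicious (real payload or emulated infected-host behaviour), records whether the device under test (DUT) blocked it, the latency the emulated client saw, and whether the flow rode inside an SSL/IPsec tunnel. The latency budget, detection and availability thresholds, and every flow record below are constructed values chosen to illustrate the scoring.

```python
"""PASS scorecard for a malware-prevention test run (added example, not Spirent code)."""
from dataclasses import dataclass
from typing import Dict, List

LATENCY_SLO_MS = 50.0       # assumed latency budget for legitimate traffic
MIN_DETECTION = 0.95        # assumed acceptable catch rate for malware flows
MIN_AVAILABILITY = 0.99     # assumed share of legitimate flows that must be served under attack


@dataclass
class Flow:
    phase: str          # test condition: "normal", "peak" or "attack"
    users: int          # concurrent emulated users during this phase
    malicious: bool     # ground truth from the generator
    blocked: bool       # verdict of the device under test
    latency_ms: float   # latency observed by the emulated client
    encrypted: bool     # flow carried over SSL/IPsec, part of the realistic traffic mix


def p95(values: List[float]) -> float:
    """Nearest-rank 95th percentile; 0.0 for an empty list."""
    if not values:
        return 0.0
    ordered = sorted(values)
    return ordered[int(0.95 * (len(ordered) - 1))]


def rate(hits: int, total: int) -> float:
    return hits / total if total else 0.0


def pass_scorecard(flows: List[Flow]) -> Dict[str, object]:
    legit = [f for f in flows if not f.malicious]
    mal = [f for f in flows if f.malicious]

    # Performance: latency of legitimate traffic per load level while inspection is active.
    perf = {}
    for phase in ("normal", "peak"):
        perf[phase] = p95([f.latency_ms for f in legit if f.phase == phase and not f.blocked])

    # Availability: are legitimate users still served while the DUT is under attack?
    under_attack = [f for f in legit if f.phase == "attack"]
    availability = rate(sum(not f.blocked for f in under_attack), len(under_attack))

    # Security: catch rate overall and split by traffic mix, plus collateral blocking of legitimate flows.
    detection = rate(sum(f.blocked for f in mal), len(mal))
    by_mix = {}
    for enc in (False, True):
        subset = [f for f in mal if f.encrypted == enc]
        by_mix["encrypted" if enc else "cleartext"] = rate(sum(f.blocked for f in subset), len(subset))
    false_block = rate(sum(f.blocked for f in legit), len(legit))

    # Scale: largest user count at which legitimate p95 latency stayed within budget.
    ok_levels = []
    for users in sorted({f.users for f in flows}):
        lat = [f.latency_ms for f in legit if f.users == users and not f.blocked]
        if p95(lat) <= LATENCY_SLO_MS:
            ok_levels.append(users)

    return {
        "performance_p95_ms": perf,
        "performance_ok": all(v <= LATENCY_SLO_MS for v in perf.values()),
        "availability": availability,
        "availability_ok": availability >= MIN_AVAILABILITY,
        "detection": detection,
        "detection_by_mix": by_mix,
        "false_block_rate": false_block,
        "security_ok": detection >= MIN_DETECTION and false_block == 0.0,
        "max_users_within_slo": max(ok_levels) if ok_levels else 0,
    }


def constructed_run() -> List[Flow]:
    """Constructed DUT results for three phases; not measurements from any product."""
    flows: List[Flow] = []
    # Normal load, 200 users: 10 legitimate flows and 4 malware flows, all caught.
    for i in range(10):
        flows.append(Flow("normal", 200, False, False, 20.0 + i, i % 2 == 0))
    for i in range(4):
        flows.append(Flow("normal", 200, True, True, 25.0, i % 2 == 0))
    # Peak load, 1000 users: latency climbs past the budget and one encrypted sample slips through.
    for i in range(10):
        flows.append(Flow("peak", 1000, False, False, 40.0 + 2 * i, i % 2 == 0))
    for i in range(4):
        flows.append(Flow("peak", 1000, True, i != 2, 45.0, i % 2 == 0))
    # Attack phase, 200 users: 12 malware flows caught while 20 legitimate flows are all served.
    for i in range(12):
        flows.append(Flow("attack", 200, True, True, 35.0, i % 2 == 0))
    for i in range(20):
        flows.append(Flow("attack", 200, False, False, 30.0 + i, i % 2 == 0))
    return flows


if __name__ == "__main__":
    for key, value in pass_scorecard(constructed_run()).items():
        print(f"{key}: {value}")
```

On the constructed run the overall catch rate just meets the threshold, but splitting detection by traffic mix shows that the only miss is in the encrypted share, which is exactly the gap that testing with cleartext traffic alone would never surface; the scale figure likewise drops to the normal-load user count because the peak phase broke the latency budget.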

Summary

A variety of security systems are used to detect and prevent malware. These include firewalls and network intrusion prevention systems, deep packet inspection capabilities, unified threat management systems, antivirus and anti-spam gateways, virtual private networks and content filtering and data leak prevention systems.

Yet, even with all these security systems and capabilities in place, malware still manages to infect target systems. In order to stop malware, all security systems must be carefully tested and validated using a wide range of malware-based attacks to ensure they are working properly.

Robust testing of security systems requires test equipment that can generate real malware payloads and emulate network traffic from already-infected systems. It also requires a proper testing methodology such as PASS testing, which involves testing performance, availability, security and scalability with respect to malware.

Importantly, PASS testing must be completed under real world conditions. This means testing during normal operating conditions as well as during times of peak workloads when infrastructure is severely stressed. It also means going beyond accurately simulating different levels of network traffic to include accurate representations of real world traffic mixes.

For security testing, Spirent covers all aspects, from DDoS, , known vulnerabilities and malware. Enterprises, government agencies, service providers, infrastructure providers and equipment vendors can ensure the security and resilience of their networks and services on a continuous basis.

For additional information on security testing please visit: www.spirent.com/go/tws-security.


SPIRENT
1325 Borregas Avenue
Sunnyvale, CA 94089 USA

AMERICAS 1-800-SPIRENT | +1-818-676-2683 | [email protected]
EUROPE AND THE MIDDLE EAST +44 (0) 1293 767979 | [email protected]
ASIA AND THE PACIFIC +86-10-8518-2539 | [email protected]

© 2014 Spirent. All Rights Reserved. All of the company names and/or brand names and/or product names referred to in this document, in particular, the name “Spirent” and its logo device, are either registered trademarks or trademarks of Spirent plc and its subsidiaries, pending registration in accordance with relevant national laws. All other registered trademarks or trademarks are the property of their respective owners. The information contained in this document is subject to change without notice and does not represent a commitment on the part of Spirent. The information in this document is believed to be accurate and reliable; however, Spirent assumes no responsibility or liability for any errors or inaccuracies that may appear in the document. Rev B 03/14