ICT Security: Testing methodology for Targeted Attack defence tools


Current testing methodologies are not appropriate for today's threats such as Targeted Attacks; legacy test methods are malware-centric and strongly oriented to AV products.
The main objective of my master thesis is the design of a meaningful test method for modern threat defense tools and systems. The proposed guidelines aim to fill the gap between what is tested and what is actually tackled.
Here are a few slides about my work.
--
Complete thesis available at http://amslaurea.unibo.it/6963/


Transcript

  • 1. ICT Security: Testing methodology for Targeted Attack defence tools. Luca Mella. Supervisor: Prof. Franco Callegati; co-supervisor: Dott. Ing. Marco Ramilli. Master's (LM) thesis in Telecommunication Network Design, University of Bologna, School of Engineering and Architecture, Cesena campus. March 27, 2014.
  • 2. Modern Threats (in a Nutshell)
    - Cyber attacks before 2005: pranksters, lone wolves; disruption, DoS, DDoS, ...; identity theft, cyber-crime.
    - Modern cyber attacks: organized groups, heavy automation, black markets; business models such as Pay Per Install (PPI) and Exploit as a Service (EaaS); cyber-espionage, Targeted Attacks, APTs.
    - Cyber-warfare and cyber-espionage: stealing secrets, intellectual property and projects; surveillance; sabotage.
    Luca Mella (University of Bologna), TA Test Method, March 27, 2014
  • 3. Modern Threats: OAs and TAs
    - Opportunistic Attacks (OAs): a "non-targeted-target policy"; steal accounts, passwords, credit cards, Bitcoin wallets, ...; drive-by downloads.
    - Targeted Attacks (TAs), as a kill chain:
      Reconnaissance: gather information about the target.
      Weaponization and Delivery: prepare the weaponized malware and deliver it.
      Installation and Command and Control: ensure access to the target infrastructure.
      Actions: lateral movement to achieve the goals of the attack.
    - A similar process can be found in cyber-warfare taxonomies.
  • 4. Defense approaches against Modern Threats: a holistic approach
    - Traditional defenses: AVs, firewalls and next-generation firewalls (FW/NGF), proxy, WAF, network and host probes.
    - Sandboxes: "a way of separating running programs, containing their execution within a fully controllable environment", e.g. virtualization- and emulation-based; automated dynamic analysis.
    - Security Information and Event Management (SIEM): dashboard, alerting and reporting, retention, aggregation and correlation, support for forensic analysis.
    - Computer Security Incident Response Team (CSIRT).
  • 5. Security System Testing
    - Anti-malware product testing, as standardized by the Anti-Malware Testing Standards Organization (AMTSO).
      Static tests: the EICAR test file; a known sample-set.
      Dynamic tests: the product's performance is determined by the behaviour of the sample, but the execution environment determines the sample's behaviour; dependency on external resources; loss of reproducibility.
    - Cloud-based product testing: continuous updates, reputation data, black-lists and white-lists, threat data correlation. These cannot be frozen during a test session!
  • 6. Security System Testing: Summing Up
    - The EICAR test file is merely an "installation test file".
    - Samples that "resemble" a malicious program are useless.
    - Known sample-sets focus on the detection of malicious programs.
    - Gap between what is tested and what is actually tackled.
    - Part of the InfoSec community is aware of this problem, e.g.: http://www.fireeye.com/blog/corporate/2013/10/be-the-change-test-methodologies-for-advanced-threat-prevention-products.html
  • 7. Testing Security Systems Against TAs
    - Vision: test systems against modern threats.
    - Goal: lower the gap between what is tested and what is actually tackled.
    - Mainstays: several sub-tests based on the TA kill-chain model (reconnaissance; weapon delivery and command and control; actions); testing whole systems, with emphasis on products from the system point of view; expectations formulated for each component of the TA detection system under test; comparative tests; interferences between components.
  • 8. Testing Security Systems Against TAs: Testing Reconnaissance
    - Test the ability to detect the information-gathering phase of the attack.
    - Care is needed when defining the sample-set.
    - An example: the product under test is a network monitor or a web-analytics tool with some detection engine; samples are network traffic samples; malicious samples come from real information gathering; benign samples come from traffic replay, traffic models, or real-user traffic.
  • 9. Testing Security Systems Against TAs: Testing Delivery and Command and Control
    - Detection of the act of spreading malware with the purpose of compromising hosts.
    - Observable delivery versus unobservable delivery.
    - Samples: execution is required; the nature of the threat is unknown; side effects in the sample-set definition; consider how the samples are created.
  • 10. Testing Security Systems Against TAs: Testing Actions and Lateral Movements
    - Detect lateral movements performed by the attacker after a successful infection.
    - Local actions are performed inside the host; network actions involve the network, e.g. telnet sessions, login brute-force, network share access, RDP sessions, ...
    - Malicious samples: a sequence of actions with malicious intent. Watch the context of the host!
    - Consider the expectations formulated in the preliminary analysis.
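Worked example for the lateral-movement sub-test on slide 10 (added here; not part of the thesis or the slides). The malicious sample is the action sequence the slide lists: login brute-force, then a successful logon and a network share access or RDP session. The same sequence is placed on a workstation and on a jump host in a constructed event log, and a reference detector uses per-host context so that only the workstation case is judged malicious. The hosts, addresses, log format, thresholds and the context table are assumptions.

```python
"""Lateral-movement sub-test: a context-aware reference detector.

Added example, not from the thesis. The malicious sample is the sequence
brute-force -> successful logon -> share access / RDP session; the host
context decides how the sequence is judged. Everything below (hosts,
addresses, log format, thresholds) is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed host context: what is "normal" on each host.
HOST_CONTEXT = {
    "ws-042":  {"role": "workstation", "admin_sources": frozenset()},
    "jump-01": {"role": "jump-host",   "admin_sources": frozenset({"10.0.9.5"})},
}
LATERAL_ACTIONS = {"share_access", "rdp_session"}
BRUTE_FORCE_THRESHOLD = 5   # failed logons from one source ...
WINDOW = 120                # ... within this many seconds


@dataclass(frozen=True)
class Event:
    ts: int      # epoch seconds
    host: str    # host that recorded the action
    src: str     # source address of the action
    action: str  # logon_fail | logon_ok | share_access | rdp_session
    user: str


def parse_line(line):
    """'<ts> <host> <src> <action> <user>' -> Event (constructed log format)."""
    ts, host, src, action, user = line.split()
    return Event(int(ts), host, src, action, user)


def brute_force_time(events, window, threshold):
    """Timestamp of the threshold-th failed logon inside any window, or None."""
    fails = sorted(e.ts for e in events if e.action == "logon_fail")
    for i in range(len(fails) - threshold + 1):
        if fails[i + threshold - 1] - fails[i] <= window:
            return fails[i + threshold - 1]
    return None


def detect(lines, window=WINDOW, threshold=BRUTE_FORCE_THRESHOLD):
    """Judge every (host, source) pair: benign | suspicious | expected | malicious."""
    by_pair = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        by_pair[(e.host, e.src)].append(e)
    verdicts = {}
    for (host, src), events in by_pair.items():
        ctx = HOST_CONTEXT.get(host, {"role": "unknown", "admin_sources": frozenset()})
        brute_at = brute_force_time(events, window, threshold)
        if brute_at is None:
            verdicts[(host, src)] = "benign"
            continue
        later = [e for e in events if e.ts > brute_at]
        got_in = any(e.action == "logon_ok" for e in later)
        moved = any(e.action in LATERAL_ACTIONS for e in later)
        if not (got_in and moved):
            verdicts[(host, src)] = "suspicious"   # brute force without follow-up
        elif ctx["role"] == "jump-host" and src in ctx["admin_sources"]:
            verdicts[(host, src)] = "expected"     # known admin path: log, do not alert
        else:
            verdicts[(host, src)] = "malicious"    # full sequence where it should not occur
    return verdicts


# Constructed sample: the same sequence on a workstation (malicious) and on a
# jump host from its known admin source (expected), plus benign activity.
SAMPLE_LOG = """\
1700000000 ws-042 10.0.3.7 logon_fail jdoe
1700000010 ws-042 10.0.3.7 logon_fail jdoe
1700000020 ws-042 10.0.3.7 logon_fail jdoe
1700000030 ws-042 10.0.3.7 logon_fail jdoe
1700000040 ws-042 10.0.3.7 logon_fail jdoe
1700000050 ws-042 10.0.3.7 logon_ok jdoe
1700000070 ws-042 10.0.3.7 share_access jdoe
1700000080 ws-042 10.0.3.7 rdp_session jdoe
1700000100 jump-01 10.0.9.5 logon_fail admin
1700000105 jump-01 10.0.9.5 logon_fail admin
1700000110 jump-01 10.0.9.5 logon_fail admin
1700000115 jump-01 10.0.9.5 logon_fail admin
1700000120 jump-01 10.0.9.5 logon_fail admin
1700000130 jump-01 10.0.9.5 logon_ok admin
1700000140 jump-01 10.0.9.5 rdp_session admin
1700000200 ws-042 10.0.3.9 logon_ok jdoe
1700000210 ws-042 10.0.3.9 share_access jdoe
""".splitlines()

if __name__ == "__main__":
    for pair, verdict in detect(SAMPLE_LOG).items():
        print(pair, verdict)
```

Without the context table the two brute-force sequences are indistinguishable, which is the point of the slide: a lateral-movement sample is only meaningful together with the context of the host it is run against, and the expectation for a detector should say which outcome is wanted on which host.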
  • 11. Testing Security Systems Against TAs: Workflow (figure; slides 11 to 14 build up the same workflow diagram step by step)
  • 15. Case Study: Preliminary and Test-Bed Activities
    - Two systems under test.
    - Preliminary analysis: formulate expectations for each component, in terms of channels (HTTP) and artifacts (malware download, malicious communication); decide which sub-tests to enable.
    - Test-bed activities: deploy the test-bed; report possible interferences, e.g. whether a system might block further communications.
    - Figure: test-bed architecture.
  • 16. Case Study: Sample and Test Activities
    - Sample activities. Collect samples with a two-phase strategy: in the same week, collect and validate; a few hours before the test, re-collect and find the latest version of the previously collected samples. Create samples: a real malicious program (spyware) plus evasion techniques.
    - Test activities. Proceed with the delivery phase: monitor each component and give a PASS/FAIL/NA judgement for each component. Then proceed with the command and control phase: monitor each component and give a PASS/FAIL/NA judgement for each component.
  • 17. Case Study: Analysis Activities
    - Delivery results and command and control results (result tables).
    - Take into account the expectations and the possible interferences.
    - Considerations from the system point of view: none of the systems detected the completely new attack; SYSTEM-1 performed better in command and control detection.
    - Considerations from the component point of view: APT-DET-1 provides a valuable contribution, especially in command and control detection.
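Worked example for the case-study procedure on slides 15 to 17 (added here; not from the thesis or the slides). It implements the PASS/FAIL/NA judgement per component for the delivery and command-and-control sub-tests, applies the expectations and interferences the slides call for, and then reads the results from the system and from the component point of view. The system, its components (PROXY-1, SANDBOX-1, NIDS-1), the samples and every observation are constructed; the two interference rules (an inline block hides the artifact from components further down the path, and a blocked delivery makes the C2 sub-test unobservable) are an assumption drawn from slide 15, not the thesis's exact rules.

```python
"""PASS/FAIL/NA judgement with expectations and interferences.

Added example, not from the thesis. Models the case-study steps on the
slides: expectations per component, the delivery and C2 sub-tests, a
judgement per component, then system and component points of view.
System, components, samples and observations are all constructed.
"""
from collections import Counter
from dataclasses import dataclass

PHASES = ("delivery", "c2")          # sub-tests, in kill-chain order


@dataclass(frozen=True)
class Component:
    name: str
    position: int                    # order along the traffic path (0 = edge)
    expected: frozenset              # phases this component is expected to cover
    inline: bool = False             # can block traffic, i.e. a source of interference


# Constructed system: an inline proxy, a sandbox and a network probe.
SYSTEM_A = [
    Component("PROXY-1",   0, frozenset({"delivery"}), inline=True),
    Component("SANDBOX-1", 1, frozenset({"delivery"})),
    Component("NIDS-1",    2, frozenset({"delivery", "c2"})),
]

# Constructed observations: sample -> phase -> component -> alert | block | silent
OBSERVATIONS = {
    "known-spyware": {
        "delivery": {"PROXY-1": "block",  "SANDBOX-1": "silent", "NIDS-1": "silent"},
        "c2":       {"PROXY-1": "silent", "SANDBOX-1": "silent", "NIDS-1": "silent"},
    },
    "evasive-variant": {
        "delivery": {"PROXY-1": "silent", "SANDBOX-1": "alert",  "NIDS-1": "silent"},
        "c2":       {"PROXY-1": "silent", "SANDBOX-1": "silent", "NIDS-1": "alert"},
    },
    "brand-new": {
        "delivery": {"PROXY-1": "silent", "SANDBOX-1": "silent", "NIDS-1": "silent"},
        "c2":       {"PROXY-1": "silent", "SANDBOX-1": "silent", "NIDS-1": "silent"},
    },
}


def judge(system, obs):
    """Return {phase: {component: PASS | FAIL | NA}} for one sample."""
    result = {}
    delivery_blocked = False
    for phase in PHASES:
        result[phase] = {}
        blockers = [c.position for c in system
                    if c.inline and obs[phase].get(c.name) == "block"]
        blocked_at = min(blockers) if blockers else None
        for c in sorted(system, key=lambda c: c.position):
            if phase not in c.expected:
                verdict = "NA"        # no expectation formulated: not judged
            elif phase == "c2" and delivery_blocked:
                verdict = "NA"        # sample never ran, so C2 is not observable
            elif blocked_at is not None and c.position > blocked_at:
                verdict = "NA"        # an upstream block hid the artifact (interference)
            elif obs[phase].get(c.name) in ("alert", "block"):
                verdict = "PASS"
            else:
                verdict = "FAIL"
            result[phase][c.name] = verdict
        if phase == "delivery" and blocked_at is not None:
            delivery_blocked = True
    return result


def system_view(system, observations):
    """Per phase: (samples caught by the system as a whole, samples judged)."""
    out = {}
    for phase in PHASES:
        caught = judged = 0
        for obs in observations.values():
            verdicts = list(judge(system, obs)[phase].values())
            if all(v == "NA" for v in verdicts):
                continue              # nothing to say about this phase for this sample
            judged += 1
            caught += int(any(v == "PASS" for v in verdicts))
        out[phase] = (caught, judged)
    return out


def component_view(system, observations):
    """Per component: Counter of PASS/FAIL/NA over all samples and phases."""
    out = {c.name: Counter() for c in system}
    for obs in observations.values():
        for verdicts in judge(system, obs).values():
            for name, v in verdicts.items():
                out[name][v] += 1
    return out


if __name__ == "__main__":
    print("system view:", system_view(SYSTEM_A, OBSERVATIONS))
    for name, counts in component_view(SYSTEM_A, OBSERVATIONS).items():
        print(name, dict(counts))
```

The NA verdicts are what keep the comparison honest: in the constructed data the sandbox and the probe are never charged with a miss on the sample the proxy blocked at the edge, and the C2 sub-test for that sample is simply not counted, which is the interference slide 15 asks the tester to report before the test rather than explain away afterwards.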
  • 18. Conclusions
    - Lowers the gap between what is tested and what is actually tackled: designed with modern, advanced, targeted threats in mind; supports real-world test-beds, where context has a central role; allows comparison tests between systems; enables considerations from both the system and the product point of view.
    - Complete and general: covers the relevant attack steps; can also be applied in gray-box tests on already deployed security systems.
    - Further work: specializations and further analysis of particular scenarios (e.g. drive-by downloads, phishing mails, data leaks, ...); extension with incident response testing.
  • 19. :(){ :|:& };: (the classic bash fork bomb, shown as a closing joke) THANK YOU FOR YOUR ATTENTION!