Get Proactive About Security With Malware Emulation
According to the ENISA 2023 Threat Landscape Report, DDoS and ransomware ranked highest among prime threats this year. There was also a significant uptick in malware-related incidents compared to 2022, marking a resurgence of this particular type of threat. Palo Alto Networks Unit 42 cited a 55% increase in the exploitation of critical vulnerabilities in 2023 compared to 2021. Email continues to be a popular malware infection vector for threat actors, often paired with social engineering tactics, and PDFs are being used 66% of the time to deliver malware via email.
Figure 1. Observed incidents related to prime threats by sector (Source: ENISA Threat Landscape 2023)
In this blog we will be discussing the importance of an "assume breach" approach when establishing a proactive cybersecurity strategy. We will also detail how our latest malware emulation features can assist you in successfully evaluating endpoint security controls.
Breach and Attack Simulation Is The Best Medicine
A network infrastructure can be very similar to a living organism: just as viruses can cause illness, malware can disable critical services and destroy, encrypt, or steal data. As immunology teaches us, a vaccine works by introducing a weakened or inactive form of the virus into the body. This allows the immune system to learn how to combat the disease without the risk of serious illness. Once the immune system has learned how to fight off the threat, it can do so more effectively if the virus ever tries to invade the body in the future.
Similarly, malware emulation is a technique that reproduces the behavior of malware to understand and analyze its potential effects without exposing the actual system to the risk of infection. It provides a means to refine the existing security infrastructure by assessing its effectiveness against various types of threats. Additionally, by incorporating malware emulation into a proactive security approach, companies can identify and address vulnerabilities before they are exploited by adversaries.
This proactive strategy increases the effectiveness of security measures and reduces the potential harm caused by malware. In essence, the goal of malware emulation is to execute code that simulates the behavior of a specific threat on a system-under-test and to determine whether the security controls in place can detect or block that execution.
Let's now explore in more detail the malware emulation capabilities present in Threat Simulator and how these can be used to assess security controls.
Assume Breach Model
We help our customers and partners develop a threat model which assumes that an attacker will eventually reach its target. This type of model, often referred to as an "assume breach" model, operates on the principle that an incident is not a possibility, but rather an inevitable event that will happen at some point in time.
By considering a successful attack as an inevitability, organizations can shift their focus from solely preventing attacks to also detecting and responding to them effectively. This approach can lead to a more robust and resilient cybersecurity posture. It allows organizations to plan and prepare for potential breaches, ensuring they have the necessary measures in place for damage control, agile recovery, and remediation.
Threat Simulator helps you automate a wide variety of attacks, typically in the form of audits and assessments that evaluate network security and the ability of endpoint security controls to detect malicious behaviors.
An endpoint security audit typically involves implementing a specific MITRE ATT&CK technique in a manner that simulates the actions of a real adversary. For instance, in an endpoint audit, a PowerShell command might be used to execute a WMI query that gathers information about the target system. This mirrors a technique employed by Agent Tesla in one of its campaigns.
In isolation, the execution of this command, as recorded by a Security Information and Event Management (SIEM) system, may not necessarily indicate the presence of an adversary in the network. WMI queries are commonly employed by system administrators for automation purposes. However, if multiple such indicators are detected within a specific time interval, it becomes imperative to conduct a thorough investigation. That is the essence of a Kill Chain assessment.
A Kill Chain assessment emulates the behavior of documented threat actors, modeling the same tools, tactics and techniques used in their campaigns. It comprises multiple endpoint audits linked together in a specific order, emulating a chain of events that begins with an external attacker gaining access and concludes with the attacker achieving a specific objective. The assessment is executed in a manner which generates similar Indicators of Compromise (IOCs) and Indicators of Behavior (IOBs) to those associated with the actual threat.
Know Your Enemy
When an adversary successfully gains access to a target system, they typically employ one of two non-mutually exclusive techniques to achieve their objectives:
- Leveraging existing system tools/cmdlets
This technique is often known as Living off the Land (LOTL) and is used by adversaries to blend in and disguise their purpose by utilizing existing system tools. Despite its advantages, this approach comes with several disadvantages for attackers:
Detection risk
While using built-in tools may help evade detection, it is not foolproof. If an attacker employs a tool in an unconventional manner, it could trigger an alert. Additionally, the use of multiple built-in tools might make it easier to infer the adversary's purpose.
Limited capabilities
Attackers are constrained by the capabilities of the pre-existing tools on the system. If the system does not have the required tools to carry out a specific activity, they may have to resort to other, potentially riskier methods.
Furthermore, since the LOTL technique is well documented, system administrators may take specific measures to guard against it, such as carefully monitoring or blocking the use of administrative tools, making it more difficult for the attacker to succeed.
- Leveraging native OS APIs to implement their own logic (malicious code)
The advantage of this technique is that an adversary has complete flexibility, and understanding the purpose of the malicious code takes time. Analysis can be hindered further by various anti-analysis/anti-debugging methods. This delay in analysis may provide the adversary with a significant window of opportunity to achieve their goals. However, there are notable disadvantages for the attacker:
Detection risk
Malicious code is often more easily detected by security solutions. Antivirus software, firewalls, and intrusion detection systems are all designed to identify and block known malware. While new malware may initially bypass these defenses, once it is detected and its signature is added to detection databases, it can be effectively blocked.
Maintenance and updates
Malicious code often requires constant updates to remain effective. As security solutions update their malware definitions, the malicious code must be altered or completely rewritten to avoid detection. This process can be time-consuming and financially burdensome for the attacker.
Luckily, Threat Simulator can help keep you safe by providing realistic emulation of both these attack techniques.
Malware Emulation From Threat Simulator
First, we determine the malware's behavior by leveraging the static and dynamic analysis capabilities of our Threat Intelligence System (TIS). To simulate a ransomware attack, for example, our malware emulation implements the same encryption algorithm as the malware itself while ensuring that the encrypted files are recovered after the assessment ends.
To simulate malware communication with a command-and-control server, a Threat Simulator malware emulation sends a similar message using the same communication protocol, but the destination is what we call the Dark Cloud, an entity controlled through the Threat Simulator testing infrastructure that behaves like a C2 server. An emulation can either download resources from or upload resources to Dark Cloud, realistically simulating tool transfer and exfiltration scenarios in a safe way.
To test the filtering of malicious domains/IPs, Threat Simulator conducts a simple TCP handshake, DNS lookup or HTTP HEAD request against the malicious destination; these operations do not lead to any loss of confidential data.
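The three checks described above, as an added example that is not Threat Simulator code: a small Python probe that performs a DNS lookup, a bare TCP handshake and an HTTP HEAD request against a destination, then reports which control (if any) stopped it. It goes one step beyond the paragraph by treating a name that resolves only to sinkhole addresses as a DNS-layer block. The destination name is a constructed placeholder, and the function names are assumptions of this example.

```python
"""Egress-filter check: DNS lookup, TCP handshake, HTTP HEAD.

Added example, not Threat Simulator code. The destination below is a
constructed placeholder; substitute an entry that your own policy says
must be blocked.
"""
import http.client
import socket

PLACEHOLDER_DESTINATION = "blocked-test.example.invalid"  # constructed, not a real indicator

# Addresses that DNS-based blocking commonly answers with instead of NXDOMAIN.
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}


def resolve(host):
    """Return the sorted list of addresses `host` resolves to, or [] if DNS fails."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_handshake(host, port, timeout=3.0):
    """Complete the TCP three-way handshake only: send nothing, then close."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_head(host, port=80, timeout=3.0):
    """Issue HTTP HEAD for '/' and return the status code, or None on failure.

    HEAD carries no request body and the response has none either, so no
    confidential data can leave the host through this check.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def probe(host, port=80, timeout=3.0):
    """Run the three checks in order, stopping at the first layer that blocks."""
    result = {"host": host, "dns": resolve(host), "tcp": None, "http": None}
    if not result["dns"] or set(result["dns"]) <= SINKHOLE_ADDRESSES:
        return result
    result["tcp"] = tcp_handshake(host, port, timeout)
    if not result["tcp"]:
        return result
    result["http"] = http_head(host, port, timeout)
    return result


def verdict(result):
    """Translate a probe result into the control that stopped the connection."""
    if not result["dns"]:
        return "blocked: DNS (NXDOMAIN or resolver refused)"
    if set(result["dns"]) <= SINKHOLE_ADDRESSES:
        return "blocked: DNS sinkhole"
    if not result["tcp"]:
        return "blocked: TCP (firewall or egress ACL)"
    if result["http"] is None:
        return "blocked: HTTP (proxy reset or no response)"
    if result["http"] in (403, 451):
        return "blocked: HTTP %d (web filter)" % result["http"]
    return "allowed: HTTP %d reached the destination" % result["http"]


if __name__ == "__main__":
    r = probe(PLACEHOLDER_DESTINATION)
    print(r["host"], "->", verdict(r))
```

Run it against each entry of a known-bad list and expect every verdict to start with "blocked"; an "allowed" line identifies a destination that DNS filtering, the egress firewall and the web proxy all let through.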
Figure 2. TrickBot assessment execution chain as implemented in Threat Simulator
Since EDRs often monitor specific Windows APIs that malware uses for techniques such as process injection or memory dumping, a Threat Simulator malware emulation employs procedures similar to those of the malware chosen for emulation. An inference engine then maps the observed behavior to a set of malware-like routines, and the emulation source code corresponding to the real malware is generated.
Figure 3. Realistic malware emulation generation pipeline
The actual emulation binary implementing the malware behavior is generated on demand for each assessment. This design choice limits the possibility of the emulation being flagged simply on the basis of its digital signature and stress-tests the behavioral detection capabilities. EDRs usually offer the option of processing potentially malicious files in the cloud; if the detection engine deems the analyzed file malicious, its digital signature is added to a database so that it is blocked the next time it is encountered.
The emulation binary is then executed in a single stage of the assessment. In the subsequent stages, the emulated behavior is validated to determine whether a security control on the system-under-test has blocked the emulation's procedures. Finally, the IOCs produced by the emulation are deleted to restore the system-under-test to its initial state.
Figure 4. Correct EDR behavioral detection of GandCrab ransom emulation
After years of testing against various EDRs, our team has noticed that each endpoint security product has its own strengths and weaknesses. For example, while Windows Defender is quite capable of detecting various forms of PowerShell obfuscation, it fails to detect some of the ATI emulations, even though they exhibit the same behavior as the malware itself. These considerations, delivered as Threat Simulator assessment results and recommendations, provide valuable insight when designing security defenses.
Figure 5. EDR detection failures of custom malicious code. Case 1 features an emulation for LSASS memory dump through direct syscall execution (Halos Gate). Case 2 features an emulation for SunCrypt ransom using a custom lightweight encryption scheme.
Case study: Royal Ransom
The Keysight Application and Threat Intelligence (ATI) team is constantly on the lookout for the latest threats and has developed multiple kill chain assessments based on malware emulation, allowing our customers to test their infrastructure against the latest malware procedures observed in the wild. At the time of writing, the latest malware emulation released targets the Royal ransomware.
The Royal ransom group is backed by threat actors from Conti. They employ a mix of techniques, such as callback phishing and intermittent encryption, to infiltrate victims' machines and encrypt files. The group initially used BlackCat's encryptor before developing its own, and it targets multiple corporations. Royal has been particularly prolific since its launch and has targeted various critical infrastructure sectors, such as chemical, communications, manufacturing, defense industrial bases, financial services, and emergency services. Despite warnings from the FBI and CISA, the group continues to adapt, even developing Linux-based variants to expand its range of targets. The Threat Simulator assessment performs the following abridged series of steps:
- It retrieves user account information using the 'net user' and 'net localgroup' commands.
- It disables Windows Defender using the 'Set-MpPreference' PowerShell cmdlet.
- It leverages PowerSploit to execute 'Find-LocalAdminAccess' to identify systems where the current user has local administrator privileges.
- It exfiltrates sensitive data from the system using the SharpExfiltrate .NET tool.
- It downloads and executes the emulated malware binary.
- It deletes all Volume Shadow Copies using 'vssadmin.exe'.
- It extracts information about the current system using the 'GetNativeSystemInfo' Win32 API function.
- It creates multiple threads, depending on the number of CPU cores, which are used to encrypt files.
- It enumerates the network shares using the 'NetShareEnum' Win32 API function.
- It iteratively connects to other hosts in the same network on port 445.
- It encrypts local files using the AES-256 algorithm, leveraging the OpenSSL library.
- It attempts to encrypt files on the network shares.
- It creates a ransom note file in each folder where files were encrypted.
- It attempts lateral movement using the PsExec.exe tool, based on the intel gathered in steps 1 and 3.
- As a final cleanup step, the assessment restores the system to its initial state.
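As an added illustration (not Threat Simulator code) of the point made earlier that a single LOTL command is weak evidence but several within a short interval warrant investigation, the following Python correlates process-creation events per host over a sliding time window. The log lines, their pipe-separated layout, the indicator names, the window and the threshold are all constructed for this example; the command patterns correspond to the 'net user'/'net localgroup', 'Set-MpPreference', 'vssadmin' and PsExec steps listed above and to the WMI query mentioned in the endpoint audit.

```python
"""Kill-chain correlation over process-creation events.

Added example, not Threat Simulator code. The sample log is constructed;
its assumed layout is timestamp|host|user|command line. The indicator
patterns are drawn from the commands described in the post.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (indicator name, pattern matched against the command line). Names are constructed.
INDICATORS = [
    ("wmi_recon", re.compile(r"(get-wmiobject|gwmi|wmic)\b", re.I)),
    ("account_discovery", re.compile(r"\bnet1?(\.exe)?\s+(user|localgroup)\b", re.I)),
    ("defender_tamper", re.compile(r"set-mppreference\s+-disable\w+\s+\$?true", re.I)),
    ("shadow_copy_delete", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("remote_exec", re.compile(r"\bpsexec(64)?(\.exe)?\b", re.I)),
]

WINDOW = timedelta(minutes=10)  # assumed correlation window
THRESHOLD = 3                   # distinct indicators on one host inside WINDOW

# Constructed sample: a lone admin WMI query on WS-ADMIN (benign on its own) and a
# chain on WS-FIN-07 that mirrors the early Royal steps.
SAMPLE_LOG = """\
2023-10-12T09:00:05|WS-ADMIN|corp\\helpdesk|powershell.exe Get-WmiObject Win32_OperatingSystem
2023-10-12T09:14:10|WS-FIN-07|corp\\j.doe|powershell.exe Get-WmiObject Win32_ComputerSystem
2023-10-12T09:15:02|WS-FIN-07|corp\\j.doe|net user
2023-10-12T09:15:30|WS-FIN-07|corp\\j.doe|net localgroup administrators
2023-10-12T09:18:44|WS-FIN-07|corp\\j.doe|powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true
2023-10-12T09:21:09|WS-FIN-07|corp\\j.doe|vssadmin.exe delete shadows /all /quiet
2023-10-12T11:40:00|WS-ADMIN|corp\\helpdesk|net localgroup administrators
"""


def parse(line):
    """Split one pipe-separated event into (timestamp, host, user, command line)."""
    ts, host, user, cmd = line.split("|", 3)
    return datetime.fromisoformat(ts), host, user, cmd


def match_indicators(cmd):
    """Return the names of every indicator whose pattern matches the command line."""
    return [name for name, pat in INDICATORS if pat.search(cmd)]


def correlate(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per host whose distinct indicators within `window` reach `threshold`.

    Single matches are kept as evidence but never alert on their own, since
    administrators legitimately run WMI queries and 'net' commands.
    """
    events = defaultdict(list)  # host -> [(timestamp, indicator name)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, _user, cmd = parse(line)
        for name in match_indicators(cmd):
            events[host].append((ts, name))

    alerts = []
    for host, hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            window_hits = [(t, n) for t, n in hits[i:] if t - start <= window]
            names = sorted({n for _, n in window_hits})
            if len(names) >= threshold:
                alerts.append({
                    "host": host,
                    "first_seen": start,
                    "last_seen": window_hits[-1][0],
                    "indicators": names,
                })
                break  # report the earliest qualifying chain once per host
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print("%(host)s: %(indicators)s between %(first_seen)s and %(last_seen)s" % alert)
```

On the sample, WS-ADMIN produces two isolated matches almost three hours apart and stays quiet, while WS-FIN-07 accumulates four distinct indicators in seven minutes and is reported. The same structure accepts real process-creation telemetry (Sysmon event 1 or Windows 4688) once `parse` is adapted to the field layout; the window and threshold are the knobs that trade alert volume against the latency of catching a chain.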
New Malware Emulation Assessments in Threat Simulator
Designing, deploying, and operating security solutions is a never-ending challenge. Regardless of the skills of your people, how well thought out your processes are, or the quality of your vendors, your organization will eventually run into issues that affect cybersecurity. Many problems and issues are preventable with the appropriate test strategies.
Security issues are often hidden until it is too late. To avoid becoming headline news, lean on Keysight and our award-winning Threat Simulator to better protect yourself and your customers from preventable issues.
Check out some of our new malware emulation assessments:
- Malware Emulation: Royal Ransom 12 October 2023
- Malware Emulation: LockBit 3 July 2023
- Malware Emulation: SunCrypt June 2023
- Malware Emulation: GandCrab V5 September 2022
One of our customers has used our malware emulation and discovered they were not as safe as they had originally thought.
Figure 6. Successful execution of LockBit 3 malware emulation assessment
To find more information on how Keysight can help you rapidly discover, remediate, and validate exploitable security vulnerabilities, visit our website.