We've been having a good time doing intensive, month-long or longer APT simulation tests for people, acting like malicious insiders, using hardware implants, 0days, human-enabled malware, etc. Lately, however, we've been playing around with a new type of testing to take things to the next level. This testing has two basic components:
- Reverse Engineer Testing
- Network Forensics Testing
The basic idea is to exercise your RE and packet ninjas even harder in order to make them stronger.
On the RE side we create progressively more difficult malware for them to analyze. Here is an example of a ramp up path for this kind of test:
- Basic packed binary
- Challenging packed binary
- Staged unpacker with memory checksums
- Binary with analysis detection
- Virtualization detection & retaliation
- Dynamic analysis tools detection & retaliation
- Debugger detection & behavioral changes
- Multiple and increasingly difficult debugger detection from IsDebuggerPresent() to execution timers
- Strong crypto, slack space and other binary tricks
- Phantom routines & dead ends in the code
- Exploits against analysis tools
We pen test your reverse engineer.
(Or your sandbox appliance if you have decided to go that route instead).
On the Network Forensics side we ramp up the difficulty of our command and control and data exfiltration techniques in order to exercise and improve your network security staff's capabilities in the following ways:
- Randomized timing & changing beacons
- Out of band network communications
- Protocol misuse & covert channels
- False flag / false signature packets
- Complex sequencing & esoteric packet-based opcodes
- Port-knocking-style attacks
- Encoding & encryption
- Exploits against network analysis tools
This allows your network forensic analysts to hone their skills at spotting anomalous traffic and finding the tricky ways real bad guys hide from detection. It also shows you how effective (or ineffective) your network security appliances, such as IDS/IPS, really are.
All of the tricks and techniques we use for these tests are taken from real-world experience analyzing some of the trickiest malware and the most complex network evasion schemes during incident response engagements. In addition, we throw in some of our own developed methods to keep the analysts on their toes.
This type of testing is most effective as a component of a larger APT simulation, but it can be done standalone as well.
At this point in 2013, you probably know which machines on your network need to be patched. You have automated vulnerability scans in place, and you have verified and validated the scan reports using an exploitation framework. Maybe you've taken the additional step of doing APT simulations to understand your exposure to malicious insiders and sophisticated targeted threats like nation states. However, unless you are testing that final line of defense, the analysts, forensic specialists and anomaly detection tools, you are still falling behind.