BERLIN–Penetration testing has come a long way in the last decade, evolving from a somewhat controversial practice to a de facto best practice in the enterprise market. That evolution hasn’t stopped by any means, and one of the things that experts say must be a part of any comprehensive test now is the use of live, custom malware.
Pen testers often use custom tools that they, or their companies, have built, but the use of live malware isn’t as common as it should be, said Gunter Ollmann, CTO of IOActive, in a talk at the Virus Bulletin 2013 conference here Thursday. The idea behind using freshly made malware is to reproduce more faithfully the effect of an actual attacker taking aim at the target network. Pen testing is in many ways about playing the role of a malicious actor, but a test that leaves out tools such as live malware is limited in scope and therefore less effective, Ollmann said.
“Malware accounts for the vast majority of breaches. We need pen-testing methodologies to replicate the current attacker profiles,” he said. “We need to figure out which layers are actually detecting the malware. Did the malware compromise the host? Is it usable?”
Although there are millions upon millions of malware samples available in databases these days, Ollmann said they’re of limited use in a real-world penetration test. Creating new, unique malware and throwing that at a customer’s network is a much more effective and realistic way to test the network’s defenses.
“It’s not worth throwing yesterday’s malware at a target,” Ollmann said. “Off-the-shelf malware is trivial to detect.”
However, it’s not a matter of simply writing a little piece of malware and seeing whether you can slip it past the customer’s security systems. Ollmann said there are a number of important factors to consider in the process, including whether the target network employs proxies, how to handle command and control, and whether to create multiple versions of a given type of malware.
“I’d say you should create a tree of new malware. You should definitely pre-test it, but only against AV tools that you can prevent from uploading it to cloud services,” he said. “Create markers for each specific job, and choose your C&C carefully. Most enterprises employ proxies, so you likely need to make your malware proxy-aware to get through those defenses.”
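As an added example, not code from the talk or from IOActive, here is how a tester might script two of those factors in Python: a per-job marker for every branch of a variant tree, so that any sample the client's responders recover can be tied back to the engagement and to the variant that got through, and a proxy decision that follows the http_proxy / https_proxy / no_proxy convention, so the callback path is known before a sample is shipped. The job id, secret, hostnames and proxy address are constructed for the example.

```python
"""Engagement bookkeeping for custom pen-test malware (added example).

Covers two points from the talk as a practitioner might script them:
  * one marker per job and per variant, so a recovered sample can be tied
    to this engagement and to its branch of the variant tree;
  * a proxy decision honouring http_proxy / https_proxy / no_proxy, so the
    tester knows which egress path a callback would take.
The job id, secret, hostnames and proxy address are constructed for the example.
"""
import hashlib
import hmac
from typing import Dict, List, Optional
from urllib.parse import urlsplit
from urllib.request import proxy_bypass_environment


def job_marker(job_id: str, variant: str, secret: bytes) -> str:
    """Marker embedded in each variant: HMAC-SHA256 over job and variant id.

    The truncated tag lets anyone holding `secret` (tester and client) confirm
    a sample came from this job; the plaintext prefix makes triage easy.
    """
    msg = f"{job_id}:{variant}".encode()
    tag = hmac.new(secret, msg, hashlib.sha256).hexdigest()[:12]
    return f"PT-{job_id}-{variant}-{tag}"


def variant_tree(job_id: str, secret: bytes, families: List[str], depth: int) -> Dict[str, str]:
    """Expand each family into `depth` generations of two child variants each.

    Variant names are paths such as 'dropper/1/2'; each gets its own marker.
    If only some markers surface in the client's alerts, the tester can see
    which generation (and so which tweak) the controls actually caught.
    """
    tree: Dict[str, str] = {}

    def expand(path: str, level: int) -> None:
        tree[path] = job_marker(job_id, path, secret)
        if level < depth:
            for child in (1, 2):
                expand(f"{path}/{child}", level + 1)

    for fam in families:
        expand(fam, 0)
    return tree


def select_proxy(url: str, env: Dict[str, str]) -> Optional[str]:
    """Return the proxy URL a callback to `url` would use, or None for direct.

    Reads the lower-case *_proxy variables from `env` (passed in rather than
    os.environ so the decision can be tested offline) and applies the same
    no_proxy bypass rules urllib uses. A sample that ignores this and tries a
    direct connection is exactly what an egress-filtering proxy setup blocks.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    proxies = {"no": env.get("no_proxy", "")}
    if proxy_bypass_environment(host, proxies):
        return None
    return env.get(f"{parts.scheme}_proxy") or None


if __name__ == "__main__":
    secret = b"engagement-secret"  # constructed; per-job in practice
    for path, marker in variant_tree("ACME-2013-09", secret, ["dropper"], 1).items():
        print(path, marker)
    corp_env = {
        "https_proxy": "http://proxy.corp.example:3128",  # constructed address
        "no_proxy": "localhost,.corp.example",
    }
    print(select_proxy("https://c2.example.test/check", corp_env))
```

The marker is a tag over the job and variant names rather than a plain string so that a third party who finds the sample cannot forge one that looks like it belongs to the engagement; the proxy helper only reports the path, and the actual transport still has to be built to use it.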
When it comes to getting newly created malware onto a target network, it’s no surprise that tried-and-true methods such as social engineering and spear phishing are still the most effective, and Ollmann singled out email in particular.
“Email with a URL to a download usually works,” he said. “One thing I’ve found to be very successful is going through a company’s recruiting site and then when they request a resume or CV, I send it with the malware attached and voila.”