If you’re a security executive, you’ve been here. It’s late at night and you’re about to binge-watch your favorite season of Breaking Bad (which we all know is season four) when you get a text from the boss. She was watching the news and heard about some new Internet badness. She wants evidence-based proof in the next hour showing that the company is safe. To quote the movie Speed, “What do you do?”
This is an all too common occurrence in the life of a CISO. But it’s also a valid request from any organizational stakeholder wanting to understand their organization’s security effectiveness. This Verodin customer had a particularly satisfying approach to the scenario, hence this blog with the self-indulgent click-bait title.
Setting the stage
Verodin is a security instrumentation company with a platform that allows you to validate your security effectiveness across solutions like firewalls, IPS, DLPs, SIEMs, endpoint security controls and the like by allowing you to safely execute real attacks in your production network. This results in empirical evidence about the true state of your security effectiveness at a point in time and trended over time.
This Verodin customer has multiple Verodin Actors deployed inside and outside of their network and on endpoints. Verodin Actors act as both attacker and target and launch real attacks against each other to evaluate whether your security controls are detecting and/or blocking malicious activity. The customer runs attacks based on Verodin’s default content (updated every couple of weeks), but because Verodin has an Open Content Platform they do a lot more.
This customer gets attack data, which is then safely executed in their production environment, from other Verodin customers, ISACs, threat intelligence services and local packet capture solutions. In the case of pcaps (packet captures), they also download attacks from a multitude of Internet sources such as malware-traffic-analysis.net.
Now, Verodin offers several methods for customers to add their own new attacks, such as host CLIs, malicious DNS queries, sockets, port scans and web.
But what was really cool about this customer’s story was their rapid use of pcaps and the ease with which they were able to move from downloading the pcaps, to ingesting the pcaps with Verodin, to safely executing the attack, and finally to delivering an empirical answer to their leadership regarding their ability to mitigate the attack.
Finding and downloading the pcap
After hearing about the attack from their boss they did a few Google searches which ultimately brought them to the malware-traffic-analysis site which focuses on network traffic related to malware and exploit kits.
To make things general I won’t divulge the actual malware in question. Let’s just say it was 2016-01-11-Rig-EK-malware-payload-Qbot.exe. You can get details about this from Payload Security, VirusTotal and malware-traffic-analysis, which is where I got the following screenshots.
Some information gleaned includes the associated domains. This might be something you get from a threat intelligence feed for example.
Chasing nefarious IPs and domains is extremely challenging as outlined in my blog: Inadequate intelligence integration. There is value in it for sure, but blocking the domains wouldn’t give this customer the empirical evidence needed about their security effectiveness.
More information on the malware-traffic-analysis site quickly got them into the meat of the attack showing the actual bidirectional badness.
But they didn’t want to build out their own attack they just wanted to use what’s already available and thankfully malware-traffic-analysis provides a simple mechanism to download the pcap.
They clicked the link to download, which just took a few seconds, unzipped it on their Mac with Command-O, supplied the site’s password, and in under 30 seconds they had a pcap. But now what?
Without Verodin they would have had to build out a vulnerable test system; dissect the pcap and rebuild it to make it network routable so they could launch the attack; deploy the vulnerable system in their production network behind their protective controls so that it’s a real-life test; and get permission from the powers that be to execute the attack. With some luck that’s 2-3 weeks. They had less than 60 minutes at this point.
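Dissecting a downloaded capture starts with a simple question: which hosts talk to which ports, and which destinations lie outside the internal ranges? The Python below is an added example, not Verodin’s code or the malware-traffic-analysis site’s: it parses the classic libpcap format directly and summarizes IPv4 TCP/UDP conversations. The sample capture is constructed inline (it is not real malware traffic), and the internal address ranges passed to external_destinations are an assumption.

```python
import ipaddress
import struct
from collections import Counter

def parse_pcap(data):
    """Yield (timestamp, frame) for every record of a classic libpcap file (pcapng not handled)."""
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if end is None:
        raise ValueError("not a classic libpcap file")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len

def flow_key(frame):
    """(proto, src, dst, dport) for an IPv4 TCP/UDP frame; None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4 over Ethernet
        return None
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
    l4 = frame[14 + ihl:]
    if proto not in (6, 17) or len(l4) < 4:
        return None
    return ("tcp" if proto == 6 else "udp", src, dst, struct.unpack("!H", l4[2:4])[0])

def summarize(data):
    """Packet count per (proto, src, dst, dport) conversation in the capture."""
    return Counter(k for _, f in parse_pcap(data) if (k := flow_key(f)) is not None)
def external_destinations(summary, internal=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")):
    """Destinations outside the (assumed) internal ranges: the hosts a replay would try to reach."""
    nets = [ipaddress.ip_network(n) for n in internal]
    return sorted({d for _, _, d, _ in summary if not any(ipaddress.ip_address(d) in n for n in nets)})

# Constructed sample capture (not real malware traffic): two DNS queries, two HTTP
# requests to a documentation-range address (TEST-NET-3) and one HTTP reply.
def _frame(src, dst, proto, sport, dport):
    ip = bytes([0x45, 0, 0, 40, 0, 0, 0x40, 0, 64, proto, 0, 0])  # IPv4 header, checksum left zero
    ip += bytes(map(int, src.split("."))) + bytes(map(int, dst.split(".")))
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HH", sport, dport) + b"\x00" * 16
def _record(frame):  # libpcap record header: ts_sec, ts_usec, incl_len, orig_len
    return struct.pack("<IIII", 1452470400, 0, len(frame), len(frame)) + frame

SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    _record(_frame(*p)) for p in [
        ("192.168.1.10", "192.168.1.1", 17, 51000, 53), ("192.168.1.10", "192.168.1.1", 17, 51001, 53),
        ("192.168.1.10", "203.0.113.7", 6, 49152, 80), ("203.0.113.7", "192.168.1.10", 6, 80, 49152),
        ("192.168.1.10", "203.0.113.7", 6, 49152, 80)])
```

Running summarize over a real downloaded capture lists every conversation it contains, and external_destinations shows which addresses a replay would attempt to contact, which is worth checking against the domains and IPs published alongside the pcap before executing anything.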
Weaponizing the pcap with Verodin
After they downloaded the pcap they simply did a drag and drop into Verodin which takes just a few seconds to ingest the pcap as illustrated here in the Verodin Director.
As shown below, the entire pcap is pulled into Verodin.
The pcap can then be tuned, if desired, within Verodin for greater specificity as shown with some of the options below.
The customer opted not to modify the default pcap and simply allowed Verodin to safely execute the pcap across various Verodin Actors on their production network to see whether their security controls would block the attack, detect the attack and, if detected, whether their SIEM would correlate the events.
Within just a few minutes of bidirectional testing between network zones such as the Internet, DMZ, Desktop, Server and the like as displayed below, they could see whether any of their network zones were not preventing and/or detecting the attack. What would have taken weeks took only minutes, and the results were evidence-based.
The process was mind-blowingly quick and simple while being definitive.
- Security got the “are we safe” call regarding 2016-01-11-Rig-EK-malware-payload-Qbot.exe
- The security team searched for then downloaded the pcap from a public repository.
- The team ingested the pcap into Verodin in seconds.
- Verodin automatically did all the heavy lifting like weaponizing the pcap so it could be safely routed through the network, making it so the pcap attacks came from different directions via Verodin Actors, querying the SIEM for detection details and finally creating a report based on the findings.
- With empirical evidence, the security team was able to show where they were preventing the attack, where they were just detecting but not blocking and where they were doing neither.
This information was communicated back to the organization’s leadership in well under an hour and was based on quantitative, measurable, repeatable results – not assumptions, hopes or prayers.
For the attacks that were successful, the customer knew precisely which areas of their network they needed to focus on to ensure they would be protected from this attack and attacks like it in the future. And they could continue to leverage Verodin to validate those areas once countermeasures were in place.
It’s pretty cool that they were able to reduce the level of effort and time required for this scenario so greatly while at the same time producing such exacting results.
Verodin is defining the emerging concept of Instrumented Security. Its revolutionary platform empowers customers to measure and continuously validate the cumulative effectiveness of layered security infrastructures, revealing true security effectiveness. Through automated defense analysis, Verodin customers achieve maximum value from security spending, better leverage existing security investments, and measurably improve their cyber prevention, detection and response capabilities.
Request a demo and learn more about Verodin at https://verodin.com/.