How Strong is Your Malware Testing?
Be Sure to Test for Infected Systems and Payloads
Executive summary
As technology evolves, so does malware. Unfortunately, this means that broad technology trends often set the stage for powerful new forms of malware. For example, increasing infrastructure connectivity – including smart meters, intelligent sensors and remotely controlled highway signs – is creating increased risk for disruption of core services.
A variety of security solutions are used to detect and prevent malware. These include firewalls and network intrusion prevention systems, deep packet inspection capabilities, unified threat management systems, antivirus and anti-spam gateways, and content filtering and data loss prevention systems. Newer security technologies on these systems go further and can detect breaches by identifying already infected endpoints within the protected network. This is often done by leveraging various types of network-based behavioral profile analyses.
Even with all these security solutions and capabilities in place, malware still manages to infect target systems. In order to stop malware, all security solutions must be carefully tested and validated using a wide range of malware-based attacks to ensure they are working properly. Robust testing of security solutions requires test equipment that can generate real malware payloads and emulate network traffic from already-infected
According to data compiled by cyber crime coalitions such as the Anti-Phishing Working Group, malware has infected nearly a third of the world’s computers. What’s worse, the numbers continue to grow, as evidenced by research conducted by Panda Security indicating a jump from 80,000 malware samples a day (in the last quarter of 2013) to 160,000 a day for the first quarter of 2014.
Impacted businesses may face long-term impacts such as loss of competitive position or outright organizational failure. When governments are involved there may be threats to national security. Many instances of infection by malware result in advanced persistent threats entering the protected network.
Understanding Malware
Malware, which is short for malicious software, describes a broad category of hostile software that is used to disrupt computer operation, gather sensitive information or gain access to private computer systems. Common types of malware include:
Adware—While some forms of adware may be considered legitimate, others make unauthorized access to computer systems and greatly disrupt users.
Keyloggers—Typically operating in a covert manner, keyloggers track the keys struck on a keyboard and may capture passwords or credit card numbers.
Ransomware—After establishing itself on a computer system, ransomware restricts access to the system and demands that a ransom be paid to remove it. It may also take files and hold them for ransom.
Rootkits—This type of malware gains privileged access to computer systems and hides itself from normal methods of detection.
Spyware—Spyware observes the activities of computer users without their consent and reports them to the software’s author or another entity.
Trojan Horses—A Trojan Horse initially appears to perform a desirable function and then facilitates unauthorized access to the computer system.
Viruses—A computer virus typically attaches itself to an executable file so it can perform malicious activities and replicate itself on other systems.
Worms—A worm is a standalone piece of software that, like a virus, can perform malicious activities and replicate itself on other systems.
Malware also uses a variety of methods to spread itself to other computer systems:
File servers, such as those based on the Common Internet File System (SMB/CIFS) and the Network File System (NFS), can let malware spread rapidly as users access and download infected files.
File-sharing software can allow malware to copy itself onto removable media and then on to computer systems.
Peer-to-peer (P2P) file sharing can introduce malware by sharing files as seemingly harmless as music or pictures.
Email attachments containing malicious code can be opened—and therefore executed—by unwary users. They may even be forwarded to other users, helping the malware spread even further.
Remotely exploitable vulnerabilities allow hackers to access systems across great geographic distances with little or no need for involvement of the computer user.
As suggested by these methods, malware commonly introduces itself to businesses, universities, government agencies and homes through the network. While the network represents a key source of intrusion, it also presents an opportunity for stopping malware before it reaches its targeted computer systems. Firewalls, unified threat management (UTM) systems, authentication systems and others can all be used to mitigate the threats from malware. At the same time, all these systems must be carefully tested and validated using a wide range of malware-based attacks to ensure they are up to date and working properly, especially with so many new attacks being discovered daily.
Motives, risks and impacts
In order to prevent malware, it is helpful to understand the associated motives, risks and impacts. Keep in mind that these attributes are often interrelated. For example, financial motives tend to relate to financial risks and result in financial impacts.
Motives
Adding to the challenge of malware prevention is the fact that the motivations behind malware are varied and often unpredictable. Sometimes the motivation is as simple as fame, with a hacker hoping to prove himself or herself within the hacker community. Some hackers justify their actions by relating them to activism—commonly referred to as “hacktivism”. For example, if an individual or group believes certain government data should be public, they may use malware to steal it and make it public. Some forms of malware are economically or financially motivated. Criminals, once again in the form of individuals or groups, develop and use malware to steal data, identities and money. Other forms of malware—sometimes state-sponsored—are used for corporate espionage, government espionage, disruption of core services and even cyber warfare.
Risks and impacts
As with the motives behind malware, the risks associated with malware infections are many and varied. They may also depend on the type of organization that is under attack. Businesses that store financial data such as customer credit card information are at risk for large economic losses from lawsuits and repayment of losses. They also risk further losses from damage to their brand and erosion of customer confidence.
Even organizations with little in the way of financial assets or other forms of valuable data may be attacked. Attackers may simply wish to gain access to the organization’s IT infrastructure in order to send spam or launch attacks on other organizations. Alternatively, attackers may wish to expose sensitive data rather than valuable data in order to create fear or embarrassment.
Once infected with malware, organizations may be impacted in temporary and relatively minor ways, including slight disruption of organizational activities, or they may face more serious, long-term impacts such as loss of competitive position or outright organizational failure. When governments are involved there may be threats to national security.
isolated infrastructures are accessible through the Internet. For decades, networks—and the Internet—have served as pathways for distribution of malware. Today we have even more forms of infrastructure gaining connectivity. Smart meters, intelligent sensors and remotely controlled highway signs can all be reached through the Internet. While there are benefits, such as efficiency, from increased connectivity, there is also an increased risk of disruption to infrastructure and related services from malware.
Growing number of endpoints
The number and type of endpoints connecting to networks is growing much faster than the rate of infrastructure connectivity. Just a few years ago an IT organization may have only supported, for example, a single type of desktop computer, a couple of different versions of laptops and perhaps one type of approved smart phone. With the emergence of tablets and bring-your-own-device (BYOD), there is a nearly unending array of devices attaching themselves to networks in the workplace.
An obvious challenge is that many of these devices are used outside the workplace while connected to less secure networks. When these endpoint devices get infected, malware can then spread to many other devices within the workplace. Now that IT organizations have lost full control over what devices connect to their networks, they need improved methods for preventing malware.
Preventing Malware
Virtually every IT environment uses some type of security solution to help detect and prevent malware. Deep packet inspection (DPI) is another important approach for stopping malware. DPI combines the functionality of an intrusion detection system (IDS) and an intrusion prevention system (IPS) with a traditional stateful firewall.
Many switches also have a long list of built-in security capabilities, including:
Access Control Lists (ACL)
DHCP Snooping Prevention
Dynamic ARP Inspection
Port-Level Traffic Controls
Security solutions and malware
Firewalls can be configured with a variety of rules to detect and prevent various types of malware. UTM systems provide even more comprehensive protection by delivering multiple security capabilities in a single appliance. These may include network firewalling, NGFW, network intrusion prevention, gateway antivirus (AV), gateway anti-spam, virtual private network (VPN), content filtering, and data leak prevention.
Security solutions must be tested
Even with all these security solutions and capabilities in place, malware still manages to infect target systems. Part of the problem is that many of these security measures are so complex that they are often deployed, configured or administered incorrectly. Unfortunately, a single misconfigured firewall or switch port can mean the difference between a safe environment and one overcome by malware. Testing with a large database of malware that is 6+ years out of date is of no use. Spirent provides newly-found and zero day malware constructs that are quickly made available for testing via our TestCloud™ content subscription, providing thousands of malware samples for vast test coverage.
In order to stop malware, all security solutions must be carefully tested and validated using a wide range of malware-based attacks to ensure they are working properly. A robust, up-to-date library of malware signatures must be used to ensure testing is completed against the latest attacks. Additionally, this testing should take place while authentic, realistic traffic is passing through the network.
Infected systems and payloads
Not all test equipment is capable of driving the traffic required to fully test all these security solutions. For example, security solutions should detect already-infected systems as well as malware payloads in network traffic. However, if test equipment cannot accurately simulate the network behaviors of infected systems, malware detection systems will not be fully tested. Similarly, if test equipment cannot generate real malware payloads, security solutions including DPI will not be fully tested. Be sure to choose test equipment that can generate real malware payloads and emulate network traffic from already-infected systems. Test equipment should have the capability to generate both of these types of traffic at scale while also driving other realistic network traffic.
prevention system is clearly not working correctly.
When working with security issues such as malware prevention, there are four additional interdependent variables to consider: performance, availability, security and scale. In order to perform proper security testing, this testing methodology for malware should be followed. Testing across all four variables ensures the proper tradeoffs are made. Testing can answer a number of questions for each variable, all in the context of malware testing. Some examples are provided below.
Performance
How much legitimate traffic can your network handle while also looking for malware?
What is the impact to users, in terms of latency or QoS, of the malware prevention mechanisms?
Availability
When malware causes a device to go into a fail-open or fail-closed state, do critical services go down?
When under an attack, can you still service your customers?
How long does it take for services to switch to failover mode?
Security
How many unique pieces of malware can your systems detect and stop?
Are your systems able to stop the latest security threats? Is your malware library for testing up-to-date?
Scale
© 2016 Spirent. All Rights Reserved. All of the company names and/or brand names and/or product names referred to in this document, in particular, the name “Spirent” and its logo device, are either registered trademarks or trademarks of Spirent plc and its subsidiaries, pending registration in accordance with relevant national laws. All other registered trademarks or trademarks are the property of their respective owners. The information contained in this document is subject to change without notice and does not represent a commitment on the part of Spirent. The information in this document is believed to be accurate and reliable; however, Spirent assumes no responsibility or liability for any errors or inaccuracies that may appear in the document. Rev D | 03/16
Additional testing considerations
At the end of the proverbial day, testing must be completed under real world conditions. This means testing during normal operating conditions as well as during times of peak workloads when infrastructure is severely stressed. In order to validate security, testing must also be performed during simulated attack situations. If the testing is not realistic, it will fail to find problems, leaving you to encounter them in the production environment where the costs of mitigation are the highest.
Testing with realism goes beyond accurately simulating different levels of network traffic. It must also include accurate representations of real world traffic mixes. For example, some users may be completing business transactions using SSL connections and/or IPsec tunnels. Malware testing should be done side by side with both secure and insecure traffic. The malware should be prevented while legitimate activities continue without interruption.
Summary
A variety of security solutions are used to detect and prevent malware. These include firewalls, next-generation firewalls, network intrusion prevention systems, deep packet inspection capabilities, unified threat management systems, antivirus and anti-spam gateways, virtual private networks, content filtering and data leak prevention systems. Yet, even with all these security solutions and capabilities in place, malware still manages to infect target systems. In order to stop malware, all security solutions must be carefully tested and validated using a wide range of malware-based attacks to ensure they are working properly.
Robust testing of security solutions requires test equipment that can generate real malware payloads and emulate real network traffic from already-infected systems. It also requires a proper testing methodology, which involves testing performance, availability, security and scalability with respect to malware.
When it comes to security testing, our solutions cover all of the above.
And because Spirent knows security, enterprises, government agencies, equipment vendors, service and infrastructure providers can now rest assured that the security and resiliency of their networks and services will be able to operate on a continuous basis.
About Security & Applications (AppSec)
Spirent’s testing technology is used to gauge the security, performance and effectiveness of the world’s most vulnerable networks by emulating realistic traffic volumes as well as threat and attack scenarios, so that users will never face limited speeds or complete outages due to high volumes of traffic.
For more information
For additional information on security testing, please visit: www.spirent.com/go/tws-security