
Threat Simulator: Emulating hackers slinging malicious emails

2020-10-01

Hackers don’t care about exploits; they’re a means to an end, the same way an adrenaline junkie doesn’t care how they melt their face with a mountain slope or a race car. To a hacker, exploits are tools to achieve a goal, and that goal is to break into your network and infect it with ransomware, or steal your IP, or mine bitcoins. This concept is important to understand, because once you get it, you’ll also realize hackers are only going to try as hard as they have to. Exploits are often unreliable, noisy, require advanced knowledge of the victim, and can be patched away at a moment’s notice. Convincing someone to open an attachment in their email? Now that’s easy!

Everyone knows that the most common way a data breach starts is with a phishing email: an email designed to get a user’s attention and get them to click a link or open an attachment. Then, if done right, no further interaction is needed from the user. Some types of files simply execute as soon as you open them, like a Windows JScript file (extension .js). Others might need the user to take additional action, like enabling macros, before any code will run. The easy solution would be to ban all attachments. But users need to be able to open attachments in order to do their job, so how do you find an attachment policy that keeps them safe but still lets them get work done?

With our next release for Threat Simulator, we’ve added the ability to assess your email content and threat management solution. We read the documentation on numerous email security products, looking for common themes across them, and created assessments focused on those themes. We’ve also taken the work we do on exploits and introduced it to email content inspection systems.

How does it work?

From a Keysight-managed domain, we send a battery of emails targeting your infrastructure. Each of them contains an attachment or message that, depending on your policy configuration, should either be blocked or stripped from the email. Our agent, developed using Microsoft’s Graph API, locates each email in a user’s mailbox. When it finds one, it computes a hash of the contents or attachment. If the hash matches, that audit is marked as failed. Using Threat Simulator’s scheduler you can configure an assessment to run daily, weekly, or monthly, ensuring that you’ll be the first to know if there’s a policy change or gap in your configuration.
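The pass/fail decision described above, as an added example (this is not Keysight's agent code). It assumes the mailbox has already been fetched as message dicts shaped like Graph API messages with file attachments expanded, that each audit is matched by a hypothetical subject tag, and that the hash is SHA-256 of the payload that was sent; all payloads and messages are constructed.

```python
import base64
import hashlib

FILE_ATTACHMENT = "#microsoft.graph.fileAttachment"  # Graph type for file attachments

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_message(subject, attachments=()):
    """Build a constructed message dict shaped like a Graph message with attachments."""
    return {"subject": subject, "attachments": [
        {"@odata.type": FILE_ATTACHMENT, "name": name,
         "contentBytes": base64.b64encode(data).decode()} for name, data in attachments]}

def evaluate_audit(audit, mailbox):
    """Return (status, reason). 'failed' means the sent payload reached the mailbox intact."""
    hits = [m for m in mailbox if m.get("subject") == audit["subject"]]
    if not hits:
        return "passed", "message never reached the mailbox"
    for msg in hits:
        for att in msg.get("attachments", []):
            if att.get("@odata.type") != FILE_ATTACHMENT:
                continue  # item/reference attachments carry no contentBytes
            try:
                raw = base64.b64decode(att.get("contentBytes") or "", validate=True)
            except ValueError:
                continue  # undecodable content cannot equal the sent payload
            if sha256_hex(raw) == audit["sha256"]:
                return "failed", f"{att.get('name')} delivered unmodified"
    return "passed", "message delivered but payload stripped or rewritten"

# Constructed, benign stand-ins for the payloads an assessment would send.
# The TS-AUDIT-* subject tags are hypothetical.
PAYLOADS = {
    "TS-AUDIT-001 executable": b"constructed placeholder for an EXE sample",
    "TS-AUDIT-002 script": b"constructed placeholder for a .js sample",
    "TS-AUDIT-003 archive": b"constructed placeholder for a ZIP sample",
}
AUDITS = [{"subject": s, "sha256": sha256_hex(p)} for s, p in PAYLOADS.items()]

# Constructed mailbox: 001 was blocked outright, 002 had its attachment
# replaced by a gateway notice, 003 arrived untouched.
MAILBOX = [
    make_message("TS-AUDIT-002 script", [("removed.txt", b"Attachment removed by policy")]),
    make_message("TS-AUDIT-003 archive", [("sample.zip", PAYLOADS["TS-AUDIT-003 archive"])]),
]

def run_assessment():
    return {a["subject"]: evaluate_audit(a, MAILBOX)[0] for a in AUDITS}
```

An audit passes both when the message is blocked outright and when it is delivered with the attachment replaced, which matches the "blocked or stripped" outcomes the assessment expects.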

A closer look at the email settings. Here you can grant access to the user accounts you wish to test.

What assessments are there?

Currently we have two classes of assessments: policy and instrumentation. The policy assessments validate if your email policy is configured correctly. Instrumentation assessments validate that your security controls can recognize malicious content and block it.

Stopping macro documents is a number one priority for any organization

Policy Assessments

  • Anomalous Archives – A collection of archives, like PKZIP, that have files packed in a way that’s non-standard or excessive.
  • Compressed Files – A collection of compressed files in different formats, such as PKZIP, 7ZIP, and TGZ.
  • Corrupted Files – A collection of files corrupted in a way that they are barely readable by the receiving device.
  • Encrypted Archives and Documents – A collection of compressed archives and documents that have encryption enabled.
  • Encrypted Content – A collection of encrypted messages, such as PGP/MIME or S/MIME.
  • Executable Binaries – A collection of compiled executable files, such as EXE, SCR, or DLLs.
  • Executable Scripts – A collection of executable script files, such as JScript, Windows Shell, or Visual Basic Scripts.
  • Microsoft Office Documents – A collection of office documents that have macros or other scripts embedded within them.


Instrumentation Assessments

  • CISA Top Exploited Vulnerabilities – A collection of file-based vulnerabilities listed on CISA’s website among the most commonly used exploits.
  • Antivirus Test Files – A collection of known antivirus test patterns designed to validate if antivirus is installed and operating correctly.

A closer look at anomalous archives

We’re adding new audits to each of these categories with every release, so keep your eye out for them. Also look for new killchain assessments that utilize this feature to introduce more realism to your advanced scenarios. This lets you see and find the gaps that might exist in the full set of security controls you have in place. The first one we’ve released starts as a phishing attempt for a cryptocurrency before moving on to installing malware and connecting back to a command and control service. Killchain assessments are great ways of seeing how mature your security posture is. The sooner you can catch the attack, the lower the risk of your infrastructure being compromised.

All of these features let you get a clear picture of what your security posture is now, in your production environment, along with clear recommendations to close any gaps or holes you uncover.