Planning a cybersecurity program does not end with configuring a few tools. A company needs to test how effective its defenses actually are. I am not talking about the annual pen-test; I mean safely testing whether your team can catch and analyze malware, or other forms of attack, across the network, endpoints and cloud systems you have already deployed.
It may seem impossible to validate against the almost endless supply of malware and tactics, which range from denial of service and obfuscated services to code that executes entirely from memory with no files dropped to disk (fileless malware).
In this article we cover how to build a "Sandbox", or malware lab, and how to run simulated attacks in it so that you can study them, be prepared for the real thing and respond properly.
Does ActZero Build A Sandbox With Their MDR Platform?
If you have read some of the materials on our site or spoken to us before, you will know that we test your defenses as part of our Managed Detection and Response (MDR) service. We do not build a Sandbox for this; we use benign test files and scanning tools to validate your defenses. This article is about the opposite approach: infecting isolated test machines with real malware. That is not part of our service. That being said, if ActZero is part of your environment, a lab like this is a great way to exercise its logging and dashboards and its ability to capture and contain threats.
Now that's out of the way, let's find out how to build the Sandbox.
What Should Be In Your Sandbox?
So what do we put in the Sandbox? If I were teaching a first-year student about malware, I would want tools that help them investigate by hand, establish the fundamentals and dig deep into how malware installs, moves between machines and exfiltrates data.
But you are running an organization's IT. You are not doing this for a certificate or degree. You need this to work, not just once, but every time. So our Sandbox is not a home lab; it is a copy of your environment, scaled down and isolated from your network and domain. It does not run a grab-bag of open source tools; it runs the professional malware prevention and analysis products you have already purchased, because those are the defenses being tested.
After all, we are testing your defenses, not analyzing malware for the sake of it. We want to make sure we can apply real-world scenarios and ensure our defenses are properly configured to prevent them.
Before we begin, it is critical that I define the word "isolation". An environment like this should be built to the same standards as your production environment, but it must in no way be connected to your network, joined to your domain, or use credentials you use anywhere else. Isolation covers the network path as well: the sandbox gets its own segment (or no uplink at all), its own DNS, and, if it needs Internet access to fetch samples or let malware call home, a dedicated egress that cannot reach production.
- Server Hardware: A server with enough CPU, disk and RAM to run every component. The size depends on the number of VMs you will assign, which in turn depends on the number of security tools, workstation builds and server builds you have. Do not put this inside your regular ESX host: no vCenter configuration will protect the host from every malware variant. Some environments go further and test on bare metal, outside any hypervisor, because a good deal of malware now checks whether it is running in a virtual machine and behaves differently when it is.
- Hypervisor: VMware ESXi to run the virtual machines.
- Workstation/Server Build: Machines with the same patch level, operating system version, anti-virus agent and user settings (local GPO) as your production builds. Credentials must be separate from your domain and from anything used internally. You should also have a copy of each OS version in your environment, since Windows XP, 7, 8 and 10 and the Server releases you run (2003, 2012 and later) each behave differently.
- Firewall/IPS: Your network-based protections sit here and control traffic in and out, whether east-west between machines (if that is how you have segmented) or north-south (to the Internet). If you have a single, expensive firewall, a scaled-down virtual appliance of the same product, running the same policy, is enough for this exercise.
- EDR/MDR: A local copy of your endpoint detection and response agent. This records forensically what happened to the device once it was infected, and its output is the main thing you are checking.
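Before the first sample is detonated, it is worth proving the isolation described above rather than assuming it. The script below is an added example, not code from the article or from ActZero; it runs inside the sandbox VM and fails if the machine sits in a production address range, carries the corporate DNS suffix, can resolve corporate names, or can open a TCP connection to a production gateway. The production ranges, domain suffix and gateway list are placeholders you replace with your own values.

```python
"""
Pre-flight isolation check for a malware sandbox VM.

Added example, not part of the article. Run it from inside the sandbox before
detonating anything. The production ranges, corporate domain suffix and
gateway list below are placeholder assumptions, not values from the article.
"""
import ipaddress
import socket

PRODUCTION_RANGES = ("10.0.0.0/8", "192.168.0.0/16")  # placeholder: your real subnets
CORP_DOMAIN = "corp.example.com"                      # placeholder: your AD DNS suffix
PRODUCTION_GATEWAYS = (("10.0.0.1", 443),)            # placeholder: hosts that must NOT answer


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def in_ranges(addr: str, ranges) -> bool:
    """True if addr (IPv6 scope id stripped) falls inside any of the CIDR ranges."""
    ip = ipaddress.ip_address(addr.split("%")[0])
    return any(ip in ipaddress.ip_network(r, strict=False) for r in ranges)


def has_domain_suffix(fqdn: str, domain: str) -> bool:
    """True if the host name is a member of the given DNS domain (exact suffix match)."""
    return fqdn.lower().rstrip(".").endswith("." + domain.lower())


def local_addresses() -> set:
    """Addresses this host answers to (hostname resolution only; adequate for a VM)."""
    addrs = set()
    try:
        for info in socket.getaddrinfo(socket.gethostname(), None):
            addrs.add(info[4][0])
    except socket.gaierror:
        pass
    return addrs


def name_resolves(name: str) -> bool:
    """True if the sandbox's resolver can answer for the name at all."""
    try:
        socket.gethostbyname(name)
        return True
    except OSError:
        return False


def run_checks(ranges=PRODUCTION_RANGES, domain=CORP_DOMAIN,
               gateways=PRODUCTION_GATEWAYS) -> list:
    """Return a list of isolation failures; an empty list means the sandbox passed."""
    failures = []
    for addr in local_addresses():
        if in_ranges(addr, ranges):
            failures.append(f"address {addr} is inside a production range")
    fqdn = socket.getfqdn()
    if has_domain_suffix(fqdn, domain):
        failures.append(f"hostname {fqdn} carries the corporate domain suffix")
    if name_resolves(domain):
        failures.append(f"{domain} resolves: the sandbox is using corporate DNS")
    for host, port in gateways:
        if tcp_reachable(host, port):
            failures.append(f"{host}:{port} is reachable from the sandbox")
    return failures


if __name__ == "__main__":
    problems = run_checks()
    if problems:
        print("NOT ISOLATED:")
        for problem in problems:
            print("  -", problem)
        raise SystemExit(1)
    print("isolation checks passed")
```

A non-zero exit is the signal to stop and fix the network before any sample is introduced; the gateway probe deliberately targets a production device that should be unreachable, so a successful connection means the segment is leaking.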
How To Test For Threats
Now comes the fun part. The next set of tools cover how you download and test malware and scan the machines inside the Sandbox. Again, for ActZero MDR customers these offensive tools are built into the platform to test your defenses. The list below uses what you already have; if a tool is absent, or you rely on a third party for it, open source may work for you here.
- Vulnerability Scanner: Use your own vulnerability scanner to scan the network locally within the Sandbox. If you have none, the open source scanners shipped with Kali Linux will do.
- Download Malware: On the test machines in the Sandbox, download the malware, watch how the tools react, and use your EDR/MDR to establish how the attack affected the operating system. There are many sources for samples. The simplest is the EICAR test file, a harmless 68-byte file that every anti-virus product is expected to detect.
- Test Variations: Run scans with credentials, place the EICAR file inside a ZIP archive, or download it over an encrypted (HTTPS) connection that your perimeter does not decrypt. Ultimately this shows how your defenses are being fooled every day.
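The download-and-vary steps above can be scripted so the result is a repeatable verdict per variant rather than a one-off observation. The script below is an added example, not code from the article or from ActZero: it assembles the standard EICAR test file, writes it plain, inside a ZIP, inside a nested ZIP and base64-encoded, records a hash baseline, and after a settling period reports which files the on-access scanner quarantined, neutralised in place, blocked at write time, or left untouched. It assumes a sandbox VM running your production AV/EDR agent and a scratch directory you can write to; the output path is a placeholder.

```python
"""
Build EICAR test-file variants and check which ones survive on a sandbox host.

Added example, not part of the article or of ActZero's tooling. Assumes a
sandbox VM with the production AV/EDR agent installed and a writable scratch
directory (placeholder below); no real malware is involved.
"""
import base64
import hashlib
import io
import os
import time
import zipfile

# The 68-byte EICAR string is assembled from two fragments so that this source
# file is not itself flagged by the scanner; the bytes written to disk are the
# standard test file, which every anti-virus product is expected to detect.
_EICAR_PARTS = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
)
# Published SHA-256 of the canonical EICAR file, used to confirm the bytes are intact.
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


def eicar_bytes() -> bytes:
    return "".join(_EICAR_PARTS).encode("ascii")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def zip_bytes(member_name: str, data: bytes) -> bytes:
    """Return an in-memory ZIP archive containing a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, data)
    return buf.getvalue()


def read_member(archive: bytes, member_name: str) -> bytes:
    """Extract one member from an in-memory ZIP archive."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.read(member_name)


def build_variants() -> dict:
    """The plain file plus the evasions the article suggests: archived,
    double-archived, and encoded so it is only 'live' after decoding."""
    plain = eicar_bytes()
    inner = zip_bytes("eicar.com", plain)
    return {
        "eicar.com": plain,
        "eicar.zip": inner,
        "eicar_nested.zip": zip_bytes("inner.zip", inner),
        "eicar.b64": base64.b64encode(plain),
    }


def write_variants(outdir: str) -> dict:
    """Write every variant; return {filename: sha256 or None if the write was blocked}."""
    os.makedirs(outdir, exist_ok=True)
    baseline = {}
    for name, data in build_variants().items():
        try:
            with open(os.path.join(outdir, name), "wb") as fh:
                fh.write(data)
            baseline[name] = sha256_hex(data)
        except OSError:            # on-access scanner refused the write outright
            baseline[name] = None
    return baseline


def check_survivors(outdir: str, baseline: dict) -> dict:
    """Classify each variant: blocked (never written), quarantined (removed),
    modified (hash changed, e.g. neutralised in place) or survived (missed)."""
    verdicts = {}
    for name, digest in baseline.items():
        path = os.path.join(outdir, name)
        if digest is None:
            verdicts[name] = "blocked"
        elif not os.path.exists(path):
            verdicts[name] = "quarantined"
        else:
            with open(path, "rb") as fh:
                current = sha256_hex(fh.read())
            verdicts[name] = "survived" if current == digest else "modified"
    return verdicts


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.join(os.getcwd(), "eicar_test")
    assert sha256_hex(eicar_bytes()) == EICAR_SHA256, "test string corrupted"
    baseline = write_variants(target)
    time.sleep(30)  # give on-access scanning time to react before judging
    for name, verdict in sorted(check_survivors(target, baseline).items()):
        print(f"{name:18} {verdict}")
```

Anything reported as "survived" is a gap to take to the vendor or the policy: the archive and nested-archive cases show whether the scanner unpacks content, and serving the same files from an HTTPS host you control shows whether the perimeter sees inside encrypted downloads at all.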
Not for everyone
In the real world, operating a business does not leave much room for work outside the bottom line. That is why at ActZero we have built our MDR service to test and simulate malware against your defenses safely. We monitor for potential threats and actively provide offensive security to scan, send test malware, and measure the response continuously. This way, building a lab and downloading malware is not a job that YOU need to do; WE do it for you. Take a look at how our PPA validates this for you.
How Can I Find Out More About Malware Analysis?
A lot of work has been done in the malware analysis field and many books have been written on the subject. For those who remember "Hacking Exposed", it brought real examples of common malware and exploits to our attention in a technical book that remains a worthwhile read for anyone interested in malware analysis.
For the security analysts who need to understand malware analysis at a deeper level, and how forensics works, here are a number of books to get you started: