Q&A: How emulating attacks in a live environment can more pervasively protect complex networks
Most large enterprises today can point to multi-millions of dollars expended over the past two decades erecting “layered defenses” to protect their digital systems.
Yet catastrophic network breaches continue apace. Turns out there’s a downside to “defense in depth.”
There’s no doubt that monitoring and continually updating all parts of a multi-tiered security system is a must-do best practice. But it has also become a delicate balancing act. Tweaking one system can open fresh, unforeseen security holes in another.
Spirent Communications, an 82-year-old British supplier of network performance testing equipment, recently decided to branch into cybersecurity services by tackling this dilemma head on.
Spirent pivoted into security testing two years ago with the launch of its CyberFlood security and application performance testing platform. And at Black Hat USA 2018, the company unveiled a new CyberFlood functionality that makes it possible for an enterprise to emulate a real-world attack in a live environment.
Spirent refers to this as “data breach emulation,” something David DeSanto, Spirent’s threat research director, told me is designed to give companies a great advantage: it makes it possible to see precisely how the latest ransomware or crypto mining malware would impact a specific network, with all of its quirky complexity.
Here are excerpts of our full conversation, edited for clarity and length:
LW: How did Spirent come to pivot from network performance testing to security?
DeSanto: When you think about it, security and performance are usually hooked at the hip. For our customers it often comes down to having to make a decision, ‘Do I want the performance or do I want the security?’ . . . We help people make the right decisions about which policies need to be enabled, or not enabled. And the performance piece is right in there.
LW: How has CyberFlood worked out?
DeSanto: Our customers like using CyberFlood in their staging environment, or in their lab, to gauge what will happen to performance if they do certain things. It helps them to decide how to configure a device before pushing it out into their live network or production network.
We have customers within the financial services vertical that do this on a regular basis. For instance, they might want to test new signatures published by their firewall vendor, before pushing it out, to make sure there are no regression issues.
LW: How did the idea for data breach emulation come about?
DeSanto: We started asking ourselves, ‘What if you can take that same level of quality and testing, and do that within the live network? What if you could use CyberFlood in a safe way, in production, to continually verify your environment?’ And that’s how we came up with the need to build the data breach feature.
LW: Can you clarify what exactly is new?
DeSanto: So before people did the simulated event in a lab setting, tied to a performance test, and so they were doing it as a spot check. It was done, for instance, while upgrading a device, to check to make sure the firmware didn’t have any bugs and that all the necessary signatures were in place, where needed.
But what if I needed to verify something in a production environment? Say I wanted to upload a 10 gigabyte file to a partner, but the firewall is blocking it. So I get an administrator to open it up – and then he forgets to close it. Or say an upgrade that was spot-checked in a testing environment gets put out live, and after two weeks there’s a memory leak from that device.
With emulation you can tune and test, not just in the lab; you can do it in such a way that it can be run safely in that production environment.
LW: And you’re also able to emulate known types of attacks in a live environment?
DeSanto: Yes. We have two different teams continually doing research, engagements, and monitoring for new attacks and new malware variants. Our customers can use our cloud agents anywhere in their environment and test 24 by 7.
So when we see a new attack, they can have it scheduled to run, automatically, to make sure nothing has changed in their environment. This gives them a level of assurance that their security policies are working as they expected.
LW: Engagements?
DeSanto: When we’re asked to do a wireless penetration test, or a network penetration test, or a web vulnerability assessment, or whatever, that’s an engagement. During the engagement, our teams may stumble into something new. They’ll do research and then share the results with our customers and also share it with our own threat research team.
LW: Is this about uncovering new vulnerabilities?
DeSanto: It’s about finding something new that is being used in the security hole. So let’s say our team is on a system and they find there’s malware running there, and it’s a near zero-day malware; a threat actor may have put it there, and it’s brand new.
Meanwhile, we also have a dedicated threat research team analyzing malware discovered by the engagement teams, as well as coming off the backbone of the Internet. We’ve set up honeypots around the world, which we use to harvest and categorize malware. And we’re also collecting intelligence about attacks that target known vulnerabilities.
LW: So you keep close track of malware and active attacks on a day-to-day basis?
DeSanto: We have a large research team, paired with CyberFlood, and this allows us to be able to emulate the Equifax breach, or the Target breach, as it actually happened, in our customer’s environment. And because we’re publishing content as often as we are, we’re able to react quickly. We can get those emulations out there to our customers within 24 hours of news about a new attack making headlines.
LW: How does that help?
DeSanto: They can determine if they have a way to mitigate the attack in their environment. For instance, we had several enterprises thank us because we let them test their networks for exposure to WannaCry, and they found out quickly that they did not have coverage for WannaCry. They were able to work proactively with their security vendors to get coverage.
Now we’re using the same CyberFlood technology and making it available to run in the live network. So instead of it being something that you’ve got to set up in the lab, and verify, now you’re able to run it whenever you want, on demand.
LW: To what extent does this address the increasing complexity of modern business networks?
DeSanto: Due to the way enterprises have set up their clients, servers, routers, antivirus, firewalls, IDS, and the like, every network has a unique fingerprint. Network complexity is only going to increase as we move forward with digital transformation and the Internet of Things.
With emulation we’re able to recreate precise scenarios from these multi-tiered environments. So we’ll spin up one side, and it’s the target, then we’ll spin up the other side, and it’s the attacker. It’s a real client and a real server, communicating with each other just like any other client and server would on your network.
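The two-sided arrangement DeSanto describes (an attacker-side client and a target-side server with the security control in the path between them, replayed on a schedule so that policy drift such as the forgotten firewall exception mentioned earlier shows up) can be sketched as a small control-validation harness. The following is an added example written for this page; it is not CyberFlood code or anything Spirent ships. The flow tags, the `EMU-TEST:` marker prefix and the `control_allows` function standing in for a firewall or IDS decision are all constructed, and both sides run as real TCP endpoints on loopback so the verdict for each flow is observed rather than assumed.

```python
import queue
import socket
import threading

# Constructed marker prefix: the target uses it to tell emulated flows from real traffic.
MARKER = b"EMU-TEST:"
# Hypothetical policy the in-path control is supposed to enforce (flow tag -> verdict).
BASELINE_POLICY = {"partner-upload": "allow", "legacy-ftp": "block", "smb-lateral": "block"}


def flow_tag(payload):
    """Extract the flow tag from an emulated payload ('' for non-emulated traffic)."""
    if not payload.startswith(MARKER):
        return ""
    return payload[len(MARKER):].split(b" ", 1)[0].decode()


def control_allows(policy, payload):
    """Stand-in for the firewall/IDS decision: unknown tags are dropped (default deny)."""
    tag = flow_tag(payload)
    if not tag:
        return True  # not an emulated flow: leave real traffic alone
    return policy.get(tag, "block") == "allow"


class Listener:
    """A real TCP listener on loopback; runs handler(conn) for each accepted connection."""
    def __init__(self, handler):
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen()
        self.port = self.sock.getsockname()[1]
        self.handler = handler
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:
                return  # listener was closed
            with conn:
                self.handler(conn)

    def close(self):
        try:
            self.sock.shutdown(socket.SHUT_RDWR)  # wakes the thread blocked in accept()
        except OSError:
            pass
        self.sock.close()


class Target:
    """Target side: records every emulated payload that actually reaches it."""
    def __init__(self):
        self.received = []
        self.listener = Listener(self._handle)

    def _handle(self, conn):
        data = conn.recv(4096)
        if data.startswith(MARKER):
            self.received.append(data)


class Control:
    """In-path security control between the attacker-side agent and the target."""
    def __init__(self, policy, target_port):
        self.policy, self.target_port = policy, target_port
        self.verdicts = queue.Queue()  # (tag, delivered) for each emulated flow
        self.listener = Listener(self._handle)

    def _handle(self, conn):
        data = conn.recv(4096)
        delivered = control_allows(self.policy, data)
        if delivered:
            with socket.create_connection(("127.0.0.1", self.target_port)) as t:
                t.sendall(data)
                t.shutdown(socket.SHUT_WR)
                t.recv(1)  # returns b"" once the target has consumed and closed the flow
        self.verdicts.put((flow_tag(data), delivered))


def emulate_flow(control_port, tag):
    """Attacker side: a real client sending one tagged, harmless flow."""
    with socket.create_connection(("127.0.0.1", control_port)) as c:
        c.sendall(MARKER + tag.encode() + b" scheduled-check")


def run_emulation(live_policy, expected):
    """Replay every expected flow through the live control and report drift.

    Returns {tag: (expected_verdict, observed_verdict)} for each flow whose
    observed verdict differs from what the security policy is supposed to produce.
    """
    target = Target()
    ctl = Control(live_policy, target.listener.port)
    drift, delivered_tags = {}, set()
    try:
        for tag, want in expected.items():
            emulate_flow(ctl.listener.port, tag)
            got_tag, delivered = ctl.verdicts.get(timeout=2)
            if delivered:
                delivered_tags.add(got_tag)
            observed = "allow" if delivered else "block"
            if observed != want:
                drift[tag] = (want, observed)
        # Cross-check from the target's side: exactly the delivered flows arrived there.
        assert {flow_tag(d) for d in target.received} == delivered_tags
    finally:
        ctl.listener.close()
        target.listener.close()
    return drift
```

Running `run_emulation(BASELINE_POLICY, BASELINE_POLICY)` returns an empty dict, because the control enforces exactly the intended policy. Replaying the same flows after the "forgot to close it" scenario, `run_emulation(dict(BASELINE_POLICY, **{"legacy-ftp": "allow"}), BASELINE_POLICY)`, returns `{"legacy-ftp": ("block", "allow")}`: the harness reports the flow that should have been blocked but was delivered, which is the drift a scheduled run is meant to surface. In a real deployment the `control_allows` stand-in would be replaced by the actual network path between the two agents, and only the marker-tagged, harmless flows would be sent.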
*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/qa-how-emulating-attacks-in-a-live-environment-can-more-pervasively-protect-complex-networks/