You aren’t going to release a live virus on your production system, so how do you test your defenses?
In the article “The State of Ransomware in 2020“, research suggests that every 11 seconds, some business is being attacked by a cybercriminal. And in the report “The State of Ransomware 2021”, the frequency of attacks is up year over year along with the diversity of business types being attacked. Lower in the same report, you can see details from the various organizations being attacked.
Couple this with “Cybersecurity Talent Crunch to Create 350 Million Unfilled Jobs Globally by 2021,” and it is apparent that many companies will have to rely on existing worker talent to combat an ever-increasing threat. Of course, high-tech companies have high-tech talent, but what about all the other types of organizations like Government, Education, Service Industry, and Manufacturing. We all like to think we have skilled workers regardless of our industry. Still, under this new growing threat, our current in-house cybersecurity skills might not be at the level needed to provide maximum safeguard.
So what are we to do?
“Practice makes perfect” comes from the 1550’s phrase “Use makes perfect.” We have to use and exercise our cyber attack defensive tools to become experts on their installation, operation, and oversight. But this leads to a new dilemma. How do you “practice” defending against cyber attacks? The simple answer is that you install the tools and run/use them, but “where” do you install the tools so that you can practice defending against a live attack?
And then, “what” would you practice? For simple PC Laptop based viruses, maybe you use the EICAR virus test file, which is not a live virus but has test files with the signatures of live viruses. That’s fine for testing the prevention of infection from a file, email, or attachment, but what about the more difficult scenario – the worm.
Worms are self-replicating malware that seeks weaknesses in how laptops and servers are set up and travel from one computer to the next. They don’t rely on a user opening up emails or attachments. Because of this, they can spread very quickly across an organization’s network and wreaking havoc along the way.
So how are you going to test against worm propagation? Obviously, you will not release an active worm on your corporate network and hope that your existing standard security tooling stops it. Many large organizations have “clean rooms” where they place computers in an isolated environment with no connection to the corporate network and perform their virus testing in isolation. That’s great if you have one of those, but if you are a smaller organization, or maybe your company doesn’t have the facilities to set up a virus clean room, then what?
The answer is to use the cloud.
In the cloud, you can “re-create” an environment that looks just like your corporate network, same computer operating systems, same hostnames, same IP addresses, etc. You create a “clone” of your production network that is scaled-down but represents the types of systems you have. You <do not> hook up your cloud virus test environment to your corporate network: no VPNs, no ExpressRoute, nothing. Your cloud environment runs completely detached from your true corporate network. They look similar but are totally disconnected.
Now you have your “virus clean room,” it is just virtual, and in no way is it possible to cross-contaminate anything onto your real business network. You can set up Windows machines or various types of servers, multiple subnets, firewalls, etc., just like you have on-prem. But now, you can actually do something that would be unthinkable on your live corporate network. You could release a “live” computer virus into your cloud environment and study how it might traverse from one machine to another.
You can obtain working malware code at sites like this, which you can “inject” into your cloud place-holder environment, and then study what happens. You can then correct any found weaknesses on your actual corporate network.
One of the beauties of the cloud is that you can create, destroy, and then re-create fully working environments through automation or facilities built right into your cloud vendor’s portal. For example, saving a complete working environment as a “Template,” with all of your standard testing machines defined along with their storage and networking attributes. Then you “clone” from that Template and can re-create a new working environment in minutes.
This type of workflow would allow you to perform a destructive test, collect the results, delete all of the cloud-based VMs, storage, and networks, and then “re-create” a fresh environment ready for the next test run. And do this all in a matter of minutes. When you aren’t doing testing, turn it all “off” in the cloud and get charged very little, or maybe nothing.
So the net-net is that you will use the cloud as a proxy for your true corporate network. You do all your malware testing with your toolset on that proxy environment, then if you find any weaknesses, apply the remediation to your actual on-prem defenses. Since you won’t connect your cloud testing environment to on-prem, there is no risk of contamination. “Practice makes perfect.” You now have a way to practice.