Apr 12, 2011

Simulate Spear Phishing Attacks to Validate Enterprise Network Security

by Alexander Karstens

Criminal hackers are going “spear phishing” in the corporate world. This type of clever, targeted attack combines social engineering with malicious code to fool even sophisticated computer users. An in-depth USA Today article recently explained the ongoing theft of corporate secrets and intellectual property stemming from these attacks. Criminals often use personal information available from social networks to select target individuals and create relevant messages aimed at them.

In the specific attack described in the article, lawyers at several firms with ties to the oil industry received personalized emails with a PDF attachment. These emails claimed to be from analysts describing the impact of the current upheaval in Libya on the oil market. The PDF file contained a virus, but because the emails were so well targeted and seemed legitimate, the users opened the attachments.

Luckily, in this case the attack was quickly discovered, but the malicious code used in spear phishing can linger undetected in corporate networks, causing damage to systems or simply opening the gates so that criminals have unrestricted access to valuable information. This threat raises important questions for those whose duty it is to secure enterprise networks: What means do I have to defend against these types of attacks? Can I shield my network from being infected to begin with?

The answer to these questions is yes. Read on to find out how.

Simulating Spear Phishing Using Markov Text Generated Emails and Malicious Attachments

This post describes how to use Markov text generation to generate realistic-looking emails and then employ the use of malicious email attachments to simulate an attack like the one described in the USA Today article. The instructions here cover only the spear phishing email, but you could easily generate other traffic flows at the same time to find out how well your defenses respond to the malicious attachment while they are sifting through a heavy load of benign traffic.

Three key features built into the BreakingPoint CTM will be used for this simulation:

  • Real email, whether SMTP, Gmail, or other protocols that we cover
  • Markov text generation
  • Ability to send attachments with an email

The first element is the ability to generate real email, which is indistinguishable from email you would send from the email client on your PC. Next, Markov text generation allows a user to generate realistic-looking email bodies starting from a text file containing a number of keywords provided by the user. My colleague Pat McGarry recently wrote an excellent post on how to use Markov for realistic email generation.
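As an added illustration (not code from this post or from the BreakingPoint product), here is a minimal order-2 Markov chain in Python that builds a model from a seed text and emits an email-body paragraph; SEED_TEXT is a constructed stand-in for the keyword file the post mentions.

```python
import random
import re
from collections import defaultdict

# Constructed seed text standing in for the user-supplied keyword file;
# a real run would load a larger corpus of analyst-style prose.
SEED_TEXT = """
Oil prices climbed sharply this week as unrest in Libya disrupted exports.
Analysts expect crude supply to tighten if the unrest spreads across the region.
Our analysts expect prices to remain volatile while exports from Libya are offline.
Please review the attached report on the impact of the supply disruption.
The attached report summarizes our outlook for crude prices this quarter.
"""


def build_chain(text, order=2):
    """Map each tuple of `order` consecutive words to the words that followed it."""
    words = re.findall(r"\S+", text)
    chain = defaultdict(list)
    for i in range(len(words) - order):
        key = tuple(words[i:i + order])
        chain[key].append(words[i + order])
    return chain


def generate(chain, max_words=60, seed=None):
    """Walk the chain from a random state; stop at max_words or at a dead end."""
    rng = random.Random(seed)
    state = rng.choice(list(chain))
    out = list(state)
    while len(out) < max_words:
        options = chain.get(state)
        if not options:
            break
        out.append(rng.choice(options))
        state = tuple(out[-len(state):])
    return " ".join(out)


if __name__ == "__main__":
    print(generate(build_chain(SEED_TEXT), seed=1))
```

Because every emitted word follows a transition seen in the seed text, the output reads like the source material while rarely repeating a sentence verbatim, which is what makes such bodies hard to catch with simple content signatures.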

Finally, we will use the ability to send attachments to complete the attack pattern described in the article. For the purpose of this article, I will be using the well-known antivirus test file distributed by the industry group EICAR; it will trigger antivirus systems but does not contain actual malicious code or code fragments. This is close enough to a “live fire” exercise and shows very clearly whether your network infrastructure and server hardware are hardened against this kind of attachment. The antivirus test file can be downloaded from EICAR. Your first indication that this is a true antivirus signature will be your own computer’s security software picking it up immediately after you download it.

Step-by-Step Instructions

Pat’s post, referenced above, will show you how to create a superflow containing the email. Once that’s done, we need to attach the antivirus signature. First let’s open the superflow again and select the action “Send Email”:

[Screenshot: create malicious email test]

Click the button with bracketed ellipses below the list of actions to edit your selection, then scroll down in the dialog box to the following section:

[Screenshot: create spear phishing email]

Select the Static Attachment checkbox. This will allow us to send attachments with our emails. Next, click on Import Static Attachment:

[Screenshot: malicious email attachment]

Browse on your computer to find the EICAR test virus, as in the screenshot below:

[Screenshot: spear phishing test virus]

Finally, select the newly uploaded file:

[Screenshot: attach spear phishing email]

You may also want to check the box for “Attachment Filename” and use a valid-looking file name. If you leave this box unchecked, the BreakingPoint CTM will assign a random file name to the attachment. Please note also the “Attachment Content-Type” field: checking that box and entering a value that correlates with the attachment will make the email even more realistic and make it that much more difficult for any IPS, firewall, or antivirus software to pick up on the threat.

That’s all there is to it. Just remember to save the superflow so you can return to it or adapt it later.
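For readers without the BreakingPoint CTM, the same test mail can be composed by hand. The following Python script is an added example, not part of the post or the product: it attaches the EICAR file under an explicit filename and a matching Content-Type (the two fields the steps above highlight), sends it through the gateway under test, and treats a rejected transaction as the passing result. SMTP_HOST, the mailbox addresses and the local path of the EICAR file are assumed placeholders.

```python
import smtplib
from email.message import EmailMessage

# Assumed lab values: the relay whose antivirus scanning is being validated,
# and sender/recipient mailboxes that exist only in the lab.
SMTP_HOST = "mailgw.lab.example"
SENDER = "analyst@lab.example"
RECIPIENT = "test-mailbox@lab.example"


def load_attachment(path="eicar.com"):
    """Read the EICAR test file downloaded from eicar.org (assumed path), so the
    test string itself never has to be embedded in this script."""
    with open(path, "rb") as fh:
        return fh.read()


def build_test_email(body, attachment_bytes, filename, content_type):
    """Compose the simulated spear-phishing mail: a realistic body plus the
    antivirus test file under a plausible filename and a matching Content-Type."""
    maintype, subtype = content_type.split("/", 1)
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = RECIPIENT
    msg["Subject"] = "Analyst note: crude supply outlook"
    msg.set_content(body)
    msg.add_attachment(attachment_bytes, maintype=maintype,
                       subtype=subtype, filename=filename)
    return msg


def attachment_headers(msg):
    """Return (filename, content-type) of the first attachment, to confirm the
    message carries the explicit values rather than generated defaults."""
    for part in msg.iter_attachments():
        return part.get_filename(), part.get_content_type()
    return None, None


def run_test(msg):
    """A rejected SMTP transaction is the PASS result: the gateway caught the
    attachment. An accepted message means the scanning must be remediated."""
    try:
        with smtplib.SMTP(SMTP_HOST, 25, timeout=10) as smtp:
            smtp.send_message(msg)
    except smtplib.SMTPException as exc:
        return f"PASS: gateway rejected the message ({exc})"
    return "FAIL: message accepted; check antivirus configuration on the gateway"
```

Some gateways accept the message at the SMTP level and quarantine it afterwards, so also confirm that nothing reached the recipient mailbox before calling the test a FAIL.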

Results: How To Determine If Your Security Solution Will Block the Attack

So what constitutes a successful test for your defenses? In this case, we actually want the email transaction to fail. That would mean that your network security device or software picked up on the virus in the attachment and blocked it — which it should, since EICAR is a standard file used for testing purposes. If the email transaction succeeds, you should remediate the problem, whether that means adjusting the antivirus configuration or contacting your security vendor’s support team.

This short write-up can serve as a template. The same procedure could easily be used with Gmail or some other email protocol instead of SMTP. It would also be very easy to use different attachments, or to embed the malicious email in a flow of other traffic.

Cyber theft of corporate secrets and intellectual property is a large and costly issue. The question that anybody responsible for stopping it should ask is this: What is the cost to prevent intrusion in the first place, as opposed to the value of lost information and damage control after the fact?

