This content is part of the Security School: CISSP Domain 7: Security operations

Dynamic application security testing, honeypots hunt malware

Stealth is an attacker's best friend, especially when it comes to sneaking malware past the firewall. Learn about some trusty tools that can stop malware in its tracks.

The following is an excerpt from the Official (ISC)2 Guide to the CISSP CBK, fourth edition, edited by Adam Gordon, CISSP-ISSAP, ISSMP, SSCP. This section from Domain 7 familiarizes infosec pros with sandboxing, dynamic application security testing tools and honeypot security systems, which can be used to isolate, detect and thwart malware.

Sandboxing is a form of software virtualization that lets programs and processes run in their own isolated virtual environment. Typically, programs running within the sandbox have limited access to your files and system, and they can make no permanent changes. That means that whatever happens in the sandbox stays in the sandbox. Sandboxing, one alternative to traditional signature-based malware defense, is seen as a way to spot zero-day malware and stealth attacks in particular.

Malware uses a variety of techniques and approaches to evade detection. One of these techniques delays the execution of malicious code so that a sandbox times out. However, to do this, the malware does not simply sleep. Instead, the malware performs some useless computations that give the appearance of activity. The stalling technique used by the malware works because it appears to the sandbox as if the malware is simply executing functions that any normal program would, and from the point of view of the malware analysis system, everything is normal.

To monitor malware, a sandbox introduces hooks. These hooks can be inserted directly into a program to get notifications (callbacks) for function or library calls. The problem with direct hooks is that the program code needs to be modified, and this can be detected by malware or interfere with dynamic code generation. But the main problem with hooking system calls is that the sandbox cannot see any instruction that the malware executes between calls. This is a significant blind spot that malware authors can target, and they do so with code that runs between system calls. Another evasive method is carried out through environmental checks. Malware authors can add novel, zero-day environmental checks related to the operating system and manipulate the return value as an evasive maneuver that forces vendors to patch their sandbox to catch it.
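The stalling behavior and the between-calls blind spot described above can be turned into a sandbox-side check. The following is an added example, not code from the CBK or from any sandbox product: it assumes the analysis system can read a per-sample retired-instruction counter at each hooked call and at timeout, and the thresholds, trace values and verdict strings are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Call:
    t: float     # seconds since the sample started
    name: str    # hooked API or system call name
    insns: int   # cumulative instructions retired by the sample at this call

MAX_BLIND_INSNS = 500_000_000   # assumed budget of unobserved work between calls
TAIL_FRACTION = 0.5             # assumed: a tail gap covering half the run is stalling

def blind_gaps(calls, t_end, insns_end):
    """Return every gap between observation points (start, hooked calls,
    timeout) in which the sample retired more instructions than the budget."""
    points = [(0.0, 0, "<start>")]
    points += [(c.t, c.insns, c.name) for c in calls]
    points.append((t_end, insns_end, "<timeout>"))
    gaps = []
    for (t0, i0, n0), (t1, i1, n1) in zip(points, points[1:]):
        if i1 - i0 > MAX_BLIND_INSNS:
            gaps.append({"after": n0, "before": n1,
                         "seconds": round(t1 - t0, 3), "insns": i1 - i0})
    return gaps

def verdict(calls, t_end, insns_end):
    gaps = blind_gaps(calls, t_end, insns_end)
    if not gaps:
        return "no-stalling-indicators"
    last = gaps[-1]
    if last["before"] == "<timeout>" and last["seconds"] >= TAIL_FRACTION * t_end:
        return "inconclusive-rerun-longer"   # busy until timeout: not a clean run
    return "review-blind-gaps"               # heavy unobserved work mid-run

# Constructed traces: (time, call name, cumulative instruction counter).
BENIGN = [Call(0.1, "NtCreateFile", 2_000_000), Call(0.4, "NtReadFile", 40_000_000),
          Call(1.2, "NtWriteFile", 150_000_000), Call(2.0, "NtClose", 210_000_000)]
STALLER = [Call(0.1, "NtQuerySystemInformation", 1_000_000),
           Call(0.3, "NtAllocateVirtualMemory", 5_000_000)]
MID_RUN = [Call(0.1, "NtCreateFile", 1_000_000),
           Call(30.0, "NtWriteFile", 60_000_000_000),
           Call(30.5, "NtClose", 60_010_000_000)]

if __name__ == "__main__":
    print(verdict(BENIGN, 120.0, 260_000_000))
    print(verdict(STALLER, 120.0, 240_000_000_000))
    print(verdict(MID_RUN, 120.0, 60_050_000_000))
```

The point of the middle verdict is operational: a run that was still computing when the timer expired is reported as inconclusive rather than clean, so it can be re-queued with a longer window or finer-grained monitoring.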

The security practitioner needs to rely on third-party services and systems in order to find and detect these kinds of threats within the enterprise. In addition, there may be other threats that go undetected from third-party software and services that are being consumed by users in the organization as well. The use of scanning tools from different technology vendors for malware and virus mitigation is one area that the security practitioner can act upon fairly easily. The need to contract with a third-party company to help provide dynamic application security testing (DAST) services may be a new thought process for many security practitioners.

DAST technologies are designed to detect conditions indicative of a security vulnerability in an application in its running state. Most DAST products test only the exposed HTTP and HTML interfaces of web-enabled applications; however, some products are designed specifically for non-web protocol and data malformation (for example, remote procedure call, Session Initiation Protocol [SIP], and so on).

The following are several areas where DAST tools are providing interesting innovative approaches to the security issues that face the enterprise today:

Dynamic application security testing as a service
The market for dynamic testing as a service is growing, and some vendors only offer their solution as a service. The security professional may prefer to use a product and a service from the DAST vendor. For example, they may want to perform testing on their more sensitive applications on-premises using a DAST product, testing on their less-sensitive applications via DAST as a service, or testing on deployed applications as a service, with testing of applications in the QA phase of the development process using on-premises DAST products.

The ability to crawl and test Rich Internet Applications (RIA)
A hallmark of web 2.0 applications is the use of RIA, mostly in the form of JavaScript and Ajax frameworks. In addition, many applications include large amounts of client-side logic in the form of Adobe Flash, Flex, and Microsoft's Silverlight. The use of client-side RIA logic complicates how applications are crawled and how traditional dynamic application security testing is performed because the JavaScript and other types of code are rendered at the client, not at the server.

HTML5 is not a single standard, and the multiple standards that collectively represent HTML5 are at different levels of maturity and adoption. Testing HTML5 and keeping up with the fluid standards is an emerging requirement for all DAST products.

Web protocols
The ability to crawl and test applications that use other types of interfaces carried over web protocols. For example, many dynamic application security testing products test web services using protocols and formats, such as Simple Object Access Protocol (SOAP), representational state transfer (REST), Extensible Markup Language (XML), and JavaScript Object Notation (JSON).

Static application testing capabilities (SAST)
For comprehensive application security testing, it should be possible to test applications from the "inside out" using static analysis and from the "outside in" using dynamic analysis.

Interactive security testing
Some of the testing providers enable interaction between their static and dynamic security testing techniques. One of the most common ways is to instrument the application while it is being tested dynamically. This provides more detailed information (such as identifying the line of code where a vulnerability occurs and assessing the code coverage of testing). While this may not be suitable for production applications, this approach is quite useful in QA testing in order to provide more meaningful results to developers.

Comprehensive fuzz testing
Some DAST products are designed specifically to expand well beyond web protocols to include non-web protocols (for example, remote procedure calls, Server Message Block, Session Initiation Protocol [SIP], and so on) as well as data input malformation. This is especially critical for the dynamic security testing of applications used within embedded devices, such as storage appliances, telecommunications and networking equipment, directories, automated teller machines, medical devices, and so on.

Testing mobile and cloud-based applications
Ideally, mobile applications would be tested with SAST and DAST; however, pure dynamic application security testing can add value. Beyond the use of RIA and HTML5 discussed previously, most Android and iOS applications are web-like in nature and communicate over web or RESTful HTTP-based protocols. At a minimum, the exposed interfaces of the applications should be testable using DAST. Many of the mobile applications communicate with cloud-based applications on the back end, which must also be tested. In addition, many applications have specific code paths for supporting mobile devices. In order to test these properly, DAST products must emulate a number of mobile browsers.

How honeypot security works

In addition to the use of dynamic application security testing services, the security practitioner needs to consider the value of a honeypot or honeynet deployment within a secured area of the enterprise for testing and evaluation purposes. Honeypot security systems are decoy servers or systems set up to gather information regarding an attacker or intruder into your system. It is important to remember that honeypots do not replace other traditional Internet security systems; they are an additional level or system. Honeypots can be set up inside, outside, or in the DMZ of a firewall design or even in all of the locations, although they are most often deployed inside of a firewall for control purposes. In a sense, they are variants of standard intruder detection systems (IDS) but with more of a focus on information gathering and deception. Two or more honeypots on a network form a honeynet. Typically, a honeynet is used for monitoring a larger and more diverse network in which one honeypot may not be sufficient. Honeynets and honeypots are usually implemented as parts of larger network intrusion detection systems. A honeyfarm is a centralized collection of honeypots and analysis tools. Some common implementations of the honeypot in security are:

Glastopf
A low-interaction, open source honeypot that emulates a vulnerable web server. Running on Python, PHP, and MySQL, Glastopf can emulate literally thousands of vulnerabilities and is intended to be web crawled, a recognition that today's attackers frequently use search engines to find innocent websites to infect. Glastopf has GUI management and reporting features, and it's actively maintained and updated.

A commercial honeypot, is GUI-based and has a few interesting features (it updates its own content, has "marker" files that can be used to trace hackers, and more) that make it a honeypot to check out.

Ghost USB
A free USB emulation honeypot that mounts as a fake USB drive to enable easier capture and analysis of malware that uses USB drives to replicate.

KFSensor
A Windows-based honeypot intrusion detection system. It acts as a honeypot to attract and detect hackers and worms by simulating vulnerable system services and Trojans. By acting as a decoy server, it can divert attacks from critical systems and provide a higher level of information than can be achieved by using firewalls and NIDS alone. KFSensor is designed for use in a Windows-based corporate environment and contains many innovative and unique features such as remote management, a Snort-compatible signature engine, and emulations of Windows networking protocols.
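To make "low-interaction" concrete, here is an added example of a minimal web decoy. It is not code from Glastopf, KFSensor or any product named above; the page content, the Server header, the bind address and port, and the event field names are all assumptions chosen for illustration. The decoy only parses what it receives, answers with a canned page and emits one structured log line per contact.

```python
import json
import socketserver
import time

MAX_REQUEST = 8192  # read cap so a single client cannot exhaust memory
# Constructed decoy page; the link gives crawlers something to follow.
PAGE = b"<html><body><h1>It works!</h1><a href='/admin/'>admin</a></body></html>"

def handle_request(raw, peer, now):
    """Return (canned response, log event). Input is parsed, never executed."""
    text = raw[:MAX_REQUEST].decode("latin-1")
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    malformed = len(parts) != 3 or not parts[2].startswith("HTTP/")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    event = {
        "ts": now, "peer": peer, "malformed": malformed,
        "method": None if malformed else parts[0],
        "path": None if malformed else parts[1],
        "user_agent": headers.get("user-agent"),
        "body_len": len(body),
        # Keep a short hex prefix of non-HTTP probes for later analysis.
        "raw_prefix": raw[:64].hex() if malformed else None,
    }
    status = b"400 Bad Request" if malformed else b"200 OK"
    payload = b"" if malformed else PAGE
    response = (b"HTTP/1.1 " + status + b"\r\nServer: Apache\r\nContent-Length: "
                + str(len(payload)).encode() + b"\r\nConnection: close\r\n\r\n"
                + payload)
    return response, event

class Decoy(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.settimeout(5)
        try:
            raw = self.request.recv(MAX_REQUEST)
        except OSError:
            return
        response, event = handle_request(raw, self.client_address[0], time.time())
        print(json.dumps(event), flush=True)  # one JSON line per contact
        self.request.sendall(response)

if __name__ == "__main__":
    # Placeholder address and port; bind to the address reserved for the decoy.
    with socketserver.ThreadingTCPServer(("127.0.0.1", 8080), Decoy) as srv:
        srv.serve_forever()
```

Because no legitimate user has a reason to reach a decoy, every event it logs is worth forwarding to the intrusion detection pipeline, including the malformed ones.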

Intro to AMTSO

The security practitioner has a difficult job in general, and when it comes to malware protection for the organization, that job can be even tougher due to the proliferation of mobile and handheld devices, as well as cloud-based storage and collaboration technologies. While the standard antimalware technologies exist and can be deployed to prevent some infections, the ability to protect varied endpoints and access points within the enterprise is difficult to scale as rapidly as the proliferation of these devices and access mechanisms. In addition to tools like dynamic application security testing and honeypot security systems, another interesting resource that the security professional can leverage is the Antimalware Testing Standards Organization (AMTSO). AMTSO's charter focuses on the following four areas:

  1. Providing a forum for discussions related to the testing of antimalware and related products.
  2. Developing and publicizing objective standards and best practices for testing of antimalware and related products.
  3. Promoting education and awareness of issues related to the testing of antimalware and related products.
  4. Providing tools and resources to aid standards-based testing methodologies.
