Making the Case for Continuous, Automated Security Testing

Phil Quade’s new book, The Digital Big Bang, which characterizes cyber security as a scientific endeavor, emphasizes the importance of visibility and inspection as elements of an effective cyber defense strategy. His essential point should be easy to understand: You can’t mitigate a threat that you can’t see. This may sound obvious, but advances in attack sophistication are making this simple concept increasingly challenging to realize.

One approach that offers better visibility and more thorough inspection is continuous, automated cybersecurity testing. Methods vary, but the general idea is to deploy software that probes your infrastructure and digital assets for undiscovered vulnerabilities around the clock.


Continuous, automated testing is a wise practice for at least two reasons: 1) threats and exploits are constantly changing and getting better at evading established countermeasures, especially those based on signature detection; and 2) systems are in a constant state of flux, exposing themselves to an ever-changing set of risks.

To demonstrate the depth of these problems, Safebreach presented a session on process injection at the Black Hat Conference in August. Process injection offers a compelling example of sophisticated threats and vulnerable systems—that can be better secured if continuous testing can reveal their vulnerabilities in real time.


Process injection is a type of attack that inserts malicious code directly into a process already running in the operating system. There are many kinds of process injection, but for the sake of simplicity, Safebreach focused on Windows 10 64-bit processes. Process injection differs from the more common process execution attack, in which the malware has to launch a process of its own to harm the system. Process execution is relatively easy to detect. Process injection, in contrast, can be very hard to see because the malicious code runs inside an existing process, e.g. inside a web browser's code already running in memory.

Windows offers two built-in countermeasures to mitigate the process injection threat. However, as is often the case, the defenses are not 100% effective. Safebreach's presentation featured a process injection technique of their own, which they call "Stack Bomber." Stack Bomber was able to insert itself into running processes on a Windows 10 machine undetected. It accomplished this by suspending the target process, inserting itself, and then restarting the process. To the end user this might appear as nothing more than a momentary, unremarkable delay in a function.
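As an added, defender-side example (not code from the post or from Safebreach), the suspend / insert / restart sequence described above can be turned into a simple correlation rule over endpoint telemetry. The event names, the sample events and the ten-second window below are constructed assumptions, not the output of any particular product.

```python
# Added example: flag a source process that suspends, writes to, and then
# resumes the same target process within a short window. Event names and
# the sample telemetry are constructed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source_pid, action, target_pid).
SAMPLE_EVENTS = [
    ("2019-08-09T10:00:00", 4120, "OpenProcess", 2200),
    ("2019-08-09T10:00:01", 4120, "SuspendThread", 2200),
    ("2019-08-09T10:00:01", 4120, "WriteProcessMemory", 2200),
    ("2019-08-09T10:00:02", 4120, "ResumeThread", 2200),
    ("2019-08-09T10:05:00", 5100, "OpenProcess", 2300),      # benign: no write
    ("2019-08-09T10:05:30", 5100, "ReadProcessMemory", 2300),
]

# The ordered sequence the rule looks for against one (source, target) pair.
INJECTION_SEQUENCE = ("SuspendThread", "WriteProcessMemory", "ResumeThread")


def find_injection_candidates(events, window=timedelta(seconds=10)):
    """Return (source_pid, target_pid, start, end) for every source/target
    pair whose events contain INJECTION_SEQUENCE, in order, within `window`."""
    by_pair = defaultdict(list)
    for ts, src, action, dst in sorted(events, key=lambda e: e[0]):
        by_pair[(src, dst)].append((datetime.fromisoformat(ts), action))

    hits = []
    for (src, dst), seq in by_pair.items():
        stage, start = 0, None          # how far into the sequence we are
        for ts, action in seq:
            if stage and ts - start > window:
                stage, start = 0, None  # partial sequence timed out; restart
            if action == INJECTION_SEQUENCE[stage]:
                if stage == 0:
                    start = ts
                stage += 1
                if stage == len(INJECTION_SEQUENCE):
                    hits.append((src, dst, start, ts))
                    stage, start = 0, None
    return hits


if __name__ == "__main__":
    for src, dst, start, end in find_injection_candidates(SAMPLE_EVENTS):
        print(f"pid {src} suspended/wrote/resumed pid {dst} between {start} and {end}")
```

A real deployment would feed this from process-access and thread telemetry and tune the window, but the ordering check is what separates the injection pattern from ordinary debugger or diagnostic activity that only reads memory.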

The risk to an organization that cannot detect process injection is that its PCs will be doing things that look normal but aren't. For example, if a process injection technique inserts malware into the browser process, users could have their browser sessions spied on or be redirected, unknowingly, to sites they never intended to visit.


The Safebreach attack simulation solution, which performs continuous, automated testing as well as attack simulation, helps organizations attain a high level of visibility and inspection. The attack simulation mode gives security analysts the ability to understand attack vectors by reproducing the attacker’s tactics and techniques—but does so in a protected environment.

The process injection example shows why continuous, automated testing deserves strong consideration as a countermeasure in cybersecurity going forward.
