Antimalware Effectiveness Tests | NFLO.

Testing the Effectiveness of Antimalware Mechanisms for Infrastructure.

Antimalware Mechanisms Effectiveness Testing is a comprehensive service for assessing the quality of the antimalware solutions deployed in an IT infrastructure, focusing on how well they identify and block attacks and mitigate their effects.

Service Description:

The service includes five key activities:

Activity 1 – Evaluate the quality of solutions by running scenarios using files previously unknown to the solution under test

This work is aimed at evaluating how well the solutions identify and block an attack, mitigate its effects, and at identifying the recovery mechanisms available for the attacked system.
We assume that the IT infrastructure will be used to upload, save and run files prepared for the tests that are unknown to the solution under test and that have characteristics of malware without being malware, hereinafter referred to as "test files".

Under Activity 1, attack scenarios will be run, including:

  • downloading and running files from servers located on the Internet,
  • performing a large number of file operations in a short period of time (including cryptographic operations, which mimics the mass encryption behaviour of ransomware).

Among other things, the following actions will be performed to hide the test files and the ongoing activities before they are sent:

  • placing them inside other files considered safe (e.g. Office documents, PDF files, archives),
  • using modified and/or customised file extensions,
  • encrypting their contents.

The attack scenarios listed above, together with the methods of hiding the test files and the activities carried out, are the same techniques that real ransomware campaigns rely on to successfully infect an IT infrastructure.

For delivering the test files into the environment, the following example attack scenarios have been defined; they will be refined and supplemented with the results of the review of the antimalware architecture:

  • attempts to attach a file as an e-mail attachment,
  • attempts to use the instant messaging tools used by employees,
  • attempts to use the software version control system used by developers,
  • attempts to write a file to a network share that is accessible from the attacked device,
  • attempts to use tools available to employees (e.g. a SharePoint site on the intranet, or mobile versions of applications that allow file transfer),
  • attempts to download and save files from an external server (e.g. a web server over HTTP and HTTPS, FTP, SFTP),
  • attempts to use an external storage medium.

For all ongoing test scenarios, their exact start and end dates and times will be noted.

Activity 2 – Evaluate the quality of solutions by running scenarios using files known to the solution under test

In Activity 2, characteristics of a test file (e.g. its SHA-256 hash, the IP addresses of the servers it communicates with) will be defined and then registered in the antimalware solution under test as indicators of compromise (IoCs) of a known malware. The test file defined in this way will be stripped of any other malware characteristics that were not registered as IoCs at this stage, so that detection has to rely on the registered indicators alone.
In the next step, the actions used to hide the test files, their extensions and the activities carried out will be repeated, as will the attempts to upload and run them.
These activities are aimed at assessing how well the solutions identify and block the attack, mitigate its effects, and at identifying recovery mechanisms for the attacked system, this time using files known to the solution under test that are still not malware. For all test scenarios, their exact start and end dates and times will be recorded.
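The hiding techniques of Activity 1 and the IoC-based detection of Activity 2 interact in a way worth seeing concretely: a hash IoC only matches the exact bytes it was computed over, so wrapping the file in an archive or encrypting it produces a different hash, while merely renaming it does not. The harness below is an added example written for this page, not NFLO's own tooling. It builds a constructed, benign placeholder standing in for a test file, produces the hidden variants the page lists (archive, modified extension, nested archive, encrypted contents), checks which of them a purely hash-based IoC would still match, and checks which of them a scanner that unpacks archives recursively could still find. The XOR routine only stands in for "encrypting their contents" and is not real cryptography; the file name and content are assumptions.

```python
"""Added example: hidden variants of a benign test file versus a SHA-256 IoC."""
import hashlib
import io
import os
import zipfile

# Constructed benign placeholder for a "test file"; it is not malware.
TEST_FILE_NAME = "test-file.exe"
TEST_FILE_CONTENT = b"NFLO antimalware effectiveness test file (benign placeholder)\n"


def sha256(data: bytes) -> str:
    """Hex SHA-256 of a blob; this is the kind of value registered as an IoC."""
    return hashlib.sha256(data).hexdigest()


def embed_in_archive(member_name: str, data: bytes) -> bytes:
    """Place the file inside a ZIP archive (a container usually considered safe)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, data)
    return buf.getvalue()


def xor_encrypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; stands in for 'encrypting their contents'. Not real crypto."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_variants(name: str, data: bytes, key: bytes = b"\x5a\xa5\x3c") -> dict:
    """Return {variant_file_name: bytes}; each variant hides the same test file differently."""
    stem = os.path.splitext(name)[0]
    return {
        name: data,                                       # plain file, as registered as IoC
        stem + ".pdf": data,                              # modified extension, bytes unchanged
        name + ".zip": embed_in_archive(name, data),      # inside an archive
        name + ".zip.zip": embed_in_archive(              # archive inside an archive
            name + ".zip", embed_in_archive(name, data)),
        name + ".enc": xor_encrypt(data, key),            # contents encrypted
    }


def ioc_hits(ioc_sha256: str, variants: dict) -> list:
    """Names of the variants a purely hash-based IoC would match."""
    return sorted(n for n, d in variants.items() if sha256(d) == ioc_sha256)


def contains_original(blob: bytes, original: bytes, max_depth: int = 8) -> bool:
    """Would a scanner that unpacks ZIP archives recursively find the original bytes?"""
    if blob == original:
        return True
    if max_depth == 0:
        return False
    buf = io.BytesIO(blob)
    if not zipfile.is_zipfile(buf):
        return False
    buf.seek(0)
    with zipfile.ZipFile(buf) as zf:
        return any(contains_original(zf.read(m), original, max_depth - 1)
                   for m in zf.namelist())


if __name__ == "__main__":
    ioc = sha256(TEST_FILE_CONTENT)
    variants = build_variants(TEST_FILE_NAME, TEST_FILE_CONTENT)
    print("IoC (SHA-256 of plain test file):", ioc)
    for vname, vbytes in variants.items():
        print(f"{vname:24} hash-IoC match: {sha256(vbytes) == ioc!s:5} "
              f"found by recursive unpack: {contains_original(vbytes, TEST_FILE_CONTENT)}")
```

Only the plain file and the renamed copy match the hash IoC; the archived variants are found only by a scanner that unpacks containers, and the encrypted variant by neither, which is why Activity 2 runs the hiding steps again after the IoC has been registered.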

Activity 3 – Evaluate the quality of solutions by simulating network attacks

Simulations of known network attacks will be performed, including:

  • identifying exposed services by scanning TCP/UDP ports and attempting to obtain information about installed software versions using fingerprinting and banner-grabbing techniques,
  • scanning the exposed services for known vulnerabilities using automated tools and manual techniques.

During this work, we will use leading commercial and non-commercial tools for analysing the security of the IT environment.

These activities are aimed at assessing how well the solutions identify and block the attack, mitigate its effects, and at identifying recovery mechanisms for the attacked system, using methodologies that simulate the actions of cyber criminals and are used in penetration testing, without constituting an unauthorised attack on the Bank's IT infrastructure. For all test scenarios, their exact start and end dates and times will be recorded.

Activity 4 – Evaluate solution quality by analyzing the monitoring and alarming interfaces of the solution under test

In Activity 4, we will analyse the effectiveness of the monitoring and alerting mechanisms of the solution under test for the threats it identified, by correlating the recorded start and end times of the executed test scenarios with the interfaces that list the attacks identified by the antimalware solution.
In the next step, we will analyse which attacks the antimalware solution identified and which alerting actions it took (e.g. sending an e-mail to employees), and identify the scenario actions that were not detected as an attack.
These activities are aimed at assessing how well the solution identifies an attack and how effectively it communicates information about it to employees.
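The correlation described in Activity 4 is mechanical once the scenario timestamps were recorded carefully. The script below is an added example written for this page, not NFLO's own tooling; it shows the check on two constructed logs: the tester's scenario log (scenario id, start, end) and a CSV export assumed to come from the antimalware console (timestamp, signature, action taken, host). Every alert that falls inside a scenario's window (widened by a tolerance, since detection can lag the action) is attributed to that scenario; scenarios with no alert are reported as undetected, and alerts that match no scenario are listed separately so background noise is not counted as a detection. The log formats, column order and tolerance are assumptions.

```python
"""Added example: correlate scenario start/end times with an alert export."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed scenario log as recorded by the tester during Activities 1-3.
SCENARIO_LOG = """\
S1-email-attachment,2024-03-12T09:00:00Z,2024-03-12T09:04:30Z
S2-vcs-commit,2024-03-12T09:10:00Z,2024-03-12T09:12:00Z
S3-smb-share-write,2024-03-12T09:20:00Z,2024-03-12T09:21:15Z
S4-https-download,2024-03-12T09:30:00Z,2024-03-12T09:33:00Z
"""

# Constructed alert export assumed to come from the antimalware console.
ALERT_LOG = """\
2024-03-12T09:01:12Z,Malware.Test.Generic,quarantine,WS-01
2024-03-12T09:11:40Z,Malware.Test.Generic,blocked,GIT-01
2024-03-12T09:31:05Z,PUA.Downloader,email-sent,WS-01
2024-03-12T11:00:00Z,Scheduled.Scan.Finished,info,WS-01
"""


@dataclass
class Scenario:
    name: str
    start: datetime
    end: datetime


@dataclass
class Alert:
    when: datetime
    signature: str
    action: str
    host: str


def parse_ts(text: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp; 'Z' is rewritten for older Pythons."""
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))


def parse_scenarios(text: str) -> list:
    rows = [line.split(",") for line in text.splitlines() if line.strip()]
    return [Scenario(n, parse_ts(s), parse_ts(e)) for n, s, e in rows]


def parse_alerts(text: str) -> list:
    rows = [line.split(",") for line in text.splitlines() if line.strip()]
    return [Alert(parse_ts(t), sig, act, host) for t, sig, act, host in rows]


def correlate(scenarios: list, alerts: list,
              tolerance: timedelta = timedelta(seconds=60)) -> dict:
    """Attribute alerts to the scenario windows they fall into.

    Returns {"detected": {scenario: [alerts]}, "undetected": [scenario names],
             "unattributed": [alerts]}; the window is widened by `tolerance`
    on both sides because detection may lag the action it reacts to.
    """
    detected = {s.name: [] for s in scenarios}
    unattributed = []
    for a in alerts:
        owners = [s for s in scenarios
                  if s.start - tolerance <= a.when <= s.end + tolerance]
        if not owners:
            unattributed.append(a)
        for s in owners:
            detected[s.name].append(a)
    undetected = [n for n, hits in detected.items() if not hits]
    return {"detected": {n: h for n, h in detected.items() if h},
            "undetected": undetected,
            "unattributed": unattributed}


if __name__ == "__main__":
    report = correlate(parse_scenarios(SCENARIO_LOG), parse_alerts(ALERT_LOG))
    for name, hits in report["detected"].items():
        print(f"{name}: detected ({', '.join(h.signature + '/' + h.action for h in hits)})")
    for name in report["undetected"]:
        print(f"{name}: NOT DETECTED")
    print(f"{len(report['unattributed'])} alert(s) outside any scenario window")
```

Beyond a yes/no per scenario, the attributed alert's `action` field is what Activity 4 asks about: a scenario that only produced an "info" entry, or was quarantined without anyone being notified, counts as identified but not effectively communicated.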

Activity 5 – Evaluate the quality of solutions by identifying software and/or hardware mechanisms for data protection, archiving and recovery

In Activity 5, we will identify the software and/or hardware protection, archiving and recovery mechanisms intended to restore the operation of an attacked IT system. We will then conduct a controlled test consisting of:

  • modification and/or destruction of data,
  • recovery of that data.

These activities are aimed at assessing the quality of the recovery solutions in the event that attackers carry out a successful attack resulting in the modification and/or destruction of data. In addition, we will analyse the configuration of the identified solutions, in accordance with the scope presented in the following pages of the offer.

The antimalware effectiveness tests will be carried out on a sample workstation and server with the antimalware solution configured for its full range of protection (e.g. mailbox protection, local antivirus, firewall).
The work will be carried out using the test files and leading commercial and non-commercial tools for security analysis of the IT environment. The prepared test scenarios will be agreed with you before the work in this area starts, and we will do our best to reduce the risk of unforeseen consequences of the tests.
However, since an antimalware solution is being tested, we recommend making a backup copy of the solution under test and of the devices submitted for testing before the work begins.

Customer benefits:

The customer receives a comprehensive assessment of the effectiveness of its antimalware systems, together with the list of scenarios that went undetected, which translates into increased data and infrastructure security.

Features and Specifications:

The service uses up-to-date testing methods, including attack simulation and leading security analysis tools.

For whom it is intended:

The service is aimed at IT managers and cybersecurity professionals who want to increase the protection of their systems against malware.

Application examples:

Ideal for testing the effectiveness of antimalware solutions in a variety of IT environments, both in large corporations and smaller enterprises.

Contact:

Contact us to discover how our end-to-end IT solutions can revolutionize your business, increasing security and efficiency in every situation.
