SE Labs

Posts filed under 'targeted attacks'

Latest security tests introduce attack chain scoring

When is a security breach serious, less serious or not a breach at all?

Latest reports now online.

UPDATE (29/10/2018): This set of reports is confirmed to be compliant with AMTSO Standard v1.0 by the Anti-Malware Testing Standards Organization.


Our endpoint protection tests have always included targeted attacks.

These allow us to gauge how effectively anti-malware products, in use by millions of customers, can stop hackers from breaching your systems.

We penalise products heavily for allowing partial or full breaches and, until now, that penalisation has been the same regardless of how deeply we’ve been able to penetrate into the system. Starting with this report we have updated our scoring to take varying levels of ‘success’ by us, the attackers, into account.

The new scores only apply to targeted attacks and the scoring system is listed in detail on page eight of each of the reports.

If the attackers are able to gain basic access to a target, which means they are able to run basic commands that, for example, allow them to explore the file system, then the score is -1.

The next stage is to attempt to steal a file. If successful there is a further -1 penalty.

At this stage the attackers want to take much greater control of the system. This involves increasing their account privileges – so-called privilege escalation. Success here turns a bad situation worse for the target and, if achieved, there is an additional -2 penalty.

Finally, if escalation is achieved, certain post-escalation steps are attempted, such as running a key logger or stealing passwords. A final -1 penalty is imposed if these stages are completed, so possible scores for a breach range from -1 to -5, depending on how many attack stages can be completed.

We have decided not to publish exact details of where in the attack chain each product stands or falls, but have provided that detailed information to the companies who produce the software tested in this report and who have asked for it.

If you spot a detail in this report that you don’t understand, or would like to discuss, please contact us via our Twitter or Facebook accounts.

SE Labs uses current threat intelligence to make our tests as realistic as possible. To learn more about how we test, how we define ‘threat intelligence’ and how we use it to improve our tests please visit our website and follow us on Twitter.

Our latest reports, for enterprise, small business and home users are now available for free from our website. Please download them and follow us on Twitter and/or Facebook to receive updates and future reports.

SE Labs introducing cyber security to schools

It’s widely acknowledged that the cyber security workforce needs more talented young people to engage. Just as we, at SE Labs, want to help fix information technology security by testing products and services, we also want to encourage an interest among young people, hopefully igniting a passion for understanding and defending against hacking attacks.

We test next-gen security products AND encourage the gen-next!

Our attempt to enable young people to progress from complete novice, through getting their first job, to reaching the top of the industry is an initiative to bring about the needed change and fill the gaps.

As part of our new corporate social responsibility programme we set up an event at Carshalton Boys Sports College to introduce the concept of cyber security and its career prospects to the students.

Around 15 participants, ranging from year 10s to sixth formers (aged 16-18), attended the main presentation, and all year groups approached us at the stand we set up.

We outlined various topics in the presentation including the different types of cybercrime and attacks; and institutions offering free and paid courses to certain age groups on cyber security, aimed at students.

We also addressed how to break into the cyber security sector; what positions are available in the industry; and how employees are in high demand in both public and private sectors, part- and full-time, in virtually every industry in countries around the world.

Then we went through a test run of a targeted attack to demonstrate what it looks like and what it means.

“Why do we use Kali Linux?”, “What should I do to get into cyber security?”, “What are the skills required?”, were a few curious questions asked by the students at the end of the presentation.

Those who came over to the stand wanted to know who we were, what we do and simply, “what is cyber security?”

They were interested in who our clients are (we gave limited answers due to NDAs), what they need us for and how we managed to get this far. A lot of these questions were asked by the younger years, who were inquisitive to learn more about this subject. Positive!

Feedback from the college:

On behalf of the Governors, Head Principal, students and parents of Carshalton Boys Sports College, I would like to thank you for your valued input, helping to make our Directions and Destinations Day a great success.

Our staff work tirelessly to open our students’ minds to the possibilities available to them, but without the support of partners like you, that job would be impossible. Together we had the school filled with a sense of purpose all day and responses we have had from students and parents have shown us that the day has inspired our students. 

We have already started thinking about the future and would be grateful if you have any suggestions about how we might make things even better next year. 

Thank you once again for giving your time, energy and expertise last week.

Well, yes! A career in cyber security is a journey for sure, but a worthwhile one. And in the end, it’s more about people than machines, as a mind’s software can be more powerful than any hardware.

Pooja Jain, March 2018

Network security appliances vs. Word and PowerShell

Over the last few months we have seen a surge in attacks using apparently innocent documents that install malware covertly on victims’ systems.

Unless you are running specialist monitoring tools, or very effective security software, you probably won’t see any symptoms of the attack.

The goals of these attacks are varied. In some cases they provide remote access to hackers. In others so-called cryptocurrency mining software is installed. These programs (ab)use your systems’ processing power in an attempt to generate cryptocurrencies such as Monero. The attackers get rich off your power bill.

While there are variations in how the attacks work, the typical path to compromise involves opening the document, which could be in Microsoft Word format, after which an exploit runs a PowerShell script. This, in turn, downloads and installs the malware.

In this report we investigate how effective some very popular network security products are at handling these and other threats.

As usual, we have also thrown in some particularly devious targeted attacks that appear to be completely legitimate applications but that provide us with remote access to unprotected targets. When we gain this access we try to hack the target in the same way a real attacker would. This gives the security products the best chance of detecting and potentially blocking the bad behaviour.

The good news is that all of these products were able to detect many (if not all) of the threats. Some were able to block most, although complete protection is not guaranteed. As always, a layered approach to protection is best. For advice on which endpoint software to choose see our Endpoint Protection test results on our website.

Latest report (PDF) now online.

What’s the difference between SE Labs and a cyber-criminal?


As we prepared this network security appliance report for publication we were also getting ready to present at BT’s internal security conference Snoopcon.

We had been asked to talk about security products and how they might not do what you assume they will.

Reports like this (PDF) provide an interesting insight into how security products actually work. Marketing messages will inevitably claim world-beating levels of effectiveness, while basic tests might well support these selling points. But when you actually hack target systems through security appliances you sometimes get a very different picture.

Some vendors will support the view that testing using a full attack chain (from a malicious URL pushing an exploit, which in turn delivers a payload that finally provides us with remote access to the system) is the right way to test. Others may point out that the threats we are using don’t exactly exist in the real world of criminality because we created them in the lab and are not using them to break into systems worldwide.

We think that is a weak argument. If we can obtain access to certain popular, inexpensive tools online and create threats then these (or variants extremely close to them) are just as likely to exist in the ‘real world’ of the bad guys as in a legitimate, independent test lab. Not only that, but we don’t keep creating new threats until we break in, which is what the criminals (and penetration testers) do. We create a set and, without bias, expose all of the tested products to these threats.

But in some ways we have evolved from being anti-malware testers to being penetration testers, because we don’t just scan malware, execute scripts or visit URLs. Once we gain access to a target we perform the same tasks as a criminal would do: escalating privileges, stealing password hashes and installing keyloggers. The only difference between us and the bad guys is that we’re hacking our own systems and helping the security vendors plug the gaps.

Latest report (PDF) now online.

Tough test for email security services


Our latest email cloud security test really challenged the services under evaluation.

Latest report now online.

Last summer we launched our first email cloud security test and, while it was very well received by our readers and the security industry as a whole, we felt that there was still work to do on the methodology.

This report shows the results of six months of further development, and a much clearer variation in the capabilities of the services under test.

The most significant change to the way we conducted this test lies in the selection of threats we used to challenge the security services: we increased the number and broadened the sophistication.

Whereas we might have used one fake FBI blackmail email previously, in this test we sent 10, each created using a different level of sophistication. Maybe a service will detect the easier versions but allow more convincing examples through to the inbox?

We wanted to test the breaking point.

We also used a much larger number of targeted attacks. There was one group of public ‘commodity’ attacks, such as anyone on the internet might receive at random, but also three categories of crafted, targeted attacks including phishing, social engineering (e.g. fraud) and targeted malware (e.g. malicious PDFs).

Each individual attack was recreated 10 times in subtly different but important ways.

Attackers have a range of capabilities, from poor to extremely advanced. We used our “zero to Neo” approach to include basic, medium, advanced and very advanced threats to see what would be detected, stopped or allowed through.

The result was an incredibly tough test.

We believe that a security product that misses a threat should face significant penalties, while blocking legitimate activity is even more serious.

If you’re paying for protection, threats should be stopped and your computing experience shouldn’t be hindered. As such, services that allowed threats through, and blocked legitimate messages, faced severe reductions to their accuracy ratings and, subsequently, their chances of winning an award.

Intelligence-Led Testing

We pay close attention to how criminals attempt to attack victims over email. The video below shows a typically convincing attack that starts with a text message and ends by stealing enough information to clean out a bank account.

Hacked! Will your anti-malware protect you from targeted attacks?


The news isn’t good. Discover your best options in our latest reports.

Latest reports now online.

Criminals routinely create ingenious scams and indiscriminate attacks designed to compromise the unlucky and, occasionally, foolish. But sometimes they focus on a specific target rather than casting a net wide in the hope of landing something interesting.

Targeted attacks can range from basic, like an email simply asking you to send some money to an account, through to extremely devious and technical. If you received an email from your accountant with an attached PDF or Excel spreadsheet would you open it?

Most would, and all that then stands between them and a successful hack (because the email was a trick and contained a dodgy document that gives remote control to the attacker) is the security software running on their PC.

In this test we’ve included indiscriminate, public attacks that come at victims from the web and via email, but we’ve also included some devious targeted attacks to see how well-protected potential victims would be.

We’ve not created any new types of threat and we’ve not discovered and used ‘zero day’ attacks. Instead we took tools that are freely distributed online and are well-known to penetration testers and criminals alike. We used these to generate threats that are realistic representations of what someone could quite easily put together to attack you or your business.

The results are extremely worrying. While a few products were excellent at detecting and protecting against these threats, many more were less useful. We will continue this work and report any progress that these companies make in improving their products.


Network appliances vs. targeted attacks


There have been so many publicised data breaches in 2017 that we didn’t even have enough space in our latest report to provide a basic summary. In many cases a business network was breached. Business networks comprise endpoints (usually Windows PCs), servers, Point of Sale computers and a range of other devices.

Latest reports now online.

In this report (PDF) we explore the effectiveness of network appliances designed to detect and block attacks against endpoint systems.

One approach to compromising a business is to hack an endpoint (PC) and then to use it as a platform from which to launch further attacks into the network. For example, rather than going straight for a company’s main servers, why not trick a user into infecting his/her computer with malware? We can then scan and infect the entire network, stealing information, causing damage and generally behaving in ways contrary to the business’ best interests.

There is some really good endpoint software available, as we see in our regular Endpoint Protection tests, but nothing is perfect and any extra layers of security are welcome. If one layer fails, others exist to mitigate the threat. In this report we explore the effectiveness of network appliances designed to detect and protect against attacks against endpoint systems.

The systems we have tested here are popular appliances designed to sit between your endpoints and the internet router. They are designed to detect, and often protect against, threats coming in from the internet or passing through the local network. Their role is to stop threats before they reach the endpoints. If they fail to stop a threat, they might learn that an attack has happened and generate an alert, while subsequently blocking future, similar attacks.

There are no guarantees that technology will always protect you from attackers, but our results show that adding layers of security is an effective way to improve your prospects when facing general and more targeted attacks.

100% Certifiable


Whether you’re in the market for a car, hamburger or computer security product, certifications are useful. They don’t tell you how smooth the car drives, how tasty the sandwich is or how completely accurate the anti-virus software will be, but certifications indicate a general level of competence.

Latest reports now online.

In the UK new cars must be certified by the Vehicle Certification Agency (VCA), restaurants are checked for hygiene by the Food Standards Agency (FSA) and various independent testing organisations, including SE Labs, test IT security products for basic functionality.

A certification emphatically does not indicate the overall quality of a product, though. The FSA specifically states that, “The food hygiene rating is not a guide to food quality.” In other words, the food won’t make you ill, but you might not like it! Similarly, the VCA cares more about cars being made according to specification rather than how nice they look.

SE Labs has a range of available testing services. We consider certification to be the most basic type of testing. If a product claims to be able to detect malware then we can test that, but we don’t claim it can detect all types. For a higher level of understanding about a product’s capabilities so-called ‘real-world’ testing is necessary.

The report you are reading now is based on our more advanced testing, which exposes real products to live threats in a realistic environment, running on real computers on an internet-connected network.

But how can you be sure that we’re really doing that, and not just making up the figures or giving some products an unfair advantage? After all, some companies contribute financially to supporting the tests, while others do not.

To go some way to addressing this concern, as well as to improve generally and continue to evolve the business, SE Labs has achieved ISO 9001:2015 certification for “The Provision of IT Security Product Testing”. We think it’s fair for the testers to be tested and we’re very proud to have passed!

Anatomy of a Phishing Attack

Who attacked a couple of Internet pressure groups earlier this year? Jon Thompson examines the evidence.

For those of us engaged in constructing carefully-crafted tests against client email filtering services, the public details of an unusually high-quality spear-phishing attack against a low value target make for interesting reading.

In this case, there were two targets: Free Press, and Fight for the Future. The attack, dubbed “Phish for the Future” in a brief analysis by the Electronic Frontier Foundation, is curious for several reasons.

Free Press is a pressure group campaigning for an open internet, fighting media consolidation by large corporations, and defending press freedom. Fight for the Future works to protect people’s basic online freedoms. Objectively, they’re working for a better online future, which makes the whole affair stand out like a pork buffet at a bar mitzvah.

The first thing that struck me was that the emails were apparently all sent during office hours. The time zones place the senders anywhere between Finland and India, but apparently resolve to office hours when normalised to a single zone.

Another interesting aspect is that even though the emails were sent on 23 active days, the attackers didn’t work weekends. This immediately marks them out as unusual. Anyone who’s run an email honeypot knows that commodity spam flows 24 hours a day.
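
The timing check described above can be run against the Date headers of any set of suspicious messages. This is an added example, not code from the original post or the EFF analysis; the sample headers are constructed, and the function names and the 09:00-17:00 weekday window are assumptions.

```python
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers (not taken from the EFF report). The claimed
# offsets range from +02:00 (Finland in winter) to +05:30 (India).
SAMPLE_DATES = [
    "Fri, 07 Jul 2017 12:05:00 +0300",
    "Mon, 10 Jul 2017 16:20:00 +0530",
    "Tue, 11 Jul 2017 15:40:00 +0200",
    "Wed, 12 Jul 2017 19:50:00 +0300",
    "Thu, 20 Jul 2017 17:15:00 +0530",
    "Tue, 08 Aug 2017 16:30:00 +0200",
]


def parse_dates(date_headers):
    """Parse RFC 5322 Date headers into timezone-aware datetimes."""
    parsed = []
    for header in date_headers:
        dt = parsedate_to_datetime(header)
        if dt.tzinfo is None:
            # "-0000" means "offset unknown"; treat the clock value as UTC.
            dt = dt.replace(tzinfo=timezone.utc)
        parsed.append(dt)
    return parsed


def in_office_hours(local_dt, start=9, end=17):
    """True if the timestamp falls Monday-Friday within [start, end)."""
    return local_dt.weekday() < 5 and start <= local_dt.hour < end


def claimed_fraction(date_headers):
    """Office-hours fraction taking each header's claimed offset at face value."""
    times = parse_dates(date_headers)
    return sum(in_office_hours(t) for t in times) / len(times)


def office_fraction(date_headers, offset_hours):
    """Office-hours fraction after normalising every message to one zone."""
    zone = timezone(timedelta(hours=offset_hours))
    times = [t.astimezone(zone) for t in parse_dates(date_headers)]
    return sum(in_office_hours(t) for t in times) / len(times)


def best_single_zone(date_headers):
    """Return (offsets, score): the UTC offsets that best fit a working day."""
    scores = {off: office_fraction(date_headers, off) for off in range(-12, 15)}
    best = max(scores.values())
    return sorted(off for off, score in scores.items() if score == best), best


def weekend_messages(date_headers, offset_hours):
    """Count messages that land on Saturday or Sunday in the chosen zone."""
    zone = timezone(timedelta(hours=offset_hours))
    return sum(t.astimezone(zone).weekday() >= 5 for t in parse_dates(date_headers))


if __name__ == "__main__":
    offsets, score = best_single_zone(SAMPLE_DATES)
    print("claimed zones, office-hours fraction:", claimed_fraction(SAMPLE_DATES))
    print("best single zone(s):", offsets, "fraction:", score)
    print("weekend messages:", weekend_messages(SAMPLE_DATES, offsets[0]))
```

The Date header is written by the sender, so the Received timestamps added by your own mail server are a more reliable input for the same analysis.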

The attackers first tried generic phishing expeditions, but quickly cranked up their targeting and psychological manipulation. This begs an interesting question: If you’re an experienced, professional, disciplined crew, why jeopardise the operation by beginning with less convincing samples that may alert the target to be on the lookout? Why didn’t they simply start with the good stuff, get the job done, and move on?

One possible explanation is that the attackers were trainees on a course, authorised to undertake a carefully controlled “live fire” exercise. Psychologically manipulative techniques such as pretending to be a target’s husband sending family photos, or a fan checking a URL to someone’s music, imply a level of confident duplicity normally associated with spying scandals.

The level of sophistication and persistence on display forms a shibboleth. It looks and smells somehow “wrong”. The published report reveals an attention to detail and target reconnaissance usually reserved for high value commercial targets. Either the attackers learn at a tremendous rate through sheer interest alone, or they’re methodically being taught increasingly sophisticated techniques to a timetable. If it was part of a course, then maybe the times the emails were sent show a break for morning coffee, lunch and afternoon tea, or fall into patterns of tuition followed by practical exercises.

The timing of the complete attack also stands out. It began on 7th July, ended on 8th August, and straddled the Net Neutrality Day of Action (12th July). With a lot happening at both targets during that time, and one assumes a lot of email flying about, perhaps the attackers believed they stood a better chance when the staff were busiest.

So, to recap, it looks like highly motivated yet disciplined attackers were operating with uncommonly sophisticated confidence against two small online freedom groups. Neither target has the business acumen of a large corporation, which rules out criminal gain, and yet an awful lot of effort was ranged against them.

The product of phishing is access, either to abuse directly or to be sold to others. Who would want secret access to organisations campaigning for online freedom? Both targets exist to change minds and therefore policy, which makes them political. They’re interesting not only to governments, but also to media companies seeking to control the internet.

I’m speculating wildly, of course. The whole thing could very easily have been perpetrated by an under-worked individual at a large company, using their office computer and keeping regular hours to avoid suspicion. The rest is down to ingenuity and personal motivation.

We’ll never know the truth, but the supporting infrastructure detailed in the EFF report certainly points to some considerable effort over a long period of time. If it was an individual, he’s out there, he’ll strike again, and he learns fast. In many ways, I’d prefer it to have been a security service training new recruits.

Next-generation firewalls: latest report


Using layers of security is a well-known concept designed to reduce the chances of an attacker succeeding in breaching a network. If one layer fails, others exist to mitigate the threat.

Latest reports now online.

In this report (PDF) we explore the effectiveness of network appliances designed to detect and block attacks against endpoint systems.

The systems we have tested here are popular appliances designed to sit between your endpoints and the internet router. They are designed to detect, and often protect against, threats coming in from the internet or passing through the local network.

Their role is to stop threats before they reach the endpoints. If they fail to stop a threat, they might learn that an attack has happened and generate an alert, while subsequently blocking future, similar attacks.

In some cases an appliance will take information it considers suspicious and send it to a cloud-based service for further analysis. In this way it might allow a threat through the first time, explore it more deeply using the cloud service and send back information to the appliance so that it will block that same (or similar) attack in future.

It’s a little like an immune system.

As immune systems adapt to protect against known threats, so threats adapt in an arms race to defeat protection mechanisms. This report includes our first public set of network security appliance results.

Future reports will keep you updated as to how well the industry competes with the bad guys in the real world.

About

SE Labs Ltd is a private, independently-owned and run testing company that assesses security products and services. The main laboratory is located in Wimbledon, South London. It has excellent local and international travel connections. The lab is open for prearranged client visits.

Contact

SE Labs Ltd
Hill Place House
55A High Street
Wimbledon
SW19 5BA

020 3875 5000

info@selabs.uk
