A more experienced security analyst or threat intelligence analyst should be comfortable with malware research and even reverse engineering. This not only provides the analyst with valuable skills and knowledge, it also builds up a profile of who the adversaries are and what they are trying to achieve. That profile, in turn, allows proactive measures to be taken against the observed attack methods, for instance by blacklisting related or observed malicious domains or by writing customized Intrusion Prevention signatures.
Malware analysis is not without risk, however. A completely isolated network and sandbox system are needed to prevent the malware from accidentally spreading into the production network. A simple configuration mistake or a shortcut taken for convenience could lead to a company-wide outbreak.
Another risk to take into consideration is the potential for the sandboxed malware to beacon back to the attacker’s infrastructure. This will leave a trail for that attacker to follow back to a potentially compromised network. The attacker can then check for already infected machines or try to slightly adjust the attack method, based on the (partially) failed first attempt.
The use of a third-party cloud platform is the perfect solution for all these issues. Other than a web interface or some form of remote desktop (for instance via RDP or VNC), there is no need for any other connection between the production network and the cloud platform. Any return communication from the tested malware back to the initial attacker will also be anonymous and hard to trace back to the intended target: the source would simply be the cloud platform in which the test environment operates.
Not only are specialized Cloud Service Providers such as Microsoft and Amazon more open to malware analysis inside their platform these days, some security vendors such as FireEye and Cisco have also launched cloud integration in their flagship products. In the latter case, detected files are uploaded to their cloud systems for external analysis. Results are then compared to threat intelligence collected from all customers, after which a more informed decision can be made on the risk level of the file.
Penetration testing comes in many flavors, but quite often the tests are conducted from a system outside the target's network, simulating an external attacker. Security companies specializing in penetration testing may have their own infrastructure set up, but they can also benefit from the use of cloud platforms. Vendors such as Microsoft and Amazon offer, for instance, Kali Linux and several vulnerability scanners such as Tenable Nessus as pre-configured virtual machine images. The flexibility and relatively low on-demand costs have made this option very accessible.
There is another difference, however. If the penetration tester uses the security company's own infrastructure, the attack usually originates from a known IP that the target company can (temporarily) suppress or block in response to the test. For a more thorough test or a red team exercise, this might not create a realistic scenario, because attackers quite often leverage cloud platforms for their attacks. Companies are simply too risk-averse to block an entire IP range or subnet belonging to, for instance, Amazon or Azure, since that could take down legitimate services; this leaves an opening that is often exploited by more sophisticated attackers.
One of the most important roles of any security professional is to ensure the availability and integrity of security logs. Not only are these logs critical from an operational perspective (reporting, analysis, threat hunting, correlation), most companies also need to adhere to compliance regulations around the retention of this data. When it comes to cost per gigabyte and redundancy options, cloud solutions tick all the boxes. Because the storage is off-site, the data is also much more secure in case an attacker tries to hide his tracks by directly targeting the logs.
Proofs of concept
A cloud environment is a perfect platform to build and test systems without affecting the company's production environment. Security professionals working in architecture or design, or even those troubleshooting an issue with, for instance, a firewall cluster, can quickly set up an environment to prove whether a specific outcome can be achieved. Virtual machines, virtual appliances and virtual networks avoid the delays and costs associated with sourcing the required hardware and software, and once the proof of concept is completed, the environment can simply be reset or removed.
This concept ties in with penetration testing as well: an application or environment can be cloned into a cloud instance where security exploits and their impact can be safely tested, even during production hours.
Virtual labs and Training
Every security professional knows that he or she has signed up for a life of training and learning. Whether this training is formal or informal, without it the battle between new threats and new defensive technologies is lost. Virtualization products such as VMware, VirtualBox, GNS3 and Hyper-V have allowed anyone to set up an affordable local training and test lab since the late 1990s. The downside is that local virtualization requires high-end hardware: a premium laptop, a high-end PC or even a (partially) full server rack. Cloud technologies, however, have made virtualization even more flexible, without the need for any on-premises hardware. Amazon AWS offers a free low-end environment for testing, and for a few dollars per month many other providers offer VPS systems as well.
Cloud solutions also significantly enhance accessibility to the platform. A security professional has access to the lab from anywhere and only needs an internet connection. For this same reason, vendors and specialized training providers offer training via a cloud model these days, greatly enhancing the accessibility of their offerings while reducing the requirements for the customer.
There simply is no way around it; the cloud is here to stay and has become invaluable to any security professional.