The NCSC are giving away free malware simulators
The NCSC’s Exercise in a Box includes a simulator that lets you mimic a common malware command and control technique on your own network. The simulator is just one of several exercises that make up “Exercise in a Box”, which is available free of charge from the NCSC. The majority of the scenarios are run in a tabletop format, but this simulator lets the exercises test your technical security controls as well as your processes.
This means you now have a free tool to test how your security team actually performs when responding to an incident, rather than how they believe they would. This is useful for organisations with well-established teams that already conduct threat hunting, and it gives organisations with less mature cyber security programmes a clear target to aim for. And it’s great for team building!
Most people are aware that anti-virus can help detect and prevent malware. Unfortunately, many anti-virus products rely on signatures and so only reliably detect malware that is already known to the security industry. Novel or customised malware, and attacker activity that does not involve a malicious file at all, can slip past them. This is one reason why complementary approaches, such as the ones the NCSC exercise will force you to use, are so important.
Here’s how it works. You first need to register for an account with the NCSC “Exercise in a Box” service. Search for “Exercise in a Box” and select the NCSC page. Once you have completed the registration and logged in, you can choose the type of exercise you want to run.
We’ll select the cyber threat simulation exercise. It is intended to be run over half a day and tests your IT or security team’s ability to detect a common method of malware command and control.
I’m not going to go into any detail about the exact scenario, because that would reduce the training benefit for those who take part, particularly if they stumble across this post while “preparing” for (that is, googling) the exercise.
What I can say is that, while it is a relatively simple example, it tests some key tasks that your security team should be able to perform quickly and easily. If your security team lack the training, tools, access or experience to do this, you’ll find out within 3 to 4 hours. In this respect the simplicity of the example does not matter. The simulator also gives you the reason and purpose to begin learning the tools and techniques you’d need to complete the exercise successfully.
If you’re the person in an overstretched IT or security team, I’d recommend running through this exercise with the support of your management, even if you know you’re going to fail. This might not sound like a wise career move, but if you can’t complete this exercise successfully then you’re lacking either the training, the tools, the access or the experience, or all four. That is a key risk your organisation’s leadership needs to be aware of.
This exercise ‘failure’ should provide the evidence, backed up by the NCSC, for why you need those resources. The fact that this is the only (first of many?) simulation they have chosen to publish should lend some weight to how important they think it is, and how important you should think it is too.