I. Introduction
In this article, I will introduce the use of virtualization technology to mitigate the threats that arise when running suspicious software and tools, by leveraging the isolation a virtual machine provides, the ability to create snapshots, and the option to encrypt virtual machines.
To keep the host PC clean, virtual machines are worth using in cases such as these:
- You need to run software on your PC safely. You want to use a program but are unsure about its safety, for example shareware, something downloaded from a torrent site, or tools sourced from non-reputable providers.
- You need a place to safely test a malware file.
- Red teamers or pentesters want to experiment with tools or techniques related to their field, and build labs to practice attack and defense skills.
- Software developers want to test their products, especially when the product changes system configuration.
This is the third article in a series on OPSEC. The series covers basic security measures to protect sensitive files from data breaches.
II. Going Deeper
1. What is a virtual machine
A virtual machine (VM) is a software emulation of a physical computer. It allows you to run an operating system and applications just like you would on a physical machine, but it operates within a software environment.
For our purposes regarding OPSEC, the greatest benefit of using virtual machines is the aspect of isolation. Each VM is isolated from the host system and other VMs, providing a secure and controlled environment.
The simplest example is downloading a utility from the Internet. Suppose it is infected with ransomware: if you run it in a virtual machine, only the virtual machine becomes infected instead of your computer suffering a ransomware attack. You can delete that machine completely without any harm done.
However, even virtualization technology is not entirely safe. There is still a possibility that your system could face a virtual machine escape attack, so it is important to keep the host and the virtualization software updated regularly.
Some practical examples of virtual machine escape attacks include:
The VENOM vulnerability, also known as Virtualized Environment Neglected Operations Manipulation (VENOM), is a critical security flaw discovered in 2015. It affects several virtualization platforms, including QEMU, KVM, Xen, and VirtualBox.
CVE-2022-31705 is a heap out-of-bounds write vulnerability in VMware ESXi, Workstation, and Fusion. It affects the USB 2.0 controller (EHCI) and can be exploited by a malicious actor with local administrative privileges on a virtual machine to execute code as the VMX process running on the host.
2. Virtualization Technology: Software on Windows
Below are some virtualization software options on Windows that I have used and found suitable for supporting OPSEC on my personal computer.
- VMware Workstation Pro: Free for personal use, supports GPU virtualization, and offers robust features.
- Oracle VirtualBox: Open-source and free, with good performance and support for various operating systems.
- Hyper-V: Built into Windows Server and Windows 10/11 Pro editions, providing a solid virtualization solution.
You can choose whichever software you find convenient and comfortable to use; the best virtual machine software is the one you are most comfortable with. However, it must support creating snapshots and encrypting virtual machines.
3. Use virtualization software for your OPSEC purposes
I will use VMware Workstation as an example, not because I want to advertise this software, but because I am currently using it. Other software will have similar functions, and you can find many detailed step-by-step guides on the Internet.
Assuming I have created a new virtual machine, the next step is to create a VM snapshot and use this feature to safely test a malware file.
However, before that, we should briefly understand the snapshot function.
A. What is a virtual machine snapshot?
A virtual machine snapshot is a point-in-time copy of the VM's state and data. It captures the entire state of a VM, including its memory, disk, and settings, at a specific moment, and allows you to revert to that state later if needed.
Some key points about snapshots:
- Backup: They provide a way to back up the current state of a VM before making changes, such as software updates or configuration changes.
- Testing: You can take a snapshot before testing new software or configurations, allowing you to easily revert back if something goes wrong.
- Disaster Recovery: In case of a failure or corruption, you can restore the VM to the last known good state.
- Development: Developers can use snapshots to create multiple environments for testing different scenarios without affecting the main system.
Red teams use virtual machines (VMs) for several reasons:
- VMs provide a controlled and isolated environment for testing and executing attacks without risking the host system.
- VMs can be used to maintain persistence on a compromised system, allowing red teams to continue their operations even after reboots.
- VMs can be used to pivot and move laterally within a private network, simulating real-world attack scenarios.
- VMs serve as a sandbox for deploying and testing various attack techniques and tools in a safe environment.
The workflow is quite simple. You need to use a software application but are unsure of its safety. First, you create a virtual machine snapshot, then install and use the software you need. When you are done, you revert the virtual machine to the snapshot you just created, and everything related to the suspicious software is completely erased.
B. Managing virtual machine snapshots
How to create a virtual machine snapshot:
In the main window of VMware Workstation, click on the "VM" menu, then select "Snapshot".
In the submenu, click on "Take Snapshot".
Next, enter a "Name" and "Description" for this snapshot. It is advisable to choose memorable names, such as "before installing A", "before modifying XY", and so on.
Before you power on a virtual machine, VMware Workstation displays which snapshot the machine is currently running from.
How to revert to a VM snapshot:
In the main window of VMware Workstation, click on the "VM" menu, then select "Snapshot". In the submenu, click on "Snapshot Manager".
In the "Snapshot Manager" window, select the snapshot you want to revert to, and then click "Go To".
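As an added example (not code from the original article or from VMware), the same snapshot, test, revert cycle can be scripted with vmrun, the command-line utility that ships with VMware Workstation; the .vmx path and snapshot name are placeholders, and vmrun is assumed to be on PATH.

```python
"""Snapshot-guarded test run of suspicious software in a VMware Workstation VM,
driven through VMware's vmrun CLI (assumed on PATH; paths below are placeholders)."""
import subprocess
from pathlib import Path
from typing import List, Optional

VMRUN = "vmrun"                             # assumed on PATH
VMX = Path(r"C:\VMs\sandbox\sandbox.vmx")   # placeholder, not a real path

def vmrun_cmd(action: str, vmx: Path, *args: str,
              vm_password: Optional[str] = None) -> List[str]:
    """Build a vmrun command line for Workstation (-T ws). A VM encrypted as in
    section C needs its password passed with -vp."""
    cmd = [VMRUN, "-T", "ws"]
    if vm_password:
        cmd += ["-vp", vm_password]
    return cmd + [action, str(vmx), *args]

def parse_snapshot_list(output: str) -> List[str]:
    """Parse 'vmrun listSnapshots' output: a 'Total snapshots: N' header, then one
    snapshot name per line. Raises ValueError if the header count disagrees."""
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("Total snapshots:"):
        raise ValueError(f"unexpected vmrun output: {output[:80]!r}")
    expected = int(lines[0].split(":", 1)[1])
    names = lines[1:]
    if len(names) != expected:
        raise ValueError(f"header says {expected} snapshots, got {len(names)}")
    return names

def run(cmd: List[str]) -> str:
    """Run a vmrun command and return its stdout; a non-zero exit raises."""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

def guarded_test(vmx: Path, snapshot: str, vm_password: Optional[str] = None) -> None:
    """Snapshot the powered-off VM, let the user test inside it, then discard
    everything that happened by stopping the VM and reverting to the snapshot."""
    pw = {"vm_password": vm_password}
    if snapshot in parse_snapshot_list(run(vmrun_cmd("listSnapshots", vmx, **pw))):
        raise SystemExit(f"snapshot {snapshot!r} already exists; choose a fresh name")
    run(vmrun_cmd("snapshot", vmx, snapshot, **pw))          # e.g. "before installing A"
    run(vmrun_cmd("start", vmx, "gui", **pw))
    input("Test the suspicious software in the VM, then press Enter to revert: ")
    run(vmrun_cmd("stop", vmx, "hard", **pw))                # do not trust a clean shutdown
    run(vmrun_cmd("revertToSnapshot", vmx, snapshot, **pw))  # back to the clean state

if __name__ == "__main__":
    guarded_test(VMX, "before installing suspicious-tool")
```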
C. Encrypting and protecting virtual machines
Although it is strongly discouraged to store sensitive data on a virtual machine, there are sometimes exceptions to this rule.
Situations where it may be necessary:
- Testing and Development: When developing and testing applications that handle sensitive data, it might be necessary to use real data to ensure accurate results.
- Isolation: Using a VM for sensitive tasks can provide an isolated environment, reducing the risk of data leakage from the host system.
- Regulatory Compliance: Certain regulatory requirements might necessitate the use of VMs for specific tasks while ensuring data encryption and access controls.
- Quick Deployment: you just need to install the necessary services on the virtual machine and then copy this VM to the network where you need to deploy the services.
- Centralized Management: use cloud computing virtualization to deploy and manage machines for users.
When faced with these situations, the virtual machines should be encrypted to enhance security. Encryption ensures that the data within the VM is secure and cannot be easily accessed by unauthorized individuals, even if the physical host is compromised. A password is required to decrypt these VMs before they can be used.
To encrypt a virtual machine in VMware Workstation, follow these steps:
- Power off the VM you want to encrypt.
- Select the virtual machine and click on “VM” > “Settings”.
- On the “Options” tab, select “Access Control”.
- Click “Encrypt”.
- Choose the appropriate encryption type.
- Click “Encrypt”, type an encryption password, and click Encrypt again.
- Record the encryption password. If you forget it, there is no way to retrieve it.
- Click “OK” in the Virtual Machine Settings dialog box.
The encryption process can take some time depending on the size of the virtual machine. Once encrypted, the VM will be protected from unauthorized use.
III. Conclusion
In OPSEC, the use of virtualization technology, specifically virtual machines, greatly helps to minimize the exposure of sensitive data.
If you want a safe environment to test malware files or to run software safely on your PC, virtual machines will almost completely meet those requirements.
Although the risk is small, virtual machines can still be compromised and potentially infect the underlying physical device.
When using VMs, you should place them on a separate, isolated network or disconnect them from the network completely, and always apply patches for the virtualization software you are using regularly.
By creating a virtual machine snapshot, you can revert the state of the VM and completely eliminate any system changes made after using suspicious software.
Encrypting the virtual machine ensures that only those with the decryption password can use it.
Using VMs appropriately will significantly help you protect sensitive files and stay safe on the Internet.
Virtual machines are also an essential tool for red teamers and pentesters: testing red team software and building labs to practice lateral movement.