12/2/2015 10:40 AM

Startup Offers Free Cyberattack Simulation Service

Attack simulation emerging as a way to test network security on demand and without exploits.

First came penetration testing, then the tabletop exercise, and now attack simulation -- the relatively nascent practice of war-gaming attacks on your network to gauge how prepared (or not) you are, and where your weaknesses reside.

Unlike pen-testing, attack simulation doesn't run exploit code. It's more about simulating the way attackers do their dirty work, from composing a phishing email and infecting a machine to the path they take to access and then pilfer credit-card data out of a company. Attack simulation startup vThreat today announced free access to its software-as-a-service based applications.

The concept of simulating and providing a detailed postmortem of how an attacker could hack you is capturing some venture capital interest: Israel-based startup SafeBreach, which provides attack simulation via a platform model, recently raised some $4 million via Sequoia Capital and serial entrepreneur and angel investor Shlomo Kramer.

vThreat was founded by Marcus Carey, a former security researcher with Rapid7 and one of the architects of the US Department of Defense Cyber Crime Center's live network investigations course. Carey says vThreat simulates what an attacker could actually do to an organization's infrastructure, and shows the attack sequence through the hacker's eyes.

It's not a replacement for penetration testing. "We don't replace pen testing, but we do augment it and give blue teamers an opportunity to simulate adversaries, between penetration tests," Carey says.

"We do 80 percent of what a pen tester does, without exploitation," he says. The goal is to keep on top of your security posture between pen tests and attacks or attack attempts.

Carey says vThreat uses a JavaScript agent in its tools. The various attack apps can imitate the techniques and movements of an attacker, including the scanning of local systems and the theft of information. "We concentrate on the movements an attacker makes on the network," he says.

The new free vThreat Apps SaaS doesn't provide all of the detailed reporting and analytics and exclusive apps that the paid subscription offers, but it does include a full enterprise-wide breach option, with limited reporting, Carey says. A vThreat Pro annual subscription costs $4,995, and vThreat Enterprise is priced based on the size of an organization, he says.

Aside from a full enterprise-wide attack, the apps include specific attack scenarios such as SSN exfiltration, executable download, DNS tunneling, egress scanning, and a tool for testing the organization's incident response.

Andrew Hay, director of research at OpenDNS, says attack simulation lets companies probe the security of their network more regularly, especially as changes are made to the infrastructure. "If you add a new network security device, does it actually make a difference to your overall attackable surface area? Does one product work better than another for detecting or blocking specific threats?" he says. "[It] also provides a way to test the efficacy of your security program and that of your organization's ability to respond to incidents," he notes.

Services like vThreat's are more affordable for midsized companies that can't afford to hire full-time security testing talent, he says.

Guy Bejerano, CEO and co-founder of SafeBreach, describes his firm's attack simulation platform as a way for companies to deploy offensive security in order to root out their vulnerabilities to attack. In a recent blog post, he called it a "'red team' on a platform."

Here Are Your Security Holes. Now What?

The simulation service has a botnet that vThreat controls, according to Carey, for a realistic attack scenario. "We're not dropping any code or backdoors," he says, but the tests produce RAR files with sample credit-card files if the attack was able to find "blind spots" in the network.

The catch with these attack simulations is the response side of the equation, however. OpenDNS's Hay says what you do with the information and problems these tests expose is the big challenge for companies. "If you see that DNS tunneling can be used to exfiltrate data from your network, how do you stop it? What's the best course of action?" he says.
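Hay's question about what to do once a simulation shows DNS tunneling can exfiltrate data is, on the detection side, a log-analysis problem. The following Python is an added example, not code from vThreat, SafeBreach, or the article: it scores a constructed resolver log for tunneling indicators, namely repeated long, high-entropy subdomain labels under one registered domain. The log format, the thresholds, and the placeholder domain `exfil-test.invalid` are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample resolver log, "<timestamp> <client IP> <queried name>"; not from the article.
SAMPLE_LOG = """\
2015-12-02T10:40:01 10.0.0.5 www.example.com
2015-12-02T10:40:02 10.0.0.5 mail.example.com
2015-12-02T10:40:03 10.0.0.9 a3f9c2e1b7d4f6a8c0e2b4d6f8a0c2e4.t.exfil-test.invalid
2015-12-02T10:40:04 10.0.0.9 9b1d3f5a7c9e1b3d5f7a9c1e3b5d7f9a.t.exfil-test.invalid
2015-12-02T10:40:05 10.0.0.9 c4e6a8b0d2f4a6c8e0b2d4f6a8c0e2b4.t.exfil-test.invalid
2015-12-02T10:40:06 10.0.0.9 d5f7b9c1e3a5c7e9b1d3f5a7c9e1b3d5.t.exfil-test.invalid
2015-12-02T10:40:07 10.0.0.5 cdn.example.com
"""

def shannon_entropy(s):
    """Bits per character; encoded payloads score far higher than labels like 'mail'."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(name):
    """Last two labels. Assumption: a real deployment would use a public-suffix list."""
    return ".".join(name.rstrip(".").split(".")[-2:])

def score_dns_log(log_text, min_label_len=30, min_entropy=3.0, min_hits=3):
    """Return {domain: {"suspicious_queries": n, "clients": [...]}} for tunneling-like traffic."""
    per_domain = defaultdict(lambda: {"subs": set(), "hits": 0, "clients": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname = line.split()
        dom = registered_domain(qname)
        sub = qname[: -len(dom) - 1] if qname != dom else ""
        st = per_domain[dom]
        st["clients"].add(client)
        if not sub:
            continue
        st["subs"].add(sub)
        longest = max(sub.split("."), key=len)
        if len(longest) >= min_label_len and shannon_entropy(longest) >= min_entropy:
            st["hits"] += 1
    # Require several distinct encoded subdomains so a single odd CDN hostname is not enough.
    return {
        dom: {"suspicious_queries": st["hits"], "clients": sorted(st["clients"])}
        for dom, st in per_domain.items()
        if st["hits"] >= min_hits and len(st["subs"]) >= min_hits
    }
```

On the sample log only `exfil-test.invalid` is flagged; `example.com` has three distinct subdomains but none are long or high-entropy, so it passes.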

Carey says companies in the financial services, energy, healthcare, and software startup sectors are currently using its SaaS.

"The primary benefit I see is that these types of simulations allow for ongoing and scheduled testing of deployed technical controls" such as those of firewalls, IPS, proxies, and other systems, OpenDNS's Hay says. It also provides a way to measure whether adding a new security tool actually makes a difference, or which ones work better than others, he says.

"It's a fantastic 'product bake-off simulator,'" Hay says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
jeromeo1969, User Rank: Apprentice
2/9/2017 | 2:22:26 PM
Excellent!
This dovetails nicely into what I have thought all along. Penetration Testing shouldn't be a twice a year endeavor, instead Red Teams should be constantly attacking the environments they are protecting. There is no such thing as a static environment, and new vulnerabilities are being found all the time!
danelleau1, User Rank: Strategist
12/9/2015 | 2:35:51 PM
Re: Cyberattack Simulation Service
theb0x - I understand your question now. You are correct, it would not make sense to simulate "reconnaissance". But reconnaissance isn't the only way to attack an organization, i.e. insider threats etc. It is important to validate lateral movement and data exfiltration as well.

As for the architecture, there are various deployment options available. The SaaS model is the vThreat model, talk to Marcus. We (SafeBreach) have an on-premise model that doesn't require SaaS. Happy to chat offline. 
theb0x, User Rank: Ninja
12/9/2015 | 9:57:06 AM
Re: Cyberattack Simulation Service
The first phase of any cyberattack is always reconnaissance. This is public information gathered about the company. The second phase is enumeration. This is where systems can be port scanned and the querying of individual services are performed to identify specific systems of weaknesses. It is not until the exploitation phase is launched where the information identified as weaknesses can actually be confirmed.

A simulation of this does not really confirm any weaknesses discovered. There is also a high probability of false positives.

A cyberattack does not involve deploying SaaS agents internally to the network to gather information. This is not how reconnaissance and enumeration are performed. Also loading such an agent may very well be exploitable by an actual attack through its own weaknesses.

danelleau1, User Rank: Strategist
12/9/2015 | 4:00:18 AM
Re: Cyberattack Simulation Service
It's different from vulnerability assessment. Here you are simulating the actions of an attacker, and the breach methods used may or may not take advantage of a vulnerability. It's more like an automated red team on a platform. 
theb0x, User Rank: Ninja
12/8/2015 | 12:27:01 PM
Cyberattack Simulation Service
How is this any different than a vulnerability assessment? No exploits are actually launched and the probable damage is based on the value of a company's assets and the severity of a successful attack. That's what CVEs are for. Even running scans on a production network can have a negative impact depending on how many nodes and how aggressive it is. Even without using any exploit code things can and will still break.
Sara Peters, User Rank: Author
12/4/2015 | 11:35:55 AM
Good news for SMBs
This is something that SMBs could actually afford, and might teach them more about security than the average static monitoring software. But it could also be good for the larger companies if they actually do use it as an "in-between pen tests" maintenance tool. 
Joe Stanganelli, User Rank: Ninja
12/3/2015 | 5:36:28 AM
Counter to M&M Security
Sounds like a great service lest we become too complacent about M&M security (hard on the outside, soft inside). Security is not just about the outer gates; it's about everything that happens within the walls as well.
danelleau1, User Rank: Strategist
12/2/2015 | 4:26:30 PM
Attack Validation
If attackers are being successful, it makes sense to play that role. Attack validation allows organizations to adopt an offensive security mindset in the right way (i.e. without the implications and potential legal backlash from fighting back against attackers), and complements existing security solutions. 