First came penetration testing, then the tabletop exercise, and now attack simulation -- the relatively nascent practice of war-gaming attacks on your network to gauge how prepared (or not) you are, and where your weaknesses reside.
Unlike pen-testing, attack simulation doesn't run exploit code. It's more about simulating the way attackers do their dirty work, from composing a phishing email and infecting a machine to the path they take to reach and then pilfer credit-card data out of the company. Attack simulation startup vThreat today announced free access to its software-as-a-service (SaaS) applications.
The concept of simulating and providing a detailed postmortem of how an attacker could hack you is capturing some venture capital interest: Israel-based startup SafeBreach, which provides attack simulation via a platform model, recently raised some $4 million via Sequoia Capital and serial entrepreneur and angel investor Shlomo Kramer.
vThreat was founded by Marcus Carey, a former security researcher with Rapid7 and one of the architects of the US Department of Defense Cyber Crime Center's live network investigations course. Carey says vThreat simulates what an attacker could actually do to an organization's infrastructure, and shows the attack sequence through the hacker's eyes.
It's not a replacement for penetration testing. "We don't replace pen testing, but we do augment it and give blue teamers an opportunity to simulate adversaries, between penetration tests," Carey says.
"We do 80 percent of what a pen tester does, without exploitation," he says. The goal is to keep on top of your security posture between pen tests and attacks or attack attempts.
The new free vThreat Apps SaaS doesn't include all of the detailed reporting, analytics, and exclusive apps that the paid subscription offers, but it does include a full enterprise-wide breach option, with limited reporting, Carey says. A vThreat Pro annual subscription costs $4,995, and vThreat Enterprise is priced based on the size of an organization, he says.
Aside from a full enterprise-wide attack, the apps include specific attack scenarios such as SSN exfiltration, executable download, DNS tunneling, egress scanning, and a tool for testing the organization's incident response.
Andrew Hay, director of research, OpenDNS, says attack simulation lets companies more regularly probe at the security of their network, especially as changes are made to the infrastructure. "If you add a new network security device, does it actually make a difference to your overall attackable surface area? Does one product work better than another for detecting or blocking specific threats?" he says. "[It] also provides a way to test the efficacy of your security program and that of your organization's ability to respond to incidents," he notes.
Services like vThreat's are more affordable for midsized companies that can't afford to hire full-time security testing talent, he says.
Guy Bejerano, CEO and co-founder of SafeBreach, describes his firm's attack simulation platform as a way for companies to deploy offensive security in order to root out their vulnerabilities to attack. In a recent blog post, he called it a "'red team' on a platform."
Here Are Your Security Holes. Now What?
The simulation service has a botnet that vThreat controls, according to Carey, for a realistic attack scenario. "We're not dropping any code or backdoors," he says, but the tests produce RAR files with sample credit-card files if the attack was able to find "blind spots" in the network.
The catch with these attack simulations is the response side of the equation, however. OpenDNS's Hay says what you do with the information and problems these tests expose is the big challenge for companies. "If you see that DNS tunneling can be used to exfiltrate data from your network, how do you stop it? What's the best course of action?" he says.
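To make the DNS-tunneling scenario concrete, here is an added example (not vThreat's or SafeBreach's code) of both sides of that test: a minimal tunneling encoder/decoder that stands in for the simulation's exfiltration channel, and a detection heuristic run over constructed DNS query log lines, the kind of check a blue team would add after a simulation shows the channel is open. The zone c2.example.net, the log line format, the thresholds, and the payload bytes are all assumptions made for this example.

```python
import base64
import hashlib
import math
from collections import defaultdict

# Hypothetical attacker-controlled zone; assumption for this example only.
EXFIL_DOMAIN = "c2.example.net"


def encode_payload(data, domain=EXFIL_DOMAIN, label_len=48):
    """Split data into DNS-safe labels the way a tunneling client would.

    Base32 is used because DNS names are case-insensitive; each query carries
    a sequence number so the receiver can reorder. Returns a list of FQDNs.
    """
    b32 = base64.b32encode(data).decode().rstrip("=").lower()
    chunks = [b32[i:i + label_len] for i in range(0, len(b32), label_len)]
    return [f"{seq}.{chunk}.{domain}" for seq, chunk in enumerate(chunks)]


def decode_payload(qnames, domain=EXFIL_DOMAIN):
    """Receiver side: reorder by sequence number and reverse the encoding."""
    suffix = "." + domain
    parts = []
    for q in qnames:
        seq, chunk = q[:-len(suffix)].split(".", 1)
        parts.append((int(seq), chunk))
    b32 = "".join(chunk for _, chunk in sorted(parts)).upper()
    b32 += "=" * (-len(b32) % 8)  # restore the padding we stripped
    return base64.b32decode(b32)


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname, levels=2):
    """Crude eTLD+1 (last two labels). Real deployments should use the PSL."""
    return ".".join(qname.rstrip(".").split(".")[-levels:])


def is_suspicious(qname, max_label=20, min_entropy=3.5):
    """Long, high-entropy subdomain labels are the tunneling signature."""
    labels = qname.rstrip(".").split(".")
    subdomain = "".join(labels[:-2])  # everything left of the registered domain
    longest = max((len(l) for l in labels), default=0)
    return longest > max_label and shannon_entropy(subdomain) > min_entropy


def detect_tunneling(log_lines, min_hits=5):
    """Flag (client, domain) pairs that sent many suspicious queries.

    Log format assumed here: "<timestamp> <client-ip> <qname> <qtype>".
    """
    hits = defaultdict(int)
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash the pipeline
        _ts, client, qname, _qtype = parts[:4]
        if is_suspicious(qname):
            hits[(client, registered_domain(qname))] += 1
    return {k: v for k, v in hits.items() if v >= min_hits}


# Constructed stand-in for an encrypted/compressed card dump (192 bytes of
# SHA-256 output); no real data is involved.
SAMPLE_RECORD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(6))

# Constructed DNS query log: three benign lookups from one host, plus the
# queries the tunneling client would emit for SAMPLE_RECORD from another.
SAMPLE_LOG = [
    "2024-05-01T12:00:01Z 10.0.0.7 www.example.com A",
    "2024-05-01T12:00:02Z 10.0.0.7 mail.example.com MX",
    "2024-05-01T12:00:03Z 10.0.0.7 cdn-assets.static.example.org A",
] + [
    f"2024-05-01T12:00:{4 + i:02d}Z 10.0.0.23 {q} TXT"
    for i, q in enumerate(encode_payload(SAMPLE_RECORD))
]


def run_sample():
    """Return the flagged (client, domain) pairs for the constructed log."""
    return detect_tunneling(SAMPLE_LOG)


if __name__ == "__main__":
    for (client, domain), n in run_sample().items():
        print(f"{client} -> {domain}: {n} tunneling-like queries")
```

The encoder/decoder round-trips the payload, which is what the simulation proves when it produces its sample exfiltration file; the detector answers Hay's "how do you stop it?" question only partially, since a label-length and entropy heuristic catches naive tunnels but not low-and-slow variants that keep labels short, so a real control would pair it with per-client query volume over time and egress filtering of DNS to unapproved resolvers.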
Carey says companies in the financial services, energy, healthcare, and software startup sectors are currently using vThreat's SaaS.
"The primary benefit I see is that these types of simulations allow for ongoing and scheduled testing of deployed technical controls" such as those of firewalls, IPS, proxies, and other systems, OpenDNS's Hay says. It also provides a way to measure whether adding a new security tool actually makes a difference, or which ones work better than others, he says.
"It's a fantastic 'product bake-off simulator,'" Hay says.