Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

12/2/2015
10:40 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Startup Offers Free Cyberattack Simulation Service

Attack simulation emerging as a way to test network security on demand and without exploits.

First came penetration testing, then the tabletop exercise, and now attack simulation -- the relatively nascent practice of war-gaming attacks on your network to gauge how prepared (or not) you are, and where your weaknesses reside.

Unlike pen-testing, attack simulation doesn't run exploit code. It's more about simulating the way attackers do their dirty work, from composing a phishing email and infecting a machine to the path the take to access and then pilfer credit-card data out of company. Attack simulation startup vThreat today announced free access to its software-as-a-service based applications.

The concept of simulating and providing a detailed postmortem of how an attacker could hack you is capturing some venture capital interest:  Israel-based startup SafeBreach, which provides attack simulation via a platform model, recently raised some $4 million via Sequoia Capital and serial entrepreneur and angel investor Shlomo Kramer.

vThreat was founded by Marcus Carey, a former security researcher with Rapid7 and one of the architects of the US Department of Defense Cyber Crime Center's live network investigations course. Carey says vThreat simulates what an attacker could actually do to an organization's infrastructure, and shows the attack sequence through the hacker's eyes.

It's not a replacement for penetration testing. "We don't replace pen testing, but we do augment it and give blue teamers an opportunity to simulate adversaries, between penetration tests," Carey says.

"We do 80 percent of what a pen tester does, without exploitation," he says. The goal is to keep on top of your security posture between pen tests and attacks or attack attempts.

Carey says vThreat uses a JavaScript agent in its tools. The various attack apps can imitate the techniques and movements of an attacker, including the scanning of local systems and the theft of information. "We concentrate on the movements an attacker makes on the network," he says.

The new free vThreat Apps SaaS doesn't provide all of the detailed reporting and analytics and exclusive apps that the paid subscription offers, but it does include a full enterprise-wide breach option, with limited reporting, Carey says. A vThreat Pro annual subscription costs $4,995, and vThreat Enterprise is priced based on the size of an organization, he says.

Aside from a full enterprise-wide attack, the apps include specific attack scenarios such as SSN exfiltration, executable download, DNS tunneling, egress scanning, and a tool for testing the organization's incident response.

Andrew Hay, director of research, OpenDNS, says attack simulation lets companies more regularly  probe at the security of their network, especially as changes are made to the infrastructure. "If you add a new network security device, does it actually make a difference to your overall attackable surface area? Does one product work better than another for detecting or blocking specific threats?" he says. "[It] also provides a way to test the efficacy of your security program and that of your organization's ability to respond to incidents," he notes.

Services like vThreat's are more affordable for midsized companies that can't afford to hire full-time security testing talent, he says.

Guy Bejerano, CEO and co-founder of SafeBreach, describes his firm's attack simulation platform as a way for companies to deploy offensive security in order to root out their vulnerabilities to attack. In a recent blog post, he called it a "'red team' on a platform."

Here Are Your Security Holes. Now What?

The simulation service has a botnet that vThreat controls, according to Carey, for a realistic attack scenario. "We're not dropping any code or backdoors," he says, but the tests produce RAR files with sample credit-card files if the attack was able to find "blind spots" in the network.

The catch with these attack simulations is the response side of the equation, however. OpenDNS's Hay says what you do with the information and problems these tests expose is the big challenge for companies. "If you see that DNS tunneling can be used to exfiltrate data from your network, how do you stop it? What's the best course of action?" he says.

Carey says companies in the financial services, energy, healthcare, and software startup sectors are currently using its SaaS.

"The primary benefit I see is that these types of  simulations allow for ongoing and scheduled testing of deployed technical controls" such as those of firewalls, IPS, proxies, and other systems, OpenDNS's Hay says. It also provides a way to measure whether adding a new security tool actually makes a difference, or which ones work better than others, he says.

"It's a fantastic 'product bake-off simulator,'" Hay says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jeromeo1969
50%
50%
jeromeo1969,
User Rank: Apprentice
2/9/2017 | 2:22:26 PM
Excellent!
This dovetails nicely into what I have thought all along. Penetration Testing shouldn't be a twice a year endeavor, instead Red Teams should be constantly attacking the environments they are protecting. There is no such thing as a static environment, and new vulnerabilities are being found all the time!
danelleau1
50%
50%
danelleau1,
User Rank: Strategist
12/9/2015 | 2:35:51 PM
Re: Cyberattack Simulation Service
theb0x - I understand your question now. You are correct, it would not make sense to simulate "reconnaissance". But reconnaissance isn't the only way to attack an organization, i.e. insider threats etc. It is important to validate lateral movement and data exfiltration as well.

As for the architecture, there are various deployment options available. The SaaS model is the vThreat model, talk to Marcus. We (SafeBreach) have an on-premise model that doesn't require SaaS. Happy to chat offline. 
theb0x
50%
50%
theb0x,
User Rank: Ninja
12/9/2015 | 9:57:06 AM
Re: Cyberattack Simulation Service
The first phase of any cyberattack is always reconnaissance. This is public information gathered about the company. The second phase is enumeration. This where systems can be port scanned and the querying of individual services are performed to identify specific systems of weaknesses. It is not until the exploition phase is launched where the information identified as weaknesses can actually be confirmed. 

A simulation of this does not really confirm any weaknesses discovered. There is also a high probability of false positives.

A cyberattack does not involve deploying SaaS agents internally to the network to gather information. This is not how reconnaissance and enumeration are performed. Also loading such an agent may very well be exploitable by an actual attack through it's own weaknesses. 

 

danelleau1
50%
50%
danelleau1,
User Rank: Strategist
12/9/2015 | 4:00:18 AM
Re: Cyberattack Simulation Service
It's different from vulnerability assessment. Here you are simulating the actions of an attacker, and the breach methods used may or may not take advantage of a vulnerability. It's more like an automated red team on a platform. 
theb0x
50%
50%
theb0x,
User Rank: Ninja
12/8/2015 | 12:27:01 PM
Cyberattack Simulation Service
How is this any different than a vulnerability assessment? No exploits are actually launched and the probable damage is based on the value of a company's assests and the severity of a successful attack. That's what CVEs are for. Even running scans on a production network can have a negative impact depending on how many nodes and how aggressive it is. Even without using any exploit code things can and will still break.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
12/4/2015 | 11:35:55 AM
Good news for SMBs
This is something that SMBs could actually afford, and might teach them more about security than the average static monitoring software. But it could also be good for the larger companies if they actually do use it as an "in-between pen tests" maintenance tool. 
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
12/3/2015 | 5:36:28 AM
Counter to M&M Security
Sounds like a great service lest we become to complacent about M&M security (hard on the outside, soft inside).  Security is not just about the outer gates; it's about everything that happens within the walls as well.
danelleau1
50%
50%
danelleau1,
User Rank: Strategist
12/2/2015 | 4:26:30 PM
Attack Validation
If attackers are being successful, it makes sense to play that role. Attack validation allows organizations to adopt an offensive security mindset in the right way (i.e. without the implications and potential legal backlash from fighting back against attackers), and complements existing security solutions. 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
'BootHole' Vulnerability Exposes Secure Boot Devices to Attack
Kelly Sheridan, Staff Editor, Dark Reading,  7/29/2020
Out-of-Date and Unsupported Cloud Workloads Continue as a Common Weakness
Robert Lemos, Contributing Writer,  7/28/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4560
PUBLISHED: 2020-08-03
IBM Financial Transaction Manager 3.2.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVE-2019-4589
PUBLISHED: 2020-08-03
IBM Cognos Analytics 11.0 and 11.1 is vulnerable to privlege escalation where the "My schedules and subscriptions" page is visible and accessible to a less privileged user. IBM X-Force ID: 167449.
CVE-2020-4328
PUBLISHED: 2020-08-03
IBM Financial Transaction Manager 3.2.4 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 177839.
CVE-2020-4377
PUBLISHED: 2020-08-03
IBM Cognos Anaytics 11.0 and 11.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 179156.
CVE-2020-4534
PUBLISHED: 2020-08-03
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a local authenticated attacker to gain elevated privileges on the system, caused by improper handling of UNC paths. By scheduling a task with a specially-crafted UNC path, an attacker could exploit this vulnerability to execute arbi...