Endpoint

7/6/2009
04:52 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

New Tool And Managed Service 'Penetration-Test' End Users

New User Attack Framework (UAF) could eventually work with Metasploit's hacking tool, researchers say

A security researcher next month plans to release a Metasploit-style hacking tool and a managed service that lets organizations wage realistic and complex email-borne phishing attacks on their end users to gauge their risk of multilayered client attacks.

The so-called User Attack Framework (UAF) includes metrics, tracking details of the victim's actions when hit with phishing bait, and it can exploit the victim's browser, harvest his credentials, and even attack his operating system.

"There is been pen-testing of networks and applications. This is pen-testing users," says Joshua Perrymon, CEO for PacketFocus, and the author of the tool behind UAF. UAF, which is written in Ruby, is based on a tool Perrymon initially built for phishing users called Lunker.

Perrymon had planned to release Lunker as an open-source tool in September at the Open Web Application Security Project (OWASP) conference in New York, but held back at the last minute amid worries such a tool in its raw form could be abused by the bad guys after seeing how easily it duped users in beta tests with several banks and government agencies. Around 80 percent of the users in the beta tests visited the phishing Websites after receiving the malicious URLs via email, and 60 percent were duped into giving up their credentials once they got there, he says.

So Perrymon decided not to release Lunker and instead expand it into more of an overall end-user attack framework, with both a commercial tool and managed services option, as well as a bare-bones, open-source tool that wasn't as potentially lethal, he says. "I didn't feel comfortable releasing Lunker publicly because of how powerful it was. I didn't want to release it...in turnkey form with an 80 to 90 percent success rate it had," he says. "I decided to release a tool that was a commercial version and not let the tool run wild."

UAF isn't the first such service -- Intrepidus Group offers PhishMe, a Web-based service for helping companies find the weakest links in their targeted phishing defense. The service, which was announced a year ago, lets companies spear-phish their employees both for risk assessment purposes and also to educate users. The "victimized" users get instant feedback: They are redirected to educational messages and information, including a PhishMe educational comic strip and links to their corporate sites for more information.

Perrymon says UAF is different because it's a managed security service that relies on security experts to run the phony phishing attacks, and it provides metrics and reporting. "This is a user attack framework instead of a phishing attack framework," like Lunker was aimed at providing, he says. "And even though it uses email as the attack vector, there are a lot of different ways it can attack the user."

UAF could be integrated with Metasploit at some point, says HD Moore, creator of Metasploit. "A few people have been working on similar projects over the years, and I'm excited that someone is going to finally release one," Moore says. "There's a good chance we can share code and do integration on the Metasploit side as well."

UAF tracks specific details of a multilayer phishing attack, such as when a phishing email was sent; if the user clicked on it and, if so, at what time; whether the user provided his credentials; and a count of how many payloads were successful. "We don't want to make this a canned Outlook attack," he says.

The metrics data can help an organization determine how effective it was at stopping at attack, for instance, or what tricks users fell for, Perrymon says. "This is not a tool where we spoof and see if someone gives information. We want to track the whole process to help an organization apply security awareness to the problem," he says. "At the end of the day, that's what's going to protect them against these [user] attacks. Technology can't."

UAF can run on Linux and Windows, he says. The free, open-source version of UAF software is aimed at penetration testers, and doesn't contain all of the functionality of the commercial tool or managed service. "You have to use your own mail server, so we're not going to provide a way to send anonymous attacks. This gives companies that may not want to purchase it a way to test their organization in a safe manner," he says.

The commercial tool, meanwhile, will be priced around $5,000, and the managed service, from $2,500 to $10,000 per year. PacketFocus is looking for beta testers for the product and service, as well ([email protected]).

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17300
PUBLISHED: 2018-09-21
Stored XSS exists in CuppaCMS through 2018-09-03 via an administrator/#/component/table_manager/view/cu_menus section name.
CVE-2018-17301
PUBLISHED: 2018-09-21
Reflected XSS exists in client/res/templates/global-search/name-field.tpl in EspoCRM 5.3.6 via /#Account in the search panel.
CVE-2018-17302
PUBLISHED: 2018-09-21
Stored XSS exists in views/fields/wysiwyg.js in EspoCRM 5.3.6 via a /#Email/view saved draft message.
CVE-2018-17292
PUBLISHED: 2018-09-21
An issue was discovered in WAVM before 2018-09-16. The loadModule function in Include/Inline/CLI.h lacks checking of the file length before a file magic comparison, allowing attackers to cause a Denial of Service (application crash caused by out-of-bounds read) by crafting a file that has fewer than...
CVE-2018-17293
PUBLISHED: 2018-09-21
An issue was discovered in WAVM before 2018-09-16. The run function in Programs/wavm/wavm.cpp does not check whether there is Emscripten memory to store the command-line arguments passed by the input WebAssembly file's main function, which allows attackers to cause a denial of service (application c...