7/6/2009 04:52 PM
New Tool And Managed Service 'Penetration-Test' End Users

New User Attack Framework (UAF) could eventually work with Metasploit's hacking tool, researchers say

A security researcher next month plans to release a Metasploit-style hacking tool and a managed service that lets organizations wage realistic and complex email-borne phishing attacks on their end users to gauge their risk of multilayered client attacks.

The so-called User Attack Framework (UAF) includes metrics, tracking details of the victim's actions when hit with phishing bait, and it can exploit the victim's browser, harvest his credentials, and even attack his operating system.

"There's been pen-testing of networks and applications. This is pen-testing users," says Joshua Perrymon, CEO of PacketFocus and the author of the tool behind UAF. UAF, which is written in Ruby, is based on a tool Perrymon initially built for phishing users called Lunker.

Perrymon had planned to release Lunker as an open-source tool in September at the Open Web Application Security Project (OWASP) conference in New York, but held back at the last minute after seeing how easily it duped users in beta tests with several banks and government agencies, amid worries that such a tool in its raw form could be abused by the bad guys. Around 80 percent of the users in the beta tests visited the phishing Websites after receiving the malicious URLs via email, and 60 percent were duped into giving up their credentials once they got there, he says.

So Perrymon decided not to release Lunker and instead expand it into more of an overall end-user attack framework, with both a commercial tool and managed services option, as well as a bare-bones, open-source tool that wasn't as potentially lethal, he says. "I didn't feel comfortable releasing Lunker publicly because of how powerful it was. I didn't want to release it...in turnkey form with an 80 to 90 percent success rate it had," he says. "I decided to release a tool that was a commercial version and not let the tool run wild."

UAF isn't the first such service -- Intrepidus Group offers PhishMe, a Web-based service for helping companies find the weakest links in their targeted phishing defense. The service, which was announced a year ago, lets companies spear-phish their employees both for risk assessment purposes and also to educate users. The "victimized" users get instant feedback: They are redirected to educational messages and information, including a PhishMe educational comic strip and links to their corporate sites for more information.

Perrymon says UAF is different because it's a managed security service that relies on security experts to run the phony phishing attacks, and it provides metrics and reporting. "This is a user attack framework instead of a phishing attack framework," like Lunker was aimed at providing, he says. "And even though it uses email as the attack vector, there are a lot of different ways it can attack the user."

UAF could be integrated with Metasploit at some point, says HD Moore, creator of Metasploit. "A few people have been working on similar projects over the years, and I'm excited that someone is going to finally release one," Moore says. "There's a good chance we can share code and do integration on the Metasploit side as well."

UAF tracks specific details of a multilayer phishing attack, such as when a phishing email was sent; if the user clicked on it and, if so, at what time; whether the user provided his credentials; and a count of how many payloads were successful. "We don't want to make this a canned Outlook attack," Perrymon says.

The metrics data can help an organization determine how effective it was at stopping an attack, for instance, or what tricks users fell for, Perrymon says. "This is not a tool where we spoof and see if someone gives information. We want to track the whole process to help an organization apply security awareness to the problem," he says. "At the end of the day, that's what's going to protect them against these [user] attacks. Technology can't."
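To make the reporting side concrete, here is an added example (not code from the article, from UAF, or from Lunker) of the kind of campaign-metrics tracker the two preceding paragraphs describe: it reads a log of per-recipient events (sent, clicked, credentials submitted, payload ran), computes the click and credential-submission funnel per lure template, the median time from send to first click, and flags the template users fell for most often. It is written in Ruby because the article says UAF is. The event format, template names, recipient ids and timestamps are all constructed for this example and are not from the page.

```ruby
# Added example: phishing-simulation campaign metrics (defender-side reporting).
# Not part of the article or of the UAF/Lunker tools; all data is constructed.
require 'time'

# Constructed event log. One event per line:
#   <ISO-8601 timestamp> <recipient id> <lure template id> <event type>
# Event types mirror the stages the article lists: sent, clicked,
# submitted (credentials entered on the landing page), payload (the simulated
# payload stage was reached). Timestamps and ids are made up.
SAMPLE_EVENTS = <<~LOG
  2009-07-06T09:00:00Z u001 invoice-reminder sent
  2009-07-06T09:00:00Z u002 invoice-reminder sent
  2009-07-06T09:00:00Z u003 password-reset sent
  2009-07-06T09:00:00Z u004 password-reset sent
  2009-07-06T09:00:00Z u005 password-reset sent
  2009-07-06T09:12:30Z u001 invoice-reminder clicked
  2009-07-06T09:14:05Z u001 invoice-reminder submitted
  2009-07-06T09:31:00Z u003 password-reset clicked
  2009-07-06T09:32:10Z u003 password-reset submitted
  2009-07-06T09:32:40Z u003 password-reset payload
  2009-07-06T10:05:00Z u004 password-reset clicked
  2009-07-06T11:00:00Z u001 invoice-reminder clicked
LOG

Event = Struct.new(:time, :user, :template, :type)

# Parse the log into Event structs, skipping blank lines.
def parse_events(text)
  text.each_line.map do |line|
    ts, user, template, type = line.split
    next if ts.nil?
    Event.new(Time.iso8601(ts), user, template, type)
  end.compact
end

# Median of an already-sorted numeric array (nil when empty).
def median(sorted)
  return nil if sorted.empty?
  mid = sorted.size / 2
  sorted.size.odd? ? sorted[mid] : (sorted[mid - 1] + sorted[mid]) / 2.0
end

# Per-template funnel: recipients sent the lure, share who clicked, share who
# submitted credentials, count who reached the payload stage, and the median
# seconds from send to first click among those who clicked. Each recipient is
# counted once per stage even if they clicked several times.
def campaign_metrics(events)
  events.group_by(&:template).map do |template, evs|
    per_user = evs.group_by(&:user)
    reached = ->(type) { per_user.select { |_, ue| ue.any? { |e| e.type == type } } }
    sent = reached.call('sent').size
    clicked = reached.call('clicked')
    delays = clicked.map do |_, ue|
      sent_at = ue.find { |e| e.type == 'sent' }.time
      first_click = ue.select { |e| e.type == 'clicked' }.map(&:time).min
      (first_click - sent_at).to_i
    end.sort
    [template, {
      sent: sent,
      click_rate: sent.zero? ? 0.0 : clicked.size.to_f / sent,
      credential_rate: sent.zero? ? 0.0 : reached.call('submitted').size.to_f / sent,
      payloads: reached.call('payload').size,
      median_seconds_to_click: median(delays)
    }]
  end.to_h
end

# The "trick users fell for" most: the template with the highest share of
# recipients who handed over credentials (the stage that matters most).
def riskiest_template(metrics)
  metrics.max_by { |_, m| m[:credential_rate] }&.first
end

if __FILE__ == $0
  report = campaign_metrics(parse_events(SAMPLE_EVENTS))
  report.each do |template, m|
    puts format('%-18s sent=%d click=%.0f%% creds=%.0f%% payloads=%d median_click=%ss',
                template, m[:sent], m[:click_rate] * 100, m[:credential_rate] * 100,
                m[:payloads], m[:median_seconds_to_click].inspect)
  end
  puts "highest credential-submission rate: #{riskiest_template(report)}"
end
```

Note that the two templates rank differently by click rate and by credential rate: ranking lures by clicks alone would point awareness training at the wrong template, which is why the credential stage is tracked separately from the click stage.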

UAF can run on Linux and Windows, he says. The free, open-source version of UAF software is aimed at penetration testers, and doesn't contain all of the functionality of the commercial tool or managed service. "You have to use your own mail server, so we're not going to provide a way to send anonymous attacks. This gives companies that may not want to purchase it a way to test their organization in a safe manner," he says.

The commercial tool, meanwhile, will be priced around $5,000, and the managed service, from $2,500 to $10,000 per year. PacketFocus is looking for beta testers for the product and service, as well ([email protected]).

Kelly Jackson Higgins is Executive Editor at DarkReading.com.
