Hacker News
by packetwerks 5476 days ago
Little background here: We're a security consulting company. We do a ton of web app security assessments, network vuln/pen testing, etc. A while back one of our clients (large financial) hired us to do a spear phishing simulation. "Show us how people are still able to get in and show us how they are able to get out". So we did it all manually, both the phishing as well as going on site to do data exfiltration to see how we could get around their outbound firewall rules, IDS/IPS, DLP, proxies, sniffers, etc. We figured out how to do all of these successfully and were able to "steal" some fake credit card numbers.

We lost a lot of money on that engagement. :) We went waaay over margin. So we started thinking how can we automate this and make it a repeatable process that customers can run on an on-demand and on-going basis. Security is who we are and in our blood. We started coding...

And here we are.

So there are two sides:

1. Web based spear phishing engine that sends out "malicious" emails with all kinds of different options (e.g. malicious attachments, links to malicious web sites, 'your pass expired, enter it here!' sites, etc.) We track who clicked on what, who has out of date Acrobat, Flash, Java, etc.

2. Bottom line is that phishers will ALWAYS get people to click on something. No matter what. And the attacker only needs 1 person to do it. Just 1. So let's assume that we're going to eventually get in. We have an on-demand executable that mimics attacker malware complete with ninja-sneaky network tricks that phones home fake credit card numbers, .rar files, all kinds of cool network trickery.

All of the above is run by the end user and presented in a nice web UI so a security guy/gal can make intelligent decisions on where their security is good and where it sucks.

We're super excited about our new service and we hope everyone else is too. Would love to hear more feedback.

1 comment

Awesome - I'll be contacting you. This is great, for the typical over-worked but security conscious IT guy (me).