I’ve been advocating for the use of email-borne phishing tests against the user population within companies for over six years now, and I have to admit the fight is a complex one. Most of the network and security analysts I talk to about this agree with me and want to leverage this type of testing. But internally at their organizations, HR or some other policy group is worried about the legal or emotional impact of ‘targeting’ users in an organization, and about reports floating around stating that a user within a certain group clicked a link which eventually led to a critical system or account compromise.
Eric Doyle recently wrote an article in TechWeek Europe discussing whether pen testing will ever include social engineering as standard practice. He explicitly asks the question “Is social pen testing ethical?” While he doesn’t seem to answer that question, my answer is “yes”. Social pen testing by itself has no ethics to it and as a practice it is needed; where the question of ethics comes in is how you treat the results. If you send out a company-wide email publicly naming and shaming those users who clicked the link, you probably will increase security awareness, but you will not create a feeling in your user population that they are a branch of the security team.
For those organizations that are unsure about performing social pen testing, CORE Impact Pro v12.3 (announced today) provides two measurement capabilities to help them determine the risk their users pose:
1) “How well do our users’ machines defend themselves?”
New user-less client side testing capabilities are designed to test a sample Windows desktop machine and answer the question ‘What, if any, client side attacks would compromise this image?’ Most organizations have standard desktop images, which are refreshed on a regular basis. This testing capability allows you to run every client side exploit against the image and returns a list of those attacks that succeed despite any endpoint security systems deployed on that image.
2) “How likely is it that my users would fall for a client side attack?”
I know, phishing has been available for many releases: Impact Pro’s phishing capabilities allow you to send an email to many employees with a passive link (no attacks sent). IMPACT Pro will also record the number of people who clicked the link (and how, if you so wish) and thereby potentially exposed their machines to attack.
The magic really happens when you think about what the results from addressing these two questions allow you to know: you will have specific, literal numbers for how many attacks could compromise a user’s machine despite the protections on that machine. You will also know how many of your users would click a link in an email they were not expecting to receive, and risk exposing their machine to attack. If both numbers are high you know there is some serious work to be done, but you also have the evidence to show the powers that be to get the time and resources allocated to doing this work. If only one number is high you know where to best focus your resources to bring the risk your users pose down to a level the organization is comfortable with.
Of course, user-less client side testing is not the only thing we added in v12.3. As with every release of the product, we expanded on the depth of the features we already have.
Network Testing Reports
No one would ever say that reporting is the most exciting part of a test, but few would disagree that it is very important. With that in mind we extended the capabilities of existing reports and added new reports as requested by our customers. Highlights include:
Wellness Report – as people test their networks regularly with IMPACT Pro, the number of exploitable vulnerabilities naturally goes down. To show that the level of effort put into testing the systems has not decreased along with it, this wellness report details the effort that went into testing each machine to determine its security posture.
Mitigation Report – ahhh, sweet paperwork. The point of finding vulnerabilities is to fix them, introduce compensating controls to mitigate them, or make a business decision to accept the risk they represent. The mitigation report provides a list of all issues found and creates the paper trail of remediation for your manager to sign off on. It can then be filed and produced for third party auditors.
Full Executive Report – while there is still an executive report for each vector tested, this one shows a combined summary of all the testing done in the workspace.
Host Report – this one has undergone a makeover and now includes exposure information, which MITRE defines as access to information or capabilities that could be used as a stepping stone into a system or network. With v12.3, IMPACT Pro can check for exposures and the host report will detail them. The host report can also include a list of hosts by services or listening ports, and it includes the last screenshot taken on the machine.
Web Application Testing
By adding client certificate authentication to the existing authentication mechanisms supported by Impact Pro, we are able to test a larger portion of web applications automatically. These certificates can be imported from a file or accessed via the local machine certificate store. We have also improved the sorting and categorizing of our predefined exploit search folders to better relate them to the OWASP Top Ten.
Those of you who like to use our Attack Graph to show a visual representation of how you performed a multi-vector attack and compromise of the environment will be pleased to know that you can now condense the web application portion of the attack graph into a single node representing the target web application. This makes for a clean and easy-to-read graph.
We listen to our customers, and as a result we removed the restriction of only supporting a single AirPcap card. Now you can utilize multiple AirPcap cards and sniff on one channel while broadcasting packets on another. The introduction of a WiFi Man-in-the-Middle (MiTM) attack wizard makes it quick and easy to create a fake access point (AP) and configure automatic MiTM attacks to take place as soon as clients connect to the AP and start passing traffic through it. This includes replacing images in HTTP traffic, injecting client side attacks into that traffic, or manipulating forms to harvest the data being submitted. You can also configure DNS, SMB, POP3 and HTTP servers to act as endpoints.
I’m excited about the new capabilities we have added in this release, as they show our customers that we are adding more depth, and more tangible results, to the features they already know and use. And to those of you who install and use v12.3, I would be thrilled to hear about your experiences with the new functionality!
- Alex Horan, Senior Product Manager