SafeBreach Simulates Attacks on Customers to Find Security Risks

By Sean Michael Kerner  |  Posted 2016-01-26 Print this article Print
SafeBreach simulates attacks

Attackers use multiples types of tools and techniques to exploit an organization that SafeBreach automates in an effort to determine risk.

One way to know if a company is vulnerable to attacks is to try and breach it—safely. That's the goal of SafeBreach, which announced the official launch and general availability of its security platform today.

"SafeBreach is all about not waiting for a breach to happen," SafeBreach CEO and co-founder Guy Bejerano told eWEEK.

The SafeBreach platform runs what Bejerano referred to as the "hacker playbook," that is, the offensive knowledge of attackers. The hacker playbook includes all manner of techniques and actions, for example, attempting to exfiltrate credit card data, activating malware and trying brute-force password attacks. The SafeBreach platform automates the common techniques hackers use in an attempt to breach an organization and helps defenders identify potential risks.

The idea of testing an organization's readiness for an attack is often associated with the security discipline of penetration testing.

Itzik Kotler, CTO and co-founder of SafeBreach, emphasized that what his company's platform does is more than a typical penetration test in that it simulates both clients and servers. In a traditional penetration test, a security researcher will attempt to gain external access to an organization or application and has to wait for the systems to react.

"What we're doing in our simulation is we're triggering the reaction immediately," Kotler explained to eWEEK.

For example, with a brute-force password attack, the SafeBreach system simulation will know how many attempts it takes for the attack to be successful or if it will fail. The goal is to rapidly make a determination of an organization's risk. With a typical penetration test, user behavior is often the weak link that leads to exploitation. For example, with a phishing attack, the goal of the hacker is to get the victim to click on a malicious link that leads to some form of malicious Website or attack payload.

There is no need to wait to see if the user will click, Kotler said. Instead, the SafeBreach approach is not to care about the user action and see what would happen if the phishing email was clicked and whether the malicious link or Website could infect the targeted user or system, he added.

"Let's not wait for the user to actually click the link or open the malware," Kotler said. "Eventually, someone will open the mail and click on the link, so let's simulate this right now and see what happens."

While encouraging users not to click on potential phishing emails, organizations have enterprise controls in place that protect users and prevent malware exploitation. The right way to really see if the enterprise controls for attacker protection work is to test them, Kotler said. However, rather than conducting a live penetration test against a production environment, what SafeBreach uses isn't real malware that can harm an organization. Instead, SafeBreach simulates malware activity as well as the client and the security controller, he said. As such, there is no risk to the live production environment.

Among the common actions modern hackers take is to use an exploit kit with a collection of known vulnerabilities that a target victim may not have patched. SafeBreach tests the impact of an exploit kit on an organization by simulating both the user that could potentially click on an exploit kit link as well as simulating the actions of the exploit kit command-and-control server, Kotler explained.

"In running the simulation, we can see if any security controls are triggered—whether that's an IPS [intrusion prevention system], data loss prevention system or a firewall," Kotler said. "If a security control isn't triggered, then we have identified that there is a risk."

SafeBreach provides a high-level dashboard that identifies the risks. Clicking into the specific risks, the system provides detail on how SafeBreach was able to exploit a specific part of an IT infrastructure.

"Since we're looking at the entire attacker kill chain, from reconnaissance to data exfiltration, it's easier for the security person to patch what matters," Bejerano said.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel