Security

Why one cybersecurity startup uses real malware and real attacks to test your company's defenses

Penetration testing company Cymulate can attack your network from multiple vectors, but what really matters is how you use the results to improve your security.

Cybersecurity is anything but fire and forget. A firewall, anti-malware platform, or other security suite can be a valuable asset one day, then turn into a huge liability the next. The key to preventing the latter? Constant vigilance.

Eyal Wachsman thinks his company Cymulate has the answer to the ever-changing cyber threat landscape. Its platform attacks client networks from multiple vectors, looking for the smallest weak spots to exploit.

Cymulate isn't hitting you with fake attacks either—they throw real malware at your network, try to steal real data, and try to phish real employees. It might sound dangerous, but that, says Wachsman, is the only way to get real, usable statistics about your network security.

Real cyberattacks without real damage

Yes, Cymulate runs tests with real malware, but it won't get onto your network for two reasons. First, they're performing all tests using a software agent that is completely automated and hosted on a machine specifically for that purpose.

Second, the malware isn't being installed on that machine, just trying to penetrate your defenses. If it makes it through your security to the agent's email inbox then the test is considered a success.

Email attacks aren't the only way Cymulate tests network security. They have a total of six attack vectors that all poke and prod your network in different ways.

First, as mentioned, is email. In a test that takes about three hours, Cymulate hits a network with thousands of messages containing different types of malware stored in different kinds of attachments.

SEE: Report: The top 5 cybersecurity threats of 2017 (TechRepublic)

Second is web browser testing. The agent installed on your network hits a website owned by Cymulate that's chock full of malware, exploits, scripts, and other bad things found on the internet. It browses around for a while and sees what makes it past internet filters.

Third is what Cymulate calls a "hopper." It acts like an attacker that has successfully penetrated your network. This test is run by designating an entry point, say finance, and testing to see how easy it is for the hopper to make its way from computer to computer. It also tries different methods of getting around and extracting data to see what your network is most vulnerable to.

Fourth is a phishing test, and this one actually targets real users. There are a bunch of phishing emails that can be chosen from, and clients can also create their own to test. They come to email addresses on your domain and provide lots of data—you can even see how long a user spends looking at an email before clicking the link (which isn't harmful, by the way).

Fifth is data loss prevention (DLP), if applicable. The DLP test can be set up to check for certain key phrases in emails and even to check if certain types of data is being loaded onto USB drives.

Sixth is a web applications firewall (WAF) assessment. No WAF is attackproof, and Cymulate will attack a specified URL to look for ways around the WAF.

Don't get comfortable with your cybersecurity solution

Wachsman said that it isn't about the security product you use—it's more about how you use it. And even that isn't entirely under your control.

He told me about a time that a client ran a hopper test on their network and got a great response because of a honeypot installed on its network. The hopper only made it to two workstations before it was stopped.

SEE: 2017 IT Security & Ethical Hacking Certification Training (TechRepublic Academy)

Just one week later that same hopper test on the same company managed to make it to 40 different servers. Not workstations; servers.

In the time between the first and second scans, their security provider had run an update that broke the honeypot by putting a backend server to sleep. So, nothing had changed, at least as far as the client knew, but had an actual attack taken place it would have been disastrous.

That exact same thing could happen on your network—a good security posture today doesn't equal a good security posture tomorrow. Whether you choose to look into Cymulate's solutions or someone else's, you need to do something. Attacks are always evolving, and if your security isn't evolving as well, you're just asking for trouble.


Also see:

About Brandon Vigliarolo

Brandon writes about apps and software for TechRepublic. He's an award-winning feature writer who previously worked as an IT professional and served as an MP in the US Army.

Editor's Picks

Free Newsletters, In your Inbox