Cymulate has introduced its Agentless APT Simulation solution that can replicate realistic full kill chain attacks.
The SaaS-based agentless advanced persistent threat (APT) solution, which runs on Cymulate's breach and attack simulation (BAS) platform, allows security teams to test and validate security defenses and provides the information necessary to fix potentially dangerous gaps across the kill chain.
Cymulate’s Agentless APT Simulation enables security teams to preview how hackers can reach their company’s crown jewels, helping red teams (white hat hackers charged with trying to attack their organization's infrastructure to test security defenses) test and validate, while assisting blue teams (security personnel who identify security flaws and test and verify the effectiveness of security measures) in proactively remediating gaps and optimizing the attack surface, keeping APT risk to a minimum.
Instead of installing agents on machines and testing specific modules or attacks with an agent, the advanced persistent threat agent mode acts as an insider. That means that just like an attacker, the hold inside the environment is not predefined. It requires no deployment and, more significantly, includes employees in the process who play a key role in the attack kill chain, especially with phishing, said Avihai Ben-Yossef, Cymulate's CTO.
"Our current APT simulations replicate phishing techniques, the initial and primary method attackers now take when trying to penetrate organizational networks or target individuals," Ben-Yossef explained. "For example, our simulation enables a phishing email to be sent to employees, either with malicious file attachments or a malicious link embedded in the email copy. When employees open the files or click on the links, the 'malicious content' spreads, either via lateral movement [or] ransomware or downloads other payloads and continues with exfiltration. Our email simulations contain malicious content, but it doesn't harm the organization in any way."
Cymulate's APT tool deploys real simulations and allows organizations to run authentic phishing campaigns with the correct social engineering and payloads. This helps substantiate whether an organization's security controls are effective enough. At the same time, the distribution techniques of the malicious content can test whether the organization's incident response team responds quickly and efficiently when an attack occurs.
For spear phishing, for example, the system would test by sending a phishing email with a malicious attachment, while for scripting, it would use a PowerShell stager script to download a payload from a remote server. For file and directory discovery, it would locate a target folder and scan for Office, PDF, HTML and TXT file extensions.
For each simulation run, the platform generates detailed reports of exactly how and what happened, suggesting configuration changes for the cybersecurity products and security controls deployed across the company’s network. This helps ensure optimal monitoring, detection and blocking, and remediation, Ben-Yossef said. In addition, the platform is modular, with each module representing an attack vector in the kill chain. This provides blue teams with insight on how to prevent such attacks and create relevant detection mechanisms to alert when an attack is occurring.
Working within the MITRE ATT&CK framework, the solution then creates insights and specific recommendations. Insights differ according to the platform modules, each relating to a specific attack vector. In general, the insights provide guidance for local security teams. For example, they might suggest available integrations or increased automation via vulnerability management systems or SOAR systems.
Mitigation Advice Depends on Type of Threat
Depending on the type of threat, the mitigation and analysis advice may differ. For example, Agentless APT Simulation might recommend using deceptions to lure attackers and catch malicious behavior by creating fake directories and monitoring access to them. It might recommend blocking WMI via the local firewall if it is not required, or identifying and blocking unnecessary system utilities using whitelisting tools. Often, the recommendations are even more specific. It also helps prioritize which vulnerabilities require the most immediate response.
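The two detection ideas above, the file and directory discovery behaviour the simulation exercises (a process sweeping a folder for Office, PDF, HTML and TXT files) and the deception recommendation (fake directories whose access is monitored), are shown here as detection logic run over file-access audit records. This is an added example, not Cymulate's code or output; the decoy directory names, the pipe-delimited record format, the 20-files-per-minute threshold and the sample records are all constructed for the illustration.

```python
"""Detect decoy-directory access and bulk document enumeration in file-access
audit records. Added example; record format and decoy paths are hypothetical."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ntpath

# Hypothetical deception directories a defender has seeded with bait files.
DECOY_DIRS = (r"C:\Finance\Board_Minutes_2019", r"C:\HR\Payroll_Archive")
# Document types named in the article's file-and-directory-discovery step.
DOCUMENT_EXTS = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".pdf", ".html", ".htm", ".txt")
ENUM_THRESHOLD = 20                 # distinct document files per process ...
ENUM_WINDOW = timedelta(seconds=60)  # ... within this sliding window


def _burst(prefix, pid, proc, count, start_sec):
    """Construct `count` one-second-apart accesses to distinct .docx files."""
    return [rf"2019-06-03T10:15:{start_sec + i:02d}|WS01|alice|{pid}|{proc}|"
            rf"{prefix}\report_{i:02d}.docx" for i in range(count)]


# Constructed sample records (timestamp|host|user|pid|process|path). This is a
# simplified shape for illustration, not real Windows audit log output.
SAMPLE_RECORDS = [
    r"2019-06-03T10:14:02|WS01|alice|2208|winword.exe|C:\Users\alice\Documents\budget.docx",
    r"2019-06-03T10:14:40|WS01|alice|2208|winword.exe|C:\Users\alice\Documents\notes.txt",
    # a script host touching 25 documents in 25 seconds, then a decoy folder
    *_burst(r"C:\Users\alice\Documents", 4412, "powershell.exe", 25, 5),
    r"2019-06-03T10:15:31|WS01|alice|4412|powershell.exe|C:\Finance\Board_Minutes_2019\minutes_q3.docx",
    r"2019-06-03T10:16:00|WS01|alice|1144|explorer.exe|C:\Windows\System32\notepad.exe",
]


def parse_record(line):
    ts, host, user, pid, process, path = line.split("|", 5)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "pid": int(pid), "process": process, "path": path}


def is_decoy_path(path):
    """True when the path lies inside a decoy directory (case-insensitive,
    and only for real children, so 'Board_Minutes_2019_public' is excluded)."""
    norm = ntpath.normcase(path)
    return any(norm.startswith(ntpath.normcase(d) + "\\") for d in DECOY_DIRS)


def is_document(path):
    return ntpath.splitext(path)[1].lower() in DOCUMENT_EXTS


def detect_decoy_access(records):
    """Any access to a decoy directory is an alert: nothing legitimate goes there."""
    return [{"rule": "decoy_access", "host": r["host"], "pid": r["pid"],
             "process": r["process"], "path": r["path"]}
            for r in records if is_decoy_path(r["path"])]


def detect_bulk_enumeration(records, threshold=ENUM_THRESHOLD, window=ENUM_WINDOW):
    """Alert once per process that opens >= threshold distinct document files
    inside one sliding window."""
    by_proc = defaultdict(list)
    for r in records:
        if is_document(r["path"]):
            by_proc[(r["host"], r["pid"], r["process"])].append(r)
    alerts = []
    for (host, pid, process), events in by_proc.items():
        events.sort(key=lambda r: r["ts"])
        recent = deque()
        for ev in events:
            recent.append(ev)
            while ev["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            distinct = {e["path"] for e in recent}
            if len(distinct) >= threshold:
                alerts.append({"rule": "bulk_document_enumeration", "host": host,
                               "pid": pid, "process": process,
                               "files": len(distinct),
                               "window_start": recent[0]["ts"].isoformat()})
                break
    return alerts


def analyze(lines):
    records = [parse_record(line) for line in lines]
    return detect_decoy_access(records) + detect_bulk_enumeration(records)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_RECORDS):
        print(alert)
```

Run as written, the script raises two alerts, both against the powershell.exe process: one for touching the decoy minutes file, one for enumerating 20 distinct documents within a minute. The decoy rule needs no threshold because a seeded directory has no legitimate readers, which is exactly why the deception recommendation is cheap to operationalize; the enumeration rule needs one, and the value should be tuned against a baseline of what indexing and backup processes on the host normally do.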
The approach Cymulate has chosen is simpler than most, yet quite comprehensive, said Rik Turner, a principal analyst at Ovum.
"Those that rely on multiple agents, or sensors, are a more complex proposition than Cymulate, where you download a single agent to one workstation, then define and launch all the simulated attacks from there," he said. Turner added that he believes the solution is the first to simulate APTs, which are more complex to understand and model.
Ben-Yossef said his company is working on an additional simulation option using USB devices for physical phishing.