Security Laboratory

Security Laboratory

Sec Lab: Security Products

In 1995 if you wanted a security product, you downloaded the source and compiled it on your Sun 3, today we buy supported commercial products: this series on the security lab is to introduce you to some of the products out there and, when possible, the movers and shakers that are part of the team that creates these products.

Other Related Articles in Sec Lab: Security Products

Interview with Maximiliano Caceres about CORE IMPACT

By Stephen Northcutt

In early 2003, I received an email offering to show me a new product from a security consulting company. A week later I watched a demonstration of a GUI based exploit tool -- I was totally blown away. I said, "I am not sure you should have built this. Now that you have, please use some care in who you sell it to and, above all, build some licensing security into this so it does not end up in the underground." Today they still offer consulting services (to keep their skills sharp), but they have put significantly more resources into building the product, which has grown steadily since v1 was launched in 2002. The product is actively used today by over 450 organizations across multiple industries, including financial services, telecommunications, healthcare, retail, and federal and state and local government agencies, including different arms of the military and the DoD. Let's look at CORE through Maximiliano's eyes. Prior to joining Core and working up to the head engineer position, Caceres worked for 4 years as a member of the Special Projects Group at the Argentine tax agency.

Max, thank you for taking the time to share your thoughts with us. What's CORE IMPACT?

CORE IMPACT is an automated penetration testing product. It helps security managers prove the strength of their information security program. By safely running real attacks against a network, the product helps users:

  • Prove the existence of vulnerabilities and gauge the impact of data breaches
  • Intelligently prioritize remediation efforts
  • Audit defensive security applications (IPS, IDS, firewalls, etc.)
  • Evaluate security policies and exposure to social engineering attacks
  • Demonstrate compliance with privacy and regulatory mandates

OK, that sounds like you had your marketing team help you with this, but it's a start. How was the product born? How did this come into existence?

It is hard to track the birth of the product to one single idea or event. Core Security was founded in 1996 and originally operated as a security consultancy, offering services such as penetration testing and source code audits. We regularly dealt with custom exploit code and with ad-hoc tools to perform our testing, but we always felt that there had to be a better way. We also believed that part of the complexity and untidiness of the penetration testing practice was related to having to rely on this mish-mash of tools, primitive or non-existent automation, and on optimizing exploits that did not work, or even developing new exploits during a test. Through this experience we developed a series of ideas we thought could greatly simplify penetration testing, and would make the practice available and cost-effective for organizations to do on their own. That's how in early 2001 the company decided to invest in developing this tool (which we now call CORE IMPACT). To this day we strongly believe that proactive organizations must be able to think like an attacker to be able to measure and prove that their defenses work effectively, whether they do that through utilizing products or services.

What are the benefits of a penetration testing product vs. a service?

While penetration testing is obviously not a new practice, organizations can take advantage of an automated product to perform this testing as often as they want. More than half of our customers use the product on a daily and weekly basis to test the security of their networks.

That makes sense, after all you are only as good as your last pen test. At the end of the day, we really are not in the security business or they would issue us guns and armored cars, we are in the risk management business. And a GUI exploit tool sounds like it would have its own risks. Can you give me some talking points to tell a senior manager why IMPACT's attacks are safe? (Or, at least in the realm of reasonable risk management.)

First of all, we do all the coding behind the attacks ourselves. We have a team of expert exploit developers that create reliable exploits for different vulnerabilities which are released on a weekly basis to all our customers. Before a given exploit is released, our QA team performs a series of manual and automated tests to make sure the exploit behaves correctly across a range of target configurations. We also regularly test and update all our exploits to ensure optimal performance. For instance, it is fairly common to find PoC (Proof of Concept) exploit code on the Internet that only works reliably against a single edition and service pack level of Windows. We ensure that our exploits work across multiple operating system versions, editions, and patch-levels. Secondly, all of our exploits deploy a benign payload that we call an IMPACT agent. This agent gives the tester a lot of flexibility to interact with the target without affecting its configuration. For instance, if a system is found to be vulnerable to a certain attack and the tester is able to compromise it with one of our exploits, an agent will be deployed. The tester would then be able to use it to interact with the compromised computer by, browsing disk contents to see which information is actually stored there (and which would be available to an attacker exploiting the same flaw), and eventually even using the computer to launch additional attacks against other computers on the same network. This flexible agent, which runs only in the memory space of the compromised machine, does not require you to install any additional software on the computer you are testing. When you are done, the agent removes itself from memory and the system is left in the original state it was in before you started the test. This method is significantly more efficient than manual penetration testing and, unless you have the knowledge and time to verify the soundness of each exploit you want to use, much safer than utilizing PoC exploit code from unknown or untrustworthy sources.

Max, since you know the product as well as anyone, what new functionality was included in the latest product releases? Where are you headed in terms of features and capability?

Last year we did one major release, v6, and two minor releases. One of the key capabilities we introduced last year was new functionality to simplify what we call Client-Side Penetration Testing. The main idea behind this new functionality stems from the fact that as organizations do a better job of securing their perimeters, attackers are increasingly focusing on easier targets, such as end user computers which, coincidentally, are within that hardened network perimeter. Attacks that focus on exploiting software we all run in our computers (vs. our servers) are on the rise, along with phishing and social engineering attacks. The new Client-Side features in CORE IMPACT help organizations introduce these types of attacks into their testing to measure how prepared they are to deal with them before they actually happen. Using these new capabilities customers can send exploits for vulnerabilities in browsers or office documents via e-mail, and monitor the effectiveness of their e-mail and endpoint security defenses, along with the overall response of their users to the attacks. In addition, in our new releases we have added lots of other new capabilities, including improved functionality in our agent technology, support for testing additional operating systems, such as Apple's OS X and IBM's AIX, and improved usability.