
Just launched our web-based spear phishing attack simulator app - packetwerks
http://www.threatsim.com
======
packetwerks
Little background here: We're a security consulting company. We do a ton of
web app security assessments, network vuln/pen testing, etc. A while back one
of our clients (large financial) hired us to do a spear phishing simulation.
"Show us how people are still able to get in and show us how they are able to
get out". So we did it all manually, both the phishing as well as going on site
to do data exfiltration to see how we could get around their outbound firewall
rules, IDS/IPS, DLP, proxies, sniffers, etc. We figured out how to do all of
these successfully and were able to "steal" some fake credit card numbers.

We lost a lot of money on that engagement. :) We went waaay over margin. So we
started thinking: how can we automate this and make it a repeatable process
that customers can run on an on-demand and on-going basis? Security is who we
are and in our blood. So we started coding...

And here we are.

So there are two sides:

1\. Web based spear phishing engine that sends out "malicious" emails with all
kinds of different options (e.g. malicious attachments, links to malicious web
sites, 'your pass expired, enter it here!' sites, etc.). We track who clicked
on what, who has out of date Acrobat, Flash, Java, etc.

2\. Bottom line is that phishers will ALWAYS get people to click on something.
No matter what. And the attacker only needs 1 person to do it. Just 1. So
let's assume that we're going to eventually get in. We have an on-demand
executable that mimics attacker malware complete with ninja-sneaky network
tricks that phones home fake credit card numbers, .rar files, all kinds of
cool network trickery.

All of the above is run by the end user and presented in a nice web UI so a
security guy/gal can make intelligent decisions on where their security is
good and where it sucks.

We're super excited about our new service and we hope everyone else is too.
Would love to hear more feedback.

~~~
dholowiski
Awesome - I'll be contacting you. This is great, for the typical over-worked
but security conscious IT guy (me).

------
dsr_
It looks like something I would want to use -- but I can't tell whether it's
priced in a range I can afford. I mentally equate the lack of a price list
with a hard-sell, high-price sales approach.

~~~
packetwerks
We're targeting the enterprise market so most of our customers have a security
budget that this would fit nicely in. Our model is subscription based,
allowing customers to run as many tests as they want. If you look at how much
a breach costs organizations it isn't hard for us to justify our price. I can
tell you that everyone here at ThreatSim has been in IT for well over 10 years
and we're no fans of high pressure sales. Most of our business is based on
referral and repeat customers. If you want to know more please fill out the
contact form on our site.

~~~
mcherm
That answer didn't have a single dollar figure in it.

Perhaps you could tell us an average price (or median, which would be lower),
or even just an example of a price someone paid.

If I can't tell what this is going to cost me to within a factor of 10, then I
probably can't afford it. Based on what I see here, the entry level cost might
be as cheap as $100, or as expensive as $50,000.

------
joelvh
I wonder how many companies are currently running tests like this in the
enterprise. Anyone have an idea of what people currently use?

~~~
tptacek
This is a consulting offering at several low-end app sec firms (if you're a
high-end appsec firm that does this stuff, sorry, I didn't know). It's one of
those attractive "scales across every employee of the company" services
consultants love. Happy to see it productized.

~~~
packetwerks
We're a mid-level appsec firm, how's that? :) The problem is that high, med,
and low end attackers are using spear phishing to get a foothold inside many
organizations. This is testing that everyone should be doing today. Read any
recent mainstream media article about any breach and Cmd-F "phish".

------
coreymaass
I can't wait to see stats from this! Hoping when you license it to companies,
you collect anonymous but public stats.

~~~
packetwerks
Yes, one of our goals is to collect industry-wide metrics that will help
everyone figure out what the best approach to tackling this difficult problem is.

------
ZackOfAllTrades
1\. I have no idea what this website does, but it sounds like it is web based
security checking. 2\. The web site is down. Potential Delicious Irony:
Somebody took down ThreatSim with ThreatSim.

~~~
packetwerks
Irony is that we're under a lot of traffic right now and moving to EC2 as I
type this. Site is back up btw :)

~~~
ZackOfAllTrades
That sounds like an excellent problem to have.

------
overdong
Just want to step in and say that it's a nice little logo you got there. What
is the font used and where did you get it designed? :)

~~~
packetwerks
Thanks! The logo was designed by the talented folks at <http://peeble.in/>. Not
sure what the font is; however, you can drop it into "What The Font"
<http://new.myfonts.com/WhatTheFont/> and see what they think it is.

