Hacker News
Just launched our web-based spear phishing attack simulator app (threatsim.com)
38 points by packetwerks on June 15, 2011 | 18 comments

A little background here: We're a security consulting company. We do a ton of web app security assessments, network vuln/pen testing, etc. A while back one of our clients (large financial) hired us to do a spear phishing simulation. "Show us how people are still able to get in and show us how they are able to get out". So we did it all manually, both the phishing as well as going on site to do data exfiltration to see how we could get around their outbound firewall rules, IDS/IPS, DLP, proxies, sniffers, etc. We figured out how to do all of these successfully and were able to "steal" some fake credit card numbers.

We lost a lot of money on that engagement. :) We went waaay over margin. So we started thinking how we can automate this and make it a repeatable process that customers can run on an on-demand and ongoing basis. Security is who we are and it's in our blood. So we started coding...

And here we are.

So there are two sides:

1. Web based spear phishing engine that sends out "malicious" emails with all kinds of different options (e.g. malicious attachments, links to malicious web sites, 'your pass expired, enter it here!' sites, etc.) We track who clicked on what, who has out of date Acrobat, Flash, Java, etc.

2. Bottom line is that phishers will ALWAYS get people to click on something. No matter what. And the attacker only needs 1 person to do it. Just 1. So let's assume that we're going to eventually get in. We have an on-demand executable that mimics attacker malware complete with ninja-sneaky network tricks that phones home fake credit card numbers, .rar files, all kinds of cool network trickery.

All of the above is run by the end user and presented in a nice web UI so a security guy/gal can make intelligent decisions on where their security is good and where it sucks.

We're super excited about our new service and we hope everyone else is too. Would love to hear more feedback.
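The two pieces the post describes, per-recipient click tracking for the phishing side and "fake credit card numbers" for the exfiltration side, are small enough to sketch. The following is an added illustration and is not ThreatSim's code; the landing URL, the signing key and the card prefix are assumptions made up for the example. A tracked link carries an opaque recipient id plus an HMAC, so the e-mail address never appears in the URL and a user cannot forge a click for a colleague by editing it; the canary card numbers are Luhn-valid so that DLP or IDS rules keyed on card-number patterns fire on them, while no real account is ever sent over the wire.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumptions for the example: one signing secret per simulation tenant and a
# landing page on the simulator. Both are constructed placeholders.
SIM_KEY = b"constructed-example-secret-do-not-reuse"
LANDING = "https://sim.example.test/l"


def _mac(campaign_id: str, rid: str, key: bytes) -> str:
    """Truncated HMAC-SHA256 over campaign.rid, URL-safe and without padding."""
    msg = f"{campaign_id}.{rid}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).digest()[:16]
    return base64.urlsafe_b64encode(tag).decode().rstrip("=")


def enroll(campaign_id: str, recipients, key: bytes = SIM_KEY):
    """Build one tracked link per recipient.

    Returns (directory, links): directory maps the random recipient id back
    to the e-mail address (kept server-side), links maps e-mail -> URL.
    campaign_id must not contain '.', which is the token field separator.
    """
    directory, links = {}, {}
    for email in recipients:
        rid = secrets.token_urlsafe(6)          # opaque, no PII in the URL
        directory[rid] = email
        token = f"{campaign_id}.{rid}.{_mac(campaign_id, rid, key)}"
        links[email] = f"{LANDING}?{urlencode({'t': token})}"
    return directory, links


def resolve_click(url: str, directory, key: bytes = SIM_KEY):
    """Attribute a clicked URL to (campaign_id, email); None if the token is bad."""
    token = parse_qs(urlparse(url).query).get("t", [""])[0]
    parts = token.split(".")
    if len(parts) != 3:
        return None
    campaign_id, rid, mac = parts
    # Constant-time compare: a tampered or guessed token is rejected here.
    if not hmac.compare_digest(mac, _mac(campaign_id, rid, key)):
        return None
    email = directory.get(rid)
    return (campaign_id, email) if email else None


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # digits that are doubled once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    s = number.replace(" ", "")
    return len(s) > 1 and s.isdigit() and luhn_check_digit(s[:-1]) == s[-1]


def fake_card(prefix: str = "4000", length: int = 16) -> str:
    """Luhn-valid canary card number for exfiltration tests.

    The prefix is a placeholder assumption; for a real exercise pick a range
    your payment processor publishes for testing so it can never collide with
    a live account.
    """
    body = prefix + "".join(str(secrets.randbelow(10))
                            for _ in range(length - len(prefix) - 1))
    return body + luhn_check_digit(body)


if __name__ == "__main__":
    directory, links = enroll("q2-invoice", ["alice@example.test"])
    url = links["alice@example.test"]
    print(url)
    print(resolve_click(url, directory))
    print(fake_card(), luhn_valid(fake_card()))
```

The recipient id is random rather than a hash of the address so that a leaked link (forwarded to a colleague, pasted in chat) does not reveal who received it; the HMAC binds the id to the campaign so a token from one mailing cannot be replayed into another.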

Awesome - I'll be contacting you. This is great, for the typical over-worked but security conscious IT guy (me).

It looks like something I would want to use -- but I can't tell whether it's priced in a range I can afford. I mentally equate the lack of a price list with a hard-sell, high-price sales approach.

We're targeting the enterprise market so most of our customers have a security budget that this would fit nicely in. Our model is subscription based, allowing customers to run as many tests as they want. If you look at how much a breach costs organizations it isn't hard for us to justify our price. I can tell you that everyone here at ThreatSim has been in IT for well over 10 years and we're no fans of high pressure sales. Most of our business is based on referral and repeat customers. If you want to know more please fill out the contact form on our site.

That answer didn't have a single dollar figure in it.

Perhaps you could tell us an average price (or median, which would be lower), or even just an example of a price someone paid.

If I can't tell what this is going to cost me to within a factor of 10, then I probably can't afford it. Based on what I see here, the entry level cost might be as cheap as $100, or as expensive as $50,000.

I still don't have a clue as to your price. What's your minimum subscription period? If I have 10 people in my company, what's the price for a minimum subscription? If I have a hundred people, what's the price for a year? Should I just go away if I don't have a thousand people to test?

If you put some of this information on your website, you could get some of the prequalification done for free.

Same. Makes me feel like the services offered are dubious in value.

I wonder how many companies are currently running tests like this in the enterprise. Anyone have an idea of what people currently use?

This is a consulting offering at several low-end app sec firms (if you're a high-end appsec firm that does this stuff, sorry, I didn't know). It's one of those attractive "scales across every employee of the company" services consultants love. Happy to see it productized.

We're a mid-level appsec firm, how's that? :) The problem is that high, med, and low end attackers are using spear phishing to get a foothold inside many organizations. This is testing that everyone should be doing today. Read any recent mainstream media article about any breach and Cmd-F "phish".

Core Impact includes a module for doing phishing with client-side exploits. Probably more expensive than this, though. Metasploit will let you do similar things, but I don't know if it's packaged up nicely like Core Impact and the current post.

I can't wait to see stats from this! Hoping when you license it to companies, you collect anonymous but public stats.

Yes, one of our goals is to collect industry-wide metrics that will help everyone figure out what the best approach to tackling this difficult problem is.

1. I have no idea what this website does, but it sounds like it is web based security checking. 2. The web site is down. Potential Delicious Irony: Somebody took down ThreatSim with ThreatSim.

Irony is that we're under a lot of traffic right now and moving to EC2 as I type this. Site is back up btw :)

That sounds like an excellent problem to have.

Just want to step in and say that it's a nice little logo you've got there. What is the font used, and where did you get it designed? :)

Thanks! The logo was designed by the talented folks at http://peeble.in/ Not sure what the font is, however you can drop it into "What The Font" http://new.myfonts.com/WhatTheFont/ and see what they think it is.
