There is currently a proliferation of organizational networked computing systems. Every type of organization, be it a commercial company, a university, a bank, a government agency or a hospital, relies heavily on one or more networks interconnecting multiple computing nodes. Failure of an organization's networked computing system, or even of only a portion of it, might cause significant damage, up to completely shutting down all operations. Additionally, all of the organization's data exists somewhere on its networked computing system, including all confidential data comprising its “crown jewels”, such as prices, details of customers, purchase orders, employees' salaries, technical formulas, etc. Loss of such data, or its leakage to unauthorized outside entities, might be disastrous for the organization.
As almost all organizational networks are connected to the Internet through at least one computing node, they are subject to attacks by computer hackers or by hostile adversaries. Newspapers frequently report incidents in which websites crashed, sensitive data was stolen or service to customers was denied, where the failures were the result of hostile penetration into an organization's networked computing system.
As a result, many organizations invest considerable effort and money in preventive means designed to protect their computing networks against potential threats. Many defensive products are offered in the market claiming to provide protection against one or more known modes of attack, and many organizations arm themselves to the teeth with multiple products of this kind.
However, it is difficult to tell how effective such products really are in achieving their stated goal of blocking hostile attacks, and consequently most CISOs (Computer Information Security Officers) will admit (perhaps only off the record) that they do not really know how well they could withstand an attack from a given adversary. The only way to really know how strong and secure a system is, is to try to attack it as a real adversary would. This is known as red-teaming or penetration testing (pen testing, in short), and is a very common approach that is even required by regulation in some developed countries.
Penetration testing requires highly talented people to staff the red team. Those people should be familiar with each and every publicly known vulnerability and attack method, and should also be very familiar with networking techniques and with the implementations of multiple operating systems. Such people are hard to find, and therefore many organizations give up on establishing their own red teams and resort to hiring external expert consultants to carry out that role (or give up on penetration testing altogether). But external consultants are expensive and are therefore typically called in only for brief periods separated by long intervals in which no such testing is done. This makes the penetration testing ineffective, as vulnerabilities exposed by new attacks that appear almost daily are discovered only months after they have become serious threats to the organization.
Additionally, even wealthy organizations that can afford to hire talented experts as in-house red teams do not achieve good protection. Testing for vulnerabilities of a large network containing many types of computers, operating systems, network routers and other devices is both a very complex and a very tedious process. The process is prone to human error, such as omitting tests for certain threats or misinterpreting the damage certain attacks could cause. Also, because a full testing process against all threats takes a long time, the organization might again end up with an overly long discovery period after a new threat appears.
Because of the above difficulties, several vendors offer automated penetration testing systems. Such systems automatically discover and report vulnerabilities of a networked system, the potential damage that might be caused to the networked system, and the potential trajectories of attack that an attacker may employ.
Automatic penetration testing systems can be divided into those that are actual-attack penetration testing systems and those that are not. Actual-attack penetration testing systems are characterized by using actual attacks in order to validate that a given vulnerability is indeed applicable to a given network node and is effective in compromising it under current conditions of the node. Such systems do not need to know in advance whether conditions required for the vulnerability to be effective are satisfied. An attempt is made to compromise the given network node using the given vulnerability. If the attempt succeeds in compromising the node then the penetration testing system concludes the vulnerability is effective, and if it fails to compromise the node then the penetration testing system concludes the vulnerability is not effective.
On the other hand, in penetration testing systems that are not actual-attack penetration testing systems, the effectiveness of a given vulnerability against a given network node is judged by collecting factual data about the node and then evaluating the effectiveness of the vulnerability when applied to it, according to rules retrieved from a security vulnerabilities knowledge base or according to a simulation. In such systems, unlike in actual-attack penetration testing systems, there is no risk of the penetration test compromising the tested networked system. This difference is of high importance to many organizations and is the reason those organizations refrain from using actual-attack penetration testing systems.
One of the threats faced by organizations in recent years is “phishing”. Phishing is an attempt to obtain sensitive information such as usernames, passwords, credit card details or other confidential information (and in some cases to indirectly obtain money) by masquerading as a trustworthy entity in an electronic communication or by other means. “Spear phishing” is phishing directed at specific individuals or companies, and is the most common type of phishing today.
In a typical phishing attack a user receives an email which, at first glance, seems to come from a trusted source: the user's bank, the user's credit card company, etc. The email asks the user to perform some operation, for example to confirm his account credentials. For that purpose, the user is asked to select a link appearing within the email in order to be taken to the website of the sending entity. Once the user follows the link, he is presented with a form into which he is requested to enter his credentials (e.g. user name and password). The unsuspecting user thinks he is providing the credentials to a legitimate bank or credit card company, but in a phishing attack he is actually on a fake website owned by the attacker. Once the user enters the credentials on the fake website, the phishing attacker stores them and may later use them to fraudulently steal money or information from the user.
For phishing to succeed, it is not actually necessary that the user explicitly provide his credentials on the malicious website to which he was lured. In many attacks it is enough that the user selects a “poisoned link” embedded in an email or in a file attached to an email; the attacker may then already be able to compromise the user's computing device by running malicious code on it.
For example, the poisoned link may take the user's browser to a malicious website that serves the browser a web page containing malicious code. Most browsers have security vulnerabilities that are known to the attacker community, and which allow code written by knowledgeable attackers to bypass the browser's security defenses and perform operations that compromise the hosting network node. Thus, merely tempting a user to follow a link to an attacker's website might be enough to compromise the user's network node, making phishing a highly dangerous threat that catches even experienced users who would never be tempted to explicitly expose their credentials.
Another very popular phishing method relies on attaching a “poisoned file” to an innocent-looking email, where merely opening the poisoned file is enough for the attacker to succeed in compromising the user's computing device. Such attacks typically use a macro containing malicious code that is executed automatically when a file containing the macro is opened, as is common with Microsoft Office document files.
While phishing by email is currently the most common phishing attack, phishing attacks are not limited to emails. The message through which the phishing poisoned link is communicated to the targeted computing device is not necessarily an email message. Other types of messages (e.g. SMS messages) may also be carriers of a phishing poisoned link.
Additionally, while phishing by electronic communication is currently the most common form of phishing, phishing attacks are not limited to electronic communication. For example, an attacker may talk with an unsuspecting user on the phone and convince him to visit a web page containing malicious code. Another example is an attacker convincing a user to insert a USB thumb drive into his computing device, where the USB drive contains auto-executing malicious phishing code or a file containing phishing poisoned links. The user may be tempted to use the USB drive after receiving it as a free handout at an exhibition, finding it left in a parking lot, etc.