Go Phishing: Rapid7 Lets Companies Test Their Own Networks
10:15 AM EST Fri. Dec. 07, 2012
Rapid7 has released a new version of Metasploit Pro, which adds capabilities to simulate phishing and social engineering attacks.
With the growing emphasis on social engineering and phishing, Metasploit 4.5 has been updated to help security managers and channel partners assess the degree to which networks are vulnerable to this attack vector.
According to the Boston-based company, phishing attempts account for more than 500 million emails per day and lead to several billion dollars' worth of financial losses every year.
"Five to ten years ago, the emphasis was mostly on server-side exploits," said HD Moore, chief architect of Metasploit and chief security officer for Rapid7. "These days, almost every single breach starts with a compromised desktop or laptop that is being used as a stepping stone to the rest of the network. Compromising those machines usually translates to phishing campaigns aimed at internal user accounts."
Version 4.5 enables the setup of simulated phishing campaigns aimed at supporting the case for technology updates or additional employee education. Employees who fall for the exploit can be routed to a website that directs them to educational supplements, or IT managers can rely on a social engineering report and then follow up with the individuals on a personal level.
"A lot of companies do quarterly pen testing and in-house security, but they don't necessarily have a platform for doing the type of defense and awareness training around phishing itself in-house," Moore continued. "This product enables someone who doesn't necessarily have a strong security background to be able to produce a realistic phishing campaign and build awareness within the organization through that campaign. In addition, they can see how well the mitigating controls within the environment really operate. For example, you can see if your gateway scanners are actually catching email coming in with malicious attachments, and you can see whether your Web proxies are actually catching malicious phishing URLs."
Metasploit Pro provides conversion rates for a campaign: the number of people who clicked on a mock phishing email, how many entered their usernames and passwords on a fake website, and how many systems would have been compromised if the attack had been genuine.
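The funnel metrics described above (sent, clicked, entered credentials, would have been compromised) can be reproduced from a campaign's event log. The following is an added example written for this article, not code from Rapid7 or Metasploit Pro; the stage names, recipients, departments and event records are all constructed for illustration. It collapses a noisy log (duplicate clicks, events arriving out of order) to each recipient's furthest stage, computes per-stage conversion rates both against everyone who received the email and against the previous stage, and produces the per-department follow-up list an IT manager would use for the individual education mentioned earlier.

```python
"""Phishing-awareness campaign funnel metrics (constructed example, not Metasploit Pro code)."""
from collections import defaultdict
from dataclasses import dataclass

# Funnel stages in escalating order. A recipient's final stage is the furthest
# stage they reached; reaching a later stage implies the earlier ones.
STAGES = ("sent", "clicked", "submitted_credentials", "would_be_compromised")
STAGE_RANK = {name: i for i, name in enumerate(STAGES)}


@dataclass(frozen=True)
class Event:
    recipient: str
    department: str
    stage: str


# Constructed event log: hypothetical users and departments.
SAMPLE_EVENTS = [
    Event("alice@example.test", "finance", "sent"),
    Event("alice@example.test", "finance", "clicked"),
    Event("alice@example.test", "finance", "submitted_credentials"),
    Event("bob@example.test", "finance", "sent"),
    Event("bob@example.test", "finance", "clicked"),
    Event("bob@example.test", "finance", "clicked"),  # duplicate click, counted once
    Event("carol@example.test", "engineering", "sent"),
    Event("dave@example.test", "engineering", "sent"),
    Event("dave@example.test", "engineering", "clicked"),
    Event("dave@example.test", "engineering", "submitted_credentials"),
    Event("dave@example.test", "engineering", "would_be_compromised"),
    Event("erin@example.test", "hr", "sent"),
    Event("erin@example.test", "hr", "would_be_compromised"),  # out-of-order log; implies earlier stages
]


def furthest_stage_per_recipient(events):
    """Collapse the event log to each recipient's furthest funnel stage (as a rank)."""
    furthest = {}
    department = {}
    for ev in events:
        if ev.stage not in STAGE_RANK:
            raise ValueError(f"unknown stage: {ev.stage}")
        rank = STAGE_RANK[ev.stage]
        if rank > furthest.get(ev.recipient, -1):
            furthest[ev.recipient] = rank
        department[ev.recipient] = ev.department
    return furthest, department


def funnel_counts(events):
    """Number of unique recipients who reached at least each stage."""
    furthest, _ = furthest_stage_per_recipient(events)
    return {stage: sum(1 for r in furthest.values() if r >= rank)
            for stage, rank in STAGE_RANK.items()}


def conversion_rates(events):
    """Per-stage rates: share of all recipients and share of the previous stage."""
    counts = funnel_counts(events)
    sent = counts["sent"]
    rates = {}
    prev = sent
    for stage in STAGES[1:]:
        n = counts[stage]
        rates[stage] = {
            "of_sent": round(n / sent, 3) if sent else 0.0,
            "of_previous": round(n / prev, 3) if prev else 0.0,
        }
        prev = n
    return rates


def follow_up_list(events, min_stage="submitted_credentials"):
    """Recipients whose furthest stage is at or past min_stage, grouped by department."""
    furthest, department = furthest_stage_per_recipient(events)
    threshold = STAGE_RANK[min_stage]
    by_dept = defaultdict(list)
    for recipient, rank in furthest.items():
        if rank >= threshold:
            by_dept[department[recipient]].append(recipient)
    return {d: sorted(users) for d, users in sorted(by_dept.items())}


if __name__ == "__main__":
    for stage, n in funnel_counts(SAMPLE_EVENTS).items():
        print(f"{stage:>22}: {n}")
    for stage, r in conversion_rates(SAMPLE_EVENTS).items():
        print(f"{stage:>22}: {r['of_sent']:.1%} of sent, {r['of_previous']:.1%} of previous stage")
    print("follow-up:", follow_up_list(SAMPLE_EVENTS))
```

The "of_previous" rate is the one worth watching between campaigns: a falling click-to-credential ratio after training shows that the education is working even when overall click rates stay flat, while a rising share of recipients reaching the last stage points at endpoint controls rather than at user behaviour.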
Tools related to penetration testing are sometimes criticized for giving more capabilities to hackers as opposed to just helping the white hats. But Moore said the enhancements to Metasploit Pro do not give the black hats capabilities they do not already possess.
"The attackers do a pretty good job of building up their own campaigns," he said. "The security tools being used by pen testers are not typically the same tools being used by the same black hats because they don't need them. They have their own custom exploit kits and environments and spam cannons. So if anything, this evens the playing field between the white hats and the attackers who are coming in with full-scale infrastructures to launch attacks."
The updated version of Metasploit Pro is available immediately through the Rapid7 website. Free trials are also available.