Reviewed by Matthew Hreben & Michael Diehl
Price: Starting at $20,000.
What it does: Simulation platform that provides highly customizable attack templates.
What we liked: Simple to use software.
AttackIQ presents FireDrill, an attack simulation platform that provides multiple tools such as security controls validation, response and remediation exercises, and performance analytics for the purpose of discovering security gaps before they are exploited. Efficient in a manner that is not possible with manual penetration testing, FireDrill uses automation to execute a variety of adversarial techniques and scenarios. The result is new insights and accurate feedback about the strength of an organization’s security posture.
AttackIQ found that 40 percent of customers exploring this space have broken elements within their security pipelines. This finding particularly resonates for smaller organizations that may have high compliance requirements but don’t necessarily have the budget to hire senior security engineers, or can arrange only one penetration test annually, yet still want and need better visibility into what is and is not working. FireDrill meets these needs and offers tremendous additional value.
The platform works on a distributed client-server architecture, on-premises or in the cloud. It first deploys agents, which AttackIQ calls test point engines, into the test environment, where they are ready to run authentic, pinpoint attacks that are safe and do not negatively impact the production environment. Prepackaged installers come in the form of downloadable executables that will install on everything from Windows XP Embedded to current versions of Linux and Mac, and across platforms: desktops, laptops, VMs and the like.
After deployment comes the assignment of scenarios. AttackIQ maintains an extensive scenario library of more than 1,000 scenarios built on and correlated to the Mitre ATT&CK framework, a renowned public repository of adversarial techniques and methods. In one scenario, FireDrill deployed five agents on five different ATMs, performing very simple Windows credential harvesting. Of the five ATMs, four were safe, as security measures detected the attack and blocked it. But on one machine, the testing agent was able to harvest credentials. Then, using lateral movement – one of the 11 tactics identified by ATT&CK – the attacking agent was able to harvest credentials from 300 other ATMs. FireDrill demonstrated that this situation was possible – crucial data for the client.
AttackIQ reports having a very active community of 2,000 security teams, DevOps teams and companies, ranging from the largest in the world in their respective fields to traditional institutions such as banks and healthcare firms. Users can download shared scenarios and customize them, adding or manipulating the data they wish to try to exfiltrate, and specify how they want the test to attempt to move that data across the boundary, while deploying different test points to assess the security controls that should block the exfiltration attempt. AttackIQ has designed easy integration with a few endpoint protection platforms, such as CrowdStrike Falcon. It is completely automated and can run ad-hoc configurations.
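As an added illustration (not AttackIQ's code or FireDrill output), the following shows how per-test-point results from a scenario like the ATM credential-harvesting run above can be scored against ATT&CK technique IDs so that the hosts where a control failed silently surface first. The host names, outcome vocabulary and result records are constructed for this example; only the technique IDs (T1003, T1021) are real ATT&CK identifiers.

```python
# Constructed sample results (not real AttackIQ output). Technique IDs are
# real ATT&CK identifiers; host names and the outcome vocabulary are made up.
# outcome: "blocked"    - control prevented the action
#          "detected"   - action ran but a control raised an alert
#          "undetected" - action ran with no control response at all
SAMPLE_RESULTS = [
    {"host": "atm-01", "tactic": "credential-access", "technique": "T1003", "outcome": "blocked"},
    {"host": "atm-02", "tactic": "credential-access", "technique": "T1003", "outcome": "blocked"},
    {"host": "atm-03", "tactic": "credential-access", "technique": "T1003", "outcome": "blocked"},
    {"host": "atm-04", "tactic": "credential-access", "technique": "T1003", "outcome": "blocked"},
    {"host": "atm-05", "tactic": "credential-access", "technique": "T1003", "outcome": "undetected"},
    {"host": "atm-05", "tactic": "lateral-movement", "technique": "T1021", "outcome": "detected"},
]

VALID_OUTCOMES = {"blocked", "detected", "undetected"}


def coverage_report(results):
    """Aggregate per (tactic, technique): how many test points ran it, how many
    were blocked, which hosts let it execute, and which of those never alerted."""
    report = {}
    for r in results:
        if r["outcome"] not in VALID_OUTCOMES:
            raise ValueError(f"unknown outcome {r['outcome']!r} reported by {r['host']}")
        key = (r["tactic"], r["technique"])
        entry = report.setdefault(
            key, {"tested": 0, "blocked": 0, "executed_on": [], "silent_on": []}
        )
        entry["tested"] += 1
        if r["outcome"] == "blocked":
            entry["blocked"] += 1
        else:
            entry["executed_on"].append(r["host"])
            if r["outcome"] == "undetected":
                entry["silent_on"].append(r["host"])
    return report


def prevention_rate(report, tactic, technique):
    """Fraction of test points on which the technique was blocked outright."""
    entry = report[(tactic, technique)]
    return entry["blocked"] / entry["tested"]


def prioritised_gaps(report):
    """Techniques that executed somewhere, ordered so silent failures come first."""
    gaps = [(k, v) for k, v in report.items() if v["executed_on"]]
    return sorted(gaps, key=lambda kv: (-len(kv[1]["silent_on"]), -len(kv[1]["executed_on"])))
```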