|Product: Phobos Orbital Reconnaissance||Category: Attack Surface Management|
|Company: Phobos Group Inc.||Review date: April 2021|
This review is part of the April 2021 assessment of the Attack Surface Management (ASM) product category. If you haven’t read the category overview, you might want to check it out – it explains the category’s basics, use cases, and the general value proposition. Our testing methodology explains both how we interact with vendors and how we tested these products. In short, ASM products aim to discover and manage an organization’s external digital assets. This approach extends far beyond assets with an IP address, however, including everything from certificates to S3 buckets to DNS misconfigurations.
Founded in 2016 by Dan Tentler, Phobos has focused on conducting offensive and defensive-focused security services for its clients. The recently released Phobos Orbital Reconnaissance (Orbital for short) is the first step in the company’s efforts to transition into a ‘product first’ company.
Phobos is bootstrapped, headquartered in San Diego and employs five. Phobos is outspoken about its goal have a positive impact on the security industry by building products with strong commitments to the need of the customer, rather than compromise for financial and growth goals.
Phobos approached building Orbital from the perspective of both a security consultant and the client, receiving the results of an assessment. The consultant wants the client to understand the severity of threats and fix them quickly, but when too many issues are listed as critical, it all becomes noise.
Another issue in traditional consulting revolves around scoring. Many regulations require all issues above a certain score to be fixed, but what if 9 out of 10 of those issues won’t result in a compromise, but 3 out of 4 below the threshold could result in compromise? Orbital solves this problem by simply reporting issues that should be fixed, because they could result in immediate compromise.
Orbital produces ad-hoc reports on demand that include attack pathways, tech stack components, leaked credentials, a list of IP-based hosts found and screenshots of websites or remote access services (e.g. VNC, RDP).
Target Market: Orbital was designed to scale up to large enterprises. The current report format should scale fine into environments with thousands of external-facing assets.
Time-to-Value: Results in as few as 2 hours, or a few days at most, depending on the number of domains selected and the number of external assets to be assessed.
Maintaining Value: The only maintenance would be to periodically check the list of domains and to contact Phobos to update as necessary.
Total Cost: Orbital has a tiered payment structure based on the number of hosts analyzed. Promotions and discounts may be available for certain customers and in certain scenarios.
- 1-100 hosts - $2,500 per quarter
- 101-1000 hosts - $2,500 per quarter + $12.50 per host
- 1001+ hosts - $17,500 per quarter + $10.00 per host
For a mid-sized enterprise with 2,000 employees and 200 external facing assets, the annual cost for the product comes out to $12,500. We estimate an hour of analyst time to run and review the report. If running the report weekly, the labor cost comes to $2,423.04. The total cost to use this product every year, including product cost and labor would be $14923.04.
Strengths: The ability to run ad-hoc reports can be useful in some use cases. Report design clearly draws attention to the most critical issues.
Weaknesses: Orbital is missing quite a few features that can be found in competing ASM products. However, as the product is only a few months old, Phobos assure us that these features are in the works and will begin to arrive throughout the year.
Currently, Orbital is missing Additional features, such as continuous scanning, ability to manage finding status/risk levels, multi-user collaboration can be found in other ASM products at a similar price point.
Conclusion: A solid tool for getting a concise, prioritized list of what to worry about first.
Deployment and Configuration
At the time of account setup, the customer provides a list of domains. Once the customer has access, any or all these domains can be selected to run a report. According to Orbital, an assessment can take as little as 2 hours or as many as 48, depending on the size of the environment. Running against our test infrastructure of a few hundred assets took roughly 8 hours.
Orbital will send an email when the report is complete. The first thing we’re presented with are attack pathways, which list ways in which vulnerabilities or stolen credentials can be combined to compromise assets.
Next is a list of standalone findings (some of which would have already been featured in the attack pathways) and the number of times they were discovered, followed by a listing of tech stack components. The components are color-coded – yellow, ‘unfavorable’ items are out-of-date and green are fine.
Finally, is a list of domains explored and a summary of the findings for each (and yes, we explored and fixed all this before publishing). A glance at these findings highlights the spirit of ASM products – highlighting issues that traditional vulnerability scanners either bury as “informational”, or aren’t designed to discover at all. The average attacker knows that any host with a “dev”, “staging” or “old” subdomain is going to be worth a closer look.
Clicking any one of these domains opens a similar report, but with findings just specific to that domain. Orbit calls these subset reports.
The subset reports include a few additional sections. The first is a list of leaked credentials found. A list of hosts found is next, which can be filtered a number of ways (by finding, notably). Each entry includes IP, AS number, AS description, subdomains, ports, technologies and any relevant screenshots of websites or remote consoles. The final section is a list of screenshot thumbnails and the corresponding IP/port combination they were captured from.
“Discover Your True Attack Surface”
“The Phobos Orbital Reconnaissance Platform (Orbital, for short) exhaustively discovers publicly-facing company assets using a wide variety of discovery techniques, and analyzes the findings from the perspective of an attacker to show you the Attack Pathways that attackers would use to break in, or steal data.”
These are solid descriptions of what Orbital does - we can’t find any issue with Phobos’s claims here.
The folks at Phobos told us they were working on an update that would run reports on a schedule and notify customers about any changes from the previous report. This will be an important milestone, as it operationalizes the tool, turning it into a reliable watchdog service for busy security teams.
Security program fit
Phobos, like other products focused on discovering vulnerabilities and misconfigurations, fits solidly within the Identify column of the Cyber Defense Matrix.
Orbital is a young product with a lot of potential. It adds more options to the market as one of only two products designed to produce ad-hoc reports, making it ideal for consulting engagements, third party analysis and M&A due diligence in addition to the primary enterprise use case.