Crossbow offers live fire cybersecurity vulnerability testing

Sometimes the best defense is a good offense. That was the philosophy behind the SCYTHE security company’s efforts to create the Crossbow vulnerability assessment platform. Deployed using either software as a service (SaaS) or through an on-premises installation, Crossbow is a virtual threat sandbox, allowing administrators to load up and deploy actual historical attacks like WannaCry, Goldeneye or Haxdoor, or create new threats from scratch. Once loaded or created, those attacks can be sent against a protected network to probe for any vulnerabilities.

Crossbow is perhaps one of the most dangerous defensive programs that CSO has ever reviewed. All of the attacks that it can load or create are real, using actual techniques and tactics that have historically broken through cybersecurity defenses at many organizations. Only the payload is neutered, and even then, that part is optional. This makes Crossbow one of the most realistic tools out there for accessing, testing and managing vulnerabilities. To put it in perspective, Crossbow is much more akin to a live fire exercise in the military than a simulation, because the virtual threats Crossbow fires are real.

The engineers at SCYTHE created Crossbow to test three legs of cybersecurity defenses that exist at almost every organization: employees, security products and the IT staff. Campaigns can be crafted to test individual defenses, such as sending a phishing attack against employees to see how they react, or implanting a corrupt agent on a client machine using administrator credentials – to simulate a compromised admin account – and seeing how long it takes IT teams to notice and react. Because Crossbow provides real-world attack tools, simplified in an easy-to-use interface, campaigns can be created to test, and hopefully strengthen, any aspect of an organization’s cybersecurity.

The main interface of Crossbow most resembles a do-it-yourself malware attack kit, like the kind you might find or purchase on the dark web. But most of those only offer one or two attack methods. Crossbow seems to cover every vulnerability that can be used to infiltrate a network or compromise a host, and you can mix and match them as desired. When using a historical campaign, a couple clicks is all that is required to arm it.

John Breeden II/IDG

Building your own threat is not too much more difficult that picking a successful one from history. Everything is set up with easy-to-use building blocks, with no programming skill required. So, you can mix and match capabilities, such as installing a keylogger and then using HTTP or DNS to extract the data. Crossbow is well-versed in the most cutting-edge attacker techniques too, like using Twitter as a command and control server, or embedded images for malware delivery.

Even though the interface is extremely easy to use, the types of attacks that can be built and deployed through Crossbow are top-of-the-line, the stuff of nightmares for cyber defenders. Attacks can also be very tightly configured. For example, we could set up a malware strain that existed on keydrives, which could then be spread out in an employee parking lot to see how the staff would react. Another attack relied on tricking users into visiting a compromised website. Crossbow was extremely helpful in setting that site up, and loading it with the proper malware for the drive-by attack.

John Breeden II/IDG

Because attacks can be extremely targeted, Crossbow can be used to test either employees, existing IT tools, or the IT staff. For example, if you think that a new cybersecurity program is protecting your network against a certain type of attack, you can craft an attack and test it out. There is even a scheduling option, so you could test, for example, your marketing department the first week of every month and then engineering during week two.

John Breeden II/IDG

Crossbow is careful during the malware creation process. Most malware is deployed through agents, and they can be tightly configured. A good example is the ransomware agents that use encryption. They can be set to make good copies of all files that they encrypt for backup. Agents are also given a valid date range during their creation, so they can’t exist beyond whatever time you set as their expiration date, or before their start time. This way, should the unlikely scenario happen where the test malware cascades beyond the scope of the trial, it won’t last long in the wild, or while rampaging through your network.

Everything that the test attacks do to their targets is recorded by the main Crossbow console. Because successful attacks involve outbound communications, any data that arrives provides solid confirmation that an attack has been successful. We were able to witness everything that the malware was doing on a compromised server, including giving a view of the main display. If instead the attack is stopped, Crossbow will show what defensive program, device or administrator should get credit for the save.

John Breeden II/IDG

Crossbow’s form of vulnerability assessment is one of the most active, and arguably realistic, on the market. Instead of relying on simulations or network scans, it enables administrators to become penetration testers themselves, targeting advanced persistent threats like a laser aimed at any part of a network’s cybersecurity defenses. The only downside is that this requires active participation from administrators – someone must craft, plan, execute and monitor the attacks in order to generate that valuable data. If an organization already has a “red team” tasked with launching attacks, then Crossbow can simply become a huge force multiplier for them. Otherwise, someone will need to be put in charge of the attack-based testing.

Organizations that want to test their defenses against real-world threats in a safe environment should give Crossbow a try. Like a real crossbow, the program is a dangerous tool that can become an invaluable link in defenses when wielded by capable defenders.

More on vulnerability management

• How to build a top-notch vulnerability management program
• Vulnerability management: The basics
• Security and vulnerability assessment: 4 common mistakes
• What’s the difference between a vulnerability scan, penetration test and a risk analysis?
• Organizations get vulnerability maturity model