Penetration Testing

SureCloud responds to the public release of Pen Testing Tool, Modlishka
Written by Adam Govier

Published on 20 Jan 2019


Our Principal Cybersecurity Consultant, Adam Govier, was recently approached to provide commentary in response to the public release of the penetration testing tool, Modlishka.

Modlishka, a point-and-click phishing kit designed to bypass 2FA, has been released on GitHub by its developer.

What is the effect of penetration testing tools such as these being released into the public domain where they can be used by the black as well as white hats – do the benefits outweigh the risks in your opinion? And what are the benefits and risks involved?

Regardless of the purpose of many security tools that are released either open-source or commercially, there will always be a split between black-hat and white-hat usage. Where penetration testing tools, such as this phishing tool, are released to the public, this can open the door to organizations (that may not have granular and subject-matter expertise) to perform their own internal phishing engagements, or for third-party security professionals to perform these sorts of assessments more easily. The tools that are released by security researchers are always the ‘tip of the iceberg’ in relation to what is already used by black hats. Many hacking organizations would already have some sort of framework or process for performing spear-phishing or mass-phishing attacks with relative ease, so this would, of course, allow them to implement this within their arsenal; however, the Modlishka toolset (and others like it) would more than likely be used by white hats and their red teams.

However, there are certainly still real-world risks associated with releasing security frameworks and tools. The first and foremost is opening the door to wider threat actors due to the simplicity of the setup and execution of tools such as the Modlishka phishing framework. For any attackers actively deploying a phishing campaign, there are already many pathways, tools, and other resources available online to provide a baseline for these engagements.

Overall, I would say that the benefits of these penetration testing tools being released open-source far outweigh the potential risks associated with them, primarily because security professionals of all experience levels now have the ability to see what is possible, can repeat the attack process themselves and actively implement a mitigation plan following this.

What should enterprises be doing to ensure that their networks are not susceptible to exploit kits such as Modlishka?

Modlishka, or similar penetration testing tools, are, at the heart of it, simply phishing platforms. There are many different systems out there that provide some form of website duplication functionality, and others that can handle two-factor authentication forwarding or code harvesting. The main mitigation that organizations can implement is a strong internal security awareness programme. Educating staff about the risks, ideally with examples of an attack, can greatly improve the baseline security posture of your organization. Users should ensure that they check the URLs of the pages they are visiting, comparing the expected URL against the one shown in the browser. They should also be made aware when emails are sent from an external domain, in case an attacker is emulating a corporate resource; a technical control for this can be integrated via an email rule that prepends an email’s content with “THIS IS AN EXTERNAL EMAIL” or something similar.

Multi-factor authentication is a must-have in organizations that value a strong security posture. There is also a multitude of third-party solutions that aim to aid in phishing mitigation, such as checking the sender’s email address against threat-intelligence feeds or honeypot email addresses. Some web browsers also have an integrated ‘bad domain’ check, where any untrusted domains or websites reported as being a security risk present a warning message to the user.
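Two of the controls described in the answer above, the URL comparison users are asked to make and the mail rule that prepends an external-email banner, as an added Python example (this is not SureCloud's or Modlishka's code; every domain name and message in it is a constructed placeholder):

```python
# Added example (not SureCloud's or Modlishka's code). Two defender-side checks
# from the interview: a URL/host comparison and an external-email banner rule.
# All domain names below are constructed placeholders.
from urllib.parse import urlsplit


def classify_url(url: str, expected_host: str) -> str:
    """Compare the host a user actually landed on with the login host they expect.

    Returns "expected" for the exact host or a subdomain of it, "lookalike" when a
    label of the expected host (e.g. the brand name) is buried inside some other
    domain, which is how a reverse-proxy phishing page typically presents itself,
    and "unrelated" otherwise.
    """
    if "//" not in url:                  # tolerate a bare host pasted from a browser
        url = "//" + url
    host = (urlsplit(url).hostname or "").rstrip(".")   # hostname is already lower-case
    expected = expected_host.lower().rstrip(".")
    if host == expected or host.endswith("." + expected):
        return "expected"
    # e.g. "login" and "example" from login.example.com; short TLD-like labels skipped
    brand_labels = [label for label in expected.split(".") if len(label) > 3]
    if any(label in host for label in brand_labels):
        return "lookalike"
    return "unrelated"


def tag_external_email(sender: str, subject: str, body: str, internal_domain: str,
                       banner: str = "THIS IS AN EXTERNAL EMAIL") -> tuple[str, str]:
    """Mail-rule control from the interview: prepend a banner when the sender's
    address domain is not the internal domain or one of its subdomains.

    Only the address inside <...> is inspected, so a display name that spells the
    corporate domain does not make the message count as internal.
    """
    address = sender.rsplit("<", 1)[-1].rstrip(">").strip()
    domain = address.rpartition("@")[2].lower().rstrip(".")
    internal = internal_domain.lower().rstrip(".")
    if domain and (domain == internal or domain.endswith("." + internal)):
        return subject, body
    return f"[EXTERNAL] {subject}", f"{banner}\n\n{body}"


if __name__ == "__main__":
    for url in ("https://login.example.com/sso",
                "https://login.example.com.evil-proxy.test/sso",
                "https://docs.python.org/"):
        print(f"{url:50} -> {classify_url(url, 'login.example.com')}")
    print(tag_external_email("IT Support <it@login.example.com.evil-proxy.test>",
                             "Reset your password", "Click here", "example.com")[0])
```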

Learn more about SureCloud’s Cybersecurity Services here.