As we noted earlier this week, there’s been a lot of action in the information-security industry around automation of tasks that typically get labelled as either penetration testing or “red teaming.” The two are related but not quite the same—and there are obvious limits on how much can be passed off to an “as-a-service” type solution. But Ars has been looking at some of the early movers in security-testing tools for some time, and one is about to put a totally different spin on what “as-a-service” can do.
Penetration testing generally involves checking systems for vulnerabilities that can be exploited to gain access. Red teaming, on the other hand, tests the full spectrum of security by introducing human elements—social engineering with crafted phishing messages, exploiting information for further attacks, and the like. While they can benefit from automation, those are things that can’t be fully passed off to a bunch of software robots in the cloud.
Scythe, a software company that spun out of the security-testing company Grimm, has been working for the past few years on a platform that allows corporate information-security teams to build security-testing campaigns—creating “synthetic malware” and crafting phishing campaigns or other attacks that mimic the techniques, tactics, and practices of known threat groups. And unlike some of the automated penetration-testing or threat-simulation products out there, Scythe retains the human in the loop—making it a useful tool to both internal security testers and external “red team” consultants.