Analysis and testing
This is – or can be – a very broad category. This year we looked the landscape over pretty closely and we saw a lot of the same things we've seen in previous years. Most vulnerability assessment (VA) and penetration testing tools look pretty much like they did for the past few years. And, while they certainly are effective, they showed no particular innovation.
Then we moved on to forensic tools, a perennial favourite of ours. Same story there. Nothing jumped out at us until we dug a bit deeper and came up with our Innovator for this year. Going back to the vulnerability assessment, we looked at some point solutions to single problems. How about web VA?
Vulnerability assessment and penetration of websites is not particularly unheard of so we didn't expect much until we remembered that we had tested a unique combination of cloud-based vulnerability assessment and human pen testing. We were quite pleased with the outcome of that test so we brought them in this year – innovative because of the way they approach the problem more than what they do (although that's pretty cool as well).
Analysis and testing can, as you see, take a lot of different forms. There are a lot of tools that do the routine tests and some do those tests on steroids – Metasploit and Core Security come to mind in the area of pen testing for example – but we look for original thinking not just mass appeal. That brought us to the two products we review this year.
Another issue we came up with was the notion of innovation, not just in the products, but in the company and the go-to-market strategy. If you are a new and/or small company, you are fighting the big dogs and you need to be crafty. In the case of the products we selected, that part of the innovation picture was a real deal-maker for us. These two companies certainly are crafty in getting their products in front of potential customers. So, with all of that in mind, let's dive into testing and analysis.
Flagship product: IXTK (Internet Examiner Toolkit)
Innovation: Building a forensic tool set that covers all aspects of an internet-based investigation, all in a single, well-constructed and well-presented toolkit.
Greatest strength: Breadth of coverage for an internet-based investigation.
This really is a Swiss Army knife of cyber-forensic tools. It is designed from the ground up to perform a complete digital forensic investigation. It looks at the computer, mobile devices, the internet, social media sites, the works. Not only is IXTK (Internet Examiner Toolkit) as complete as any we've seen, but the company also takes the position that new forensic examiners might not be fully comfortable with a new tool beyond the tool set on which they learned.
One thing we found surprising is that this Innovator, in order to provide up-and-coming forensic practitioners with new skills, has an Academic Training Partner program with software licencing at no additional cost. A single one-time hardware cost (e.g., a dongle) is the only requirement for classroom and individual instructor licencing. The minimal cost includes certification, which students can take with them into the workplace at no additional cost. This will help SiQuest develop a base of practitioners who are trained and certified on the tool kit.
When we looked at the updates to IXTK over the past year we found them remarkable for several reasons. First, there are a lot of them. Given that this is a very small company with limited resources, we found that the productivity of the development team exceeds what we've seen in far larger companies. The second pleasant surprise was the nature of the updates. One does not expect to see, all in the same tool kit, such things as downloading of YouTube videos, the Cisco Web Classifications standard for categorisation of URLs, and access to Google Maps along with parsing of latitude and longitude.
Another interesting function is its ability to build a dictionary of internet search terms derived from recovered cache and history files. Of course, we see the usual functions that one would expect, such as parsing of Kik Messenger. But we also found that this Innovator has added user-defined proxy server settings for IXTK's built-in Chromium browser (to hide the examiner's IP address) for covert online investigations. That's a really nice feature for doing online investigations. Overall, we were pleased at how this product has progressed and impressed that, for its size, SiQuest has been so effective in its go-to-market strategy.
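As an added illustration of the two functions mentioned above (a search-term dictionary built from recovered history entries, and latitude/longitude parsing from map URLs), here is a small Python implementation. This is example code, not SiQuest's or IXTK's; the page does not describe how IXTK parses these artifacts. The engine-to-parameter table, the coordinate pattern and the history lines are constructed assumptions for the example.

```python
"""Build a search-term dictionary and a location list from recovered browser history URLs."""
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Query-string parameter that carries the user's search phrase on common engines.
# Assumption for this example: a real tool would carry a much larger, maintained table.
SEARCH_PARAMS = {
    "www.google.com": ("q",),
    "www.bing.com": ("q",),
    "duckduckgo.com": ("q",),
    "search.yahoo.com": ("p",),
    "www.youtube.com": ("search_query",),
}

# Google Maps style "@lat,lon,zoom" path segment, e.g. /maps/@51.5074,-0.1278,12z
COORD_RE = re.compile(r"@(-?\d{1,3}\.\d+),(-?\d{1,3}\.\d+)")
WORD_RE = re.compile(r"[a-z0-9']+")


def extract_search_terms(url):
    """Return the normalised search phrase encoded in a URL, or None if it is not a search."""
    parts = urlparse(url)
    params = SEARCH_PARAMS.get(parts.netloc.lower())
    if not params:
        return None
    # parse_qs already decodes '+' and %XX escapes, so no second decoding pass is needed
    qs = parse_qs(parts.query)
    for name in params:
        if name in qs and qs[name][0].strip():
            return qs[name][0].strip().lower()
    return None


def extract_coordinates(url):
    """Return (lat, lon) as floats if the URL carries plausible map coordinates, else None."""
    m = COORD_RE.search(url)
    if not m:
        return None
    lat, lon = float(m.group(1)), float(m.group(2))
    # Reject values outside the valid ranges rather than recording garbage as a location
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        return None
    return lat, lon


def build_search_dictionary(history):
    """history: iterable of (timestamp, url) pairs recovered from cache/history files.

    Returns (phrase_counts, sorted_distinct_words, [(timestamp, (lat, lon)), ...]).
    """
    phrases = Counter()
    words = set()
    locations = []
    for ts, url in history:
        term = extract_search_terms(url)
        if term:
            phrases[term] += 1
            words.update(WORD_RE.findall(term))
        coords = extract_coordinates(url)
        if coords:
            locations.append((ts, coords))
    return phrases, sorted(words), locations


# Constructed sample history entries; not real data.
SAMPLE_HISTORY = [
    ("2016-03-01T09:12:03", "https://www.google.com/search?q=ferry+timetable+dover&oq=ferry"),
    ("2016-03-01T09:15:40", "https://www.google.com/maps/@51.1279,1.3134,14z"),
    ("2016-03-01T10:02:11", "https://www.bing.com/search?q=Ferry%20Timetable%20Dover"),
    ("2016-03-02T18:45:00", "https://duckduckgo.com/?q=cheap+flights+lisbon&t=h_"),
    ("2016-03-02T18:47:22", "https://www.youtube.com/results?search_query=lisbon+travel+guide"),
    ("2016-03-03T07:30:09", "https://example.org/about"),
    ("2016-03-03T07:31:50", "https://www.google.com/maps/@999.0,1.0,12z"),  # out of range, ignored
]

if __name__ == "__main__":
    phrases, words, locations = build_search_dictionary(SAMPLE_HISTORY)
    for phrase, n in phrases.most_common():
        print(f"{n:3d}  {phrase}")
    print("words:", words)
    print("locations:", locations)
```

The same phrase typed into two different engines is counted once per visit under one normalised key, which is the behaviour an examiner usually wants when judging how persistent an interest was; the distinct-word list is the flat dictionary that can be fed to keyword searches across the rest of the image.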
Vendor: High-Tech Bridge
Flagship product: ImmuniWeb
Price: £392 per assessment (on-demand packages); £785 per month (24/7 continuous packages).
Innovation: Hybrid automated and manual web vulnerability assessment and penetration testing using next-generation computing techniques.
Greatest strength: Speed and ease with which they conduct their testing, coupled with accuracy and superior support.
To our mind, this company epitomises what we mean by an ideal mix of next-generation techniques and the use of the human brain. On its website High-Tech Bridge says its ImmuniWeb “combines the power of Machine Learning and the genius of human brain”. That, in our view, is what computing is all about. Let the computer do what it does well and the human do what the human does well. ImmuniWeb performs vulnerability assessment with or without the aid of the customer and then hands its results off to analysts at High-Tech Bridge.
From the business perspective, High-Tech Bridge is equally innovative. This Innovator's approach is to provide access to their machine learning portal 24/7. Their delivery method is unique: unlimited customer access. On the technical side, they apply machine learning and neural networks. This allows them to provide penetration testing with far less human interaction than is needed for typical complete pen tests, because part of what a human pen tester would do is carried out by machine learning. Of course, humans still need to be involved due to business and legal requirements and the complexity of security testing. That means the machine does the grunt work while the human, with the help of the next-generation computing power, does the thinking.
Staying current has always struck us as a challenge in penetration testing and vulnerability assessment. However, this Innovator takes the approach that there is nothing really new. There may be a few new vectors, but basic attack families change more slowly.
They try to make comprehensive collections of possible scenarios. This really is not particularly hard because of the relatively static state of attack types and families. The more likely problem is new vulnerabilities introduced by developers or customers as they update their web apps.
This Innovator tries to share knowledge with specialised groups and talks to partners and customers to gain as much threat intelligence as possible. That kind of sharing, of course, is most useful because, as we all realise, not everyone knows everything. We interacted with this vendor on a live production test and the results were excellent. But they were nothing like we expected or had experienced before. That's innovation in this business.