It’s All About Quality

June 28, 2011

I recently joined Core Security, and one thing that strikes me is the difference in philosophy and approach to the development of exploits between our solutions and others on the market. Core Security offers each customer peace of mind in knowing that there is a dedicated group of Core employees tasked with writing and continually testing the exploits in our products. Core Security doesn’t pay bounties to third parties in an effort to produce exploits. Instead, we’ve developed a systematic approach to in-house exploit development and testing that is superior in this industry.

For more than 10 years, Core Security has hired and maintained a full-time, in-house team of dedicated Exploit Writers and Testers focused on producing safe and reliable commercial-grade exploits. Our customers often cite our in-house CoreLabs R&D operation, our practice of anticipating future info security needs, and our dedication to innovation as key reasons for selecting Core Security’s solutions to carry out their proactive security testing and measurement efforts.

In this post, I’m going to talk about Core’s commercial-grade exploits and what we do to make them stable and consistent. I believe that our commitment to developing exploits in-house is one thing that separates our solutions from some other testing options. Furthermore, we maintain, update and improve our exploits as the product capabilities grow – so, for instance, they work while performing Man-in-the-Middle attacks over WiFi or when pivoting from multiple operating systems. It is for these reasons, and the reasons listed below, that Core Security’s approach to writing and testing and releasing exploits to our customers is the best in the industry.

It’s all about testing …

Our extensive library of exploits is continuously run through rigorous QA, using an effective combination of automated testing processes and close personal inspection. The testing teams work hard to reduce the chances that our exploits will have unpredicted or ancillary effects on tested systems or processes.

While the automation of testing for existing exploits is relatively easy, extensive testing of new, “work in progress” exploits is significantly harder and can only be done by hand. The Testing Team exhaustively tests the new exploits in a range of environments to eliminate or reduce the circumstances when those exploits could cause issues in the target environment.

It’s all about uptime …

The integrity of a system is directly related to its ability to operate in an unimpaired condition. Core Security’s exploits are written and tested to a commercial-grade standard, and our agents are designed with the same care. Core Security seeks to not disrupt the integrity of tested systems while running exploits, and successful exploits will automatically deploy a payload - the patented Core Agent. This agent can be deployed as memory-resident, file-based or persistent. Memory-resident agents are run in RAM, and they are automatically removed under a number of circumstances. These include events such as when a user issues a cleanup command, a user loses connection to the agent, or the compromised service or machine is restarted. File-based agents or Persistent agents can be copied to a target’s file system and can be removed using our solutions’ Clean-Up capabilities or by hand.

In the rare cases where the agent is maintained on a device after a test is completed, it is automatically erased from the system’s memory the next time the tested machine is rebooted (if it was memory resident). For file and persistent agents that were not cleaned up, it is not possible for anyone else to communicate with that agent due to the authentication that is performed between the Impact workspace and agents it has deployed. However, it is possible for Core Impact to reconnect to that exploit and “Clean Up.” Additionally, all information about how the agent was packaged is contained in the module logs of Core Impact solutions, providing enough information to remove the agent by hand.

It’s all about stability …

Some exploits - due to a factor of the vulnerability they are exploiting - could disrupt the stability of the targeted service. Consequently, while Core Security has a goal of providing only safe exploits, there occasionally is the potential to disrupt systems processes when executing some exploits. Before one of these specific exploits is executed, users are cautioned regarding the potential implications of running that exploit.

One goal of the Exploit Testing Team is to determine if an exploit will cause a loss of system stability. Of course, inadvertently putting a system into a degraded state during an assessment is typically not part of the Scope of Work of most security test and measurement assessments. Core Security therefore offers customers the peace of mind to know that our exploits are thoroughly tested, and that we have minimized the likelihood of crashing systems or making services unavailable.

It’s all about cleaning up …

Another common concern of security testers is ensuring that any agents/payloads that they deploy will not establish a path by which attackers could someday find their own way into an organization’s networks or systems. During the penetration test, our product design of mutual authentication does not permit backdoor entry. And after the test is over, if communication with a file-based or persistent agent is lost, it is possible to reconnect to that running agent and issue the “Clean Up” command. Furthermore, Core’s products log all of their activities, meaning that agents can be easily found in the event that a manual clean up is required.

It’s all about trust [but verify] …

Over the years, many of our customers – including large US Federal Agencies – have conducted independent code reviews of our products to confirm their safety and predictability in sensitive IT environments. To my knowledge, these reviews have always resulted in the organization deciding to implement the solution.

It’s all about making the best use of your time …

What is most revealing about Core Security’s products is that they make an expensive, time-consuming and potentially disruptive process quicker, safer and easier. While it might be possible to replicate the results provided by a Core Security product by hand (a highly skilled and trained hand), it’s clear to me that a better use case is to have that “skilled hand” use a commercial-grade product that stabilizes, standardizes and automates tasks that were previously resource-intensive and potentially risky – allowing them to focus their attention on those aspects of testing that benefit from a “wetware” based approach. As such, our customers don’t have to worry about the stability and security of exploits emanating from the public domain. Instead, they gain consistent and repeatable real-world testing capabilities – and they free up bandwidth to focus on really tricky things that are best suited to the human mind.

-- Brian Curry, Product Marketing Manager
