All the Cool Kids Are Red Teaming Should You Be Drinking the Kool-aid Too?

Similar documents
IMEC Cybersecurity for Manufacturers Penetration Testing and Top 10

SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)

n Explain penetration testing concepts n Explain vulnerability scanning concepts n Reconnaissance is the first step of performing a pen test

How Breaches Really Happen

The Rise of the Purple Team

Protect Your Organization from Cyber Attacks

Cybersecurity Today Avoid Becoming a News Headline

Building Resilience in a Digital Enterprise

Choosing the Right Security Assessment

Security!Maturity Oc O t c o t b o er r 20 2, 0,

Vulnerability Assessments and Penetration Testing

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Cyber Security Audit & Roadmap Business Process and

ICS Penetration Testing

Cybersecurity The Evolving Landscape

An ICS Whitepaper Choosing the Right Security Assessment

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

Security Testing. - a requirement for a secure business. ISACA DAY in SOFIA. Gabriel Mihai Tanase, Director, Cyber Services KPMG in CEE

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

Department of Management Services REQUEST FOR INFORMATION

CASE STUDY. How 16 Penetration Tests Missed A Vulnerability Which Could ve Cost One Company Over $103 Million In PCI Fines

Penetration testing a building automation system

SECURITY AUTOMATION BEST PRACTICES. A Guide to Making Your Security Team Successful with Automation

Becoming the Adversary

to Enhance Your Cyber Security Needs

Live Adversary Simulation: Red and Blue Team Tactics

CYBER RESILIENCE & INCIDENT RESPONSE

Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting

CYBERSECURITY PENETRATION TESTING - INTRODUCTION

WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

RiskSense Attack Surface Validation for IoT Systems

How Cyber-Criminals Steal and Profit from your Data

External Supplier Control Obligations. Cyber Security

SECURITY AUTOMATION BEST PRACTICES. A Guide on Making Your Security Team Successful with Automation SECURITY AUTOMATION BEST PRACTICES - 1

Transforming Security from Defense in Depth to Comprehensive Security Assurance

Building a Resilient Security Posture for Effective Breach Prevention

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com

SECURITY TESTING. Towards a safer web world

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Cyber Security. Building and assuring defence in depth

10 FOCUS AREAS FOR BREACH PREVENTION

Cyber Protections: First Step, Risk Assessment

Managing an Active Incident Response Case. Paul Underwood, COO

RastaLabs Red Team Simulation Lab

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Machine-Based Penetration Testing

An Operational Cyber Security Perspective on Emerging Challenges. Michael Misumi CIO Johns Hopkins University Applied Physics Lab (JHU/APL)

CompTIA. PT0-001 EXAM CompTIA PenTest+ Certification Exam Product: Demo. m/

Nebraska CERT Conference

Readiness, Response & Resilence:

Think Like an Attacker

Operationalizing the Three Principles of Advanced Threat Detection

Advanced Security Tester Course Outline

Train as you Fight: Are you ready for the Red Team?

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

Insiders: The Threat is Already Within

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Today s Security Threats: Emerging Issues Keeping CFOs Up at Night Understanding & Protecting Against Information Security Breaches

Cloud Transformation Program Cloud Change Champions June 20, 2018

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

Penetration Testing: How to Test What Matters Most

CYBERSECURITY MATURITY ASSESSMENT

Cybersecurity for Service Providers

Thanks for attending this session on April 6 th, 2016 If you have any question, please contact Jim at

Device Discovery for Vulnerability Assessment: Automating the Handoff

Application Security Approach

RSA IT Security Risk Management

Machine-Based Penetration Testing

National State Auditors Association Vulnerability Management: An Audit Primer September 20, 2018

Doxxing, Dissidents, And. Digital Extortion. Fortify Your Digital Risk Defenses. Nick Hayes, Senior Analyst

SAP Cybersecurity Solution Brief. Objectives Solution Benefits Quick Facts

Don t blink or how to create secure software. Bozhidar Bozhanov, LogSentinel

Take Risks in Life, Not with Your Security

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

Sage Data Security Services Directory

Reinvent Your 2013 Security Management Strategy

Is Your z/os System Secure?

To Audit Your IAM Program

SHARE Session Protecting Critical Data on a z/os Mainframe: A New Attitude

2018 GLOBAL CHANNEL PARTNER SURVEY THYCOTIC CHANNEL PARTNER SURVEY REPORT

Lessons Learned from 4,000 Security Assessments. Sadik Al-Abdulla Security Practice Director, CDW

Trustwave Managed Security Testing

how dtex fights insider threats

whitepaper How to Measure, Report On, and Actually Reduce Vulnerability Risk

ANATOMY OF AN ATTACK!

THE CLOUD SECURITY CHALLENGE:

A Risk Management Platform

Incident Scale

RELEVANT IMPACT: Building a Successful Threat Management Program. NTX ISSA 3 rd Semi-Annual Cyber Security Conference

FTA 2017 SEATTLE. Cybersecurity and the State Tax Threat Environment. Copyright FireEye, Inc. All rights reserved.

Chapter 5: Vulnerability Analysis

Think Like an Attacker

align security instill confidence

Data Breach Preparedness & Response

Data Breach Preparedness & Response. April 16, 2015 Daniel Nelson, C EH, CIPP/US Lucas Amodio, C EH

Transcription:

All the Cool Kids Are Red Teaming Should You Be Drinking the Kool-aid Too? Exploring Different Approaches to Penetration Testing Cara Marie NCC Group ISSA-LA Aug 2017

Obligatory About Me NCC Group Principal Security Consultant Pentested numerous networks, web applications, mobile applications, etc. Hackbright Graduate Ticket scalper in a previous life @bones_codes cara.marie@nccgroup.com Not me, but sometimes I channel her ;)

Why? 1. What are your most important assets in your company? 2. How would an attacker get access to them? Likely not through a single system or application probably through a combination of things 3. Hence Red Team

Red Team Benefits Understand the impact of a security breach Identify weaknesses in development and testing processes Test incident response capabilities Demonstrate security controls justify security spending

Nobody likes a sad panda...

Security Assessment Flavors Vulnerability Assessment Penetration Test Red Team

Breadth Vulnerability Assessment Penetration Test Depth Red Team

Threat Model (environment, system, application, etc.) 1

Hard Candy Outside, Soft Gooey Center Guaranteed results from an external-only approach to security

Insider Threats Employee Third-party Contractor Client Deliberate / Malicious Compromised / Accidental

Trust your employees, but don t allow unrestricted access across the organization

Threat Model (environment, system, application, etc.) 1 2 Vulnerability Assessment

Vulnerability Assessment Identify as many vulnerabilities as possible Prioritize these vulnerabilities for remediation Goals / Purpose Exploitation is NOT a requirement

BUILD YOUR DEFENSE

We Run [INSERT VULN SCANNER] We Don t Need A Pentest Yes, this is an argument I ve heard...

Gaps in Automated Vulnerability Scanning Ratings lack context Risk ratings can be wrong/misleading More noise than signal (if misconfigured) Encourages set-and-forget

Threat Model (environment, system, application, etc.) 1 Penetration Test 2 Vulnerability Assessment 3

Trust but VERIFY

Penetration Test Goals / Purpose Assess the risk of compromise Scoped to specific environment, system or application Does NOT provide an accurate demonstration of incident response systems

Last Hackers movie reference I promise...

A penetration test is, in the simplest of terms... Systems = Infra + App PT = Systems (Discovery + Exploitation) - For the Win!

Default credentials + HTTP PUT method against */* excellent configuration ESPECIALLY when exposed to the Internet...

Profit!

Red Team Assess end-to-end modeling of real-world threat actor techniques, tactics and procedures Identify and emulate attack path(s) Goals / Purpose Provides realistic assessment of incident response systems

Threat Model (environment, system, application, etc.) 1 Penetration Test 2 3 Vulnerability Assessment * Depending on the results of previous assessments 4 Red Team *

Red Team Phases Attacker Modeled Pentest Open Source Intelligence (OSINT)

OSINT (Recon)...data collected from publicly available sources to be used in an intelligence context.

Red Team Phases Attacker Modeled Pentest Open Source Intelligence (OSINT) Social Engineering, i.e. phishing

One of the better (if not the best) social engineering attacks Social Engineering The clever manipulation of the natural human tendency to trust.

Why phishing? 100% of the time, phishing works everytime Gain an idea of risk Improve user awareness Test internal processes

Red Team Phases Attacker Modeled Pentest Open Source Intelligence (OSINT) Social Engineering, i.e. phishing Physical Penetration Test (optional)

Physical Security Who s watching the watchers?

Getting In The trick is to look the part, act like you belong confidence gets you everywhere

Bypassing right to exit heat sensors from the wrong side

Red Team Phases Attacker Modeled Pentest Open Source Intelligence (OSINT) Social Engineering, i.e. phishing Physical Penetration Test (optional) Network Penetration Test (NPT)

I googled Hacker Ninja and this is what I got :/

Interesting deprecated service...

Define a job and profit!

Red Team Roadmap OSINT / Recon Social Engineering / Physical Intrusion Use Privileges Profit Escalate Privileges

Threat Model (environment, system, application, etc.) 1 Penetration Test 2 3 Vulnerability Assessment * Depending on the results of previous assessments Repeat Annually 4 Red Team * 0

Conclusion Drink the koolaid but only once the security program is mature enough to handle it. Benefits Round 2 The Final Round: Understand the impact of a security breach Identify weaknesses in development and testing processes Test incident response capabilities Demonstrate security controls justify security spending

Questions? @bones_codes cara.marie@nccgroup.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback