Penetration Testing Fundamentals
February 1, 2017
Presented by Mike Weber, VP, Coalfire
Housekeeping • Submit questions during the webinar using the question area in the control panel on the right side of your screen. • We will answer as many questions as possible during the Q&A portion of the webinar until the top of the hour. We respond to all remaining questions via email after the webinar. • Attendees will receive a PDF of the slide presentation and a link to the recorded webinar.
Coalfire at a Glance • Thought leader and trusted advisor in the fast-growing cybersecurity market • More than 1,400 customers across a broad set of industry sectors • More than 500 employees in 12 locations in North America and Europe • A sophisticated portfolio of cyber risk advisory and assessment services • Industry-leading ethical hacking and technical testing team • Cyber solution selection and design services to optimize overall security environment • Cloud-based CoalfireOne℠ Enterprise Risk and Compliance Platform, used by more than 800 clients • Backed by the Carlyle Group and Chertoff Group
Technical Testing Capabilities
Offensive Capabilities
• Network penetration tests
• Red team operations
• Application/mobile testing
• Physical and social engineering
Defensive Capabilities
• Vulnerability assessments
• Threat hunt operations
• Digital/Data Forensics
• Assessment program accelerators
• Tools development
Thought Leadership
• Cortana Pack
• CrackMapExec
• Doozer
• Egress-Assess
• Empire
• Eyewitness
• Hashbot
• KrbCredExport
• Malleable C2 profiles
• Minions
• PowerSploit
• PowerTools
• PowerForensics
• Uproot
• Veil-Evasion
Speaker Introduction: Mike Weber, VP, Coalfire. Mike Weber oversees operations, including penetration testing, application security assessments and compliance validation, digital forensics services, and incident response services, for Coalfire. He has more than 18 years of experience in senior security positions in various technical fields, including enterprise security planning and policy development, network engineering, vulnerability assessment, risk assessment, penetration testing, system administration, and programming. He is an expert in the development and management of information security programs tailored to highly regulated industries such as government, healthcare, banking, and utilities.
Agenda • What Is A Vulnerability Assessment? • What Is Penetration Testing? • Types Of Penetration Tests • Know Your Pen Tester • Testing “Maturity Model”
Time To Discover A Breach (chart slide)
Learning About A Breach (chart slide)
First Things First… Engaging in technical testing means: • Unexpected traffic will be generated! • There will be impact. • There may be disruption. Prerequisites for any engagement: • Define scope • Vet methodologies with client • Approve access to systems • Establish dates and times • Exchange contact information
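The prerequisites above (scope, approved access, agreed dates and times, and the exclusion lists that come up later in the deck) are the rules of engagement, and a tester should enforce them in tooling rather than in memory. The gate below is an added example written for this page, not Coalfire tooling or anything from the webinar: it refuses any target that is not explicitly in scope, that appears on the exclusion list, or that is tested outside the approved window. The scope ranges (TEST-NET addresses), the exclusion entries, and the after-hours window are all constructed for illustration.

```python
"""Rules-of-engagement gate: refuse to touch a target that is outside the agreed
scope, on the exclusion list, or outside the approved testing window.

Added example for this deck, not Coalfire tooling. The scope ranges, exclusion
entries and testing window below are constructed (TEST-NET addresses)."""
import ipaddress
from datetime import datetime, time, timezone

# Constructed engagement definition; a real one is transcribed from the signed scope document.
ENGAGEMENT = {
    "in_scope": ["203.0.113.0/24", "198.51.100.10/32"],   # approved ranges
    "excluded": ["203.0.113.5", "203.0.113.250/31"],      # exclusion list / known-fragile hosts
    "window_utc": (time(22, 0), time(5, 0)),              # after-hours window, wraps midnight
    "allowed_days": {0, 1, 2, 3, 4},                      # Monday..Friday, as datetime.weekday()
}


def _as_utc(when):
    """Accept an ISO-8601 string or a datetime; naive values are taken as UTC."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if when.tzinfo is None:
        return when.replace(tzinfo=timezone.utc)
    return when.astimezone(timezone.utc)


def in_window(when, window, allowed_days):
    """True if `when` falls inside the approved window. A window whose start is
    later than its end (22:00 to 05:00) wraps midnight, so the weekday that
    matters is the one on which the window started."""
    when = _as_utc(when)
    start, end = window
    t = when.time()
    if start <= end:                                   # same-day window
        return start <= t <= end and when.weekday() in allowed_days
    if t >= start:                                     # evening half, started today
        return when.weekday() in allowed_days
    if t <= end:                                       # morning half, started yesterday
        return ((when.weekday() - 1) % 7) in allowed_days
    return False


def check_target(target, when, engagement=ENGAGEMENT):
    """Return (allowed, reason). Exclusions win over in-scope ranges, and anything
    not explicitly in scope is denied rather than assumed."""
    addr = ipaddress.ip_address(target)
    if any(addr in ipaddress.ip_network(n, strict=False) for n in engagement["excluded"]):
        return False, f"{target} is on the exclusion list"
    if not any(addr in ipaddress.ip_network(n, strict=False) for n in engagement["in_scope"]):
        return False, f"{target} is not in the approved scope"
    if not in_window(when, engagement["window_utc"], engagement["allowed_days"]):
        return False, f"{_as_utc(when).isoformat()} is outside the approved testing window"
    return True, "ok"


def filter_targets(targets, when, engagement=ENGAGEMENT):
    """Split a candidate target list into what may be tested now and what must not be."""
    allowed, denied = [], []
    for t in targets:
        ok, why = check_target(t, when, engagement)
        (allowed if ok else denied).append((t, why))
    return allowed, denied


if __name__ == "__main__":
    now = "2017-02-01T23:30:00+00:00"                  # a Wednesday night, inside the window
    ok, bad = filter_targets(["203.0.113.7", "203.0.113.5", "192.0.2.1", "203.0.113.251"], now)
    for t, why in ok + bad:
        print(f"{t:16} {why}")
```

Two design points matter here: the exclusion list is checked before the in-scope list, so a fragile host inside an approved range still cannot be touched, and a wrapping after-hours window is attributed to the day it started, so 02:00 on Saturday is still Friday night's window while 23:30 on Saturday is not.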
Vulnerability Assessment
What’s A Vulnerability Assessment? • A vulnerability assessment is not a penetration test. • It’s a testing process that identifies components with known flaws within an organization’s IT infrastructure and applications. • The goal of a vulnerability assessment is to prioritize remediation as part of an organization’s vulnerability management program.
Vulnerability Assessment
Scoping
• Technical information
• Number of systems
• Physical locations
Methodology
• Technical tool delivery
• Vulnerability scanner-driven
• Machine-identifiable vulnerabilities
• Standardized vulnerability ranking
Considerations
• Credentialed or uncredentialed?
• Wireless included?
• Working hours or after hours?
• Exclusion lists / known issues?
• Data destruction policies?
[Generalized] Methodology • Engagement Planning • Vulnerability Analysis • Reporting
Vulnerability Assessment Key Takeaways • Defines scope based on systems to be assessed • Mostly uses automated scanners • Discovers known vulnerabilities • Finds only technical shortcomings • Provides tactical recommendations in a lengthy report • Facilitates internal security management processes
Penetration Testing
What Is A Penetration Test? • A penetration test is a real-world attack performed by security experts on a company’s IT infrastructure to discover exploitable security flaws. • Ultimately, a penetration test is a security professional emulating a threat, acting on the attack surface with one or more attack vectors that comprise an “attack scenario.” • The goal of a professional pen test is to discover vulnerabilities so they can be addressed and remediated before the “bad guys” find them and exploit them.
Penetration Test
Scoping
• Scoped based on test objectives and environment to be tested
• Number of systems / physical locations
• Different testing objectives necessitate different levels of effort
Methodology
• Delivery augmented with technical tools, but this is not the primary driver
• Human-driven
• Finds technical and logical vulnerabilities
• Findings ranked based on impact
• Results in a “time-box”
Considerations
• Narrow or broad scope?
• Working hours or after hours?
• Exclusion lists / known issues?
• Impact on response teams
• Data destruction policies?
Penetration Testing Key Components • Threat Emulation • Attack Surface • Attack Vectors • Attack Scenarios • Methodology
Threat Emulation Defined: What’s dangerous? Your adversary: • Anonymous attackers • Trusted third-parties (vendors, integrators) • Malicious / compromised customers • Malicious insiders • Non-malicious insiders
Attack Surface Defined: What can be attacked? • Network gear • Wireless • Security appliances • Applications • Operating systems • Workstations • “People” / “processes” • Facilities • Databases
Attack Vectors Defined: Ways to attack something • Operating system vulnerabilities • Brute force attacks • Denial of service • Physical access / forensics • Phishing • Application flaws • Business logic flaws
Attack Scenarios Defined: Emulation of a threat carrying out a given attack vector on an attack surface. • External “anonymous” attacker finding web application vulnerabilities in an organization’s publicly accessible web application. • Attacker who has a foothold on an internal device and is sniffing the network to capture password hashes or other sensitive data. • Compromised third party with access to part of the environment, who then attacks what can be “seen” through a limited access environment. • External attacker attempting to gain a foothold on a user-level workstation or account through phishing campaigns delivering malware.
[Generalized] Methodology • Engagement Planning • Reconnaissance / OSINT • Attack Planning / Threat Modeling • Vulnerability Analysis • Exploitation • Post-Exploitation • Reporting
Pen Test vs. Vulnerability Assessment • A vulnerability assessment (scan) is “an inch deep and a mile wide.” • A penetration test is the opposite: a narrow focus, specific to the client, taking exploitation to the furthest extent possible.
Methodologies Compared
Penetration Testing
• Engagement Planning
• Reconnaissance / OSINT
• Attack Planning / Threat Modeling
• Vulnerability Analysis
• Exploitation
• Post-Exploitation
• Reporting
Vulnerability Assessment
• Engagement Planning
• Vulnerability Analysis
• Reporting
Types of Penetration Tests • Network Penetration Test • Application Penetration Test • Appliance / Internet of Things (IoT) Penetration Test • Enterprise Penetration Test • Red Team • Reverse Engineering / Zero-day Research*
PENETRATION PENETRA TION TEST TYPES
Network Penetration Test: Attacks against operating systems, services, and infrastructure that support an organization • Threat emulated – External: anonymous attackers across the Internet – Internal: adversaries that have gained access to the internal environment • Attack surface – Operating systems – Infrastructure – Commercial off-the-shelf (COTS) products
Application Penetration Test: Attacks against an application and its supporting infrastructure with the objective of gaining enhanced access or privileges to the application • Threat emulated: credentialed and uncredentialed adversaries • Attack surface: the accessible portions of an application
Appliance / Embedded / IoT: An attack against a physically or logically deployed product and its supporting infrastructure with the objective of compromising the system or negatively impacting the integrity of the solution for others • Threat emulated: an attacker that has gained physical access to a device • Attack surface: the physical and logical devices, network connectivity to the device, and backend systems
Enterprise Penetration Test: Attacking all of an organization’s attack surface – including the technology, people and processes that support it – with the objective of gaining as much access as possible in each scenario. • Threat emulated: unique per each selected scope • Attack surface: specified by client, thorough testing, includes all appropriate attack vectors • Approach: covert or cooperative • Comprehensive service
Red Team Operations • Emulate the tactics of real-world threat actors • Training of Blue Team / Incident Response staff • Actively exercise the full incident response loop • Gauge minimum time to detect, minimum time to recover • Post-exploitation offensive data analysis
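"Time to detect" and "time to recover" only mean something if the blue team's tickets can be tied back to the exact red team action that triggered them, which is why the red team keeps an id-stamped log of every step. The block below is an added example, not from the deck or from Coalfire, showing how those two numbers are derived at the debrief: per action (how long until this step was noticed and contained) and for the intrusion as a whole (dwell time from the first action to the first attributable detection and to the first containment). It also surfaces actions that were never detected and tickets that could not be attributed to any red action. Both logs are constructed; hostnames, action labels, ticket ids and timestamps are invented.

```python
"""Time-to-detect and time-to-recover from a red team exercise, derived by tying
the blue team's alerts and containment actions back to the red team's action log.

Added example, not from the deck or Coalfire. Both logs below are constructed:
hostnames, action labels, ticket ids and timestamps are invented."""
from datetime import datetime

# Red team log: every action carries a stable id so each blue team ticket can be
# attributed to the exact step that triggered it (or shown to have no trigger).
RED_ACTIONS = [
    {"id": "RT-01", "time": "2017-02-01T09:05:00", "host": "ws-1138", "action": "phishing payload executed"},
    {"id": "RT-02", "time": "2017-02-01T09:40:00", "host": "ws-1138", "action": "credential dump from memory"},
    {"id": "RT-03", "time": "2017-02-01T11:15:00", "host": "fs-02",   "action": "lateral movement over SMB"},
    {"id": "RT-04", "time": "2017-02-01T14:00:00", "host": "fs-02",   "action": "data staged for egress"},
]

# Blue team tickets after the debrief: attributed red action (None if not attributable),
# detection time, and containment completion time (None if still open at exercise end).
BLUE_TICKETS = [
    {"ticket": "IR-501", "red_id": "RT-02", "detected": "2017-02-01T10:10:00", "contained": "2017-02-01T12:30:00"},
    {"ticket": "IR-502", "red_id": "RT-04", "detected": "2017-02-01T14:45:00", "contained": None},
    {"ticket": "IR-503", "red_id": None,    "detected": "2017-02-01T16:20:00", "contained": None},
]


def _dt(s):
    return datetime.fromisoformat(s)


def _minutes(later, earlier):
    return (_dt(later) - _dt(earlier)).total_seconds() / 60


def per_action(red, blue):
    """For each red action: minutes until its earliest attributed detection and until
    containment, or None when it was never detected / never contained."""
    earliest = {}
    for t in blue:
        rid = t["red_id"]
        if rid and (rid not in earliest or _dt(t["detected"]) < _dt(earliest[rid]["detected"])):
            earliest[rid] = t
    rows = []
    for a in red:
        t = earliest.get(a["id"])
        rows.append({
            **a,
            "ttd_min": _minutes(t["detected"], a["time"]) if t else None,
            "ttr_min": _minutes(t["contained"], a["time"]) if t and t["contained"] else None,
        })
    return rows


def exercise_summary(red, blue):
    """Intrusion-level numbers: dwell time from the first red action to the first
    attributable detection and to the first containment, plus what was never seen."""
    rows = per_action(red, blue)
    first_action = min(a["time"] for a in red)
    attributed = [t for t in blue if t["red_id"]]
    first_detect = min((t["detected"] for t in attributed), default=None)
    first_contain = min((t["contained"] for t in attributed if t["contained"]), default=None)
    detected = [r["ttd_min"] for r in rows if r["ttd_min"] is not None]
    return {
        "actions": len(rows),
        "actions_detected": len(detected),
        "min_ttd_min": min(detected, default=None),
        "time_to_detect_min": _minutes(first_detect, first_action) if first_detect else None,
        "time_to_recover_min": _minutes(first_contain, first_action) if first_contain else None,
        "undetected": [r["id"] for r in rows if r["ttd_min"] is None],
        "unattributed_tickets": [t["ticket"] for t in blue if not t["red_id"]],
    }


if __name__ == "__main__":
    for r in per_action(RED_ACTIONS, BLUE_TICKETS):
        print(f'{r["id"]} {r["action"]:28} ttd={r["ttd_min"]} ttr={r["ttr_min"]}')
    print(exercise_summary(RED_ACTIONS, BLUE_TICKETS))
```

Two things in the summary are as important as the headline numbers: the undetected list (here the initial phishing execution and the SMB lateral movement went unnoticed, so detection only began at the credential dump) and any ticket that cannot be attributed to a red action, which is either a false positive the blue team should tune or a real, unrelated incident that must be escalated out of the exercise.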
Reverse Engineering / Zero-day • Research engagement • Performed on discrete software components • Clients are solution vendors
Penetration Testing Key Takeaways • Requires one or more objectives for a successful test • Scope is based on the attack scenarios • Effort is ‘time-boxed’ • Discovers both technical and logical vulnerabilities • Reports should be succinct • Recommendations are strategic • Enhances internal security operations processes
Know Your Pen Tester
Know Your Pen Tester • How large is their staff? • What is their reputation in the industry? • What are their qualifications? • Do they do background checks on new hires? • Do they participate in and support industry associations, forums, and events? • Do they have a quality assurance program? • Do they use quality commercial products as well as freeware and shareware? • Do they make their own tools / are they known for coding capabilities?
Testing “Maturity Model”
Testing Maturity Model
Your Maturity Level: LOW
• No / weak security policies and awareness
• Minimal vulnerability management program
Recommendation:
• Vulnerability assessment testing
• External network penetration testing
Your Maturity Level: MODERATE
• Security checkpoints in dev lifecycle
• Dedicated security products in-house
• Staff with defined security responsibilities
Recommendation:
• Application / solution penetration testing
• External and internal penetration testing
• Enterprise penetration testing
Your Maturity Level: HIGH
• Functional security operations team
• Well-developed security governance
Recommendation:
• Red teaming
• Hunt operations
Questions? Mike Weber
[email protected] 877.224.8077 www.Coalfire.com