Penetration Testing 2.0:
Corporate Tiger Team
Tom Eston

Why are you here?
• Threats to your organization
• Why a Tiger Team?
• How can you do this?
• Real world scenario
• ...it’s one of the last talks of
the day!

Threats to your
organization
(Yes, Dan Kaminsky is a threat...)

No Tech Attacks

Social Engineering
“The clever manipulation
of the natural human
tendency to trust”
“Because there is
no patch for human
stupidity”

“Thief woos bank staff with chocolates...
then steals $28 million in diamonds”

64%

Dumpster Diving

Tailgating

This might be a
problem...

Shoulder Surfing

Buy his book!

Electronic Attacks

External Network
Attacks
• Web applications
• External servers
• Wireless
• DNS and BGP Internet
Routing

Help!
Their attacking our clients!
(aka: Internal Network Attacks)

Phishing

94%

Malfunction
• Software glitches
• Process breakdown
• Act of God/War/Terrorism
• Disruption

What is a Tiger Team?

What does a Tiger Team test?

Physical Security

Technology (Electronic)

Application

Security Awareness

Testing Methodology
• ISSAF/NIST 800-42
• OSSTMM v2
• OWASP Testing Guide
• Other Penetration Testing Methodologies

Team Formation

Internal Team

The need for “experts”
• Physical Security
• Network/Application Pentest
• Social Engineering and People Skills!

Third-Party Assisted

What to look for in a
3rd Party?
• Physical Security
• Social Engineering
• Network Penetration
• Inguardians
• Lares Consulting

Conducting the
Assessment

What’s the goal?

Get permission!

Reconnaissance

Maltego

Penetration and
Exploitation

Coordinate the Attack

Facility Walk Through

Reporting and Clean-up

Real World Assessment
Example

Tiger Team TV Show

Let’s Review...
• Threats to your
organization
• What is a tiger team,
what can it test
• Methodologies, how to
form your team
• Real world example