SlideShare a Scribd company logo

Modern Security Medicine: Lessons from History on Improving Penetration Testing

Priyanka Aash
Priyanka Aash

The document discusses shortcomings of traditional penetration testing and proposes an attacker emulation approach. It notes doctors once performed unnecessary medical procedures without understanding effectiveness. Similarly, penetration tests focus on finding bugs but not how real attackers operate. The document advocates profiling attacker groups, rebuilding their playbooks, replaying the playbooks against organizations, and using the results to strengthen defenses. It provides examples of how different attackers operate and argues this method could improve security assessments.

Technology
1 of 41
Download to read offline
#RSAC Julian Cohen Intelligent Application Security @HockeyInJune
#RSAC Julian Cohen | @HockeyInJune Product Security | Flatiron Health Previously Application Security | Financial Services Vulnerability Researcher | Defense Industry Penetration Tester | Boutique Consultancy Adjunct Professor | New York University
#RSAC Parallel Industry Anecdote
#RSAC Tonsillectomies in 1930 “It is a little difficult to believe that among the mass of tonsillectomies performed to-day all subjects for operation are selected with true discrimination, and one cannot avoid the conclusion that there is a tendency for the operation to be performed as a routine prophylactic ritual for no particular reason and with no particular result.” http://ije.oxfordjournals.org/content/37/1/9.full
#RSAC Mammary Artery Ligations in 1955 “Both the patients who did have their mammary arteries constricted and those who didn’t reported immediate relief from their chest pain. In both groups the relief lasted about three months—and then complaints about chest pain returned. Meanwhile, electrocardiograms showed no difference between those who had undergone the real operation and those who got the placebo operation.” Predictably Irrational, Dan Ariely, 2009
#RSAC Modern Security Medicine Doctors were recommending the procedure and patients were having the procedure, regardless of its effectiveness The expected results of the procedure did not match with the actual results, but no one noticed or changed anything
#RSAC Penetration Testing
#RSAC The Status Quo Penetration Testers are our experts Methodologies built from experience and intuition Application Security programs focused on fixing bugs Continuous loop of discovering and fixing issues Organizations continue to get owned
#RSAC Penetration Testing Considered Harmful Haroon Meer, 2010, 44CON Limited Scope Bad Testers Poor OPSEC The penetration testing industry a market for lemons http://blog.thinkst.com/p/penetration-testing-considered-harmful.html http://www.econ.yale.edu/~dirkb/teach/pdf/akerlof/themarketforlemons.pdf
#RSAC Penetration Testing Market Survey http://eprints.lancs.ac.uk/74275/1/Penetration_testing_online_2.pdf
#RSAC http://eprints.lancs.ac.uk/74275/1/Penetration_testing_online_2.pdf
#RSAC Average Penetration Test Results depend on which testers are available Results depend on your tester’s mood Results depend on your kick-off call Results depend on your scope Testers focused on writing a “Nice Report” Testers focused on discovering cool vulnerabilities
#RSAC Pentests Avoid Highly Likely Attacks Penetration Testing Considered Harmful Haroon Meer, 2010, 44CON http://blog.thinkst.com/p/penetration-testing-considered-harmful.html
#RSAC The Wrong Things In The Right Places Penetration testing avoids highly likely attacks because the vulnerabilities that our penetration testers and our application security engineers find are not the vulnerabilities that real attackers find
#RSAC Attackers
#RSAC Everything You Know Is Wrong Defenders make bad assumptions about attackers Defenders do not understand attackers Defenders are not profiling attackers correctly And that’s why the attackers keep winning
#RSAC Attacker Fallacies Resourced Attackers Intelligent Attackers http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf http://blog.trailofbits.com/2013/05/20/writing-exploits-with-the-elderwood-kit-part-2/
#RSAC Attacker Fallacies Motivated Attackers Dumb Attackers https://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf https://en.wikipedia.org/wiki/Operation_Aurora
#RSAC Insight From Offense All attackers are resource constrained Resourced constrained attackers favor low-overhead attacks Low-overhead requires good scalability
#RSAC Attacker Playbooks Attackers that have multiple targets care about repeatability and scalability
#RSAC Operational Efficiency Playbooks depend on: Who their targets are Intended success rate How fast they need to convert
#RSAC Attackers operate like efficient businesses • Experts at the top • Employees are cheap and complete simple tasks • Employees who don't meet their goals are fired • Inefficient organizations fail quickly Penetration testers operate like hobbyists • All employees are experts • Employees are expensive • Employees who do not produce are hard to fire • Organizations that do not produce do not fail • Customers rarely care about output
#RSAC Attackers In defense, we mistake attacker efficiency for inadequacy We are not being effective against certain attackers because we don’t understand how they operate
#RSAC Complexity of Solution If you don't like the game, hack the playbook… Peiter “Mudge” Zatko, 2011, Everywhere http://www.slideshare.net/scovetta/2011-11-07-cyber-colloquium-zatko
#RSAC Attacker Cost Graph Attacker “Math” 101 Dino Dai Zovi, 2011, SOURCE Boston, Summercon https://www.trailofbits.com/resources/attacker_math_101_slides.pdf
#RSAC Case Study: Syrian Electronic Army Also: Lizard Squad and Anonymous Politically-motivated, low-resourced attackers DNS hijacking by phishing DNS providers DDoS attacks with custom software Website defacing on shared hosting providers Conclusion: No web vulnerabilities used http://news.harvard.edu/gazette/story/2013/08/hack-attacks-explained/ http://www.infowar-monitor.net/2011/06/syrian-electronic-army-disruptive-attacks-and-hyped-targets/
#RSAC Case Study: Elderwood Also: PLA Unit 61398 State-sponsored, well-resourced attackers Mostly low reliability Internet Explorer bugs ASLR/DEP bypasses with Microsoft Office/Java Exploits delivered via phishing and watering holes Conclusion: Web vulnerabilities only when needed http://blog.trailofbits.com/2013/05/14/writing-exploits-with-the-elderwood-kit-part-1/ http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
#RSAC Case Study: ShadowCrew Also: Other organized crime groups Financially-motivated, well-resourced attackers Credit card data theft via SQL injection Typically targets one website at a time Scaled poorly with tools like sqlmap and havij Conclusion: One web vulnerability used at a time http://www.wired.com/2010/03/tjx-sentencing/
#RSAC Observations Real attackers don’t attack web applications (mostly) These vulnerabilities are not scalable and repeatable Attackers focus on inexpensive, but effective methods The only application security threat is sqlmap (sqlmap is not much of a threat)
#RSAC http://momentum.partners/docs/Cybersecurity_Market_Review_Q4_2015.pdf New Security Strategy
#RSAC Lockheed Martin’s Intrusion Kill Chain Eric M. Hutchins, Michael J. Cloppert, Rohan M. Amin, Ph.D. 6th International Conference Information Warfare and Security (ICIW 11) http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
#RSAC Attacker Emulation Identify Attackers Profile Attackers Obtain Key Tactics Rebuild Playbook Replay Playbook Utilize Results
#RSAC Step 4: Rebuild Playbook Run sqlmap against your web applications
#RSAC Results Repeatable Precise Practical Effective
#RSAC Threat “Intelligence” Instead of ephemeral information like IP addresses, MD5 hashes, and other indicators of compromise, we should be collecting and sharing indelible information on techniques and procedures
#RSAC Free Business Ideas Intelligence on attacker tactics and procedures Attack emulation service Which attacker groups I am vulnerable to Identify Attackers Profile Attackers Obtain Key Tactics Rebuild Playbook Replay Playbook Utilize Results
#RSAC Conclusion The security industry lacks a focus on accurate attacker methodologies during assessments
#RSAC Future Work We are only discussing application security The same techniques can be applied to: Infrastructure Security and Lateral Movement Client-Side Security and Endpoint Security Reconnaissance and Social Engineering (Phishing)
#RSAC Attacker Emulation Example: RSA Identify Attackers: Economic Espionage Strategic Espionage Profile Attackers: State-Sponsored Well-Resourced Obtain Key Tactics: Phishing Watering Hole Client-Side Exploitation Rebuild Playbook: Public Reconnaissance Phishing Campaigns Client-Side Exploitation Replay Playbook: Launch Attack Utilize Results: Exploit Mitigation Sandboxing Execution Tree Analysis
#RSAC Thanks Justin Berman Nicholas Arvanitis Chris Sandulow Stuart Larsen Spencer Jackson Dino Dai Zovi Nick Freeman Brandon Edwards
#RSAC We’re Hiring! security@flatiron.com

Recommended

Introduction and a Look at Security Trends
Introduction and a Look at Security TrendsIntroduction and a Look at Security Trends
Introduction and a Look at Security TrendsPriyanka Aash
 
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextThe Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextPriyanka Aash
 
DON'T Use Two-Factor Authentication...Unless You Need It!
DON'T Use Two-Factor Authentication...Unless You Need It!DON'T Use Two-Factor Authentication...Unless You Need It!
DON'T Use Two-Factor Authentication...Unless You Need It!Priyanka Aash
 
Rise of the Hacking Machines
Rise of the Hacking MachinesRise of the Hacking Machines
Rise of the Hacking MachinesPriyanka Aash
 
New Paradigms for the Next Era of Security
New Paradigms for the Next Era of SecurityNew Paradigms for the Next Era of Security
New Paradigms for the Next Era of SecuritySounil Yu
 
Evidence-Based Security: The New Top Five Controls
Evidence-Based Security: The New Top Five ControlsEvidence-Based Security: The New Top Five Controls
Evidence-Based Security: The New Top Five ControlsPriyanka Aash
 
Final presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit planFinal presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit planCameron Forbes Over
 
Cybersecurity: How to Use What We Already Know
Cybersecurity: How to Use What We Already KnowCybersecurity: How to Use What We Already Know
Cybersecurity: How to Use What We Already Knowjxyz
 

Recommended

Introduction and a Look at Security Trends
Introduction and a Look at Security TrendsIntroduction and a Look at Security Trends
Introduction and a Look at Security TrendsPriyanka Aash
 
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextThe Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextPriyanka Aash
 
DON'T Use Two-Factor Authentication...Unless You Need It!
DON'T Use Two-Factor Authentication...Unless You Need It!DON'T Use Two-Factor Authentication...Unless You Need It!
DON'T Use Two-Factor Authentication...Unless You Need It!Priyanka Aash
 
Rise of the Hacking Machines
Rise of the Hacking MachinesRise of the Hacking Machines
Rise of the Hacking MachinesPriyanka Aash
 
New Paradigms for the Next Era of Security
New Paradigms for the Next Era of SecurityNew Paradigms for the Next Era of Security
New Paradigms for the Next Era of SecuritySounil Yu
 
Evidence-Based Security: The New Top Five Controls
Evidence-Based Security: The New Top Five ControlsEvidence-Based Security: The New Top Five Controls
Evidence-Based Security: The New Top Five ControlsPriyanka Aash
 
Final presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit planFinal presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit planCameron Forbes Over
 
Cybersecurity: How to Use What We Already Know
Cybersecurity: How to Use What We Already KnowCybersecurity: How to Use What We Already Know
Cybersecurity: How to Use What We Already Knowjxyz
 
The Incident Response Playbook for Android and iOS
The Incident Response Playbook for Android and iOSThe Incident Response Playbook for Android and iOS
The Incident Response Playbook for Android and iOSPriyanka Aash
 
Lessons Learned in Automated Decision Making / How to Delay Building Skynet
Lessons Learned in Automated Decision Making / How to Delay Building SkynetLessons Learned in Automated Decision Making / How to Delay Building Skynet
Lessons Learned in Automated Decision Making / How to Delay Building SkynetSounil Yu
 
Pulling our-socs-up
Pulling our-socs-upPulling our-socs-up
Pulling our-socs-upPriyanka Aash
 
Cyber Defense Matrix: Reloaded
Cyber Defense Matrix: ReloadedCyber Defense Matrix: Reloaded
Cyber Defense Matrix: ReloadedSounil Yu
 
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for MobileMapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for MobileMITRE - ATT&CKcon
 
Distributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Distributed Immutable Ephemeral - New Paradigms for the Next Era of SecurityDistributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Distributed Immutable Ephemeral - New Paradigms for the Next Era of SecuritySounil Yu
 
LIFT OFF 2017: Transforming Security
LIFT OFF 2017: Transforming SecurityLIFT OFF 2017: Transforming Security
LIFT OFF 2017: Transforming SecurityRobert Herjavec
 
Debunking the Hacker Hype: The Reality of Widespread Blackouts
Debunking the Hacker Hype: The Reality of Widespread BlackoutsDebunking the Hacker Hype: The Reality of Widespread Blackouts
Debunking the Hacker Hype: The Reality of Widespread BlackoutsDragos, Inc.
 
Cyber threat intelligence: maturity and metrics
Cyber threat intelligence: maturity and metricsCyber threat intelligence: maturity and metrics
Cyber threat intelligence: maturity and metricsMark Arena
 
The Diamond Model for Intrusion Analysis - Threat Intelligence
The Diamond Model for Intrusion Analysis - Threat IntelligenceThe Diamond Model for Intrusion Analysis - Threat Intelligence
The Diamond Model for Intrusion Analysis - Threat IntelligenceThreatConnect
 
Solving the Asset Management Challenge for Cybersecurity (It’s About Time)
Solving the Asset Management Challenge for Cybersecurity (It’s About Time)Solving the Asset Management Challenge for Cybersecurity (It’s About Time)
Solving the Asset Management Challenge for Cybersecurity (It’s About Time)Enterprise Management Associates
 
The Changing Security Landscape
The Changing Security LandscapeThe Changing Security Landscape
The Changing Security LandscapeArrow ECS UK
 
Insights from-NSAs-cybersecurity-threat-operations-center
Insights from-NSAs-cybersecurity-threat-operations-centerInsights from-NSAs-cybersecurity-threat-operations-center
Insights from-NSAs-cybersecurity-threat-operations-centerPriyanka Aash
 
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptxNtxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptxNorth Texas Chapter of the ISSA
 
IOT Security FUN-damental
IOT Security FUN-damentalIOT Security FUN-damental
IOT Security FUN-damentalSatria Ady Pradana
 
Integrated Security Operations Center (ISOC) for Cybersecurity Collaboration
Integrated Security Operations Center (ISOC) for Cybersecurity CollaborationIntegrated Security Operations Center (ISOC) for Cybersecurity Collaboration
Integrated Security Operations Center (ISOC) for Cybersecurity CollaborationPriyanka Aash
 
LIFT OFF 2017: Ransomware and IR Overview
LIFT OFF 2017: Ransomware and IR OverviewLIFT OFF 2017: Ransomware and IR Overview
LIFT OFF 2017: Ransomware and IR OverviewRobert Herjavec
 
Pactera - Cloud, Application, Cyber Security Trend 2016
Pactera - Cloud, Application, Cyber Security Trend 2016Pactera - Cloud, Application, Cyber Security Trend 2016
Pactera - Cloud, Application, Cyber Security Trend 2016Kyle Lai
 
Hacking Cracking 2008
Hacking Cracking 2008Hacking Cracking 2008
Hacking Cracking 2008Jim Geovedi
 
Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”
Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”
Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”Black Duck by Synopsys
 
Implementing a comprehensive application security progaram - Tawfiq
Implementing a comprehensive application security progaram - Tawfiq Implementing a comprehensive application security progaram - Tawfiq
Implementing a comprehensive application security progaram - Tawfiq OWASP-Qatar Chapter
 
Cybersecurity fundamental
Cybersecurity fundamentalCybersecurity fundamental
Cybersecurity fundamentalSudipto Krishna Dutta
 

More Related Content

What's hot

The Incident Response Playbook for Android and iOS
The Incident Response Playbook for Android and iOSThe Incident Response Playbook for Android and iOS
The Incident Response Playbook for Android and iOSPriyanka Aash
 
Lessons Learned in Automated Decision Making / How to Delay Building Skynet
Lessons Learned in Automated Decision Making / How to Delay Building SkynetLessons Learned in Automated Decision Making / How to Delay Building Skynet
Lessons Learned in Automated Decision Making / How to Delay Building SkynetSounil Yu
 
Cyber Defense Matrix: Reloaded
Cyber Defense Matrix: ReloadedCyber Defense Matrix: Reloaded
Cyber Defense Matrix: ReloadedSounil Yu
 
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for MobileMapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for MobileMITRE - ATT&CKcon
 
Distributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Distributed Immutable Ephemeral - New Paradigms for the Next Era of SecurityDistributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Distributed Immutable Ephemeral - New Paradigms for the Next Era of SecuritySounil Yu
 
LIFT OFF 2017: Transforming Security
LIFT OFF 2017: Transforming SecurityLIFT OFF 2017: Transforming Security
LIFT OFF 2017: Transforming SecurityRobert Herjavec
 
Debunking the Hacker Hype: The Reality of Widespread Blackouts
Debunking the Hacker Hype: The Reality of Widespread BlackoutsDebunking the Hacker Hype: The Reality of Widespread Blackouts
Debunking the Hacker Hype: The Reality of Widespread BlackoutsDragos, Inc.
 
Cyber threat intelligence: maturity and metrics
Cyber threat intelligence: maturity and metricsCyber threat intelligence: maturity and metrics
Cyber threat intelligence: maturity and metricsMark Arena
 
The Diamond Model for Intrusion Analysis - Threat Intelligence
The Diamond Model for Intrusion Analysis - Threat IntelligenceThe Diamond Model for Intrusion Analysis - Threat Intelligence
The Diamond Model for Intrusion Analysis - Threat IntelligenceThreatConnect
 
Solving the Asset Management Challenge for Cybersecurity (It’s About Time)
Solving the Asset Management Challenge for Cybersecurity (It’s About Time)Solving the Asset Management Challenge for Cybersecurity (It’s About Time)
Solving the Asset Management Challenge for Cybersecurity (It’s About Time)Enterprise Management Associates
 
The Changing Security Landscape
The Changing Security LandscapeThe Changing Security Landscape
The Changing Security LandscapeArrow ECS UK
 
Insights from-NSAs-cybersecurity-threat-operations-center
Insights from-NSAs-cybersecurity-threat-operations-centerInsights from-NSAs-cybersecurity-threat-operations-center
Insights from-NSAs-cybersecurity-threat-operations-centerPriyanka Aash
 
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptxNtxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptxNorth Texas Chapter of the ISSA
 
Integrated Security Operations Center (ISOC) for Cybersecurity Collaboration
Integrated Security Operations Center (ISOC) for Cybersecurity CollaborationIntegrated Security Operations Center (ISOC) for Cybersecurity Collaboration
Integrated Security Operations Center (ISOC) for Cybersecurity CollaborationPriyanka Aash
 
LIFT OFF 2017: Ransomware and IR Overview
LIFT OFF 2017: Ransomware and IR OverviewLIFT OFF 2017: Ransomware and IR Overview
LIFT OFF 2017: Ransomware and IR OverviewRobert Herjavec
 
Pactera - Cloud, Application, Cyber Security Trend 2016
Pactera - Cloud, Application, Cyber Security Trend 2016Pactera - Cloud, Application, Cyber Security Trend 2016
Pactera - Cloud, Application, Cyber Security Trend 2016Kyle Lai
 
Hacking Cracking 2008
Hacking Cracking 2008Hacking Cracking 2008
Hacking Cracking 2008Jim Geovedi
 
Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”
Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”
Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”Black Duck by Synopsys
 

What's hot (20)

The Incident Response Playbook for Android and iOS
The Incident Response Playbook for Android and iOSThe Incident Response Playbook for Android and iOS
The Incident Response Playbook for Android and iOS
 
Lessons Learned in Automated Decision Making / How to Delay Building Skynet
Lessons Learned in Automated Decision Making / How to Delay Building SkynetLessons Learned in Automated Decision Making / How to Delay Building Skynet
Lessons Learned in Automated Decision Making / How to Delay Building Skynet
 
Pulling our-socs-up
Pulling our-socs-upPulling our-socs-up
Pulling our-socs-up
 
Cyber Defense Matrix: Reloaded
Cyber Defense Matrix: ReloadedCyber Defense Matrix: Reloaded
Cyber Defense Matrix: Reloaded
 
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for MobileMapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
 
Distributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Distributed Immutable Ephemeral - New Paradigms for the Next Era of SecurityDistributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Distributed Immutable Ephemeral - New Paradigms for the Next Era of Security
 
LIFT OFF 2017: Transforming Security
LIFT OFF 2017: Transforming SecurityLIFT OFF 2017: Transforming Security
LIFT OFF 2017: Transforming Security
 
Debunking the Hacker Hype: The Reality of Widespread Blackouts
Debunking the Hacker Hype: The Reality of Widespread BlackoutsDebunking the Hacker Hype: The Reality of Widespread Blackouts
Debunking the Hacker Hype: The Reality of Widespread Blackouts
 
Cyber threat intelligence: maturity and metrics
Cyber threat intelligence: maturity and metricsCyber threat intelligence: maturity and metrics
Cyber threat intelligence: maturity and metrics
 
The Diamond Model for Intrusion Analysis - Threat Intelligence
The Diamond Model for Intrusion Analysis - Threat IntelligenceThe Diamond Model for Intrusion Analysis - Threat Intelligence
The Diamond Model for Intrusion Analysis - Threat Intelligence
 
Solving the Asset Management Challenge for Cybersecurity (It’s About Time)
Solving the Asset Management Challenge for Cybersecurity (It’s About Time)Solving the Asset Management Challenge for Cybersecurity (It’s About Time)
Solving the Asset Management Challenge for Cybersecurity (It’s About Time)
 
The Changing Security Landscape
The Changing Security LandscapeThe Changing Security Landscape
The Changing Security Landscape
 
Insights from-NSAs-cybersecurity-threat-operations-center
Insights from-NSAs-cybersecurity-threat-operations-centerInsights from-NSAs-cybersecurity-threat-operations-center
Insights from-NSAs-cybersecurity-threat-operations-center
 
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptxNtxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
 
IOT Security FUN-damental
IOT Security FUN-damentalIOT Security FUN-damental
IOT Security FUN-damental
 
Integrated Security Operations Center (ISOC) for Cybersecurity Collaboration
Integrated Security Operations Center (ISOC) for Cybersecurity CollaborationIntegrated Security Operations Center (ISOC) for Cybersecurity Collaboration
Integrated Security Operations Center (ISOC) for Cybersecurity Collaboration
 
LIFT OFF 2017: Ransomware and IR Overview
LIFT OFF 2017: Ransomware and IR OverviewLIFT OFF 2017: Ransomware and IR Overview
LIFT OFF 2017: Ransomware and IR Overview
 
Pactera - Cloud, Application, Cyber Security Trend 2016
Pactera - Cloud, Application, Cyber Security Trend 2016Pactera - Cloud, Application, Cyber Security Trend 2016
Pactera - Cloud, Application, Cyber Security Trend 2016
 
Hacking Cracking 2008
Hacking Cracking 2008Hacking Cracking 2008
Hacking Cracking 2008
 
Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”
Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”
Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”
 

Similar to Modern Security Medicine: Lessons from History on Improving Penetration Testing

Implementing a comprehensive application security progaram - Tawfiq
Implementing a comprehensive application security progaram - Tawfiq Implementing a comprehensive application security progaram - Tawfiq
Implementing a comprehensive application security progaram - Tawfiq OWASP-Qatar Chapter
 
Insecure trends in web technologies 2009
Insecure trends in web technologies 2009Insecure trends in web technologies 2009
Insecure trends in web technologies 2009Chandrakanth Narreddy
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martindrewz lin
 
Stop Watering Holes, Spear-Phishing and Drive-by Downloads
Stop Watering Holes, Spear-Phishing and Drive-by DownloadsStop Watering Holes, Spear-Phishing and Drive-by Downloads
Stop Watering Holes, Spear-Phishing and Drive-by DownloadsInvincea, Inc.
 
Applied cognitive security complementing the security analyst
Applied cognitive security complementing the security analyst Applied cognitive security complementing the security analyst
Applied cognitive security complementing the security analyst Priyanka Aash
 
2016 ISACA NACACS - Audit As An Impact Player For Cybersecurity
2016 ISACA NACACS - Audit As An Impact Player For Cybersecurity2016 ISACA NACACS - Audit As An Impact Player For Cybersecurity
2016 ISACA NACACS - Audit As An Impact Player For CybersecurityNathan Anderson
 
I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015
I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015
I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015Claus Cramon Houmann
 
AOA_Report_TrapX_AnatomyOfAttack-MEDJACK
AOA_Report_TrapX_AnatomyOfAttack-MEDJACKAOA_Report_TrapX_AnatomyOfAttack-MEDJACK
AOA_Report_TrapX_AnatomyOfAttack-MEDJACKSaul Rosales
 
First line of defense for cybersecurity : AI
First line of defense for cybersecurity : AIFirst line of defense for cybersecurity : AI
First line of defense for cybersecurity : AIAhmed Banafa
 
Designing Trustworthy AI: A User Experience Framework at RSA 2020
Designing Trustworthy AI: A User Experience Framework at RSA 2020Designing Trustworthy AI: A User Experience Framework at RSA 2020
Designing Trustworthy AI: A User Experience Framework at RSA 2020Carol Smith
 
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...eightbit
 
Top 13 hacking software for beginners.pdf
Top 13 hacking software for beginners.pdfTop 13 hacking software for beginners.pdf
Top 13 hacking software for beginners.pdfDipak Tiwari
 
Fighting malware - keeping your Intellectual Property safe
Fighting malware - keeping your Intellectual Property safeFighting malware - keeping your Intellectual Property safe
Fighting malware - keeping your Intellectual Property safePrayukth K V
 
Big Bang Theory: The Evolution of Pentesting High Security Environments
Big Bang Theory: The Evolution of Pentesting High Security EnvironmentsBig Bang Theory: The Evolution of Pentesting High Security Environments
Big Bang Theory: The Evolution of Pentesting High Security EnvironmentsChris Gates
 
CYBER SECURITY PRIMERCYBER SECURITY PRIMERA brief in
CYBER SECURITY PRIMERCYBER SECURITY PRIMERA brief inCYBER SECURITY PRIMERCYBER SECURITY PRIMERA brief in
CYBER SECURITY PRIMERCYBER SECURITY PRIMERA brief inOllieShoresna
 
Introduction to cyber security
Introduction to cyber securityIntroduction to cyber security
Introduction to cyber securityAliyuMuhammadButu
 
Threat Check for Struts Released, Equifax Breach Dominates News
Threat Check for Struts Released, Equifax Breach Dominates NewsThreat Check for Struts Released, Equifax Breach Dominates News
Threat Check for Struts Released, Equifax Breach Dominates NewsBlack Duck by Synopsys
 
Securing the “Weakest Link”
Securing the “Weakest Link”Securing the “Weakest Link”
Securing the “Weakest Link”Priyanka Aash
 

Similar to Modern Security Medicine: Lessons from History on Improving Penetration Testing (20)

Implementing a comprehensive application security progaram - Tawfiq
Implementing a comprehensive application security progaram - Tawfiq Implementing a comprehensive application security progaram - Tawfiq
Implementing a comprehensive application security progaram - Tawfiq
 
Cybersecurity fundamental
Cybersecurity fundamentalCybersecurity fundamental
Cybersecurity fundamental
 
Insecure trends in web technologies 2009
Insecure trends in web technologies 2009Insecure trends in web technologies 2009
Insecure trends in web technologies 2009
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martin
 
Charan Resume
Charan ResumeCharan Resume
Charan Resume
 
Stop Watering Holes, Spear-Phishing and Drive-by Downloads
Stop Watering Holes, Spear-Phishing and Drive-by DownloadsStop Watering Holes, Spear-Phishing and Drive-by Downloads
Stop Watering Holes, Spear-Phishing and Drive-by Downloads
 
Applied cognitive security complementing the security analyst
Applied cognitive security complementing the security analyst Applied cognitive security complementing the security analyst
Applied cognitive security complementing the security analyst
 
2016 ISACA NACACS - Audit As An Impact Player For Cybersecurity
2016 ISACA NACACS - Audit As An Impact Player For Cybersecurity2016 ISACA NACACS - Audit As An Impact Player For Cybersecurity
2016 ISACA NACACS - Audit As An Impact Player For Cybersecurity
 
I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015
I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015
I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015
 
AOA_Report_TrapX_AnatomyOfAttack-MEDJACK
AOA_Report_TrapX_AnatomyOfAttack-MEDJACKAOA_Report_TrapX_AnatomyOfAttack-MEDJACK
AOA_Report_TrapX_AnatomyOfAttack-MEDJACK
 
First line of defense for cybersecurity : AI
First line of defense for cybersecurity : AIFirst line of defense for cybersecurity : AI
First line of defense for cybersecurity : AI
 
Designing Trustworthy AI: A User Experience Framework at RSA 2020
Designing Trustworthy AI: A User Experience Framework at RSA 2020Designing Trustworthy AI: A User Experience Framework at RSA 2020
Designing Trustworthy AI: A User Experience Framework at RSA 2020
 
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
 
Top 13 hacking software for beginners.pdf
Top 13 hacking software for beginners.pdfTop 13 hacking software for beginners.pdf
Top 13 hacking software for beginners.pdf
 
Fighting malware - keeping your Intellectual Property safe
Fighting malware - keeping your Intellectual Property safeFighting malware - keeping your Intellectual Property safe
Fighting malware - keeping your Intellectual Property safe
 
Big Bang Theory: The Evolution of Pentesting High Security Environments
Big Bang Theory: The Evolution of Pentesting High Security EnvironmentsBig Bang Theory: The Evolution of Pentesting High Security Environments
Big Bang Theory: The Evolution of Pentesting High Security Environments
 
CYBER SECURITY PRIMERCYBER SECURITY PRIMERA brief in
CYBER SECURITY PRIMERCYBER SECURITY PRIMERA brief inCYBER SECURITY PRIMERCYBER SECURITY PRIMERA brief in
CYBER SECURITY PRIMERCYBER SECURITY PRIMERA brief in
 
Introduction to cyber security
Introduction to cyber securityIntroduction to cyber security
Introduction to cyber security
 
Threat Check for Struts Released, Equifax Breach Dominates News
Threat Check for Struts Released, Equifax Breach Dominates NewsThreat Check for Struts Released, Equifax Breach Dominates News
Threat Check for Struts Released, Equifax Breach Dominates News
 
Securing the “Weakest Link”
Securing the “Weakest Link”Securing the “Weakest Link”
Securing the “Weakest Link”
 

More from Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 

Recently uploaded (20)

Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 

Modern Security Medicine: Lessons from History on Improving Penetration Testing

  • 2. #RSAC Julian Cohen | @HockeyInJune Product Security | Flatiron Health Previously Application Security | Financial Services Vulnerability Researcher | Defense Industry Penetration Tester | Boutique Consultancy Adjunct Professor | New York University
  • 4. #RSAC Tonsillectomies in 1930 “It is a little difficult to believe that among the mass of tonsillectomies performed to-day all subjects for operation are selected with true discrimination, and one cannot avoid the conclusion that there is a tendency for the operation to be performed as a routine prophylactic ritual for no particular reason and with no particular result.” http://ije.oxfordjournals.org/content/37/1/9.full
  • 5. #RSAC Mammary Artery Ligations in 1955 “Both the patients who did have their mammary arteries constricted and those who didn’t reported immediate relief from their chest pain. In both groups the relief lasted about three months—and then complaints about chest pain returned. Meanwhile, electrocardiograms showed no difference between those who had undergone the real operation and those who got the placebo operation.” Predictably Irrational, Dan Ariely, 2009
  • 6. #RSAC Modern Security Medicine Doctors were recommending the procedure and patients were having the procedure, regardless of its effectiveness The expected results of the procedure did not match with the actual results, but no one noticed or changed anything
  • 8. #RSAC The Status Quo Penetration Testers are our experts Methodologies built from experience and intuition Application Security programs focused on fixing bugs Continuous loop of discovering and fixing issues Organizations continue to get owned
  • 9. #RSAC Penetration Testing Considered Harmful Haroon Meer, 2010, 44CON Limited Scope Bad Testers Poor OPSEC The penetration testing industry a market for lemons http://blog.thinkst.com/p/penetration-testing-considered-harmful.html http://www.econ.yale.edu/~dirkb/teach/pdf/akerlof/themarketforlemons.pdf
  • 10. #RSAC Penetration Testing Market Survey http://eprints.lancs.ac.uk/74275/1/Penetration_testing_online_2.pdf
  • 12. #RSAC Average Penetration Test Results depend on which testers are available Results depend on your tester’s mood Results depend on your kick-off call Results depend on your scope Testers focused on writing a “Nice Report” Testers focused on discovering cool vulnerabilities
  • 13. #RSAC Pentests Avoid Highly Likely Attacks Penetration Testing Considered Harmful Haroon Meer, 2010, 44CON http://blog.thinkst.com/p/penetration-testing-considered-harmful.html
  • 14. #RSAC The Wrong Things In The Right Places Penetration testing avoids highly likely attacks because the vulnerabilities that our penetration testers and our application security engineers find are not the vulnerabilities that real attackers find
  • 16. #RSAC Everything You Know Is Wrong Defenders make bad assumptions about attackers Defenders do not understand attackers Defenders are not profiling attackers correctly And that’s why the attackers keep winning
  • 17. #RSAC Attacker Fallacies Resourced Attackers Intelligent Attackers http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf http://blog.trailofbits.com/2013/05/20/writing-exploits-with-the-elderwood-kit-part-2/
  • 18. #RSAC Attacker Fallacies Motivated Attackers Dumb Attackers https://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf https://en.wikipedia.org/wiki/Operation_Aurora
  • 19. #RSAC Insight From Offense All attackers are resource constrained Resourced constrained attackers favor low-overhead attacks Low-overhead requires good scalability
  • 20. #RSAC Attacker Playbooks Attackers that have multiple targets care about repeatability and scalability
  • 21. #RSAC Operational Efficiency Playbooks depend on: Who their targets are Intended success rate How fast they need to convert
  • 22. #RSAC Attackers operate like efficient businesses • Experts at the top • Employees are cheap and complete simple tasks • Employees who don't meet their goals are fired • Inefficient organizations fail quickly Penetration testers operate like hobbyists • All employees are experts • Employees are expensive • Employees who do not produce are hard to fire • Organizations that do not produce do not fail • Customers rarely care about output
  • 23. #RSAC Attackers In defense, we mistake attacker efficiency for inadequacy We are not being effective against certain attackers because we don’t understand how they operate
  • 24. #RSAC Complexity of Solution If you don't like the game, hack the playbook… Peiter “Mudge” Zatko, 2011, Everywhere http://www.slideshare.net/scovetta/2011-11-07-cyber-colloquium-zatko
  • 25. #RSAC Attacker Cost Graph Attacker “Math” 101 Dino Dai Zovi, 2011, SOURCE Boston, Summercon https://www.trailofbits.com/resources/attacker_math_101_slides.pdf
  • 26. #RSAC Case Study: Syrian Electronic Army Also: Lizard Squad and Anonymous Politically-motivated, low-resourced attackers DNS hijacking by phishing DNS providers DDoS attacks with custom software Website defacing on shared hosting providers Conclusion: No web vulnerabilities used http://news.harvard.edu/gazette/story/2013/08/hack-attacks-explained/ http://www.infowar-monitor.net/2011/06/syrian-electronic-army-disruptive-attacks-and-hyped-targets/
  • 27. #RSAC Case Study: Elderwood Also: PLA Unit 61398 State-sponsored, well-resourced attackers Mostly low reliability Internet Explorer bugs ASLR/DEP bypasses with Microsoft Office/Java Exploits delivered via phishing and watering holes Conclusion: Web vulnerabilities only when needed http://blog.trailofbits.com/2013/05/14/writing-exploits-with-the-elderwood-kit-part-1/ http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
  • 28. #RSAC Case Study: ShadowCrew Also: Other organized crime groups Financially-motivated, well-resourced attackers Credit card data theft via SQL injection Typically targets one website at a time Scaled poorly with tools like sqlmap and havij Conclusion: One web vulnerability used at a time http://www.wired.com/2010/03/tjx-sentencing/
  • 29. #RSAC Observations Real attackers don’t attack web applications (mostly) These vulnerabilities are not scalable and repeatable Attackers focus on inexpensive, but effective methods The only application security threat is sqlmap (sqlmap is not much of a threat)
  • 31. #RSAC Lockheed Martin’s Intrusion Kill Chain Eric M. Hutchins, Michael J. Cloppert, Rohan M. Amin, Ph.D. 6th International Conference Information Warfare and Security (ICIW 11) http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
  • 33. #RSAC Step 4: Rebuild Playbook Run sqlmap against your web applications
  • 35. #RSAC Threat “Intelligence” Instead of ephemeral information like IP addresses, MD5 hashes, and other indicators of compromise, we should be collecting and sharing indelible information on techniques and procedures
  • 36. #RSAC Free Business Ideas Intelligence on attacker tactics and procedures Attack emulation service Which attacker groups I am vulnerable to Identify Attackers Profile Attackers Obtain Key Tactics Rebuild Playbook Replay Playbook Utilize Results
  • 37. #RSAC Conclusion The security industry lacks a focus on accurate attacker methodologies during assessments
  • 38. #RSAC Future Work We are only discussing application security The same techniques can be applied to: Infrastructure Security and Lateral Movement Client-Side Security and Endpoint Security Reconnaissance and Social Engineering (Phishing)
  • 39. #RSAC Attacker Emulation Example: RSA Identify Attackers: Economic Espionage Strategic Espionage Profile Attackers: State-Sponsored Well-Resourced Obtain Key Tactics: Phishing Watering Hole Client-Side Exploitation Rebuild Playbook: Public Reconnaissance Phishing Campaigns Client-Side Exploitation Replay Playbook: Launch Attack Utilize Results: Exploit Mitigation Sandboxing Execution Tree Analysis
  • 40. #RSAC Thanks Justin Berman Nicholas Arvanitis Chris Sandulow Stuart Larsen Spencer Jackson Dino Dai Zovi Nick Freeman Brandon Edwards