Session Description: Compliance and Best Practices tell us to do a Penetration Test, but there is not real definition. We are asked to do Vulnerability Scanning, but are the scores relevant? What about this huge audit we went through? All those tests and all those boxes checked.... is our company more secure? As a tester and defender I am SICK of seeing people pay for testing and have no idea what the tester did, how they did it, or what value it provides. Unless we follow a methodology that is repeatable, understand the business and its assets, and work on both the Red Team AND Blue Team.....we are defending our networks with the same stacks of cash the attackers are trying to steal. This session will talk about practical testing and defense, getting the most out of your testing dollar, and < surprise face> how to track the growth of your InfoSec program from its management systems all the way out to the magical question "how are we REALLY?"

1. Of security testing and assessment

17. Pain in the arse
Loudmouth
Hacker Punk
Tells lies (professionally)
Is called all sorts of bad words.. That I will likely say
throughout this talk
Cant code well
Talks $hit
Drinks a LOT
Is an overall J3rk

24. LARES

31. OSINT
SIGINT
TSCM/ Bug Sweeping
Exploit Development
Tool Creation
Attack Planning
Offensive Consultation
Adversarial Intelligence
Competitive Intelligence
Attack Modeling
Business Chain Vuln Assessments
Custom Physical Bypass Tool Design
Reverse Engineering
Other stuff I can’t write down…

33. Traditional InfoSec
• Typical services
• Proposed value (Sales BS)
• Set up for failure
• WYSIWYG
Enhancing Services Value
• Doing services right
• Mo’ value, less money
• Eliminating failure
• Custom Delivery
New Skool InfoSec
• Red Teaming (CAST:Converged Attack Surface Tesing)
• Insider Threat Assessment
• Adversarial Modeling
• IDCa (interactive defense capability assessment)
• BCVa(business chain vulnerability analysis)

34. Doing the same thing and expecting different results.

37.  A vulnerability assessment is the process of identifying, quantifying,
and prioritizing (or ranking) the vulnerabilities in a system.
 http://en.wikipedia.org/wiki/Vulnerability_assessment

38. Reasons to Conduct
 Identify potential vulnerabilities
 Provide scoring of risk & prioritization
of remediation
 Manage environment vulnerabilities
over time to show security program
improvement, defense capability
increase and compliance with ongoing
patch, system and vulnerability
lifecycle
How it’s usually done
 Run a bunch of scanners
 Generate a report
 **Sometimes** Generate a custom
report consisting of copy/paste data
from the Vulnerability scanners and
TRY to make sure you delete the word
Nessus, qualys… and/or the previous
clients name

39.  Do not run “Dangerous or Experimental Checks” *instant 30%+ reduction in results
and overall accuracy*
 Do not perform Denial of Service
 Do not run thorough checks
 Do not run Web checks
 Only run ONE brand of scanner
 Limit only to known network checks
 Only scan once

41.  A penetration test is a method of evaluating the security of a computer system or
network by simulating an attack from a malicious source... The process involves an
active analysis of the system for any potential vulnerabilities that may result from poor
or improper system configuration, known and/or unknown hardware or software flaws,
or operational weaknesses in process or technical countermeasures.
 http://en.wikipedia.org/wiki/Penetration_test

43. Reasons to Conduct
 Identify if attackers can readily
compromise the security of the
business
 Identify potential impact to the
business
 Confirm vulnerabilities identified
 Gain a “Real World” View of an
attackers ability to “hack” the
environment and resolve issues
identified
How it’s usually done
 Do all the steps in Vulnerability
Assessment listed previously
 Run metasploit/Core/Canvas against
hosts
 Try a few other automated tools
 Call it “SECURE” If those don’t work

44.  Do not allow the exploitation of systems
 Restrict testing to non production systems
 Restrict the hours of testing
 Restrict the length of testing
 Improperly scope / fail to include ALL addresses
 Only perform externally
 Patch/fix BEFORE the test
 Only allow directed attacks ( no SE/ Phishing)
 Lack of focus on BUSINESS risk and increased focus on technical issue

46. The IT risk management is the application of risk management to
Information technology context in order to manage IT risk.
Information security risk assessment is the process used to identify and
understand risks to the confidentiality, integrity, and availability of
information and information systems. In its simplest form, a risk
assessment consists of the identification and valuation of assets and an
analysis of those assets in relation to potential threats and vulnerabilities,
resulting in a ranking of risks to mitigate. The resulting information should
be used to develop strategies to mitigate those risks.
http://laresconsulting.com/risk.php

48. Reasons to Conduct
 Compliance with regulations
 Overall health check of the InfoSec
program
 Gain understanding of program
Effectiveness
 Baseline discovery
 To show 3rd parties and customers
they are “Secure”
How it’s usually done
 Whip out a checklist
 Check stuff off on checklist
 Have a TON of interviews
 Believe every word
 Do a tick mark legend and ask people
to provide “evidence” *which is usually
faked*
 Only assess controls that are in scope
of THAT specific assessment *often
information centric*

49.  Do not allow ACTUAL/TECHNICAL testing and validation
 Rely on all information provided as TRUE
 Minimize scope to only include assets and controls that are part of the selected
compliance regulation and NOT the ENTIRE BUSINESS
 Allow for “Compensating Controls” to be an answer to most issues
 Expect to become compliant through outsourcing
 Expect to become compliant through product purchase/implementation
 Be unprepared
 LIE

50. Stop cutting off your own fingers

54. TESTING

55.  Skip it!
 Do It yourself
 Use Scanners to identify Vulns
 Figure out a process to track them over
time
 Manage the reduction of Vulns over time
 Manage the MTTP ( Mean Time To
Patch)
 Do the rest and make your testers
WORK hard.

56. DON’T RUSH IT
PLAN FOR INTERACTION
ALWAYS “Ride Along”
Connect to the REAL impact (shells don’t matter)
GO FULL SCOPE
Don’t use firms that have “SECRET” processes or can not
explain every step of the test and HOW they do it
Attack like AN ATTACKER not like a script kiddie
Use a repeatable methodology

57. IF THE TESTING TIME LOOKS LIKE THIS, GET A NEW TESTER
Recon Scan Enumerate Exploit
Post-
Exploit
Write
Report

58. 1 • Pre-Engagement
2 • Intelligence Gathering
3 • Threat Modelling
4 • Vulnerability Analysis
5 • Exploitation
6 • Post-Exploitation
7 • Reporting

59. WWW.PENTEST-
STANDARD.ORG
HTTP://WWW.PENTEST-
STANDARD.ORG/INDEX.P
HP/PTES_TECHNICAL_GUI
DELINES

60. Common misconceptions
We will get owned, what's
the point
It will offend our users
Doesn’t provide enough
value
How it’s usually done
Send a 419 scam style
email
Track clicks
Write a report to show who
clicked

61. How it SHOULD be
done to generate
MAX value

62.  MAKE IT BUSINESS FOCUSED NOT IT FOCUSED
 Use multiple standards
 Remove silo’s and scope restrictions
 TEST, TEST, TEST (PBC docs ARE NOT SUFFICENT)
 A sample set does not show the ability to secure. I crack in certain parts of the
defense chain allow for the compromise of the ENTIRE COMPANY
 ALWAYS interview each and every executive to understand THEIR concerns and build
the solutions to address THEM and not always “just for the audit”
 Discuss the VALUE of systems in relevance to the business and re-weight scores
 NEVER allow a compensating control on a BUSINESS critical system. EVER

63. THIS is what the BIG BOYS do, catch up.

68. The term originated within the military to describe a team whose purpose is to penetrate
security of "friendly" installations, and thus test their security measures. The members
are professionals who install evidence of their success, e.g. leave cardboard signs
saying "bomb" in critical defense installations, hand-lettered notes saying that “your
codebooks have been stolen" (they usually have not been) inside safes, etc.
Sometimes, after a successful penetration, a high-ranking security person will show up
later for a "security review," and "find" the evidence. Afterward, the term became
popular in the computer industry, where the security of computer systems is often tested
by tiger teams.
How do you know you can put up a fight if you have never
taken a punch?

69. Electronic
• Network Pentesting
• Surveillance/ plants
Social
• In Person Social
Engineering
• Phone Conversation
• Social Profiling
Physical
• Lockpicking
• Direct Attack
EP Convergance
• Attacks on physical systems
that are network enabled
ES Convergance
• Blackmail
• Phishing
• Profiling
• Creating moles
PS Convergance
• Tailgaiting
• Impersonation
RED
TEAM

70. Reasons to Conduct
 Real world test to see how you will hold up against a highly skilled, motivated and funded
attacker
 The only type of testing that will cover a fully converged attack surface
 Impact assessment is IMMEDIATE and built to show a maximum damage event
 This IS the FULL DR test of an InfoSec Program

72. Reasons to Conduct
 Exercises in evaluating WHO your top5 most likely attackers are
 Full OSINT profiling on the Attackers and their capabilities
 Scenarios which are highly focused at Detecting, Confirming, Mitigating and Resolving
attacks that are the MOST likely to happen
 Testers are forced to use the capabilities of the likely attackers and train the team how to
be cool under fire
 The most relevant attacks are dealt with FIRST, you are not defending against the
pentester… you are prepping to the battle that WILL happen

74. What is it?
 Evaluate threat and risk from
employee/staff/contractor/executive/etc..
 Use company provisioned asset/standard access model (limited
priv’s)
 Identify what data/assets can be accessed through authorized
channels
 Identify elevation of privilege scenarios (exploit AND non-exploit
methods)

75. Why do it?
 Provides visibility into “what could happen”
 A user WILL be compromised at some point
 Evaluate security posture of corporate asset
 External testing doesn’t always provide accurate measurement of
internal sourced threats
 Identify insecure internal communication channels
 Evaluate covert channel resistance/prevention
 External assessments usually only measure (1) of these (if you’re lucky)
 Measure defense capabilities internally (beyond perimeter)
 System to system communication
 Level of “noise” detection
 Data leakage/exfil abilities
 Log/data correlation
 Incident response/forensics team’s level of knowledge/expertise

77. Reasons to Conduct
 Targeted at working BOTH sides of the test
 Active analysis on defense capability and impreovements / feedback can be real time
 Direct understanding of where process,policy and procedure break down in a REAL LIFE
EVENT
 Identification of Defensive Technology effectiveness

79. Reasons to Conduct
 Targeted at working on identifying BUSINESS vulns
 How much can/do partners hurt you
 Where can you better defend against Partners and 3rd parties
 Who what where when and why…. Of how the business works and how it can be
materially effected by relationships

80. Cnickerson@laresconsulting.com
WWW.LARES.COM