2. Testimonial
"With Clarified Networks we had true situational awareness... ...This way we received better return than ever before... ...Similar agility is very seldom achieved even with teams working in the same room."
- Jaan Priisalu, Head of IT Risk Management / Swedbank Baltic
15. Get Comprehensive Understanding
[Slide diagram: layered security controls; recoverable labels are Trained Caller ID verification, Access Control, Antivirus, Intrusion Prevention, Firewalling, Content Filtering (-zip, -exe, -...), Secured Terminals]
33. How We Can Collaborate?
• Tools (now)
  • Clarified Analyzer
  • Codenomicon Defensics
  • Whitelabeled SecAudit
• Collabs (~6 months)
Editor's Notes
Validation of Collaborative Approach
The customer is able to steer and participate in a lightweight manner -> higher customer satisfaction
You are able to dynamically utilize several teams
Your Seniors can participate in several engagements as part of the virtual team
You are able to leverage information instantly
For example, Social Engineers may utilize information gained from Web Application Testing in their Phishing
Two topics today:
Collaboration (Process)
Traffic Audits (Technical, practical example on how tools and people collaborate)
Infrastructure, tools and services for you to get more out of your security audits
Based on real observations from your customer’s network you will help them with
Network related fact finding,
network discovery and documentation and
identifying weak spots
Traffic audit will help you to pinpoint:
Access control leaks,
misconfigured hosts and
real traffic profiles.
Tools will contribute:
Tight integration: Clarified Analyzer
Loose integration: Defensics, Nessus, Nmap
People: Your specialists, customer, customer’s contractors
Infrastructure: A wiki-based environment supporting an XMLRPC interface for tool integration, and graphingwiki for easy handling and visualization of semantic data
Complex networks -> we need to understand them to give more valuable/accurate results
A myriad of different audit methods: we need to synthesize the results
With Collab we are able to utilize larger teams with domain-specific specialists.
Different specialists may collaborate:
For example, web application testers find XSS vulnerabilities -> Social Engineers will utilize them
- We do not merely upload documents (e.g. like in SharePoint...)
- We chop the information into pieces and synthesize it in the Collab environment
Analysts and the customer see the results from their own viewpoint, not from the analysts’ viewpoint
‘Web server applications were secured; however, the web server runs a vulnerable FTP server, which is accessible from the proxy found in the Traffic Audit’
This example shows how Nmap results and Clarified Analyzer Traffic Audit results can be shown in the context of IP addresses. Above is a list of devices and their addresses documented with Clarified Analyzer
Customer and your seniors can monitor the progress of the service deployment in ‘real-time’.
RecentChanges
RSS feeds
Situational visualizations (GraphingWiki)
Analyst A does Open Source Reconnaissance (Intelligence) and uploads the information to the right Collab instance. Phishers will utilize this information and tag the status as they go. The Senior Analyst sees how testing progresses. The customer is able to comment: ‘These addresses are admins, they should not be phished as that will blow our cover.’
Benefit: Your understanding of the customer’s social/technical setting will grow significantly during the deployment:
You are able to give more valuable results as you put them to the right context
You are able to adjust your plans on the fly as you see the customer’s strong and weak spots
- Increase system performance by removing needless traffic
- Eliminate potential vulnerabilities by removing unnecessary protocols
- Discover violations in Access Control
- Document, or eliminate ad hoc workarounds that bypass security policies
- Find hosts and protocols which do not conform to organisation policy
It used to be simple: just servers and clients, and a simple protocol in between.
Then we evolved: messages are passed within a complex system, using several different types of protocols. It is hard to:
Discover weak spots (‘You have built a lot of security features, but did you know that user input travels all the way to the core of your network? These inputs may exploit the vulnerabilities inside your net’.)
When something really goes wrong, the path from symptoms to root cause is long.
A more practical example. The network at the bottom of the picture is considered totally isolated. In reality there are a number of traffic flows traveling in and out. (This example contains only a few use cases: a user joins the network and updates his presence.)
Still, our assumption is this: only one well-guarded route in. (Dragons and soldiers are watching.)
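The "only one guarded route in" assumption can be checked mechanically against flow records. The Python below is an added example, not Clarified Analyzer code; the isolated subnet, the proxy address, the allowed ports and the flow records are all constructed for illustration:

```python
"""Added example (not Clarified Networks code): audit constructed flow
records against the policy that an isolated segment may only reach the
outside through one guarded proxy, using a fixed set of protocols."""
import ipaddress
from collections import defaultdict

# Assumed policy (constructed): the isolated segment, its single guarded
# route out, and the only protocol/port pairs permitted on that route.
ISOLATED = ipaddress.ip_network("10.50.0.0/24")
PROXY = ipaddress.ip_address("192.0.2.1")
ALLOWED = {("tcp", 443), ("tcp", 8080)}

# Constructed flow records: (src, dst, proto, dst_port, bytes)
FLOWS = [
    ("10.50.0.20", "192.0.2.1", "tcp", 8080, 12000),   # via proxy, allowed
    ("10.50.0.20", "192.0.2.1", "udp", 53, 300),       # via proxy, not allowed
    ("10.50.0.33", "203.0.113.15", "tcp", 22, 9000),   # direct route out
    ("198.51.100.9", "10.50.0.33", "tcp", 5900, 200),  # direct route in
    ("10.50.0.20", "10.50.0.21", "tcp", 445, 4096),    # intra-segment
    ("203.0.113.7", "203.0.113.8", "tcp", 80, 1500),   # entirely outside
]


def audit_flows(flows):
    """Return (violations, profile).

    A violation is a flow with exactly one endpoint inside ISOLATED whose
    outside endpoint is not PROXY, or which uses a protocol/port pair not in
    ALLOWED even though it goes through PROXY. profile maps each source host
    to the set of (proto, port) pairs it was seen using (real traffic profile).
    """
    violations = []
    profile = defaultdict(set)
    for src, dst, proto, port, _nbytes in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        profile[src].add((proto, port))
        inside = {s in ISOLATED, d in ISOLATED}
        if inside != {True, False}:
            continue  # both inside or both outside: not a boundary crossing
        outside_peer = d if s in ISOLATED else s
        if outside_peer != PROXY:
            violations.append((src, dst, proto, port, "bypasses guarded route"))
        elif (proto, port) not in ALLOWED:
            violations.append((src, dst, proto, port, "protocol not permitted"))
    return violations, dict(profile)
```

Run against real recorder exports, the violation list is the "access control leaks" finding and the profile is the per-host traffic profile the notes describe.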
Understanding complexity based on actual (and detailed) traffic has been hard.
Thanks to the tools we’ve built, it is now considerably simpler.
Analyzer setup:
Recorders collect traffic and do real-time indexing (flows vs packets)
You may run the recorders on standard PC hardware with a Linux-based OS (CentOS distro recommended)
Analyzer will give you easy access to the collected information
Analyzer will transparently upload/download notes from the Collab environment
Tunneling leaks.
Trivial vulnerabilities that were not discovered earlier due to complexity of the system under testing.
The following picture is from a hugely complex VoIP setup, which included a number of security features (VPNs, ACLs, etc.)
As we gained understanding of the target, we discovered that forging the caller ID is simple, even when using standard mobile phones.
As a side note: mobile phones happily showed the name even when the numbers were not in the address book. (Tarja Halonen is the president of Finland.)
Compromised servers.
End-to-End testing.
- This example runs Codenomicon Robustness Testing tools to test whether the SIP proxy can be bypassed with fuzzed packets
Detailed but understandable analysis for found issues.
Here we use Clarified Analyzer’s Next Gen topology view for documenting a malware ‘topology’.
Once you have the documentation, you have easy access to flows and packets from a certain time and certain host(s)
Easy start: simple tool sales
When you have gained experience using some of our tools, we can take the next step and deploy Infrastructure, Tools and Services for collaborative security audits.