Hackanalytics. With Tips and Tricks. Cyberpunk Fairytale DeepSec 2013 Edition


High tech brings security struggle, resulting in low life. Security ninjas struggle to overcome the obstacles of enterprise-world chaos in this cyberpunk world.

Published in: Technology

  1. Hackanalytics: What's hot, what's not. Cyberpunk Fairytale with Tips and Tricks. By Alexey Kachalin, Advanced Monitoring
  2. Advanced Monitoring, @kchln. Credits: The Team as The Team; Alexey Kachalin as Narrator; Shiny IT as High Tech; Security Struggle as Low Life. [AK@DeepSec 2013 Nov 21]$ story begin_
  3. @kchln
  4. Security Struggle
  5. Why Struggle? System diagram: More Secure / Less Secure; Insecurity, System Evolution, Incidents, System Complexity, ???; positive link, negative link, enforcing loop; Introduce Controls; Response. Tool: System Diagrams
  6. Wanna skip to the Ninjas part? 1. Choose methodology: technology specific → OWASP; task specific → PTES; domain specific → OSSTMM; result-oriented → CSC. 2. Scoping … n. Rock’n’Roll!
  7. 1 Security Ninja wasted. Continue [y/N] _ Tool: Mindmap, brainstorm. Don’t read it all now – I made it for lols
  8. Some Hack-o-sophy then? Creating stuff: engineering view, user view. Analytical thinking, critical thinking, out-of-box thinking. *Technical expertise is required anyway
  9. When are you? Understand Their protocols. The enterprise runs hundreds of projects and processes; when you happen’ … it is not going to stop. Plan – Identify & Analyze; Do – Develop Solution; Check – …and Improve Solution; Act – Implement Solution. You better know Their context. Tool: Deming cycle and whatever follows (PMBOK, ITIL, ISO9000)
  10. Pareto-zation. The benefit of hindsight: 20% effort → 80% $$$. Proves to be correct over and over; rarely used in planning. Why? No data. Log, don’t memorize; work out logs and use them in planning. Tool: Pareto, Knapsack problem
  11. Suggest Project/Teamwork Strategy. Waterfall – stages, WBS. Agile concept – time-limited iterations, team work on a component, tasks not assigned but taken, scope change tolerance, customer awareness. Tool: WBS, T-Shirt estimate, Burndown
  12. Broken communication – any project’s issue. Phone call – I’ll call you back. E-mail – ignored, maybe in spam? Checklist – too big, please e-mail. Interview – please send checklist. Discussion – I will do it my way. AaaRghh!!!
  13. Communicating in and out, tricks: fight fears – Appreciative Inquiry (5Ds); too sweet? Criticize! – Constructive Controversy; explore causes – 5 Whys; overcome egos – Six Hats. Tool: Communication scenarios. It’s not always the same
  14. “Fairytale” Editor’s cut includes the section: Other Extremely Effective Communication tips
  15. Skimming documentation. Don’t read, rewrite or annotate; review and analyze. Structure – what’s there, what’s not there; any logic in the bundle? Check consistency. How up-to-date are the documents? Are the authors available for comments? Tool: Structure schemes, Sequence Diagrams
  16. Organize Chaos. Track and Log: list of received documents, list of created documents for the project. UID – use IDs across artifacts; IDs used by the customer are inconsistent… often; translation tables; ID != UID; IP is not a UID, MAC – ? Don’t stop halfway through: Brainstorm, Mindmap? → Actions! Tool: Affinity Diagram & workflow
  17. Almost there? Report.Create. Outline first – don’t generate texts. List items and give definitions; structure and facts; width/depth switching; prototyping; get approval/corrections; get clarification. Tool: Outline & Example first, WDS Prototype (am)
  18. Avoid extremes. Data and trends visualization (ex.#1): obvious vs. preconceived; simple vs. complicated; boring vs. fancy. Report texts (ex.#2): full description vs. screenshots/logs only; boasting vulns vs. hugging problems; hack slang vs. baby talk. Demonstrate. Communicate. Avoid
  19. Don’t restrict ideas by sticking to standard forms, but do not neglect them. Tool: Standard vis tools in Excel/Calc etc. RTFM please!
  20. Simple standard things. Use them right! Tool: Pie charts (ex.#1, ex.#2)
  21. Even if you can explain it – it’s too much. Tool: No idea. Shrooms??
  22. Tool: Visualization Taxonomy (give it a look here)
  23. Powerful complex general tools for fast analysis and checking ideas. Don’t over-engineer. Tool: Grid analysis (services up / vulns found, Excel by am)
  24. Got an idea? Prototype. Don’t over-engineer. Tool: treemap (for services vis by am)
  25. Report.Automate – Build your System. Store data (received/generated): human readable, machine readable, itemized (lists), well named, actionable. Edit: snippets, takings. Filters, sorting. Manage and service
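Slides 16 and 25 describe the bookkeeping behind a repeatable report: one project UID per asset with a translation table for the customer's inconsistent IDs (where an IP address is not a UID), and findings stored itemized, filterable and readable by both machines and humans. The Python below is an added illustration of that scheme, not code from the talk or from Advanced Monitoring; the class, its field names and the severity ranks are my own assumptions.

```python
import json
from dataclasses import dataclass, field

# Assumed ranking; the talk names no severity scale.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

@dataclass
class Registry:
    """One project UID per asset; every label used in customer artifacts maps to it."""
    translation: dict = field(default_factory=dict)  # label -> UID (the translation table)
    assets: dict = field(default_factory=dict)       # UID -> labels and IPs seen for the asset
    findings: list = field(default_factory=list)     # itemized, machine-readable records
    counter: int = 0

    def register(self, *labels, ip=None):
        """Labels (customer ID, hostname, MAC) identify the asset; IP is stored as context only."""
        known = {self.translation[l] for l in labels if l in self.translation}
        if len(known) > 1:  # two labels already belong to different assets: data conflict
            raise ValueError(f"{labels} refer to different assets: {sorted(known)}")
        if known:
            uid = known.pop()
        else:
            self.counter += 1
            uid = f"ASSET-{self.counter:04d}"  # hypothetical UID format
        for l in labels:
            self.translation[l] = uid
        self.assets.setdefault(uid, {"labels": set(), "ips": set()})
        self.assets[uid]["labels"].update(labels)
        if ip:
            self.assets[uid]["ips"].add(ip)  # an address may be reused; never a key
        return uid

    def add_finding(self, label, title, severity, evidence):
        """Store one itemized finding keyed by project UID, never by the raw customer label."""
        uid = self.translation[label]  # KeyError if the asset was never registered
        fid = f"F-{len(self.findings) + 1:03d}"
        self.findings.append({"id": fid, "asset": uid, "title": title,
                              "severity": severity, "evidence": evidence})
        return fid

    def select(self, min_severity="low"):
        """Filter by severity and sort worst-first, ready for a report section."""
        limit = SEVERITY_RANK[min_severity]
        rows = [f for f in self.findings if SEVERITY_RANK[f["severity"]] <= limit]
        return sorted(rows, key=lambda f: (SEVERITY_RANK[f["severity"]], f["asset"]))

    def to_json(self):
        return json.dumps(self.findings, indent=2)  # machine-readable store

    def to_text(self, min_severity="low"):
        return "\n".join(f"{f['id']} {f['severity']:<8} {f['asset']} {f['title']}"
                         for f in self.select(min_severity))  # human-readable view
```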
  26. Report.Repeat – They think they are all the same? No! Look!! They are sooo different. (Figure: Rep q1, Rep q2, Rep q3, Rep q4)
  27. Hurling results to “Them”. Pitches that should’ve made it but could as well fail: SQLi up to RCE for any registered user; any scary words like XSS; database vulnerability leads to full compromise; critical vulnerability in AAA config; Doh! You’re gonna get hacked soon
  28. Master “Their” language. Bridge: Current State → Desired new State. Tool (for reference): SWOT, Value chain, 7S (McKinsey’s), Decision Trees, Comparison analysis, Impact (Organization) analysis
  29. That’s all, folks! Summary: philosophy and high-level concepts; planning and management; report crafting; communication tweaks; visualization demystified; organize chaos and keep tracking; craft tools and build Your own System; interpret results for presentation
  30. Advanced Monitoring – OpSec/R&D/Forensics/Trainings. IT Security R&D. Cooperation worldwide: Russia – Europe – Americas – Asia. Alexey Kachalin, COO, @kchln