Nbt hacker fight

Editor's Notes

  1. Thank you Marisa. Let’s talk about evolving offensive security in our industry. Situation: Traditional penetration testing is becoming synonymous with vulnerability scanning, due to improperly scoped efforts, check-the-box attitudes, and time and budget constraints. More and more consumers are asking for red teams because they feel a penetration test isn’t cutting it. Where did things go wrong? Why are organizations still getting hacked? BM What are the options for solutions? Red teaming? What is continuous security? Let’s find out! Let’s Fight!
  2. Who is in the audience RR: Anyone in here a penetration tester? BM: Anyone a red teamer? Anyone switched sides to blue team in the last year? Anyone want to be a penetration tester or a red teamer? We’re hiring. Got Hax RR Anyone in here been hacked? BM Legally or illegally? During a penetration test or red team? During a real-world breach? TTPs RR Anyone feel like their organization is utilizing continuous security techniques, tools, procedures? BM Anyone have an internal red team?
  3. BM Penetration Testing Top 3 reasons Compliance requirement Customer request for third-party security review Due diligence in preparation for breach or already got breached and want It’s an industry standard.
  4. RR The industry as we know it evolved out of Big4 consulting professional services for security compliance, policy review, maturity of vulnerability scanning, and checking boxes. They do EVERYTHING! Which of course means they do not specialize and you get mediocre results more often than anyone wants. They primarily throw people at a problem instead of applying innovative techniques and lack the capacity to develop technology. Their TTPs are shit.
  5. BM In my experience companies have “red teams” for various reasons and purposes. They operate differently depending on the company. For purposes of this talk I’ll be talking about the definition of ‘red team’ as the sort of red team I run, which is full scope, reported to all hands, with a goal of behavioral change.
  6. RR The success of a red team or a penetration test begins and ends with its scope. How should security assessments be scoped? What is wrong with traditional penetration testing? What is tricky with internal red team scoping? RR Usually when scoping, I have to ask “Why?” 3X “Well, why do you want a pentest? Really though, why?” Compliance forces customers to artificially attempt to reduce the scope. Hiding dirty laundry. Price is another factor that forces people to reduce scope, even if that adversely hurts the success of security improvements. BM In a red team… Ideally full scope. No limits. That’s not always feasible or desired for various reasons. Buy-in from stakeholders is key. Consent is the MOST important aspect of what is done. Keeping good relationships with other business units is essential to the effectiveness of a red team. They should want to keep coming back to you after a red team. The red team is here to help. Might not want an area in scope because it doesn’t make sense, i.e. physical.
  7. BM What are you trying to accomplish? What is important to simulate from an adversary perspective? It’s all about goals and success criteria. OKRs. Much wider scope from an internal red team because you can do sensitive actions like malware on laptops, pivoting to different environments and acquisitions. External testers might run into some problems there, Rob what do you think? RR Sometimes the immediate goal is a compliance or legal obligation that needs to be satisfied. Nothing else. One solution to our experiences with limited scopes is that we should treat a security assessment as if it’s never completed. It’s only Phase 1. Security is never achieved. It’s like health. You never achieve health. You maintain it. Scope is a state of mind.
  8. BM to ask RR Stop focusing on number of IP addresses. This does not matter. At alllllll.
  9. BM Without careful planning and the right people relaying red team results, the situation can turn adversarial and toxic very quickly. Red team leadership needs to be friendly, disarming, and somewhat charming. Getting visibility into the real issues that people are too afraid to talk about and putting them out for everyone to see and contemplate without blame is the real job of a red team. We could be big assholes, truly evil, that triggered the deepest and darkest fears. These are typically out of scope for obvious reasons. We would be fired and not be asked to red team there again.
  10. BM Make money, get owned, make money model *cough* Marriott *cough* What other hotel chain are you going to sleep in at this point? Very few companies are put out of business from security breaches. Modeling adversarial behavior is an opportunity that is still under-explored at most organizations. BM to RR: What was the reason the annual penetration testing missed the issues that led to the breach?
  11. RR It was out of scope, duh! If we asked all the penetration testers in this room and all the red teamers to perform an assessment independently on the same targets. We would get completely different results, guaranteed.
  12. Standards provide guidance and balance in a world void of answers. NIST password recommendations are a prime example of something that needed to adapt and be updated. Were they useless? Did they work? They were better than nothing.
  13. BM Most consumers of security services don’t have a good mental model of what a cyber attack looks like. They can’t imagine lame phishing attempts, malware that AV can catch; they understand things they’ve seen and don’t know what they don’t know. Methods are not as important as goals. Ask yourself what would someone really want to steal and work your way back through all the “What if?” scenarios and rank the likelihood that one or more of those can happen soon. There is a lack of information sharing on what real incidents look like. It is getting better compared to 10 years ago but we could do a lot better to open up about what we’ve seen in real-world breaches. RR Customizing and tailoring security assessments to each organization, network, application, group of stakeholders is key to improvement. Threats: Opportunistic (Internet-wide scans for unpatched systems), Motivated (wire fraud), Persistent (TAO).
  14. RR ask BM How much money are you going to invest in offensive security? Calculating risk is complicated. Determining variables, nuances, and lack of data make likelihood determinations difficult. There is no easy answer. Evaluate and determine risk / reward payoff. Value determination is unique to each organization. This will take some soul searching and perhaps a lot of time, trial/error to really figure out. RR Current model is time-based fees for penetration tests. How much is your time worth?
  15. BM ask RR This is an artifact from Big4 professional services. It’s not the only way though. It’s been the primary way for ~30 years. Kudos to bug bounty for pushing the envelope and introducing a new way to review external perimeters and key applications.
  16. RR ask BM Determine how value is measured and demonstrated. People x Time = Cost. Investment to hire more people is approved when proving there are problems to uncover. The costs of red teaming are not always obvious. Causing an incident may inadvertently cause loss in productivity and wasted time that is difficult to plan for and measure afterwards. RR Traditional penetration testing is an extremely valuable investment if you put a lot of thought into the goals and build a detailed plan on your targets and approach before you start. Finding the best bang for the buck usually entails estimating a range of options and focusing on top priorities for phase 1.
  17. BM ask RR What with traditional penetration tests is the cost based on number of hours? Should it be value-based fees instead? We should explore replacing time-based fees with value-based fees. Bug bounty is another example of value-based fees instead of time-based fees. What else can we do based on value? Let’s innovate.
  18. RR ask BM RR If Brianna’s manager is in the room, listen up! If she saves the company from a breach that would have cost millions in legal fees, she deserves a fat bonu$$$! BM If our goal is to improve security posture, and that’s the value of a red team, ask “How much did the efforts of the red team improve the security posture of the company?” What should the metrics be? Forecasting for red teams (beta) is the solution. (maybe) A panel needs to be formed, trained against bias, or experienced. Predictions are made about things like number of laptop compromises in the next quarter. Track results. Measure change/differences. Improve. Red teams and pentests alone are not going to improve the security posture.
  19. BM ask RR What is continuous assessment? RR GitHub sensitive info disclosure, AWS config monitoring, external attack surface discovery, etc.
  20. We are using it, but we need more! What if we had daily visibility into changes on the perimeter and bubbled up alerts for offensive exploitation?
  21. We’re still building tools to do things one run at a time, one target at a time, we’re not catching regressions, we’re not scaling, or being efficient. RR Talk about prospective pentest customer interaction from yesterday.
  22. BM Logging failure example from recent past… What is asset management? What is 100s or 1000s of changes to core application code deployed every day? When will you get around to finding vulns in those? Annually? Really?
  23. BM Internal red teaming is best when the risk of a breach is so costly that it’s worth the investment. RR Unfortunately only the top 1% of the top 1% of companies have Building continuous assessment tooling is not worth it for small company red teams, because you are only targeting one organization and it costs HEAPS in AWS, coding, maintaining. But it becomes well worth it for a consultancy with hundreds of clients. RR Keep traditional penetration testing for IoT product security reviews, wireless penetration tests, deep dive application assessments, etc. Replace traditional pentesting with continuous assessment for your EPT, unauthenticated exposures, CI/CD pipeline, detecting sensitive information leaks (NIMBY). Let’s set up a platform to identify exposures in the most common ways attackers break in: unpatched systems, misconfigurations, app vulns, sensitive info leaks, weak passwords.
  24. BM ask RR It’s an offensive MSS!
  25. RR Do more with less effort! Continuously. BM Predict security like the weather, but better!