New Age Red Teaming - Enterprise Infilteration

2
About
 Name: Shritam Bhowmick
 Professional Career:
o AVP, Labs @Lucideus Tech
 Application Security Assessments
 Research and Development @Lucideus Labs
o Application Security Trainer @CTG Security Solutions
 Application Security Trainer
 Training Scheduler & Advisor
o Red Team Lead, Security Specialist cum R&D @Defencely
 Client SPOC
 Penetration Tester
 Application Security Team Lead
 Red Team Coordinator and Engagement Specialist

3
And all of ‘em were my secret Hobbies too!
P.S: I do not use memes into presentations.

4
Pointers
1. One 2. Two 3. Three
4. Four

5
Abstract
Security Breaches (Statistical Analysis)
Source:http://data-protection.safenet-inc.com/2015/02/2014-data-breaches-by-the-numbers-and-the-impact/

6
Abstract

7
Abstract

8
Abstract

9
Abstract
Security Breaches (Reasoning Analysis)
CRM, ERP, POS,
etc.
Servers, Desktops,
Laptops, etc.
Routers, switches,
network admins, etc.
IT Budget

10
Abstract
Application Code
Review, training, testing
Vulnerability
Management,
Policy Review, etc.
VA/PT, Firewall, SNA,
IDS, SSL. Etc.
IT Security
Budget

11
Abstract
IT Budget
Priority

12
Abstract
1. Code Maintainers unavailability
2. Developers do not understand vulnerabilities (Awareness factor)
3. Lack of IT Security Budget to cope up with current vulnerabilities
4. Affected codebase or part of code is owned by a third party
5. Applications deployed will be taken off n near future
6. Security solutions conflicts with business use cases
7. Compliance does not require fixing the issues
8. Feature enhancement is prioritized ahead of security fixes
9. Risk of exploitation and compromises are accepted

13
Security Assessment v/s Security Engagement
Security Assessment – It’s a part of risk assessment or more
particularly – IT Security Risk Assessment, and it’s also a
“quantified” value of the risks to which an IT firm could be
exposed. Some necessary ingredients are:
1. Threat Assessment
2. Risk Assessment
3. Security Compliances

14
Security Assessment v/s Security Engagement
Security Engagement– The first phase of accessed risks could be
verified by an ‘engagement’ procedure in place which gives
“qualitative” results if the previously accessed risks were positive or
negative, and this by default is either an ‘offensive’ or a
‘defensive’ engagement. This, again could be broken down to:
1. Code Review
2. Vulnerability Assessment
3. Penetration Testing
4. Red Team Engagement

15
Threat Assessment
Threat Agents
Particulars which can adversely affect business
1. Non Target Specific – Trojan Horses, Worm, Viruses,
Logic Bombs, CnC Driven Botnets, etc.
2. Internal/External Association – Employees, Staff,
Code Maintainers, Operational Personnel's, YOU!
3. Organized Crime – Finance driven, target driven
blackhat entities, credit card information stealers.
Reference:https://www.owasp.org/index.php/Category:Threat_Agent

16
Threat Agents
4. Corporation – Competitive Intelligence and
Offensive Information Warfare.
5. Human – Insider/Outsider with Intentional & Un-
Intentional threat agent behavior involved.
6. Natural – Earthquake, Thunderstorms, Flood, Fire,
Physical calamities driven by nature obstructing
electronic communications.
Reference:https://www.owasp.org/index.php/Category:Threat_Agent
Threat Assessment

17
Threat Modeling
A process of identifying threats and to meet security objectives
1. External Dependencies – List of items which are
external and not internal to the organization.
2. Entry Points – Interfaces through which potential
threat agents can interact or supply data. Each
entry point has a level of trust.
3. Assets – Items of interests to an attacker. Assets
could be physical or abstract.
Reference:https://www.owasp.org/index.php/Application_Threat_Modeling
Threat Assessment

18
Threat Modeling
4. Trust Levels – Cross referenced between entry
points and assets, these are access rights.
5. Data Flow Diagrams (DFD’s) – Logical connection
for the data flow. It ensures the structural overview
to clarify sub-systems and lover-level systems.
6. Threat Analysis – Accounting dependencies, entry
points, assets, trust levels and DFD’s to identify
design, functional or architectural threats.
Reference:https://www.owasp.org/index.php/Application_Threat_Modeling
Threat Assessment

19
Threat Assessment Results
Threat Assessment
Threat Agents + Threat Modeling = Threat Assessment
1. Do Nothing – hope for the best
2. Aware and Inform – warn threats and publicize
3. Accept the Threat – accept threat if cannot be remediated
4. Remediate Potential Threat – place technical countermeasures
5. Transfer the Threat risk factor – insurances against a certain threat
6. Terminate entirely the Threat – Pull off deployment or shutdown affected
Mitigation Outcome

20
Risk Assessment
Risk Assessment in security for an IT firm or any other retail, financial,
health, private, or educational sector is a procedural process to
reduce, control or eliminate business risks by performing an in-depth risk
analysis and risk management.
Risk Assessment and Threat Assessment are different and often confused.
1. Threats cannot be controlled – since they are always there and would
always be external trying to put an organization into risk. STRIDE and
DRIDE are models of accessing threats.
2. Risks can be controlled, reduced or eliminated since they are internal to
the organization and could be accessed via rational reasoning keeping
factors such as productivity, barriers, and costs associated by an
Organization. This depends on size and complexity of the concerned
Organization.

21
Risk Assessment
Risk Assessment could be broken into considerable two parts:
1. Likelihood Assessment – where probability is determined.
2. Impact Assessment – if probability is true, the impact of the risk

22
Risk Assessment
Risk Assessment – The Process
1. Identify Risks
• Financial entities – such as transaction details
• Informational entities – such as POS systems and HR
• Private Confidential entities – such as contractual data
• Technological entities:
o Servers – Availability of services
o Applications – Integrity interfaces for users
o Hardware Devices – Confidentiality of physical security systems
 Biometric security systems – elevated physical access systems
 Secure Footage systems – CCTV, surveillance systems, etc
 SCADA systems – Integrated machinery systems for Industries.

23
Risk Assessment
2. Analyze Risks
• perform security requirements and objectives study
• Access system architecture and network infrastructure
• Access interconnectivity of each previously accessed systems
• Quantify hardware for networking resources used in the organization
• Identify operating systems in use, software in use in both systems and servers
• Quantify assets of the organization and relate them to resources quantified
previously
• Relate functional entities – DBMS and files
• Network services open to external and supported protocols
• Current Security systems in use, any access control mechanisms or firewalls

24
Risk Assessment
3. Evaluate Risks
• Likelihood of compromises
• Impact of compromises based on likelihood
• Business Outcome of the end compromises
• Risk Rating dependent on Risk Scaling Factors:
o Negligible Loss – non-sensitive data
o Slight Loss – low level business loss
o Significant Loss – sensitive business data loss
o Major Loss – financial loss to business
o Operational Loss – Patent loss, Data Loss, Strategy Loss
o Critical Loss to Survival – Tier-A Confidentiality loss, Weapon classification
data, military base locations, troop locations, agent list, life losses

25
Risk Assessment Results
Risk Assessment
Risk Identification + Risk Analysis + Risk Evaluation = Risk Assessment
1. Implement no security at all.
2. Implement basic AV software.
3. AV + Basic Browser security settings and basic filtering.
4. Implement spyware and regulate routine patches for each operational units.
5. Router Hardening, policy changes, IDS implementation, Acceptable Usage Policy
6. More Policy Enforcement, ports closing, data security, DMZ Placement, Packet level filter
7. Strict and regulatory compliance auditing, monthly patching updates, backup copy
destruction, physical and hardware level security, host system level security, routine
penetration testing, intranet controlled subnet security
Mitigation Outcome

26
Security Compliance
Personal identifiable information e.g. email addresses, names, residential addresses,
etc. when transmitted from one system to another and stored should be protected
and this information go through industrial regulations.
Security Compliance is a formal process that helps an organization to demonstrate
that it has a high level of IT security management. They are required as standards for
the industry and in certain cases a continuous check by the government.
Compliance is a complete process of:
1. Carrying out compliance exercise to audit what information the business holds.
2. Vulnerabilities of the IT systems involved to keep the business functionality.
3. Elements of the IT system which is vulnerable and which could be locked down.

27
Security Compliance
Security compliance are for different areas:
1. Health care – HIPAA (Health Insurance Portability and Accountability Act)
2. Ecommerce – PCI-DSS (Payment Card Industry Data Security Standard)
3. Government – FISMA, DIACAP, FedRAMP
4. Financial – BITS Shared Assessment Program, NIST, ISO
Reference:https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3/

28
…. Continuation
End of 1st Chapter

New Age Red Teaming - Enterprise Infilteration

More Related Content

What's hot

Similar to New Age Red Teaming - Enterprise Infilteration

New Age Red Teaming - Enterprise Infilteration