The document outlines the security consulting services offered by Connect 2017, detailing their approach to penetration testing, red teaming, and software security assessments. It emphasizes the need for organizations to evaluate their security posture against real-world attacker tactics while providing insight into the roles of consultants and the methodologies used in these assessments. Additionally, it highlights the importance of customizable and adaptive security services tailored to client needs and maturity levels.

1. CONNECT
2017
Security
Consulting
Services,
Which
is
the
best
option
for
me
?
Understanding
the
offering

2. AGENDA
• Who
we
are
• Security
Consulting
Services
• Penetration
Test
and
Red
Team
• Software
Security
Assessment

3. L E A R N M O R E
Diego
Sor
Security
Consulting
Services,
Director
Core
Security
About
me
Technical
• Started
experimenting
with
8-­‐bit
home
computers
• BASIC
was
my
first
approach
to
programming
• Hardware
and
communications
fan
• Electronic
engineer
degree
• In
1998
Joined
a
mobile
phone
fraud
prevention
company
• In
2001
Joined
Core
Security
as
windows
device
driver
developer
• In
2006
Moved
to
the
SCS
team
as
a
security
consultant
• Have
been
managing
Consulting
team
since
2012
Not
so
Technical
• DYI,
Music,
Architecture
and
playing
with
my
daughter

4. Security
Consulting
Service
Who
we
are
We
are
a
group
of
security
engineers
working
along
with
customers
to
secure
their
information
technology
systems
• SCS
conduct
security
consulting
service
since
1997
• We
think
and
act
like
attackers
• We
do
vulnerability
research
• We
keep
up
to
date

5. Security
Consulting
Service
Why
do
customers
call
us
?
• Recent
public
breaches
made
them
understand
that
real
attackers
are
targets
organizations
like
them
• Want
to
protect
PHI
or
other
sensitive
information
• Stakeholders
want
to
understand
their
security
posture
• Interested
in
exercising
their
security
team
• New
application
features
will
be
put
in
production
soon
• Want
to
measure
their
security
operations
center
capabilities
• Deployed
new
systems
information
infrastructure
• Stick
to
compliance
programs

6. Security
Services
Terms
Terminology
nightmare

7. SECURITY
SERVICES
RED TEAM
PENETRATION TEST
SOFTWARE SECURITY
ASSESSMENT
Security
Consulting
Services
Our
Services

8. SECURITY
SERVICES
RED TEAM
PENETRATION TEST
Security
Consulting
Services
Red
Team
and
Penetration
Test

9. S C O P E
Systems
and
components
under
test.
Things
you
want
to
secure
O B J E C T I V E S
Something
to
achieve.
Concerns
you
may
have
and
want
to
be
evaluated
Initial
Information
Key
conversation
between
consultants
and
customers
A C T O R S
Are
the
individuals
carrying
out
actions.
Consultants
will
mimic
attackers
using
defined
profiles

10. Red
Team
You
know
you
secured
your
environment
Evaluate
the
resilience
of
your
organization
against
real-­‐world
attackers.
Consultants
will
find
and
exploit
vulnerabilities
while
using
tactics
an
techniques
(TTP)
to
avoid
detection
and
persist.
INCLUSIVE
SCOPE
Attackers
move
freely.
Include
as
many
components
as
possible.
Scope
limitations
create
artificial
barriers.
THINK
OF
THREATS
OBJECTIVES
Think
of
worst
case
scenarios:
1.
Cloud
admin
creds
stolen
2.
IP
documents
extracted
ATTACKERS
ACTORS
Consultants
acting
mimicking
attacker’s
techniques
and
tactics.
Liaison
with
internal
security
team
is
optional
FINAL
REPORT
OUTCOME
Vulnerabilities
exploited
and
attacks
paths.
Description
of
techniques
and
tactics
Level
of
readiness
of
you
defense
team
Fixes
and
mitigations

11. Red
Team
Steps
to
success
• Process
is
iterative
• Achieve
defined
objectives
while
minimizing
noise
and
detection
• May
or
may
not
fine
tune
repetitive
by
liaising
security
staff
reconnaissance compromise
then
escalate persist lateral
move/pivoting cleanup
reconnaissance
report

12. Penetration
Test
Want
to
challenge
your
security
posture
Evaluate
the
resilience
of
your
organization
against
real-­‐world
attacks.
Consultants
will
find
and
exploit
vulnerabilities
to
get
access
to
privileged
systems
and
information
INCLUSIVE
SCOPE
Enumerate
components
and
systems.
Networks,
applications
and
users
are
usual
targets
THINK
ON
THREATS
OBJECTIVES
Think
of
worst
case
scenarios
1.
Cloud
admin
creds
stolen
2.
IP
documents
extracted
ATTACKERS
ACTORS
Consultants
mimicking
attacker’s
techniques
FINAL
REPORT
OUTCOME
Vulnerabilities
exploited
and
attacks
paths.
Description
of
techniques
and
tactics
Fixes
and
mitigations

13. Red
Team
vs
Penetration
Test
I
see
a
lot
similarities
• It
is
about
challenging
the
security
of
an
organization
• Attackers
can
be
external
and
internal
to
the
organization
(insider
threat)
• Red
Team
revisits
the
initial
penetration
test
concept,
where
noise
and
detection
avoidance
were
part
of
the
equation
• Penetration
Test
has
evolved
in
many
different
practices
creating
a
softer
definition
and
leaving
space
for
Red
Team
to
create
some
additional
specification
• Key
concept
is
mimicking
the
attacks
you
find
in
real-­‐world
scenarios
• A
sophisticated
real-­‐world
attacker
will
leverage
trust
relationships
to
gain
access
to
more
valuable
information
assets
• Liaison
with
internal
security
staff
lead
to
the
Purple
Team
concept

14. Red
Team
and
Penetration
Test
What
is
in
scope
?
• Time-­‐boxed
• You
get
X
hours
of
attackers
challenging
your
security,
let’s
see
what
they
can
do!
• Attackers
do
not
ask
for
permission,
the
use
any
available
means
• External
facing
servers
and
services
• Internal
servers
and
services
• Hybrid
systems
– Cloud
and
on
premise
• Organization
individuals
• Phishing
campaigns
• Social
engineering
activities

15. KNOWLEDGE
VULNERABILITY
ASSESSMENT
Initial
steps
to
secure
your
organization.
It
finds
as
many
vulnerabilities
as
possible.
Mostly
automatic
tests.
RESILLIANCE
PENETRATION
TEST
You
know
you
secured
your
organization.
Sophisticated
attackers
will
challenge
you
security
posture
RESILLIANCE
AND
READINESS
RED TEAM
More
sophisticated
attackers
will
challenge
the
security
and
readiness
of
your
organization
Security
Services
Lifecycle
AUDITORS ATTACKERS
MATURITY
LEVEL
TIME

16. SECURITY
SERVICES
SOFTWARE SECURITY
ASSESSMENT
Security
Consulting
Services
Software
Security
Assessment

17. Software
Security
Assessment
Definition
and
key
objectives
Assess
the
security
of
an
application
or
group
of
applications,
their
ability
to
resist
attacks.
Evaluate
your
defensive
programming
practices
• In
this
context
an
application
is
a
system
or
groups
of
systems
that
are
logically
connected
and
cooperate
to
do
something
• Consultants
to
find
as
many
vulnerabilities
as
possible
• Consultants
to
evaluate
the
code
quality
in
terms
of
security
• Consultants
to
create
running
proof-­‐of-­‐concepts
of
the
findings
• Assessing
a
single
isolated
application
is
not
exactly
a
Penetration
Test

18. Software
Security
Assessment
By
Approach
Dynamic
Analysis
• Tests
carried
out
on
a
running
application
• May
or
may
not
have
access
to
source
code
• Consultants
mimicking
attackers
with
no
or
some
level
of
knowledge
of
the
application
Static
Analysis
• Full
access
to
the
source
code
and
application
design
• Deep
level
of
understanding
of
the
source
code
being
tested
• Consultants
mimicking
attacker
full
source
code
knowledge
• Consultants
acting
as
security
quality
assurance

19. Software
Security
Assessment
By
Source
Code
Access
White-­‐box
• Consultants
have
access
to
source
code
and
documentation
Gray-­‐box
• Consultants
have
some
access
to
source
code
and
documentation
• Source
code
for
sensitive
functions
crypto,
storage,
authorization
and
authentication
Black-­‐box
• Consultants
have
zero
access
to
source
code
and
documentation
• Focused
on
the
exposed
interfaces

20. Software
Security
Assessment
Vulnerability
Categories
Design
• Fundamental
mistake,
the
application
does
what
is
supposed
to
do,
but
it
is
wrong
due
to
failed
specification
Implementation
• The
code
usually
doing
that
it
should
do
but
there
is
a
security
problem
in
the
way
specific
action
is
carried
out
Operational
• These
problems
arise
when
looking
at
context
in
which
the
software
operation.
Has
to
do
with
the
code
but
also
with
the
operation
and
environment
DESIGN
OPERATIONALIMPLEMENTATION

21. Software
Security
Assessment
White-­‐box
Assessment
• Project
setup
cost
can
be
high
• Code
isolation
from
3rd party
• Sharing
intellectual
property
• Interaction
with
developers
• Time
and
cost
intensive
• Testers
looking
for
security
bugs
and
bad
code
practices
• More
in-­‐depth
analysis
than
black-­‐box
counterpart
• Include
the
following
tasks
• Code
analysis
tools
• Check
the
code
and
then….check
the
code
again

22. Software
Security
Assessment
Black-­‐box
Security
Assessment
AKA
Application
Penetration
Test
• Uncover
what
is
visible
and
exposed
• Short
time
frame
and
quick
results
• QA
or
testing
environment
can
be
used
for
testing
• Works
better
having
access
to
source
code
• Uncovering
Vulnerabilities
may
include
• Dynamic
analysis
tools
• Fuzzing
• Reverse
engineering
/
Decompiling
• Debugging
• Instrumentation

23. Application
Types
Web Mobile Desktop IoT

24. Final
Words
Approach
that
works
for
you
• Consultants
to
understand
customer
needs
and
maturity
level
• Think
about
threats
• The
ones
you
envision
should
work
as
initial
objectives
• Do
not
force
a
hard
scope
definition
when
you
do
not
know
• Unless
you
are
sure,
be
as
broad
as
possible
• Be
incremental
and
continuous
• Combine
services
and
approaches
• Services
should
be
able
to
adapt
to
your
SDLC

25. THANK
YOU