Session ID: TECH-W23
Session Classification: Advanced
Tactical Sec Ops:
A Guide to Precision Security Operations
Kevin Johnson
CEO Secure Ideas
kevin@secureideas.com
John Strand
CEO Black Hills Information Security
john@blackhillsinfosec.com
► Christian, Father, Husband, Nerd
► Security Consultant at Secure Ideas
► Author of SEC542/642/571
► Web App PenTesting/Adv Web PenTesting/Mobile Security
► SANS Senior Instructor
► Open Source Project Lead
► SamuraiWTF, Laudanum, Yokoso, WeaponizedFlash, etc.
Kevin Johnson
► Security Consultant at Black Hills Information Security
► Author of SEC580/464 and Offensive Countermeasures
► SANS Senior Instructor
► Member of PaulDotCom Security weekly
► Host of Hack Naked TV
► Member Active Defense Harbinger Distribution (ADHD)
John Strand
► Security Incidents are Increasing
► Types of Testing
► Network Scanning
► Web Application Testing
► User Awareness Testing
► Conclusions
Topics for Today
► Attacks have been happening for years!
► And we have been defending for almost as long
► Most organizations are vulnerable
► But it wouldn't happen to me right?!?!?!
Attacks are Rising?
► Source*
Verizon DBIR 2012
► So let's talk about some examples
► Based on public information
► John and Kevin have not worked on any of these cases!
► These are just a few of the organizations attacked
► But they are consistent samples based on our work
► These examples could be any of us!
► Are there any trends?
Some Examples…
► Many of these attacks are not l337
► Many of the vulnerabilities would have been easily discovered through testing
► It would appear many organizations are focusing on the same technologies
► Technologies which have failed us in the past
► Technologies which will fail us in the future
► Technologies which are failing us now
► But why are technologies failing us?
► Many tools are great
► Because we are expecting tools to fix our problems
► There needs to be people analyzing the data
Trends?
► Security Incidents are Increasing
► Types of Testing
► Network Scanning
► Web Application Testing
► User Awareness Testing
► Conclusions
Topics for Today
► Security testing takes many forms
► Most of which are not performed internally
► Testing types focus on a topic
► Network
► Web
► Users
► Mainly use vulnerability scanning
► Exploitation is usually reserved for penetration testing
► Many companies choose and use one tool for all testing
► “It says right on the box it does web scanning and network scanning… And there is a toy.”
► Most companies ignore user testing
Types of Testing
► A common problem is consistency
► What are we measuring?
► Consistency has two types
► Consistent testing
► Consistent results
► What are you measuring?
► Number of High Vulns?
► Number of Criticals?
► External? Internal?
► These tend to be easy to track
► People tend to track things that are easy
Consistency
► Most people don't know how
► Just run tools!
► Or they think it's magic!
► (I wish!)
► Learn by doing
► Be careful
► Review the results
► Unfortunately, our views of risk and how to assess it are from 5-10 years ago.
► Possibly, even the 80’s (Green book anyone?)
Learn How…
► Learning how requires us to have an environment for testing
► Testing the tools and our skills!
► We have a few options available to us
► Production systems (Not a good idea)
► Lab environment
► Virtual machines
► One difficulty is building out the tool sets and the targets
► Let's use live DVDs for this!
► Many are available
► BackTrack
► SamuraiWTF
► MobiSec
► ADHD
Environments
► Samurai Web Testing Framework is a live DVD
► Bootable environment with a focus on web penetration testing
► Similar to Backtrack, but focused on web app manipulation tools
► Created by Kevin Johnson of Secure Ideas and Justin Searle of UtiliSec
► It is freely available at:
► http://www.samurai-wtf.org
► Released in 2008 and continues to be actively updated
► SamuraiWTF is designed to be used as a pen testing environment and a place to try out new tools
SamuraiWTF
DEMO
► MobiSec is a live environment geared toward mobile security
► Released by Secure Ideas
► Funded by DARPA Cyber Fast Track
► It is based on Ubuntu and is open source
► Ubuntu 10.04 LTS
► It focuses on the following mobile security topics
► Penetration testing
► Secure development
► Forensics
► It can be downloaded from http://mobisec.secureideas.net
► Released in February of 2012
► Donated to OWASP and continues to be supported through that organization
► Designed to work within an organization's processes
MobiSec Live Environment
DEMO
► Finally, a Live environment for Active Defenses
► Not Hacking back per se.
► Free Virtual Machine for:
► Honeyports
► Callback Word Documents
► TOR Decloaking
► Honeybadger
► Currently led by Ethan Robish and John Strand
► Think Poison, not Venom
ADHD
DEMO
► Security Incidents are Increasing
► Types of Testing
► Network Scanning
► Web Application Testing
► User Awareness Testing
► Conclusions
Topics for Today
► Network scanning is more common
► Been around longer
► Easy
► Infrastructure is key
► Foundation to all
► Regularly performed
► Make it part of monitoring
Network Scanning
► Do a vuln scan
► But look from an exploit perspective
► Many people focus on the HIGH risks
► But most exploits I do use a combination of lows
► Think about what is important to you
► Then what an attacker would want
► Put the pieces together
What to Look For…
For example…
DEMO
► Security Incidents are Increasing
► Types of Testing
► Network Scanning
► Web Application Testing
► User Awareness Testing
► Conclusions
Topics for Today
► Testing web applications beyond QA
► And before it
► Looking for flaws in the process
► And the application handling
► We need to include all of our applications
► Test throughout development
► AND purchasing
► Many security people are afraid of web scanning
► It is not hard, it is just different
Web Application Scanning
► We need to find the flaws
► Without exploiting them greatly
► Common OWASP issues are a start
► Top 10, but more
► Don't forget logic and process attacks
► Harder to find but bigger impact
► If you used an automated scanner which checked for the basics (XSS, SQLi, etc.),
► Then fixed those vulnerabilities,
► Your applications would stump a large number of security consultants.
Looking for Flaws
► Many people think active scanners and commercial vuln assessment tools are the only (best) choice
► But many simple free or open source tools can be VERY powerful
► With the right knowledge, an operations person can quickly scan and assess a web application
► Saving the organization significant cost and time
► Let's look at a few options now
► Fiddler
► Burp Suite
► Ratproxy
► Each of these tools has benefits and limits
Useful Tools
► Free web debugging proxy
► Runs on Microsoft Windows
► Provides simple interception within development and operational environments
► Great for Windows shops
► Can be used as a proxy or configured to grab all HTTP(S) traffic
► Useful for non-proxy-aware applications
Fiddler
► Burp Suite is a complete collection of tools
► Based around the interception proxy
► Available at http://portswigger.net
► Each of the pieces can be used separately
► But its power comes from combining them during a test
► Burp Suite is a commercial project
► There is a mostly functional free version
► The free version is limited
► Missing features such as the scanner and search
► Also prevents saving or restoring state
Burp Suite
► RatProxy is a mostly passive scanner
► Can be instructed to actively scan based on traffic
► Released by Michal "lcamtuf" Zalewski
► http://code.google.com/p/ratproxy/
► Runs on Linux, Mac and Windows
► Can be chained with other tools
► Different tools have different features
► Decompiles Flash objects
► Actionscript 2.0
RatProxy
► Proxies can be chained together
► This allows for using the best features of each
► We have to be careful that they don't overwhelm each other
► For example, two active scanners running at the same time
► It's typically best to mix passive and active software
► For example, ratproxy and Burp
► Our browser should connect to the passive one, which would connect to the active one
Chaining Proxies
[Diagram: Web Client → Passive scanner → Active Scanner]
DEMO
► Security Incidents are Increasing
► Types of Testing
► Network Scanning
► Web Application Testing
► User Awareness Testing
► Conclusions
Topics for Today
► Phishing attacks are pretty common
► We have all seen them
► But users think they are immune
► So let's prove otherwise
► Sending out typical emails
► And targeted ones (ok ok Spear I said it)
► Be careful of culture
► Or abuse it to win
► Why do many organizations skip this?
► Embarrassment?
► HR?
► Legal?
Phishing
For example
► Social networks are huge
► You knew this was going to be mentioned right?
► Are you looking at postings?
► (Talk to HR and legal!)
► Check out the postings
► Not for violations but for information
► Don't stalk!
► But keep track privately (Not anonymously)
► Search for:
► Accounts mentioning your company
► Accounts which are already compromised
► Highly active users (they make great targets!)
Social Networks
For example
DEMO
► Security Incidents are Increasing
► Types of Testing
► Network Scanning
► Web Application Testing
► User Awareness Testing
► Conclusions
Topics for Today
► We need to test regularly
► But make it part of our existing processes
► Include all the attack points
► Network
► Web
► Users
► Track results over time
► Map improvements and detect regressions
Conclusions
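The "Consistency" and "Conclusions" slides both come down to the same operational task: scan the same scope the same way, then compare results over time instead of only counting highs. This added example (not from the deck or from either speaker) implements that comparison over a constructed host,finding,severity format; the hosts and finding names are sample data, not real results.

```python
from collections import Counter

# Constructed sample data (not from the deck): two scans of the same
# external scope a month apart. Each line is host,finding,severity.
SCAN_PREVIOUS = """\
10.0.0.5,ssh-weak-ciphers,Low
10.0.0.5,openssl-outdated,High
10.0.0.7,smb-signing-disabled,Medium
10.0.0.7,snmp-default-community,High
10.0.0.9,http-trace-enabled,Low
10.0.0.11,ftp-anonymous-login,Medium
"""
SCAN_CURRENT = """\
10.0.0.5,ssh-weak-ciphers,Low
10.0.0.7,smb-signing-disabled,Medium
10.0.0.7,snmp-default-community,High
10.0.0.7,msrpc-anonymous-enum,Low
10.0.0.9,http-trace-enabled,Low
10.0.0.9,tls-self-signed-cert,Medium
"""

def parse_findings(text):
    """Parse host,finding,severity lines into a set of tuples."""
    findings = set()
    for line in text.strip().splitlines():
        host, finding, severity = (f.strip() for f in line.split(","))
        findings.add((host, finding, severity))
    return findings

def scope_drift(previous, current):
    """Hosts seen in only one scan: consistent testing means the same
    scope every time, so these must be explained before comparing."""
    prev_hosts = {h for h, _, _ in previous}
    cur_hosts = {h for h, _, _ in current}
    return sorted(prev_hosts - cur_hosts), sorted(cur_hosts - prev_hosts)

def compare_scans(previous, current):
    """Diff findings only on hosts present in both scans, so a host that
    was simply not scanned this time is not reported as 'fixed'."""
    common = {h for h, _, _ in previous} & {h for h, _, _ in current}
    prev = {f for f in previous if f[0] in common}
    cur = {f for f in current if f[0] in common}
    return {"fixed": sorted(prev - cur), "new": sorted(cur - prev),
            "unchanged": sorted(prev & cur)}

def severity_counts(findings):
    """The easy metric from the Consistency slide: findings per severity."""
    return Counter(sev for _, _, sev in findings)

if __name__ == "__main__":
    prev, cur = parse_findings(SCAN_PREVIOUS), parse_findings(SCAN_CURRENT)
    dropped, added = scope_drift(prev, cur)
    if dropped or added:
        print("scope drift: dropped hosts", dropped, "new hosts", added)
    # 'Highs' went from 2 to 1, yet two new findings appeared: the count
    # alone hides the regressions the diff below surfaces.
    print("highs:", severity_counts(prev)["High"], "->", severity_counts(cur)["High"])
    delta = compare_scans(prev, cur)
    for f in delta["fixed"]:
        print("FIXED     ", *f)
    for f in delta["new"]:
        print("REGRESSION", *f)
```

Feed it two exports from your own scanner in the same three-column shape and the drift check flags any scope change before the diff is trusted.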
Tactical Sec Ops: A Guide to Precision Security Operations