Behind of the Penetration testing - SECUINSIDE - secuinside.com/archive/2015/2015-1-2.pdf
Behind of the Penetration testing
J@50n L33
AGENDA
1. WHO I AM!!
2. PENETRATION TESTING
3. WHY DO YOU NEED THE PENETRATION TESTING
4. HOW DO YOU PERFORM THE PENETRATION TESTING
5. WHAT ABOUT THIS, THERE IS DIFFERENT WAY TO USE IT FOR
6. CONCLUSION
2015-07-22 Knowing You're Secure 2
WHO I AM!!
Who I am!!
Since 1991
Instructor
Developer
System Engineer
Security Practitioner
Security Tester
Security Researcher
Offensive Evangelist
2015
Research:
• Security Testing Methodology based on blind testing approach (2007)
• Way to secure web application using secure libraries (2007)
• Application Testing Methodology for SDLC (2008)
• Security Testing Methodology based on static analysis (2009)
• Penetration testing Methodology for Nuclear Power Plants (2012)
• Offensive Analysis as a Security assessment for Critical-Safety Systems (2013)
PREFACE
007; Sky-fall (2012)
PENETRATION TESTING
What do you call it?
• Hiring someone to hack your company for good reason.
– Penetration testing
– Tiger teaming
– Intrusion testing
– Ethical hacking
– Vulnerability Analysis
– Even, Security Assessment
Characteristics of Pentesting
• Focusing on tools and technology, with only a very small portion on methodology
• Interpreting the result
• Protecting the innocent
• Politics and processes
• Testing dangers
Security = Physics
• Penetration testing is
– the pinnacle of thought-provoking security activity
– Touching on the simplistic nature of security
– The act of exploiting vulnerabilities with good reasons
Sneakers(1992)
WHY DO YOU NEED THE PENETRATION TESTING
Hacking Impacts
• Resources
– Core services, object code, disk space …
• Information
– Loss, disclosure and integrity.
• Time
– Anything that consumes time consumes money and causes financial loss
• Brand and Reputation
The Hacker
• Does the hacker lead to destruction? That is only a misuse of the term.
• Hacker
– Investigate the workings of computers for fun and a challenge
– Not to penetrate or perform malicious acts
• Cracker
– Break computers to use them for free or use system resources
• What is the correct word today for a hacker who performs malicious acts?
– Hacker(Cyber Criminal) or Malicious Hacker
Types of Hackers
• Script Kiddies
– Unstructured
– Structured
– Determined
• Independent hackers
– Malicious
– Solvers
– Hacktivist
– Vigilante
• Organized hackers
– State-Sponsored
– Extortion
• Hitman
• Terrorist
– Espionage
Motives
• What Maelstrom said
– I just do it because it makes me feel good, as in better than anything else that I’ve ever experienced.
• What Kevin Mitnick described
– You get a better understanding of cyberspace, the computer systems, the operating systems, how the computer systems interact with one another; that basically was my motivation behind my hacking activity in the past.
– It was just from the gain of knowledge and the thrill of adventure, nothing that was well and truly sinister as trying to get any type of monetary gain or anything
• Six Fundamental drivers for hackers
– Addiction to computers
– Curiosity of the possible
– Excitement
– Social status
– Power
– Betterment of society
Can you survive?
Threats
Hacking Impacts
Hackers
Types of Hackers
Motives
HOW DO YOU PERFORM THE PENETRATION TESTING
Many organizations do pentesting every year
• Penetration testing has become mainstream
– How many times do you run penetration tests on your organization?
– How many different penetration testing teams do you hire?
– Do you ask your pentesting team to do different activities?
– Do you have any idea what they are using for pentesting?
Framework
• What is Framework?
• How does it apply to attacking a system?
• Is a framework a methodology?
Planning Operations Reconnaissance Enumeration Analysis Exploitation Deliverable Integration
Selected options
Options not selected
Options not available because other options not employed
Options wanted, but not available
Determining the impact on value based on selected options
Concern for penetration testing phase
Planning the test
Sound operations
Reconnaissance
Enumeration
Vulnerability Analysis
Exploitation
Final Analysis
Deliverable
Integration
Mitigation
Defense
Incident Management
The Software Vulnerability Asymmetry Problem
• Defender must fix all vulnerabilities in all software, but attacker wins by finding and exploiting just one vulnerability
• Threats change over time – the state of the art in vulnerability finding and attack techniques changes over time.
• Patch deployment takes time – vendor must offset risks to stability & compatibility, customer waits for servicing cycle
Result: Attackers only have to find one vulnerability, and they get to use it for a really long time.
Exploit Economics
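$$\text{ROI} = \frac{\text{Gain from Investment} - \text{Cost of Investment}}{\text{Cost of Investment}}$$

$$\text{Attacker ROI} = \frac{\text{Attacker Gain} - \text{Attacker Cost}}{\text{Attacker Cost}}$$

$$\text{Attacker Gain} = \frac{\text{Gain}}{\text{Opportunity}} \times \text{N Opportunities}$$

$$\text{Attacker Cost} = \text{Vulnerability Cost} + \text{Exploitation Cost}$$

$$\text{Attacker ROI} = \frac{\left(\frac{\text{Gain}}{\text{Opportunity}} \times \text{N Opportunities}\right) - \left(\text{Vulnerability Cost} + \text{Exploitation Cost}\right)}{\left(\text{Vulnerability Cost} + \text{Exploitation Cost}\right)}$$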
Exploit Economics
• We can decrease Attacker ROI if we are able to…
– Increased attacker investment – increased cost to find usable vulnerabilities
• Varies by platform and vendor and technology
• New tools and automation help w/ bug mining, but on some platforms the watermelons are already harvested
– Increased attacker investment required to write reliable (and stealthy) exploits
• Exploit vulnerability and break out of sandbox / defeat additional protections and mitigations
• Boutique bespoke software development house w/ ever-expanding requirements
– Decreased attacker opportunity to recover investment
• Fewer opportunities via artificial diversity & improved updating
• Ever-improving detection of exploits & follow-on actions
• Fewer resale / reuse opportunities
Result: Stealthy, reliable attacks require significant engineering; working exploits become more scarce and valuable and shorter lived(?)
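$$\text{Attacker ROI} = \frac{\left(\frac{\text{Gain}}{\text{Opportunity}} \times \text{N Opportunities}\right) - \left(\text{Vulnerability Cost} + \text{Exploitation Cost}\right)}{\left(\text{Vulnerability Cost} + \text{Exploitation Cost}\right)}$$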
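The Attacker ROI formula with the three levers from this slide applied to it, as an added example that is not part of the original slides. All dollar figures, the lever multipliers and the names `ExploitEconomics`, `LEVERS`, `rank_levers` and `apply_all` are constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class ExploitEconomics:
    gain_per_opportunity: float  # "Gain / Opportunity" on the slide
    n_opportunities: float       # "N Opportunities"
    vulnerability_cost: float    # cost to find a usable vulnerability
    exploitation_cost: float     # cost to write a reliable exploit

    @property
    def cost(self) -> float:
        return self.vulnerability_cost + self.exploitation_cost

    def roi(self) -> float:
        gain = self.gain_per_opportunity * self.n_opportunities
        return (gain - self.cost) / self.cost

    def break_even_opportunities(self) -> float:
        # Number of opportunities at which gain equals cost (ROI = 0).
        return self.cost / self.gain_per_opportunity

# Constructed baseline: $5,000 per opportunity, 100 opportunities,
# $40,000 to find the bug, $60,000 to weaponize it.
BASELINE = ExploitEconomics(5_000, 100, 40_000, 60_000)

# The slide's three levers, each with an assumed (constructed) strength.
LEVERS = {
    "costlier bug finding":
        lambda e: replace(e, vulnerability_cost=e.vulnerability_cost * 3),
    "costlier exploit engineering":
        lambda e: replace(e, exploitation_cost=e.exploitation_cost * 3),
    "fewer opportunities":
        lambda e: replace(e, n_opportunities=e.n_opportunities / 4),
}

def rank_levers(base=BASELINE):
    """Return (lever, attacker ROI, break-even N), lowest attacker ROI first."""
    rows = [(name, fn(base).roi(), fn(base).break_even_opportunities())
            for name, fn in LEVERS.items()]
    return sorted(rows, key=lambda row: row[1])

def apply_all(base=BASELINE):
    """Apply every lever at once, as a layered defense would."""
    for fn in LEVERS.values():
        base = fn(base)
    return base

if __name__ == "__main__":
    for name, roi, n_star in rank_levers():
        print(f"{name:30s} ROI={roi:6.2f}  break-even N={n_star:.0f}")
    print(f"all levers combined            ROI={apply_all().roi():6.2f}")
```

In this constructed case no single lever makes the attack unprofitable, but the three together push the break-even point (60 opportunities) above the opportunities that remain (25).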
Exploit Economics
• Maturing Industry – Specialized & horizontal
– Also now vertically reintegrated at state level
• Squeezed from the bottom
– $500 PC w/ IDA Pro & BinDiff
• Squeezed from the top
– Ever-expanding list of cyber-capable countries
– $500M investment returns Tier1 capability
Finder Exploiter Malware house Organized Attacker
Organized
Attacker
Malware house
Exploiter
Finder
THERE IS DIFFERENT WAY TO USE THE PENETRATION TESTING
CONCLUSION