Penetration Testing Fundamentals February 1, 2017 Presented by Mike Weber, VP Coalfire


Penetration Testing Fundamentals

February 1, 2017

Presented by

Mike Weber, VP Coalfire

Housekeeping

• Submit questions during the webinar using the question area in the control panel on the right side of your screen.

• We will answer as many questions as possible during the Q&A portion of the webinar until the top of the hour. We respond to all remaining questions via email after the webinar.

• Attendees will receive a PDF of the slide presentation and a link to the recorded webinar.

Coalfire at a Glance

• Thought-leader and trusted advisor in the fast-growing cybersecurity market

• More than 1,400 customers across a broad set of industry sectors

• More than 500 employees in 12 locations in North America and Europe

• A sophisticated portfolio of cyber risk advisory and assessment services

• Industry-leading ethical hacking and technical testing team

• Cyber solution selection and design services to optimize overall security environment

• Cloud-based CoalfireOne℠ Enterprise Risk and Compliance Platform, used by more than 800 clients

• Backed by the Carlyle Group and Chertoff Group

Technical Testing Capabilities

Offensive Capabilities

• Network penetration tests

• Red team operations

• Application/mobile testing

• Physical and social engineering

Defensive Capabilities

• Vulnerability assessments

• Threat hunt operations

• Digital/Data Forensics

• Assessment program accelerators

Tools development

• Cortana Pack

• CrackMapExec

• Doozer

• Egress-Assess

• Empire

• Eyewitness

• Hashbot

• KrbCredExport

• Malleable C2 profiles

• Minions

• PowerSploit

• PowerTools

• PowerForensics

• Uproot

• Veil-Evasion

Thought Leadership

Speaker Introduction

Mike Weber, VP Coalfire

Mike Weber oversees operations, including penetration testing, application security assessments and compliance validation, digital forensics services, and incident response services, for Coalfire.

He has more than 18 years of experience in senior security positions in various technical fields, including enterprise security planning and policy development, network engineering, vulnerability assessment, risk assessment, penetration testing, system administration, and programming.

He is an expert in the development and management of information security programs tailored to highly regulated industries such as government, healthcare, banking, and utilities.

Agenda

• What Is A Vulnerability Assessment?

• What Is Penetration Testing?

• Types Of Penetration Tests

• Know Your Pen Tester

• Testing “Maturity Model”

Time To Discover A Breach

Source: Verizon DBIR 2016, page 10

Learning About A Breach

Source: Verizon Data Breach Investigations Report

First Things First…

Engaging in technical testing means:

• Unexpected traffic will be generated!

• There will be impact.

• There may be disruption.

Prerequisites for any engagement

• Define scope

• Vet methodologies with client

• Approve access to systems

• Establish dates and times

• Exchange contact information

Vulnerability Assessment

What’s A Vulnerability Assessment?

• A vulnerability assessment is not a penetration test.

• It’s a testing process that identifies components with known flaws within an organization’s IT infrastructure and applications.

• The goal of a vulnerability assessment is to prioritize remediation as part of an organization’s vulnerability management program.

Vulnerability Assessment

Scoping

• Technical information

• Number of systems

• Physical locations

Methodology

• Technical tool delivery

• Vulnerability scanner-driven

• Machine-identifiable vulnerabilities

• Standardized vulnerability ranking

Considerations

• Credentialed or uncredentialed?

• Wireless included?

• Working hours or after hours?

• Exclusion lists / known issues?

• Data destruction policies?

[Generalized] Methodology

• Engagement Planning

• Vulnerability Analysis

• Reporting

Vulnerability Assessment

Key takeaways

• Defines scope based on systems to be assessed

• Mostly uses automated scanners

• Discovers known vulnerabilities

• Finds only technical shortcomings

• Provides tactical recommendations in a lengthy report

• Facilitates internal security management processes

Penetration Testing

What Is A Penetration Test?

• A penetration test is a real-world attack performed by security experts on a company’s IT infrastructure to discover exploitable security flaws.

• Ultimately, a penetration test is a security professional emulating a threat, acting on the attack surface with one or more attack vectors that comprise an “attack scenario.”

• The goal of a professional pen test is to discover vulnerabilities so they can be addressed and remediated before the “bad guys” find them and exploit them.

Penetration Test

Scoping

• Scoped based on test objectives and environment to be tested

• Number of systems / physical locations

• Different testing objectives necessitate different levels of effort

• Results in a “time-box”

Methodology

• Delivery augmented with technical tools, but this is not the primary driver

• Human-driven

• Finds technical and logical vulnerabilities

• Findings ranked based on impact

Considerations

• Narrow or broad scope?

• Impact on response teams

• Working hours or after hours?

• Exclusion lists / known issues?

• Data destruction policies?

Penetration Testing

KEY COMPONENTS

• Threat Emulation

• Attack Surface

• Attack Vectors

• Attack Scenarios

• Methodology

Threat Emulation

Defined: What’s dangerous?

• Your adversary

• Anonymous Attackers

• Trusted third-parties (vendors, integrators)

• Malicious / compromised customers

• Malicious insiders

• Non-malicious insiders

Attack Surface

Defined: What can be attacked?

• Network gear

• Wireless

• Security appliances

• Applications

• Operating systems

• Workstations

• “People” / “processes”

• Facilities

• Databases

Attack Vectors

Defined: Ways to attack something

• Operating system vulnerabilities

• Brute force attacks

• Denial of service

• Physical access / forensics

• Phishing

• Application flaws

• Business logic flaws

Attack Scenarios

Defined: Emulation of a threat carrying out a given attack vector on an attack surface.

• External “anonymous” attacker finding web application vulnerabilities in an organization’s publicly accessible web application.

• Attacker who has a foothold on an internal device and is sniffing the network to capture password hashes or other sensitive data.

• Compromised third party with access to part of the environment, who then attacks what can be “seen” through a limited access environment.

• External attacker attempting to gain a foothold on a user-level workstation or account through phishing campaigns delivering malware.

[Generalized] Methodology

• Engagement Planning

• Reconnaissance / OSINT

• Attack Planning / Threat Modeling

• Vulnerability Analysis

• Exploitation

• Post-Exploitation

• Reporting

Pen Test vs. Vulnerability Assessment

• A vulnerability assessment (scan) is “an inch deep and a mile wide.”

• A penetration test is the opposite: a narrow focus, specific to the client, taking exploitation to the furthest extent possible.

Methodologies Compared

Penetration Testing

• Engagement Planning

• Reconnaissance / OSINT

• Attack Planning / Threat Modeling

• Vulnerability Analysis

• Exploitation

• Post-Exploitation

• Reporting

Vulnerability Assessment

• Engagement Planning

• Vulnerability Analysis

• Reporting

Types of Penetration Tests

• Network Penetration Test

• Application Penetration Test

• Appliance / Internet Of Things (IoT) Penetration Test

• Enterprise Penetration Test

• Red Team

• Reverse Engineering / Zero-day Research*

Network Penetration Test

Attacks against operating systems, services, and infrastructure that support an organization

• Threat emulated

– External: anonymous attackers across the Internet

– Internal: adversaries that have gained access to the internal environment

• Attack surface

– Operating systems

– Infrastructure

– Commercial off-the-shelf (COTS) products

PENETRATION TEST TYPES

Application Penetration Test

Attacks against an application and its supporting infrastructure with the objective of gaining enhanced access or privileges to the application

• Threat emulated: credentialed and uncredentialed adversaries

• Attack surface: the accessible portions of an application

PENETRATION TEST TYPES

Appliance / Embedded / IoT

An attack against a physically or logically deployed product and its supporting infrastructure with the objective of compromising the system or negatively impacting the integrity of the solution for others

• Threat emulated: an attacker that has gained physical access to a device

• Attack surface: the physical and logical devices, network connectivity to the device, and backend systems

PENETRATION TEST TYPES

Enterprise Penetration Test

Attacking all of an organization’s attack surface – including the technology, people and processes that support it – with the objective of gaining as much access as possible in each scenario.

• Threat emulated: unique per each selected scope

• Attack surface: specified by client, thorough testing, includes all appropriate attack vectors

• Approach: Covert or Cooperative

• Comprehensive service

PENETRATION TEST TYPES

Red Team Operations

• Emulate the tactics of real-world threat actors

• Training of Blue Team / Incident Response staff

• Actively exercise the full incident response loop

• Gauge minimum time to detect, minimum time to recover

• Post-exploitation offensive data analysis

PENETRATION TEST TYPES

PENETRATION TEST TYPES

Reverse Engineering / Zero-day

• Research engagement

• Performed on discrete software components

• Clients are solution vendors

Penetration Testing

Key Takeaways

• Requires one or more objectives for a successful test

• Scope is based on the attack scenarios

• Effort is ‘time-boxed’

• Discovers both technical and logical vulnerabilities

• Reports should be succinct

• Recommendations are strategic

• Enhances internal security operations processes

Know Your Pen Tester

Know Your Pen Tester

• How large is their staff?

• What is their reputation in the industry?

• What are their qualifications?

• Do they do background checks on new hires?

• Do they participate in and support industry associations, forums, and events?

• Do they have a quality assurance program?

• Do they use quality commercial products as well as freeware and shareware?

• Do they make their own tools / known for coding capabilities?

Testing “Maturity Model”

Testing Maturity Model

Testing

LOW

• Vulnerability Assessment

• External Network Penetration Testing

MODERATE

• Application / Solution Penetration Testing

• External and Internal Penetration Testing

• Enterprise Penetration Testing

HIGH

• Red Teaming

• Hunt Operations

Organization

LOW

• No / weak security policies and awareness

• Minimal Vulnerability Management program

MODERATE

• Security checkpoints in dev lifecycle

• Dedicated security products in-house

• Staff with defined security responsibilities

HIGH

• Functional Security Operations Team

• Well developed security governance

Your Maturity Level Recommendation

Questions?

Mike Weber

[email protected]

877.224.8077

www.Coalfire.com