Painting a Company Red and Blue

Post on 08-May-2015

"Say red team one more time. I dare you. I double dare you. The term red team has been recently more abused than cyber. And it's making us all hurt in ways we need dolls to point where the bad man touched us. Time to get back to business: In this talk we'll get down and dirty on how a company can actually see a benefit from red teaming. Beyond the red team having fun and bragging rights. Actual ROI. Dirty business speak... We'll explore some recent examples of implementing red team engagements along with good ol' blue work, cutting the fat in the security practice of companies, and getting actionable work done."

Transcript of Painting a Company Red and Blue

Painting a Company Red and Blue

Ian Amit, Director of Services

Hi

What is a Red Team?

electronic
social
physical

Red Team

Why?

Red Team / Pentest / Vuln Scan

Compliant you are. Matter it does not.

There is security outside of IT

What to look for in a team?

Skills Matrix

        Electronic  Physical  Social
Bob          5          9        1
Joe          3          8        9
Jenny        9          4        7

*Neither Bob, Joe nor Jenny were hurt in making this slide

First rule

Go for the jugular!

• What can take the business down?

• Who is involved???

vs.

Second Rule

Give it all you’ve got

“You start as fast as you can go, and then slowly speed up” – Krembo

Let’s paint!

Red Team

• Simulate real intelligence gathering

• Create key personnel profiles

• Identify social weak points

Blue Team

• Identify and control public information

• Train key personnel on personal safety

• Work with HR on social issues

Wireless Network Penetration Testing Services

Confidential. Proprietary. [18]

Detailed Findings Tables

#RAPCON–1 Unauthenticated RAP Console Leaks IPSec Configuration

Device(s) RAP Console

Category Information Disclosure

Testing Method Black Box (Hardware)

Tools Used Firefox

Likelihood Medium (3)

Impact High (4)

Total Risk Rating High (12)

Effort to Fix Medium

Threat and Impact

The RAP Console is unauthenticated and displays information about the access point. Figure 1 shows a screenshot of the RAP Console home page.

Figure 1: Unauthenticated RAP Console

On the Diagnostics tab it is possible to view the conn_log, sapd_debug, dmseg, and rapper debug logs. The rapper debug log will log the PAP Username:

IKE_EXAMPLE: Starting up IKE server


setup_tunnel Initialized Timers IKE_init: completed after (0.0) (pid:16341) time:1999-12-31 16:37:53 seconds. Before getting PSK PSK:****** User:xiaobo1 Pass:******

A more serious information disclosure is the “Generate & save support file” option available on the home page of the RAP Console. The support.tgz file contained 73 files, including the ikepsk, pappasswd, and papuser files, as shown in Figure 2.

Figure 2: Contents of support.tgz

These files contain the encrypted IPSec pre-shared key, and the unique username and the encrypted password for this access point.

An attacker who has gained physical access to the access point or access to the RAP Console for the access point would be able to recover the credentials used by the access point to establish a VPN back to the controller. The credentials are encrypted with a static key, which can be easily decrypted.

Recommendations

The RAP Console has no security model. Disable it if possible.

Red Team

• Supply chain compromise

• Piercing the perimeter paradigm

• Access internal resources without controls

Blue Team

• IT is solid - go beyond the technology

• Expand monitoring towards the “unknown”

• Role based access controls on top of location/asset based

Red Team

• Uncover new/undocumented assets

• Leverage technical issues in devices that control environment

• Combine environment control with social engineering

Blue Team

• Expand control base into additional aspects of business

• Recruit stakeholders

• Train and educate personnel from other business units, learn the details of their business

Red Team

• Access critical assets out of their element

• Avoid triggering alarms on heavily guarded areas

Blue Team

• Scope secondary/tertiary locations for assets

• Correlate alerts for same asset category

Red Team

• Access non-production equipment

• Implant backdoors for later use

Blue Team

• Involvement in security should be started in early phases of design and testing

• Test-to-production should be scrutinized and no test setup should be relied on (same for default manufacturer settings)

Red Team

• Virtualized environments and out of band management for servers compromises

• Completely bypass host security. Full access to bios level configuration, full KVM access remotely.

Blue Team

• Datacenter security - both physical, as well as internal and vendor support

• Logging and auditing of all access to assets - including correlation of local and remote access with additional footprints (doors, VPNs)
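The last bullet, correlating out-of-band console access with the footprints a legitimate operator leaves behind (a door badge at that datacenter or an active VPN session), as an added worked example that is not from the talk. The badge, VPN and console records below are constructed sample data; the log formats and the 12-hour badge window are assumptions, not anything the talk specifies.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the talk). All times are naive UTC ISO strings.
BADGE_EVENTS = [  # (user, site, time): physical badge-in at a datacenter door
    ("alice", "dc1", "2015-05-08T09:02:00"),
]
VPN_SESSIONS = [  # (user, start, end): remote access sessions
    ("bob", "2015-05-08T08:30:00", "2015-05-08T10:00:00"),
]
OOB_LOGINS = [  # (user, site, time): out-of-band (KVM/BMC-style) console logins
    ("alice", "dc1", "2015-05-08T09:10:00"),  # badged into dc1 -> explained
    ("bob", "dc1", "2015-05-08T09:15:00"),    # active VPN session -> explained
    ("carol", "dc1", "2015-05-08T09:20:00"),  # no badge, no VPN -> alert
    ("alice", "dc2", "2015-05-08T09:30:00"),  # badged into a different site -> alert
]


def _t(s):
    return datetime.fromisoformat(s)


def badged_in(user, site, when, badges=BADGE_EVENTS, window=timedelta(hours=12)):
    """True if `user` badged into `site` within `window` before `when` (window is assumed)."""
    return any(u == user and s == site and when - window <= _t(t) <= when
               for u, s, t in badges)


def on_vpn(user, when, sessions=VPN_SESSIONS):
    """True if `user` had a VPN session covering the instant `when`."""
    return any(u == user and _t(a) <= when <= _t(b) for u, a, b in sessions)


def unexplained_oob_logins(oob=OOB_LOGINS, badges=BADGE_EVENTS, sessions=VPN_SESSIONS):
    """Return console logins with neither a local (door) nor a remote (VPN) footprint."""
    alerts = []
    for user, site, t in oob:
        when = _t(t)
        if not (badged_in(user, site, when, badges) or on_vpn(user, when, sessions)):
            alerts.append((user, site, t))
    return alerts


if __name__ == "__main__":
    for user, site, t in unexplained_oob_logins():
        print(f"ALERT: OOB console login by {user} at {site} ({t}) has no door/VPN footprint")
```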

Blue Team Work

Quick response: assess, involve, minimize damage, control environment, apply learning to process/people/technology

Trigger Warning: Business Speak!

[Chart Q1-1: Blue vs. Red effort across ROI, Buy-In, Identify Risks and Gaps, Processes, People, Technology, Reapply to Organization]

[Chart Q3-2: Blue vs. Red effort across the same categories]

Retest / Verify

You can’t just click “go” again…

Retest/verify means reasserting the core issue is addressed - to create a new scenario that includes it!

Deliver. Deliver. Deliver.

Don’t sell

Questions?

Ian Amit @iiamit