Penetration Testing:
How to Test What Matters Most
Presenters:
Sam Pfanstiel, CISSP, CISM, QSA(P2PE), ETA CPP, Coalfire
John Stickle, OSCE, OSCP, OSWP, Coalfire Labs
Agenda
• Housekeeping
• Presenters
• About Conexxus
• Presentation
• Q & A
Housekeeping
This webinar is being recorded and will be made available in approximately 30 days.
• YouTube (youtube.com/conexxusonline)
• Website Link (conexxus.org)
Slide Deck
• Survey Link – Presentation provided at end
Participants
• Ask questions via webinar interface
• Please, no vendor specific questions
Email: [email protected]
Presenters
Conexxus Host
• Allie Russell
• Conexxus
• [email protected]
Moderator
• Kara Gunderson
• Chair, Data Security Standards Committee
• POS Manager, CITGO Petroleum
Speakers
• Sam Pfanstiel
– CISSP, CISM, QSA(P2PE), ETA CPP
– Data Security Standards Committee SME
– Sr. Consultant, Coalfire
• John Stickle
– OSCE, OSCP, OSWP
– Security Consultant, Coalfire Labs
– [email protected]
About Conexxus
• We are an independent, non-profit, member-driven technology organization
• We set standards…
– Data exchange
– Security
– Mobile commerce
• We provide vision
– Identify emerging tech/trends
• We advocate for our industry
– Technology is policy
2018 Conexxus Webinar Schedule*
| Month/Date | Webinar Title | Speaker | Company |
|---|---|---|---|
| March 27, 2018 | Penetration Testing: How to Test What Matters Most | Sam Pfanstiel, John Stickle | Coalfire Systems |
| April 2018 | Annual Meeting | - | - |
| May 2018 | QIR Program Update | Chris Bucolo | ControlScan |
Pen Testing: What is it?
• Human-based threat emulation
• Purpose: “discover exploitable security flaws”
• Attack scenarios and targets vary
Conexxus: Penetration Testing: How to Test What Matters Most
Pen Testing: Why is it Needed?
Find vulnerabilities before the bad guys exploit them
Source: 2017 Verizon Data Breach Investigation Report
[Figure: risk model diagram with the labels Adversary, Threat, Attack Vector, Attack Surface, Exploit, Vulnerability, Breach, Exfiltration, Asset, Enterprise, Probability, Value, Impact]
Assets and Compliance
• PCI DSS
– Asset = cardholder data and CDE
– Recent pen testing guidance (September 2017)
• Internal
• External
• Segmentation & Scope Reduction Controls
– Network & Application Layer
– Layers
• Application layer (6.5)
• Network
– Incl. Wireless
• Systems
• Industry-accepted penetration testing approaches
• Quarterly and after significant changes
• Organizational Independence
• Contractual Compliance
– Oil Brand / Distributor
– Information Security Policies
– Product Policies
• Other
– NIST / ISO / SOC
– NERC SIP / EPA
Adversaries and Threats
Adversaries
• Profit-driven hackers
• Nation states and ideology-driven attackers
• Trusted Third-Parties
• Malicious Insiders
• Non-malicious Insiders
Threats
• Exfiltration of data
• Destruction of data
• Denial of Service
• Theft of property
• Physical destruction
• Contamination
• Brand damage
Common Misconceptions
Vulnerability Assessment vs. Penetration Testing

Vulnerability Assessment
• “Screening” Technical Tests
• Automated Tools
• Known vulnerabilities
• Scope:
– Systems
– Credentials
• Goal: Technical Report
– IP / Host
– Vuln
– CVSS rating
– Tactical Recommendations

Penetration Testing
• Multidimensional attack
• Security Experts
• Discover and exploit flaws
• Scope:
– Objective (“Attack Scenario”)
– Systems, Networks, & Apps
– Level of Effort (Time-box)
• Goal: Fix security flaws
– Findings
– Remediation recommendations
Types of Pen Testing
Kill Chain Model
[Figure: kill chain stages: Recon, Weaponize, Deliver, Exploit, Install, Command & Control, Action]
- Visualizes stages in attack lifecycle
- Threat modeling
- “Kill” one link, defeat the attack; Defense in Depth
- Testing targets entities’ ability to interrupt a specific “link”
Iterative Attack
[Figure: the kill chain (Recon, Weaponize, Deliver, Exploit, Install, Command & Control, Action) shown twice in sequence]
Social Engineering
• Attempt to manipulate users
– Divulging sensitive information
– Performing IT-related actions
Network Testing
• Threat emulated
– Anonymous attackers across the Internet
– Internal adversaries to internal environment
• Attack surface
– Operating systems
– Infrastructure
– Commercial off-the-shelf (COTS) products
• Exploits:
– MS17-010 – Unauthenticated Remote Code Execution
Wireless Testing
• Capture handshake
• Crack authentication
• Exploit:
– WEP
– WPA-2
• Krack Attack
– Weak Passwords
• Aircrack-ng
Application and API
• Threat emulated:
– Credentialed and uncredentialed adversaries
• Attack surface:
– Accessible portions of an application
Case Study: Application
• Browser-based Fuel Controller
– Leveraged known authentication vulnerability
– Identified ability to upload payload to obtain remote code execution
– Access to Tank fuel, temperature levels
– Trigger or ignore sensor alarm
CVE-2017-6564
CVE-2017-6565
Appliance / Embedded / IoT
• Threat emulated:
– Attacker has gained physical access to a device
• Attack surface:
– Physical and logical devices, network connectivity to the device, and backend systems
– Fuel controllers
– Car Wash
– Tanks and pumps
– Security systems
– Third-party vending
• Car wash
• HVAC
Case Study: Car Wash
• Coalfire Labs Researcher
• Buffer Overflow
• Arbitrary Code Execution
• Potential Human Threat
Red Team
• People, processes and technologies
Case Study: Casino
• Red team attack
• Physical, social, and logical vectors of attack
• Harvesting of email addresses of employees from public sources
• Spearphishing attack with image vulnerability
• Retrieved logins and passwords
• Access to the internal network via the casino’s VPN
• Exploiting vulnerabilities found throughout the network, gained administrator-level access to the environment.
• See: https://www.coalfire.com/Documents/Case-Studies/Coalfire_Casino_Case_Study
Reverse Engineering
• Manipulate binary code to change intended application behavior
• Can be used to bypass authentication to grant access
Hunt Operations
• Identify adversaries already on network
Enterprise Testing
• Mature security testing
• Comprehensive security program to test all aspects of environment and response
Penetration Testing Considerations
Maturity
Impact vs. Disruption
• Every penetration test will have impact
– Logs
– Traffic
– Notifications
• Avoiding disruption takes planning and communication
Timing
• Time of day/week
• Time box for testing (point-in-time)
Methodology
• Discovery: Reconnaissance and Vulnerability Scanning
• Post-exploitation phase
Target and Scope
• Risk assessment (assets and threats)
• Compliance requirements vs. security goals
• Attack surface, vectors and scenarios
• Prior notification and communication
Skill Set
• Certifications
– Offensive Security Certified Professional (OSCP)
• Offensive Security Wireless Professional (OSWP)
• Offensive Security Certified Expert (OSCE)
– GIAC Penetration Tester (GPEN)
• GIAC Web Application Penetration Tester (GWAPT)
– Certified Ethical Hacker (CEH)
• Licensed Penetration Tester Master (LPT)
– CREST Registered Tester (CRT-Pen)
– CESG IT Health Check Service (CHECK) certification
• Skill Sets
– Reputable firm
– Background check
– System and Technology-specific Training
• MCSE
• AWS-CCP
– Security certifications and skillsets
• CISSP
• CISM
• Other Security Certs
Other Considerations
• System exclusion
• Data destruction
• Reporting
• Remediation support
• Website: www.conexxus.org
• Email: [email protected]
• LinkedIn Group: Conexxus Online
• Follow us on Twitter: @Conexxusonline