Behind of the Penetration testing. L33

Transcription

1 Behind of the Penetration testing L33

2 AGENDA 1. WHO I AM!! 2. PENETRATION TESTING 3. WHY DO YOU NEED THE PENETRATION TESTING 4. HOW DO YOU PERFORM THE PENETRATION TESTING 5. WHAT ABOUT THIS, THERE IS DIFFERENT WAY TO USE IT FOR 6. CONCLUSION 2

3 WHO I AM!!

4 Who I am!! Since 1991 Instructor Security Practitioner Security Tester Developer System Engineer Security Researcher Offensive Evangelist 2015 Research: Security Testing Methodology based on blind testing approach (2007) Way to secure web application using secure libraries (2007) Application Testing Methodology for SDLC (2008) Security Testing Methodology based on static analysis (2009) Penetration testing Methodology for Nuclear Power Plants (2012) Offensive Analysis as a Security assessment for Critical-Safety Systems (2013) 4

5 PREFACE

6 007; Sky-fall (2012) 6

7 PENETRATION TESTING

8 What do you call it? Hiring someone to hack your company for good reason. Penetration testing Tiger teaming Intrusion testing Ethical hacking Vulnerability Analysis Even, Security Assessment * 资 料 来 源 : Knowing You're Secure

9 Characteristics of Pentesting Focusing on tools and technology, and very small potion on methodology Interpreting the result Protecting the innocent Politics and processes Testing dangers 9

10 Security = Physics Penetration testing is the pinnacle of thought-provoking security activity Touching on the simplistic nature of security The act of exploiting vulnerabilities with good reasons 10

11 Sneakers(1992) 11

12 WHY DO YOU NEED THE PENETRATION TESTING

13 Hacking Impacts Resources Core services, object code, disk space Information Loss, disclosure and integrity. Time Anything consumes time will consumes money and will cause the financial loss Brand and Reputation 13

14 The Hacker Hacker leads destruction? Only misuse of term. Hacker Investigate the workings of computers for fun and a challenge Not to penetrate or perform malicious acts Cracker Break computers to use them for free or use system resources What is correct word for the hacker who do malicious act in the present Hacker(Cyber Criminal) or Malicious Hacker 14

15 Types of Hackers Script Kiddies Unstructured Structured Determined Independent hackers Malicious Solvers Hacktivist Vigilante Organized hackers State-Sponsored Extortion Hitman Terrorist Espionage 15

16 Motives What Maelstrom said I just do it because it makes me feel good, as in better than anything else that I ve ever experienced. What Kevin Mitnick described You get a better understanding of cyberspace, the computer systems, the operating systems, how the computer systems interact with on another; that basically was my motivation behind my hacking activity in the past. It was just from the gain of knowledge and the thrill of adventure, nothing that was well and truly sinister as trying to get any type of monetary gain or anything Six Fundamental drivers for hackers Addiction to computers Curiosity of the possible Excitement Social status Power Betterment of society 16

17 Can you survive? Hacking Impacts Hackers Threats Types of Hackers Motives 17

18 HOW DO YOU PERFORM THE PENETRATION TESTING 18

19 Many organization do pentesting every year Penetration testing become mainstream How many time you do penetration testing to your organization? How many different penetration testing team you hire? Do you likely ask your pentesting team to do different activities? Do you have any idea what they are using for pentesting? 19

20 Framework What is Framework? How does it apply to attacking a system? Is a framework a methodology? Planning Operations Reconnaissance Enumeration Analysis Exploitation Deliverable Integration Selected options Determining the impact on value based on selected options Options not selected Options not available because other options not employed Options wanted, but not available 20

21 Concern for penetration testing phase Planning the test Exploita tion Final Analysis Sound operatio ns Vulnera bility An alysis Delivera ble Mitigation Defense Reconn aissanc e Enumer ation Integration Incident Management 21

22 The Software Vulnerability Asymmetry Problem Defender must fix all vulnerabilities in all software, but attacker wins by finding and exploiting just one vulnerability Threat change over time state-of-the-art in vulnerability finding and attack technique changes over time. Patch deployment takes time vendor must offset risks to stability & compatibility, customer waits for servicing cycle Result: Attackers only have to find one vulnerability, and they get to use it for a really long time.

23 Exploit Economics ROI = Gain from Investment Cost of Investment Cost of Investment Attacker ROI = Attacker Gain = Attacker Gain Attacker Cost Attacker Cost Gain Opportunity x N Opportunities Attacker Cost = Vulnerability Cost + Exploitation Cost Attacker ROI = Gain ( x N Opportunities ) - ( Vulnerability Cost + Exploitation Cost ) Opportunity ( Vulnerability Cost + Exploitation Cost )

24 Exploit Economics Attacker ROI = Gain ( x N Opportunities ) - Vulnerability Cost + Exploitation Cost Opportunity ( ) ( Vulnerability Cost + Exploitation Cost ) We can decrease Attacker ROI if we are able to Increased attacker investment increased cost to find usable vulnerabilities Varies by platform and vendor and technology New tools and automation help w/bug mining, but on some platforms the watermelons are already harvested Increased attacker investment required to write reliable (and stealthy) exploits Exploit vulnerability and breakout of sandbox / defeat additional protections and mitigations Boutique bespoke software development house w / ever expanding requirements Decreased attacker opportunity to recover investment Fewer opportunities via artificial diversity & improved updating Ever improving detection of exploits & follow on actions Fewer resale? Reuse opportunities Result: Stealthy, reliable attacks require significant engineering; working exploits become more scarce and valuable and shorter lived(?)

25 Exploit Economics Maturing Industry Specialized & horizontal Finder Finder Exploiter Malware house Organized Attacker Also now vertically reintegrated at state level Squeezed from the bottom $500 PC with / IDA Pro & BinDiff Squeezed from the top Ever expanding list of cyber capable countries $500M investment returns Tier1 capability Organized Exploiter Malware house Attacker

26 THERE IS DIFFERENT WAY TO USE THE PENETRATION TESTING 26

27 27

28 CONCLUSION 28