behind of the penetration testing - secuinsidesecuinside.com/archive/2015/2015-1-2.pdf ·...
Behind of the Penetration testing
J@50n L33
AGENDA
1. WHO I AM!!
2. PENETRATION TESTING
3. WHY DO YOU NEED THE PENETRATION TESTING
4. HOW DO YOU PERFORM THE PENETRATION TESTING
5. WHAT ABOUT THIS, THERE IS DIFFERENT WAY TO USE IT FOR
6. CONCLUSION
2015-07-22 Knowing You're Secure 2
WHO I AM!!
Who I am!!
Since 1991
Instructor
Developer
System Engineer
Security Practitioner
Security Tester
Security Researcher
Offensive Evangelist
2015
Research:
• Security Testing Methodology based on blind testing approach (2007)
• Way to secure web application using secure libraries (2007)
• Application Testing Methodology for SDLC (2008)
• Security Testing Methodology based on static analysis (2009)
• Penetration testing Methodology for Nuclear Power Plants (2012)
• Offensive Analysis as a Security assessment for Critical-Safety Systems (2013)
PREFACE
007; Sky-fall (2012)
PENETRATION TESTING
What do you call it?
• Hiring someone to hack your company for good reason.
– Penetration testing
– Tiger teaming
– Intrusion testing
– Ethical hacking
– Vulnerability Analysis
– Even, Security Assessment
Characteristics of Pentesting
• Focusing on tools and technology, with only a very small portion on methodology
• Interpreting the result
• Protecting the innocent
• Politics and processes
• Testing dangers
Security = Physics
• Penetration testing is
– the pinnacle of thought-provoking security activity
– Touching on the simplistic nature of security
– The act of exploiting vulnerabilities with good reasons
Sneakers(1992)
WHY DO YOU NEED THE PENETRATION TESTING
Hacking Impacts
• Resources
– Core services, object code, disk space …
• Information
– Loss, disclosure and integrity.
• Time
– Anything that consumes time consumes money and causes financial loss
• Brand and Reputation
The Hacker
• Hacker leads destruction? Only misuse of term.
• Hacker
– Investigate the workings of computers for fun and a challenge
– Not to penetrate or perform malicious acts
• Cracker
– Break computers to use them for free or use system resources
• What is the correct word today for a hacker who commits malicious acts?
– Hacker(Cyber Criminal) or Malicious Hacker
Types of Hackers
• Script Kiddies
– Unstructured
– Structured
– Determined
• Independent hackers
– Malicious
– Solvers
– Hacktivist
– Vigilante
• Organized hackers
– State-Sponsored
– Extortion
• Hitman
• Terrorist
– Espionage
Motives
• What Maelstrom said
– I just do it because it makes me feel good, as in better than anything else that I’ve ever experienced.
• What Kevin Mitnick described
– You get a better understanding of cyberspace, the computer systems, the operating systems, how the computer systems interact with one another; that basically was my motivation behind my hacking activity in the past.
– It was just from the gain of knowledge and the thrill of adventure, nothing that was well and truly sinister as trying to get any type of monetary gain or anything
• Six Fundamental drivers for hackers
– Addiction to computers
– Curiosity of the possible
– Excitement
– Social status
– Power
– Betterment of society
Can you survive?
Threats
Hacking Impacts
Hackers
Types of Hackers
Motives
HOW DO YOU PERFORM THE PENETRATION TESTING
Many organizations do pentesting every year
• Penetration testing has become mainstream
– How many times do you perform penetration testing on your organization?
– How many different penetration testing teams do you hire?
– Are you likely to ask your pentesting team to do different activities?
– Do you have any idea what they are using for pentesting?
Framework
• What is a framework?
• How does it apply to attacking a system?
• Is a framework a methodology?
[Figure: penetration testing framework, "Concern for penetration testing phase"]
Phases: Planning the test, Sound operations, Reconnaissance, Enumeration, Vulnerability Analysis, Exploitation, Final Analysis, Deliverable, Integration
Legend:
• Selected options
• Options not selected
• Options not available because other options not employed
• Options wanted, but not available
• Determining the impact on value based on selected options
Mitigation
Defense
Incident Management
The Software Vulnerability Asymmetry Problem
• Defender must fix all vulnerabilities in all software, but attacker wins by finding and exploiting just one vulnerability
• Threats change over time – the state of the art in vulnerability finding and attack techniques changes over time.
• Patch deployment takes time – vendor must offset risks to stability & compatibility, customer waits for servicing cycle
Result: Attackers only have to find one vulnerability, and they get to use it for a really long time.
Exploit Economics
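$$\text{ROI} = \frac{\text{Gain from Investment} - \text{Cost of Investment}}{\text{Cost of Investment}}$$

$$\text{Attacker ROI} = \frac{\text{Attacker Gain} - \text{Attacker Cost}}{\text{Attacker Cost}}$$

$$\text{Attacker Gain} = \frac{\text{Gain}}{\text{Opportunity}} \times \text{N Opportunities}$$

$$\text{Attacker Cost} = \text{Vulnerability Cost} + \text{Exploitation Cost}$$

$$\text{Attacker ROI} = \frac{\left(\frac{\text{Gain}}{\text{Opportunity}} \times \text{N Opportunities}\right) - \left(\text{Vulnerability Cost} + \text{Exploitation Cost}\right)}{\left(\text{Vulnerability Cost} + \text{Exploitation Cost}\right)}$$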
Exploit Economics
• We can decrease Attacker ROI if we are able to…
• Increased attacker investment – increased cost to find usable vulnerabilities
– Varies by platform and vendor and technology
– New tools and automation help w/ bug mining, but on some platforms the watermelons are already harvested
• Increased attacker investment required to write reliable (and stealthy) exploits
– Exploit vulnerability and break out of sandbox / defeat additional protections and mitigations
– Boutique bespoke software development house w/ ever-expanding requirements
• Decreased attacker opportunity to recover investment
– Fewer opportunities via artificial diversity & improved updating
– Ever-improving detection of exploits & follow-on actions
– Fewer resale / reuse opportunities
Result: Stealthy, reliable attacks require significant engineering; working exploits become more scarce and valuable and shorter lived(?)
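Added example (not from the original slides): the Attacker ROI formula applied to the three defender levers listed above, plus the break-even number of opportunities at which the attacker only recovers the investment. All figures, the class name and the scenario labels are constructed assumptions for illustration.

```python
import math
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class ExploitEconomics:
    gain_per_opportunity: float  # Gain / Opportunity
    n_opportunities: int         # N Opportunities before patching or detection
    vulnerability_cost: float    # cost to find a usable vulnerability
    exploitation_cost: float     # cost to write a reliable exploit

    @property
    def cost(self) -> float:
        return self.vulnerability_cost + self.exploitation_cost

    def roi(self) -> float:
        gain = self.gain_per_opportunity * self.n_opportunities
        return (gain - self.cost) / self.cost

    def break_even_opportunities(self) -> int:
        # Smallest N for which Attacker ROI >= 0.
        return math.ceil(self.cost / self.gain_per_opportunity)


def compare_levers(base: ExploitEconomics) -> dict:
    """Return {scenario: (ROI, break-even N)} for each defender lever."""
    scenarios = {
        "baseline": base,
        # Harder bug finding: vulnerability cost triples.
        "vulnerability_cost_x3": replace(
            base, vulnerability_cost=base.vulnerability_cost * 3),
        # Sandboxes and mitigations: exploitation cost triples.
        "exploitation_cost_x3": replace(
            base, exploitation_cost=base.exploitation_cost * 3),
        # Faster updating and detection: a quarter of the opportunities.
        "opportunities_div4": replace(
            base, n_opportunities=base.n_opportunities // 4),
    }
    return {name: (round(s.roi(), 2), s.break_even_opportunities())
            for name, s in scenarios.items()}


# Constructed sample figures, not data from the talk.
BASE = ExploitEconomics(gain_per_opportunity=2_000, n_opportunities=100,
                        vulnerability_cost=20_000, exploitation_cost=30_000)

if __name__ == "__main__":
    for name, (roi, n_min) in compare_levers(BASE).items():
        print(f"{name:24s} ROI={roi:5.2f}  break-even N={n_min}")
```

With these sample numbers, raising either cost term lowers ROI and pushes the break-even point out, while cutting opportunities drives ROI to zero without changing what the attacker had to spend.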
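$$\text{Attacker ROI} = \frac{\left(\frac{\text{Gain}}{\text{Opportunity}} \times \text{N Opportunities}\right) - \left(\text{Vulnerability Cost} + \text{Exploitation Cost}\right)}{\left(\text{Vulnerability Cost} + \text{Exploitation Cost}\right)}$$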
Exploit Economics
• Maturing Industry – Specialized & horizontal
– Also now vertically reintegrated at state level
• Squeezed from the bottom
– $500 PC w/ IDA Pro & BinDiff
• Squeezed from the top
– Ever-expanding list of cyber-capable countries
– $500M investment returns Tier1 capability
[Figure: Finder, Exploiter, Malware house, Organized Attacker]
THERE IS DIFFERENT WAY TO USE THE PENETRATION TESTING
CONCLUSION