Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: book

{Book Review} Offensive Countermeasures: The Art of Active Defense

A few months back at Blackhat, John and Paul were nice enough to give me a copy of their book “Offensive Countermeasures: The Art of Active Defense” to read. It’s been a whirlwind few months since then, but the quiet of Christmas has given me a chance to really sit down and soak up the contents.

offensive_countermeasures

Active Defense has been getting a bit of a bashing after all the “hack back” bullsh*t that people have been throwing around. John and Paul make a good effort to put some of this to rest by really discussing the things that an enterprise really can achieve without getting into the revenge of hacking the hackers business. Some of people’s main concerns in active defense have been the lack of information on what you can and can’t do in the eyes of the law. The first section of the book puts a spotlight on a few court cases that deal with differing degrees of hacking back or active defense… and not all successful ones. This section helps to put the books content in focus and aims to really explain the whys and whatfors to come in the sections that follow.

The main section of the book is split up into the 3 A’s. Annoyance, Attribution and Attack. Each section goes into depth on some of the options enterprises have to more actively defend their networks. Each section has a number of example tools, mostly focused around the ADHD distribution, that people can use to perform some of the actions discussed.

I found it particular interesting that the book finished off with a section dedicated to core concepts. Far too many companies think they can jump from 0 straight to 100 without building a secure base to build from. Active defense isn’t for everyone, and if you don’t have your basics all in-hand, then anything you do is more likely to backfire than help.

The book itself is compact, but is a good starting point for meaningful discussions about active defense that don’t devolve into legal arguments from moment one. Because of the compact size of the book, there are a few things that aren’t really discussed although they fall into the active defense category. These omissions where a little disappointing, but keeping true to the core of active defense makes sense for what has to be seen at the first introductory text on the subject. Here’s hoping that future revisions expand on the base and start covering fun things like honeytokens. Overall the information that is presented is useful for people looking for a quick schooling in how they can use active defense to improve their overall level of security, and as an education for people who jump straight to hacking back without considering any other options.

If this book is anything to go by, the discussion on what really is possible in defending your networks intelligently from attackers should be a very interesting one to follow. The time for standing still and just taking punch after punch is over. Time to duck and dodge, and make it harder for attackers!

Links:

{Book Review} Coding for Penetration Testers

The nice folks at Syngress were kind enough to let me review the new “Coding for Penetration Testers” book by Jason Andress and Ryan Linn.

It’s becoming more and more important for penetration testers (and all types of InfoSec professionals really) to know the ins and outs of scripting and programming. Automation is a key requirement of efficient and repeatable testing. Those that can’t grasp even the simplest principles of scripting are doomed to failure as testing becomes more and more complex.

With that said, everybody has to learn somewhere, and for those afraid to dive head-long into a dry book on the basics of Python, Ruby, <insert your chosen language here> , then there are various books that will take you from zero to scripting in a few easy hours. Books like “Gray Hat Python” and “Ruby by example” are a great start, but are sometimes a little too focused on specifics, or have no connection to security.

Coding for penetration testers crossed covers the space between. Not taking itself too seriously and wasting time and space discussing coding standards and whether or not to use hard tabs or spaces, but instead diving in and discussing the ins and outs of each language.

The first section of the book covers the basics of shell scripting, Python, Perl, Ruby, PHP and finishing up with the new kid on the block, Powershell. Each chapter takes the reader through some simply syntax of the language and then talks about how to use the language to achieve a simple task. The examples are sometimes a little on the basic side, but they cover enough to let the reader experiment further without needing the book.

The section portion of the book is dedicated to achieving tasks using your new-found skills. This is split up into sections on scanner scripting, information gathering, exploitation and post exploitation. These sections flow well enough, but seems to lose some focus towards the end with sections of the post exploitation section dedicated more to SQL Injection than to scripting IMHO.

Conclusion

I feel strongly that every penetration tester needs to know the basics of scripting. You don’t have to be the best coder in the world to achieve great things. All it takes is a little time and desire.

This book doesn’t

  • … cover every aspect of every language
  • … teach you the coding standards
  • … make you a master coder overnight

This book does

  • … give you a good grounding in scripting basics
  • … help you get a kick-start into coding
  • … give you real world examples and scripts

For penetration testers that are already coding some parts of this book will be covering old ground. That said, there’s a lot of interesting parts to this book and enough variety in the languages to interest most readers. I read the book from cover to cover and don’t feel that this book really lends itself to that kind of reading style. Those that want to get the post out of their time should really take time to write out the examples and experiment to get the hands-on experience that I think brings the most out of this book.

Hacking Exposed: VOIP

0000ap892In preparation for the upcoming SANS London VOIP Security course, I’ve been reading through the Hacking Exposed: VOIP book. I finally got the chance to finish up the book over the weekend and must say, I came out the other end feeling a little disappointed. I’d skimmed the book before, and at first glance the contents seems really in-depth. However after reading the book cover to cover, the amount of repetition really began to become tiring. I found myself actually skipping sections as the tests discussed seemed to be repeats from earlier sections of the book, together with the same suggestions for blocking attacks. I understand the reasoning for this however, as there are only a certain amount of protections against  Denial of Service floods, spoofing or Man in the Middle attacks. However, that said the solutions could easily have been grouped together as a separate chapter to prevent the repetition.

VOIP has come a long way in the last few years, and the attacks mentioned in the book have probably been overtaken by newer exploits and attack vectors. Maybe this was simply a case of too little content to fill the book with new and exciting attack types. Here’s hoping that the second edition will be reformatted to make the most of the information held within.

Follow

Get every new post delivered to your Inbox.

Join 129 other followers