Chris Nickerson – Red Team Testing (BruCON)
The reality of security – Don’t just say what could be done, show what can be done. Prove the sky is falling.
Humans have known how to protect themselves for thousands of years, so why do we suck at it now? Just because it’s a computer?
Defending against a dynamic threat is complex.
How do you know your controls work if they’ve never been tested? How do you know you can put up a fight if you’ve never taken a punch? If an attacker has no rules, why should the defenders? Hackers don’t have scopes, so why should testers? Simulate real-world attacks.
Compliance isn’t the end of the line, it’s the first step. Testing 1% of your company’s assets doesn’t make the whole company secure.
It’s possible to have a process that is inconsistent (without scope or limits) and yet have consistent results.
You never know the value of what you have until it’s gone.
Why traditional testing is dead:
- It doesn’t focus risk on the business, but on the exposure of a vulnerability
- Testing that replicates an attacker (a sparring partner) has its hands tied
- The perimeter is DEAD
Attackers are moving to the client side (8 of the SANS Top 20 are client-side attacks). Most attacks are not something a perimeter can protect against. Direct and focused attacks are the new style.
- External Direct – Server / App Attack
- External Indirect – Client-side / Phishing / Phone calls
- Internal Indirect – Key/CD drops / Propaganda
- Internal Direct – Social engineering / Physical
- Exotic Attacks – Flash mob / Thinking out of the box
Figure out what’s important to the company and steal it (physically take it). You can prove ROI if you can prove what you can steal (how much was that router I stole?).
Best method of attack – take the EASY way in. If you don’t get in, then you didn’t do enough information gathering.
Social networks are the best way to find out how to act like your target and to find information.
Breaking into a company when people are out is the best plan: pick your timing. You can ignore people when they’re asking a question you don’t want to answer.
What you should have in your kit .:
- ID Cards
- Lock Picks
- Phones (to leave behind)
- Leave-behinds
- Biz Cards
- A lighter
- A camera or video recorder
- Mylar Balloons
- Blowup doll (not just for fun!!!)
- Call jammer
- Appropriate cables
- Lineman’s set
- Grappling hook and rope
- Audio recorder
Get costumes (uniforms) from different companies and locations so you can easily assume an identity. Speaking a foreign language, or faking a misunderstanding, also works.
Remote observation with things like GSM bugs, spy-camera pens, power strips (with WLAN, video, audio), wireless robots, fake alarm sensors, etc.
Remote key copying: take a picture of the key and reproduce it offsite. Dress like a janitor and go in like you’re meant to be there.
iPWN – running iPhones as a remote connection into the network.
Cell phone bugging – FlexiSPY – alter settings on the phone to proxy things through a central location.
Cell phone tracking – http://www.instamapper.com, http://www.opengpstracker.com – use mobiles as GPS trackers.
If you hack a person, they are harder to reboot!
Get ready, get set:
- Time and date
- Memorizing Data
- Entrance Strategy
- Exit Strategy
- Plan B (C,D,E,F,G,…)
Last line of defense should be a fake get-out-of-jail-free letter – do they really check it?
Always check out local business service companies (printers etc.) – lots of sensitive data gets left at these locations. Go in and say your company left a copy of something the last time they were there. Copy centers are the Disneyland of social engineering.
Badge forgery – make it look real; spend all the time you can to make it look perfect (RFID, digital camera picture, etc.).
Spoof calls with tools like SpoofApp.com – there are various tools for the different platforms.
- Breathing techniques
- Psychosomatic Presence
- Ekman coding
- Facial Feedback
- Temperature Reading
- Communication Stances
- Satir communication models
- Classic cons
Social engineering isn’t about lying; it’s a complex and scientific process. Find a process that works and use it.
Lock picking – if a door stands in the way, pick it. Or find a way to trigger the door from the other side (the blow-up doll is for setting off a motion sensor).
Finally, go for GOLD – use what you’ve learned about the people and the systems to get the information and access you need to prove the point. Get the things the business is interested in. Hackers don’t run the business, so why focus on the things they think are important?
Automated tools to find things .:
- Any other DLP solution
- PowerShell searches
- grep (a regex for what you want)
Don’t spend hours searching for the crown jewels by hand: use automated scans, then attack from outside to download the good stuff.
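As an added example of the “grep with a regex for what you want” approach (this is not code from the talk or from the original post), the script below sweeps a directory tree for private keys, password settings and card numbers. The file tree, its contents and the regexes are all constructed here for the example; it assumes only a POSIX shell with grep -r and awk. The one caveat worth showing: a bare 16-digit regex drowns you in order ids and serial numbers, so card candidates are passed through a Luhn check before they count as hits.

```shell
#!/bin/sh
# Added example (not from the talk or the post): a grep-driven sweep for
# "crown jewel" data, with a Luhn filter so card-number hits are not
# mostly false positives. The sample tree below is constructed here.

# Build a small constructed file tree so the sweep runs offline.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/finance" "$dir/it"
    # Constructed content: one card-like number that passes Luhn and
    # one 16-digit order id that does not.
    printf '%s\n' 'Customer card: 4111 1111 1111 1111' \
                  'Order id: 1234 5678 9012 3456' > "$dir/finance/orders.txt"
    printf '%s\n' 'db_password = s3cr3t!' 'host = db01' > "$dir/it/app.conf"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
                  'MIIEconstructedSampleNotARealKey' \
                  '-----END RSA PRIVATE KEY-----' > "$dir/it/backup.key"
    printf '%s\n' 'nothing to see here' > "$dir/readme.txt"
    printf '%s\n' "$dir"
}

# Read "path:line:match" lines from stdin and keep only those whose
# digits pass the Luhn check (the checksum real card numbers carry).
luhn_filter() {
    awk '{
        m = $0
        sub(/^[^:]*:[0-9]+:/, "", m)   # drop the "path:line:" prefix
        gsub(/[^0-9]/, "", m)          # keep digits only
        n = length(m); sum = 0; dbl = 0
        for (i = n; i >= 1; i--) {     # walk right to left
            d = substr(m, i, 1) + 0
            if (dbl) { d *= 2; if (d > 9) d -= 9 }
            sum += d
            dbl = !dbl
        }
        if (sum % 10 == 0) print
    }'
}

# Sweep a directory tree. Output: "<class>|path:line:match", one per hit.
sweep() {
    root=$1
    # Secrets and private keys: a plain regex is selective enough.
    grep -rEn \
        -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' \
        -e '(password|passwd|pwd)[[:space:]]*[=:]' \
        "$root" | sed 's/^/secret|/'
    # 16-digit card candidates in groups of four, then Luhn-filtered.
    grep -rEon '[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}' "$root" \
        | luhn_filter | sed 's/^/card|/'
}

# Run against the constructed tree, then clean up.
sample=$(make_sample_tree)
sweep "$sample"
rm -rf "$sample"
```

On the constructed tree this reports the key file, the password line and the Luhn-valid card number, and drops the order id. Point `sweep` at a mounted share or a copied home directory and the same two greps do the job the talk describes; tune the patterns to whatever the business actually cares about (contract numbers, project codenames, customer ids) rather than what a scanner thinks is interesting.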