The evolution of Pentesting High Security Environments
Joe McCray & Chris Gates
This presentation focuses on pentesting high-security environments: new ways of identifying and bypassing common security mechanisms, owning the domain, staying persistent, and exfiltrating critical data from the network without being detected. The term Advanced Persistent Threat (APT) has caused quite a stir in the IT Security field, but few pentesters actually utilize APT techniques and tactics in their pentests. This presentation picks up where Joe left off in last year's Def Con presentation "You Spent All That Money And You Still Got Owned" and takes it to the next level. Joe will also be releasing a new tool.
Do you remember the old days of pentesting… before everybody was a CISSP!
Today life is different! How many of you actually read the report that you send your customer? I mean after the first time you write it!
Companies are getting owned and staying owned, with intruders getting into a network and maintaining full admin access for over a year. How? These companies have IDS/IPS and are regularly pentested…
APT countermeasures are being bypassed… Attackers don't rely on a vulnerability being present in the network. If nothing is being exploited, then being fully patched with AV up to date won't help you! Your IPS won't stop it! Once an attacker has access they steal creds, and no IDS/IPS is going to stop a valid session with a valid logon.
If it’s easier to steal it than to develop it, then somebody is going to steal it!
Who got owned!
- IOC & UN
- Booz Allen Hamilton
Are you telling me these companies aren’t PCI/ISO compliant… they aren’t pentesting… We’re missing something.
Alongside these big companies, scores of small/medium companies were also owned. It's just not big news. Information stolen is not only related to research and development, but also management techniques and marketing strategies.
These threat actors are paid to do a 9-to-5 job, which is to own your company and steal your stuff!
- Too many people think it’s about “advanced” hacking (0-day exploits, bleeding edge hacking, custom encryption…)
- Although that advanced stuff can be part of it, it’s more about “persistence, tactics, and most importantly meeting objectives”
- Less “persistent” and more “determined”
APT vs. Pentesting
- Current pentesting scope and strategies aren’t matching threats
- Domain admin is a stupid goal! It’s about the data
- Detection of attack/exfiltration isn’t usually a goal in a pentest
- What level of attacker can you detect… what level can you test at!
Capability based assessment
More focused on an organisation's ability to respond to attacks and issues in its environment:
- Can you detect service modification
- Can you detect registry modification
- Data exfiltration
- Account creation
- Suspicious usage
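The capability list above is really a question about log coverage: does the evidence of a service install, a registry change or a new account reach anyone who will act on it? The following is an added example (not from the talk) that maps a handful of constructed Windows event records to those capabilities and reports which ones the log source actually demonstrated. The event IDs are real Windows IDs; every hostname, user and record is made up, and `REQUIRED_CAPABILITIES` is an assumed list drawn from the bullets above.

```python
"""Triage sample Windows event records against the capability list above.
Added example, not from the talk: event IDs are real Windows IDs, but all
hosts, users and records below are constructed."""
import json

# Real Windows event IDs, grouped by the capability they evidence.
# 7045 (System log) / 4697 (Security log): a service was installed.
# 4657: a registry value was modified (needs object auditing enabled).
# 4720: a user account was created.
# 4698: a scheduled task was created (at/schtasks-style remote execution).
CAPABILITY_BY_EVENT = {
    7045: "service modification",
    4697: "service modification",
    4657: "registry modification",
    4720: "account creation",
    4698: "suspicious usage (scheduled task)",
}

# Assumed list of capabilities an assessment wants evidence for.
REQUIRED_CAPABILITIES = (
    "service modification",
    "registry modification",
    "data exfiltration",
    "account creation",
    "suspicious usage (scheduled task)",
)

# Constructed sample: newline-delimited JSON resembling an event export.
SAMPLE_EVENTS = """\
{"host": "WS-042", "event_id": 4624, "user": "alice", "detail": "interactive logon"}
{"host": "FS-01", "event_id": 7045, "user": "SYSTEM", "detail": "service PSEXESVC installed"}
{"host": "FS-01", "event_id": 4698, "user": "alice", "detail": "task At1 created"}
{"host": "DC-01", "event_id": 4720, "user": "alice", "detail": "account svc-backup created"}
{"host": "WS-042", "event_id": 4657, "user": "alice", "detail": "HKLM Run value updater set"}
not-json garbage line from a truncated export
{"host": "WS-042", "event_id": 4634, "user": "alice", "detail": "logoff"}
"""


def parse_events(text):
    """Parse JSON lines; skip blank or malformed lines so one bad export
    line does not abort the whole triage."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def triage(events):
    """Return one finding per event that evidences a listed capability."""
    findings = []
    for ev in events:
        cap = CAPABILITY_BY_EVENT.get(ev.get("event_id"))
        if cap:
            findings.append({"capability": cap, "host": ev.get("host"),
                             "user": ev.get("user"), "event_id": ev["event_id"],
                             "detail": ev.get("detail", "")})
    return findings


def coverage(findings, required=REQUIRED_CAPABILITIES):
    """Which required capabilities did this log source show at all?
    A False here means either it never happened or it is not being logged;
    host event logs alone never show data exfiltration, for instance."""
    seen = {f["capability"] for f in findings}
    return {cap: cap in seen for cap in required}


def hosts_by_user(findings):
    """Hosts touched per account. One account producing service installs,
    task creation and account creation across several hosts is the
    lateral-movement pattern worth chasing first."""
    touched = {}
    for f in findings:
        touched.setdefault(f["user"], set()).add(f["host"])
    return touched


if __name__ == "__main__":
    found = triage(parse_events(SAMPLE_EVENTS))
    for f in found:
        print(f"{f['host']:7} {f['event_id']} {f['user']:7} {f['capability']}")
    for cap, ok in coverage(found).items():
        print(f"{'DETECTED' if ok else 'NO EVIDENCE':12} {cap}")
    print(hosts_by_user(found))
```

Run it and the coverage table shows four capabilities evidenced and "data exfiltration" with no evidence, which is the honest answer from host logs and the reason the exfiltration bullet needs a network data source rather than more Windows auditing.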
Vulnerability driven industry
IT Security is focused on minimizing the presence of vulnerabilities. Hacking isn’t about this anymore, it’s about access!
We need to change this focus and really focus on the way attackers are working.
APT doesn’t rely on vulnerabilities
Data Driven Assessments
- More like capture the flag.
- Identify what is important to your company and test ways to gain access to that.
- Hard to get a customer to specify this… they just don’t know!
Can you detect things at each level of the test!
- Level 1 -> Skiddie
- Level 2 -> Sysadmin, got some game
- Level 3 -> Hacker for hire
- Level 4 -> State-sponsored attacker
An attacker will only use the skills needed… why burn your 0day when you can use public exploit tools to do the job. Emulate lesser levels to make companies think you’re less skilled than you really are.
- Phase 1: Targeting
- Phase 2: Initial Entry
  - Client-side exploit < 1 year old -> emulate a Level 1
  - Client-side exploit < 90 days old -> emulate a Level 2
  - Phishing for creds
  - File format exploits
  - User-assist / "no exploit" attacks (e.g. Java applet)
  - Custom exploit / 0day
- Phase 3: Post-Exploitation
  - Simple privilege escalation attempts (e.g. meterpreter getsystem)
  - Simple data pilfering
  - Simple persistence (e.g. registry modifications)
  - Advanced persistence (custom backdoors)
- Phase 4: Lateral Movement
  - Simple file transfer via admin shares
  - Execution via net/at commands
  - NT Resource Kit
  - tasklist on remote boxes to look for desired processes (e.g. MMC)
- Phase 5: Data Exfiltration
  - Sample data exfiltration via port/protocol
  - Sample data exfiltration via HTTP/DNS
  - Exfiltration via HTTPS
  - Authenticated-proxy-aware exfiltration
  - Custom protocols or abuse of existing permitted protocols (e.g. Skype)
Security operations aren't talking about this stuff. They're talking about virus outbreaks, worms… they should be looking for attackers already moving through the network. Why is your domain controller talking out to the internet?
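The domain-controller question is cheap to answer from flow data, and it is the kind of check that catches the exfiltration phases above regardless of which protocol was abused. This added example (not from the talk) walks constructed flow records and flags any domain controller that initiates a connection to a non-internal address outside an explicit allowlist; the DC addresses, the allowlist and the flows are all made up, and internal ranges are enumerated by hand rather than taken from `ipaddress.is_private`, which also treats the documentation ranges used for the sample destinations as non-global.

```python
"""Flag domain controllers talking out to the internet from sample flow data.
Added example, not from the talk: DC addresses, allowlist and flows are
constructed (destinations use RFC 5737 documentation ranges)."""
import ipaddress

# Constructed inventory: which internal addresses are domain controllers.
DOMAIN_CONTROLLERS = {"10.0.0.10": "DC-01", "10.0.0.11": "DC-02"}

# Constructed allowlist: the one upstream resolver the DCs may forward to.
ALLOWED_EGRESS = {("203.0.113.53", 53)}

# Internal ranges listed explicitly (RFC 1918). Anything else is "out".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Over this many bytes outbound in one flow, treat the alert as high severity.
BULK_BYTES = 1_000_000

# Constructed flow records: (src, dst, dst_port, proto, bytes_out)
SAMPLE_FLOWS = [
    ("10.0.0.10", "203.0.113.53", 53, "udp", 312),          # allowed forwarder
    ("10.0.0.10", "10.0.5.22", 445, "tcp", 51200),          # internal, fine
    ("10.0.0.11", "198.51.100.77", 443, "tcp", 7_340_000),  # DC -> internet, bulk
    ("10.0.0.10", "198.51.100.9", 80, "tcp", 2100),         # DC -> internet, small
    ("10.0.7.14", "198.51.100.77", 443, "tcp", 4096),       # workstation, not a DC
]


def is_internal(ip):
    """True if the address falls inside one of the enumerated internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def dc_egress_alerts(flows):
    """Return an alert for every flow where a DC is the initiator, the
    destination is outside the internal ranges, and the (dst, port) pair is
    not explicitly allowed. Volume only sets severity; any hit is an alert."""
    alerts = []
    for src, dst, dport, proto, nbytes in flows:
        if src not in DOMAIN_CONTROLLERS:
            continue
        if is_internal(dst) or (dst, dport) in ALLOWED_EGRESS:
            continue
        alerts.append({
            "dc": DOMAIN_CONTROLLERS[src],
            "dst": dst, "port": dport, "proto": proto, "bytes": nbytes,
            "severity": "high" if nbytes >= BULK_BYTES else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in dc_egress_alerts(SAMPLE_FLOWS):
        print(f"[{a['severity']}] {a['dc']} -> {a['dst']}:{a['port']}/{a['proto']} "
              f"{a['bytes']} bytes")
```

The design point is that the rule is an inventory rule, not a signature: it needs a current list of DCs and a deliberately short allowlist, and it fires on any protocol, which is what makes it useful against the "abuse of existing permitted protocols" case in Phase 5.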
Vuln driven vs. Capability driven
Today's information assurance programs consist of vuln/patch management, user awareness, and documentation of those processes. However, vulnerabilities are transient: when are you ever finished patching?
Every day you patch, every day there's more to patch.
Instead of doing this and saying you have 500 highs and 1200 mediums, say "you're able to respond to attackers of skill level X" (see the levels above). Is that enough? Are you being targeted by hackers for hire and state-sponsored attackers?
What about threat modelling and risk assessment?
This is close to something like STRIDE. But this is different in several ways. The tester doesn’t know everything about your business, so they can’t always have a complete threat model. They each have a purpose and value… do both!
Just don’t stay with a traditional program if you really care about not getting owned!