2018-040- Jarrod Frates discusses pentest processes

Jarrod Frates

Inguardians

@jarrodfrates

“Skittering Through Networks”

Ms. Berlin in Germany - How’d it go?

   

TinkerSec’s story:  https://threadreaderapp.com/thread/1063423110513418240.html

 

Takeaways

Blue Team:

- Least Privilege Model

- Least Access Model

    “limited remote access to only a small number of IT personnel”

“This user didn't need Citrix, so her Citrix linked to NOTHING”

“They limited access EVEN TO LOCAL ADMINS!”

- Multi-Factor Authentication

- Simple Anomaly Rule Fires

    “Finance doesn’t use Powershell”

- Defense in Depth

    “moving from passwords to pass phrases…”

“Improper disposal of information assets”

 

Red Team:

- Keep Trying

- Never Assume

- Bring In Help

- Luck Favors the Prepared

- Adapt and Overcome

Before the Test

• Talk it over with stakeholders: Reasons, goals, schedules
• Report is the product: Get samples
• Who, what, when, where, why, how
• Talk to testers (and clients, if you can find them)
• • Ask questions
  • Look for past defensive experience and understanding of your needs
  • • Bonus points if they interview you as a client
  • Red flags: Pwning is all they talk about, they set no-crash guarantees, send info in the clear
• Define the scope: Test type(s), inclusions, exclusions, permissions, accounts
• Test in ‘test/dev’, NOT PROD
• Social Engineering: DO THIS. Yes, you’re vulnerable. DO IT ANYWAY.

 

During the Test

• Comms: Keep in contact with the testers
• • Status reports (if the engagement is long enough)
  • Have an established method for escalation
  • Have an open communication style --brbr (WeBrBrs)
• Ask questions, but let the testers do their jobs
• Be available and ready to address critical events
• Keep critical stakeholders informed
• Watch your network: things break, someone else may be getting in, capture packets(?)

 

After the Test

• Getting Results:
• • Report delivered securely
  • Initial summary: How far did they get?
  • Actual report
  • • Written for multiple levels
    • No obvious copy/paste
    • Read, understand, provide feedback, and get revised version
• Next steps:
• • Don’t blame anyone unnecessarily
  • Start planning with stakeholders on fixes
  • Contact vendors, educate staff
• Reacting to report
• Sabotaging your test
• Future testing

 

Ms. Berlin’s Legit business - Mental Health Hackers

 

CFP for Bsides Seattle (Deadline: 26 November 2018) http://www.securitybsides.com/w/page/129078930/BsidesSeattle2019

 

CFP for BsidesNash https://twitter.com/bsidesnash/status/1063084215749787649 Closes Dec 31

 

Teaching a class in Seattle for SANS (SEC504) - need some students! Reach out to me for more information. Looking to do this at the end of February through March

 

 

heck out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Here is a new episode of Brakeing Down Security Podcast!