Penetration Testing:
How to Test What Matters Most
Presenters:
Sam Pfanstiel, CISSP, CISM, QSA(P2PE), ETA CPP, Coalfire
John Stickle, OSCE, OSCP, OSWP, Coalfire Labs
Agenda
• Housekeeping
• Presenters
• About Conexxus
• Presentation
• Q & A
Housekeeping
• This webinar is being recorded and will be made available in approximately 30 days.
– YouTube (youtube.com/conexxusonline)
– Website Link (conexxus.org)
• Slide Deck
– Survey Link – Presentation provided at end
• Participants
– Ask questions via webinar interface
– Please, no vendor specific questions
• Email: [email protected]
Presenters
• Conexxus Host: Allie Russell, Conexxus, [email protected]
• Moderator: Kara Gunderson, Chair, Data Security Standards Committee; POS Manager, CITGO Petroleum
Speakers
• Sam Pfanstiel, CISSP, CISM, QSA(P2PE), ETA CPP – Data Security Standards Committee SME; Sr. Consultant, Coalfire
• John Stickle, OSCE, OSCP, OSWP – Security Consultant, Coalfire Labs, [email protected]
About Conexxus
• We are an independent, non-profit, member-driven technology organization
• We set standards…
– Data exchange
– Security
– Mobile commerce
• We provide vision
– Identify emerging tech/trends
• We advocate for our industry
– Technology is policy
2018 Conexxus Webinar Schedule*
Month/Date | Webinar Title | Speaker | Company
March 27, 2018 | Penetration Testing: How to Test What Matters Most | Sam Pfanstiel, John Stickle | Coalfire Systems
April 2018 | Annual Meeting | - | -
May 2018 | QIR Program Update | Chris Bucolo | ControlScan
Pen Testing: What is it?
• Human-based threat emulation
• Purpose: “discover exploitable security flaws”
• Attack scenarios and targets vary
Conexxus: Penetration Testing: How to Test What Matters Most
Pen Testing: Why is it Needed?
Find vulnerabilities before the bad guys exploit them
Source: 2017 Verizon Data Breach Investigation Report
[Figure: attack model. An Adversary selects an Attack Vector against the Enterprise Attack Surface: Threat → Exploit → Vulnerability → Breach → Asset → Exfiltration. Risk is weighed as Probability (attack vector) against Impact (asset value).]
Assets and Compliance
• PCI DSS
– Asset = cardholder data and CDE
– Recent pen testing guidance (September 2017)
  • Internal
  • External
  • Segmentation & Scope Reduction Controls
– Network & Application Layer
– Layers
  • Application layer (6.5)
  • Network – Incl. Wireless
  • Systems
• Industry-accepted penetration testing approaches
• Quarterly and after significant changes
• Organizational Independence
• Contractual Compliance
– Oil Brand / Distributor
– Information Security Policies
– Product Policies
• Other
– NIST / ISO / SOC
– NERC CIP / EPA
Adversaries and Threats
Adversaries
• Profit-driven hackers
• Nation states and ideology-driven attackers
• Trusted Third-Parties
• Malicious Insiders
• Non-malicious Insiders
Threats
• Exfiltration of data
• Destruction of data
• Denial of Service
• Theft of property
• Physical destruction
• Contamination
• Brand damage
Common Misconceptions: Vulnerability Assessment vs. Penetration Testing
Vulnerability Assessment
• “Screening” technical tests
• Automated tools
• Known vulnerabilities
• Scope:
– Systems
– Credentials
• Goal: Technical report
– IP / Host
– Vuln
– CVSS rating
– Tactical recommendations
Penetration Testing
• Multidimensional attack
• Security experts
• Discover and exploit flaws
• Scope:
– Objective (“Attack Scenario”)
– Systems, Networks, & Apps
– Level of Effort (Time-box)
• Goal: Fix security flaws
– Findings
– Remediation recommendations
Types of Pen Testing
Kill Chain Model: Recon → Weaponize → Deliver → Exploit → Install → Command & Control → Action
- Visualizes stages in attack lifecycle
- Threat modeling
- “Kill” one link, defeat the attack; Defense in Depth
- Testing targets entities’ ability to interrupt specific “link”
Iterative Attack: the kill chain (Recon → Weaponize → Deliver → Exploit → Install → Command & Control → Action) is repeated, each pass starting again from Recon.
Social Engineering
• Attempt to manipulate users
– Divulging sensitive information
– Performing IT-related actions
Network Testing
• Threat emulated
– Anonymous attackers across the Internet
– Internal adversaries to internal environment
• Attack surface
– Operating systems
– Infrastructure
– Commercial off-the-shelf (COTS) products
• Exploits:
– MS17-010 – Unauthenticated Remote Code Execution
Wireless Testing
• Capture handshake
• Crack authentication
• Exploit:
– WEP
– WPA-2
  • KRACK attack
– Weak passwords
  • Aircrack-ng
Application and API
• Threat emulated:
– Credentialed and uncredentialed adversaries
• Attack surface:
– Accessible portions of an application
Case Study: Application
• Browser-based Fuel Controller
– Leveraged known authentication vulnerability
– Identified ability to upload payload to obtain remote code execution
– Access to tank fuel, temperature levels
– Trigger or ignore sensor alarm
• CVE-2017-6564, CVE-2017-6565
Appliance / Embedded / IoT
• Threat emulated:
– Attacker has gained physical access to a device
• Attack surface:
– Physical and logical devices, network connectivity to the device, and backend systems
– Fuel controllers
– Car Wash
– Tanks and pumps
– Security systems
– Third-party vending
  • Car wash
  • HVAC
Case Study: Car Wash
• Coalfire Labs Researcher
• Buffer Overflow
• Arbitrary Code Execution
• Potential Human Threat
Red Team
• People, processes and technologies
Case Study: Casino
• Red team attack
• Physical, social, and logical vectors of attack
• Harvesting of email addresses of employees from public sources
• Spearphishing attack with image vulnerability
• Retrieved logins and passwords
• Access to the internal network via the casino’s VPN
• Exploiting vulnerabilities found throughout the network, gained administrator-level access to the environment
• See: https://www.coalfire.com/Documents/Case-Studies/Coalfire_Casino_Case_Study
Reverse Engineering
• Manipulate binary code to change intended application behavior
• Can be used to bypass authentication to grant access
Hunt Operations
• Identify adversaries already on network
Enterprise Testing
• Mature security testing
• Comprehensive security program to test all aspects of environment and response
Penetration Testing Considerations
Maturity
Impact vs. Disruption
• Every penetration test will have impact
– Logs
– Traffic
– Notifications
• Avoiding disruption takes planning and communication
Timing
• Time of day/week
• Time box for testing (point-in-time)
Methodology
• Discovery: Reconnaissance and Vulnerability Scanning
• Post exploitation phase
Target and Scope
• Risk assessment (assets and threats)
• Compliance requirements vs. security goals
• Attack surface, vectors and scenarios
• Prior notification and communication
Skill Set
• Certifications
– Offensive Security Certified Professional (OSCP)
  • Offensive Security Wireless Professional (OSWP)
  • Offensive Security Certified Expert (OSCE)
– GIAC Penetration Tester (GPEN)
  • GIAC Web Application Penetration Tester (GWAPT)
– Certified Ethical Hacker (CEH)
  • Licensed Penetration Tester Master (LPT)
– CREST Registered Tester (CRT-Pen)
– CESG IT Health Check Service (CHECK) certification
• Skill Sets
– Reputable firm
– Background check
– System and Technology-specific Training
  • MCSE
  • AWS-CCP
– Security certifications and skillsets
  • CISSP
  • CISM
  • Other Security Certs
Other Considerations
• System exclusion
• Data destruction
• Reporting
• Remediation support
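The Impact vs. Disruption, Timing, Target and Scope, and System exclusion points above all reduce to one operational question for the defending team: when an alert fires during the test window, is it the authorized test or something else? The following Python script is an added example, not part of the Conexxus deck or of Coalfire's tooling. It encodes a constructed rules-of-engagement record (tester source addresses, in-scope and excluded ranges, the agreed time box) and tags constructed IDS alert lines against it. Only alerts fully covered by the engagement are tagged AUTHORIZED_TEST; tester traffic outside the window, outside scope, or against an excluded system is escalated, and everything from any other source stays a live alert, so the test never turns into blanket alert suppression. The alert line format, the address ranges, and the engagement values are all assumptions.

```python
"""Alert deconfliction during an authorized penetration test.

Classifies IDS/auth alerts against the rules of engagement so that expected
test traffic is tagged instead of paged, while anything the engagement does
not cover stays a live alert. The engagement record and the alert lines are
constructed samples, not data from the slides."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Assumed syslog-like alert shape: "<ISO-8601 UTC> <program>: ALERT <kind> src=.. dst=.. sig=".."".
ALERT_RE = re.compile(
    r'^(?P<ts>\S+) \S+ ALERT (?P<kind>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) sig="(?P<sig>[^"]*)"$'
)


@dataclass(frozen=True)
class Engagement:
    name: str
    tester_sources: tuple   # addresses the tester agreed to test from
    in_scope: tuple         # CIDRs the tester may touch
    excluded: tuple         # CIDRs carved out of the test ("system exclusion")
    window_start: datetime  # agreed time box, UTC
    window_end: datetime

    def classify(self, src, dst, when):
        """Return (verdict, reason) for one event against the rules of engagement."""
        if not any(ip_address(src) == ip_address(s) for s in self.tester_sources):
            return "INVESTIGATE", "source is not a registered tester address"
        if not self.window_start <= when <= self.window_end:
            return "ESCALATE", "tester address active outside the agreed window"
        target = ip_address(dst)
        if any(target in ip_network(n) for n in self.excluded):
            return "ESCALATE", "target is on the exclusion list"
        if not any(target in ip_network(n) for n in self.in_scope):
            return "ESCALATE", "target is outside the agreed scope"
        return "AUTHORIZED_TEST", f"covered by engagement {self.name}"


def parse_alert(line):
    """Parse one alert line; unrecognised lines raise instead of being dropped."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    when = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"when": when, "kind": m["kind"], "src": m["src"], "dst": m["dst"], "sig": m["sig"]}


def triage(engagement, lines):
    """Tag every alert; only AUTHORIZED_TEST is safe to route away from the on-call queue."""
    results = []
    for line in lines:
        alert = parse_alert(line)
        verdict, reason = engagement.classify(alert["src"], alert["dst"], alert["when"])
        results.append({**alert, "verdict": verdict, "reason": reason})
    return results


# Constructed engagement record using documentation address ranges only.
ENGAGEMENT = Engagement(
    name="EXT-2018-03 (placeholder)",
    tester_sources=("203.0.113.10",),
    in_scope=("198.51.100.0/24",),
    excluded=("198.51.100.250/32",),   # e.g. a production payment host carved out
    window_start=datetime(2018, 3, 27, 13, 0, tzinfo=timezone.utc),
    window_end=datetime(2018, 3, 27, 17, 0, tzinfo=timezone.utc),
)

# Constructed alert lines: in scope, excluded host, out of scope, outside window, unrelated source.
SAMPLE_ALERTS = [
    '2018-03-27T14:05:10Z ids[1201]: ALERT portscan src=203.0.113.10 dst=198.51.100.7 sig="SYN scan"',
    '2018-03-27T14:20:42Z ids[1201]: ALERT portscan src=203.0.113.10 dst=198.51.100.250 sig="SYN scan"',
    '2018-03-27T14:30:05Z ids[1201]: ALERT webattack src=203.0.113.10 dst=192.0.2.9 sig="SQLi probe"',
    '2018-03-27T21:15:00Z ids[1201]: ALERT bruteforce src=203.0.113.10 dst=198.51.100.7 sig="SSH auth failures"',
    '2018-03-27T14:35:19Z ids[1201]: ALERT bruteforce src=203.0.113.77 dst=198.51.100.7 sig="SSH auth failures"',
]


def verdicts(engagement=ENGAGEMENT, lines=SAMPLE_ALERTS):
    """Verdict per sample line, in input order."""
    return [r["verdict"] for r in triage(engagement, lines)]


if __name__ == "__main__":
    for r in triage(ENGAGEMENT, SAMPLE_ALERTS):
        print(f'{r["when"]:%H:%M} {r["verdict"]:<16} {r["src"]:>14} -> {r["dst"]:<15} {r["reason"]}')
```

The order of the checks is deliberate: source identity is established first, then the time box, then exclusions before scope, so a tester hitting a carved-out system is reported as an exclusion breach rather than as a generic scope problem. The ESCALATE verdicts are exactly the conversations the "prior notification and communication" bullet is meant to make short.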
• Website: www.conexxus.org
• Email: [email protected]
• LinkedIn Group: Conexxus Online
• Follow us on Twitter: @Conexxusonline