Penetration Testing: How to Test What Matters Most

Presenters:

Sam Pfanstiel, CISSP, CISM, QSA(P2PE), ETA CPP, Coalfire

John Stickle, OSCE, OSCP, OSWP, Coalfire Labs


Post on 24-Aug-2020


Agenda

• Housekeeping

• Presenters

• About Conexxus

• Presentation

• Q & A


Housekeeping

This webinar is being recorded and will be made available in approximately 30 days.

• YouTube (youtube.com/conexxusonline)

• Website Link (conexxus.org)

Slide Deck

• Survey Link – Presentation provided at end

Participants

• Ask questions via webinar interface

• Please, no vendor specific questions

Email: [email protected]


Presenters

Conexxus Host: Allie Russell, Conexxus, [email protected]

Moderator: Kara Gunderson, Chair, Data Security Standards Committee; POS Manager, CITGO Petroleum, [email protected]

Speakers

Sam Pfanstiel, CISSP, CISM, QSA(P2PE), ETA CPP; Data Security Standards Committee SME; Sr. Consultant, Coalfire, [email protected]

John Stickle, OSCE, OSCP, OSWP; Security Consultant, Coalfire Labs, [email protected]


About Conexxus

• We are an independent, non-profit, member driven technology organization

• We set standards…

– Data exchange

– Security

– Mobile commerce

• We provide vision

– Identify emerging tech/trends

• We advocate for our industry

– Technology is policy


2018 Conexxus Webinar Schedule*

Month/Date | Webinar Title | Speaker | Company

March 27, 2018 | Penetration Testing: How to Test What Matters Most | Sam Pfanstiel, John Stickle | Coalfire Systems

April 2018 | Annual Meeting | - | -

May 2018 | QIR Program Update | Chris Bucolo | ControlScan


Pen Testing: What is it?

• Human-based threat emulation

• Purpose: “discover exploitable security flaws”

• Attack scenarios and targets vary


Pen Testing: Why is it Needed?

Find vulnerabilities before the bad guys exploit them


Source: 2017 Verizon Data Breach Investigation Report


[Diagram. Labels: Adversary, Threat, Attack Vector, Attack Surface, Enterprise, Vulnerability, Exploit, Breach, Exfiltration, Asset, Value, Probability, Impact]


Assets and Compliance

• PCI DSS

– Asset = cardholder data and CDE

– Recent pen testing guidance (September 2017)

• Internal

• External

• Segmentation & Scope Reduction Controls

– Network & Application Layer

– Layers

• Application layer (6.5)

• Network

– Incl. Wireless

• Systems

• Industry-accepted penetration testing approaches

• Quarterly and after significant changes

• Organizational Independence

• Contractual Compliance

– Oil Brand / Distributor

– Information Security Policies

– Product Policies

• Other

– NIST / ISO / SOC

– NERC SIP / EPA


Adversaries and Threats

Adversaries

• Profit-driven hackers

• Nation states and ideology-driven attackers

• Trusted Third-Parties

• Malicious Insiders

• Non-malicious Insiders

Threats

• Exfiltration of data

• Destruction of data

• Denial of Service

• Theft of property

• Physical destruction

• Contamination

• Brand damage


Common Misconceptions

Vulnerability Assessment vs.

• “Screening” Technical Tests

• Automated Tools

• Known vulnerabilities

• Scope:

– Systems

– Credentials

• Goal: Technical Report

– IP / Host

– Vuln

– CVSS rating

– Tactical Recommendations

Penetration Testing

• Multidimensional attack

• Security Experts

• Discover and exploit flaws

• Scope:

– Objective (“Attack Scenario”)

– Systems, Networks, & Apps

– Level of Effort (Time-box)

• Goal: Fix security flaws

– Findings

– Remediation recommendations


Types of Pen Testing


Kill Chain Model

Recon → Weaponize → Deliver → Exploit → Install → Command & Control → Action

- Visualizes stages in attack lifecycle

- Threat modeling

- “Kill” one link, defeat the attack; Defense in Depth

- Testing targets entities’ ability to interrupt specific “link”


Iterative Attack


Social Engineering

• Attempt to manipulate users

– Divulging sensitive information

– Performing IT-related actions


Network Testing

• Threat emulated

– Anonymous attackers across the Internet

– Internal adversaries to internal environment

• Attack surface

– Operating systems

– Infrastructure

– Commercial off-the-shelf (COTS) products

• Exploits:

– MS17-010 – Unauthenticated Remote Code Execution


Wireless Testing

• Capture handshake

• Crack authentication

• Exploit:

– WEP

– WPA-2

• Krack Attack

– Weak Passwords

• Aircrack-ng


Application and API


• Threat emulated:

– Credentialed and uncredentialed adversaries

• Attack surface:

– Accessible portions of an application


Case Study: Application


• Browser-based Fuel Controller

– Leveraged known authentication vulnerability

– Identified ability to upload payload to obtain remote code execution

– Access to Tank fuel, temperature levels

– Trigger or ignore sensor alarm


Appliance / Embedded / IoT

• Threat emulated:

– Attacker has gained physical access to a device

• Attack surface:

– Physical and logical devices, network connectivity to the device, and backend systems

– Fuel controllers

– Car Wash

– Tanks and pumps

– Security systems

– Third-party vending

• Car wash

• HVAC


Case Study: Car Wash

• Coalfire Labs Researcher

• Buffer Overflow

• Arbitrary Code Execution

• Potential Human Threat


Red Team

• People, processes and technologies


Case Study: Casino

• Red team attack

• Physical, social, and logical vectors of attack

• Harvesting of email addresses of employees from public sources

• Spearphishing attack with image vulnerability

• Retrieved logins and passwords

• Access to the internal network via the casino’s VPN

• Exploiting vulnerabilities found throughout the network, gained administrator-level access to the environment.

• See: https://www.coalfire.com/Documents/Case-Studies/Coalfire_Casino_Case_Study


Reverse Engineering

• Manipulate binary code to change intended application behavior

• Can be used to bypass authentication to grant access


Hunt Operations

• Identify adversaries already on network


Enterprise Testing

• Mature security testing

• Comprehensive security program to test all aspects of environment and response


Penetration Testing Considerations


Maturity


Impact vs. Disruption

• Every penetration test will have impact

– Logs

– Traffic

– Notifications

• Avoiding disruption takes planning and communication


Timing

• Time of day/week

• Time box for testing (point-in-time)


Methodology

• Discovery: Reconnaissance and Vulnerability Scanning

• Post exploitation phase


Target and Scope

• Risk assessment (assets and threats)

• Compliance requirements vs. security goals

• Attack surface, vectors and scenarios

• Prior notification and communication


Skill Set

• Certifications

– Offensive Security Certified Professional (OSCP)

• Offensive Security Wireless Professional (OSWP)

• Offensive Security Certified Expert (OSCE)

– GIAC Penetration Tester (GPEN)

• GIAC Web Application Penetration Tester (GWAPT)

– Certified Ethical Hacker (CEH)

• Licensed Penetration Tester Master (LPT)

– CREST Registered Tester (CRT-Pen)

– CESG IT Health Check Service (CHECK) certification

• Skill Sets

– Reputable firm

– Background check

– System and Technology-specific Training

• MCSE

• AWS-CCP

– Security certifications and skillsets

• CISSP

• CISM

• Other Security Certs


Other Considerations

• System exclusion

• Data destruction

• Reporting

• Remediation support


• Website: www.conexxus.org

• Email: [email protected]

• LinkedIn Group: Conexxus Online

• Follow us on Twitter: @Conexxusonline
