There are plenty of reasons to conduct a pen test, or red team assessment, on your organization’s technical environment. Today’s typical enterprise network is no longer the enclosed and controlled environment it may have been just a few years ago. A penetration test is a good opportunity to begin with a clean slate as well as to prioritize issues and fixes. These assessments also provide a very powerful wake-up call to executive leadership that may have been putting these types of changes off to reduce costs.
If you are reading this blog post, you have survived 2016. By most accounts, it was a rough year for the state of security in healthcare, and cyber attacks were a large part of that. We saw the announcements of some of the biggest breaches in history, the continued proliferation of ransomware, and even the recent reports that Russia was meddling in U.S. politics through cyber attacks.
There are many important aspects to consider in any given penetration test. I have talked at length in other blog posts about many of these considerations. There is one important aspect I have not written much about: it is critically important to determine how much foreknowledge the tester should be given. This aspect goes by many names, but almost all of them use the “box” descriptor. In college, I was taught white box, gray box, and black box as the three levels of disclosure for a penetration test. Many, including CynergisTek, use the term “crystal” in place of “white”. Really, the names are just labels; the concept remains the same, and that is what matters most.
Background
Around 8:00 p.m. on September 20th, hackers who were upset about being outed by Brian Krebs, a well-known security and IT journalist, attacked his website with what was then the largest Distributed Denial of Service (DDoS) attack in history. The attack against krebsonsecurity.com was carried out using a previously hypothesized piece of malware that takes control of Internet of Things (IoT) devices and uses them to build a powerful botnet (a network of infected systems that will do whatever the controlling party tells it to). This botnet is built by exploiting simple vulnerabilities that exist on a large portion of the world’s IoT devices.
Most corporate systems, whether end-user workstations or core servers, are guarded by several layers of malware protection, usually in the form of anti-virus (AV), data-loss prevention (DLP), and host-based intrusion detection (HIDS). These protections are useful to defenders because they help keep systems safe, secure, and free of malicious code. At the very least, the hard drive, or other non-volatile storage, is typically kept clean.
Recently, while doing my daily due diligence to keep up with the latest news and changes in information security, one article in particular caught my attention. Its topic, SSL encryption and the related research, is particularly fascinating and still new territory for me as an offensive security professional. The article was in Dark Reading, and while its title was a bit “click-bait like,” it is still true: more than 40% of attacks abuse SSL encryption. This caught my attention not because it was any sort of surprise, but because it is actually true, and I know it is from personal experience.
Serious Vulnerability in Non-Bluetooth Wireless Human Interface Devices (HIDs)
Overview
Over the last week, I have been working to better understand the MouseJack hack and how easily it could be exploited. It turns out that this is a very concerning attack. Without purchasing any hardware (mostly because I already had several different Logitech keyboards and mice), I was able to re-flash the firmware on a standard Logitech Unifying receiver.
Black Hat
Last week marked my third year in Las Vegas for the annual “hacker conferences”: BSides Las Vegas (which I was unable to attend), Black Hat, and DEF CON. Black Hat is two days of briefings, tool demos, workshops, and a very large array of security vendors. Finally, the week affectionately known as “hacker summer camp” by attendees is capped off with the largest, longest-running hacker conference in the world: DEF CON.
As I am writing this particular blog post, I am just eight days from flying to fabulous Las Vegas, Nevada. Why on earth would I, or anyone not required to, go to the middle of the desert during the hottest time of the year (the first week of August)? Because that weekend hosts the biggest, and oldest, hacker gathering in the world: the 24th annual DEF CON, where more than 10,000 hackers and security geeks will descend on the Bally’s and Paris casinos for four days of nothing but hacking and networking (with people, not in the IT sense of the word).
My previous posts have examined the many advantages of a penetration test in general and how widening the scope of each subsequent test can greatly increase the value of an offensive assessment. We have also discussed the merits of, and changes to, our penetration testing methodology and approach. This blog post takes things a step further and looks in depth at advanced offensive assessments, primarily the red team and adversary simulation, an assessment that helps hone malware and ransomware defenses and tests the Security Operations Center’s (SOC) ability to detect ongoing or advanced intrusions.