Behind of the Penetration testing - SECUINSIDE (secuinside.com/archive/2015/2015-1-2.pdf)

Post on 05-Apr-2018


Behind of the Penetration testing

J@50n L33

AGENDA

1. WHO I AM!!

2. PENETRATION TESTING

3. WHY DO YOU NEED THE PENETRATION TESTING

4. HOW DO YOU PERFORM THE PENETRATION TESTING

5. WHAT ABOUT THIS, THERE IS DIFFERENT WAY TO USE IT FOR

6. CONCLUSION

2015-07-22 Knowing You're Secure 2

WHO I AM!!

Who I am!!

Since 1991

Instructor

Developer

System Engineer

Security Practitioner

Security Tester

Security Researcher

Offensive Evangelist

2015


Research:

• Security Testing Methodology based on blind testing approach (2007)

• Way to secure web application using secure libraries (2007)

• Application Testing Methodology for SDLC (2008)

• Security Testing Methodology based on static analysis (2009)

• Penetration testing Methodology for Nuclear Power Plants (2012)

• Offensive Analysis as a Security assessment for Critical-Safety Systems (2013)

PREFACE

007: Skyfall (2012)

PENETRATION TESTING

What do you call it?

• Hiring someone to hack your company for a good reason.

– Penetration testing

– Tiger teaming

– Intrusion testing

– Ethical hacking

– Vulnerability Analysis

– Even, Security Assessment


Characteristics of Pentesting

• Focusing on tools and technology, with only a very small portion on methodology

• Interpreting the result

• Protecting the innocent

• Politics and processes

• Testing dangers


Security = Physics

• Penetration testing is

– the pinnacle of thought-provoking security activity

– Touching on the simplistic nature of security

– The act of exploiting vulnerabilities with good reasons

Sneakers (1992)

WHY DO YOU NEED THE PENETRATION TESTING

Hacking Impacts

• Resources

– Core services, object code, disk space …

• Information

– Loss, disclosure and integrity.

• Time

– Anything that consumes time consumes money and causes financial loss

• Brand and Reputation


The Hacker

• Does "hacker" mean destruction? Only through misuse of the term.

• Hacker

– Investigate the workings of computers for fun and a challenge

– Not to penetrate or perform malicious acts

• Cracker

– Break computers to use them for free or use system resources

• What is the correct word today for a hacker who commits malicious acts?

– Hacker(Cyber Criminal) or Malicious Hacker


Types of Hackers

• Script Kiddies

– Unstructured

– Structured

– Determined

• Independent hackers

– Malicious

– Solvers

– Hacktivist

– Vigilante

• Organized hackers

– State-Sponsored

– Extortion

• Hitman

• Terrorist

– Espionage


Motives

• What Maelstrom said

– I just do it because it makes me feel good, as in better than anything else that I’ve ever experienced.

• What Kevin Mitnick described

– You get a better understanding of cyberspace, the computer systems, the operating systems, how the computer systems interact with one another; that basically was my motivation behind my hacking activity in the past.

– It was just from the gain of knowledge and the thrill of adventure, nothing that was well and truly sinister as trying to get any type of monetary gain or anything

• Six Fundamental drivers for hackers

– Addiction to computers

– Curiosity of the possible

– Excitement

– Social status

– Power

– Betterment of society


Can you survive?


Threats

Hacking Impacts

Hackers

Types of Hackers

Motives

HOW DO YOU PERFORM THE PENETRATION TESTING

Many organizations do pentesting every year

• Penetration testing has become mainstream

– How many times do you perform penetration testing on your organization?

– How many different penetration testing teams do you hire?

– Are you likely to ask your pentesting team to do different activities?

– Do you have any idea what they are using for pentesting?

Framework

• What is a framework?

• How does it apply to attacking a system?

• Is a framework a methodology?


Framework phases: Planning, Operations, Reconnaissance, Enumeration, Analysis, Exploitation, Deliverable, Integration

Option states shown in the figure:

• Selected options

• Options not selected

• Options not available because other options not employed

• Options wanted, but not available

Determining the impact on value based on selected options

Concern for penetration testing phase:

• Planning the test

• Sound operations

• Reconnaissance

• Enumeration

• Vulnerability Analysis

• Exploitation

• Final Analysis

• Deliverable

• Integration


Mitigation

Defense

Incident Management

The Software Vulnerability Asymmetry Problem

• The defender must fix all vulnerabilities in all software, but the attacker wins by finding and exploiting just one vulnerability

• Threats change over time – the state of the art in vulnerability finding and attack techniques changes over time

• Patch deployment takes time – the vendor must offset risks to stability & compatibility, and the customer waits for the servicing cycle

Result: Attackers only have to find one vulnerability, and they get to use it for a really long time.

Exploit Economics

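$$\text{ROI} = \frac{\text{Gain from Investment} - \text{Cost of Investment}}{\text{Cost of Investment}}$$

$$\text{Attacker ROI} = \frac{\text{Attacker Gain} - \text{Attacker Cost}}{\text{Attacker Cost}}$$

$$\text{Attacker Gain} = \frac{\text{Gain}}{\text{Opportunity}} \times N_{\text{Opportunities}}$$

$$\text{Attacker Cost} = \text{Vulnerability Cost} + \text{Exploitation Cost}$$

$$\text{Attacker ROI} = \frac{\left(\frac{\text{Gain}}{\text{Opportunity}} \times N_{\text{Opportunities}}\right) - \left(\text{Vulnerability Cost} + \text{Exploitation Cost}\right)}{\text{Vulnerability Cost} + \text{Exploitation Cost}}$$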

Exploit Economics

• We can decrease Attacker ROI if we are able to…

• Increased attacker investment – increased cost to find usable vulnerabilities

– Varies by platform, vendor and technology

– New tools and automation help w/ bug mining, but on some platforms the watermelons are already harvested

• Increased attacker investment required to write reliable (and stealthy) exploits

– Exploit the vulnerability and break out of the sandbox / defeat additional protections and mitigations

– Boutique bespoke software development house w/ ever-expanding requirements

• Decreased attacker opportunity to recover investment

– Fewer opportunities via artificial diversity & improved updating

– Ever-improving detection of exploits & follow-on actions

– Fewer resale / reuse opportunities

Result: Stealthy, reliable attacks require significant engineering; working exploits become more scarce and valuable and shorter lived(?)
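The Attacker ROI formula and the three defender levers from the slides above, worked through as an added example (not part of the original talk). Every figure and multiplier below is constructed for illustration; the names `ExploitScenario`, `compare_levers` and `BASELINE` are hypothetical.

```python
import math
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class ExploitScenario:
    gain_per_opportunity: int   # attacker gain from one successful use
    n_opportunities: int        # uses before patching/detection burns the exploit
    vulnerability_cost: int     # cost to find (or buy) a usable vulnerability
    exploitation_cost: int      # cost to build a reliable, stealthy exploit

    @property
    def cost(self) -> int:
        return self.vulnerability_cost + self.exploitation_cost

    @property
    def gain(self) -> int:
        return self.gain_per_opportunity * self.n_opportunities


def attacker_roi(s: ExploitScenario) -> float:
    """Attacker ROI = (Attacker Gain - Attacker Cost) / Attacker Cost."""
    return (s.gain - s.cost) / s.cost


def break_even_opportunities(s: ExploitScenario) -> int:
    """Smallest N for which ROI becomes strictly positive."""
    return math.floor(s.cost / s.gain_per_opportunity) + 1


def compare_levers(base: ExploitScenario) -> dict:
    """Apply each defender lever (constructed multipliers) and report
    (ROI rounded to 2 places, break-even N) per scenario."""
    harder_find = replace(base, vulnerability_cost=base.vulnerability_cost * 2)
    harder_exploit = replace(base, exploitation_cost=base.exploitation_cost * 3)
    fewer_uses = replace(base, n_opportunities=base.n_opportunities // 4)
    combined = replace(harder_find,
                       exploitation_cost=harder_exploit.exploitation_cost,
                       n_opportunities=fewer_uses.n_opportunities)
    scenarios = {
        "baseline": base,
        "costlier bug finding (2x vulnerability cost)": harder_find,
        "sandbox and mitigations (3x exploitation cost)": harder_exploit,
        "faster updating and detection (N / 4)": fewer_uses,
        "all three levers": combined,
    }
    return {name: (round(attacker_roi(s), 2), break_even_opportunities(s))
            for name, s in scenarios.items()}


# Constructed baseline: 1,000 gained per use, 200 uses, 20,000 + 30,000 invested.
BASELINE = ExploitScenario(1000, 200, 20000, 30000)

if __name__ == "__main__":
    for name, (roi, n_min) in compare_levers(BASELINE).items():
        print(f"{name:48s} ROI={roi:6.2f}  break-even N={n_min}")
```

In this constructed case, cutting the exploit's useful life to a quarter brings ROI to exactly zero without touching attacker cost, and stacking all three levers turns it negative.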

$$\text{Attacker ROI} = \frac{\left(\frac{\text{Gain}}{\text{Opportunity}} \times N_{\text{Opportunities}}\right) - \left(\text{Vulnerability Cost} + \text{Exploitation Cost}\right)}{\text{Vulnerability Cost} + \text{Exploitation Cost}}$$

Exploit Economics

• Maturing Industry – Specialized & horizontal

– Also now vertically reintegrated at state level

• Squeezed from the bottom

– $500 PC w/ IDA Pro & BinDiff

• Squeezed from the top

– Ever-expanding list of cyber-capable countries

– $500M investment returns Tier 1 capability

Figure labels: Finder, Exploiter, Malware house, Organized Attacker

THERE IS DIFFERENT WAY TO USE THE PENETRATION TESTING


CONCLUSION
