Security Consulting Services - Which Is The Best Option For Me? - Diego Sor, SCS Director, Core...

Date posted: 29-Jan-2018
Uploaded by: core-security
Page 1: Security Consulting Services - Which Is The Best Option For Me? - Diego Sor, SCS Director, Core Security

CONNECT 2017. Security Consulting Services: which is the best option for me?

Understanding the offering

Page 2

AGENDA

• Who we are
• Security Consulting Services
• Penetration Test and Red Team
• Software Security Assessment

Page 3

LEARN MORE

Diego Sor, Security Consulting Services Director, Core Security

About me

Technical
• Started experimenting with 8-bit home computers
• BASIC was my first approach to programming
• Hardware and communications fan
• Electronic engineering degree
• In 1998 joined a mobile phone fraud prevention company
• In 2001 joined Core Security as a Windows device driver developer
• In 2006 moved to the SCS team as a security consultant
• Have been managing the Consulting team since 2012

Not so technical
• DIY, music, architecture and playing with my daughter

Page 4

Security Consulting Services: Who we are

We are a group of security engineers working along with customers to secure their information technology systems.

• SCS has conducted security consulting services since 1997
• We think and act like attackers
• We do vulnerability research
• We keep up to date

Page 5

Security Consulting Services: Why do customers call us?

• Recent public breaches made them understand that real attackers target organizations like them
• Want to protect PHI or other sensitive information
• Stakeholders want to understand their security posture
• Interested in exercising their security team
• New application features will be put in production soon
• Want to measure their security operations center capabilities
• Deployed new information systems infrastructure
• Stick to compliance programs

Page 6

Security Services Terms: Terminology nightmare

Page 7

Security Consulting Services: Our Services

SECURITY SERVICES
• RED TEAM
• PENETRATION TEST
• SOFTWARE SECURITY ASSESSMENT

Page 8

Security Consulting Services: Red Team and Penetration Test

SECURITY SERVICES
• RED TEAM
• PENETRATION TEST

Page 9

Initial Information: Key conversation between consultants and customers

SCOPE
Systems and components under test. Things you want to secure.

OBJECTIVES
Something to achieve. Concerns you may have and want to be evaluated.

ACTORS
The individuals carrying out actions. Consultants will mimic attackers using defined profiles.

Page 10

Red Team: You know you secured your environment

Evaluate the resilience of your organization against real-world attackers. Consultants will find and exploit vulnerabilities while using tactics and techniques (TTP) to avoid detection and persist.

SCOPE (inclusive)
Attackers move freely. Include as many components as possible. Scope limitations create artificial barriers.

OBJECTIVES (think of threats)
Think of worst case scenarios:
1. Cloud admin creds stolen
2. IP documents extracted

ACTORS (attackers)
Consultants mimicking attacker's techniques and tactics. Liaison with the internal security team is optional.

OUTCOME (final report)
Vulnerabilities exploited and attack paths. Description of techniques and tactics. Level of readiness of your defense team. Fixes and mitigations.

Page 11

Red Team: Steps to success

• Process is iterative
• Achieve defined objectives while minimizing noise and detection
• May or may not fine-tune the iterations by liaising with security staff

Cycle: reconnaissance -> compromise, then escalate -> persist -> lateral move / pivoting -> cleanup -> back to reconnaissance; finally, report.

Page 12

Penetration Test: Want to challenge your security posture

Evaluate the resilience of your organization against real-world attacks. Consultants will find and exploit vulnerabilities to get access to privileged systems and information.

SCOPE (inclusive)
Enumerate components and systems. Networks, applications and users are the usual targets.

OBJECTIVES (think of threats)
Think of worst case scenarios:
1. Cloud admin creds stolen
2. IP documents extracted

ACTORS (attackers)
Consultants mimicking attacker's techniques.

OUTCOME (final report)
Vulnerabilities exploited and attack paths. Description of techniques and tactics. Fixes and mitigations.

Page 13

Red Team vs Penetration Test: I see a lot of similarities

• It is about challenging the security of an organization
• Attackers can be external and internal to the organization (insider threat)
• Red Team revisits the initial penetration test concept, where noise and detection avoidance were part of the equation
• Penetration Test has evolved into many different practices, creating a softer definition and leaving space for Red Team to create some additional specification
• Key concept is mimicking the attacks you find in real-world scenarios
• A sophisticated real-world attacker will leverage trust relationships to gain access to more valuable information assets
• Liaison with internal security staff leads to the Purple Team concept

Page 14

Red Team and Penetration Test: What is in scope?

• Time-boxed: you get X hours of attackers challenging your security, let's see what they can do!
• Attackers do not ask for permission, they use any available means
• External facing servers and services
• Internal servers and services
• Hybrid systems: cloud and on premise
• Organization individuals
  • Phishing campaigns
  • Social engineering activities

Page 15

Security Services Lifecycle

KNOWLEDGE: VULNERABILITY ASSESSMENT
Initial steps to secure your organization. It finds as many vulnerabilities as possible. Mostly automatic tests.

RESILIENCE: PENETRATION TEST
You know you secured your organization. Sophisticated attackers will challenge your security posture.

RESILIENCE AND READINESS: RED TEAM
More sophisticated attackers will challenge the security and readiness of your organization.

[Chart: maturity level over time, moving from auditors to attackers]

Page 16

Security Consulting Services: Software Security Assessment

SECURITY SERVICES
• SOFTWARE SECURITY ASSESSMENT

Page 17

Software Security Assessment: Definition and key objectives

Assess the security of an application or group of applications, their ability to resist attacks. Evaluate your defensive programming practices.

• In this context an application is a system or group of systems that are logically connected and cooperate to do something
• Consultants to find as many vulnerabilities as possible
• Consultants to evaluate the code quality in terms of security
• Consultants to create running proofs-of-concept of the findings
• Assessing a single isolated application is not exactly a Penetration Test

Page 18

Software Security Assessment: By Approach

Dynamic Analysis
• Tests carried out on a running application
• May or may not have access to source code
• Consultants mimicking attackers with no or some level of knowledge of the application

Static Analysis
• Full access to the source code and application design
• Deep level of understanding of the source code being tested
• Consultants mimicking an attacker with full source code knowledge
• Consultants acting as security quality assurance

Page 19

Software Security Assessment: By Source Code Access

White-box
• Consultants have access to source code and documentation

Gray-box
• Consultants have some access to source code and documentation
• Source code for sensitive functions: crypto, storage, authorization and authentication

Black-box
• Consultants have zero access to source code and documentation
• Focused on the exposed interfaces

Page 20

Software Security Assessment: Vulnerability Categories

Design
• Fundamental mistake: the application does what it is supposed to do, but it is wrong due to a failed specification

Implementation
• The code is usually doing what it should do, but there is a security problem in the way a specific action is carried out

Operational
• These problems arise when looking at the context in which the software operates. They have to do with the code, but also with the operation and environment

[Diagram: DESIGN, IMPLEMENTATION, OPERATIONAL]

Page 21

Software Security Assessment: White-box Assessment

• Project setup cost can be high
  • Code isolation from 3rd party
  • Sharing intellectual property
  • Interaction with developers
• Time and cost intensive
• Testers looking for security bugs and bad code practices
• More in-depth analysis than the black-box counterpart
• Includes the following tasks
  • Code analysis tools
  • Check the code and then... check the code again

Page 22

Software Security Assessment: Black-box Security Assessment, AKA Application Penetration Test

• Uncover what is visible and exposed
• Short time frame and quick results
• QA or testing environment can be used for testing
• Works better having access to source code
• Uncovering vulnerabilities may include
  • Dynamic analysis tools
  • Fuzzing
  • Reverse engineering / decompiling
  • Debugging
  • Instrumentation

Page 23

Application Types

Web, Mobile, Desktop, IoT

Page 24

Final Words: Approach that works for you

• Consultants to understand customer needs and maturity level
• Think about threats
  • The ones you envision should work as initial objectives
• Do not force a hard scope definition when you do not know
  • Unless you are sure, be as broad as possible
• Be incremental and continuous
• Combine services and approaches
• Services should be able to adapt to your SDLC

Page 25

THANK YOU