2018-040- Jarrod Frates discusses pentest processes
Published November 19, 2018 | 81 min

    Jarrod Frates

    Inguardians

    @jarrodfrates

    “Skittering Through Networks”

    Ms. Berlin in Germany - How’d it go?

       

    TinkerSec’s story:  https://threadreaderapp.com/thread/1063423110513418240.html

     

    Takeaways

    Blue Team:

    - Least Privilege Model

    - Least Access Model

        “limited remote access to only a small number of IT personnel”

        “This user didn't need Citrix, so her Citrix linked to NOTHING”

        “They limited access EVEN TO LOCAL ADMINS!”

    - Multi-Factor Authentication

    - Simple Anomaly Rule Fires

        “Finance doesn’t use Powershell”

    - Defense in Depth

        “moving from passwords to pass phrases…”

        “Improper disposal of information assets”
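    The “Finance doesn’t use Powershell” takeaway is a whole detection rule in one sentence: pick a population that has no business reason to run a tool, and alert the moment it does. As an added example (not code from the episode or from TinkerSec’s write-up), here is that rule as a small Python check run over constructed process-creation records; the department directory, hostnames, usernames and field names are all assumptions made for the demonstration.

```python
# Added example: "Finance doesn't use PowerShell" as a concrete anomaly rule.
# Records and the user-to-department directory are constructed for this demo;
# field names loosely follow Sysmon / Event ID 4688 process-creation events.

# Departments expected to launch PowerShell (an assumption for this demo).
POWERSHELL_ALLOWED_DEPTS = {"IT", "Engineering"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# Stand-in for an HR/AD group lookup (constructed users and departments).
USER_DEPT = {
    "CORP\\jsmith": "IT",
    "CORP\\abrown": "Finance",
    "CORP\\lgarcia": "Finance",
}

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
PS32 = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
EXCEL = "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"

# Constructed process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"time": "2018-11-16T09:02:11", "user": "CORP\\jsmith", "host": "IT-WS01", "image": PS},
    {"time": "2018-11-16T09:05:40", "user": "CORP\\abrown", "host": "FIN-WS07", "image": EXCEL},
    {"time": "2018-11-16T09:07:03", "user": "CORP\\abrown", "host": "FIN-WS07", "image": PS},
    {"time": "2018-11-16T09:07:05", "user": "CORP\\lgarcia", "host": "FIN-WS12", "image": PS32},
]

def image_name(path):
    """Basename of an image path, lower-cased, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(events, user_dept=USER_DEPT, allowed=POWERSHELL_ALLOWED_DEPTS):
    """One alert per PowerShell launch by a user outside the allowed departments.
    Users missing from the directory count as UNKNOWN and alert too (fail loud)."""
    alerts = []
    for ev in events:
        if image_name(ev["image"]) not in POWERSHELL_IMAGES:
            continue  # not a PowerShell host process; the rule does not apply
        dept = user_dept.get(ev["user"], "UNKNOWN")
        if dept in allowed:
            continue  # expected population, no anomaly
        alerts.append({"rule": "powershell-outside-allowed-depts", "time": ev["time"],
                       "user": ev["user"], "dept": dept, "host": ev["host"]})
    return alerts

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

    On the sample records the IT user’s launch is ignored and the two Finance launches (including the SysWOW64 copy) each produce an alert; a user absent from the directory alerts as UNKNOWN rather than slipping through.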

     

    Red Team:

    - Keep Trying

    - Never Assume

    - Bring In Help

    - Luck Favors the Prepared

    - Adapt and Overcome



    Before the Test

    • Talk it over with stakeholders: Reasons, goals, schedules
    • Report is the product: Get samples
    • Who, what, when, where, why, how
    • Talk to testers (and clients, if you can find them)
      • Ask questions
      • Look for past defensive experience and understanding of your needs
        • Bonus points if they interview you as a client
      • Red flags: Pwning is all they talk about, they set no-crash guarantees, send info in the clear
    • Define the scope: Test type(s), inclusions, exclusions, permissions, accounts
    • Test in ‘test/dev’, NOT PROD
    • Social Engineering: DO THIS. Yes, you’re vulnerable. DO IT ANYWAY.

     

    During the Test

    • Comms: Keep in contact with the testers
      • Status reports (if the engagement is long enough)
      • Have an established method for escalation
      • Have an open communication style --brbr (WeBrBrs)
    • Ask questions, but let the testers do their jobs
    • Be available and ready to address critical events
    • Keep critical stakeholders informed
    • Watch your network: things break, someone else may be getting in, capture packets(?)

     

    After the Test

    • Getting Results:
      • Report delivered securely
      • Initial summary: How far did they get?
      • Actual report
        • Written for multiple levels
        • No obvious copy/paste
        • Read, understand, provide feedback, and get revised version
    • Next steps:
      • Don’t blame anyone unnecessarily
      • Start planning with stakeholders on fixes
      • Contact vendors, educate staff
    • Reacting to report
    • Sabotaging your test
    • Future testing

     

    Ms. Berlin’s Legit business - Mental Health Hackers

     

    CFP for Bsides Seattle (Deadline: 26 November 2018) http://www.securitybsides.com/w/page/129078930/BsidesSeattle2019

     

    CFP for BsidesNash https://twitter.com/bsidesnash/status/1063084215749787649 Closes Dec 31

     

    Teaching a class in Seattle for SANS (SEC504) - need some students! Reach out to me for more information. Looking to do this at the end of February through March

     

     

    Check out our Store on TeePublic! https://brakesec.com/store

    Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

    #Brakesec Store!: https://www.teepublic.com/user/bdspodcast

    #Spotify: https://brakesec.com/spotifyBDS

    #RSS: https://brakesec.com/BrakesecRSS

    #Youtube Channel:  http://www.youtube.com/c/BDSPodcast

    #iTunes Store Link: https://brakesec.com/BDSiTunes

    #Google Play Store: https://brakesec.com/BDS-GooglePlay

    Our main site:  https://brakesec.com/bdswebsite

    #iHeartRadio App:  https://brakesec.com/iHeartBrakesec

    #SoundCloud: https://brakesec.com/SoundcloudBrakesec

    Comments, Questions, Feedback: bds.podcast@gmail.com

    Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon: https://brakesec.com/BDSPatreon

    #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

    #Player.FM : https://brakesec.com/BDS-PlayerFM

    #Stitcher Network: https://brakesec.com/BrakeSecStitcher

    #TuneIn Radio App: https://brakesec.com/TuneInBrakesec
