2018-040- Jarrod Frates discusses pentest processes
Published November 19, 2018
81 min

    Jarrod Frates



    “Skittering Through Networks”

    Ms. Berlin in Germany - How’d it go?


    TinkerSec’s story:  https://threadreaderapp.com/thread/1063423110513418240.html



    Blue Team:

    - Least Privilege Model

    - Least Access Model

        “limited remote access to only a small number of IT personnel”

    “This user didn't need Citrix, so her Citrix linked to NOTHING”

    “They limited access EVEN TO LOCAL ADMINS!”

    - Multi-Factor Authentication

    - Simple Anomaly Rule Fires

        “Finance doesn’t use Powershell”

    - Defense in Depth

        “moving from passwords to pass phrases…”

    “Improper disposal of information assets”
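    The "Finance doesn't use PowerShell" rule above is a department-baseline anomaly check. The following is example code added to these notes (not from the episode, its guests or the TinkerSec thread) that generalizes it: learn which processes each department normally runs from a window of constructed process-creation events, then alert on anything outside that baseline. Department names, users and process names are constructed sample data.

```python
"""Department-baseline anomaly rule: flag any process a department has never
been seen running, e.g. PowerShell launched by a Finance user.
Example code added to these show notes; sample data is constructed."""
from collections import defaultdict

# Constructed learning-window events: (user, department, process name).
BASELINE_EVENTS = [
    ("alice", "Finance", "excel.exe"),
    ("alice", "Finance", "outlook.exe"),
    ("bob", "Finance", "excel.exe"),
    ("bob", "Finance", "chrome.exe"),
    ("carol", "IT", "powershell.exe"),
    ("carol", "IT", "mmc.exe"),
    ("dave", "IT", "powershell.exe"),
]

# Constructed live events: one normal, one matching "Finance doesn't use PowerShell".
LIVE_EVENTS = [
    ("alice", "Finance", "excel.exe"),
    ("bob", "Finance", "powershell.exe"),
    ("carol", "IT", "PowerShell.EXE"),
]


def build_baseline(events):
    """Map each department to the set of process names observed during learning.
    Names are lower-cased so 'PowerShell.EXE' and 'powershell.exe' match."""
    baseline = defaultdict(set)
    for _user, dept, proc in events:
        baseline[dept].add(proc.lower())
    return baseline


def detect(events, baseline):
    """Return one alert string per event whose process is outside its
    department's baseline. A department with no baseline at all has every
    process flagged, which surfaces unexpected new departments too."""
    alerts = []
    for user, dept, proc in events:
        if proc.lower() not in baseline.get(dept, set()):
            alerts.append(f"{dept}: {user} ran {proc} (not in department baseline)")
    return alerts


if __name__ == "__main__":
    for alert in detect(LIVE_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(alert)
```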


    Red Team:

    - Keep Trying

    - Never Assume

    - Bring In Help

    - Luck Favors the Prepared

    - Adapt and Overcome

    Before the Test

    • Talk it over with stakeholders: Reasons, goals, schedules
    • Report is the product: Get samples
    • Who, what, when, where, why, how
    • Talk to testers (and clients, if you can find them)
      • Ask questions
      • Look for past defensive experience and understanding of your needs
        • Bonus points if they interview you as a client
      • Red flags: Pwning is all they talk about, they set no-crash guarantees, send info in the clear
    • Define the scope: Test type(s), inclusions, exclusions, permissions, accounts
    • Test in ‘test/dev’, NOT PROD
    • Social Engineering: DO THIS. Yes, you’re vulnerable. DO IT ANYWAY.


    During the Test

    • Comms: Keep in contact with the testers
      • Status reports (if the engagement is long enough)
      • Have an established method for escalation
      • Have an open communication style --brbr (WeBrBrs)
    • Ask questions, but let the testers do their jobs
    • Be available and ready to address critical events
    • Keep critical stakeholders informed
    • Watch your network: things break, someone else may be getting in, capture packets(?)


    After the Test

    • Getting Results:
      • Report delivered securely
      • Initial summary: How far did they get?
      • Actual report
        • Written for multiple levels
        • No obvious copy/paste
        • Read, understand, provide feedback, and get revised version
    • Next steps:
      • Don’t blame anyone unnecessarily
      • Start planning with stakeholders on fixes
      • Contact vendors, educate staff
    • Reacting to report
    • Sabotaging your test
    • Future testing


    Ms. Berlin’s Legit business - Mental Health Hackers


    CFP for Bsides Seattle (Deadline: 26 November 2018) http://www.securitybsides.com/w/page/129078930/BsidesSeattle2019


    CFP for BsidesNash https://twitter.com/bsidesnash/status/1063084215749787649 Closes Dec 31


    Teaching a class in Seattle for SANS (SEC504) - need some students! Reach out to me for more information. Looking to do this at the end of February through March.



    Check out our Store on Teepub! https://brakesec.com/store

    Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

    #Brakesec Store!: https://www.teepublic.com/user/bdspodcast



    #Youtube Channel:  http://www.youtube.com/c/BDSPodcast

    #iTunes Store Link: https://brakesec.com/BDSiTunes

    #Google Play Store: https://brakesec.com/BDS-GooglePlay

    Our main site:  https://brakesec.com/bdswebsite

    #iHeartRadio App:  https://brakesec.com/iHeartBrakesec


    Comments, Questions, Feedback: bds.podcast@gmail.com

    Support Brakeing Down Security Podcast by using our #Paypal https://brakesec.com/PaypalBDS OR our #Patreon


    #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

    #Player.FM : https://brakesec.com/BDS-PlayerFM

    #Stitcher Network: https://brakesec.com/BrakeSecStitcher

    #TuneIn Radio App: https://brakesec.com/TuneInBrakesec
