Preview Mode Links will not work in preview mode

Nov 19, 2018

Jarrod Frates

Inguardians

@jarrodfrates

“Skittering Through Networks”

Ms. Berlin in Germany - How’d it go?

   

TinkerSec’s story:  https://threadreaderapp.com/thread/1063423110513418240.html

 

Takeaways

Blue Team:

- Least Privilege Model

- Least Access Model

    “limited remote access to only a small number of IT personnel”

“This user didn't need Citrix, so her Citrix linked to NOTHING”

“They limited access EVEN TO LOCAL ADMINS!”

- Multi-Factor Authentication

- Simple Anomaly Rule Fires

    “Finance doesn’t use Powershell”

- Defense in Depth

    “moving from passwords to pass phrases…”

“Improper disposal of information assets”

 

Red Team:

- Keep Trying

- Never Assume

- Bring In Help

- Luck Favors the Prepared

- Adapt and Overcome



Before the Test

  • Talk it over with stakeholders: Reasons, goals, schedules
  • Report is the product: Get samples
  • Who, what, when, where, why, how
  • Talk to testers (and clients, if you can find them)
    • Ask questions
    • Look for past defensive experience and understanding of your needs
      • Bonus points if they interview you as a client
    • Red flags: Pwning is all they talk about, they set no-crash guarantees, send info in the clear
  • Define the scope: Test type(s), inclusions, exclusions, permissions, accounts
  • Test in ‘test/dev’, NOT PROD
  • Social Engineering: DO THIS. Yes, you’re vulnerable. DO IT ANYWAY.

 

During the Test

  • Comms: Keep in contact with the testers
    • Status reports (if the engagement is long enough)
    • Have an established method for escalation
    • Have an open communication style --brbr (WeBrBrs)
  • Ask questions, but let the testers do their jobs
  • Be available and ready to address critical events
  • Keep critical stakeholders informed
  • Watch your network: things break, someone else may be getting in, capture packets(?)

 

After the Test

  • Getting Results:
    • Report delivered securely
    • Initial summary: How far did they get?
    • Actual report
      • Written for multiple levels
      • No obvious copy/paste
      • Read, understand, provide feedback, and get revised version
  • Next steps:
    • Don’t blame anyone unnecessarily
    • Start planning with stakeholders on fixes
    • Contact vendors, educate staff
  • Reacting to report
  • Sabotaging your test
  • Future testing

 

Ms. Berlin’s Legit business - Mental Health Hackers

 

CFP for Bsides Seattle (Deadline: 26 November 2018) http://www.securitybsides.com/w/page/129078930/BsidesSeattle2019

 

CFP for BsidesNash https://twitter.com/bsidesnash/status/1063084215749787649 Closes Dec 31

 

Teaching a class in Seattle for SANS (SEC504) - need some students! Reach out to me for more information. Looking to do this at the end of February through March

 

 

heck out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotifyhttps://brakesec.com/spotifyBDS

#RSShttps://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloudhttps://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypalhttps://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter@brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec