Running Tiger Teams - What's the point?
John Butters, 12 July 2016

Agenda
•Outline what we do
•Do's and don'ts

What is it?
•Using the techniques of hackers or crackers, legitimately and in a controlled environment, to find and/or exploit security vulnerabilities

Includes
•Internal
•External
•Social Engineering
•War Dialling
•Wireless
•Application
•Vulnerability Scans

Typical Findings
•Technical
- missing patches
- misconfigurations
- no IDS
•Non-technical
- human practices
- poor processes to monitor & respond
- poor reaction times
•Trophies
- access to a wide range of resources, sensitive and non-sensitive

Anatomy of a hack (diagram)
External attacker: Identify Target Systems → Penetrate External Perimeter → Gain User Access to a Computer → Gain Privileged Access → Infiltrate Through Network
Internal attacker: already inside the perimeter

Video Clips
•Trace route
•Password Cracking
•Bank hack

War Stories
•Global Oil Company - able to administer the process control unit for a gas pipeline
•Global Chemicals Company - access to HR information, strategic merger target information, personal credit card details, secret formulas/recipes
•Large Utilities Company - control of a large portion of the network, including business-critical systems
•Global Hotel Chain - central reservation system, business plans, board report, executive compensation, guest and credit card details

Why do people buy it?
Scenario one
Buyer - internal audit
Objective
- 1) To prove the inadequacy of security
- 2) To score points, personal kudos
Scope
- known weak application
- limited by budget
- "safe" targets
- single-site external attack

Scenario one - Results
•Technical report for IT to address (symptomatic response)
•Exec summary saying "you're vulnerable to hackers"
•Increased distrust and animosity between IT and IA (internal audit)
•High profile, resulting in total focus on solutions to the findings
•After actions to address the report, everyone relaxes because "we've had our security tested and we've fixed all the holes"
•Report to the business customers and the world that we're OK because we have regular testing and have addressed all the vulnerabilities
Conclusion: The exercise has done more harm than good.

Scenario two
Buyer - Global CISO
Objective - Determine the vulnerability of corporate websites to defacement or DoS at the time of a global brand launch ($40 million spend)
Scope - Corporate websites, with specific emphasis on vulnerability to external DoS or defacement attacks
Result
- Some issues to address pre-launch
- Comfort that reasonable steps have been taken to protect the corporate brand during the launch period
Conclusion - Right tool for the right purpose. Happy client.
Pros and Cons
Pros
•Attention & awareness
•Positive result implies weakness
•Relatively quick and inexpensive
•Keeps people on their toes
•Useful component of an overall assurance programme
Cons
•FUD (fear, uncertainty, doubt)
•Potential agendas, internal conflicts
•Unbalanced view of security
•Negative result doesn't ensure security
•May be unrelated to business context
•Highlights problems, not solutions
•Tells techies nothing new
•Results misused to give false assurance
•Legal and risk implications
•Professional ethical hackers don't know all that the underground hacking world does
•Focus on the perimeter, and perimeters are breaking down
Like a baseball bat: a useful tool for the right purpose, but with more improper than proper uses

Doing it for the right reason
•As part of an overall security programme/assurance function, or for a specific purpose
•Clear objectives & scope
•Report relating to
- Objectives
- The business
- Addressing causes as well as symptoms
•Consider presentation alterations
•Clear follow-up actions
•Manage politics, legal issues & risk

Process (diagram)
Business Input → Scoping & Objectives → Assess Threats → Develop Penetration Tests Used by Threat Groups → Perform Tests Simulating Threat Groups (Internet Attack, Web Browser Attack, Remote Dial-Up Attack, Internal Attack, Social Engineering) → Exposure → Short-Term Fixes / Medium-Term Actions / Strategic Actions → Feedback

Questions