Dailydave mailing list archives

Re: reach for the sky vs stay airborne

From: Konrads Smelkovs <konrads.smelkovs () gmail com>
Date: Wed, 28 Oct 2015 15:28:52 +0000

Nice product plug :)

If I'd be a defensive CISO and someone would pentest my org and show me how
he got domain admin, I'd tell them, "that's really great, but if you'd have
a normal C2 working for some period of time, my crystal-ball based anomaly
detection system would have picked it up and we'd IR/hunt you down" and the
red team bros would have nothing to reply because, they, well didn't have a
C2 going for a while and I would keep my bonus.

It is in the interest of the auditor/red-teamer to do this as much as it is
in the interest of a genuinely concerned customer who wants to know how
good they are.






--
Konrads Smelkovs
Applied IT sorcery.

On Wed, Oct 28, 2015 at 1:59 AM, Kristian Erik Hermansen <
kristian.hermansen () gmail com> wrote:

es that would be ideal but unfortunately there is always pushback due to
perception of privacy impact to staff / employees and also risk of
accidentally nuking the entire organization due to "unexpected changes".
You can try though and I wish you luck getting executives to sign off on
that risk. Or you could just buy Immunity Innuendo for $50K or Cobalt
Strike with beacon for about 1/10th that and get close to "APT
simulation"...


On Tuesday, October 27, 2015, Konrads Smelkovs <konrads.smelkovs () gmail com>
wrote:

In my view, security improvements in organisations are driven by breaches
and red team exercises/pentests. While breaches give hard lessons learned,
red teams often don't and that's because we reward red teamers for a
"domain admin" rather than longer term persistent access.

This is what I call reach for the sky/rocket launch: you get domain
admin, get a screenshot of CEO's e-mail and declare job done. In reality, a
good simulation would be to "stay airborne" - take a screenshot of CEO's
e-mail/exfil PST every week.

That's not to say that there isn't a scenario where desctruction of
assets is the end-goal of an attacker, but even then, I would argue that
red teamers ought to put an .exe in autoruns for every PC they wish to have
done a simulated wipe.



--
Konrads Smelkovs
Applied IT sorcery.



--
Regards,

Kristian Erik Hermansen
https://www.linkedin.com/in/kristianhermansen
https://google.com/+KristianHermansen

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave

Current thread:

reach for the sky vs stay airborne Konrads Smelkovs (Oct 27)
- Re: reach for the sky vs stay airborne Darkpassenger (Oct 29)
- Re: reach for the sky vs stay airborne Kristian Erik Hermansen (Oct 29)
  - Re: reach for the sky vs stay airborne Konrads Smelkovs (Oct 29)
- Re: reach for the sky vs stay airborne Terry Bradley (Oct 29)