Dailydave mailing list archives
Penetration Testing is Changing
From: Dave Aitel <dave () immunityinc com>
Date: Thu, 07 May 2015 07:12:58 -0400
Watch this new INNUENDO Video first: https://vimeo.com/126988596 . It is amazing.

At INFILTRATE the Microsoft penetration testing team did the final presentation. First of all, their goal is to move FASTER than log replication. I know a lot of modern players are pretending to be able to do their intrusion analysis in real time. REAL TIME IS NOT POSSIBLE. Not even your brain <http://images.chinatopix.com/data/images/full/6462/muhammad-ali-getting-hit-by-a-left-hook-from-joe-frazier-during-the-fight-of-the-century-in-madison-square-garden-in-1971.jpg> works in "real time".

The basic theme of the talk was simple: Hit any one host in a large domain. Grab all the LDAP data you can (Groups/Machines/Users) and then sweep as much as you can across the domain to find out LastLoggedIn data. Then exfil it as fast as possible. It'll be "moderately large" (4GB) but you can download it reliably over DNS or ICMP even with a modern system like INNUENDO. You can then remove yourself from the network before the IR team has a chance to do anything. With the data you retrieved, you can do all sorts of cool analysis that will enable lateral movement or follow-on attacks.

Not coincidentally, Microsoft also released some interesting AD intrusion analysis <http://blogs.technet.com/b/ad/archive/2015/05/04/microsoft-advanced-threat-analytics-public-preview-release-is-now-available.aspx> tools this week which are worth a look.

Really there are several things changing:

1. Top level methodology is changing. The Microsoft team emphasized that once they go in, and gather the right data, they can use advanced machine learning and data analysis to show them exactly which users to phish next, and how. They know once they get back in exactly which machines they need to go onto to control the network. It's no longer a guessing game. It's more deterministic. Looking at some of these methodologies means how you buy penetration testing has to change. Once you realize "The attacker at some point is going to get on one of the boxes on my domain" you have to start testing lateral movement, data exfiltration, and incident response from that perspective.

2. Advanced low level techniques are being commoditized, partially because Kaspersky and co. are doing a good job writing giant white papers on the things they catch in the wild. In INNUENDO's case this means the public penetration testing community can get an advanced implant including the in-memory loader, high-level language VM and API, multiple channels, built-in sniffer and debugger, and OPSEC workflow.

In short: if you just bought Mandiant or Crowdstrike or Carbon Black or are using the new agents from Tenable or Qualys, then you are going to want to test them with INNUENDO or a tool like INNUENDO to see if they really work the way you think they do. Let us know if you want to try this out! :)

-dave
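The post's claim that a 4GB LDAP dump can be pulled out over DNS is also a statement about what the defender's resolver logs look like while it happens: one client issuing a stream of unique, high-entropy subdomain labels under a single parent zone. The following detector is an added example (not code from the post, from Immunity, or from INNUENDO) that scores resolver query logs on exactly those two signals. The log format, the sample lines, the client addresses, the `exfil-example.net` zone and the thresholds are all constructed for the example; the "parent zone = last two labels" rule is a stated simplification that real deployments replace with the public suffix list.

```python
"""Heuristic DNS-tunnel exfiltration detector run over resolver query logs.

Added example, not from the original post: flags a client that sends many
unique, high-entropy subdomain labels under one parent zone, which is what
bulk data leaving over DNS looks like from the resolver's side.
"""
import math
from collections import defaultdict

# Constructed sample log (assumed format "<epoch> <client_ip> <qname> <qtype>").
# 10.0.0.5 browses normally; 10.0.0.7 pushes hex-encoded chunks out via TXT lookups.
SAMPLE_LOG = """\
1431000001 10.0.0.5 www.example.com A
1431000002 10.0.0.5 mail.example.com A
1431000003 10.0.0.5 login.example.com A
1431000004 10.0.0.7 www.example.com A
1431000005 10.0.0.7 3f9a1c7e2b8d4e6f0a1b2c3d.t.exfil-example.net TXT
1431000006 10.0.0.7 9c0d2e4f6a8b1c3d5e7f9a0b.t.exfil-example.net TXT
1431000007 10.0.0.7 5a7b9c1d3e5f7a9b1c3d5e7f.t.exfil-example.net TXT
1431000008 10.0.0.7 0b2c4d6e8f0a2b4c6d8e0f1a.t.exfil-example.net TXT
1431000009 10.0.0.7 6e8f0a2b4c6d8e0f1a3b5c7d.t.exfil-example.net TXT
1431000010 10.0.0.7 1d3e5f7a9b1c3d5e7f9a0b2c.t.exfil-example.net TXT
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of the string: 0 for 'www', close to 4 for random hex."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Split 'a.b.example.com' into ('a.b', 'example.com').

    Assumption: the parent zone is the last two labels. Production code
    should consult the public suffix list instead (co.uk and friends)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (epoch, client, qname, qtype); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        yield int(ts), client, qname, qtype


def profile_clients(text: str):
    """Aggregate per (client, parent zone): distinct subdomains, entropy of the
    data-carrying (leftmost) label, and bytes of distinct subdomain payload."""
    stats = defaultdict(lambda: {"subdomains": set(), "entropies": [], "bytes": 0})
    for _ts, client, qname, _qtype in parse_log(text):
        sub, parent = split_qname(qname)
        if not sub:
            continue  # bare apex lookups carry no subdomain payload
        entry = stats[(client, parent)]
        if sub not in entry["subdomains"]:
            entry["subdomains"].add(sub)
            entry["entropies"].append(shannon_entropy(sub.split(".")[0]))
            entry["bytes"] += len(sub.replace(".", ""))
    return stats


def find_suspects(text: str, min_unique: int = 5, min_entropy: float = 3.0):
    """Return (client, parent, unique_count, mean_entropy, payload_bytes) for each
    client/zone pair over both thresholds. Thresholds are illustrative; tune them
    against your own resolver's baseline before alerting on them."""
    suspects = []
    for (client, parent), e in profile_clients(text).items():
        unique = len(e["subdomains"])
        mean_h = sum(e["entropies"]) / len(e["entropies"])
        if unique >= min_unique and mean_h >= min_entropy:
            suspects.append((client, parent, unique, round(mean_h, 2), e["bytes"]))
    return sorted(suspects)


if __name__ == "__main__":
    for client, parent, unique, mean_h, nbytes in find_suspects(SAMPLE_LOG):
        print(f"{client} -> {parent}: {unique} distinct subdomains, "
              f"mean label entropy {mean_h}, ~{nbytes} bytes of payload")
```

Run against the constructed log it reports only 10.0.0.7 against exfil-example.net; the same client's ordinary www.example.com lookup and all of 10.0.0.5's traffic fall under both thresholds. Counting only distinct subdomains matters: a legitimate host re-resolving the same few names thousands of times produces volume but no new payload, whereas a tunnel cannot reuse a name without the resolver cache answering from memory. The bytes column is what lets you compare an alert against the "moderately large" figure the post mentions, since at roughly 25 bytes of payload per query a 4GB dump would need on the order of 10^8 queries from one client.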