Dailydave mailing list archives
Re: reach for the sky vs stay airborne
From: Darkpassenger <darkpassenger () unseen is>
Date: Tue, 27 Oct 2015 18:55:47 -0700
i've got a couple of counterarguments here:

- not every biz can deal with the reality of a red team getting access to their shit. forget about this in .gov and serious .mil environments, despite all the claims. upstairs managers usually don't want external entities messing with the "current stability" of their area, even if they understand they might have problems. notice that i am referring to two concepts here: 1- stupidity and corruption, which is very often the case; 2- the reality of the nature of these biz. there are others who don't want red teams to reveal how bad the situation is -- i have seen petrochemicals and secretive finance actors or even political organizations who are not even ready to hear of doing one red team exercise, let alone accepting the recurrent existence of external access of any kind.

- a red team successful in getting screenshots doesn't mean that the security measures afterward are going to protect against APT-type attacks. many of the breaches happened and will happen in environments that are already dealing with red teams. basically the adversary is better, or gets lucky, or is much more persistent and serious. a red team doesn't do magic if you are a target for a powerful player. therefore, having deals with a red team vs whether you are a potential target or not is a much more important problem to be wary of.

- red teams are valueless in the case of insider-based threats. what i have seen so far as extreme damages usually has insider factors: either an informed and motivated insider or stupid disillusioned ones.

- staying airborne often contradicts organizations' strategies, mostly in IT developments. external entities make it hard and expensive for managers to handle their work, the budget, their pretty beautiful figure for higher level managers..etc. even very educated and seasoned managers often prefer the illusion of being already good to getting constant screenshots from red teams. the headaches of this, the meetings it needs, the unhappy inside engineers who complain about outsiders messing with their shit..are real facts in all sorts of organizations. so the predators get what they want and then there is the blame game. how many times i have seen this i can't recount.

- last but not least, what is called in the infosec industry "improvements" usually means "failures" in the mindset of other components of the organization. i understand pentesters and red teams may find it victorious and progress to get screenshots, but this often doesn't have the same feeling for others who play different roles. there is an inertial opposition mindset for role players in an organization against recurrent victories of red teams. the screenshots always result in whispers, unhappiness, and most importantly changes in whatever exists, and who likes that?

i know i sound harshly cynical toward organizations' personnel, managers and overall "human factors" but i believe it's realistic and factual. while as a trivial concept i trust a tangled "tangible" recurrent test procedure is a must for an organization to stay afar from hack harms, i don't see the major reason behind most breaches and losses as the lack of defensive arsenals or not staying airborne. it is the mindsets, the personal feelings, the social norms within the target human group and ..the FCKUPS. mustachy kisses and dudely hugs fly to all pentesters and the magicians who develop golden exploits! plz do not cut and eat me alive :D

-dp

On 2015-10-27 06:22, Konrads Smelkovs wrote:
In my view, security improvements in organisations are driven by breaches and red team exercises/pentests. While breaches give hard lessons learned, red teams often don't, and that's because we reward red teamers for a "domain admin" rather than longer term persistent access.

This is what I call reach for the sky/rocket launch: you get domain admin, get a screenshot of the CEO's e-mail and declare job done. In reality, a good simulation would be to "stay airborne" - take a screenshot of the CEO's e-mail/exfil PST every week.

That's not to say that there isn't a scenario where destruction of assets is the end-goal of an attacker, but even then, I would argue that red teamers ought to put an .exe in autoruns for every PC they wish to have done a simulated wipe.

-- Konrads Smelkovs
Applied IT sorcery.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave