Dailydave mailing list archives

Re: reach for the sky vs stay airborne

From: Darkpassenger <darkpassenger () unseen is>
Date: Tue, 27 Oct 2015 18:55:47 -0700

i've got a couple of counterarguments here:

- not every biz can deal with the reality of a red team get access totheir shitforget about this in .sgov and serious .mil environments , despite allthe claims.upstairs managers usually dont want external entities mess with the"current stability"of their area , even if they understand they might got problems . noticethati am referring to two concepts here : 1-stupidity and corruption , whichis veryoften the case 2- the reality of nature of these biz . there are otherswho dontwant red teams reveal how bad is the situation -- i have seenpetrochemicals andsecretive finance actors or even political organizations who do not evenready tohear of doing one read team exercise , let alone accepting recurrentexistence of

external access of any kind

- a red team successful in getting screenshots doesnt mean that thesecuritymeasures afterward is going to protect against APT-type attacks . manyof thebreaches happened and will happen in environments who are alreadydealingwith red teams . basically the adversary is better or gets lucky or ismuchmore persistence and serious . a red team doesnt magic , if you are atargetfor a powerful player . therefore , having deals with red team vswhetheryou are a potential target or not is a much important problem to be waryof

- red teams are valueless in the case of insider-based threats . what ihave

seen so far as extreme damages usually has insider factors . either an
informed and motivated insider or stupid disillusioned ones

- staying airborne often contradicts with organizations strategies ,mostly

in IT developments . external entities make it hard and expensive for

managers to handle their work , the budget , their pretty beautifulfigure forhigher level managers..etc . even very educated and seasoned managersoftenprefer the illusion of being already good , than getting constantscreenshots from

red teams . the headaches of this , the meetings it needs , the unhappy

inside engineers who complain outsiders messing with their shit..arerealfacts in all sorts of organizations . so the predators get what theywantand then there is blame game . how many times i have seen this canntrecount

- last but not least , what is called in infosec industry as"improvements"usually means "failures" in mindset of other components of theorganizationi understand pentesters and red teams may find it victorious andprogress toget screenshots but this often doesnt have the same feeling for otherswhoplay different roles . there is inertial opposition mindset for roleplayersin an organization against recurrent victories of red teams . thescreenshotsalways results in whispers , unhappiness , and most importantly changesin

whatever exists and who likes that ?

i know i sound harsh cynical toward organizations personnel , managersandoverall "human factors" but i believe its realistic and factual . whileas atrivial concept i trust a tangled "tangible" recurrent test procedure isa must

for an organization to stay afar from hack harms , i dont see the major
reason behind most breaches and losses the lack of defensive arsenals

or not staying airborne . it is the mindsets , the personal feelings ,the

social norms within the target human group and ..the FCKUPS .

mustachy kisses and dudely hugs fly to all pentesters and the magicians
who develop golden exploits ! plz do not cut and eat me alive :D

-dp

On 2015-10-27 06:22, Konrads Smelkovs wrote:

In my view, security improvements in organisations are driven bybreachesand red team exercises/pentests. While breaches give hard lessonslearned,
red teams often don't and that's because we reward red teamers for a
"domain admin" rather than longer term persistent access.
This is what I call reach for the sky/rocket launch: you get domainadmin,get a screenshot of CEO's e-mail and declare job done. In reality, agood
simulation would be to "stay airborne" - take a screenshot of CEO's
e-mail/exfil PST every week.
That's not to say that there isn't a scenario where desctruction ofassets
is the end-goal of an attacker, but even then, I would argue that red
teamers ought to put an .exe in autoruns for every PC they wish to have
done a simulated wipe.



--
Konrads Smelkovs
Applied IT sorcery.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave

Current thread:

reach for the sky vs stay airborne Konrads Smelkovs (Oct 27)
- Re: reach for the sky vs stay airborne Darkpassenger (Oct 29)
- Re: reach for the sky vs stay airborne Kristian Erik Hermansen (Oct 29)
  - Re: reach for the sky vs stay airborne Konrads Smelkovs (Oct 29)
- Re: reach for the sky vs stay airborne Terry Bradley (Oct 29)