An obituary to pentesting?

I just saw a blog post in which Mike Kemp discovers the realities of 2010 (linkedin). (disclaimer – I know Mike and love him as a person, and this is my way of poking at him a bit – no disrespect here, but pretty much the opposite)

Now, go read that post (yes, I know, it’s long, but trust me).
This isn’t new (albeit very honest, direct and true), but here are a couple of comments I have:

  1. Penetration Testing is dead. Overrated, and abused by fancy vulnerability scanning, it died a few years ago. If you are still paying for one – check carefully what you are actually getting…
  2. Automation is king. I actually argue that 80% of what’s sold as a pentest by the major providers can/should be automated. All those scanner monkeys should be fired or forced to step up their game and actually do some work.
  3. Compliance? Really? Do you really want to go there? It’s got nothing to do with security, and if you thought so for a second I want to have what you were on when you did.
  4. Standards. This is where Mike touches on a sensitive topic for me (yes, PTES…). I’d actually challenge Mike to show me how PTES (which he mentions in the post – but you already know that because you read it, right?!) restricts providers by providing the engagement steps – which they should follow. There’s no restriction to scope, and I have personally used PTES in red team engagements. Full scope, no bars held. But still with a standard to follow, and something the client can also keep track of and know what to expect (and demand).
  5. I fully agree on the “pass the wealth” point where you should call in someone else who’s an expert to deal with a specific client request. Done that many times, and have never lost a customer that way.

Last but not least – yes, I do think that most pentesters can be replaced with a script. As they should. I do however have some solid advice for Mike and others who are still valuable professionals with skills that are not replaceable by automation: demand a proper engagement model. And yes – I’m referring to the PTES again. You’ll notice that threat modeling is part of it. Done properly, threat modeling achieves multiple goals:

  • Forces the discussion to be around security rather than compliance, price or other factors that have nothing to do with security.
  • Scope goes out the window as threat models focus on the BUSINESS and not the TECHNOLOGY.
  • Enables the organization to test itself against its adversaries (threat actors/communities) rather than against pentesters. Much more rewarding, and correct.
  • Enables the provider (if it can muster a decent threat model with the client) to charge decent rates for its services. You can clearly show how this isn’t some automated software running and spitting out reports, but skills and experience at play. It’s then your responsibility to follow through on it and make sure the final deliverable also looks like that (otherwise you are looking at a very short success rate for trying to adopt only part of this approach).

I actually welcome the hordes of scanner monkeys and tool-jockeys. They make the real professionals look even better. And although professionals don’t often have the marketing/sales power of the big-[number], trust me – they are busy, and doing work that the “big” and “trusted” suppliers can’t even start to put on their canned proposal templates.

Yes, you knew exactly what you were walking into…

I’m writing this in response to a very well put together article written by my friend Dave Lewis on CSO Online: “Are you a legitimate military target?”.
In the article Dave talks about how security researchers, practitioners, and security vendors are suddenly “surprised” to find themselves potentially being under the scrutiny of foreign (and guess what – domestic) governments and militaries.

Dave quotes Mikko Hypponen, F-Secure’s Chief Research Officer who keynoted the FIRST conference last week in Berlin, saying “I didn’t sign up for this”.
Well, sorry to take the other side – but you did. We all did. Even those of us who have been in the industry for almost 20 years. We grew up on movies like “War Games”, on stories such as Cliff Stoll’s “The Cuckoo’s Egg”, and those of us who were pushing the boundaries and practicing security research also knew that we were playing fast and loose with the law a lot of the time (successfully, for those of us with a clear record).
Well, guess what, just like a nuclear physicist becomes a target (legitimate or not) for a foreign nation because they are associated with another nation’s nuclear program, so are we.

Any new piece of information that may allow an advantage in the greater scheme of things is highly sought after by nation states, and if you are not aware of it, well, good luck to you.

I join Dave’s closing comment on the difference between espionage and warfare. We all need to understand though that there are governments and their intelligence services behind both of these. So yes, we all knew very well what we were walking into when we found our first 0-day, vulnerability, or realized that we can bypass controls, processes, hardware, software or whatever it is we hack our way through. This kind of knowledge and skill is a far cry from a new crocheting technique.

p.s. I’ve mentioned the law here, and if you know me you know that one of my pieces of advice to any fellow practitioner is usually “get a lawyer”. This isn’t just for fun – law is just as hackable as cheap knockoff Chinese firmware, or a shady Israeli device driver. I highly encourage everyone to at least study your local legislation in relation to computer “stuff”, as well as dabble a bit in the international aspects of it.

Post RSA musings

So it finally happened – I’ve had my first RSA in 9 years.

And what an experience. Suffice to say that I ended that week with no voice, a bad back, and minimally functioning knees, but given the premise of the show I’d peg it as a huge success.

First – having BSides to catch up with friends and colleagues was a perfect beginning to the week (not to mention the weekend in Napa right before – thanks for having me, Tenable!). There still is a huge value that I see in BSides, and BSidesSF specifically. Despite the great venue (thanks OpenDNS), some more hallway-con was sorely missed. Be it the way the venue is laid out (preventing more active/vocal discussions from happening anywhere other than outside), or the decision to run a dry venue (not even bring your own alcohol), I’d want to see how peer-engagement gets more focus there.

Second – the ability to “hack” RSA from a technical person’s perspective, and yes, I still consider myself somewhat technical, regardless of my ability to don a suit and behave like a business guy. Which is sort of what hacking RSA is… It was intriguing having interactions with people outside of the echo-chamber (aka infosec) who deal with security and having them take a preconceived notion of me as a sales person. Or with those who gravitated to me as “I needed to talk to someone who is technical” – probably after snooping around a bit and choosing their approach based on existing conversations 😉

Last (and I saved the downer for here) – the show floor. After getting over the sheer size of the convention (no worries – BlackHat has a way to go until it becomes an RSA), I had my expectations adjusted a bit. Walking through the halls, you come to the realization that a lot of the companies showing there (especially in the south hall) should probably have no reason to exist. The same regurgitation of “threat intelligence”, “endpoint protection” (i.e. APT, 0day, etc…), and your usual “trust me, I’m an engineer” approaches, were becoming comical to a point where I’d need to keep my gaze pointed far away and ignore the noise while walking around. I truly expected to see some new innovative approaches to security, and companies who would break out of the circle-jerk of security vendors. Unfortunately I didn’t see many, the reason for which I can’t really put my finger on (maybe the cost of entry to RSA?).

Overall, a great experience (and yes – lots of new business too), so yes, I believe my #notatrsa streak has come to an end. Or maybe I’m just getting old 😉

Yes – you can engage with other evangelists at RSA! (and what seemed like a weird obsession – collect truckloads of branded t-shirts and vendor giveaways).

May the force? May in full force…

Lack of updates here usually means that time constraints are in effect… But apparently all that work is paying off as some of the research we have been working on is starting to get front-and-center stage.
May marks a busy month where I’ll be bouncing around a few places (São Paulo, North Carolina, and locally here in NYC) to talk about it.
Stay tuned for details 😉

ISTS12 Keynote and Red Team

I’ve had the pleasure and the honor to keynote this year’s ISTS (Information Security Talent Search) that ran at the Rochester Institute of Technology (RIT). Additionally, I was fortunate to get a seat with the Red Team during the event itself and work closely with some of my friends and colleagues.

It has been a while since I had the chance to work with students (mostly with my alma mater, the IDC, during freshman orientation, and the “CS for Real” series for CS students). And I honestly didn’t know how to address this initially. Thankfully, Jared and the ISTS team were pretty open to my suggestion of combining a “here’s how I got here” rant with some technical examples of challenges and engagements.

The keynote wasn’t recorded (thankfully?) but here are the slides that were used as the backdrop for it. I ended up coming back with some insights from the keynote (as I usually try not just to provide information, but also to learn new things), and thanks to some awesome questions from the audience (students, red teamers, and apparently faculty, who I hadn’t realized were also there…) it ended up a really great session for me!

The next day was spent with the red team, which was a great opportunity to catch up on some skills that I left behind (always pick the task that you are less familiar with!), and really kick some ass with the team. Chris Gates has written a great wrap-up blog on it here: http://carnal0wnage.attackresearch.com/2015/03/ists12-thoughts-notes-feedback.html

Really looking forward to working more closely with people who are just starting their way in the industry – if the feedback doesn’t lie, it seemed to be somewhat beneficial to them, and from a completely selfish perspective, I had a chance to learn a few things myself too!