Tag Archives: attack tools

Introducing SexyDefence

After a long time of no updates, I’m finally back to a “normal” schedule, but as always – there’s some new project that emerges from just being around extremely smart people and accessibility of alcohol…

So, during an exciting tweeting session at the SecurityZone green room (which is never green BTW), where all of us geeks were relaxing and instead of actually talking to each other (again – we are all in the same room), we were exchanging gestures and an occasional snicker as we “discussed” things on twitter. At one point, the question of “why on earth can’t we make defense as sexy as we managed to make offense?” (in the context of information security of course).

That started what we call “SexyDefence”.Bar Refaeli in soldier uniform

The parties to blame are: James Arlen, Stefan Friedly, Chris Nickerson, David Kennedy, Wim Remes, Dave Marcus, Chris John Riley, Georgia Weidman, and yours truly. We managed (in 30 the 30 minutes we had before we went back to “normal” con business and ran a panel on SexyDefence) to set up a space where this new initiative would be panned out. Here are the main points (just a beginning) of what we consider as the SexyDefence “manifesto” 🙂

0. Rediscover your passion for the job you have instead of whining about the job you don’t have.
1. Wake the fuck up and learn how your company works (for realz – not just the techie stuff)
2. Use everything you have. whatever the “bad” guys use is fair game for u as well. research vulns on attack tools…
3. Intelligence. Gather it. On you, on your threat communities. Now use it. Intelligently.
4. You have more information at your disposal than you think (logs. Lots of them). Figure out a way to use it.
5. Remember that it’s the users (humans) that will screw you up. Make sure your “plans” include dealing with them (not just tech)

Feel free to take a look (and as always contribute – see PTES) here: http://wiki.doinginfosecright.com/index.php?title=Main_Page

Happy hacking!

p.s. – Yes, I figured that a picture of the local model Bar Refaeli in uniform would be better that the one used on James’ blog of RightSaidFred…


Defense through Offense, and how APT fits there

I’m guessing that having “APT” in anything that goes outside for public consumption these days is mandatory, but this post actually has a good reason to do so. If you look back just one post in the past, we were discussing the new initiative to define “Penetration Testing”. The post, and the proposed standard itself really take a good look at what organizations need, and how to address such needs from a practical point of view, rather than from a compliance or a “check-box ticking” perspective.

For me this is one of the things that the security industry has done a great disservice to. It is exactly why companies are announcing that for every time they get breached, it was an advanced attack. An attack so sophisticated, that managed to stay persistent in their network and exfiltrate lots of sensitive information, that no reasonable control could have prevented or detected it. The all dreaded “APT”.

However, if you take a look at how organizations prepare themselves for such attacks you may find yourself staring at a blank page. Since regulatory compliance dictates a very basic “box checking” methodology for a very narrow and specific aspect of information security, and the product vendors on the other hand provide solutions that are “compliance oriented”, organizations are left with a very weak defense mechanisms. This is without even mentioning the biggest security gap in most organizations – the employees.

The lack of self-testing, of a real-world simulation of what an attack would look like, and how the organization would cope with, hinders most organizations from putting reasonable defenses in place. The lack of proper training, awareness campaigns, and exercises that stress out the human factor as well are leading us to a situation where even simple attacks that utilize off-the-shelf (and even FREE) attack tools, manage to go through an organizations control mechanisms with aggravating ease.

I’m looking back at what the penetration testing execution standard defines for its basic testing methodology, and I can clearly see how every element of the recent “APT” attacks would have been simulated, and probably in a more rigorous scenario. Such a test would have clearly left the tested organization with a roadmap that would bring it to a much higher security standard. And that’s the power of testing – of understanding the adversary’s techniques and strategies, and running exercises that reflect them in order to identify security gaps and close them as efficiently as possible. And yes – that also (and perhaps mainly) applies to human related processes and policies rather than just to technology.

So to sum things up – you may be compliant, but do not think for a moment that this compliance has anything to do with the security of your information. Until regulatory compliance does not mandate proper security testing in order to protect the data in question, such compliance is only going to hinder your “security vision”. Get proper testing, set up an internal team that would be responsible for understanding the threat communities you are dealing with (or hire an external one ), and make sure you set yourself a goal to have an unbiased understanding of what your gaps are and how well you can face a standard attack (yes – the same standard attack that you are going to call an “APT” if it would hit you unprepared).