BSidesDFW is tomorrow, Saturday November 2, and we have one last opportunity to highlight one more of the incredible lineup of sessions they have planned.
APT-style attacks have become more and more popular with those seeking to exfiltrate sensitive information from enterprises, government, and those who administer our critical infrastructure.
In response, organizations are implementing the latest shiny anti-APT appliances which are consistently failing to detect even the most basic of attacks.
Ryan Reynolds (@reynoldsrb) and Tony James (@tx3_) seek to demonstrate some of the ways these attackers may attempt to escalate privileges throughout the network without the use of zero-days and without tripping any alarms.
Reynolds has been with Crowe Horwath for six years and manages their penetration testing services, and he has a wide range of knowledge and experience in system administration and networking, including expertise in security applications and controls. Reynolds has presented at several conferences prior, such as Defcon and BlackHat.
James is a Senior Information Security Consultant at Crowe, and has been a member of the penetration testing team for three years. He is a technical lead for all engagements including application, network, and infrastructure penetration testing on both internal and external systems as well as social engineering and physical security assessments.
This talk is geared towards anyone who is concerned with external and internal attacks, and they will not only be demonstrating attack techniques, but also providing recommendations for IT/IS teams that are reasonable and cost-effective.
“Most often, attackers break in, steal all the info and don’t even battle with any of a company’s defenses,” James said. “As a result the company buys a pentest in order to test their security, and so a firm gets hired and runs Appscan, Nessus or Metasploit, then informs management of all the holes in the environment, but this doesn’t mimic a real world attack.”
James notes that the bad guys aren’t running Nessus or Nmap in order to breach a company and steal their data, and so this session will look at the most common ways attackers are able to breach an internal network and steal data without tripping any alarms.
“This talk will go beyond a standard pentest/vulnerability assessment and will be a demonstration of how the bad guys use the company’s systems against them and the ways real attackers break in under the radar,” James said.
“We will look at techniques such as using built-in host functionality, network reconnaissance methods, routing protocol insecurities, abusing security agents that are supposed to increase security, and some popular DLP bypass techniques,” James continued.
“A wide range of pentest techniques will be discussed, but more importantly we will provide solutions for all the blue teams out there that can thwart the attacks and also won’t break the bank.”
James and Reynolds hope that administrators, security engineers, management, and the typical employee will become more aware of what may happen within their company’s network in the event of an attack by showing how simple it is to escalate privileges and exfiltrate data from networks.
“Our goal is to make everyone aware of the real world attack techniques performed by malicious outsiders and insiders, and the need for realistic penetration testing versus basic vulnerability assessments in order to fully understand the organization’s security posture,” James said.
James said that implementing some of their recommendations may cause some false positives on legitimate traffic, and so taking the time to properly distinguish malicious traffic from legitimate traffic with your SIEM product is critical.
“Implementing security doesn’t happen overnight; it is a time-consuming process, but there are also some quick/basic wins that can dramatically help,” James said.
As more technologies are implemented, the threat landscape will keep on growing, and this highlights how an organization’s culture must also change along with security advancements.
“Will Administrators continue to patch their most critical systems and implement the latest solutions to help counter the security implications that your typical employee will encounter? Will HR/Security continue to properly train their employees from a Security Awareness standpoint?” James asks.
“Only time will tell…”
Related BSides Articles:
- Security Requirements: Required to Fail
- Killer CTF Competition Techniques and Tactics
- Grounding Anti-Phishing Programs in Cognitive Foundations
- Exploiting SOHO Routers to Gain Root
- The Object Monitor for Enhanced Network Security (OMENS)
- Fun with WebSockets Using Socket Puppet
- Open Source Pentesting and Forensic Distribution
- Vulnerabilities in Application Whitelisting
- Effective Communication in IT Security
- Baking Assurance into Software
- Wireless Pen Testing and Assessments
- Using Machine Learning for Security Analytics
- No Magic Bullets