Computer security gurus Kevin Mitnick and Dave Kennedy taking the floor at DerbyCon to explain the concept of adaptive pentesting and cover its advantages.
Dave Kennedy: Thanks everybody for coming for the talk! Obviously, Kevin Mitnick and myself wanted to get together and get a talk around adaptive penetration testing, which will be explained a little bit here.

Kevin Mitnick: My book “Ghost in the Wires” is about kind of adaptive pentesting, a lot of that in the book. So, taking those concepts and using kind of the same stuff today – some of the same stuff still works but we’ll get into that later. We have a company and we do security assessments, but we usually take security assessments that are full compromise. We pick and choose, so it’s kind of fun. The only boring part of the work involved for pentesting is actually writing the report. But the actual work of pentesting is the awesome part. Dave is teaching me a little bit about social engineering, he wrote kind of a little toolkit. Dave is taking me under his wing.

Dave: I have to say Kevin is the number one bug contributor to the Social-Engineer Toolkit. He constantly uses it and gets to fix all the bugs that I do on my horrible coding. About myself – I’m the creator of the Social-Engineer Toolkit, one of the founders of DerbyCon (see right-hand image). I have a book from NoStarch Press. I’m on the BackTrack Development Team and Exploit-DB Team, although I’ve been kind of inactive on the Exploit-DB Team lately. I’m also an exploit writer. And I’m Chief Information Security Officer at Diebold. And I give hugs.
So, a brief introduction about what we wanted to cover here, adaptive penetration testing. When we look at penetration testing as a whole, it’s becoming kind of a convoluted system that we are leveraging, because there is no standardization around penetration testing. And for us, what we wanted to do is show different scenarios that we leverage in real-world penetration tests that are outside the norm: things that you don’t think of unless you are a hacker, things that you try to do that haven’t been done before that actually have a large impact on the organization.

Kevin: In a lot of penetration testing, what my clients talk to me about is they hire a company, they do scans with the common scanning tools, and then they package up something like a 400-page report with their logo and send it over to the CSO for review. In other words, they are not actually looking for the holistic vulnerabilities across the whole enterprise, where they could take several vulnerabilities that they have identified and put it together into something that’s really useful. They kind of stop at identifying the single vulnerabilities, put them in the report, send it over to the client, and it’s not of much use. That’s not every pentesting company that does it out there, but it’s a lot of them that I have encountered.
Dave: We are trying to come to a point in the security community where we can all come together and agree on the formal methodology around penetration testing that meets all of our needs. It requires actually having some skill to do penetration testing. That doesn’t mean you can’t grow through penetration testing; at the same time, we have to set some standards around actually performing penetration tests. That’s where the Penetration Testing Execution Standard was developed. Essentially, that standard defines what a penetration test should be. And basically, everybody in the community came together all over the world, people from god knows where, and said: “Listen, we’ve had enough, we want to define what this is, and this is what it’s going to be moving forward.”

And so, I look at the industry and I say: “Have we forgotten what we’re trying to do during a penetration test?” The whole goal of a penetration test is to attack the organization and try to impact their ability to generate revenue, or try to hit them where it actually hurts (see right-hand image). And that’s what an actual attacker is going to do: they are going to target the infrastructure, they are going to steal intellectual property, ransoms, try to go after financial systems – whatever their motives are. And really, that’s where we kind of need to go when it comes to penetration testing. That’s not really where we are at right now.
Kevin: I encourage people that are doing penetration testing to kind of think out of the box. Again, as I mentioned before, a lot of it is canned, or they follow a simple checklist. They do some good work, but I like to think about thinking out of the box, looking at the enterprise, looking at the target and figuring out any way you can compromise that target through compromising physical, technical or human factor vulnerabilities. So when we are doing our pentesting we look at everything holistically and then we look at how to attack the target. With my company, I hire pentesting contractors, and depending on the scope of the job they may hire a team, kind of like a Mission Impossible team, where the people involved are especially skilled at attacking what that client particularly has exposed. That’s how we set it up, and it’s been very successful.

Dave: And, obviously, there is something wrong. We are seeing an elevated number of breaches that are occurring. These statistics (see right-hand image) are taken from privacyrights.org. If you look at 2008 and 2011, there’s an exponential growth in companies actually receiving breaches. Somebody may say, hey, we might be getting better at detection elements. Well, generally speaking, around 70% of the companies had been in breach for several months or years without actually knowing that they were compromised. And so you think, with the industry growing larger and larger, we would actually start to be able to stop some of these exposures and actually start to stop some of these attacks. However, what we’re seeing is it’s not really happening.
Kevin: In fact, some old colleagues I used to work with, when they would compromise a target, the target would not get them out for years. I mean, once you get in, it’s extremely difficult to get the attackers out of the network, depending on their sophistication. But I have known guys who have been in for, like, a decade.

Dave: …Ouch! And so we look at our spend, as far as Gartner goes, and year after year we continue to increase our spend when it comes to security. We buy those shiny products, right? While those products are great and they actually can assist in building your security program, you have to look at your foundation first and what that really is. So we spend more money on protecting our infrastructure and we buy the latest technologies protecting us from zero-days. And yet, we still see these guys (see right-hand image) running amok.
Kevin: Yeah, these guys didn’t use super-sophisticated exploits. The LulzSec team used basic SQL injection and DDoS tools, not super-sophisticated. Anonymous – I think they recently compromised the BART website, again, through simple SQL injection. It’s not rocket science. Why were they effective? Because there’s a lot of low-hanging fruit out there.
Dave: How long has SQL injection been around for? Thirteen years?
Kevin: Yes, years. And there are some in the industry that actually argue that pentesting is not valuable, like Marcus Ranum for instance. He argues that pentesting isn’t valuable, and I don’t agree with that. I think if these entities actually had tested their security ahead of time, probably the LulzSec or Anonymous crew wouldn’t have got in.
Dave: I guess it all goes into what they actually do to protect themselves. If they get a report that actually shows systemic weaknesses in their infrastructure that might be used to take down the company and compromise them, and they don’t fix it – well, that’s on them. But at the same time, it’s better for them to have that knowledge and actually fix them than not know at all.
Kevin: It’s interesting, because several companies have hired us to do security assessments; we package up the report, we find their vulnerabilities, and then what happens is they hire us next year to do the same thing. So what we do is we pull the old report, and you know what? 90% of the stuff isn’t fixed, because the only reason they are doing the security assessment is for compliance. They have to comply, whether it’s SOX, GLBA, HIPAA, whatever, and so it’s interesting because some companies don’t seem to really care much about security, they would just really care about complying.

Dave: And so, this is how we build our security programs (see right-hand image). It’s true, right? We don’t want to know, because we’re scared. We tuck our heads in the sand and we hide from them. We fear guys like Anonymous and LulzSec.
Kevin: Those guys actually were kind of cool – because of their activities, I have three new clients. So thank you LulzSec! Thank you Anonymous!