David Kennedy is the founder and CEO of TrustedSec, a former CSO at a Fortune 1000 company, and a former Marine. He is the author of The Social-Engineer Toolkit, Fast-Track, Artillery and other open-source tools. He was previously on the BackTrack development team and the Exploit-Database development team.
David is also a cofounder of DerbyCon and has presented at a large number of security conferences, including Black Hat, DEF CON, ShmooCon, Security B-Sides, Hack3rCon, ISSA, RSA, and many more. David is the author of the book “Metasploit: The Penetration Tester’s Guide”. He is the founder of the Penetration Testing Execution Standard (PTES), the only standard for penetration testing.
The reason for this interview was David’s presentation on his tool Artillery. We start by asking about the tool and then move on to other aspects of David’s work and experience.
Artillery was designed as an early warning system with the ability to block attacks. It is a free and open-source tool written in native Python, and it runs on Windows and Linux. Its features include:
• Monitoring and alerting for file changes
• Monitoring ports for scans and attacks
• Alerting on insecure configurations
• SSH brute force detection
• Threat intelligence feed (servers deployed all over the world – looking for attacks and reporting to the central server)
• Anti-DoS protection
• Apache monitoring
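As an added illustration of the SSH brute-force detection feature listed above (example code written for this page, not Artillery’s own source), the function below runs a per-IP sliding-window counter over constructed sshd log lines and returns the sources that cross a failure threshold. The log format, the year, the threshold and the window size are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of syslog-style sshd lines (not real log data).
SAMPLE_AUTH_LOG = """\
Mar 10 02:14:01 bastion sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Mar 10 02:14:03 bastion sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51013 ssh2
Mar 10 02:14:05 bastion sshd[2211]: Failed password for root from 203.0.113.7 port 51014 ssh2
Mar 10 02:14:06 bastion sshd[2212]: Failed password for invalid user test from 203.0.113.7 port 51015 ssh2
Mar 10 02:14:08 bastion sshd[2213]: Failed password for root from 203.0.113.7 port 51016 ssh2
Mar 10 02:20:00 bastion sshd[2220]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Mar 10 02:20:30 bastion sshd[2221]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
Mar 10 03:15:00 bastion sshd[2230]: Failed password for bob from 192.0.2.9 port 40010 ssh2
Mar 10 03:40:00 bastion sshd[2231]: Failed password for bob from 192.0.2.9 port 40011 ssh2
Mar 10 03:55:00 bastion sshd[2232]: Failed password for bob from 192.0.2.9 port 40012 ssh2
Mar 10 04:10:00 bastion sshd[2233]: Failed password for bob from 192.0.2.9 port 40013 ssh2
Mar 10 04:25:00 bastion sshd[2234]: Failed password for bob from 192.0.2.9 port 40014 ssh2
"""

# Matches OpenSSH "Failed password" lines; "invalid user" is optional.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def find_brute_forcers(log_text, threshold=4, window_seconds=300, year=2024):
    """Return {ip: time_threshold_was_hit} for every source IP that produced
    at least `threshold` failed logins inside any `window_seconds` span.
    Syslog timestamps carry no year, so one is assumed (no year rollover)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue              # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts      # record the moment the source became blockable
    return flagged
```

With the default 5-minute window only the fast attacker (203.0.113.7) is flagged; the slow one (192.0.2.9, one attempt every 15 minutes) is only caught when the window is widened to an hour, which is the trade-off any threshold-based blocker has to tune.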
– So, Dave, with so much involvement in the offensive side, like exploits and The Social-Engineer Toolkit, how come you started creating Artillery – a defensive tool?
– When I look at security, I see it both in the red and blue team side of the house. There are times to be offensive and identify what your exposures are, but in the same light – we need to be able to defend against the different attacks out there. Artillery was made to serve a specific purpose in showing different ways to prevent attackers from gaining access to systems and catch them in the early stages of an attack. Being a hacker, I think in a way that understands how we go and target systems and ultimately how we need to defend against them.
– It’s easier to attack than to defend. Artillery is more than half a year old; how successful has it proven to be? Does it prevent attacks in the range it was planned to do?
– I think both have their challenges. It all depends on how well the defensive capabilities are implemented and how soon they can detect you. I think it’s challenging on both sides. Artillery has been a great project with a lot of community support, definitely where I want it to be and continue to build.
Most recently, we added the threat intelligence feed which takes servers with Artillery deployed and centralizes the attacker IP addresses in order to help identify where attackers are coming from.
– How does Artillery help prevent phishing?
– Phishing is primarily on the client side of the house – Artillery is more designed for perimeter and internal defenses. In the event that an individual was compromised, the attacker would in most cases attempt to further compromise additional systems. Having Artillery in place could help detect post-exploitation-type scenarios.
– You wrote that you received great support from the community working on Artillery. In what area was this support most valuable, and what parts of the project would have been impossible without it?
– Ideas are the most for me. I love taking people’s ideas and coding them into the tool. People that place it in their environments and say: “Oh, it would be cool if this was added.” I usually try to code it in a few hours for them :)
– What modules/parts of the Project Artillery did you have the most problems with?
– Windows integration. Much harder to do than on the Linux side of the house.
– If I am right, to be more successful Artillery needs more feeds to report about attacks. How quickly is the number of feeds growing?
– Artillery doesn’t take in feeds from other Artillery servers that aren’t trusted, only ones that I set up across the map. They grow as time permits; however, it doesn’t need a large and expanding number in order to detect different attacks.
– Honeypots are an effective and cheap defense tactic, with great ROI. How often do you advise companies to utilize honeypots? Do you see honeypots on the rise?
– Honeypots have always been a great defense, but something that never quite stuck in most organizations. I think they are great indicators for early warning symptoms of an attack.
– Artillery vs. The Social-Engineer Toolkit – who wins?
– I think they are two separate types of tools. Artillery is more on the defense blue team side on perimeter and internal networks, whereas SET targets individuals through social engineering. Both have complements on each side of the house.
SET is continuously updated all the time – the most recent version, 5.1, incorporates a better attack vector for Microsoft SQL Servers as well as better PowerShell injection capabilities. It continues to grow, and features are added based on suggestions from the community and what I run into on penetration tests.
– Is that profile feature ready for SET, where you enter the name of the company and it shows you the best way to attack?
– Not yet, still in development. Lots of moving parts and variables to account for. Haven’t worked on it in a while.