David Kennedy is the founder and CEO of TrustedSec, a former CSO of a Fortune 1000 company, and a former Marine. He is the author of The Social-Engineer Toolkit (SET), Fast-Track, Artillery and other open source tools, and was previously on the BackTrack development team and the Exploit-Database development team.
David is also a cofounder of DerbyCon and has presented at many security conferences, including Black Hat, DEF CON, ShmooCon, Security B-Sides, Hack3rCon, ISSA and RSA. He is the author of the book “Metasploit: The Penetration Tester’s Guide” and a cofounder of the Penetration Testing Execution Standard (PTES), a community-driven standard for how penetration tests should be scoped, executed and reported.
The occasion for this interview was David’s presentation of his tool Artillery. We start by asking about the tool and then move on to other aspects of David’s work and experience.
So, Artillery was designed to be an early warning system that can also block attacks. It is free and open source, written in pure Python, and runs on Windows and Linux. Its features include:
• Monitoring and alerting on file changes
• Monitoring ports for scans and attacks (and banning the source address)
• Alerting on insecure configurations
• SSH brute-force detection
• Threat intelligence feed (servers deployed all over the world, looking for attacks and reporting to a central server)
• Anti-DoS protection
• Apache monitoring
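To make the SSH brute-force and banning features above concrete, here is an added example of the kind of detection logic such a tool runs over sshd log lines. It is example code written for this page, not Artillery's own code: the log lines are constructed in the OpenSSH/syslog format of /var/log/auth.log, the threshold and window values are assumptions, and the iptables rule is returned as a string rather than executed so the example runs anywhere.

```python
"""SSH brute-force detection over syslog-style sshd lines (added example, not Artillery's code)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the format OpenSSH writes to /var/log/auth.log.
# They are made up for this example, not captured from a real host.
SAMPLE_AUTH_LOG = """\
Jan 12 10:00:01 host sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Jan 12 10:00:03 host sshd[2203]: Failed password for root from 203.0.113.5 port 51023 ssh2
Jan 12 10:00:04 host sshd[2205]: Failed password for invalid user test from 203.0.113.5 port 51024 ssh2
Jan 12 10:00:06 host sshd[2207]: Failed password for root from 203.0.113.5 port 51025 ssh2
Jan 12 10:00:09 host sshd[2209]: Accepted publickey for deploy from 198.51.100.7 port 40011 ssh2
Jan 12 10:00:10 host sshd[2211]: Failed password for root from 198.51.100.7 port 40012 ssh2
Jan 12 10:20:10 host sshd[2290]: Failed password for root from 203.0.113.5 port 51099 ssh2
"""

# Matches the "Failed password" line sshd logs on a rejected password; captures timestamp and source IP.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def _parse_ts(stamp):
    # syslog timestamps carry no year; strptime fills in 1900, which is fine for time differences.
    return datetime.strptime(stamp, "%b %d %H:%M:%S")


def detect_ssh_bruteforce(lines, threshold=4, window_seconds=600, whitelist=()):
    """Return {ip: timestamp_string} for every source that produced `threshold` failed
    logins inside any `window_seconds` span (sliding window). Whitelisted IPs are never
    banned, and an IP is reported once, at the line that first crossed the threshold.
    threshold/window defaults are assumptions for this example."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    banned = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and other daemons are not counted
        ip, ts = m.group("ip"), _parse_ts(m.group("ts"))
        if ip in whitelist or ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        # Evict failures older than the window, measured from the newest failure.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            banned[ip] = m.group("ts")
    return banned


def ban_commands(banned):
    """Translate detections into firewall rules. Returned as strings for inspection;
    a real daemon would run them (with root) and log the action."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(banned)]


if __name__ == "__main__":
    hits = detect_ssh_bruteforce(SAMPLE_AUTH_LOG.splitlines())
    for ip, when in hits.items():
        print(f"{when}: {ip} crossed the failed-login threshold")
    for cmd in ban_commands(hits):
        print(cmd)
```

Note the whitelist: any tool that auto-bans on log evidence must protect management addresses, or an attacker who can spoof or trigger failed logins from a trusted range can lock administrators out, which is the same reason the window is bounded rather than counting failures forever.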
– So, Dave, with so much involvement in the offensive side, like exploits and The Social-Engineer Toolkit, how come you started creating Artillery, a defensive tool?
– When I look at security, I see it both in the red and blue team side of the house. There are times to be offensive and identify what your exposures are, but in the same light – we need to be able to defend against the different attacks out there. Artillery was made to serve a specific purpose in showing different ways to prevent attackers from gaining access to systems and catch them in the early stages of an attack. Being a hacker, I think in a way that understands how we go and target systems and ultimately how we need to defend against them.
– It’s easier to attack than to defend. Artillery is more than half a year old; how successful has it proven to be? Does it prevent attacks in the range it was planned to do?
– I think both have their challenges. It all depends on how well the defensive capabilities are implemented and how soon they can detect you. I think it’s challenging on both sides. Artillery has been a great project with a lot of community support, definitely where I want it to be and continue to build.
Most recently, we added the threat intelligence feed, which takes servers with Artillery deployed and centralizes the attacker IP addresses in order to help identify where attackers are coming from.
– How does Artillery help prevent phishing?
– Phishing is primarily on the client side of the house; Artillery is more designed for perimeter and internal defenses. In the event that an individual was compromised, the attacker would in most cases attempt to further compromise additional systems. Having Artillery in place could help detect post-exploitation scenarios.
– You wrote that you received great support from the community working on Artillery. In what area was this support most valuable, and what parts of the project would have been impossible without it?
– Ideas are the most valuable for me. I love taking people’s ideas and coding them into the tool. People that place it in their environments and say: “Oh, it would be cool if this was added.” I usually try to code it in a few hours for them :)
– What modules/parts of the Project Artillery did you have the most problems with?
– Windows integration. Much harder to do than on the Linux side of the house.
– If I am right, to be more successful Artillery needs more feeds reporting attacks. How quickly is the number of feeds growing?
– Artillery doesn’t take in feeds from other Artillery servers that aren’t trusted, only ones that I set up across the map. They grow as time permits; however, it doesn’t need a large and expanding number in order to detect different attacks.
– Honeypots are an effective and cheap defense tactic with a great ROI. How often do you advise companies to utilize honeypots? Do you see honeypots on the rise?
– Honeypots have always been a great defense, but something that never quite stuck in most organizations. I think they are great indicators for early warning symptoms of an attack.
– Artillery vs. The Social-Engineer Toolkit – who wins?
– I think they are two separate types of tools. Artillery is more on the defensive blue team side, on perimeter and internal networks, whereas SET targets individuals through social engineering. Both have complements on each side of the house.
SET is continuously updated; the most recent version, 5.1, incorporates a better attack vector for Microsoft SQL Servers as well as better PowerShell injection capabilities. It continues to grow, with features added based on suggestions from the community and what I run into on penetration tests.
– Is that profile thing ready for SET, where you enter the name of the company and it shows you the best way to attack?
– Not yet, still in development. Lots of moving parts and variables to account for. Haven’t worked on it in a while.
– Hopefully still the leader in social-engineering attacks :) I definitely don’t see these types of attacks going away anytime soon.
– With so many tools, like SET, Fast-Track and Artillery, is it difficult to keep them all updated and provide support?
– Naw.. Pretty easy once you have a similar structure in place. I may focus on one more than the other at times depending on the need, but still easy to manage.
– Are you still often questioned on the morality behind creating SET?
– Nope – never have actually. It’s a pretty simple argument: the bad guys are using these techniques everyday. How do we defend against them? We need to be able to test. Never had anyone question the morality of the tool.
– Have you heard of any big breaches which took advantage of SET?
– As the father of SET, would you like SET to have an even greater success rate, or would you like people to be able to defeat it?
– I think it’s important to show what is possible and what technologies really don’t work. SE comes down to the people and the defenses we put into place there. There is an over-reliance on technology in the security industry and the majority of it is vaporware. I think when SET can be defeated and there’s no purpose, then awesome and I can move on to a different project. I still think SET will be around for a very long time :)
– Are phishing attacks still as successful as, say, 3 years ago? Is it easier or more difficult to prepare for a successful phishing attack now?
– Depends on the definition of phishing. If you are talking about standard PDF or document attacks, then yes, but more difficult. Targeted phishes not using that method, I would say even easier than before.
– Is the attack utilizing Java applet still as effective as before? Are people still full of trust?
– The Java applet is working out better now than before, actually. The attack vectors have matured and the attacks have got more believable. Java also moving more towards code-signing certs and making them more trustworthy has helped us out significantly. It’s never been easier to get a code-signing certificate and use that for hacks.
– Out of 100 attacks, how often do you choose Java applet, credential harvester or browser exploits or other types of attacks?
– I almost always just use the Java Applet and Credential Harvester method.
– What methods of social engineering work best against a small company where everybody knows each other?
– Very good question. Impersonating individuals becomes much more challenging – have to come in as a partner or something they know but not that well. A lot of times we’ll come in as a vendor giving them free stuff because they do business with us.
– Are scareware/ransomware tactics effective in making people click what you need?
– Naw, don’t typically go that route. Scare tactics and inciting fear has a less probable chance of being successful in social engineering.
– Do you keep an eye on the exploit kit dark market?
– I don’t typically; I try to keep the things I research inside SET.
– How soon will we see a new great tool from you?
– As I’m typing this actually… 5.1 is getting released in the next hour :)
– Have you considered making a closed source tool?
– Never – always like the open source community and giving back and sharing the learning that I do.
– What project do you want to run but constantly lack free time for it?
– Writing books.
– After a book on Metasploit, are you planning a new one?
– I’m currently working on a Python for penetration testers book. Something that teaches people from the ground up how to code hack jobs and get things working fast on a penetration test. I’m excited because when I was coming up in the industry, I felt like there wasn’t anything out there for me. I had to pick up Python by myself and no real rhyme or reason. This book teaches you why and how.
– You started your career working for government, what do you think of government’s approach to security?
– Not so good. At least not yet. I think it’s getting a lot of recognition from the people that it needs in order to be successful, but I think they really need to look at the private sector and some companies that are doing a great job on the security front for ideas. They are going into this far behind the game.
– Little can be found about your role in Operation Iraqi Freedom, could you please speak about it?
– That’s intentional :) I worked for the intelligence community and spent about two years in Iraq.
– Your tools are popular, your experience grows, do gov guys invite you back?
– I’m pretty much out of that sector, focus primarily on the private sector. My buddies are still in and some great folks that use tools like Artillery and SET and get to hear about it. Otherwise – not really anymore at all.
– And have you ever been contacted by black hat / bad guys with offerings?
– Contacted, yeah; I don’t really respond to that side of the house. Very focused on the white hat side and nothing else.
– The DerbyCon community and the number of speakers keep growing. What new things are you planning for DerbyCon 3.0?
– What have you learned running DerbyCon?
– That the community is just freaking awesome and the people inside of it are amazing. Our community is full of so many bright and talented people that it’s just crazy. People that haven’t spoken before, people we haven’t heard of, and people we have heard of. All coming together on one platform to share information, learn and collaborate. What I’ve learned from all of this is that the community that I’m a part of is one of some amazing folks that I learn from everyday.
– You have done a presentation with Kevin Mitnick at DerbyCon, besides that, do you have any mutual projects?
– Kevin and I are good friends and do things together quite often. He’s an amazing individual with a ton of experience and history. We work well together and have a great amount of respect for one another. He’s just awesome.
– You are always so friendly and it seems you have a lot of friends – but do you have enemies?
– I’m sure there are enemies out there – I seem to get along with everyone somehow :) My personal belief is to like everyone and give them the amount of respect they deserve because we all have different experiences, different paths, different ways of thinking. That’s what makes us awesome and unique. If someone doesn’t like my opinion or something I say – I love that and hope they let me know. No one is wrong in any regard, and everyone has the right to be heard. Great people all around and I’ve been very fortunate to know some great friends and people.
– Have you ever been hacked?
– I’m sure I have. Naive to think that I’ve never been. I reload things quite frequently just out of paranoia. Try to put enough things in place to prevent or minimize the damage.
– As a pen tester, have you met an organization with super strong and effective security where all your breach attempts failed?
– Sure, but it all depends on time. I’ve been on a penetration test for a week where a customer had three IP addresses and nothing on their externally facing perimeter. Social engineering was out of scope and we had no real-world way of attacking them. It happens :)
– During your conference talks you often speak about real-world examples from your work. Could you please tell us about the most remarkable or strange case from your pen testing experience?
– I think one of the greatest times I’ve had on a penetration test was recently. Doing a penetration test for a bank, we had broken in through an externally facing application. We ran into some hurdles and didn’t understand the systems, so we figured out who the administrator was for this application and called him up impersonating someone else in the company. The individual was more than happy to give us all the information and understanding we needed in order to successfully wire some money out of the company. I think whenever there’s a test between the logical and the human element, it gets super exciting.
– What irritates you in infosec? What technology is missing in infosec?
– My biggest pet peeve, and one that I’m passionate about, is companies that are attempting to solve their security through point solutions and fixes. Our industry is rampant with pieces of software and hardware that just don’t work, or may work a little tiny bit. Companies are spending millions on technologies that solve little to none of the root cause. Instead of doing the hard work and building up a security program from the ground up, we are looking for shortcuts to get us there faster and completely forget about everything else. The attacks I get to use on penetration tests aren’t these sexy zero days or some insane leet hack. It’s basic, basic, basic stuff that we don’t pay attention to. Default credentials, MS08-067, default installs, misconfigurations: stuff we should know how to fix by now.
– How successful are you in changing your customers’ security values and outlook?
– It really depends on if the customer is doing the security services for the right reason. If it’s for PCI or HIPAA or whatever, then in most cases they don’t care and just want to pass. If the company is trying to fix their security, I think the message can be put in a way that relates to their business and how to protect their assets. In that case and when you can talk business and business impact – companies typically change or at least start to get it. Some really get it and just need us to show them the way.
– You vs. China Cyber Command – how will you defend?
– The funny thing about China Cyber Command is the attacks they are using are no different than anything we’ve seen out there. Nothing highly sophisticated or zero-dayish (although they may on certain occasions). If we focus on detection, focus on layers, and focus on education of our business…I think we can successfully defend or at least minimize what happens. That takes hard work, time, budget, and a staff to do it.
– Overall, what is your number 1 protection advice?
– In order for any security program to be successful, it has to start with education and awareness. When I was the CSO of a Fortune 1000 company, I would fix people’s home computers if they brought them in. I would be troubleshooting Active Directory issues at 2AM, I would be implementing the latest patch to systems to fix a bug. I would over-communicate what we were doing, why, and how people would be impacted. I would sit there and listen to their complaints and not dismiss them, and see how I could figure out a way that worked for both sides. You have to show people that you aren’t Big Brother and that the reason you are doing this is to protect the business and to help. When you have that sort of awareness in a company, the culture changes and security takes hold. Everything else will fall into place.