SANS Penetration Testing Summit 2010


  • 8/8/2019 SANS Penetration Testing Summit 2010

The Good, The Bad, and the Ridiculous

SANS Penetration Testing Summit 2010

14 JUNE 2010


About Me
WHO IS THIS DUDE?

Vinnie Liu, Managing Partner @ Stach & Liu

Penetration testing professionally since 1999

Background in Gov Intel, Big 4, F100


"Simulate a real world attack against a target network or application."

- EVERYBODY


    Real World Pen Testing


"It answers the question: could someone break in?"

- ME


Types of Testing
JUST A FEW

    Penetration Testing

    Vulnerability Assessment

    Risk Assessment


Proficient

80%*

*I MADE THESE NUMBERS UP


Proficient Pen Testers
CAN'T HACK OUT OF A WET PAPER BAG

Runs tools, validates results, adheres to checklist

Standard vulnerability knowledge

Performs simplistic manual testing


"These aren't the droids we're looking for."


    Over Reliance on Tools


    Productivity


    Productivity


    Advanced

    15%


Advanced Pen Testers
BEYOND TOOLS

Understand the nature of exploratory testing

Passionate about learning on their own

Able to perform more complex exploitation


    How Do You Get Better?


    Expert

    5%


Expert Pen Testers
ARE NATURALS

Synthesize disparate data points

Find patterns in seemingly unrelated information

Build attack avenues in their mind


Synthesis and Patterns
CAN BE BOTH GOOD AND BAD


Attack Visualization
LIKE BOBBY FISCHER


    Master


"Until a man is twenty-five he still thinks, every so often, that under the right circumstances he could be the baddest motherf@*&! in the world. If [he] moved to a martial-arts monastery in China and studied real hard for ten years. If [his] family was wiped out by Columbian drug dealers and [he] swore [him]self to revenge. If [he] just dropped out and devoted [his] life to being bad.

Hiro used to feel that way, too, but then he ran into Raven. In a way, this is liberating. He no longer has to worry about being the baddest motherf@*&! in the world. The position is taken."

- SNOW CRASH


Master Pen Testers
ARE RELENTLESS

They do all of the above, and they don't give up.


    Thank You
