@haydnjohnson
Automation of Pentesting - What | Why | Future
whoami
OSCP | GXPN
Pentester - with an approach to work with blue teams
Enthusiast
Presenter - hopefully I will be back
Australian who lives in cold Canada.
On My Own Time & Dime - My opinions only!
Talk Outline
❏ The trend for automation of pentesting
❏ Pentest Puppy mills
❏ Small & Big business reasons for pushing automation
❏ Pentesters | Exploit Devs - what does this mean
❏ What to do to fight back!
The Trend
Automation of Pentesting - The Trend
Pentesting - for less $$$$
● Fighting to under-cut each other
Vulnerability Assessment as a Pentest
● Customers are being sold VAs, not Pentests!
Not Liable
● If I am hacked, I do not want to be legally liable
Automation of Pentesting - The Trend
Commoditization
Pentest Puppy Mills
● Scan
● Scan
● Scan
● Report
● Make report look nice
● Make report look nicer
● Send
Outsourcing
Cheaper
Business Reasons for Automation
Small Business - No money | no budget
Small Business - Can’t Keep talent
Large Business - all the money | complex
Large Business - Old policies
Small Business
● I want security, but how?
● As long as the network is up!
Big Business
● I am not responsible for security
● Red Tape galore
Defenders - blinky boxes
● Even for the blue side, they have the culture of buying blinky boxes over human talent.
Terminology Confusion
http://winterspite.com/security/phrasing/
A whole blog for Terminology!
Vulnerability Assessment
Intrusion Detection
Blue Team
Penetration Testing
Adversarial Emulation
Purple Team
SRSLY GO READ IT: http://winterspite.com/security/phrasing/
VA Pentest Redteam - what does it mean?
● Firms sell Pentests then execute a VA
● Clients ask for a VA to be called a Pentest
● Red Team ??
Will we need exploit Devs??
We just Scan right?
Environments too big to not scan.
Understand vulnerabilities
Business risk!
Quantitative and Qualitative
Expertise needed
Exploit development
Bug Hunting
Finding Vulnerability
Exploit Found | Added to Scanner | Scanning for exploit
Look for other exploits
Skill Spectrum
Scanning | Pentesting | Exploit Development
Scanning
Now
Future
World is FUBAR’ed
A more insecure world
● Lack of vulns found
● Vulns sold on black market
WHAT DO??
What can we do from the front line?
● Educate managers
● Educate Clients
● Promote valuable security
Clarity on terms
Vulnerability Assessment
The point of a vulnerability assessment is to identify and categorize the vulnerabilities on a system or network.
Issues identified and categorized.
Clarity on terms
Penetration Test
A penetration test, or pen test, is an attempt to evaluate the security of an IT infrastructure by safely trying to exploit vulnerabilities.
Tests are goal-oriented
https://www.coresecurity.com/penetration-testing-overview
The differences
Vulnerability Assessment
List Oriented
Penetration Testing
Goal Oriented
https://danielmiessler.com/study/vulnerability-assessment-penetration-test/
VULN A
VULN B
VULN C
Phishing
Local Admin
Dump Hashes
Domain Admin
Education - Sales / Managers
Yes, VA brings money, but it's small $$ and small value.
Great to show different potential vulns.
What about showing the business impact?
Can it be exploited?
Difficulty of exploitation?
Any controls to mitigate damage?
Thank you
Remember to provide real security
Fight against the PenTest Puppy Mills.
Questions?
Please ask away
Tell me I am wrong, discuss.
Got an opinion? Share it
Clapping, welcome!