Dear PenTest Readers,
Another summer edition of our magazine is here, and it’s full of valuable infosec content. The two opening articles are related to the topic of Advanced Persistent Threats. Professor John Walker starts by presenting the interdependence of APTs and Advanced Evasion Techniques (AET). In the article he tries to answer the question of why Persistent Threats and Evasions will not see any decline any time soon. Mariana Peycheva, in turn, presents an analysis of Advanced Persistent Threats and their methodology, giving a great overview of the topic. As one of our reviewers said: “I wish that most business leaders and managers would read this”.
Chris Cochran wrote a very interesting piece, which can be considered a guide for those building, executing, or consuming threat intelligence. Abhi Singh is the author of a thought leadership article on securing the API economy. It describes, at a high level, what kind of processes and architecture it would take to make a secure and resilient API ecosystem. Pal Patel provides the readers with a really interesting case study on the use of the Right To Left Override technique. You should definitely check this article out and find out more about this interesting trick!
Two of our regular contributors, Bohdan Ethics and Dinesh Sharma, provided new articles this month as well. Bohdan brought to the table a presentation of antivirus evasion basics. Dinesh presents the readers with different types of compliance audits, with a special angle on critical infrastructure. Ankit Giri emphasizes the significance of mobile exploit applications in his article, Vlad Martin points our attention to the way in which black hats are collecting personal data in the Commonwealth of Independent States member countries, and, last but not least, David Evenden and Kent Potter present the Collegiate Cybersecurity Education Program that they developed together.
Special thanks to all of the contributors, reviewers, and proofreaders involved in creating this issue.
Without further ado,
Enjoy the content!
PenTest Magazine’s Editorial Team.
Table of Contents
Long-Armed Persistence of Threats
by Professor John Walker
The time is now long past at which a fresh way of delivering agile cyber-defense became a must-have, with the recognition that something, somewhere must change if we are to win the cyber-security race. No matter what we deploy, and how we operate those commercially procured systems and applications, one fact is certain: we will encounter a Persistent Threat on an everyday basis in some form. Such threats may be passive, awaiting their time to go malevolent at their opportune moment, or active and already on a mission to avoid detection whilst delivering their payload. It is now time to act and to look at Cyber-Security in a new way, with joined-up thinking, along with a recognition and guarantee that we have been or will be breached.
Advanced Persistent Threats – Silent But Smart
by Mariana Peycheva
According to a study by ISACA, phishing is the most common way of launching an APT, as it gives the attacker an opportunity to gain initial access to the organization, and, considering the human factor as one of the biggest vulnerabilities, makes the defense mechanism against initial attacks very difficult to design. It was evident from the study that 53.4% of the people believe APTs are not much different from traditional attacking methods. However, 93.9% of the people agreed that APTs pose a significant threat to national security and economic stability. Among the critical findings in this survey paper are that 63% of the people believe that it’s just a matter of time before their organization becomes a victim of an APT attack, while only 60% believe that they are capable enough to stop such an attack.
The Threat Intelligence EASY Button [FULL ARTICLE AVAILABLE IN THE FREE PREVIEW]
by Chris Cochran
Requirements are the foundation of an intelligence program. I have been a part of teams where this was not done. We would project our own thoughts and biases into our support of other teams without gathering the stakeholders’ thoughts or concerns. As you read this, I am sure you see how big of a misstep this is. However, this is not likely an isolated incident. In fact, many of the teams I have coached missed this crucial step. Luckily, this step is one of the easiest to fix. Open up the calendar and schedule meetings with your stakeholders. During the meeting, be present and listen more than you speak. Write down possible requirements and ask validation questions. You will then be on your way to building an effective program.
Securing the API Economy
by Abhi Singh
The network by virtue implements least privilege without relying on developers for it. This can be a manageability and scalability headache. One method to implement these capabilities is to use a “Service Mesh”. This mesh determines how services discover each other (discovery) and talk to each other (routing). This was previously done using load balancers in front of each service. Following this logic, most of these load balancers are manually managed, and if you were to add a new service, you would open a change ticket that would be serviced by IT. Load balancers introduce a cost penalty and an agility penalty based on how fast an organization turns around the tickets, thereby defeating the overall purpose of rapidly scaling using microservices.
Right to Left Override (RTLO) Technique
by Pal Patel
RTLO stands for Right-To-Left Override, a Unicode control character mainly used for the writing and reading of Arabic or Hebrew text. Unicode has a special character, U+202E, that tells computers to display the text that follows it in right-to-left order; in effect, it reverses the order of the characters that follow it. RTLO has been used in phishing attacks for many years: attackers insert the RTLO character into the filenames of attachments and try to trick users into thinking the attachment is safe.
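As an added example (not code from Pal Patel’s article), the following Python script shows both sides of the trick: how an attacker builds an attachment name that ends in .exe but is displayed as ending in .pdf, and how a mail gateway or endpoint check can strip the bidi controls, recover the extension the OS will actually use, and flag the mismatch. The `render_bidi` function is a deliberately simplified stand-in for the Unicode bidirectional algorithm (only the RLO…PDF override is modelled), and the attachment names are constructed for the demonstration.

```python
# Added example (not code from the article): build an RTLO-disguised
# attachment name, show what a bidi-aware renderer would display, and detect it.
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE
PDF = "\u202c"  # POP DIRECTIONAL FORMATTING (ends an override)

# Unicode bidi control characters that can reorder or hide text in a filename.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM",
}


def disguise(stem: str, shown_ext: str, real_ext: str) -> str:
    """Attacker side: a name that ends in real_ext but displays as ending in shown_ext.

    Everything after RLO is drawn reversed, so the tail is written pre-reversed:
    'fdp.exe' is displayed as 'exe.pdf'.
    """
    return f"{stem}{RLO}{shown_ext[::-1]}.{real_ext}"


def render_bidi(name: str) -> str:
    """Simplified stand-in for the Unicode bidi algorithm (assumption, not the
    full UAX #9 rules): text between RLO and the next PDF, or the end of the
    string, is displayed reversed; other bidi controls produce no glyph."""
    out, i = [], 0
    while i < len(name):
        c = name[i]
        if c == RLO:
            end = name.find(PDF, i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif c in BIDI_CONTROLS:
            i += 1  # invisible control character, contributes nothing visible
        else:
            out.append(c)
            i += 1
    return "".join(out)


def analyze(name: str) -> dict:
    """Defender side: strip bidi controls to find the extension the OS will use,
    compare it with the extension the user would see, and flag any difference."""
    controls = [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]
    stripped = "".join(c for c in name if c not in BIDI_CONTROLS)
    real_ext = stripped.rsplit(".", 1)[-1].lower() if "." in stripped else ""
    displayed = render_bidi(name)
    shown_ext = displayed.rsplit(".", 1)[-1].lower() if "." in displayed else ""
    return {
        "name": name,
        "controls": controls,
        "displayed_as": displayed,
        "real_extension": real_ext,
        "displayed_extension": shown_ext,
        "suspicious": bool(controls) or real_ext != shown_ext,
    }


def flag_attachments(names):
    """Return the analysis of every attachment name that should be blocked or warned on."""
    return [r for r in (analyze(n) for n in names) if r["suspicious"]]


if __name__ == "__main__":
    # Constructed mail attachment names; only the second one is disguised.
    inbox = ["report.pdf", disguise("invoice_", "pdf", "exe"), "photo.jpg"]
    for r in flag_attachments(inbox):
        print(f"{r['displayed_as']!r} is really .{r['real_extension']} "
              f"(bidi controls at {r['controls']})")
```

The check treats the mere presence of any bidi control character in a filename as suspicious, not only a visible extension mismatch: legitimate attachment names almost never need them, and a gateway rule on that condition is cheaper and more robust than trying to reproduce every renderer’s behaviour.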
Antivirus Evasion Basics
by Bohdan Ethics
Many antiviruses are designed to function analogously to the immune system of a human being. They operate by scanning computers for signatures corresponding to binary pathogens and infections. The antivirus refers to a dictionary of known viruses, and if any detail found within a file resembles a pattern in the dictionary, then the antivirus neutralizes it. As with the human immune system, the content of the dictionary requires updates, like flu shots, to provide adequate protection against emerging strains of viruses. Any antivirus counteracts what it deems harmful. The problem arises from the creation of new strains of viruses at a rate with which antivirus developers may not keep pace.
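To make the dictionary model concrete, here is an added example (not code from Bohdan Ethics’s article) of a toy signature scanner in Python. It keeps two kinds of entries that real engines also use, a whole-file hash and a byte pattern, and runs them over three constructed variants of the same harmless stand-in “sample”: the original, a copy with a few bytes appended, and a copy stored XOR-encoded. The sample bytes, signature names and key are all constructed for the demonstration; a real product does far more than this.

```python
import hashlib

# Constructed stand-in for a malicious binary: a harmless byte string.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"\x00" * 8 + b"cmd.exe /c del /q C:\\*" + b"\x00" * 8

# The "dictionary": hash signatures match one exact file; byte signatures match
# a fragment that survives small changes. Names are made up for the example.
SIGNATURES = {
    "hash": {"Trojan.Sample.A": hashlib.sha256(KNOWN_SAMPLE).hexdigest()},
    "bytes": {"Trojan.Sample.A": b"cmd.exe /c del /q"},
}


def scan(blob: bytes) -> dict:
    """Return which hash and byte signatures matched and an overall verdict."""
    digest = hashlib.sha256(blob).hexdigest()
    hash_hits = [n for n, sig in SIGNATURES["hash"].items() if sig == digest]
    byte_hits = [n for n, pat in SIGNATURES["bytes"].items() if pat in blob]
    return {"hash": hash_hits, "bytes": byte_hits, "detected": bool(hash_hits or byte_hits)}


def xor_encode(blob: bytes, key: int) -> bytes:
    """Single-byte XOR, the simplest way to store the same code with different bytes."""
    return bytes(b ^ key for b in blob)


def variants() -> dict:
    """Three files with identical behaviour but different on-disk bytes."""
    return {
        "original": KNOWN_SAMPLE,
        "padded": KNOWN_SAMPLE + b"\x00" * 16,     # e.g. rebuilt with a different linker
        "encoded": xor_encode(KNOWN_SAMPLE, 0x5A),  # stored obfuscated, decoded at run time
    }


def report() -> dict:
    """Scan every variant against the current dictionary."""
    return {name: scan(blob) for name, blob in variants().items()}


def add_signature(name: str, pattern: bytes) -> None:
    """The 'flu shot': vendors ship a new byte signature once a strain is analysed."""
    SIGNATURES["bytes"][name] = pattern


if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:9s} detected={result['detected']} hash={result['hash']} bytes={result['bytes']}")
    # After analysis, the vendor adds a signature for the encoded strain.
    add_signature("Trojan.Sample.B", xor_encode(b"cmd.exe /c del /q", 0x5A))
    print("encoded after update:", scan(variants()["encoded"]))
```

The padded copy shows why hash-only dictionaries are so brittle (one appended byte defeats them) and why engines also carry byte patterns; the encoded copy shows the gap the article describes, where a new strain is invisible until the dictionary is updated, and the final `add_signature` call closes that gap for exactly that strain and no other.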
Compliance Audit for Critical Infrastructure
by Dinesh Sharma
Logical Access Control basically defines the access level of a user in an application. Consider just one application on an enterprise network. There are many users in that application: some of them are admins, some of them are basic users. The admins come from different departments, so different access is provided to each of them.
The Significance of Mobile Exploit Applications
by Ankit Giri
With the ever-changing mobile OS landscape, the limitations on rooting and jailbreaking will make mobile exploit applications more significant. While these apps sit on an end user’s device they help steal data (say, reading application logs), make the vulnerable app unusable (logical DoS), bypass authentication and gain access (invoking an exported activity) and at times farm clicks (tapjacking). Mobile exploit application development will be the next big thing, and there are people taking up such things already.
Black-Hats: How They Are Collecting Personal Data in the CIS Countries
by Vlad Martin
Imagine a system administrator working in a middle-sized company whose details were bought by a hacker from some random country. Because this hacker has his/her data (passport, call detailing, SMS detailing, etc.), the attacker could easily hack this administrator (well, not that easily if he isn’t qualified enough) and gain access to his/her computer, then simply install an ordinary keylogger, and that’s it. Well, if it doesn’t sound convenient enough for you, imagine the system administrator being blackmailed over their SMS messages or phone calls, and since he/she is scared that their data will be made public, he/she gives them access to the server, and that’s it. I mean, of course, these scenarios may sound a little bit unrealistic, but from my experience, this is possible.
How StandardUser is Working with Practitioners and Universities to Close the Talent Gap
by David Evenden and Kent Potter
Since we started in 2015, our team members have been on the front line of the cyber security industry from both an offensive and defensive position. Identifying the necessary skills, experience, and knowledge required to perform many of the most critical cyber security roles can be difficult for hiring managers and often impossible for recruiting teams. In response to this difficulty, we developed the Collegiate Cybersecurity Education Program (C2EP) to bridge the education and experience gap so that professionals can be poised for success in the field faster than ever before.