|Preview Brothers in arms: pentesting and incident detection 03 2017|
We offer to your attention our new issue: ‘Brothers in Arms: Pentesting and Incident Detection’.
In this full of expert opinions issue you will find discussions about the role of penetration testing in the incident response process.
Rapid7 and Trustwave in their articles will explain how crucial the connection between Incident Response and Penetration Testing is, while Kroll will show you practical examples of attack response. We hope you will enjoy these contributions , prepared for you by world-wide corporations.
RUNESEC will describe a simple methodology that was used during the engagement to debug the interception of encrypted traffic between an application and a server.
Apart from corporate contributions, inside you will find another enthusiastic piece from Lior Barash, who will continue his discussion about cyber security autonomy.
Praveen J Vackail and Chris Bullock, who are international security experts, provided articles about incident response, fully based on the real-life, practical experience.
Frederick L. Haggerty, who is a Forensics and Malware Analyst and supports the U.S. Marine Corps’ cyber operations, contributed an interesting piece, in which he discusses current challenges of Incident Response process.
The issue is closed by contributions by Jorge Mario Ochoa and Marcelo Mansur. Jorge will talk about the problem of human factor and the threat is causes for company. Marcelo shared with us the final piece of Ben Chester’s chronicles.
Hope you will enjoy reading this issue,
Editorial Team of PenTest Magazine
TABLE OF CONTENTS
Brothers in Arms: How Incident Detection and Pen Testing Can Work Together to Improve Outcomes
by Eric Sun, Rapid 7
Regardless of how many arms they may feel they’re working with, however, most companies’ security teams largely fail to detect pen testers on the network. Response teams don’t have the context they need for effective triage and are flooded with false-positive alerts; in the chaos, red teams easily sneak by. Add this to the fact that during incident investigations, response teams often are even further bogged down in the tedious work of retracing user or attacker behavior. And it’s these two realities that often prevent responders from detecting and catching intruders - whether it’s during a company test or a malicious attack.
Experience Share about Interconnection of Pentest and Incident Response Process by Chris Bullock
by Chris Bullok
As a veteran CISO, Chris have always created the personnel, process, and technology structures of my programs with the implementation of a risk validation team (red team) and an incident response team (blue team). This has become commonplace in the industry amongst CISOs globally. Where he has seen the waste and error in the industry is through the failure of CISOs in not using one to fortify the other, particularly when performing their regular penetration testing.
Offensive Security Automation: for the greater good Part II
by Lior Brash
Let’s consider automation as the unattended occurrence of a predefined task that can be triggered either manually or by an occurrence of another event, and once the process started, there will be no need for any sort of intervention until the next closest break point in which the operation might have came to its end or another process/subprocess is supposed to start. This might be a portion of a larger set of instructions or the complete set; either way, the rules apply.
Incident Response and the Role of Penetration Testing
by Will Harmon & James Antonakos, Trustwave
Cybersecurity threats continue to increase quicker than organizations can implement measures against them. Attacks have grown significantly in complexity, rendering the majority of “off the shelf” detection solutions, such as commercial antivirus programs, ineffective. It is estimated that over one million new malware variants are released every day. At that pace, it’s inevitable that a compromise will occur and organizations need to continually ensure the time between compromise, incident detection, and incident containment, is minimized as much as possible. Penetration testing is an excellent capability to use to add value to the incident response process.
Subject: Don't Waste Your Time and Money If You're Not Going to Test It!
by Frederick Haggerty
One of the best ways an organization can properly protect its assets is to have an effective Incident Response Plan (IRP). In this new age of cyber related attacks, there are plenty of media reports that highlight the latest damaging and embarrassing data breach that paints the picture that cyber defenders are failing or having a difficult time protecting their expanding threat landscape.
Physical Security and its Impact on the Overall Security Posture of an Organization
by Davide Capote
One often overlooked aspect of an overall robust, well architected, mature security program is the physical security posture of the organization. In fact, physical security is often an easy target for Hackers and Pentesters. In this article we’ll explore some of the advantages of having strong physical security, how not having it can lead to a breach, and what to look for when testing for physical security.
Debugging the Interception of Encrypted Traffic
by Nicolas Markitanis, Marios Nicolaides, Simon Loizides, RUNESEC
We were recently contacted to test out an online, multi-player game, where we needed to be able to proxy the encrypted traffic sent from the game client to the server. We were not aware of the underlying protocol beforehand, only that the communication took place over TLS. The purpose of this article is to describe a simple methodology we used during this engagement to debug the interception of encrypted traffic between an application and a server, where the interception is not simply a case of installing any self-signed certificate in the trust store of the browser or operating system.
Incident Response and the Role of Penetration Testing in that Process
by Ömer Gençay
Have you heard the term “False Positive/Negative” recently? I think when you are trying to be sure whether an incident coming from an SIEM system is real or not, one of the most challenging things is the verification of it. And here comes the importance of an incident handling team with strong penetration testing skills.
Risk-Based Pen-Testing as an Enhancer of Cyber-Security Incident Management Capability
by Praveen Joseph Vackayil
Recent incidents, such as the DYN Attack, the Bangladesh Bank attack and the Ukraine power-grid shut down, indicate a trend of substantial targeting and extreme complexity in cyber-attacks. Corporations are recognizing the need for a robust incident detection and management capability, and are fortifying their borders with increased spending on cyber security incident management. VAPT teams, SIEM solutions, forensic investigation tools, etc. are deployed to augment overall cyber security incident response capability. When faced with a real incident, however, challenges continue to persist with regard to achieving exceptional degrees of performance.
Malware Analysis Report Part II: RawPOS Malware: An Intruderʼs Toolkit
by Devon Ackerman & Brandon Nesbit, Kroll
In 2016, Kroll’s Cyber experts had the opportunity to focus on a collection of malware related to the RawPOS family, and Kroll proceeded to identify numerous tools that the attacker(s) had dropped into the enterprise environment in order to expand their foothold, target specific machines, collect additional information about the compromised environment, and prepare that data for exfiltration. Through the following report, Kroll is pleased to share the research conducted on the malware and the intruder’s toolkit with the greater information security community.
Psychological Acceptability Keep it Simple
by Jorge Mario Ochoa
One of the most important challenges that must be taken into account in safety design is the human factor, since the controls we will only be effective if psychological acceptability exists. To reach this objective, we must work together with the users to find an optimal balance between safety and operability. I have had the opportunity to participate in implementations of standards, such as ISO 27001 and ISO 22301, and the common denominator I have identified in compliance audits is the human factor.
The Chronicles of Ben Chester
by Marcelo Mansur