2018-040- Jarrod Frates discusses pentest processes


Manage episode 221481688 series 124251
By Bryan Brake and Bryan Brake - CISSP | Information Security | Vuln Management. Discovered by Player FM and our community — copyright is owned by the publisher, not Player FM, and audio is streamed directly from their servers. Hit the Subscribe button to track updates in Player FM, or paste the feed URL into other podcast apps.

Jarrod Frates



“Skittering Through Networks”

Ms. Berlin in Germany - How’d it go?

TinkerSec’s story: https://threadreaderapp.com/thread/1063423110513418240.html


Blue Team:

- Least Privilege Model

- Least Access Model

“limited remote access to only a small number of IT personnel”

“This user didn't need Citrix, so her Citrix linked to NOTHING”

“They limited access EVEN TO LOCAL ADMINS!”

- Multi-Factor Authentication

- Simple Anomaly Rule Fires

“Finance doesn’t use Powershell”

- Defense in Depth

“moving from passwords to pass phrases…”

“Improper disposal of information assets”

Red Team:

- Keep Trying

- Never Assume

- Bring In Help

- Luck Favors the Prepared

- Adapt and Overcome

Before the Test

  • Talk it over with stakeholders: Reasons, goals, schedules
  • Report is the product: Get samples
  • Who, what, when, where, why, how
  • Talk to testers (and clients, if you can find them)
    • Ask questions
    • Look for past defensive experience and understanding of your needs
      • Bonus points if they interview you as a client
    • Red flags: Pwning is all they talk about, they set no-crash guarantees, send info in the clear
  • Define the scope: Test type(s), inclusions, exclusions, permissions, accounts
  • Test in ‘test/dev’, NOT PROD
  • Social Engineering: DO THIS. Yes, you’re vulnerable. DO IT ANYWAY.

During the Test

  • Comms: Keep in contact with the testers
    • Status reports (if the engagement is long enough)
    • Have an established method for escalation
    • Have an open communication style --brbr (WeBrBrs)
  • Ask questions, but let the testers do their jobs
  • Be available and ready to address critical events
  • Keep critical stakeholders informed
  • Watch your network: things break, someone else may be getting in, capture packets(?)

After the Test

  • Getting Results:
    • Report delivered securely
    • Initial summary: How far did they get?
    • Actual report
      • Written for multiple levels
      • No obvious copy/paste
      • Read, understand, provide feedback, and get revised version
  • Next steps:
    • Don’t blame anyone unnecessarily
    • Start planning with stakeholders on fixes
    • Contact vendors, educate staff
  • Reacting to report
  • Sabotaging your test
  • Future testing

Ms. Berlin’s Legit business - Mental Health Hackers

CFP for Bsides Seattle (Deadline: 26 November 2018) http://www.securitybsides.com/w/page/129078930/BsidesSeattle2019

CFP for BsidesNash https://twitter.com/bsidesnash/status/1063084215749787649 Closes Dec 31

Teaching a class in Seattle for SANS (SEC504) - need some students! Reach out to me for more information. Looking to do this at the end of February through March

heck out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel: http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site: https://brakesec.com/bdswebsite

#iHeartRadio App: https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon


#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

292 episodes