2018-040- Jarrod Frates discusses pentest processes

Jarrod Frates Inguardians @jarrodfrates "Skittering Through Networks" Ms. Berlin in Germany - How'd it go?     TinkerSec's story:  https://threadreaderapp.com/thread/1063423110513418240.html   Takeaways Blue Team: - Least Privilege Model - Least Access Model     "limited remote access to only a small number of IT personnel" "This user didn't need Citrix, so her Citrix linked to NOTHING" "They limited access EVEN TO LOCAL ADMINS!" - Multi-Factor Authentication - Simple Anomaly Rule Fires     "Finance doesn't use Powershell" - Defense in Depth     "moving from passwords to pass phrases…" "Improper disposal of information assets"   Red Team: - Keep Trying - Never Assume - Bring In Help - Luck Favors the Prepared - Adapt and Overcome Before the Test Talk it over with stakeholders: Reasons, goals, schedules Report is the product: Get samples Who, what, when, where, why, how Talk to testers (and clients, if you can find them) Ask questions Look for past defensive experience and understanding of your needs Bonus points if they interview you as a client Red flags: Pwning is all they talk about, they set no-crash guarantees, send info in the clear Define the scope: Test type(s), inclusions, exclusions, permissions, accounts Test in 'test/dev', NOT PROD Social Engineering: DO THIS. Yes, you're vulnerable. DO IT ANYWAY.   During the Test Comms: Keep in contact with the testers Status reports (if the engagement is long enough) Have an established method for escalation Have an open communication style --brbr (WeBrBrs) Ask questions, but let the testers do their jobs Be available and ready to address critical events Keep critical stakeholders informed Watch your network: things break, someone else may be getting in, capture packets(?)   After the Test Getting Results: Report delivered securely Initial summary: How far did they get? Actual report Written for multiple levels No obvious copy/paste Read, understand, provide feedback, and get revised version Next steps: Don't blame anyone unnecessarily Start planning with stakeholders on fixes Contact vendors, educate staff Reacting to report Sabotaging your test Future testing   Ms. Berlin's Legit business - Mental Health Hackers   CFP for Bsides Seattle (Deadline: 26 November 2018) http://www.securitybsides.com/w/page/129078930/BsidesSeattle2019   CFP for BsidesNash https://twitter.com/bsidesnash/status/1063084215749787649 Closes Dec 31   Teaching a class in Seattle for SANS (SEC504) - need some students! Reach out to me for more information. Looking to do this at the end of February through March     heck out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email [email protected] #Brakesec Store!:https://www.teepublic.com/user/bdspodcast #Spotify: https://brakesec.com/spotifyBDS #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: [email protected] Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec