[Dailydave] Penetration Testing is Changing

Dave Aitel dave at immunityinc.com
Thu May 7 07:12:58 EDT 2015


Watch this new INNUENDO Video first: https://vimeo.com/126988596. It is
amazing.

At INFILTRATE the Microsoft penetration testing team did the final
presentation. First of all, their goal is to move FASTER than log
replication. I know a lot of modern players are pretending to be able to
do their intrusion analysis in real time. REAL TIME IS NOT POSSIBLE. Not
even your brain
<http://images.chinatopix.com/data/images/full/6462/muhammad-ali-getting-hit-by-a-left-hook-from-joe-frazier-during-the-fight-of-the-century-in-madison-square-garden-in-1971.jpg>
works in "real time".

The basic theme of the talk was simple: Hit any one host in a large
domain. Grab all the LDAP data you can (Groups/Machines/Users) and then
sweep as much as you can across the domain to find out LastLoggedIn
data. Then exfil it as fast as possible. It'll be "moderately large"
(4GB) but you can download it reliably over DNS or ICMP even with a
modern system like INNUENDO. You can then remove yourself from the
network before the IR team has a chance to do anything.
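
The bulk-over-DNS exfil in that paragraph is also the thing a defender can still spot after the fact in the DNS logs once they do replicate, even when it was too fast to catch live. Added example (mine, not Dave's or Immunity's code): it parses constructed query-log lines and flags a source that sends many distinct, high-entropy subdomains to one domain; the log format, the "last two labels" domain heuristic and the thresholds are assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log (not from the original post): "<epoch> <src_ip> <qname>".
# 10.0.0.9 sends base32-looking labels to one domain, the shape of tunnelled bulk exfil.
SAMPLE_LOG = """\
1431000000 10.0.0.5 www.example.com
1431000001 10.0.0.5 mail.example.com
1431000002 10.0.0.9 mfrggzdfmztwq2lknnwg23tpobyxe43u.exfil-test.invalid
1431000002 10.0.0.9 ojsw4zlsmfwwkzlsn5xgkidgn5zcaytf.exfil-test.invalid
1431000003 10.0.0.9 ifbegrcfizduqskkjnge2tspkbiveu2u.exfil-test.invalid
1431000003 10.0.0.9 m5tgc3tfmvzs4ylsmvzwg33nmfxgiylm.exfil-test.invalid
1431000004 10.0.0.5 www.example.com
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)$")


def registered_domain(qname: str) -> str:
    """Crude 'registered domain': the last two labels (assumption: no public-suffix list)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def label_entropy(s: str) -> float:
    """Shannon entropy in bits/char; encoded payload labels score far higher than 'www'."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def detect_dns_exfil(log_text: str, min_unique: int = 3, min_entropy: float = 3.0) -> dict:
    """Group queries by (source, registered domain) and flag groups with many distinct,
    high-entropy subdomain prefixes. Returns {(src, domain): summary} for flagged groups."""
    prefixes = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on them
        _, src, qname = m.groups()
        dom = registered_domain(qname)
        prefixes[(src, dom)].append(qname[: -len(dom)].rstrip("."))
    alerts = {}
    for key, plist in prefixes.items():
        unique = set(plist)
        avg_ent = sum(label_entropy(p) for p in plist) / len(plist)
        if len(unique) >= min_unique and avg_ent >= min_entropy:
            alerts[key] = {"queries": len(plist), "unique_prefixes": len(unique),
                           "payload_bytes": sum(len(p) for p in plist),
                           "avg_entropy": round(avg_ent, 2)}
    return alerts
```

Run on real resolver logs, the same grouping also gives you the per-source byte count, which is how you size an exfil after the fact.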

With the data you retrieved, you can do all sorts of cool analysis that
will enable lateral movement or follow-on attacks. Not coincidentally,
Microsoft also released some interesting AD intrusion analysis
<http://blogs.technet.com/b/ad/archive/2015/05/04/microsoft-advanced-threat-analytics-public-preview-release-is-now-available.aspx>
tools this week which are worth a look.

Really there are several things changing:
1. Top level methodology is changing. The Microsoft team emphasized that
once they go in, and gather the right data, they can use advanced
machine learning and data analysis to show them exactly which users to
phish next, and how. They know once they get back in exactly which
machines they need to go onto to control the network. It's no longer a
guessing game. It's more deterministic. Looking at some of these
methodologies means how you buy penetration testing has to change. Once
you realize "The attacker at some point is going to get on one of the
boxes on my domain" you have to start testing lateral movement, data
exfiltration, and incident response from that perspective.

2. Advanced low level techniques are being commoditized, partially
because Kaspersky and co. are doing a good job writing giant white
papers on the things they catch in the wild. In INNUENDO's case this
means the public penetration testing community can get an advanced
implant including the in-memory loader, high-level language VM and API,
multiple channels, built-in sniffer and debugger, and OPSEC workflow.

In short: if you just bought Mandiant or Crowdstrike or Carbon Black or
are using the new agents from Tenable or Qualys, then you are going to
want to test them with INNUENDO or a tool like INNUENDO to see if they
really work the way you think they do. Let us know if you want to try
this out! :)

-dave
