[Dailydave] reach for the sky vs stay airborne

Konrads Smelkovs konrads.smelkovs at gmail.com
Wed Oct 28 11:28:52 EDT 2015


Nice product plug :)

If I were a defensive CISO and someone pentested my org and showed me how
they got domain admin, I'd tell them, "that's really great, but if you'd had
a normal C2 working for some period of time, my crystal-ball based anomaly
detection system would have picked it up and we'd IR/hunt you down," and the
red team bros would have nothing to reply because they, well, didn't have a
C2 going for a while, and I would keep my bonus.

It is in the interest of the auditor/red-teamer to do this as much as it is
in the interest of a genuinely concerned customer who wants to know how
good they are.

--
Konrads Smelkovs
Applied IT sorcery.

On Wed, Oct 28, 2015 at 1:59 AM, Kristian Erik Hermansen <
kristian.hermansen at gmail.com> wrote:

> Yes, that would be ideal, but unfortunately there is always pushback due to
> perception of privacy impact to staff / employees and also risk of
> accidentally nuking the entire organization due to "unexpected changes".
> You can try though, and I wish you luck getting executives to sign off on
> that risk. Or you could just buy Immunity Innuendo for $50K or Cobalt
> Strike with Beacon for about 1/10th that and get close to "APT
> simulation"...
>
>
> On Tuesday, October 27, 2015, Konrads Smelkovs <konrads.smelkovs at gmail.com>
> wrote:
>
>> In my view, security improvements in organisations are driven by breaches
>> and red team exercises/pentests. While breaches give hard lessons learned,
>> red teams often don't and that's because we reward red teamers for a
>> "domain admin" rather than longer term persistent access.
>>
>> This is what I call reach for the sky/rocket launch: you get domain
>> admin, get a screenshot of CEO's e-mail and declare job done. In reality, a
>> good simulation would be to "stay airborne" - take a screenshot of CEO's
>> e-mail/exfil PST every week.
>>
>> That's not to say that there isn't a scenario where destruction of
>> assets is the end-goal of an attacker, but even then, I would argue that
>> red teamers ought to put an .exe in autoruns on every PC they wish to have
>> undergo a simulated wipe.
>>
>>
>>
>> --
>> Konrads Smelkovs
>> Applied IT sorcery.
>>
>
>
> --
> Regards,
>
> Kristian Erik Hermansen
> https://www.linkedin.com/in/kristianhermansen
> https://google.com/+KristianHermansen
>