[Dailydave] Adversary Simulation

dave aitel dave at immunityinc.com
Tue Nov 29 10:26:59 EST 2016


So obviously everything a penetration testing company does is at some
level "Adversary Simulation". I like to call it "Focused Training" -
because penetration testing is more about education than anything else,
but the WAY you do that is by emulating and instrumenting some sort
of adversarial process.

Ok, that said, we have for the past year offered a special service
called Adversary Simulation
<https://www.immunityinc.com/services/adversary-simulation.html> by
which we meant something quite specific. We go to some big financial
company, usually super under-dressed for the cold because we live in
Miami, and we install INNUENDO on a couple machines. Then we exfiltrate
a few terabytes of data over whatever protocols are working and we work
with the company to do a hardcore analysis of their detection systems
for that sort of thing.

That sounds simple. But in practice, every company at that size range
has multiple products trying to detect you, and they provide overlapping
coverage. Sometimes the Alerts are useful, and sometimes not. For
example, when you're doing DNS exfiltration, FireEye will alert on the
weirdness of the DNS packets. But it has no idea who the infected
endpoint is, because those DNS packets came from intermediary DNS
servers! :)

With web-based analysis systems I worry more about false positives, and
of course, false negatives. Detecting beacons from malware but not from,
say, DropBox is a hard problem. In theory, products like StealthWatch
work, but in practice, that depends on the team.

Likewise, there are gaps in the market itself: Who is looking at all
outbound e-mail to find data exfiltration channels? And on the host,
when faced with a new product, all the protection systems we've seen
have not detected INNUENDO. Some of them detect injection, but you don't
really need to do that. What if there is too much chaos on a big
company's desktop for reputation-based protection systems to work?

-dave
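A defender-side check that follows from the DNS point above: the odd packets a network sensor alerts on carry the internal resolver's address, not the endpoint's, so attributing them to a host means mining the internal recursive resolver's own query log, where the client IP is still present. This is an added example, not Dave's or Immunity's code; the log format, the domain names and the thresholds are constructed assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample of an internal recursive resolver's query log, in a made-up
# "<client-ip> <qname>" format; the internal resolver still knows which endpoint asked.
SAMPLE_LOG = """\
10.0.1.15 www.example.com.
10.0.1.22 3q2b7fjd9k2l8mzx.4gh7s8d3kk2p.tunnel-example.net.
10.0.1.22 9xk3ll2mz8q7f5ab.0pq9d8a7fgh2.tunnel-example.net.
10.0.1.22 b8d7f6g5h4j3k2l1.m9n8b7v6c5x4.tunnel-example.net.
10.0.1.22 c7v6b5n4m3l2k1j0.h9g8f7d6s5a4.tunnel-example.net.
10.0.1.22 d6f5g4h3j2k1l0m9.n8b7v6c5x4z3.tunnel-example.net.
10.0.1.22 www.example.com.
10.0.1.30 cdn.example.org.
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)$")

def shannon_entropy(s):
    # Bits per character; human-chosen labels like "www" or "cdn" score low.
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def registered_domain(qname):
    # Naive base domain (last two labels); production code would use a public-suffix list.
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def find_suspicious_clients(log_text, min_names=5, min_entropy=3.0, min_len=10):
    # Returns {client_ip: [base_domain, ...]} for clients whose queries under one base
    # domain look like encoded data: many distinct names with long, high-entropy labels.
    stats = defaultdict(lambda: {"names": set(), "ent": [], "len": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        client, qname = m.groups()
        leftmost = qname.rstrip(".").split(".")[0]
        st = stats[(client, registered_domain(qname))]
        st["names"].add(qname)
        st["ent"].append(shannon_entropy(leftmost))
        st["len"].append(len(leftmost))
    flagged = defaultdict(list)
    for (client, domain), st in stats.items():
        if len(st["names"]) < min_names:
            continue
        n = len(st["ent"])
        if sum(st["ent"]) / n >= min_entropy and sum(st["len"]) / n >= min_len:
            flagged[client].append(domain)
    return dict(flagged)  # e.g. {"10.0.1.22": ["tunnel-example.net"]}
```

The thresholds are deliberately loose for the sample; on a real resolver log you would tune them per base domain and whitelist known CDN and telemetry domains that also produce many machine-generated names.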