[Dailydave] reach for the sky vs stay airborne

Darkpassenger darkpassenger at unseen.is
Tue Oct 27 21:55:47 EDT 2015


I've got a couple of counterarguments here:

- Not every business can deal with the reality of a red team getting access to their shit. Forget about this in .sgov and serious .mil environments, despite all the claims. Upstairs managers usually don't want external entities messing with the "current stability" of their area, even if they understand they might have problems. Notice that I am referring to two concepts here: 1) stupidity and corruption, which is very often the case; 2) the reality of the nature of these businesses. There are others who don't want red teams revealing how bad the situation is. I have seen petrochemical and secretive finance actors, or even political organizations, who are not even ready to hear of doing one red team exercise, let alone accepting the recurrent existence of external access of any kind.

- A red team succeeding in getting screenshots doesn't mean the security measures taken afterward are going to protect against APT-type attacks. Many of the breaches that happened and will happen are in environments that are already dealing with red teams. Basically the adversary is better, or gets lucky, or is much more persistent and serious. A red team doesn't do magic if you are a target for a powerful player. Therefore, whether you are a potential target or not, rather than whether you have deals with a red team, is a much more important problem to be wary of.

- Red teams are valueless in the case of insider-based threats. What I have seen so far as extreme damage usually has insider factors: either an informed and motivated insider or stupid, disillusioned ones.

- Staying airborne often contradicts organizations' strategies, mostly in IT development. External entities make it hard and expensive for managers to handle their work, the budget, their pretty, beautiful figures for higher-level managers, etc. Even very educated and seasoned managers often prefer the illusion of already being good to getting constant screenshots from red teams. The headaches of this, the meetings it needs, the unhappy in-house engineers who complain about outsiders messing with their shit... these are real facts in all sorts of organizations. So the predators get what they want, and then there is the blame game. How many times I have seen this I can't recount.

- Last but not least, what the infosec industry calls "improvements" usually means "failures" in the mindset of other components of the organization. I understand pentesters and red teams may find it victorious and a sign of progress to get screenshots, but this often doesn't feel the same for others who play different roles. There is an inertial opposition mindset among role players in an organization against recurrent victories of red teams. The screenshots always result in whispers, unhappiness, and most importantly changes in whatever exists, and who likes that?

I know I sound harshly cynical toward organizations' personnel, managers and overall "human factors", but I believe it's realistic and factual. While as a trivial concept I trust that a tangled, "tangible", recurrent test procedure is a must for an organization to stay away from hack harms, I don't see the major reason behind most breaches and losses as the lack of defensive arsenals or not staying airborne. It is the mindsets, the personal feelings, the social norms within the target human group and... the FCKUPS.

Mustachy kisses and dudely hugs fly to all pentesters and the magicians who develop golden exploits! Please do not cut and eat me alive :D

-dp

On 2015-10-27 06:22, Konrads Smelkovs wrote:
> In my view, security improvements in organisations are driven by breaches and red team exercises/pentests. While breaches give hard lessons learned, red teams often don't, and that's because we reward red teamers for a "domain admin" rather than longer-term persistent access.
> 
> This is what I call reach for the sky/rocket launch: you get domain admin, get a screenshot of the CEO's e-mail and declare the job done. In reality, a good simulation would be to "stay airborne": take a screenshot of the CEO's e-mail/exfil the PST every week.
> 
> That's not to say that there isn't a scenario where destruction of assets is the end goal of an attacker, but even then, I would argue that red teamers ought to put an .exe in autoruns for every PC they wish to have done a simulated wipe on.
> 
> 
> 
> --
> Konrads Smelkovs
> Applied IT sorcery.
> 
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
