[Dailydave] reach for the sky vs stay airborne
Darkpassenger
darkpassenger at unseen.is
Tue Oct 27 21:55:47 EDT 2015
I've got a couple of counterarguments here:

- Not every biz can deal with the reality of a red team getting access to their shit. Forget about this in .gov and serious .mil environments, despite all the claims. Upstairs managers usually don't want external entities messing with the "current stability" of their area, even if they understand they might have problems. Notice that I am referring to two concepts here: 1) stupidity and corruption, which is very often the case; 2) the reality of the nature of these businesses. There are others who don't want red teams revealing how bad the situation is. I have seen petrochemicals and secretive finance actors, or even political organizations, who are not even ready to hear of doing one red team exercise, let alone accepting the recurrent existence of external access of any kind.

- A red team being successful in getting screenshots doesn't mean that the security measures afterward are going to protect against APT-type attacks. Many of the breaches happened and will happen in environments that are already dealing with red teams. Basically the adversary is better, or gets lucky, or is much more persistent and serious. A red team doesn't do magic if you are a target for a powerful player. Therefore, having deals with a red team vs. whether you are a potential target or not is a much more important problem to be wary of.

- Red teams are valueless in the case of insider-based threats. What I have seen so far as extreme damage usually has insider factors: either an informed and motivated insider or stupid, disillusioned ones.

- Staying airborne often contradicts organizations' strategies, mostly in IT development. External entities make it hard and expensive for managers to handle their work, the budget, their pretty beautiful figures for higher-level managers, etc. Even very educated and seasoned managers often prefer the illusion of being already good to getting constant screenshots from red teams. The headaches of this, the meetings it needs, the unhappy inside engineers who complain about outsiders messing with their shit... these are real facts in all sorts of organizations. So the predators get what they want and then there is the blame game. How many times I have seen this I can't recount.

- Last but not least, what the infosec industry calls "improvements" usually means "failures" in the mindset of other components of the organization. I understand pentesters and red teams may find it a victory and progress to get screenshots, but this often doesn't have the same feeling for others who play different roles. There is an inertial opposition mindset for role players in an organization against recurrent victories of red teams. The screenshots always result in whispers, unhappiness, and most importantly changes in whatever exists, and who likes that?

I know I sound harshly cynical toward organizations' personnel, managers and overall "human factors", but I believe it's realistic and factual. While as a trivial concept I trust a tangled "tangible" recurrent test procedure is a must for an organization to stay far from hack harms, I don't see the major reason behind most breaches and losses as the lack of defensive arsenals or not staying airborne. It is the mindsets, the personal feelings, the social norms within the target human group and... the FCKUPS.

Mustachy kisses and dudely hugs fly to all pentesters and the magicians who develop golden exploits! Plz do not cut and eat me alive :D

-dp
On 2015-10-27 06:22, Konrads Smelkovs wrote:
> In my view, security improvements in organisations are driven by breaches and red team exercises/pentests. While breaches give hard lessons learned, red teams often don't, and that's because we reward red teamers for a "domain admin" rather than longer-term persistent access.
>
> This is what I call reach for the sky/rocket launch: you get domain admin, get a screenshot of the CEO's e-mail and declare the job done. In reality, a good simulation would be to "stay airborne": take a screenshot of the CEO's e-mail/exfil the PST every week.
>
> That's not to say that there isn't a scenario where destruction of assets is the end-goal of an attacker, but even then, I would argue that red teamers ought to put an .exe in autoruns for every PC they wish to have done a simulated wipe.
>
> --
> Konrads Smelkovs
> Applied IT sorcery.