[Dailydave] Incident Response Response.

Dave Aitel dave at immunityinc.com
Wed Jan 27 12:58:13 EST 2016


As much as I love CANVAS (and Impact and MSF) for penetration testing,
there are times when we have to replicate much more realistic attacks
for our clients, especially relating to post-compromise long-term data
exfiltration and lateral movement.

In particular, there is an ongoing theme of "Incident Response Response"
that we see. Chris Gates points out some features of this in his recent
talk on "Purple teaming"
<http://carnal0wnage.attackresearch.com/2016/01/purple-teaming-lessons-learned-ruxcon.html>
but I wanted to go further and look at what INCIDENT RESPONSE RESPONSE
really is.

Lucky for me, around minute 10, one of our engineers goes into detail as
to what INNUENDO does when the IR team starts to block its C2. This is
the exact moment I realized what we could do that CANVAS/MSF/etc cannot.

https://vimeo.com/153178215 (This is the second video, but watch this first)
https://vimeo.com/153154139 (First video, but watch this second.)

There's both ENGINEERING and a completely different set of mental
concepts for how you do penetration in here. Everyone else is so
obsessed with maintaining a connection to your target. But for INNUENDO,
the design goal is "Target may only be at Starbucks for 2 hours a week -
we still want full capability".

-dave

