.

Defending the Castle by Actively Abusing It

<<

sil

User avatar

Hero Member
Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Sun Mar 27, 2011 11:18 am

Defending the Castle by Actively Abusing It

The following paper was submitted as my thesis for the RWSP certification. Thought others may find interest in it.

Abstract

Research indicates that current trends in information security threats outpaces the security controls that reduce and or eliminate information security vulnerabilities. This document examines the approach of achieving maximum information security defensibility, by utilizing effective offensive testing. Compared are the differences in the effectiveness of security testing by performing a controlled test – referred to as “vanilla” testing, and a responsibly orchestrated blackhat test. Contrary to popular industry belief, realistic “adversarial” testing can be accomplished in a responsible manner without the consequences of “bringing down the house,” contrary to popular belief. Offered, are arguments, costs associated with testing, and counterpoints against organizational decisions that disallow certain types of testing. Blackhat based testing is similar to what a malicious and structured attacker would perform and it is believed that by performing “blackhat” testing, we are taking a “realistic” approach to vulnerability testing. This is the proper route to take to ensure fully scoping the potential vulnerabilities in a given environment in an effort to maintain proper defensibility.

http://www.infiltrated.net/defending-the-castle.pdf

For those seeking more information about the RWSP:

The RWSP is based on an individual's ability to handle and react to real-world security situations. Security within the RWSP is approached from both an offensive and defensive perspective. The RWSP is a peer reviewed certification that is composed of three (3) primary components:

1) The Real World Security: Attack, Defend, and Repel training course is an intensive, hands-on course for intermediate to advanced security professionals. Students are split into two (2) teams allowing for one (1) day focused on offensive aspects and one (1) day focused on defensive aspects. The simulations are real, but based on a fictional storyline. The training course allows for the practical demonstration of skills and allows the students of the course to review the participation, leadership, and contributions of each RWSP candidate students.

2) Knowledge Metric: Immediately following the completion of the Real World Security: Attack, Defend, and Repel course a knowledge metric (test) is given to those individuals wishing to become a candidate for the RWSP certification. After successfully passing the knowledge metric with a 70% or better, the individual becomes an RWSP candidate.

3)Peer Reviewed RWSP Project: This practical written project is an information security focused around a topic of interest to the RWSP candidate. Initially, RWSP candidates are given 60 days to complete the project based on a given collegiate writing standard, such as APA or MLA. In this format, papers are expected to cover the subject thoroughly and end up at approximately 15 pages.


http://www.rwsp.org
<<

yatz

Full Member
Full Member

Posts: 222

Joined: Tue May 25, 2010 2:58 pm

Post Sun Mar 27, 2011 12:19 pm

Re: Defending the Castle by Actively Abusing It

Sil, it never ceases to amaze me the sheer volume of text you seem to produce.  Thanks yet again for a nice piece of reading.
"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Sun Mar 27, 2011 12:39 pm

Re: Defending the Castle by Actively Abusing It

Great read, sil, as always!  Thanks.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

sil

User avatar

Hero Member
Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Sun Mar 27, 2011 1:02 pm

Re: Defending the Castle by Actively Abusing It

yatz wrote:Sil, it never ceases to amaze me the sheer volume of text you seem to produce.  Thanks yet again for a nice piece of reading.


:( And I've been actually trying to tone down the volume! I responded to an "article" (say that lightly) and both my responses to the "author" were probably longer than every article he ever wrote collectively (https://infosecisland.com/blogview/1269 ... cture.html) ...

Paper was a bit difficult due to the nature (APA format)... I needed to include images to have readers understand it (mind you APA = no pictures). Nevertheless, its this same approach I take to perform testing: "Let me do what I need to do... Otherwise you're selling yourself short on a pentest." I tried to write it not only as a thesis, but as a paper to allow others in this industry the necessary relevancy in pitching blackhat style (realistic) testing to managers, while explaining to managers why they need to allow their workers to do what needs to be done. "You can't run that tool!!!" Sure I can and its advisable that you allow me to
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Sun Mar 27, 2011 1:47 pm

Re: Defending the Castle by Actively Abusing It

sil wrote:"You can't run that tool!!!" Sure I can and its advisable that you allow me to."


<nod> and amen!
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

AndyB67

User avatar

Full Member
Full Member

Posts: 100

Joined: Fri Jan 14, 2011 7:13 am

Location: UK

Post Sun Mar 27, 2011 2:48 pm

Re: Defending the Castle by Actively Abusing It

Nice bit of testing and great write up.

I take it that the mind-set you put across about the testing, as in don't test it too hard as you may break it, is prevelent out there? 
Net+ Sec+ More to come
<<

skitch

User avatar

Newbie
Newbie

Posts: 5

Joined: Thu Oct 23, 2008 10:17 pm

Location: Southsea

Post Sun Mar 27, 2011 2:51 pm

Re: Defending the Castle by Actively Abusing It

Nice read! I liked your points stressing the importance of client side assessments and the definitions/approaches of the different types of attackers. While maybe outside the scope of this paper, it would have been nice to see a counter-argument to a "reckless" audit from a corporate perspective.

The cost analysis for the red team and its comparison to a breach was also a nice touch, thanks for sharing :]
<<

lorddicranius

User avatar

Sr. Member
Sr. Member

Posts: 448

Joined: Thu Mar 03, 2011 3:54 am

Post Mon Mar 28, 2011 1:24 am

Re: Defending the Castle by Actively Abusing It

sil wrote:I tried to write it not only as a thesis, but as a paper to allow others in this industry the necessary relevancy in pitching blackhat style (realistic) testing to managers, while explaining to managers why they need to allow their workers to do what needs to be done. "You can't run that tool!!!" Sure I can and its advisable that you allow me to


This is spot on, very nice write up!  And I agree w/ skitch on the cost analysis bit.  I know I'll be re-reading this and using some of the points you've made in future discussions with my company.  Thanks again for sharing! :)
GSEC, eCPPT, Sec+
<<

R3B005t

Newbie
Newbie

Posts: 43

Joined: Wed Mar 09, 2011 9:03 am

Location: NVA/D.C.

Post Mon Mar 28, 2011 6:41 am

Re: Defending the Castle by Actively Abusing It

Sil I continue to be impressed by your unique views and insight.    I think you and I are in pretty much the same boat; I’ve got 2 kids 2 and 3, work, school, heavy metal, video games etc... Where does one find the time to compose such well thought out responses? I caught your response to the SCADA article and must admit I LOLd a bit.  +1 for the KFC reference!
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Sat Jun 11, 2011 10:59 am

Re: Defending the Castle by Actively Abusing It

sil - you got some attention, today.  Dave Aitel (Immunity) tweet'd a link to your paper on slideshare, today.  Was nice to see your doc pop up again.  ;-)
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

sil

User avatar

Hero Member
Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Sat Jun 11, 2011 1:54 pm

Re: Defending the Castle by Actively Abusing It

Dave & co >= pimp*
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Sat Jun 11, 2011 2:14 pm

Re: Defending the Castle by Actively Abusing It

LOL
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

alucian

User avatar

Full Member
Full Member

Posts: 228

Joined: Mon Dec 29, 2008 2:01 pm

Location: Montreal, Canada

Post Mon Jun 13, 2011 12:24 pm

Re: Defending the Castle by Actively Abusing It

sil wrote:
Paper was a bit difficult due to the nature (APA format)... I needed to include images to have readers understand it (mind you APA = no pictures). Nevertheless, its this same approach I take to perform testing: "Let me do what I need to do... Otherwise you're selling yourself short on a pentest." I tried to write it not only as a thesis, but as a paper to allow others in this industry the necessary relevancy in pitching blackhat style (realistic) testing to managers, while explaining to managers why they need to allow their workers to do what needs to be done. "You can't run that tool!!!" Sure I can and its advisable that you allow me to

Thank you very much for this paper!

I presented it to my managers and they bought it. It really helped me. After few months of fighting I start to see a change in their attitude towards security. One of them told me that before they were looking for IT security specialists with a lot of experience in doing all kind of documents and processes. Now he will look more for technical skills.

Keep up the good writing.
CISSP ISSAP, CISM/A, GWAPT, GCIH, GREM, GMOB, OSWP
<<

sil

User avatar

Hero Member
Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Mon Jun 13, 2011 1:08 pm

Re: Defending the Castle by Actively Abusing It

alucian, I'm glad it helped. I just scribbled something on infosecisland a bit similar called: "Security - Stupid is as Stupid Does" https://infosecisland.com/blogview/1432 ... -Does.html worth reading if you have some spare time. Its not technical, more of like "techie vs. management"
<<

alucian

User avatar

Full Member
Full Member

Posts: 228

Joined: Mon Dec 29, 2008 2:01 pm

Location: Montreal, Canada

Post Mon Jun 13, 2011 2:57 pm

Re: Defending the Castle by Actively Abusing It

Nice article. Already commented on the other site.

Thanks!

PS How do you think that internal audit can help the security department? In some institutions they have a lot of power, but is it used in the right way?
CISSP ISSAP, CISM/A, GWAPT, GCIH, GREM, GMOB, OSWP

Return to Other

Who is online

Users browsing this forum: No registered users and 1 guest

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software