Okay, I guess we'll go ahead and get started. Good afternoon. I hope everyone's enjoying the conference. This is my first time at CypherCon. I found out about it a year or two ago and had been interested in coming, then ran into Michael at GrrCON last year and ended up speaking here. So thanks, everyone, for joining today. It's only my second time in Milwaukee. Back in 2016 or 2017 I was pentesting for AT&T, working as a consultant for them, and went to Madison, Wisconsin, so I just passed through. This is a pretty cool place; I'd like to make it back again sometime.

The title of my presentation is Optimal Offensive Security Programs, and it came out of an experience I had at a company where I was a red team lead. It was a large global consumer products company, and when you work in a certain area like cybersecurity, you just expect other people in the organization to know that area as well, which is a mistake in a lot of cases, as I found out. The interesting thing was that I realized some of the other security and IT folks didn't know the difference between a red team operation and a pentest. What I also didn't realize was that the CISO, the person who hired me, really didn't know the difference either: it was a red team, but we were doing all these internal network pentests and Active Directory pentests, not truly red teaming. So I created a single PowerPoint slide for people in the organization to show the difference between the assessment types. One example: one of the directors there wanted a red team operation done against an SAP app. You don't red team applications like that, especially an SAP system, which is pretty delicate and could easily be taken down, and a lot of important information and apps were being used on that system.
So I came up with a slide, and that really was the inspiration for this talk. I've expanded a little further from the original talk and added some of the gaps you traditionally see in pentesting, and we'll cover that.

A little about myself, for those of you who may not know me. I just started a role at Phosphorus, where I'm the xIoT security evangelist; I was recently laid off from a company that had an automated pentesting product. I've been in cybersecurity for 21 years as of this January and on the offensive security side for over 12 years. I'm a former adjunct instructor; I used to teach pentesting and web app pentesting at Dallas College, and that's where I got the idea for my book, The Pentester BluePrint. It was originally a lecture for my students, which I turned into a conference talk and gave at BSides Dallas-Fort Worth for the first time in November 2018. I was in the Tribe of Hackers Red Team book, and Wiley Publishing said, hey, do you have any ideas for books you'd like to write? So I decided to turn it into a book. From doing a lot of teaching and educating on pentesting, I found that this content is valuable to blue teamers and folks on the management side to better understand offensive security.

I'm also a podcaster. I used to host The Hacker Factory podcast and currently host The Phillip Wylie Show. I've had some pretty well-known people on there, and at least one person in the audience here has been on my podcast. The way I like to describe the podcast is that I get some of the legends in the industry and some of the hidden gems: people I found out about through meeting them at conferences like this and at different cybersecurity meetups, who have some really interesting stories.
One of the main reasons for the podcast is that one of my core values is sharing content, as well as helping and motivating people who want to get started in cybersecurity.

Some fun facts about myself that I like to share. I always used to share this during career talks, but an interesting fact about me is that my first professional endeavor wasn't pentesting or IT; it was pro wrestling. When I graduated high school, I didn't know what I wanted to do for a living, and some of my classmates told me, hey, you should be a pro wrestler. So I went to wrestling school and wrestled for a while. This is actually me wrestling a 750-pound bear. I was about 21 at the time, and people asked, why would you do that? Most of you guys know we do stupid stuff when we're young, and this was one of those things. I went to wrestling school with The Undertaker, and I wrestled the Road Warriors and the Midnight Express. I was what they referred to as a jobber, or a job boy, because when you start out, you have to lose all the time. It's interesting how that works: unless you've got connections or you're related to someone, everyone starts out that way. Even The Undertaker had to lose all the time starting out. But I got out of it before I could ever get anywhere, because I got married and needed a job with benefits and a stable income. My full-time job was working as a bouncer; wrestling was only part-time, though I wanted to get into it full-time. So I went to a trade school, learned AutoCAD, moved into IT as a sysadmin, got into security, and eventually pentesting. This was actually the nightclub I was a bouncer at. We put on a little independent match there one time; that's the ring, and me wrestling the bear was in that same place. They had a special event where they brought in a wrestling bear, and anyone could wrestle the bear.
Interestingly enough, this was the second time I wrestled the bear, and the way I can tell is that whoever did the best against the bear won this yellow T-shirt that said, I wrestled Samson the bear and lost. So I switched into that shirt. I'd also won a $40 bar tab, and I knew the bartenders there, so the bar tab was kind of unlimited. So in this picture I'm actually drunk. It's funny, because the bear wasn't muzzled and ended up biting my ring finger, and I remember the trainer, the guy in the white striped shirt dressed like a referee, saying, hold still while I get your finger out. But I was sober enough to know I was going to get my finger out of the bear's mouth myself, because I didn't want it bitten off. So it was an interesting story. I woke up the next day with a hyperextended foot, had to go to the doctor, and got a tetanus shot since I'd been bitten by the bear. If anyone's interested, you can check out my YouTube channel; I've got some videos of my former wrestling matches on there.

So, the agenda: we're going to do an intro to offensive security, discuss the different types of offensive security approaches, gaps in offensive security programs, and strategies to optimize and overcome those gaps.

Offensive security is basically using the techniques a threat actor would use. Hacking and social engineering are the ones that most commonly come to mind, and physical breaches are something people sometimes forget: threat actors actually use a physical approach. So this is a way to assess your security from a threat actor's perspective. You're always hearing in the news that hackers or nation states breached this company, and there's no better way to assess that than by using those types of techniques.
As you get into the different types of assessments, you're leveraging more in-depth techniques, more like a threat actor, and some are more realistic to what a threat actor does. We'll get into the different assessment types and you can see how some are more realistic to an actual threat actor. One of the things about an offensive security approach is that it shows you what needs to be prioritized for remediation. A lot of times companies have to file risk acceptances for vulnerabilities because remediating the issue might cost a lot of money for new hardware, software, or even new staff, and sometimes companies will write a risk acceptance to avoid that expense, which gets frustrating sometimes.

One of the most interesting and frustrating risk acceptances I've seen: I was doing an external pentest of a company, and through a SQL injection vulnerability I was able to get command-line access (they had xp_cmdshell enabled on the server), dump the password hash, and crack it in 30 seconds or less using John the Ripper. When I submitted the pentest report, with command-line access to the server, the customer said, oh, this is a development server, so we don't need to remediate this; we're just going to file a risk acceptance. And I guarantee you, you know darn well, that they were probably using that same password on other systems, because the password was password1, all lowercase, with the numeral one. But since the rules of engagement covered only this application pentest, I wasn't able to go any further than that. That's some of the frustration you deal with sometimes, and I know some folks on the defensive side want to remediate these things but aren't getting the budget to fix them.
It's interesting the way budgeting goes. I worked on a pentest once for a large law firm: five of us showed up on site with five days to test the firm thoroughly, and the chief security officer was pointing out vulnerabilities in the environment because he'd been trying to get the company to remediate them for years. Sometimes companies get a little tone deaf when it comes to things that need to be done, and when the consultant mentions it, they'll do it, partly because it's documented and in writing, so it's hard to avoid. So he was pointing out issues in the environment.

Offensive security plus vulnerability management: offensive security is an important complement to vulnerability management, because it's a way to test how well your vulnerability management is working. Vulnerability management is also a good way to fill in between pentests, because sometimes pentests aren't done as frequently as you'd like, or as is really needed.

Here are some of the different assessment targets. This is not an all-inclusive list, because it's going to grow over time. Those of you who have been in this field any amount of time, think back 12 years or so, when cloud really wasn't around yet; we were just getting started, and a lot of these things weren't as prevalent. More things get added over time. When medical devices were created, people really didn't think there was a need to pentest them, because who would harm someone's insulin pump or pacemaker? Over the years, the people who build technology often haven't thought about security because they never had to, and they deal with it later, so these types of targets need to be assessed. Things like AI are becoming more popular and need to be tested as they're more widely adopted.
So, the different approaches. Vulnerability management is one of them. It's not an assessment type, but it's an important part of the overall program. Then there are vulnerability assessments, penetration testing, and red teaming, also known as adversary emulation. A lot of times in job descriptions you'll see VAPT; the VA is the vulnerability assessment part of vulnerability assessment and penetration testing. I really want to document here that vulnerability management is not an assessment type, but it's important, and we'll get into the details.

Vulnerability management is the cyclical practice of identifying, classifying, prioritizing, remediating, and mitigating vulnerabilities. This could be anything: system related, software related, even physical security could be part of it. One of the things that gets missed a lot of times is asset discovery. If you really don't know everything you have in your environment, it's hard to assess and hard to secure. When I worked at the company where I was the red team lead, we outsourced our web app pentests. One year we had half a million dollars to burn up or we'd lose the budget, and it took a couple of weeks to get all the URLs for all the applications we had, because they didn't have a good inventory. This goes for anything, including systems on an internal network: having that inventory so you can make sure everything is being tested. So this is one of the things that gets missed sometimes in vulnerability management programs. Then there's vulnerability scanning, which is the more common piece people know about, and there's also vulnerability remediation, including patching, that should be part of the program. And this is a repeatable process.
You want to do this on a monthly basis, or I'd say every two weeks, or weekly if you have the resources to do it on that basis. This is a good filler between your pentests, and you're able to find some things. Here's a story about the need for frequent pentests and how vulnerability management and vulnerability scanning can help. I did a pentest once for a customer that only did annual pentests, with a 90-day retest. During that pentest we found criticals, highs, mediums, and lows. When I came back 90 days later for the retest, during my initial vulnerability scanning I saw they had remediated all the criticals, highs, and mediums. But now one of the low-criticality vulnerabilities had an exploit: someone had figured out how to exploit it. It wasn't being actively exploited, but there was an exploit for it. If they hadn't had this follow-up retest done, that would have sat vulnerable for another year or so. That's one reason why you want to pentest frequently, and another reason why doing vulnerability scans in between can be helpful, because this was a simple CVE detected during a pentest that could have been detected just by them doing vulnerability scans on their own.

Vulnerability assessments are similar to vulnerability management, but you're also using other scanning tools. You may use a secondary vulnerability scanner, because sometimes Nessus will find something that Nexpose or Qualys doesn't, and vice versa, so you see organizations use multiple scanners to pick up something the other one didn't. Manual testing is also used, with a lot of the manual techniques you'd use in pentesting, short of actually trying to exploit anything. This is a good way to rule out false positives, because you're validating the vulnerabilities you find, and you're also able to find some false negatives.
Maybe there's something the vulnerability scanner didn't find; maybe you're able to run something in Metasploit to find vulnerabilities that were missed. So this is a better effort than vulnerability scanning alone, but it's not quite pentesting yet, because you're not actually doing the exploitation, the actual hacking piece.

Pentests are similar to vulnerability assessments, but you go a step further than just validating: you see if you can exploit any of those vulnerabilities. Once you know which are exploitable, you see if you can do any post-exploitation activities like data exfiltration, privilege escalation, or accessing data, because you don't always have to be admin, root, or domain admin to access critical or sensitive data.

Then there are the different pentest types. Black box is more the hacker approach: basically you've got limited to no information. One example was a full-scope pentest I did for a company, taking a black box approach. We only had the physical location, because physical security was in scope, so it was up to us to do reconnaissance to find the IP addresses, domains, and subdomains. One valuable thing from that reconnaissance was that I found an FTP server in Indonesia that wasn't in the list of IP blocks I had identified. One thing about this approach is that it takes a lot more reconnaissance to find all the assets that need to be pentested, and it's also one way you can miss things that need to be tested. The next step is the gray box approach, which has a clearly defined scope: all the IPs, subnets, and applications that are in scope. This is a better way of doing things because you have everything in there and you're not going to miss anything in scope. The next type of test is white box, also known as crystal box or assumed breach.
This one became popular with application testing because there are different levels of access to a system, and you want to test at each level. It also became popular with network pentesting because, over the years, companies would go in to pentest an organization and maybe couldn't get a foothold unless social engineering was in scope. A lot of times they'd write up the pentest report and it would look like the organization was secure, but that didn't take insider threats into consideration. In a lot of cases there are chances for insider threats: disgruntled employees, or nation states implanting their people within organizations to get intellectual property and that type of thing. I've heard of instances where hardware companies or hard drive manufacturers had someone come in from China and implant themselves in the organization to steal intellectual property. It's a lot easier to get that data when you have actual authorization to access it, or even just being on the network, you can do things to access it further. Then you have disgruntled employees and leaked credentials; a lot of times people reuse credentials from their personal life that got leaked. There are also applications where you actually sign up online, and you need to test that, because the black box approach alone has its weaknesses, but it's good to combine them. You start the test with an unauthenticated approach and then move on to the white box approach after that if you're not able to get a foothold. If you totally eliminate the unauthenticated approach and don't try to get that foothold, you may miss some exploitable vulnerabilities.

Red teaming is where you're actually emulating a threat actor, using the TTPs of real-world threat actors. With a pentest, you're trying to find all the exploitable vulnerabilities and exploit them.
But with a red team operation, you're trying to find a single way in, you're leveraging more social engineering, sending phishing emails to get that foothold, and you have to go undetected. With a pentest, everyone in the organization knows what's going on, so if there's an outage or anything strange, they can report it, in case there's malicious activity going on at the same time. But with a red team operation there's a control group, usually just the CISO and some other management outside of IT or the blue team, so that they're actually testing the response time of the defensive team. One of the best outcomes I've heard of from a red team operation was a company that had an incident response team on retainer in case they ever had an incident. One day during the red team operation, the defenders reported to their CISO that they'd already brought in the IR team to investigate, and the CISO said, yeah, this is an authorized red team operation. That's a good outcome: maybe they didn't block the attack, but they identified it and started working to remove the attackers from the environment. So this is also a good way to test your incident response plan. You hear about people testing their business continuity and disaster recovery plans, and this is a good way to test your incident response plan, in the same spirit as your tabletops, but taking it further into the physical. And you don't want to do just red teaming. This is something you add after your organization is more mature, because if you're just doing red teaming, you're going to miss a lot of exploitable vulnerabilities and leave a lot of vulnerabilities in your environment that can be exploited.

So here's the slide I mentioned that I created for the organization, where you can see the differences.
There's asset discovery across all of these, and then more reconnaissance for vulnerability assessments, penetration testing, and red teaming. With vulnerability management, it's asset discovery. A lot of vulnerability scanners have an asset discovery feature, and other tools like Axonius and runZero do asset discovery. That's a good way to keep up with it so you're scanning everything in your environment. Then you get into the remediation piece, which I didn't list here, but there's remediation across all of these. It's a cyclical process that you repeat, and more frequently at the top; as you get further down toward red teaming, these are less frequent.

A vulnerability assessment, as we mentioned earlier, is basically a pentest without the exploitation, and there are times when you want a vulnerability assessment over a pentest. One example was a Wi-Fi pentest I was doing for a hospital. I got into that environment, and while doing my initial scans and reconnaissance, I noticed medical devices in the emergency room and operating room connected to this Wi-Fi network. I went back to the CISO, and what we ended up doing was a vulnerability assessment plus a wireless controller and access point configuration review to look for vulnerabilities and get the best of both worlds without endangering people and the environment. If you had a dev environment with those devices, you could have pentested them, but we opted to make it more secure. There are also cases where you're in an OT environment with ICS devices that you may not want to pentest, because you don't want to negatively affect systems that could injure people or hurt the company's revenue. So you can see the differences.
Once you get into the pentest, you're doing the exploitation and post-exploitation. With red teaming, your reconnaissance has to be quieter, you're using techniques that are harder to discover, and you're leveraging things like social engineering. In some cases you'll see more physical pentesting here too.

Now, identifying gaps in offensive security programs. A brief history lesson on pentesting: it really got popular and recognized through compliance-based pentesting like PCI DSS, where it was a requirement. Companies weren't doing it, so the nice thing about compliance pentesting is that it brought awareness and people started pentesting. Even some people who realized they weren't under PCI requirements saw that it was a good idea. So it brought awareness, but it also limited the scope. Companies had budget specifically for PCI, so other areas that are still at risk weren't being pentested. It got so narrow that things like social engineering and physical pentesting were taken out for budgetary reasons, since they weren't seen as a requirement.

Also, assessment frequency. Pentests are referred to as a snapshot of your security posture, or a time-boxed test, and the time between tests is an opportunity for threat actors. This goes back to the point about doing frequent pentests; you can use vulnerability assessments and vulnerability management to fill in between. Although the optimum is pentesting more frequently, these are ways to optimize and limit those opportunities for threat actors. And there are overlooked methods: physical security controls, social engineering, red teaming, assumed breach assessments, and purple teaming.
Purple teaming is one of my favorites of the newer assessment types. The red team and the blue team work together, collaborating on different types of attacks, seeing if they're detected, and tuning your systems to block them. Another good thing is building that collaboration, because traditionally it's been an us-against-them scenario. Working together as a team, they're more likely to share and build that collaboration, which is very helpful. Other things that get missed are the types of environments: wireless networks, OT, cloud, and IoT can be leveraged by threat actors. There was an Akira breach a while back where the threat actors weren't able to get a foothold because of EDR, but they were able to attack an IP camera running a Linux operating system and get a foothold through that.

To overcome these gaps: pentesting frequency, using vulnerability scanning and vulnerability management, vulnerability assessments too, and also using autonomous or automated pentesting to help. There are products out there that automate this, and they're tools that can elevate and scale what your pentesters are doing, helping them do more in less time. When I worked at a bank, we had 13 pentesters, and with some kind of automation we could have done a lot better, because we were only getting through half of our pentests each year for PCI, even with 13 of us on the team. If we'd had some type of automation, we could have gotten through them multiple times. Implementing bug bounty and responsible disclosure programs is also a good way to help with your external attack surface. And for overlooked methods, make sure you're implementing social engineering and phishing campaigns.
One thing that gets overlooked with phishing campaigns, and Ed would probably know this from his experience in social engineering, is that companies run traditional phishing campaigns, or use some of these tools that test security awareness and whether people click on links, but they're not really testing what happens if someone clicks on malware. You need to see what happens beyond that. Even if nobody clicks on the malware during the phishing campaign, you should go in and do an assessment where you click the malware from a company system to see what you're able to do beyond that. Also make sure you're testing physical controls, and not just for your digital assets. This includes paper files, or, if you're a telecom company, the trucks you're using; you want to make sure those are safe. If you're a power generation or water treatment facility, you need to protect those. So testing your physical security is important. Implementing purple teaming, also known as security controls validation, is important and helpful. To help remediate these gaps, also make sure you're testing wireless networks, cloud, and IoT, including IoT cameras. Going back to the IoT camera being breached, one of the big footholds people use now, and one we'd always use as pentesters if we couldn't get a foothold, is the printers, because sometimes those can be accessed. IoT devices and printers are becoming a bigger target because of how well endpoint detection systems work; evading those endpoints is getting more difficult, and not only are pentesters doing that, so are the threat actors.

That concludes my presentation. We may have a couple of minutes for questions. I'm happy to answer any questions.
If you don't think of your question now, feel free to reach out to me on LinkedIn or Twitter, and if you ever want to chat about security, I do a lot of mentoring around offensive security and I'm happy to have a chat with you. So does anyone have any questions? I'd be happy to answer. Thank you. Yes.

[Audience question not captured.]

So certifications are good. If you're going to get a certification, PNPT is good, OSCP is good. CEH is going to be helpful if you're doing work for the government. But OSCP or PNPT, and the Hack The Box certs are starting to gain traction; those are good. Learning-wise, I recommend starting out with TryHackMe and then moving on to Hack The Box, because Hack The Box recently added some OT content, created in collaboration with Dragos, which is a well-known OT security company, and they've added cloud content too, so it's a really good place. Get your feet wet with TryHackMe and then move on to Hack The Box. They've got their Academy, which has a lot of good learning content, and one of the directors there who runs that content used to work at eLearnSecurity before they were acquired by INE. Those are really good places, and some companies actually use Hack The Box labs in their vetting process for pentesters. A lot of times, if you're hiring on for a pentesting job, they'll give you an actual hacking challenge, a vulnerable machine to pentest, so you really need practical things like Hack The Box to practice hacking on. Those are really good, and they're some of the lower-cost options.
PNPT and the TCM Security stuff are really catching on and getting more traction; they're a little more user-friendly, because when the OSCP came about, it was really geared toward someone who had a bit of experience. Now a lot more people are aware of it, and there are lower-level classes you can take to build up to it, but I would recommend something like Hack The Box or TryHackMe because they're less expensive and constantly adding new content. Some of these other companies' labs are kind of outdated, but Hack The Box does a really good job of keeping their labs up to date. Great question. But go ahead and get certifications. Certifications are kind of a checkmark and help you get interviews, but once you get good at pentesting, you can really get around them, because, like I said, even if you have the certification, you may get a challenge where you have to pentest an environment. Good question. Anyone else? Doesn't look like anyone else has any questions, so that concludes it. Thanks, everyone.