Operationalizing Red Teaming for Fun and Profit
TRANSCRIPT
November 15, 2016
Operationalizing Red Teaming for Fun and Profit
Ian Allison | Security Testing & Red Team | devsecops.org
@iallison
• Commodore 64 - 1984
• 300 Baud Modem
• LOAD"*",1,1
• BBS
• Lots of txt files
Background
• Large Scale Linux Admin
• IT Security Audit
• Cyber Wargames Designer and Operator
• Offensive Security Instructor
• Penetration Tester
• Embedded Device Security Tester
• Security Researcher
This Path Leads To
• Developers are stupid
• Developers don't care about security
• Developers just care about deadlines
• DevOps are even worse!
• Until....
Chasing the Red Rabbit, A.K.A. DevSecOps
• In my first week: write a microservice API and get it securely into production in the cloud
• Instant developer empathy
• Iterate code, security and secure deployment in the cloud
• All security applications are hosted in the cloud
Second Step into DevSecOps
• How do you make sure all your baseline images are safe?
• How do you do it for thousands of AWS accounts?
• You have to write your own automation
• Learn the inner workings of your cloud provider
Scanners Suck
• Spray and Pray
• Only as good as their signatures
• Remediation guidelines are not actionable
• False positives abound
• Who else loves reading 200 page PDFs?
Scanner Vendors Suck
• Usually have proprietary on-host databases (kills cloudiness)
• Hard to correlate the same vulnerability across multiple vendors
• Don't share as much as they should
(Image: By Clark Stanley [Public domain], via Wikimedia Commons)
Traditional InfoSec
• Compliance
• Regulations
• Appliances
• Perimeter
A.K.A. "Bow to my Firewall" - Bruce Potter
InfoSec is Selfish
• Good at saying NO
• Remediation is up to the developers
• Feedback is a Scanner report
• Only solves for security and compliance, not developers
• Don't like to share
Trends in the Media
• SaaS for DevOps Security
• Collaborative Security
• Tools, CICD, appliances and CASBs, oh my
• Configuration Management is the answer to everything
• Compliance will help protect you
DevOps Jobs vs Security Jobs
(Chart: InfoSec Jobs vs DevOps Jobs, from http://www.indeed.com/jobtrends/)
The Golden Ratio
• Research varies as to the ratio of Security to Developers
• 1 to 1000, to 8.5 to 100
• 1 to 5000 networked devices!
• What if Security and DevOps were one and the same?
http://www.infosecisland.com/blogview/8327-How-Many-Information-Security-Staff-Do-We-Need.html
DevOps == Opportunity
• Can be an amazing thing when done right
• Fast, lean and efficient and secure
• Integrate security checks with CICD and catch low hanging fruit
• Security needs to learn how to adapt and evolve or it could become irrelevant
• When DevOps is done wrong...
It Looks like This
How Do We Make it Better?
• Allow Dev teams to assume the risk of their decisions
• No more Security exceptions or sign-offs
• Security is everyone's responsibility
• Test the crap out of your own stuff like an attacker would
Reality
• Scanners find the absolute bare minimum
• Bad default configs are a HUGE problem, even with SaaS vendors
• Manual testing can uncover defects that have been hiding for years
• The attackers are more skilled and motivated
Getting Dirty
• Started small, lean and focused on the cloud
• Worked like an Agile DevOps Team
• Found, reported and fixed thousands of vulnerabilities not found by scanners
• This was all done manually with the use of some tools
What is a Red Team?
• Use the same tactics as attackers
• Only scope is "Don't take down production"
• Need to adapt and evolve like an attacker
• Prove risk actually exists
• Should be writing their own exploits
• Should have ongoing campaigns that mimic attackers
Red Team Mindset
• Use applications in ways they are not intended.
• Not just technology focused
• Silent Intruders
• Physical Security
• Social Engineering
• Phishing / Spearphishing
• Watering hole attacks
Illustrating Risk
Red Team != Penetration Testing
• Pentesting is tightly scoped
• Non-realistic attack scenarios
• 5% fun, 95% meetings and reporting
• Quickly becoming a type of compliance
Some of the Tools Used
• nmap
• curl
• Burp Suite
• Metasploit Framework
• Gauntlt
• Github
• Shodan.io
• Jira - Case Management
• Multiple cloud providers
• Jenkins - For automation / scheduling
• Nexus - For finding bad libs
• Homemade tools
Impacting Release Schedules
• Defects can cause churn
• Can cause escalations to upper management
• Forces trade-offs between releases and security
• Can create contention between security and Dev teams
• Pivoting can be hard for non-agile teams
Lessons Learned
• You can actually move too fast
• The more automation and APIs you provide developers, the better they respond.
• Having a central source of recon data is critical to finding targets
• Hard to switch context from attacker to helper
Security Defects
• Defect vs Vulnerability
• Security people suck at speaking developer
• Understanding your audience (Developers) is critical
• Clearly explaining the issue with a PoC is a teaching opportunity
Reporting
• Defects go directly into a Dev team's backlog
• Graded (A - F)
• Dev Team decides priority of defect
• Reported all the way up
• First thing in the defect ticket is remediation guidance
• Includes checks for validating remediation for Dev Teams
From -> To: Open JMX and Web Console

From (scroll down at least 198 pages in a 200 page PDF):
Solution:
Secure or remove access to the JMX and/or Web Console using the advanced installer options.

To:
Remediation Required:
Remove access to the jmx-console and web-console from JBoss by:
  In JBOSS_HOME/common/deploy remove: jmx-console.war
  In JBOSS_HOME/server/<node>/deploy remove: jmx-console-activator-jboss-beans.xml
Remove the JBoss Web Services console:
  In JBOSS_HOME/common/deploy remove: jbossws-console.war
  In JBOSS_HOME/server/<node>/deploy remove: jbossws-console.war, jbossws-console-activator-jboss-beans.xml
If the consoles are needed, ensure access to the JBoss JMX Console (/jmx-console and /web-console) is restricted to a small number of internal IP addresses to prevent unauthorized access.
Implement a strong JMX console admin password.
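The slide says each defect ticket ships with checks the Dev team can use to validate remediation. This added example, not from the talk or the DevSecOps project, is such a check for the JBoss console defect above: it walks the JBOSS_HOME layout the guidance names (common/deploy and every server/<node>/deploy), lists any console artifact still deployed, and returns non-zero until they are all gone; the sample tree it builds is constructed, not a real install.

```shell
# Added example: remediation-validation check for the JBoss console defect.
# Assumes the JBOSS_HOME layout named in the guidance; node names are discovered.
# Must be absent from $JBOSS_HOME/common/deploy
COMMON_ARTIFACTS="jmx-console.war jbossws-console.war"
# Must be absent from every $JBOSS_HOME/server/<node>/deploy
NODE_ARTIFACTS="jmx-console-activator-jboss-beans.xml jbossws-console.war jbossws-console-activator-jboss-beans.xml"
# jboss_console_leftovers JBOSS_HOME
# Prints each console artifact still deployed, one per line.
# Returns 0 when the remediation is complete, 1 when anything remains.
jboss_console_leftovers() {
    home=$1
    found=0
    for a in $COMMON_ARTIFACTS; do
        if [ -e "$home/common/deploy/$a" ]; then
            echo "common/deploy/$a"
            found=1
        fi
    done
    for node in "$home"/server/*/; do
        [ -d "$node" ] || continue
        n=$(basename "$node")
        for a in $NODE_ARTIFACTS; do
            if [ -e "$node/deploy/$a" ]; then
                echo "server/$n/deploy/$a"
                found=1
            fi
        done
    done
    return $found
}
# remove_jboss_consoles JBOSS_HOME
# Applies the "To" guidance: delete the artifacts from every deploy dir.
remove_jboss_consoles() {
    home=$1
    for a in $COMMON_ARTIFACTS; do rm -rf "$home/common/deploy/$a"; done
    for node in "$home"/server/*/; do
        [ -d "$node" ] || continue
        for a in $NODE_ARTIFACTS; do rm -rf "$node/deploy/$a"; done
    done
}
# Constructed sample JBOSS_HOME (not a real install) so the check runs offline.
make_sample_jboss_home() {
    d=$(mktemp -d)
    mkdir -p "$d/common/deploy/jmx-console.war" "$d/server/default/deploy" "$d/server/node2/deploy"
    touch "$d/server/default/deploy/jmx-console-activator-jboss-beans.xml"
    touch "$d/server/node2/deploy/jbossws-console.war"
    echo "$d"
}
```

Run `jboss_console_leftovers "$JBOSS_HOME"` from the ticket's validation step; an empty listing and a zero exit mean the consoles are gone.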
How We're Making it Better
• Feedback is a gift!
• Show our upcoming targets the week before
• Automated attacking of the low hanging fruit
• More transparency
• Metrics, Metrics and more Metrics
• Helping our vendors with better remediation guidelines
But Does it Blend?
• We see a lot of data come across the wire
• How do you find the needle in the haystack?
• Attackers and attacks are constantly evolving
• It takes more than just a Red Team, it takes a DevSecOps team
(Image source: https://www.flickr.com/photos/ciuu96/)
Security Defect Funnel
(Figure: Copyright © DevSecOps Foundation 2015-2016)
Current State
• Focusing on automating security testing into CICD
• Using Jenkins as our C&C for Red Team and Security Testing activities
• Scanning and attacking Kubernetes and Docker containers
• Getting shells before the attackers through application exploit development
Get Involved & Join the Community
• devsecops.org
• @iallison on Twitter
• DevSecOps Group on LinkedIn
• DevSecOps on Github
Huge shout out to Shannon Lietz, A.K.A. @devsecops