
Professionalizing Penetration Tests CORE SECURITY TECHNOLOGIES © 2002 Professionalizing Penetration Testing



What will we discuss today?

Agenda
The Penetration Test
– What is it?
– How is it done?
Problems in the current practice
– Why do we need an improved approach?
Practical demonstration


What is a Penetration Test?

Rationale: “Improving the security of your site by breaking into it”
Dan Farmer & Wietse Venema, 1993
http://www.fish.com/security/admin-guide-to-cracking.html

A plausible definition: A localized and time-constrained attempt to breach the information security architecture using an attacker’s techniques


What are the goals of a Penetration Test?

Goals
To improve Information Security awareness
To assess risk
To mitigate risk immediately
To reinforce the Information Security process
To assist in decision making processes
To test the accuracy of the security policy in place


What are the final results?

Final Results
Clear description of scope and methodology
Reproducible and accountable process
High-level analysis and explanation (for upper/non-technical management)
General recommendations and conclusions
Detailed findings


Why do we care?

Growing Importance
Penetration tests have become an integral part of the standard security process
Governments are beginning to mandate periodic tests for certain agencies
Demand is rapidly increasing, and the process needs to be able to keep up


How are Penetration Tests done today?

Penetration Test Stages
Information Gathering
Information Analysis and Planning
Vulnerability Detection
Penetration
Attack/Privilege Escalation
Analysis and Reporting
Clean-up

[Diagram: Penetration Test Stages]


What works well today, and what does not?

Penetration Test Stages
Information Gathering
Information Analysis and Planning
Vulnerability Detection
Penetration
Attack/Privilege Escalation
Analysis and Reporting
Clean-up

[Diagram: Penetration Test Stages]


What are the problems today?

Problems with ‘Information Analysis and Planning’ Stage
Difficult and time consuming task of consolidating all information gathered and extracting high-level conclusions to help define the attack strategy
Hard to keep an up to date general overview of the components and their interaction
No specific tools aimed at addressing this phase
Experienced and knowledgeable resources required for this stage; the overall time constraint could limit the extent of their work


What are the problems today? (cont.)

Problems with ‘Penetration’ Stage
Some tools available, but generally require customization and testing
Publicly available exploits are generally unreliable and require customization and testing
In-house developed exploits are generally aimed at specific tasks or engagements (mostly due to time constraints)
Knowledge and specialization required for exploit and tool development
Considerable lab infrastructure required for successful research, development and testing (platforms, OS flavors, OS versions, applications, networking equipment, etc.)


What are the problems today? (cont.)

Problems with ‘Attack/Privilege Escalation’ Stage
Some tools and exploits available, but usually require customization and testing (local host exploits, backdoors, sniffers, etc.)
Monotonous and time consuming task: setting up the new “acquired” vantage point (installing software and tools, compiling for the new platforms, taking into account configuration specific details, etc.)
Considerable lab infrastructure required for research, development, customization and testing
Lack of a security architecture for the Penetration Test itself


What are the problems today? (cont.)

Problems with ‘Analysis and Reporting’ Stage
Manually gathering and consolidating all the log information from all phases is time consuming, boring and prone to error
Logging of actions is left up to the team members, which does not ensure compliance
Organizing the information in a format suitable for analysis and extraction of high level conclusions and recommendations is not trivial
Writing of final reports is often considered the boring leftovers of the Penetration Test; security expertise and experience is required to ensure quality, but such resources could be better assigned to more promising endeavors
No specialized tools dedicated to cover these issues


What are the problems today? (cont.)

Problems with ‘Clean Up’ Stage
Requires a detailed and exact list of all actions performed, but logging of actions is still manual
Clean up of compromised hosts must be done securely and without affecting normal operations (if possible)
The clean up process should be verifiable and non-repudiable; the current practice does not address this problem
Clean up often left as a backup restore job for the Penetration Test customer, affecting normal operations and IT resources
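Two of the problems raised on the Analysis and Reporting and Clean Up slides, action logging left to individual team members and a clean-up process that is neither verifiable nor non-repudiable, can be addressed with a tamper-evident action log. The following is an added example written for this page, not code from the deck or from CORE IMPACT; the engagement key, host names and artifact names are constructed placeholders.

```python
import hashlib
import hmac
import json
import time

# Engagement key: a constructed placeholder. In practice it is issued per
# engagement and held by the test lead, not by the individual tester.
ENGAGEMENT_KEY = b"constructed-demo-key-not-for-real-use"


class ActionLog:
    """Hash-chained, keyed action log. Each tester action (stage, host, action,
    artifact) is appended with an HMAC that also covers the previous entry's
    MAC, so an entry cannot be edited, reordered or dropped unnoticed."""

    def __init__(self, key=ENGAGEMENT_KEY):
        self.key = key
        self.entries = []
        self.prev = "0" * 64  # genesis link for the first entry

    def record(self, stage, host, action, artifact, ts=None):
        body = {"ts": time.time() if ts is None else ts, "stage": stage,
                "host": host, "action": action, "artifact": artifact,
                "prev": self.prev}
        msg = json.dumps(body, sort_keys=True).encode()
        body["mac"] = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        self.entries.append(body)
        self.prev = body["mac"]
        return body["mac"]

    def verify(self):
        """Recompute the whole chain; return the index of the first entry that
        fails (edited, or preceded by a removed entry), or -1 if all are intact."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "mac"}
            msg = json.dumps(body, sort_keys=True).encode()
            expected = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
            if body["prev"] != prev or not hmac.compare_digest(expected, e["mac"]):
                return i
            prev = e["mac"]
        return -1

    def outstanding(self):
        """Artifacts placed during the test with no matching removal: the list
        the clean-up stage must work through before the engagement is signed off."""
        placed = {(e["host"], e["artifact"]) for e in self.entries if e["action"] == "install"}
        removed = {(e["host"], e["artifact"]) for e in self.entries if e["action"] == "remove"}
        return sorted(placed - removed)
```

`verify()` gives the customer an independent check that the delivered log is complete, and `outstanding()` turns that same log into the clean-up checklist instead of leaving it to a backup restore.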


So what does all that mean?

Inefficient due to reliance on disparate software packages and manual performance of tedious tasks

Informal and non-standardized

Difficult for companies to define and enforce their own methodology

Inconsistent in execution

Error-prone and sometimes NOT secure due to manual logging and clean-up

Difficult to centralize and share experience/knowledge across the firm

Expensive due to a steep learning curve and labor-intensiveness

Not very scalable

New tools are needed to improve the process


One possible solution to these problems: CORE IMPACT

CORE IMPACT
Provides a framework for Penetration Testing
Increases productivity
Builds knowledge and security expertise
Provides an open and extensible architecture
Brings the practice to a new quality standard


How does CORE IMPACT work?

The Model:
– Simplifies and abstracts all the components of the system and their relations
– Provides a foundation on which to build
– Provides a common language

Agents - “The pivoting point” or “the vantage point”
– The context in which Modules are run
– Installable on any host
– Secure
– Remotely control other Agents
– Easy clean up

Modules - “Any executable task”
– Information gathering, attacks, reporting, scripting of other Modules
– Simple and easy to extend
– Have access to every tool together, under the same framework


What are the benefits?

Provides a framework that encompasses all the Penetration Testing phases
– Enables customers to define and standardize their own methodology
– Enforces the following of their methodology and ensures quality

Drastically reduces time required to perform a Penetration Test
– Agent/Module architecture simplifies target penetration and privilege escalation
– Automates monotonous and time-consuming tasks
– Frees valuable resources to focus on the most important and difficult phases

Improves the security of the Penetration Testing practice
– Reduces errors, particularly in the clean-up stage
– Strong authentication and encryption between console and Agents

Enables knowledge acquisition and shared learning
– Entity Database consolidates all work done for future reference and use

Makes the Penetration Testing practice more professional and scalable


IMPACT DEMO

[Diagram: demo network layout showing the Pen Tester Console, INTERNET, DMZ and Back Office Network]


CONTACT INFORMATION

44 Wall Street
New York, NY 10005
USA
Tel: (212) 461-2345
Fax: (212) [email protected]

Jeffrey Cassidy
Director of Business Development, [email protected]