Forgot your password?
typodupeerror
Security IT

How Red Teams Hack Your Site To Save It 58

Posted by samzenpus
from the we-had-to-destroy-the-village-in-order-to-save-it dept.
Nerval's Lobster writes "The use of a Red Team and penetration testing can strengthen an organization's security posture. But how does a Red Team member actually think like an attacker, and use that mindset to exploit security vulnerabilities? Gillis Jones works for WhiteHat Security, where his job rests within the TRC (Threat Research Center). It's here that he performs hands-on site assessments, which involve manually confirming all the issues reported by an automatic scan of a particular Website or application. His job includes checking the application's POST and GET requests for reflection of any inputs. He also checks for Cross-Site Scripting (XSS), which includes stored, reflected, and DOM XSS vulnerabilities. Those checks let him determine the Website’s basic security posture. If user input isn’t encoded or sanitized, that’s a good indicator of other problems. And if that’s the case, then Jones (or someone like him) will move on to checking for SQL Injection (SQLi) vulnerabilities and other issues."
This discussion has been archived. No new comments can be posted.

How Red Teams Hack Your Site To Save It

Comments Filter:
  • by InvisibleClergy (1430277) on Monday November 12, 2012 @01:48PM (#41958213)

    ...frequently, corporations will hire security experts to see how easy it is to penetrate the building's security. Usually, a combination of people holding doors open and looking like a utility worker will get people in. This is just the version of that for the future, using technology.

    • by Anonymous Coward

      ...frequently, corporations will hire security experts to see how easy it is to penetrate the building's security. Usually, a combination of people holding doors open and looking like a utility worker will get people in. This is just the version of that for the future, using technology.

      Where by "the future", you mean the past decade?

    • by Giant Electronic Bra (1229876) on Monday November 12, 2012 @02:04PM (#41958401)

      Eh, I've taught security. I would dispute the "frequently" part of that, but of course pen testing and other forms of evaluation have been going on for years. The interesting part is how you do it. Most organizations could afford to learn a LOT about this subject...

    • by Synerg1y (2169962)

      What? lol... Penetration testing has been around forever, so has social engineering.

      Over the course of the discussion, it became clear that Jones sees the actual process of pentesting as a somewhat repetitive task

      Nor is this guy doing anything innovative. He set up a toolkit for testing various vulnerabilities and runs it against consumer configurations.

  • by Revotron (1115029) on Monday November 12, 2012 @01:53PM (#41958269)
    From Wikipedia:

    A red team is an independent group that seeks to challenge an organization in order to improve effectiveness.

    • by interkin3tic (1469267) on Monday November 12, 2012 @02:08PM (#41958443)
      All this time, I thought the Red team was our enemy... they were really just trying to help us keep the flag more secure? Now I feel bad about killing them, t-bagging them, and calling them racist names.
    • by Kergan (780543)

      From Wikipedia:

      A red team is an independent group that seeks to challenge an organization in order to improve effectiveness.

      Does that make them communists?

    • by Synerg1y (2169962)

      How is this different from a white hat?

  • by SecurityTheatre (2427858) on Monday November 12, 2012 @02:05PM (#41958409)

    With all due respect, WhiteHat Security is the Denny's of web application testing shops.

    Sure, they're one step above TrustWave (who are just "checklist compliance" shills and would qualify as the McDonalds of testing), but it's hardly what many places would call a proper "red team" approach.

    The run automated tools and do a basic level of validation against those tools. The problem is that with web applications, the automated tools only get about 40% of issues and have a 50% false positive rate (or higher) in my experience. Their tools are pretty fancy compared even to the commercial scanning bits, but they aren't perfect.

    There are plenty of boutique shops (and even some larger ones) that do more in-depth testing with more experienced testers. I'm not claiming that Mr Jones here isn't experienced, but more pointing out the general trend within some of the testing shops like WhiteHat.

    • Having been through a TrustWave audit, I have to agree.

      Although the TrustWave person did manage to crack the systems using publicly available exploits and such. It was very much a "checklist compliance" process.

      Management, as always, will take the advice of someone they just paid thousands of dollars when the exact same advice from the techs has been denied over and over.

    • by Zapotek (1032314) <{tasos.laskos} {at} {gmail.com}> on Monday November 12, 2012 @03:04PM (#41959017) Homepage
      It's really simple:
      • Automated tools are here to pick the low handing fruit;
      • You should always validate their findings manually;
      • You should, if you can afford it, hire someone who knows what he's doing to do a proper pen test.

      Also, 50% false positive rate is useless and surprisingly bad, what sort of tools have you used?

      As you can see from my sig I'm a dev of such a web app sec scanner and I'd really, really like to stress the first point I've made. If someone tries to sell you something that will make you completely secure you can tell them to their face: I'm sorry sir/madam, I'm not an idiot.

      Use them to make your life easier while you do a manual check, integrate them into your SDLC (or just into your test suite) but do not trust them blindly; that's not how they're designed to be used.

      Web scanners are seriously complicated systems and require a successful combination of a multitude of CS principles to in order to just be able to even finish their task, never mind returning useful results. Yes, we're making progress in analysis techniques and performance improvements and coverage but you'll never beat a human; on the other hand a human won't be able to inspect 200k pages either so just use some common sense and balance your expectations.

      • by fluffy99 (870997)

        Also, 50% false positive rate is useless and surprisingly bad, what sort of tools have you used?

        Try running eEye Retina against a Redhat box. At least half of the findings are because Retina is simply checking version numbers and doesn't understand that Redhat backports fixes. There are also a bunch of false positive findings for Microsoft products, where for example it doesn't differentiate between XP 32-bit and 64-bit (64-bit settings should follow the 2003 guidelines).

        Unfortunately, management often puts too much stock in these automated tools, either insisting the site be fixed to remove non-is

        • by Zapotek (1032314)

          Also, 50% false positive rate is useless and surprisingly bad, what sort of tools have you used?

          Try running eEye Retina against a Redhat box. At least half of the findings are because Retina is simply checking version numbers and doesn't understand that Redhat backports fixes. There are also a bunch of false positive findings for Microsoft products, where for example it doesn't differentiate between XP 32-bit and 64-bit (64-bit settings should follow the 2003 guidelines).

          Ah OK, I feel the need to point out that webappsec scanners and these sort of service fingerprinters are, operationally, completely different systems. Their designs may be similarly modular and web scanners may include some tests that rely on fingerprinting known vulnerable web apps or backdoor shells but the ones like mine and WhiteHat's Sentinel are focused more on fuzzing/injecting inputs.

          Paradoxically, this is harder to get right but on the other hand the responses you get can give you enough data to

    • by Crambone (16799)

      [For the purpose of full disclosure here, I work for Trustwave. I am also the head of their SpiderLabs organization.]

      I think you may have your security and compliance testing paradigms very much confused. Let me help explain these a bit.

      Trustwave is a Qualified Security Assessor (QSA) for the Payment Card Industry Security Standard Council (PCI SSC) and is authorized to perform security assessments for merchants and service providers against the Payment Card Industry Data Security Standard (PCI DSS). As a Q

  • by Anonymous Coward

    There's a nice little article over at the 360 Security blog on how penetration testing is a valuable exercise AND how sometimes penetration testing fails to improve security outcomes. It should not come as too much of a surprise to know that its one of those things where "you get out what you put in".
    Disclosure: I do red-team penetration testing for a living, and rarely have I seen anyone squeeze full value out of the exercise without a lot of coaching and encouragement!

    http://360is.blogspot.co.uk/2012/05/3

  • This was already posted here [slashdot.org].
    • by Megane (129182)
      It's a Nerval's Lobster post. It's apparently his purpose in life to cross-post SlashBI crap over here to the real Slashdot. If you checked the firehose [slashdot.org] regularly, you would be familiar with his submissions. About one in ten of his submissions actually get posted, which shows you just how relevant SlashBI is to the world of "News for Nerds".
  • Joke's on you, my website backend is all in XML! /duck

  • Every product, website, and idea should be tested against its opposition. If you own it, it helps you to test it against the opposition using fake opposition before you release it to the public.

    This is why the military has war games and big buildings have fire drills.

    However, one thing you find is that penetration testing from outside is not enough. Some of the worst enemies turn out to be within: either helpful employees who aid the bad guys, or people who panic and respond badly. Even worse are the malici

    • Any vendor who accepts a substantial number of credit card transactions is required to meet PCI-DSS standards which requires internal and external vulnerability assessments quarterly, as well as annual penetration testing exercises.

      It's not perfect, because the requirements are a bit odd in some areas, but it's a good start down that road.

  • I've been a pen tester, and what this guy is doing is not pen testing - it's vetting out false-positives a tool is telling him. As good as tools are, they'll never reveal vulnerabilities that may lead to the overall compromise of an environment. Things like business process flaws (like being able to manually modify prices or submit negative values during balance transfers), blind SQL injection (tools are worthless for those), parameter tampering (like changing an ID showing stuff that isn't yours) and param
  • Red team? (Score:2, Funny)

    by LoRdTAW (99712)

    I was under the impression Blue team was always trying to hack or destroy someone, usually Red team. Or is this supposed "Red" team really just Blue team with a red mask on? Someone needs to start spy checking.

    • by shentino (1139071)

      Actually the Red team mixes tactics of both White and Black hats, while the Blue team picks its tricks up in the field from real enemies.

  • This type of black-box penetration-test is pretty worthless in practice. Sure, you can patch some vulnerabilities afterwards, but these tests aim to get in fast, not to explore the whole attack surface. That takes way too much time and effort. Also, all you can really find with this type of test are beginners-mistakes. Sure, they are vulnerabilities too, but if you are vulnerable because of beginners mistakes, than you have a far deeper problem.

    What is needed instead is a careful white-box analysis of the s

  • A company I used to work for 10-15 years ago took the approach of reward based incentives towards security. It was widely publicised that the Red Team existed and their job was to try to break the organisations security and too see what weaknesses existed, Conversely anyone that caught a member of the Red Team attempting to hack their machine, bypass security protocols, social engineer security information or any such other violation of security protocols and then reported that violation would receive prize

One small step for man, one giant stumble for mankind.

Working...