How Red Teams Hack Your Site To Save It
Nerval's Lobster writes "The use of a Red Team and penetration testing can strengthen an organization's security posture. But how does a Red Team member actually think like an attacker, and use that mindset to exploit security vulnerabilities? Gillis Jones works for WhiteHat Security, where his job rests within the TRC (Threat Research Center). It's here that he performs hands-on site assessments, which involve manually confirming all the issues reported by an automatic scan of a particular Website or application. His job includes checking the application's POST and GET requests for reflection of any inputs. He also checks for Cross-Site Scripting (XSS), which includes stored, reflected, and DOM XSS vulnerabilities. Those checks let him determine the Website’s basic security posture. If user input isn’t encoded or sanitized, that’s a good indicator of other problems. And if that’s the case, then Jones (or someone like him) will move on to checking for SQL Injection (SQLi) vulnerabilities and other issues."
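The reflection check the summary describes, shown as an added example that is not code from the article or from WhiteHat Security: two constructed request handlers (one echoing a GET parameter unencoded, one HTML-encoding it) and a check that classifies how a marker value comes back.

```python
import html
from urllib.parse import parse_qs, urlencode

# Added example, not from the article: a reflected-input check of the kind the
# summary describes, run against two constructed handlers (hypothetical names).

# Constructed marker containing the HTML metacharacters an encoder must neutralise.
CANARY = "rt9x<\"'>canary"


def vulnerable_search(query_string: str) -> str:
    """Echoes the 'q' parameter into HTML without encoding (the weak form)."""
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<p>Results for: {q}</p>"


def hardened_search(query_string: str) -> str:
    """Same page, but the parameter is HTML-encoded before it is reflected."""
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<p>Results for: {html.escape(q, quote=True)}</p>"


def reflection_check(handler) -> dict:
    """Send the canary as a GET parameter and classify the reflection.

    'raw'     -> metacharacters came back unencoded (reflected XSS indicator)
    'encoded' -> value is present but escaped (handler encodes output)
    'none'    -> the input is not reflected at all
    """
    body = handler(urlencode({"q": CANARY}))
    if CANARY in body:
        return {"reflected": True, "encoded": False, "verdict": "raw"}
    if html.escape(CANARY, quote=True) in body:
        return {"reflected": True, "encoded": True, "verdict": "encoded"}
    return {"reflected": False, "encoded": False, "verdict": "none"}


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_search), ("hardened", hardened_search)):
        print(name, reflection_check(handler)["verdict"])
```

A 'raw' verdict is what moves a manual assessment on to the deeper XSS and injection checks; 'encoded' is the baseline a fix should produce.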
This is actually common in corporations... (Score:4, Informative)
...frequently, corporations will hire security experts to see how easy it is to penetrate the building's security. Usually, a combination of people holding doors open and looking like a utility worker will get people in. This is just the version of that for the future, using technology.
Re: (Score:1)
...frequently, corporations will hire security experts to see how easy it is to penetrate the building's security. Usually, a combination of people holding doors open and looking like a utility worker will get people in. This is just the version of that for the future, using technology.
Where by "the future", you mean the past decade?
Re:This is actually common in corporations... (Score:4, Insightful)
Eh, I've taught security. I would dispute the "frequently" part of that, but of course pen testing and other forms of evaluation have been going on for years. The interesting part is how you do it. Most organizations could afford to learn a LOT about this subject...
Re: (Score:3)
What? lol... Penetration testing has been around forever, so has social engineering.
Over the course of the discussion, it became clear that Jones sees the actual process of pentesting as a somewhat repetitive task
Nor is this guy doing anything innovative. He set up a toolkit for testing various vulnerabilities and runs it against consumer configurations.
Re:This is actually common in corporations... (Score:4, Funny)
Re: (Score:2)
This is /. What would we know about penetration?
Well, Microsoft shills still somehow manage to get accounts.
Re: (Score:1)
What, no mod flag for "whoosh" factor?!
For Those Left Wondering... (Score:5, Informative)
A red team is an independent group that seeks to challenge an organization in order to improve effectiveness.
I'm confused... (Score:2)
I'm confused... are we at war with Eurasia today?
Red is the new blue (Score:2)
.. enough said ..
Re: (Score:2)
From Wikipedia:
A red team is an independent group that seeks to challenge an organization in order to improve effectiveness.
Does that make them communists?
Re: (Score:2)
How is this different from a white hat?
Re: (Score:2)
AFAIK the term is derived from the Dungeons and Dragons roleplaying game.
In the Dragonlance series of books, the various classes of mage were dressed differently depending on their nature. Good=white, neutral=red, black=evil.
Re: (Score:2)
AFAIK the term is derived from the Dungeons and Dragons roleplaying game.
In the Dragonlance series of books, the various classes of mage were dressed differently depending on their nature. Good=white, neutral=red, black=evil.
I think that's wishful thinking. It arises from blue-team (us, i.e., the good guys) vs. red-team (us pretending to be them, i.e., the bad guys) military exercises. In other words, a red team is a bunch of good guys pretending to be bad guys against whom the blue team can practice.
Re: (Score:2)
"whitehat" hackers
"redhat" linux
"blackhat" convention
In regards to the summary, yes, a red team comes from the red team / blue team system.
I was not addressing the submitter, however; in fact, my response was a reply to
http://slashdot.org/comments.pl?sid=3247105&cid=41958715
who expressed curiosity as to the origin of the term "white hat".
Thank you, and have a lovely day.
Re: (Score:2)
Interestingly enough the redhats use tactics of both blackhats and whitehats.
There also seems to be a new bluehat type that learns its tricks through experience, from being subject to actual hostile attacks.
WhiteHat Security.... McDonalds (Score:5, Interesting)
With all due respect, WhiteHat Security is the Denny's of web application testing shops.
Sure, they're one step above TrustWave (who are just "checklist compliance" shills and would qualify as the McDonalds of testing), but it's hardly what many places would call a proper "red team" approach.
They run automated tools and do a basic level of validation against those tools. The problem is that with web applications, the automated tools only get about 40% of issues and have a 50% false positive rate (or higher) in my experience. Their tools are pretty fancy compared even to the commercial scanning bits, but they aren't perfect.
There are plenty of boutique shops (and even some larger ones) that do more in-depth testing with more experienced testers. I'm not claiming that Mr Jones here isn't experienced, but more pointing out the general trend within some of the testing shops like WhiteHat.
Mod parent up. (Score:3)
Having been through a TrustWave audit, I have to agree.
Although the TrustWave person did manage to crack the systems using publicly available exploits and such. It was very much a "checklist compliance" process.
Management, as always, will take the advice of someone they just paid thousands of dollars when the exact same advice from the techs has been denied over and over.
Re:WhiteHat Security.... McDonalds (Score:5, Interesting)
Also, 50% false positive rate is useless and surprisingly bad, what sort of tools have you used?
As you can see from my sig I'm a dev of such a web app sec scanner and I'd really, really like to stress the first point I've made. If someone tries to sell you something that will make you completely secure you can tell them to their face: I'm sorry sir/madam, I'm not an idiot.
Use them to make your life easier while you do a manual check, integrate them into your SDLC (or just into your test suite) but do not trust them blindly; that's not how they're designed to be used.
Web scanners are seriously complicated systems and require a successful combination of a multitude of CS principles in order to even finish their task, never mind returning useful results. Yes, we're making progress in analysis techniques and performance improvements and coverage, but you'll never beat a human; on the other hand, a human won't be able to inspect 200k pages either, so just use some common sense and balance your expectations.
Re: (Score:2)
Also, 50% false positive rate is useless and surprisingly bad, what sort of tools have you used?
Try running eEye Retina against a Redhat box. At least half of the findings are because Retina is simply checking version numbers and doesn't understand that Redhat backports fixes. There are also a bunch of false positive findings for Microsoft products, where for example it doesn't differentiate between XP 32-bit and 64-bit (64-bit settings should follow the 2003 guidelines).
Unfortunately, management often puts too much stock in these automated tools, either insisting the site be fixed to remove non-is
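The backport false positive described above, as an added example that is not from the thread or from any scanner vendor: a version-only check in the style the comment attributes to Retina beside a check that also consults the package changelog, run against a constructed package record (all names, versions and the advisory id are placeholders).

```python
import re

# Added example: why a version-only check reports a backported fix as missing,
# and how the package changelog can confirm the fix. All data is constructed.

CONSTRUCTED_ADVISORY = {
    "id": "CVE-XXXX-XXXX",          # placeholder, not a real identifier
    "package": "examplehttpd",
    "fixed_upstream": (2, 4, 10),   # upstream version that first carries the fix
}

# Constructed package record in the style of `rpm -q` and `rpm -q --changelog`.
CONSTRUCTED_RPM = {
    "name": "examplehttpd",
    "version": "2.4.6",
    "release": "17.el7",
    "changelog": [
        "* Tue Jan 01 2013 Maintainer <m@example.invalid> - 2.4.6-17",
        "- Resolves: CVE-XXXX-XXXX, backport of the upstream 2.4.10 fix",
        "* Mon Dec 03 2012 Maintainer <m@example.invalid> - 2.4.6-16",
        "- rebuild",
    ],
}


def parse_version(ver: str) -> tuple:
    """'2.4.6' -> (2, 4, 6) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in ver.split("."))


def naive_version_check(rpm: dict, advisory: dict) -> bool:
    """Version-string check: vulnerable if version < upstream fixed version.

    On a distribution that backports fixes this is the false positive in the
    comment above: the version never changes even though the fix is applied.
    """
    return parse_version(rpm["version"]) < advisory["fixed_upstream"]


def backport_aware_check(rpm: dict, advisory: dict) -> bool:
    """Same check, but a changelog entry naming the advisory counts as fixed."""
    if not naive_version_check(rpm, advisory):
        return False
    pattern = re.compile(re.escape(advisory["id"]), re.IGNORECASE)
    return not any(pattern.search(line) for line in rpm["changelog"])


if __name__ == "__main__":
    print("version-only:", naive_version_check(CONSTRUCTED_RPM, CONSTRUCTED_ADVISORY))
    print("backport-aware:", backport_aware_check(CONSTRUCTED_RPM, CONSTRUCTED_ADVISORY))
```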
Re: (Score:2)
Also, 50% false positive rate is useless and surprisingly bad, what sort of tools have you used?
Try running eEye Retina against a Redhat box. At least half of the findings are because Retina is simply checking version numbers and doesn't understand that Redhat backports fixes. There are also a bunch of false positive findings for Microsoft products, where for example it doesn't differentiate between XP 32-bit and 64-bit (64-bit settings should follow the 2003 guidelines).
Ah OK, I feel the need to point out that webappsec scanners and these sorts of service fingerprinters are, operationally, completely different systems. Their designs may be similarly modular, and web scanners may include some tests that rely on fingerprinting known vulnerable web apps or backdoor shells, but the ones like mine and WhiteHat's Sentinel are focused more on fuzzing/injecting inputs.
Paradoxically, this is harder to get right but on the other hand the responses you get can give you enough data to
Re: (Score:1)
[For the purpose of full disclosure here, I work for Trustwave. I am also the head of their SpiderLabs organization.]
I think you may have your security and compliance testing paradigms very much confused. Let me help explain these a bit.
Trustwave is a Qualified Security Assessor (QSA) for the Payment Card Industry Security Standard Council (PCI SSC) and is authorized to perform security assessments for merchants and service providers against the Payment Card Industry Data Security Standard (PCI DSS). As a Q
Penetration Testing how to get the most out of it! (Score:2, Interesting)
There's a nice little article over at the 360 Security blog on how penetration testing is a valuable exercise AND how sometimes penetration testing fails to improve security outcomes. It should not come as too much of a surprise to know that it's one of those things where "you get out what you put in".
Disclosure: I do red-team penetration testing for a living, and rarely have I seen anyone squeeze full value out of the exercise without a lot of coaching and encouragement!
http://360is.blogspot.co.uk/2012/05/3
Re: (Score:1)
It's from the military side of cyberspace:
http://www.networkworld.com/news/2008/042508-red-team-blue-team-how.html
SQL injection vulnerabilities? (Score:1)
Joke's on you, my website backend is all in XML! /duck
Some of the worst enemies are within (Score:2)
Every product, website, and idea should be tested against its opposition. If you own it, it helps you to test it against the opposition using fake opposition before you release it to the public.
This is why the military has war games and big buildings have fire drills.
However, one thing you find is that penetration testing from outside is not enough. Some of the worst enemies turn out to be within: either helpful employees who aid the bad guys, or people who panic and respond badly. Even worse are the malici
Re: (Score:2)
Any vendor who accepts a substantial number of credit card transactions is required to meet PCI-DSS standards which requires internal and external vulnerability assessments quarterly, as well as annual penetration testing exercises.
It's not perfect, because the requirements are a bit odd in some areas, but it's a good start down that road.
Red team? (Score:2, Funny)
I was under the impression Blue team was always trying to hack or destroy someone, usually Red team. Or is this supposed "Red" team really just Blue team with a red mask on? Someone needs to start spy checking.
Re: (Score:2)
Actually the Red team mixes tactics of both White and Black hats, while the Blue team picks its tricks up in the field from real enemies.
Basically worthless (Score:2)
This type of black-box penetration test is pretty worthless in practice. Sure, you can patch some vulnerabilities afterwards, but these tests aim to get in fast, not to explore the whole attack surface. That takes way too much time and effort. Also, all you can really find with this type of test are beginners' mistakes. Sure, they are vulnerabilities too, but if you are vulnerable because of beginners' mistakes, then you have a far deeper problem.
What is needed instead is a careful white-box analysis of the s
Re: (Score:2)
I am not thinking in 100% security, but admittedly quite a bit more than a web-shop or the like needs. I should also say that my statement is for custom software. While I have done some penetration-testing and supervised more, what really helped to find out where matters stand is code review. And yes, on advice of our team (and others of course, we do not have that much clout) at least one pretty expensive project was scrapped, because it had zero chance of getting where it needed to get security-wise. The m