
Red Teaming your Risk Management Framework

BSides Philly · 2017 · 45:21 · Published 2017-08
Tags: Team: Red · Style: Talk
About this talk
While most red team talks focus on the tools and tactics, this talk will take a compliance slant. Focusing on the NIST 800-53A revision 4 assessment framework, we will explain how the government defines red team testing. Afterwards, we will walk through all of the controls in the NIST risk management framework that are met using red team exercises. This can be used by CISO/CIO personnel to justify red team exercises, or by sales people to better focus their efforts from a technical approach to a compliance approach.

Keith Pachulski, Security Officer for Health Network Laboratories (HNL) and Security Consultant. Keith has over 23 years of experience in the physical and information security realms. He is currently responsible for the development and management of the information security program at HNL. Previously he was responsible for the management and performance of on-site red team tests for Dell SecureWorks. Additionally he performed physical and electronic penetration tests, web application assessments and wireless assessments. Prior to that, he was a CSO overseeing the operations of 13 companies and created/managed a Managed Security Services program for a private sector company supporting clients internationally. He has extensive experience working in the Federal sector performing vulnerability assessments, penetration testing and compliance assessments. Keith Pachulski @sec0ps
Transcript [en]

Yeah, I guess I'll start. I'm going to have to take this thing off because I can't stay in one spot. Hi, all. All right, so most of my talks in the past have been largely physical; that's kind of my specialty, breaking, or was breaking, into buildings, so I kind of focused a lot of my talks on that. Outside of the physical perspective I did a lot of the technical talks. I kind of left the consulting field a little while ago and took a job as a CISO, so I'm not really doing the cool breaking-in stuff anymore, so I kind of want to switch my talks now to focus more on the compliance side and how to actually sell the red team type

testing to organizations, because when I was doing the consulting I didn't really feel there was a correct selling method, and the red teams weren't really being understood by a lot of security teams. So this talk actually started out as a fire talk at BSides Delaware on really short notice; there was a slot open, so I threw something together and a couple of people liked it, so we expanded it out into a 45-minute talk. There's actually like 50 slides, so it's going to be kind of interesting; I'm doing this really quickly. There's stuff about me, because everyone always asks, like, what's your background. I'm not going to go into it; this is me in a nutshell. So I've been

kind of on both sides of the security fence, both the IT side and the physical security side. A lot of SANS certifications, SEC training; I'm a certified bodyguard, jiu-jitsu instructor, teacher. So, yeah, I've been all over the field for the past 26 years, and that's what I do. Nothing I say here should reflect on my employer; I'm not mentioning who they are, but if you do some Google research and it really interests you, you can figure it out. Anyhow, because I can't stand still... There's a lot of text in the slides. I didn't write any of the text, and there's a reason for it: a lot of the text on the slides is pulled directly from NIST, because a

lot of the major control or risk management frameworks that are out there, like PCI, ISO, are all pulled essentially from NIST. If you look, the NIST controls are mapped directly into other risk management frameworks. There's also a lot of confusion on the NIST framework; it's very hard to decipher. So we're going to actually take common red team testing techniques and tactics and actually map them into NIST, just kind of to easier, better understand what those controls are, why they're important and how we have to actually do the testing to meet those specific controls. So there are actually three risk categories in this: there's low, moderate and high. Most commercial organizations, private organizations, will

never actually reach high unless you're dealing with, like, top secret or TS/SCI type data; high doesn't apply. Most commercial businesses are going to be at, like, moderate level, so most of the slides in here that I'm focusing on for testing controls are going to be at moderate. If you meet moderate, you obviously meet low. Most of the slides that are in here are going to be based off of child categories of the major families, so if I'm calling, like, CA-8, which is certification and accreditation number eight, it'll be like CA-2: if you meet CA-2 you obviously meet CA-8. If that doesn't make any sense, when we get to the slide ask me what it is and I'll

explain it better, because right now it probably doesn't make any sense if you've never seen this before. All right, so for the technical stuff, this is all the stuff that usually happens from, you know, a sales perspective during a pen test. It's common fare for everyone in here: we're testing, like, the web apps, we're testing network devices, we're testing wireless, we're doing OSINT, we're doing phishing, all the cool stuff they would like to do when we're breaking stuff, which is cool. But how do we map it into the red teams? And there's a lot of definitions on what a red team is. If you go to three different consulting companies that do red teams, they'll give you three

different definitions, down to, like, we're red teaming web apps; I especially love that one. This is NIST's definition. My definition of a red team is full scope: it's like we will do everything, we'll come on, we'll pick locks, we'll break doors, we'll own your systems internally, then go back outside and break it again. That's my view of what a red team is, but this isn't NIST's definition. I'm not going to read all the slides to you because it'll waste time and it's kind of dumb to read the slides, so if I go too fast, ask me to rewind and I'll pull it back. From a testing perspective, and again we're going to focus specifically on NIST, these

are the controls that are going to say a red team, or what type of testing, needs to be done. So the first two are: do you do security assessments? Okay, so if we do a red team this is the control we're going to meet, CA-2, certification and accreditation number two. Is it done by an independent assessor, which it should be? In-house red teams are fine, but there needs to be a third party to actually go and validate what testing was actually done and how the controls were actually implemented. Did you do a penetration test? I don't think they need to explain that one. Did you do a red team? Red teams in NIST actually aren't required unless you're doing a

high classification system; however, we can use the red team to actually validate a whole bunch of controls. So using a properly executed full-scope red team you're going to cross over about six different control families and like forty different controls, which we'll go through shortly. Again, a lot of it's very complex, very convoluted, so if something that I say doesn't make sense or the slide doesn't make sense, just raise your hand and I'll try to explain it. But again, there's a lot of data in here, so I'm going to try to blow through this very quickly without speaking too fast. I have a bad habit of doing it; I'm originally from New York City, so we speak fast by

nature. We also usually curse a lot; I've gotten better over the years at not dropping the f-bomb in every sentence, especially now that it's being recorded. I don't usually do this; I'll try not to curse. All right, so starting out with the first control, and I go sequentially, I don't go in order of preference; if I did I'd start with physical, but I'm trying to go from top to bottom as NIST defines it. So account management: if we pop a system and someone, like, makes an account, as pen testers do, you know, is there some kind of system in place that kind of automatically, without someone actually going onto a system and seeing who's logged on, is there some way that system

is going to alert somebody that someone's compromised a system? That sounds ridiculous, but what does it actually mean? I like Splunk, so if I'm hauling logs into Splunk, and Splunk, or whatever, actually says, hey, an account was created, is there an alert that's automatically generated based on that? I'll say a Windows notification that tells someone, hey, an account was generated. How we do it in the pen test: obviously if we pop something we create an account, and the circle starts. Non-privileged... ties back to, you know, AC-2: if I create an account and then I elevate privileges or assign myself to an admin account, is there a system in place that's going to detect that? Okay, again, tying back into any SIEM; I pick on Splunk

that's going to actually detect that activity. So when me as a pen tester pops your box, creates an account, adds myself to the admin group, is there some automated functionality that's going to detect that and alert on it and notify the appropriate persons? Admin accounts, I think a couple of other talks have mentioned this: if someone pops an admin account and starts doing things, is there some automated notification that those activities are being performed? If I'm logging into sixteen different systems within five minutes with an admin account, is there something, God, I hope so, that's going to notify that this admin account is doing that? If I start doing things like reading services on sixteen different

accounts within a five-minute window, is there something that's actually going to notify on that? And you're all tying this back to the things that the red teams do as common activities: do you go and, like, spray WMI, for example, the old smbexec across an entire domain, common to all of us, what we've all been using. Now, how is it going to tie into what we're going to test, how we're testing it? These are controls we're actually going to test; again, that's kind of the focus of this. It's not the other controls, but how we're actually going to test the individual controls. So when we want to actually sell a red team to

whatever company and they say, well, how can we justify this? This is what we're going to start breaking down here. I don't think I need to define this one: unsuccessful login attempts. So if I'm brute-forcing with, like, Hydra or Metasploit or whatever, is someone getting alerts that, you know, there's 5,000 failed login attempts, which, God, I hope you aren't generating as a pen tester, but it happens. Actions permitted without identification or authorization: if I'm starting to, like, force execution of commands and they're failing, common activities in pen tests, but is there some automated mechanism that's going to detect all those actions and notify the appropriate person? Remote access: if by some freak chance you're

running PEAP or WEP, because you'd be surprised how many places are still using it, and I get creds and then I start to VPN in, is there something that's going to monitor for VPN activities coming into the network? If I pop an admin account and I start a VPN in, is there something that's going to say, hey, this is bad activity, what's going on? Again, is there some kind of automated notification that's going to tell, you know, the network guys, security guys, whomever, that this is actually happening? What type of encryption is actually being used on the VPNs? Common stuff that we test for in every kind of red team effort, every pen test, but is there, again,

some automated mechanism in place that's going to say, hey, some bad guy is trying to, like, strip out SSL, he's trying to actually, like, degrade what type of encryption we're forcing on the VPNs? So in most VPN devices there is usually some type of configuration management going on, so if by some freak chance I get onto a Cisco box and I start adding other, like, endpoints to it, I create my own, like, point-to-point GRE tunnel, is there something in place that's going to actually detect those changes that are being made? Again, Cisco, Juniper or whatever, so as soon as I fire up a GRE tunnel it's going to say, hey, you know, someone popped

your box, they've made these changes. Wireless is an interesting one. We're getting some of this over on the on-site thing, but how many people, I guess, are requesting the use of WEP or PEAP, still, WEP or PEAP, as a wireless deployment in an actual production network? I mean, how many people? You'd be surprised that they're still out there. I guess it's a question. I mean, yeah, it's funny, I started with this: there are some consultants that actually still deploy WEP networks, and one of the most amusing stories I heard was, well, if you give it a big enough key it's just as secure as a WPA network. 32 seconds later we were on the network. Of course, a big part of

what we have to do, again, is due diligence, and I pick on this a lot when you're especially doing red teams: it's just because you know what's there and you know it can be broken, and leaving it there because you know it can be broken and going after the cooler things... Due diligence: if PEAP is there, break it; if WEP is there, break it; demonstrate the issue. It sounds like a lot of people will take that into account, just like, yeah, we're going to do it, but it may be surprising how many people just don't do it and say, well, it's low-hanging fruit. Well, what do you think the bad guys are actually going to go

after first? The low-hanging fruit, just like everything else. You know, MS08-067 isn't cool and sexy, but what are most pen testers going to use once they find it? The analogy should still be the same: well, MS08-067 is common, we use it all the time, so why don't we go after the WEP or PEAP still, too, sir? Yeah, and a lot of it depends on who you talk to. I mean, managed access control points: the key thing was, well, you have different access control points, and depending on what type of software, half of the network hosts can also become access control points, whether they can be soft or hard access control points. So

even if they have multiple VPN controllers at different network segments, or even some of the internal PCs that actually have, like, stun VPNs on them, or they're managed access control points, I'm trying to define all those and leverage those during the red team test; it should be considered, it should be actually executed on. Unfortunately, some aren't done that way, and part of the reason why is because we usually have such a short amount of time to execute the red team test that you can't find all of those, like the soft managed access control points. Hard ones are easy to find; soft ones, not so much. Sure. First, yeah, from my perspective, yeah, I mean, if

you're leveraging those organizationally allowed soft access points and you obviously pop one of those and that's how you get in, then yeah, you're obviously still going back to validating those controls. If they've defined that as a legitimate access point into the network and they're using whatever, 17-3 here, whatever maps into whatever, then yeah, you should be testing it if you know about it. They've defined it in there, saying we allow this on every PC. Well, that's cool, now I have 4,000 systems I can go after and they're all in scope because you're allowing this. All right, I touched on the encryption once, I'm not going to go into it again; it's nowhere near like the PEAP and

WEP thing, which I think everyone here probably does, just based on all the giggles when I said it. Cool. So full-disk encryption, whole-disk encryption, whatever you want to call it: a lot of guys don't take that into consideration, even the organizations, like, well, we don't really worry about it, or we already have it so we're not going to include it. If by some freak chance, you know, we happen to get into a building and there's, like, a crap ton of laptops hanging around, we want to take those into consideration; you actually want to test those. I want to fire up the laptop and see if they're actually all fully encrypted, because if one's not

encrypted, well, we know what's going to happen there, because what we need is one, just like you only need one system to be compromised. So if you're actually physically in the building and there's a pile of laptops, start turning them on. Why? Because we want to verify this, make sure every device is actually encrypted.

All right, what can people do? So if we send someone an email and it has, like, the cool, like, macro script in it, or a macro in there that's going to push in PowerShell, it's going to do something: do they actually restrict outbound traffic from user land? Can we just push it over whatever port we want to? Can it go over, like, 80? Can it go over 8081? Can it go over whatever? But we also don't want to start going through, like, my machine just trying to guess ports going out using that vector. But do they actually have egress access controls in place? We obviously want to test that.

It's one of the common red team pen tests. We still go back to the USB drives: we have USB drops, we have the DVD drops, we have whatever, we drop some cool, you know, mouse on the ground with something we reprogrammed so when they plug it in it does cool PowerShell stuff. Do they have any controls in place to restrict employees from bringing in outside devices? I'd say USB is still the biggest one. If we have an employee that goes into it, they found a USB drive outside, they bring it in and they plug it in, does something happen, outside of it executing, or whatever is on that drive still being accessible? A common way around

this is, as soon as you plug a USB drive in that the organization doesn't recognize or hasn't authorized, something fires up and it actually encrypts the drive, wipes it, encrypts it, rather than having a bunch of cool documents there that they can open up and start seeing, like, spreadsheets and how much money people make, which of course goes into a possible compromise. Most pen testers actually use this vector all the time; I shouldn't say all the time, but it's a common, common tactic. How many people do OSINT? A couple. So obviously we always go through what's out there: you want to go through all the PDFs, all the Word docs, all the spreadsheets, all the PowerPoints,

everything that they post, because we want to look for cool and interesting information that we can use to get into systems. This ties into that, so when we're doing our OSINT, when we're doing those digs through everything on their website, there needs to be a control in place that's going to limit what people can post onto the organization's public website. So are all the documents being cleansed properly before they're being put out there, or is it just being left with organizational usernames and domain names being stored in the documents, that someone like us, or the bad guys, are going to rip out of there and start attacking the systems based on that information? So a lot of the organizations

we work with have security awareness programs in place, and it's a big buzzword; hopefully everyone has been through their security awareness training. But often they don't bring into effect, like, insider threat type training. You know, it's the common, you know, if you get an email and it's a Word document, don't click on it; that's, like, the majority of our security awareness training. It's not, hey, if you see some dude, or not dude, because bad guys or girls, team, if you see some individual walking through the building and they start plugging, like, Raspberry Pis into the network and they duct tape it to the bottom of the table, that's probably suspicious. You should report that, and this is how you

should report it: defining that entire path for them, explicitly detailing who they should be reporting to, when they should report it by and why they need to report it, especially making them aware of, you know, the why, because a lot of people still don't understand the why. They understand that they're supposed to do stuff, but not why they're supposed to do stuff. So obviously when we are doing our cool, like, on-site physical break-into-buildings stuff, and, you know, talking to internal employees and trying to figure out where all the cool people sit and what time they actually get here, what time they leave, those are obviously indicators of insider threats that we need to be training the employees on. So

that's how we meet this. I'm kind of blowing through the controls sequentially, so if you guys have any questions just stop me, or if it hasn't been fully covered, I'll stop and try to answer it, and otherwise I'll just keep rolling through these things. All right, so as we're going through the systems and, you know, adding accounts to this or compromising VPNs and whatever, we're making changes, all the stuff we do as pen testers: what's recording all those changes that we're making? Is there anything actually recording all the changes that we're making? Are all the security devices actually integrated into a centralized data correlation logging server? A lot of organizations I've been to, they don't;

they have, like, VPN stuff goes here, firewall stuff goes here, you know, IT operations stuff goes here, and those three systems never actually see each other, so there's no correlation between those. So when something happens here, they usually don't know about it over here. So while they may be doing the logging on the individual systems, they're not tying it together to see the big picture. So as part of the testing we need to kind of help them understand why the big picture is more important than the individual logging, so they're meeting the logging controls that we'll discuss later, but they're not actually bringing all those logs together. All right, so when they detect changes that are

actually being made to the systems, what do they actually have to do, or are they required to actually do anything? Have they defined the path of incident handling, incident response? So once these things start coming in, as far as I've logged into your router, I've added routes, I've created, you know, new tunnels, I've added accounts to the systems, I've moved myself into better groups, more access, how is that coming back into the major system for the blue team to know what to do and when they have to do it? And this is kind of going to tie back into general security awareness training and incident response: do they actually have an incident response program? A lot of

companies I've been to, the incident response policies say, you know, you must report something when you see it, but then when they report something, you know, it goes into kind of an abyss. So is there actually an incident response plan on the back end, the technical end, or the physical people, and I'm going to pick on that later, because, you know, a lot of times you focus just on the tech stuff at these conferences, we don't really think about the physical security guys. But is there an actual overall plan for technical and physical? So when something happens, what are the actual requirements they have to start following, what do they have to do once an employee actually reports whatever, their CD drive is

opening and closing, their camera has turned on, there's some weird individual following them in a parking lot? So all these things tie back into the incident response: once the employee reports it, what do they have to start doing?

And of course my favorite subject, physical. So physical is going to tie into pretty much all the incident response type stuff. So do we have access controls at every entrance and exit? And I say entry and exit because that's very important, but most organizations only think about entry into the buildings. We're concerned with stopping people from getting into the building; you know, we have the locks and the doors and the cameras and the guards, and they're stopping people from getting in, not from getting out. It's just as important both ways, because once I get in and I actually physically steal stuff and I'm walking out with boxes, there needs to be some kind of control in

place that's going to stop me from getting out. That's all tied back into their overall, you know, physical protection plan. So a SIEM for the physical staff: something that's stopping someone from getting out, someone else monitoring the system. Just like the IT guys, you know, they have their cool SIEMs, whether it be Splunk or whatever, those guys need the same exact program. Something has to alert them that there's some bad dude or woman walking around the building, you know, picking stuff up, walking out of the building. We want to make sure, as the good guys, that there's no way to actually get to it: if we have copper, fiber or whatever, is

it protected? As the red team guys, that was one of my favorite targets. How do you want to really irritate someone? Get access to the fiber, because when the internet goes down and there's a big axe cut on the very outside, whoa, that's a major impact to business. How are they protecting it? Are they protecting it? Did they even realize they need to protect it? Part of the job of red teamers is obviously to kind of exploit that stuff. Is someone actually monitoring the lines? One of the big ones I like to pick on is closed-circuit television: cameras everywhere, but is anyone actually monitoring them? 90% of the time, no. It's just like IDS: if we're having IDS and no

one's watching it, what's the point? Emergency shutoffs: you'll find them everywhere, for power, for water. If you really want to irritate someone, turn off the water for the entire building. There should be an actual control someplace monitoring for that as well, so if by some chance somebody actually physically makes it to those emergency shutoffs, whether it's for the power, for the water, someone needs to be alerted: hey, there's some individual that's in the basement, it's three o'clock in the morning, and they're standing outside the emergency shutoff valve. We should be alerting on that. Delivery and removal: there's some guy here in a white truck and he claims he has some stuff he's going to deliver here, okay.

I can't tell you the number of times they've actually used that to get into locations: go down to Enterprise, rent a truck, throw some fake stickers on the side of it that said, like, FedEx, roll up, and people were like, yeah, sure. And, you know, it comes down to your physical protection plan, and is there a piece of monitoring and controls in place to not only log those but alert on those, or the deviations? Do we have normal times of deliveries to a location? If someone shows up outside of that time, we should be notifying, alerting on that. Physical security personnel: if you're showing up, are they asking you to identify yourself? Do the web

developers do any testing before they push stuff to the public? I would say the internal red team guys destroy this; external red team guys also destroy this, but most of the time they don't. As much as it pains me to say it, and, you know, the whole OWASP push in web dev, DevSec, there still is not a lot of testing done before custom or in-house-built code is pushed out. We obviously need to validate that. You know, the external stuff, maybe they have some control someplace, but internally we found the majority of times there's just nothing in place; they don't bother because it's on the inside. And then of course if we walked in the door

because we've said we're from FedEx and now we're sitting down, you know, plugging Pis into the network that we're going to start tunneling through your network, using, like, you know, OpenVPN or whatever, and just report the inside: so what do they do, what is their framework, what do they cling to, if anything is actually being done? Yeah, a lot of times before the test starts we'll straight up ask them, it's like, what's your development framework? You know, they're like, oh, it's agile, that's great. It's like, well, what's your testing process? And, you know, if there's hesitation in the answer, you know, if the testing process is, then that's just, you know, go

through, analyze, validate. It's like, yes, you have no internal or no external public-facing code validation or input validation being performed. And it's common that we do that, or should; we preach that. But for internally, obviously, it's where the majority of our testing nowadays is very PowerShell focused: we're looking at, you know, passing the hashes, we're not looking at testing actual internal web applications. If you go to the majority of the talks at any of the security conferences, I'd put the word majority, our red team talks are on PowerShell; we don't really do too much web app stuff anymore. We still have a couple of classes that go through the web apps, but it's very... we've

lost focus on where the actual information actually is. It's like the web apps have it, and if the web apps aren't being tested, or obviously input isn't being validated properly according to industry-defined requirements or recommendations, OWASP, that's where the cool information is, and it's even easier to get to if the developers are being lazy and the organization isn't holding developers to that. Some more stuff on the red team side that we should be testing: so once we're in the buildings, we, you know, have our footholds, we've elevated, we've now ramped up and our boxes are there, and we walk out, and, yeah, we're destroying them inside. Just don't lose sight of what else needs

to be tested outside of just the cool PowerShell stuff. There's a lot of things that I'm not touching on here, or usually at the bottom of it, and hopefully everyone's actually seeing a lot of these, but it's like these bullets here: stuff that we can't really test as red teamers or as pen testers or whatever, but the stuff we should be recommending is that as part of their vulnerability and remediation plans, or if you're from government, your POA&Ms, you know, defining what their plans are, what the remediation timelines are, who's responsible for remediation. Stuff that we can't do, but stuff that we should be recommending, because in the cool, like, ridiculously large reports that we

sometimes write, that kind of stuff needs to be addressed, not just, you know, what the issue is and how to exploit it and how to fix it, but kind of detailing out the plan as well. This is going to fly more toward the outside, boundary protection, looking from the outside in. So are there actual proper access controls in place? Have they defined the boundaries outside? Once we get into the inside, have they defined the internal boundaries? So if you pop a box in the DMZ, can you then start bouncing over internally because there are no firewall rules at all restricting access from the DMZ to internal? We're kind of going through trying to

validate that, not just trying to look for the pinholes if they're there. So is it wide open? We can pretty much map that out. You want to do that as an afterthought; starting to, like, try to map that out to make sure that those rules aren't in place, because we start trying to, like, nmap entire internal network segments based off ARP tables, you can be setting off alarms. But usually, as the wrap-up for the testing, it's like, okay, we got into these systems, meaning we used this to get into this, every test was completed, we went back and validated that, you know, there's no internal access controls between the DMZ segment and inside, and this is how we did it.

Let's go again: just defining or explaining to them how the boundaries aren't properly defined. So SC-7, touched on earlier: we're looking at the multiple, if there are multiple points of entry into a network. So if they have multiple points of entry, if for whatever reason they have one router in one location, one router in another geographic location, but those two segments are tied together, you can get how flaws in one segment will allow access to another segment. So, example: I have a router in Atlanta, Georgia, and I have another router in Philadelphia. Boom, I pop it out of here, make myself a tunnel, and then I'm on the internal network here and find that I can get to, you

know, Atlanta, Georgia, because there are no internal access controls. Kind of pointing out that because there are multiple points of entry into the network and there are flaws in one, it allows for complete internal compromise.

For the data that's actually residing on the systems, how are they protecting it? The majority of organizations now are starting to take database encryption seriously, even information at rest; they've started to just create containers, put the information in containers, and just keep those containers closed when they're not using them. So when we get onto systems and we start finding the interesting information, we're validating whether or not they're actually doing any kind of data-at-rest encryption, whether there are access controls based on where the information is stored. If it's sitting on a Windows share, for example, who has access to the share? Is it set to Everyone? That's one of those examples. So just find where the interesting stuff is and just validate who

has control of it, who can access it, how it's being protected, if it's being encrypted or not. Do they have malicious code protection? I mean, antivirus is common. Do they have it? Is it being updated? We obviously can test that, but you don't want to, because we don't want to start pushing bad code, or code that's going to be detected, at least not until after we've done our cool stuff. We want to verify that it's actually there, that it's being updated, that it's catching the common stuff. So after we push our cool PowerShell stuff and we get our yay or whatever, go back and actually start throwing stuff that we

know should be detected, just to make sure that those things are actually functioning. I can't count the number of times that antivirus was actually on a system but it hadn't been updated in like ten years; the date was a little old, it was like three or four years actually. But if it's not being updated it shouldn't even be there; there's no point to it, it's taking up processor space and memory space. So if it's not being updated it needs to be called out, and it actually needs to be tested. A lot of us don't actually do that type of testing; we're doing the pen test, doing the red team, so we pop the boxes, you

know, you do whatever to encode it, push it out there, make sure it's not being detected. But once the testing is actually done, we actually need to go back and verify that everything's actually working, make sure the malicious code protection is actually functioning as it's supposed to. So, pointing out the same thing again: do they have something in there that's pulling all the logs together? We did this at the FireTalks; someone asked, so what do you recommend? It's like, well, Splunk is good, it's my favorite; you throw it out there, it's pretty point-and-click, literally dump all the logs into it, and if you want to make reports you just say this,

this and this and hit go. It's one of the easiest SIEMs to use and one of the cheapest, aside from Security Onion. They need to have something in place; they have to have something in there to pull everything together from all the systems, especially public-facing, and all internal critical ones. If they don't have something that's going to generate that kind of intelligence for them, the real-time alerting when someone's doing anything even remotely suspicious, it needs to be called out. And obviously we can detail this really easily: we're popping boxes and no one's knowing about it. They need to be made aware of it. It can't just be, oh, we did this,

this and this. Well, you need better monitoring tools, you need better logging capability, I mean you need better correlation: everything going to a single log source, or from multiple log sources being pulled into one major log source, and then you're doing your analysis and correlation there. This control is kind of tied back into the last one; again, it can't really be historical-based. A lot of organizations, especially smaller ones, don't have the staff, so it's always, well, we don't have the staff to deal with real-time analysis. A lot of the SIEMs nowadays are going to allow you to have that kind of

functionality. Once you start taking all the logs in there, you generate all your alerts, whatever, just based off the information; anything that's deemed critical, send off your emails, your alerts, however you have it set up. But without the real-time analysis, again, it's kind of pointless; it's like having video cameras that no one's monitoring. So unless your IR plan is going to be historical-based, dealing with someone who popped the boxes Friday at midnight when you're coming in Monday morning, it just needs to be brought to their attention. So do the systems actually generate alerts? Which is another one we used to find all the time, like their DMZ systems: someone

just decided to not enable auditing on the systems. So on all the Windows boxes, for example, auditing was just set to no for everything because it was taking up log space, and in the past when I brought it to their attention no other auditors had found it. So just going through and verifying that auditing is actually taking place: after you pop the boxes, as an afterthought, once you've done your cool stuff, go back and make sure that the systems are actually generating alerts. Are they generating alarms? Are the event logs actually being generated for creating an account, adding myself to Domain Admins, starting new services? If it's not being done, obviously

they're going to have issues with meeting these kinds of controls. Outside of that, when someone pops your boxes and steals stuff, they're never going to know about it; all the Splunking in the world isn't going to help them if the data is not there. Are they doing any kind of integrity checks, especially on public-facing systems? So when I go in there and I start replacing, whatever, adding DLL replacements or adding new DLLs, is there something that's going to say, hey, someone's creating new files, editing this, editing that? Is there anything actually being done to detect that, or is it being pulled into a central repository with all their

logs being generated on it? So once you're generating the logs, what's actually going to happen? This is going to go back into the IR plan. Everything that I've been saying or rattling off very quickly has to tie back into the overall incident response plan. So as part of the incident response plan, not only dealing with, like, end users reporting in, hey, I clicked on this, or I opened up this Word document with the macro, blah blah blah, how is the IRT responding to integrity checks failing, if there were new files created, if files were replaced at like two o'clock in the morning? Does that IR plan actually deal with that

thing? Where is your spam protection? Do they have anything? How often are the signatures on their spam whatever actually being updated? If they're using a Symantec box, for example, how often are the signatures being updated? Are they being updated? Did it go out of support like a year ago and we just haven't bothered because it's just spam? Those kinds of engines are going to be the ones dealing with the majority of our external phishing attacks, so when we're generating the Word docs with the macro or whatever cool things in it, if there's nothing there that's going to keep up to date with the latest and greatest stuff, their spam protection is failing.

So, information input validation. They already touched on this; a lot of the controls are repetitive, I'm not sure why, but this is one of the ones where, as part of developer testing and development in general, they kind of touched on this, but they wanted to bring the point up again to make sure that it's actually being tested, that input validation is actually being performed. So are they actually doing proper filtering? If we're trying to do, like, joins, is there some mechanism in place that says you can't do join statements in whatever, a GET or a POST? And then how does that all tie back into their incident response plan? So when

they see a join statement in a POST that shouldn't be going to a certain application, is it being alerted in near real time back to the IR guys? Error handling: that's part of just normal web application development, but they wanted to call it out again. How is error handling being done? Is it being done? What kind of errors are being presented to the general user base versus administrator users? How are those users being, I'm assuming, how is the error actually being generated to the specific individual, them being an internal developer versus a general user? And of course what the error messages actually reveal, if anything.

Yeah, so there was a lot, and I'm sorry I blew through like 50 slides in 45 minutes, but it's a lot of stuff, and to be honest with you I didn't really cover even more of it, because a lot of the controls that I kind of skipped through very quickly were the minor controls. The minor controls were actually tied back into the major controls; the major controls were like paragraphs long. If you've never actually read through the NIST documentation, it's a lot of words; it's painfully long. In a former life we did a lot of government work with NIST, so I kind of built everything I did around that framework. So when someone wanted

testing done, and how can we sell this, I tied it back to the compliance side. Compliance has kind of got a bad rap because, obviously, most of us in the room are very technical, so we're all like, hack this, hack that, but when we actually want to sell the stuff we have to go back to the risk management frameworks, the compliance frameworks, because that's what the executives are more concerned with, the compliance officers who actually make the majority of the decisions, the CISOs who make the majority of the decisions. Then we come back down to what controls you're going to meet when you do this cool, sexy pen test and

pop the boxes. It's been like the common theme that we're still trying to get across to everyone. So next time you're trying to sell the pen test to the CISOs, to the compliance officers, to whatever executive it is, it's far easier to sell from a compliance perspective, at least in my opinion; I've had a lot of success that way. If you disagree, cool, we can argue about it later, because I have five minutes up for questions, so I'll stop for now and take questions. Sir? [audience question, inaudible] Yes, a lot of vendors are doing that intentionally now: they give you like half the error message, and if you want

the other half you've got to go into the console and dig like six layers down and actually find it and get the full useful error message. Like, if someone triggered whatever, that, oh, you tried to open up this Word doc that was located on this drive in this location, you'll get the alert saying something actually happened, but to find out what happened you actually have to go into the console for a lot of vendors. Yeah, they're doing that intentionally, which irritates me now that I'm actually on blue team again, because it's like, well, this should be the default: if I'm pushing code to a box I should be able to see the code I

pushed to the box in an error message, because if I'm a blue team guy, which I am now, I don't want to have to spend my time digging through six different systems trying to find that, because it's a waste of time; I have better things to do. But yes. Anyone else? [audience question, inaudible] No, I mean, there are a lot of talks about the RFID stuff, if it's like DEF CON, listen to the large guys, I mean every red team talk, I should say, I'm kind of joking, every red team talk, they're always doing the badge thing, and the badges that they're talking about, even the vendors themselves nowadays, they're saying don't use these anymore because they're broken,

but a lot of the resellers still have these things in stock and they're trying to get rid of them. But honestly, if you're out working with a customer that has, like, the old, I forgot my badges, if you have like the old style, I still keep them around just because they still sell like HID badges, the dual-frequency badges that are going high/low, that are still easily cloneable. One of the easiest things: you just get the shields, it's like a dollar fifty, that are like FIPS-compliant, that prevent the whole badge cloning thing. It's always going to be a viable, I shouldn't say always, there's going to be a viable vector for a long time just because the

busted systems are out there and the vendors still have them. But even if you go to HID now and say, hey, I need a new system, they're going to go with like ultra-high-frequency badges that right now you can't clone, but I mean everything that's obviously based on some algorithm is going to get busted at some point. But yeah. [audience comment, inaudible] Yeah, and it's going to come down to multiple layers, so if you have a badging system, don't rely on the badging system alone: something you have, something you know, go back to the ideology of just general old-school IT. So if you have a badge that's great, but couple it with something else, couple it with a PIN

number. I can't tell you how many customers I've been to where it's like, yeah, I cloned your badge and it was useless, because once I walked up to the badge reader, I badged in and the light went green, then I had to either do the retinal, literally I had to do a retinal picture, or I had to punch in the code. So couple it with something. So the badge readers, couple them with retinal scans or with punching in a PIN, because then I'd have to stand at the door, or have like a long-range telephoto lens to watch what your employees are punching in, which also has been done, but then it

requires more time for me to sit outside there. Anyone else? All right, cool. Well, thank you.