
Thank you very much. What a beautiful event you guys have got going here; fantastic job from all the volunteers. I'd love to be here next year as well. Look at this slide, by the way: disrupting nation states, cyber criminals, and there's animation. Turns out PowerPoint has a button. It should have been called "Pimp My Slide", but you can just click this Design button and magic happens. But yeah, my talk will basically be revolving around two concepts: continuous attack surface management, and what we have defined as always-on pen testing. Trying to change up the game a little bit, innovate a little bit, and see if we can basically make our customers have better security.

Chris Dale. I teach for SANS, in fact (the slide). I'm also a founder of River Security, where we're a group of nine people now trying to make the world a bit harder to hack. Teaching for SANS, I travel all over the world: U.S., Europe, Africa, Middle East, trying to preach, you know, trying to tell people how things can be done, how it should be done, and hopefully also make it actionable, something that you can actually implement the next week. In short, I do a lot of penetration testing, and unfortunately you might also see me commenting about incident response as well. Ransomware cases have been a big one the past few years; it's been huge, companies literally on the verge of dying, and having to help them is anything but fun. So yeah, alphabet soup of certifications, a little bit about myself.

All right, now a question for all of you: why do we do pen testing? I mean, sometimes we've got to go back to the basics and ask the simple questions. Why do we do pen testing? To help a customer not get hacked tomorrow, so they are safe? To figure out which CVEs and bugs you need to patch so that we won't get popped anytime in the future? To maybe stimulate long-term effectiveness of your security policies and make security better in the long term? Pen testing is for many a silver bullet that basically makes you a little bit more immune to hackers online, and I don't necessarily agree with that. There are a couple of problems with a traditional pen test.

I've been lucky enough to work on both sides of the table. I spent three years working as a CISO for a company called Surecat Solutions, so I had to procure pen tests from some of the people here in the audience, even. And I've been working for many years on the other side of the table: I've been providing pen tests and making customers understand why they need to buy a pen test. I've seen some problems on both sides of the table that are not necessarily being addressed by everyone at the moment.

For example, as a client, somebody who wants to buy a pen test: what's the scope of the pen test? I mean, here I am wanting to have a pen test because I want to make sure that, well, hackers are not going to break in tomorrow, and I'm going to have to figure out what the scope is. I've got to figure out which assets I want to put in scope, which assets should be excluded from scope, and I don't necessarily know how hackers operate. I don't necessarily know how they do attack surface discovery, scanning and so on. I'm not qualified to set my own scope of a pen test. Why? Because I have shadow IT, I have dark data, I don't know what the scope could be. When a real hacker, a real threat actor, targets this company, my company for example, they're going to find the things that I didn't know about. And when we do incident response, guess what: very rarely is a customer hacked by something super sophisticated or advanced. Very often the customer is hacked by something that makes the entire company go "oh no, that server", "that user", "oh no, they did that". It's very often something stupid, right? And we are not buying pen tests for those systems, because most likely they're not on our radar. Okay, so that's a bit of a problem. Also, it's typically a once-a-year approach; we don't do it often enough. I mean, agile has for years been something developers do, but pen testers, not very much agile just yet. We're trying to get there, though.

Providing a pen test: what is the scope, right? How do you find the scope of a pen test? Well, I've got to do my reconnaissance, my scanning, my discovery of assets; I've got to figure out what this company looks like. But that's after the customer signed a deal, so you won't actually find out what the scope is until you start, and maybe you do some scoping meetings and so on, and you waste everybody's time; you still haven't signed any money on a paper yet. So it's not a very nice process, in my honest opinion, to figure out the scope before even, well, having any money on the table. The scope also oftentimes infuriates pen testers, because once you start working on the engagement, you start to hack into the multitude of systems, you discover other systems, neighboring systems, that are so much more juicy. You know: "oh, I'm supposed to hack over here, but I just found these other ones I really want to touch, but I can't." And I can be frustrated, it can be sad, and you really want to tell the customer, but then you're in a dilemma of scope creep. Nobody wants scope creep because, well, more billable hours, it's going to cost a bit more, expectations are not necessarily met. And I want to ask you about the threat actors out there (oh, this one is animated too, I didn't know that; you again hit the magic button, pimp my slide): do attackers care about the scope? A real threat actor who wants to get in doesn't care about scope whatsoever. They're not going to look at you and say "ah, I better leave those assets alone". I mean, no, the attackers don't care about scope.

And I found this beautiful video; I hope some of you have seen it before. It's like a meme. I want to quickly show you what it's all about. Somebody seen this one before? It is awesome. It's only 25 seconds; I thought it was a minute, but we'll see if this is the right one. But this guy is a system, it's basically saying "hey, shoot me, hey, come at me bro", and he's like "really? come on, come on, press on, hey". Ah, they just bought their new next-generation firewall. "Hit me", and pen testers, okay. Well, right, that's really what I see during incident response. Once we do the root cause analysis, we figure out how they got broken into, and then it's often a problem that was previously considered to be something they knew about, but they forgot about: that old DNS server, that system that should have been removed that was never removed, that account that popped up after a migration to Azure; it popped up an account that was all of a sudden available on the internet that shouldn't be available on the internet. Attackers, they don't care about scope; they just care about monetization, or breaking in somehow.

So what I did was to look at what we're doing and try to innovate a little bit. I would call it micro-innovation, because we're not doing a whole lot. But instead of saying "hey, let's do a pen test", we can tell our customers "hey, let's map out your digital attack surface". Let's not say a pen test is one report, one result; let's say a pen test is actually two different deliveries. It all starts with a digital attack surface overview: let the hackers show you what we can find. Let us complement your asset inventory with all the stuff that we find: your social media accounts, your leaked credentials that were leaked from 50 either slog or Sudan told again. So let us give you all of the ammunition, make you as smart and clever as possible, before we start negotiating and talking about a scope.

I can do a lot of great things by just looking at IT assets. I mean, ask a pen tester, tell them: have they ever had a hunch on how easy a system will be to hack? I mean, there's no CSS template on the page, it looks old, it looks a bit wobbly, it has a PHP extension; you go "I really want to hack over here". Every hacker, every pen tester will have some hunches, and we can attribute those hunches down to specific metrics that say these systems are very attractive to an external penetration tester: we really want to recommend these assets to be in scope. And because we have already looked at those assets, now we can even basically estimate the size and the time it will take us to pen test those assets, so we can come up with maybe a fixed price, say "here's what it's going to cost", and the customer can then maybe add their own systems to it, they can remove their own systems, and we can basically in a much better way agree on a scope. Makes sense, right? I think it makes sense, and I know many of you know, it feels that it makes sense, now, because I'm seeing more and more cyber security companies that are offering their clients: "hey, first let's map out the digital attack surface and figure it out". It is a good exercise that gives high value early on in the engagement, ensures trust between the parties, and overall it's very fun to do.

And that takes us into attack surface management. What is attack surface management, then? Attack surface management is basically the digital footprint exercise evolved into a continuous cycle of reconnaissance, discovery and scanning. We want to take a look, evolve, not just one, or like a snapshot in time; this is you, we want to look at those systems and those assets, how they change throughout every day, how the landscape evolves. Every company will innovate, they will build, they will have organic growth, and we want to put that into a system that allows us to, well, detect those deltas, detect those changes that might give an attacker new opportunities. And that's what it's all about, in my opinion, because an attacker, a real threat actor on the internet, will base themselves upon what opportunities exist today on how to break into this company. Log4j all of a sudden happened the day after you had a pen test; you go like "oh, do I need another pen test now? Can we look for Log4j?" And absolutely, you should be able to look for it. You should be able to discover such opportunities and basically identify them as potential threats. That should be something that you can do easily. Also, shadow IT and dark data should be something that is harder to implement; we can complement attack surface management with features of the blue team. The blue team has DNS logs, for example, that you can go look through, things like Amazon AWS buckets, Google Cloud Compute buckets, for example Azure blob storage, and you can find shadow IT through correlation as well. But there is basically the concept of attack surface management: it's basically "hey, let's put this digital attack surface, that report, let's put that into a system that lets us continuously maintain and monitor the customer", finding those doors that we left open, you know. This meme here is beautiful, by the way. I saw this highway; apparently there is no sign, this sign has been photoshopped on top of this meme, but there we go, some meme trivia for everybody.

But typically, when we are successful as pen testers, and I hope many of the pen testers in the room can confirm this with me, very often you can get a sense of whether you're going to be successful in a pen test or not by simply having a fantastic reconnaissance phase; by simply being very good at reconnaissance, building very targeted, nice, beautiful word lists, and building up that dossier of information, preparing you for the inevitable launching of exploits. To us, that's the most important phase. What determines the success of a pen test, of us breaking into a company? Typically, hey, reconnaissance, that's where we get value for our money. And to basically improve your reconnaissance processes, you want to look for what we call the path least traveled. This is also for the bug bounty hunters out there: if you're going to be successful in bug bounty, you probably want to find those new systems, or those systems that nobody else has found yet. You want to find that hidden attack surface, and you find that by having the best reconnaissance; you find it by having targeted, good, neat word lists and processes that will let you be notified when there is a change to the attack surface, so you can jump on that opportunity to quickly take advantage of it.

There is a dilemma. From a business side, they want to grow, they want to build, they want to release marketing, maybe they have stuff that wants to go out, information should be spread. But from a cyber security perspective, we want to slow things down, right? In fact, cyber security for many has been all about saying no. You want to move to the cloud? Hell no. You want to put some data out on a server in a DMZ and expose potentially GDPR-sensitive data through basic means of access controls? We've been saying no, no, no, no, no. However, cyber security in my eyes is all about yes: you want to do something? Yes, but here's how it's done. Attack surface management and the digital footprint, this allows hopefully the security teams to say a bit more yes. Let's support the organization, let's not hinder innovation, let's not stop the company from growing, let's say "yes, but". And for the things that we cannot govern, maybe attack surface management will help us conclude and reduce that risk.

I love seeing customers that look like a tank from the outside. All we see is a couple of websites and a lot of endpoints, like VPN concentrators and so on, and there's not that much weed, you know; it looks very clean and neat from the outside. That's an attack surface, a digital attack surface, which is hardened and nice: every version number is the same and so on; you can tell that the guys in IT operations are governing this. Whereas in most organizations it's a lot of weeds, a lot of things growing left and right, and you go like "what is this version number from 10 years ago?", end-of-life systems, you find all kinds of stuff.

So what is always-on pen testing, then? Well, always-on pen testing is when we take the digital attack surface management and you pen test and verify all of the changes. So when a port is opened, when a new domain has been provisioned, when you've found something new of an opportunity, when Log4j comes out, for example, that CVE, that vulnerability, you want to be as fast as possible to quickly find out: can you exploit the customer? Taking the pen test down to the opportunities as they happen, instead of once a year, once a quarter, however fast you can build this. So instead of my team working in projects that are a week to three weeks long, we are looking at projects that are "hey, let's look at this item"; 45 minutes later you're done, let's look at another item. And we have this huge sandbox with tons of assets that belong to our customers that we try to hack simultaneously. It is a lot of fun working like this, because it's working in the same modus operandi as real threat actors.

Always-on pen testing is basically us trying, in real time, as fast as we can, to figure out if we can conclude a possible opportunity down to actual exploitation. Where we say we take the vulnerability scanner, we purchase those vulnerability licenses for Nessus, Tenable and, like, Rapid7 and so on; we will have those licenses, we will scan your assets and take all those criticals, highs, mediums, and ask ourselves: can we hack the customer now based on a vulnerability? A new CVE: NIST has just announced that "hey, there's a new CVE for Apache software", for example Apache web server. We're going to take that CVE; we know the customer is running Apache across a couple thousand assets, maybe, and we will ask ourselves, based on the CVE, is there any reason for the customer to shut down the server and upgrade immediately, or can we wait till the next patch window? And that is very nice, because now we get what we call high-fidelity alerts. We get alerts that we can trust; we can trust in these alerts because they've been verified by human people. I'm not a big fan of crying wolf all the time, which is something this industry is specializing in; it's kind of like we're proud of having very many findings, like the higher number of findings that we can get is very nice for many. However, you look at this from a business side, you go "should I patch any of these? Is there something for me to do? Do I need to act on these 127 vulnerabilities, or am I safe?" I mean, I know there's a vulnerability, but I haven't been hacked yet. Is it because nobody has looked yet? What is the reason? And the reason why you're not necessarily getting hacked immediately because you're running an end-of-life system, or you have a critical vulnerability on a web server, is that most of the time vulnerabilities have dependencies. The attacker might require an account on the system, for example: "oh, big vulnerability in WordPress", only if you are assigning authors, or users, the author role; only then will the server get popped and the pen testers can break in. Meaning that you can relax, unless, well, you're currently giving random people on the internet the author role, or if any of those accounts get compromised. So I like working like this.

In a traditional pen test it's kind of like we're slow, we're turtles, very slowly but surely moving ahead. Well, threat actors, nation-state attackers like the US NSA, for example: they have a fantastic talk on YouTube from the USENIX conference, where Rob Joyce goes ahead and says "look, we are present every day; the reason why we are successful in breaking into customers, or victims you could say, in foreign countries, is because we end up knowing the target better than they know themselves." They're cheetahs: super fast, always moving, always looking. If you open up a port only for a couple of hours, there's going to be somebody there to check "hey, port open, what is this?" I used to say pen tests, it's like playing badminton, and real criminals, they're playing tennis, right? Until a guy corrected me on that and said "well, you know, actually a badminton ball can move faster than a tennis ball", and I'm like "oh, okay, yeah, but are we playing the same sport?" We've got to ask ourselves that: a traditional pen test, will that actually give us something really actionable for the long-term sustainability and security of a company? And I think bug bounty, for example, attack surface management and so on, has higher returns for customers, because it is all about speed and agility.

Inspired by the military, which we are quite a bit in River, we believe that if we are faster than the threat actors out there to observe changes to the attack surface, if we are faster to orient ourselves and ask ourselves the question "does this allow us to compromise the customer? Is there GDPR-sensitive data? Is there a way for us to run code? Can we do a denial of service? Any risk to the customer?", if we can ask that question, orient ourselves really fast, decide on an outcome, and make the customer act on that rapidly, multiple times every day, we believe that we can have a chance against what the threat actors are currently doing to us. We can beat them; at least we can compete against them in the same arena that they're playing in. This is based off the military, and in the military, in a dogfight like these two fighter jets here, typically what you would say is that the pilot who has the fastest repeating OODA loops, over and over and over, is the pilot who's going to win the dogfight. The pilot who can quickest identify threats, identify mountains, up, down, velocity and so on, over and over, and make the right decisions based on the information that you can see, will win the dogfight.

It comes down to proactive and reactive. We want to be, and we have this slide here to show you how companies could potentially mature in terms of cyber security, because if you look at the journey of a company today, most companies will invest in shiny, nice next-generation firewalls, antivirus, endpoint detection and response, and so on. If they have a problem, if you get compromised, you are the most reactive you can imagine: you are now blocking an attack, you're trying to respond to an incident; that's a reactive type of approach. When companies mature in terms of proactiveness, most companies, after they have invested in cyber secur
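As an added example (not the speaker's or River Security's tooling), here is a small Python sketch of the loop described in the talk: diff two attack-surface snapshots to find the deltas worth verifying, match a new advisory against the inventory, and reduce it to one high-fidelity outcome. All hostnames, versions and advisories are constructed; the "requires_auth" flag models the talk's point that a vulnerability with dependencies can often wait for the next patch window.

```python
# Added illustration of the talk's "detect deltas, then verify them" loop.
# Not River Security's tooling; hosts, versions and advisories are constructed.

# Constructed inventory snapshots: host -> {port: (product, version)}.
YESTERDAY = {
    "www.example.com": {443: ("apache", "2.4.57")},
    "vpn.example.com": {443: ("openvpn", "2.6.8")},
}
TODAY = {
    "www.example.com": {443: ("apache", "2.4.57"), 8080: ("apache", "2.4.49")},
    "vpn.example.com": {443: ("openvpn", "2.6.8")},
    "old-dns.example.com": {53: ("bind", "9.11.4")},  # the forgotten old DNS server
}
# Constructed advisories. "requires_auth" models the talk's point that a bug
# with dependencies (an account is needed) can often wait for the patch window.
ADVISORY_UNAUTH = {"product": "apache", "fixed_in": "2.4.50", "requires_auth": False}
ADVISORY_AUTH = {"product": "bind", "fixed_in": "9.16.0", "requires_auth": True}


def diff_snapshots(before, after):
    """Changes between two snapshots as (kind, host, port, detail) tuples.

    Each tuple is one item for the always-on queue: a new host, a newly opened
    port, a changed service version, or a port that disappeared."""
    deltas = []
    for host, ports in after.items():
        for port, (prod, ver) in ports.items():
            if host not in before:
                deltas.append(("new_host", host, port, f"{prod} {ver}"))
            elif port not in before[host]:
                deltas.append(("new_port", host, port, f"{prod} {ver}"))
            elif before[host][port] != (prod, ver):
                old = " ".join(before[host][port])
                deltas.append(("version_change", host, port, f"{old} -> {prod} {ver}"))
    for host, ports in before.items():
        for port in ports:
            if host not in after or port not in after[host]:
                deltas.append(("removed_port", host, port, ""))
    return deltas


def version_tuple(v):
    return tuple(int(x) for x in v.split("."))


def match_advisory(snapshot, advisory):
    """Exposed (host, port, version) whose product is older than the fixed version."""
    return [(host, port, ver)
            for host, ports in snapshot.items()
            for port, (prod, ver) in ports.items()
            if prod == advisory["product"]
            and version_tuple(ver) < version_tuple(advisory["fixed_in"])]


def triage(hits, advisory):
    """The high-fidelity outcome: nothing to do, wait for the window, or patch now."""
    if not hits:
        return "no_action"
    return "next_patch_window" if advisory["requires_auth"] else "patch_now"
```

Running diff_snapshots(YESTERDAY, TODAY) yields the new port 8080 on www.example.com and the reappeared old-dns.example.com; the Apache advisory then flags only the 2.4.49 instance, and triage returns "patch_now" because no account is needed.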