How to Frustrate a Penetration Tester - Justin Forbes

BSides Peru | 51:24 | 152 views | Published 2019-07
About this talk
Over the past several years, most penetration tests have shared several common steps in the attack path. These commonalities between engagements allow penetration testers quick access to critical systems and lead to full network compromise. Most penetration testers, and attackers, will work only as hard as necessary to complete the objective. By forcing them to work harder, organizations will either get a better report or discover they need a better pen tester.

This talk will examine some of the typical ways in which a penetration tester might approach an engagement, including anonymized stories from real assessments. We will look at common initial access, privilege escalation, and lateral movement techniques. For each technique, we will look at how to detect an active attack. Additionally, we will apply the concepts of defense in depth to identify multiple overlapping preventative measures which can be used to stop the attacks. By implementing the discussed detective and preventive security controls, an organization ensures that a penetration tester cannot rely on the same techniques used in years past, ultimately forcing the tester to work harder.

Justin Forbes is the team lead of the Applied Network Defense team at CMU/SEI/CERT. He has been leading penetration testing teams for the past five (5) years targeting federal, state, local, and critical infrastructure organizations. Justin earned his Master's in Telecommunications from the University of Pittsburgh in 2010 and his Bachelor's in Information Sciences in 2008. His typical Primanti Brothers order is the Ragin' Cajun chicken sandwich and a tall IC Light.