
Pen Testing VS Red Teaming, and how to get more from your reports

BSides KC · 2019 · 27:37 · 43 views · Published 2019-06
Speakers: Sampson Chandler
Tags: Category: Career · Team: Red · Style: Talk
About this talk
Sampson Chandler explores the critical differences between penetration testing and red team engagements, and how to write reports that effectively communicate security findings to both technical and non-technical audiences. The talk emphasizes clear scoping, business impact articulation, and the importance of presentation in building trust with clients and driving organizational security improvements.
Original YouTube description

Red team engagements provide valuable information for organizations to identify potential risks, address any observed weak points in their security posture, and to test the effectiveness of both policies and procedures. The report is where you present these findings, and writing a good report is vital for the organization; knowing how to effectively present and communicate findings is imperative not only for a red teamer’s continued success but for the organization to understand how malicious actors threaten their assets. In this presentation, I will discuss how to write better reports, tips for presenting your findings, and the importance of reports.

Sampson Chandler (Senior Analyst at RSA Security)

Sampson Chandler has been in IT for over 10 years, and in the information security field for 3 years. He has spoken at SecKC and is an active member of (ISC)2. As a Senior Analyst at RSA Security, Sampson Chandler has helped numerous clients during audits, penetration tests, vulnerability scans, and improving the security posture of many Fortune 500 companies.
Transcript [en]

so both are very knowledgeable so Thomas is penetration testing first red team and having better reports the reason for this talk is because I hear red team thrown a lot throwing out a lot with a penetration test and the confusion we are customers what they want or what they need which makes them not trust us and that's just it's a time bomb until it blows up in our face when customer starts off trusting us especially with such sensitive data and our reports show what we provided to these customers and that's why I'm extremely important that we make a little puppy I have always been into my Tia tech back the old lady said when authorities intern in high school career

what we would do is we would mess with the Indian windows scammers I would say I got a virus please hold windows and I'm gonna have to figure out how do I secure a virtual machines but they canvass a lysosome while at the same time it's a way maybe main problem or some service just like bricks though so customer comes to you says I want a pen test what does that mean right why are they doing it what do they want what do they need it's usually because they feel about it or they execute for insurance purposes or whatever but they really don't know what they want I recently had a recruiter contact me say hey we're looking for

penetration tester would you be interested and then when I started asking questions she said we just want you to do an assessment of all the vulnerabilities and give us a report and said okay do you want me to make you a vampire she's ever known we want you to tell all our vulnerabilities you don't know just ability to do this for a mask and be done so that's one of the issues and then you know whatever you would say hold on the red team or I do confess or you so again issue based gonna go over penetration test team red teaming they could report in the retro so get the issues key terms if you ask somebody the

difference between a vulnerability you will get their answer just like you may get three different answers with us what we needed risk and vulnerability index with it they all have new game meaning they all kind of deal with each other but

so then if we look at indeed and we look at cyber security analyst for they had so many requirements remember some skills and technical expertise common knowledge and security practices and procedures okay maybe our three friends pretty much they basically go where they want you to be a in certain spots but at the same time they want you to do and testing they want you to document everything document RIT disaster recovery bills we dug those all for an analyst position right so we're giving us do it for human balls would see this and it just telling it to follow down many other issues of recruiters saying hey about this position open for you they say

that's our red team vast sums of salary difference and technical abilities so penetration test look at the definition cools the person with vulnerability assessment different types of Sally which is best for your customer and he'll each type provide value to that so for vulnerability assessment you've done quarterly anytime the new equipment or software added environment but I and then we look at a penetration test the goals to compromise the target systems and gain access to information to determine business impacts basically the goal is to identify as many vulnerabilities very loud by exploiting those and then determine at risk or the other sport to determine business impacts of those and then you have to context of penetration

test within that to give a customer exactly what they want done in a professional and safe manner because they know what's going on just may have to do it at night on the weekends that way side effective business clearly defined rules of engagement if you don't man it gets a little better much better idea than a vulnerability assessment and it should be done annually to complete should be done by a third party you don't want any in-house especially if you're doing like the black box tests because the network and again and that's what you get when you have a portability the accent and

so a corner abilities applaud then you take your asset read company who intends to harm your business by whatever means and the risk is a loss or damage because of that so then we look at different types of penetration testing client-side Wireless social engineering typically you're going to see network services web application at all the same thing nearing client side as well but the main thing we would only get is three different types so we have black box black box clear box pencil box and then grey box black box these where they have no idea where network architecture no idea what software you're using they use distant techniques to identify their network layout and determine the

vulnerabilities for that white box the tester knows the network infrastructure has access to the software and there's where black box and the grey box is a little mixture of those two little more focus and Mike and a fun best of the two but where you get the main differences and these is a black box is great if you want a simulated real world attack but you are sacrificing time which means money which means if I have a week penetration test right and I spend the first week doing this and try to figure out the structure of your organization your network infrastructure what software you use that's time wasted I could have been identified vulnerabilities and exploiting

them and giving you a more clearly defined picture of the security posture of your enterprise white box they know what you have they can get right to it again it doesn't attack but you're basically throwing everything at it and see what sticks and then getting a better idea much better idea where your weaknesses are and where you need to improve on and any other steps of the pen test and now people being here something that they do know first an information-gathering your jewelry on you can try flying as much information as you can in the time allotted spend too much time on this but you definitely want to be thorough have a really important scene a threat

modeling really woman building a house is the main one and you explore today try to do post exploitation situation 1 and then report everybody's favorite part of the pen test it's not fun I don't think get into information security to write reports but it's what I have to do and we're going to do whatever if I want to continue to do what I love then I got to make sure that our reports are great that way it just was have you ever been to a bad mechanic and they rip you all and they kind of just ruins the trust for any other one yeah they're always kind of second-guessing yourself I always kind of related to

that I battle for the client they say why that makes more money for this and then neither than that you know others in the media are going to see this they may not get another pen test up for a year or two years and then come in and I see something in there like giving ridiculous risk scores just so they can make it look like brilliant eggs and company those problems and then actually something completely different then I met trust either one of us but I know that I need my wife and then again it just creates mistrust people don't want to do it and start apart enough to pitch security to enterprise right we're not viewed as a few dozen walls

right it's gonna cost us money to maybe cost downtime it's going to be stressful and there's not much payback unless you can effectively communicate how you gain that back and security either with dollar amounts you kind of trigger with that so yeah Thank You princess you determine the business feasibility of a particular set of attack vectors you identify I original owner abilities bottom anyway exploiting them and seeing just how much you can get away with and then from lower vertical abilities highlight one of these difficult or impossible detect so you know if I have if I'm exploiting cancer decks right if I'm able to alter that exploits event it's not protected by the virus standards and you know

that's still the same exploit I'm just simply modified it a little bit to bypass detection then you have assess test fly the pretty implemented validate your plot I can be around for that basically just hand off report and that's why it's very very very critical if you can to provide a steps to detect or maybe steps to prevent even I understand that's kind of getting into the realm of blue team but I I was want people to our pen testers that let's do some digital plans response we're too distant with them so they can see what does it look like from the opposite end when a penetration test is happening right what are they looking

forward so then I told me how can I avoid this if I don't know all the information or I'm going to their half line I'm just not that good at my job just do the job but it's not as good again - so where you're going to report right I am presenting and you want to present this in a way that non-technical people will understand and pretending to directors and CEOs will plug one of the scariest things for me I took them all to find out but I was scared nervous that you know I messed up or something stupid or they're gonna call me out something technical my analyst day I wasn't prepared I didn't have my

findings to back up my and then have appendices to back up my findings may have enough information anytime you talk dollar amounts you better have something to back up anytime you talk about downtime you need to show how did you get that you can't just be like you know it took us down our best recovered policy states that we should be back for 12 hours 12 hours of production downtime equals right you need to go a little more than that what's the maximum like half a production I really put that terms interesting and then you find scope and rules of engagement apply the biggest difference between a contestant reading engagement with a pen test scare was

more narrow because by IP addresses or IP ranges the rules of engagement usually no ARP poisoning not too much social engineering things of that nature whereas a red team engagement we have one main objective please that objective lead by any means

you have you want you in testicles pirates routine equals a ninja right all right when there make a mess grab whatever they can and then just try to be stealthy do so red team again it's more bull based they can identify this little hardware or software human abilities so there's mirroring trying to access a database server room gives you more clearly defined idea of how an attacker would attack your organization and helps identify an address also says the main thing is to cup of blue tea how are we going to help the blue team to identify attacks the full-scale multi-layered member so evidence of the taxi Malaysian create to measure how well an organization staff and we're

basically just on you and the red team should be more internal right you want them constantly improving the police so that's why when a pen test or a third party or a team should be more mature so what's the main difference again it's supporting the blue team is major one the goals the length of engagement where the pen test usually they've got to 12 weeks they read to engagement or team 18-20 weeks they have the boomers have more clearly to my role where as I could have somebody doing an in-app stand web app and have a red team doing social engineering there's somebody doing exploit customization there are very very knowledgeable innovators and methodologies different city every

content was more heavily in essence you weaponized a deliverer it exploited more about taking your time and if they get detected good things I mean blue team is great but it also needs a big finish right that's kind of trio weird concepts those two methods organization flicking information infrastructure about infrastructure files delivery that could launch our deployments exploit installation is it command and control and then actually uh detective we need to expose some data we need to gain access to the server rooms what do we so what do you need right so vulnerabilities that say you just want to stand in a numerate penetration test are you looking intensity systems are you looking to get more clearly defined

idea of what your security posture looks like in your enterprise and then the importance of those vulnerabilities that can be exploited and then erecting engagement do you want to learn everything you possibly can about the specific goal you want to prove your blue team then again that should be internal so really if you want to build an inside team really don't need that for a small meeting business in those big businesses I get to hear about briefs caught by an amputee and it's usually something dumb and these are related or phishing the simple sub works I don't need to customize an exploit if I can get into your systems right and therefore people are tired of hearing in

users Andy and we need to train them better but you don't need a so the more better trinket or the better they are

so again penetration tests wounded due to time spoon writing campaigns that remove these limitations give you a war critter declining simulated attack and then reports right so this is our end product it shows the work we did it I was kind of related to resume like you don't want to make it a spelling error and your resume you want to impress them you want to grab their attention and you want to come to term understand you want to do the same thing with the report right you want to make sure that they understand what I tell them remote code execution do you think they're gonna know what that is right if I say it's gonna cost X

dollars now that exploited the risk of this being exploited is pretty high how easily it is be exploited they understand that right but again you need stuff to back up back that's why you need appendices and stuff like that to provide more detailed documentation in use but you want to keep pretty simple right so communication issues that I we're going to hear is I can't they don't listen at our time what that tells me is that it may be an issue of began but a thought that could be how are you communicating there's plenty of different ways you can look at this but I want you to take away from this is that really communicating with your

customer during those initial meetings about what she wants or what they want and helping them figure that out and explaining them in depth will make your job a thousand times easier and then really I mean the time and effort to developing better reports just makes us look better as a whole some ways you can do that is usually have a ticket for their methodology you usually already have the scope defined the executive summary can be a little bit tricky you need to kind of fill that out or what are they wanting to watch go do they just might here you have this this will give you simple sweet but then as well have have stuff to back though

if they ask for questions if you have somebody else I could see so where somebody director by TSN you well you go more into how you exported this

preparation and if you don't know if you ever see anything like that document everything so if you're new to this start reporting their screen start saving your stance just practice doing that practice doing the reporting OffSec has a template that's great and you can just do that kind of in the habit of how do I write this report and then that to the slide I've got one to public report that you can look at to see how they do it you what community you I add it in there or use it to do reports the u.s. is a portal note-taking works XML files prima TV and test Irish it just punch itself basically organization

will help your report writing we can go to clearly define thought process thinking about the notes screen recordings if you like that will help you go back through it I can't tell you how many times I have sat there trying to exploit a vulnerability exploit it and be like oh I didn't take any notes or screen grab or anything like that I have to redo it and waste my time

so the takeaway don't you take working softer that hints at blank presentation you know really defined what is your clients goal picture they never see the difference having clearly defined objectives and talking taking good notes and make your job so much easier as an employee reports our end product they last a long time I've seen some that are old five years old it's how we justify our positions our salary I like making a lot of money I liked having job security I want to continue to do this and the best way we can do that is providing more value to our customers and then doing little things will provide essential value how do I detect this exploit how do I prevent it

usually aren't in a report if you can add those you provide substantial value to that or for best IDS/IPS is people and if your blue team one offense your offense and defense they will just help you be better
