Defending the Castle by Actively Abusing It

Monday, April 25, 2011

Contributed By: J. Oquendo

Research indicates that current trends in information security threats outpaces the security controls that reduce and or eliminate information security vulnerabilities.

This document examines the approach of achieving maximum information security defensibility, by utilizing effective offensive testing.

Compared are the differences in the effectiveness of security testing by performing a controlled test – referred to as “vanilla” testing, and a responsibly orchestrated blackhat test.

Contrary to popular industry belief, realistic “adversarial” testing can be accomplished in a responsible manner without the consequences of “bringing down the house”.

Offered are arguments, costs associated with testing, and counterpoints against organizational decisions that disallow certain types of testing.

Blackhat-based testing is similar to what a malicious and structured attacker would perform and it is believed that by performing “blackhat” testing, we are taking a “realistic” approach to vulnerability testing.

This is the proper route to take to ensure fully scoping the potential vulnerabilities in a given environment in an effort to maintain proper defensibility.

12505
Network->General
Information Security
Vulnerability Assessments Penetration Testing Network Security Information Security Black Hat
Post Rating I Like this!
681afc0b54fe6a855e3b0215d3081d52
Susan V. James Great paper by J. Oquendo. With the rise in APT attacks, it is obvious that the bad guys understand the value in investing in top tools, talent, and time to capture valuable information. They are not all drive-by hackers using freeware, and they are not all starting the attack from outside of your network.

The comparison of Canvas to Metasploit, with Canvas focusing on exploitation of real-world, major business application vulnerabilities instead of free / hobby-level applications, is highly relevant.

I wonder if anyone has any numbers on the average ROI for the attacker who conducts successful major attacks, i.e.: RSA break-in, Epsilon, PlayStation Network? I'm sure this would be difficult to determine, but it must be an impressive ratio considering what can be done with the stolen information.
1303910099
C643eec6350152c6c3fbd1288578d98a
Terry Perkins I completely agree with Susan. I really appreciate the comparison of the tools. Thanks for a great article.
1303917608