Wed, 9 May 2012

Pentesting in the spotlight - a view

Tags: conferences, pentest, presentations, public, threat, modelling — charl @ 20:57

As 44Con 2012 starts to gain momentum (we'll be there again this time around) I was perusing some of the talks from last year's event...

It was a great event with some great presentations, including (if I may say) our own Ian deVilliers' *Security Application Proxy Pwnage*. Another presentation that caught my attention was Haroon Meer's *Penetration Testing considered harmful today*. In this presentation Haroon outlines concerns he has with Penetration Testing and suggests some changes that could be made to the way we test in order to improve the results we get. As you may know a core part of SensePost's business, and my career for almost 13 years, has been security testing, and so I followed this talk quite closely. The raises some interesting ideas and I felt I'd like to comment on some of the points he was making.

As I understood it, the talk's hypothesis could be (over) simplified as follows:

Despite all efforts the security problem is growing and we're heading towards a 'security apocalypse';
Penetration Testing has been presented as a solution to this problem;
Penetration Testing doesn't seem to be working - we're still just one 0-day away from being owned - even for our most valuable assets;
One of the reasons for this is that we don't cater for the 0-day, which is a game-changer. 0-day is sometimes overemphasized, but mostly it's underemphasized, making the value of the test spurious at best;
There are some ways in which this can be improved, including the use '0-day cards', which allow the tester to emulate the use of a 0-day on a specific system without needing to actually have one. Think of this like a joker in a game of cards.

To begin with, let's consider the term "Penetration Testing", which sits at the core of the hypotheses. This term is widely used to express a number of security testing methodologies and could also be referred to as "attack & penetration", "ethical hacking", "vulnerability testing" or "vulnerability assessment". At SensePost we use the latter term, and the methodology it expresses includes a number of phases of which 'penetration testing' - the attempt to actually leverage the vulnerabilities discovered and practically demonstrate their potential impact to the business - is only one. The talk did not specify which specific definition of Penetration Test he was using. However, given the emphasis later in the talk about the significance of the 0-day and 'owning' things, I'm assuming he was using the most narrow, technical form of the term. It would seem to me that this already impacts much of his assertion: There are cases of course where a customer wants us simply to 'own' something, or somethings, but most often Penetration Testing is performed within the context of some broader assessment within which many of Haroon's concerns may already be being addressed. As the talk pointed out, there are instances where the question is asked "can we breached?", or "can we be breached without detecting it?". In such cases a raw "attack and penetration" test can be exactly what's needed; indeed it's a model that's been used by the military for decades. However for the most part penetration testing should only be used as a specific phase in an assessment and to achieve a specific purpose. I believe many services companies, including our own, have already evolved to the point where this is the case.

Next, I'd like to consider the assertion that penetration testing or even security assessment is presented as the "solution" to the security problem. While it's true that many companies do employ regular testing, amongst our customers it's most often used as a part of a broader strategy, to achieve a specific purpose. Security Assessment is about learning. Through regular testing, the tester, the assessment team and the customer incrementally understand threats and defenses better. Assumptions and assertions are tested and impacts are demonstrated. To me the talk's point is like saying that cholesterol testing is being presented as a solution to heart attacks. This seems untrue. Medical testing for a specific condition helps us gauge the likelihood of someone falling victim to a disease. Having understood this, we can apply treatments, change behavior or accept the odds and carry on. Where we have made changes, further testing helps us gauge whether those changes were successful or not. In the same way, security testing delivers a data point that can be used as part of a general security management process. I don't believe many people are presenting testing as the 'solution' to the security problem.

It is fair to say that the entire process within which security testing functions is not having the desired effect; Hence the talk's reference to a "security apocalypse". The failure of security testers to communicate the severity of the situation in language that business can understand surely plays a role here. However, it's not clear to me that the core of this problem lies with the testing component.

A significant, and interesting component of the talk's thesis has to do with the role of "0-day" in security and testing. He rightly points out that even a single 0-day in the hands of an attacker can completely change the result of the test and therefore the situation for the attacker. He suggests in his talk that the testing teams who do have 0-day are inclined to over-emphasise those that they have, whilst those who don't have tend to underemphasize or ignore their impact completely. Reading a bit into what he was saying, you can see the 0-day as a joker in a game of cards. You can play a great game with a great hand but if your opponent has a joker he's going to smoke you every time. In this the assertion is completely true. The talk goes on to suggest that testers should be granted "0-day cards", which they can "play" from time to time to be granted access to a particular system and thereby to illustrate more realistically the impact a 0-day can have. I like this idea very much and I'd like to investigate incorporating it into the penetration testing phase for some of our own assessments.

What I struggle to understand however, is why the talk emphasizes the particular 'joker' over a number of others that seems apparent to me. For example, why not have a "malicious system administrator card", a "spear phishing card", a "backdoor in OTS software" card or a "compromise of upstream provider" card? As the 'compromise' of major UK sites like the Register and the Daily Telegraph illustrate there are many factors that could significantly alter the result of an attack but that would typically fall outside the scope of a traditional penetration test. These are attack vectors that fall within the victim's threat model but are often outside of their reasonable control. Their existence is typically not dealt with during penetration testing, or even assessment, but also cannot be ignored. This doesn't doesn't invalidate penetration testing itself, it simply illustrates that testing is not equal to risk management and that risk management also needs to consider factors beyond the client's direct control.

The solution to this conundrum was touched on in the presentation, albeit very briefly, and it's "Threat Modeling". For the last five years I've been arguing that system- or enterprise-wide Threat Modeling presents us with the ability to deal with all these unknown factors (and more) and perform technical testing in a manner that's both broader and more efficient.

The core of the approach I'm proposing is roughly based on the Microsoft methodology and looks as follows:

Develop a model of your target environment, incorporating all players, locations, and interfaces. This is done in close collaboration between the client and the tester, thus incorporating both the 'insider' and the 'outsider' perspective;
Enumerate all potential risks, and map them to the model. This results in a very long and comprehensive list of hypothetical risks, which would naturally include the 0-day, but also all the other 'jokers' that we discussed above;
Sort the list into some order of priority and group similar hypothetical risks together;
Perform tests in order of priority where appropriate to prove or disprove the hypothetical risks;
Remediate, mitigate, insure or inform as appropriate;
Rinse and repeat.

This approach provides a reasonable balance between solid theoretical risk management and aggressive technical testing that addresses all the concerns raised in the talk about the way penetration testing is done today. It also provides the customer with a concrete register of tested risks that can easily be updated from time-to-time and makes sense to both technical and business leaders.

Threat Modeling makes our testing smarter, broader, more efficient and more relevant and as such is a vital improvement to our risk assessment methodology.

Solving the security problem in total is sadly still going to take a whole lot more work...

12 comments

Armchair General on 2012/5/8‡

I like the diagram over at the 360 blog on the subject, and there's a particularly frank assessment of the utility of penetration testing in their paper: http://360is.blogspot.co.uk/2012/05/360is-guide-to-understanding.html

CG on 2012/5/8‡

unfortunately to do #1 you have to know what you own. very few organizations i've seen can even provide a list of all their assets. The idea of them making a list of "all players, locations, and interfaces" may be seen as impossible to accomplish task.

so what do we do?

PSmith on 2012/5/9‡

Charl: Your response is completely predictable for a person running a business that makes a lot of money doing Penetration-Testing.

You start by agreeing that what we are currently doing is not working and
you end by suggesting that Threat Modeling is the answer. This perfectly validates what Haroon was saying.

Your argument about cholesterol checks sounds clever at first, but isn't. Do you notice that you don't get companies that specialize just in doing cholesterol checks and then walking away [like most pen-test companies do]. [You can get really good at cholesterol checks before you remember that the original point was to prevent heart attacks]

It's a pretty simple sum. You say Threat Modeling is the solution yet you sell Pen-tests over threat models. As Haroon said: "sell them what they need, not what just what you can"

-pS

charl on 2012/5/9‡

CG,

What you say is true, and it is a real challenge. However, given a sufficiently good relationship with the client, I still think the Threat Model can bring this problem to light and raise it as one of the enumerated risks, to which a mediation step might be to perform a comprehensive inventory exercise. The point (to me) remains that you're using a structure approach to think widely about the theoretical risks a system or organization faces, and then conducting technical tests (e.g. penetration tests) to understand those risks better.

./charl

dominic on 2012/5/9‡

@PSmith: You seem to have understood threat modelling, remediation and pentesting as exclusive (if you do one, you can't do the other).

Pentesting threat modeling aren't mutually exclusive. In fact, they work very well together. Charl created our threat modeling methodology, and I (Dominic) expanded on it. We have a tool, a workshop (on ours and other methodologies), multiple presentations and have contributed to papers on the topic. It's certainly not something we just talk about, but something we've done a significant amount of work in, and actively sell (I'm doing one such project at the moment).

As for the test walk-away argument. You have another problem of false exclusivity. It's possible for a pentest to be useful, *and* remediation to be useful *and* not have the same company provide both services. Unless you can show why one company *should* provide both, and failing to do so, makes the whole thing pointless, your point won't stand. In fact, there's years of counter examples, which is why audit houses can't implement stuff they audit anymore (ask Enron).

That said, I personally run our consulting division which exists specifically to help customers deal with the bigger problem. This isn't something SP has ignored. The reality however, is that a client needs to implement the changes themselves or it won't stick. Sure we could storm the site, dish out patches, plug into code repos and write fixes, config boxes to be secure, but we aren't in the best position to do that, taking into account business realities, and so we choose to instead advise clients on how best to do that.

P.S. Sorry you felt you needed to use Tor. I love a good debate and would be happy to do it face to face sometime if you're interested ;)

dominic on 2012/5/9‡

@Chris: It's not impossible. Our threat modelling methodology deals with ways of doing it. You end up with some holes, and the thing needs to evolve over time, but with interviews with key people and some technical validation, you can get coverage of even pretty large organisations quite quickly (1-2 weeks). Happy to take you through it (I did in our Metricon preso on it last year).

haroon on 2012/5/10‡

Wow.. never thought i would see the day when Dominic feels using Tor needs an apology..

Allen Baranov on 2012/5/11‡

Dom,

I have to disagree (as usual). There is no separation of duties conflict here.

The role (very simply) of a financial audit is to make sure for the shareholders (stakeholders?) that the people running the company are doing a good job. The accountants prepare the financial statements which essentially say "we are running the company well and it will be a good investment for at least the next year." Their auditors come in and say "yes, we agree." IT Audits are very different. They are more a case of "can we be hacked? And if so, how?" It is done on behalf of the company and not specific
ally the shareholders. The outcome should be a course of action and not a "yes. these guys are doing a good job". Then there is no reason why the company doing the audit can not take it further and say "...we can help close this issue."

The only risk is that the audit firm may overplay some issues in order to get some consulting work. This is not a bad thing because there is no requirement legally to close all the holes and it really comes down to the Security Manager making a good business decision on what course of action to take. He essentially has to earn his position.

Charl on 2012/5/11‡

Dominic,

LOL. @haroon /busted/ you! ;). A reminder that privacy is a two-way street?

dominic on 2012/5/11‡

@Allen: We may be missing each other, but audit firms are explicitly prevented from auditing controls they implemented. It's an independence issue, and independence is huge for audit firms. I am talking explicitly about IT audit's conducted as part of the financial audit.

SayWhot on 2012/5/29‡

A predominantly technical organisation attempting to expunge the virtues of a risk management methodology (call it threat modelling if you like) with an outcome that will lead to additional services for various business units in that organisation realising more revenue through engaging in mitigation of said discovered risks trying to argue the point of conflict of interest and SoD is like a KFC franchisee selling said cholosterol testing to garner more business....

dominic on 2012/5/29‡

Threat modelling does not imply additional work for us. In the cases that it does, we think it's because we provide useful services, not as some conspiracy. Our biases are out in the open, point out the flaw in our reasons, especially when I was arguing that we *don't* do the remediation (we do help design or think about the best way to do it) because a client needs to do it to stick.

As for your SoD point, I'm not sure I understand you. You're saying we have a disincentive to argue honestly about audit independence (KFC wouldn't want to push cholesterol testing because people would eat less KFC), yet, I'm the one arguing *for* it. So... what are you trying to say, I'm being too honest?

Categoriers

.ac.za (1)
.za (2)
44con (4)
about:us (42)
analysis (7)
auctions (1)
auditors (1)
b-sides (2)
blackhat (22)
blog (10)
broadview (4)
build-it (1)
ccdcoe (1)
cloud (12)
community (21)
conferences (75)
consulting (1)
crypto (6)
estonia (1)
fail (3)
foos (1)
footprinting (2)
fun (52)
goodbye (1)
hackathon (1)
hackrack (2)
Hope? (2)
howto (14)
imsojaded (2)
infosec-soapies (25)
infrastructure (3)
interns (1)
ios (1)
jobs (3)
local (7)
mac (15)
management (12)
materials (4)
memcached (2)
memory (1)
metasploit (3)
metricon (2)
metrics (3)
mindless-politics (4)
mindmaps (1)
mobile (5)
modelling (5)
PCI (2)
penny (1)
pentest (4)
phone (1)
pickle (4)
policy (1)
post-exploitation (1)
post-it (1)
presentations (3)
Press (3)
privacy (7)
product (2)
programming (13)
public (359)
python (7)
qo[w|m|?] (5)
rambling (2)
README (1)
real-world (17)
Release (3)
report-info (1)
research (55)
reversing (12)
risk (2)
SAP (2)
security-fyi (8)
security-news (6)
shells (1)
silly-yammerings (20)
skype (2)
solution (1)
suru (1)
tech-toys (3)
threat (5)
time-waster (6)
tin-foil-hat (6)
tools (50)
training (38)
travel (2)
tricks (3)
UK (2)
Uncategorized (3)
uncon (2)
vendors (7)
videos (6)
vulnerability (10)
wasc (1)
webapps (6)
web_x.0 (2)
wifi (1)
windows (1)
writing-advice (1)
zaprize (2)
zen-hacking (6)

Name^*:
Email^*:	(Won't be displayed)
Email 2^*:	(Won't be displayed)
URL:
Comment^*:
^*required

Wed, 9 May 2012

Pentesting in the spotlight - a view

12 comments

Leave a comment

Categoriers

Archives

United Kingdom

South Africa