Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Red Teams Hack Your Site To Save It

Posted by samzenpus on from the we-had-to-destroy-the-village-in-order-to-save-it dept.

Nerval's Lobster writes "The use of a Red Team and penetration testing can strengthen an organization's security posture. But how does a Red Team member actually think like an attacker, and use that mindset to exploit security vulnerabilities? Gillis Jones works for WhiteHat Security, where his job rests within the TRC (Threat Research Center). It's here that he performs hands-on site assessments, which involve manually confirming all the issues reported by an automatic scan of a particular Website or application. His job includes checking the application's POST and GET requests for reflection of any inputs. He also checks for Cross-Site Scripting (XSS), which includes stored, reflected, and DOM XSS vulnerabilities. Those checks let him determine the Website’s basic security posture. If user input isn’t encoded or sanitized, that’s a good indicator of other problems. And if that’s the case, then Jones (or someone like him) will move on to checking for SQL Injection (SQLi) vulnerabilities and other issues."

58 comments

  1. This is actually common in corporations... by InvisibleClergy · · Score: 3, Informative

    ...frequently, corporations will hire security experts to see how easy it is to penetrate the building's security. Usually, a combination of people holding doors open and looking like a utility worker will get people in. This is just the version of that for the future, using technology.

    1. Re:This is actually common in corporations... by Anonymous Coward · · Score: 1

      ...frequently, corporations will hire security experts to see how easy it is to penetrate the building's security. Usually, a combination of people holding doors open and looking like a utility worker will get people in. This is just the version of that for the future, using technology.

      Where by "the future", you mean the past decade?

    2. Re:This is actually common in corporations... by Giant+Electronic+Bra · · Score: 3, Insightful

      Eh, I've taught security. I would dispute the "frequently" part of that, but of course pen testing and other forms of evaluation have been going on for years. The interesting part is how you do it. Most organizations could afford to learn a LOT about this subject...

      --
      "Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
    3. Re:This is actually common in corporations... by Synerg1y · · Score: 2

      What? lol... Penetration testing has been around forever, so has social engineering.

      Over the course of the discussion, it became clear that Jones sees the actual process of pentesting as a somewhat repetitive task

      Nor is this guy doing anything innovative. He set up a toolkit for testing various vulnerabilities and runs it against consumer configurations.

    4. Re:This is actually common in corporations... by OhSoLaMeow · · Score: 4, Funny

      This is /. What would we know about penetration?

      --
      They can take my LifeAlert pendant when they pry it from my cold dead fingers.
    5. Re:This is actually common in corporations... by camperdave · · Score: 1

      This is /. What would we know about penetration?

      Well, Microsoft shills still somehow manage to get accounts.

      --
      When our name is on the back of your car, we're behind you all the way!
    6. Re:This is actually common in corporations... by zerro · · Score: 1

      What, no mod flag for "whoosh" factor?!

  2. For Those Left Wondering... by Revotron · · Score: 4, Informative
    From Wikipedia:

    A red team is an independent group that seeks to challenge an organization in order to improve effectiveness.

    1. Re:For Those Left Wondering... by interkin3tic · · Score: 4, Funny

      All this time, I thought the Red team was our enemy... they were really just trying to help us keep the flag more secure? Now I feel bad about killing them, t-bagging them, and calling them racist names.

    2. Re:For Those Left Wondering... by Kergan · · Score: 1

      From Wikipedia:

      A red team is an independent group that seeks to challenge an organization in order to improve effectiveness.

      Does that make them communists?

    3. Re:For Those Left Wondering... by Synerg1y · · Score: 1

      How is this different from a white hat?

    4. Re:For Those Left Wondering... by Anonymous Coward · · Score: 0

      It's ok, caboose. We know life can be confusing sometimes.

    5. Re:For Those Left Wondering... by Anonymous Coward · · Score: 0

      Red v White. That seems pretty basic. Oh, unless you're color-blind that is. I guess Christmas must be the most confusing time of year for you, huh?

    6. Re:For Those Left Wondering... by Larryish · · Score: 1

      AFAIK the term is derived from the Dungeons and Dragons roleplaying game.

      In the Dragonlance series of books, the various classes of mage were dressed differently depending on their nature. Good=white, neutral=red, black=evil.

    7. Re:For Those Left Wondering... by Anonymous Coward · · Score: 0

      Thanks. I was having visions of red teams wearing white hats probably writing on white paper in red books.

      What is this obsession with assigning all kinds of meanings to colors?

    8. Re:For Those Left Wondering... by Peter+Mork · · Score: 1

      AFAIK the term is derived from the Dungeons and Dragons roleplaying game.

      In the Dragonlance series of books, the various classes of mage were dressed differently depending on their nature. Good=white, neutral=red, black=evil.

      I think that's wishful thinking. It arises from blue-team (us, i.e., the good guys) vs. red-team (us pretending to be them, i.e., the bad guys) military exercises. In other words, a red team is a bunch of good guys pretending to be bad guys against whom the blue team can practice.

    9. Re:For Those Left Wondering... by Larryish · · Score: 1

      "whitehat" hackers

      "redhat" linux

      "blackhat" convention

      In regards to the summary, yes, a red team comes from the red team / blue team system.

      I was not addressing the submitter, however, in fact my response was a reply to
      http://slashdot.org/comments.pl?sid=3247105&cid=41958715
      who expressed curiosity as to the origin of the term "white hat".

      Thank you, and have a lovely day.

    10. Re:For Those Left Wondering... by shentino · · Score: 1

      Interestingly enough the redhats use tactics of both blackhats and whitehats.

      There also seems to be a new bluehat type that learns its tricks through experience, from being subject to actual hostile attacks.

    11. Re:For Those Left Wondering... by Peter+Mork · · Score: 1

      My apologies; I should have read more carefully.

  3. Off with his head! by Anonymous Coward · · Score: 0

    This valuable information can be used by terrorists to hack critical infrastructure! oh my!

  4. WhiteHat Security.... McDonalds by SecurityTheatre · · Score: 4, Interesting

    With all due respect, WhiteHat Security is the Denny's of web application testing shops.

    Sure, they're one step above TrustWave (who are just "checklist compliance" shills and would qualify as the McDonalds of testing), but it's hardly what many places would call a proper "red team" approach.

    The run automated tools and do a basic level of validation against those tools. The problem is that with web applications, the automated tools only get about 40% of issues and have a 50% false positive rate (or higher) in my experience. Their tools are pretty fancy compared even to the commercial scanning bits, but they aren't perfect.

    There are plenty of boutique shops (and even some larger ones) that do more in-depth testing with more experienced testers. I'm not claiming that Mr Jones here isn't experienced, but more pointing out the general trend within some of the testing shops like WhiteHat.

    1. Re:WhiteHat Security.... McDonalds by Anonymous Coward · · Score: 0

      Whitehat doesn't only do automated scanning, they do manual assessments and automated testing. Plus, the 50% false positives that the scanner may find are sent to the threat research center to verify whether or not the vulnerabilities false positives or not. If they are false positives, they're disregarded and the customer never has to see them.

    2. Re:WhiteHat Security.... McDonalds by Zapotek · · Score: 4, Interesting
      It's really simple:
      • Automated tools are here to pick the low handing fruit;
      • You should always validate their findings manually;
      • You should, if you can afford it, hire someone who knows what he's doing to do a proper pen test.

      Also, 50% false positive rate is useless and surprisingly bad, what sort of tools have you used?

      As you can see from my sig I'm a dev of such a web app sec scanner and I'd really, really like to stress the first point I've made. If someone tries to sell you something that will make you completely secure you can tell them to their face: I'm sorry sir/madam, I'm not an idiot.

      Use them to make your life easier while you do a manual check, integrate them into your SDLC (or just into your test suite) but do not trust them blindly; that's not how they're designed to be used.

      Web scanners are seriously complicated systems and require a successful combination of a multitude of CS principles to in order to just be able to even finish their task, never mind returning useful results. Yes, we're making progress in analysis techniques and performance improvements and coverage but you'll never beat a human; on the other hand a human won't be able to inspect 200k pages either so just use some common sense and balance your expectations.

    3. Re:WhiteHat Security.... McDonalds by Anonymous Coward · · Score: 0

      No offense taken. Denny's has really good food.
      pic.twitter.com/t80mNSp6

    4. Re:WhiteHat Security.... McDonalds by fluffy99 · · Score: 1

      Also, 50% false positive rate is useless and surprisingly bad, what sort of tools have you used?

      Try running eEye Retina against a Redhat box. At least half of the findings are because Retina is simply checking version numbers and doesn't understand that Redhat backports fixes. There are also a bunch of false positive findings for Microsoft products, where for example it doesn't differentiate between XP 32-bit and 64-bit (64-bit settings should follow the 2003 guidelines).

      Unfortunately, management often puts too much stock in these automated tools, either insisting the site be fixed to remove non-issue findings which end up breaking it, or they feel too good about the site because it didn't find anything.

      Absolutely the automated tools catch the low-hanging fruit and stuff an amateur hacker might try. They don't check for serious methodology errors like keeping plain text passwords in the database or putting the credentials in the url for the world to see.

    5. Re:WhiteHat Security.... McDonalds by Zapotek · · Score: 1

      Also, 50% false positive rate is useless and surprisingly bad, what sort of tools have you used?

      Try running eEye Retina against a Redhat box. At least half of the findings are because Retina is simply checking version numbers and doesn't understand that Redhat backports fixes. There are also a bunch of false positive findings for Microsoft products, where for example it doesn't differentiate between XP 32-bit and 64-bit (64-bit settings should follow the 2003 guidelines).

      Ah OK, I feel the need to point out that webappsec scanners and these sort of service fingerprinters are, operationally, completely different systems. Their designs may be similarly modular and web scanners may include some tests that rely on fingerprinting known vulnerable web apps or backdoor shells but the ones like mine and WhiteHat's Sentinel are focused more on fuzzing/injecting inputs.

      Paradoxically, this is harder to get right but on the other hand the responses you get can give you enough data to make a more confident decision.
      So 50% FPs in these systems is abysmal since the best of us are actually striving for 0% -- which in reality is an impossible standard considering the heterogeneous nature of the web but you're in it to make something as best as it can be, hopefully.

      Thus, you may see some FPs or abnormal results but they'll probably be limited to a bug of a single test, so if there's a bug in the XSS check you'll see a lot of XSS FPs but the rest of the results will be unaffected. Or, it can be broader than that, like a flawed implementation of an analysis technique, so subsequent tests that rely on that technique might report FPs -- like if your timing-attack implementation is not resilient or intelligent enough to account for a dead/overloaded server (and stuff like that) you might get back FPs that report that OS command injection or PHP code injection was detected by a module/test that relies on timing attacks.

      By necessity, things are quite compartmentalized in order be maintainable and that has the nice side-effect of failures also being compartmentalized.

    6. Re:WhiteHat Security.... McDonalds by Crambone · · Score: 1

      [For the purpose of full disclosure here, I work for Trustwave. I am also the head of their SpiderLabs organization.]

      I think you may have your security and compliance testing paradigms very much confused. Let me help explain these a bit.

      Trustwave is a Qualified Security Assessor (QSA) for the Payment Card Industry Security Standard Council (PCI SSC) and is authorized to perform security assessments for merchants and service providers against the Payment Card Industry Data Security Standard (PCI DSS). As a QSA there are testing procedures and standards interpretation that every firm performing these assessments must follow. Simply stated, a PCI DSS assessment might be called a "checklist compliance" because it was designed to be that to attempt to ensure uniformity across QSA's performing the review of the target organization. This process is dictated by the PCI SSC. A PCI DSS assessment is in no way attempting to be a "red team assessment".

      Trustwave, like WhiteHat Security, also offers more traditional penetration testing through its SpiderLabs organization. While WhiteHat is focused on web application security (and are respected in the industry for their services here), SpiderLabs has global teams each with a focus on in the various aspects of red team attack vectors. Some organizations opt to just hire us for application, network, or physical testing, but other want the full red team treatment. In any case, we follow a well documented and tested methodology (similar to the Penetration Testing Execution Standard [PTES]) but in no way is the work we do a check-list engagement.

      --
      c7five
  5. Yeah I can run a Nessus scan too... by Anonymous Coward · · Score: 0

    Big whoop.

  6. Penetration Testing how to get the most out of it! by Anonymous Coward · · Score: 2, Interesting

    There's a nice little article over at the 360 Security blog on how penetration testing is a valuable exercise AND how sometimes penetration testing fails to improve security outcomes. It should not come as too much of a surprise to know that its one of those things where "you get out what you put in".
    Disclosure: I do red-team penetration testing for a living, and rarely have I seen anyone squeeze full value out of the exercise without a lot of coaching and encouragement!

    http://360is.blogspot.co.uk/2012/05/360is-guide-to-understanding.html

  7. dupe! by larry+bagina · · Score: 1

    This was already posted here.

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

    1. Re:dupe! by Megane · · Score: 2

      It's a Nerval's Lobster post. It's apparently his purpose in life to cross-post SlashBI crap over here to the real Slashdot. If you checked the firehose regularly, you would be familiar with his submissions. About one in ten of his submissions actually get posted, which shows you just how relevant SlashBI is to the world of "News for Nerds".

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
    2. Re:dupe! by Anonymous Coward · · Score: 0

      They are just checking security at /. to see if someone holding a thread open could let them sneak in a cross posting attack.

  8. In my days we called them whitehats by Anonymous Coward · · Score: 0

    In the last decade they were called security researchers. Never heard of calling them 'red teams'.

    1. Re:In my days we called them whitehats by DECula · · Score: 1

      It's from the military side of cyberspace:

      http://www.networkworld.com/news/2008/042508-red-team-blue-team-how.html

      --
      dreaded scurrilous bit-twiddler from Oklahoma
  9. Mod parent up. by khasim · · Score: 2

    Having been through a TrustWave audit, I have to agree.

    Although the TrustWave person did manage to crack the systems using publicly available exploits and such. It was very much a "checklist compliance" process.

    Management, as always, will take the advice of someone they just paid thousands of dollars when the exact same advice from the techs has been denied over and over.

  10. I'm confused... by Dareth · · Score: 1

    I'm confused... are we at war with Eurasia today?

    --

    I only look human.
    My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
    1. Re:I'm confused... by Anonymous Coward · · Score: 0

      This is a first-person capture-the-flag gamestyle reference.

    2. Re:I'm confused... by Anonymous Coward · · Score: 0

      I'm confused... are we at war with Eurasia today?

      We have always been on war with Eastasia, Eurasia are our allies

  11. SQL injection vulnerabilities? by ArcadeMan · · Score: 1

    Joke's on you, my website backend is all in XML! /duck

    --
    Get free satoshi (Bitcoin) and Dogecoins
  12. Re:Penetration Testing how to get the most out of by ArcadeMan · · Score: 0

    I get all my penetration testing news from sites like redtube and youporn.

    --
    Get free satoshi (Bitcoin) and Dogecoins
  13. Some of the worst enemies are within by concealment · · Score: 1

    Every product, website, and idea should be tested against its opposition. If you own it, it helps you to test it against the opposition using fake opposition before you release it to the public.

    This is why the military has war games and big buildings have fire drills.

    However, one thing you find is that penetration testing from outside is not enough. Some of the worst enemies turn out to be within: either helpful employees who aid the bad guys, or people who panic and respond badly. Even worse are the malicious employees or people creating "job security" through logic bombs.

    It's great that people run these minimum-level tests. Any website should face them. But there can be a false sense of security created when other threats are forgotten.

    1. Re:Some of the worst enemies are within by SecurityTheatre · · Score: 1

      Any vendor who accepts a substantial number of credit card transactions is required to meet PCI-DSS standards which requires internal and external vulnerability assessments quarterly, as well as annual penetration testing exercises.

      It's not perfect, because the requirements are a bit odd in some areas, but it's a good start down that road.

    2. Re:Some of the worst enemies are within by Anonymous Coward · · Score: 0

      Not true.

    3. Re:Some of the worst enemies are within by Anonymous Coward · · Score: 0

      And that's why I cruise for gay sex when my wife is out of town. Just to make sure that sodomy and homosexual sex are still immoral.

  14. Not pentesters by sparr0w · · Score: 1

    I've been a pen tester, and what this guy is doing is not pen testing - it's vetting out false-positives a tool is telling him. As good as tools are, they'll never reveal vulnerabilities that may lead to the overall compromise of an environment. Things like business process flaws (like being able to manually modify prices or submit negative values during balance transfers), blind SQL injection (tools are worthless for those), parameter tampering (like changing an ID showing stuff that isn't yours) and parameter addition. You need an actual person who can look at something and think it's Not Quite Right.... something a tool just can't do.

    1. Re:Not pentesters by Anonymous Coward · · Score: 0

      You're absolutely correct; vetting out FPs does not constitute "pentesting" and certainly does not identify business logic flaws. This article is decently well written, but doesn't quite do justice to what Gillis (or any WhiteHat pentester) does on a daily basis. Vetting of FPs is just one part of the work WhiteHat's Threat Research Center does. Granted, this is an important part to getting broad coverage and looking for syntax-based technical vulnerabilities, but that's not the end of the story. WhiteHat additionally performs manual business logic assessments as part of their Premium offering, which are entirely separate from the verified scanner results that come default with every WhiteHat service line. These assessments are closer to what many would refer to as a "pentest", albeit the assessments are strictly focused on Layer 7 web application vulnerabilities (no social engineering, lock-picking, port scanning, etc). These assessments uncover authorization issues, crypto vulnerabilities, business process invalidation, and many more vulnerabilities which simply cannot be identified accurately with automation (any automation, not just WhiteHat's). The reality of modern hacks on web applications is that the bad guys use a combination of automated tools AND business logic exploitation, which is why WhiteHat offers several service lines which combine these approaches. This post is already way too long and "salesy" so I'll shutup; but, my point was simply to explain that this article is accurate, but does not comprehensively cover the topic of how WhiteHat approaches "pentesting".

  15. Red team? by LoRdTAW · · Score: 1, Funny

    I was under the impression Blue team was always trying to hack or destroy someone, usually Red team. Or is this supposed "Red" team really just Blue team with a red mask on? Someone needs to start spy checking.

    1. Re:Red team? by shentino · · Score: 1

      Actually the Red team mixes tactics of both White and Black hats, while the Blue team picks its tricks up in the field from real enemies.

  16. Basically worthless by gweihir · · Score: 1

    This type of black-box penetration-test is pretty worthless in practice. Sure, you can patch some vulnerabilities afterwards, but these tests aim to get in fast, not to explore the whole attack surface. That takes way too much time and effort. Also, all you can really find with this type of test are beginners-mistakes. Sure, they are vulnerabilities too, but if you are vulnerable because of beginners mistakes, than you have a far deeper problem.

    What is needed instead is a careful white-box analysis of the system(s) to be secured and then improvements in architecture, design and implementation that provide resilience. Sometimes it will be necessary to tell the customer to throw the system away and start over with people that actually have some idea what secure coding means. Sometimes things can be fixed or additional security measures will be effective.

    In all cases the black-box perspective is by far the worst and something that itself is resides on amateur-level.

    There is one exception: Black-box penetration testing can be used to create awareness that all is not well. But usually the people doing it do not understand that by far their most important duty is to impress on the customer that they will _not_ find all vulnerabilities or even a major part of them.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Basically worthless by Anonymous Coward · · Score: 0

      lol. i'm sure "throw it all away and start over again" is a great place to start when trying to convince a business to improve their security posture. The sad fact is that almost every web application has numerous, simple, and severe vulnerabilities. We have to find a reasonable approach to improving this, or risk continuing to be ignored as security professionals.

      start at the bottom, work your way up. If you have simple, easy to find vulns, you will be exploited by drive-by worms and script kiddies eventually. Fix those first.

      Once you have taken care of those vulns for all of your sites that touch your DB(very few ever do, even banks and govt sites), and you know you are a high value target, convince the boss to pony up the cash for an expensive consultant as described above. He will certainly find more issues, many of which have almost no chance of ever being exploited unless you are fully targeted by an expert attacker.

      To your generalities about blackbox vs whitebox:

      I work with both extensively. It is my only job. Both find different issues, with a surprisingly small amount of overlap. There are many issues that show up trivially with any dynamic fuzzer out of the box that the smartest manual code reviewer won't find. How many times has someone said "that shouldn't be possible" or "that's not how it's supposed to work." What determines exploitability is how it DOES work.

      if your goal is perfect Security, good luck. But if you need to approach that line because you are into illegal stuff or you move billions of dollars or something, you really need to spend the money on blackbox and whitebox, both automatic and manual. All 4 will find at least one thing the others didn't, unless you have remarkably well trained coders.
      if your goal is to raise the bar high enough that people hit your competitor instead of you, start with blackbox. It is the perspective the hackers work from, so you're findings will be more likely to encompass what the attackers will find.

      The truth is people have very different goals when it comes to security. Many companies do risk analysis of their issues and decide to take out insurance instead of fixing them. As a security guy, that drives me nuts, but hey, at least they are considering it.

      Sounds like you only think of security in one context(trying to be 100% secure, cost is no object), and that context is extremely uncommon in the real world.

    2. Re:Basically worthless by gweihir · · Score: 1

      I am not thinking in 100% security, but admittedly quite a bit more than a web-shop or the like needs. I should also say that my statement is for custom software. While I have done some penetration-testing and supervised more, what really helped to find out were matters stand is code-review. And yes, on advice of our team (and others of course, we do not have that much clout) at least one pretty expensive project was scrapped, because it had zero chance of getting where it needed to get security-wise. The main problem I see with all forms of pentesting is that they often create a false sense of security, while in reality they only scrape the surface and do not actually evaluate the situation to any meaningful degree, unless it is pretty bad. Admittedly, it often _is_ pretty bad and then pentesting can serve to raise awareness if done right.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  17. Red is the new blue by roguegramma · · Score: 1

    .. enough said ..

    --
    Hey don't blame me, IANAB
  18. reward based learning by bloodhawk · · Score: 1

    A company I used to work for 10-15 years ago took the approach of reward based incentives towards security. It was widely publicised that the Red Team existed and their job was to try to break the organisations security and too see what weaknesses existed, Conversely anyone that caught a member of the Red Team attempting to hack their machine, bypass security protocols, social engineer security information or any such other violation of security protocols and then reported that violation would receive prizes. The by product of this was employees who were constantly on the watch for people breaking security protocol as it was a chance to get some juicy rewards thus making everyone far more security aware. Not sure if they still do it but it was damn effective at the time as half the battle is getting staff to actually pay attention to security.

  19. Again with them... by Anonymous Coward · · Score: 0

    Please /. enough with that WhiteHat publicity. It's the second time this month. We had dealt with them in the past. They spend more time and resource on PR than anything else. If you are into the market for such service. Make yourself a favor and look at some well establish and serious firms not WhiteHat.

  20. Kill the red team by Anonymous Coward · · Score: 0

    "You dumbass, you're supposed to kill the red guys."
    https://www.youtube.com/watch?v=4TwbtcpnERU