Slashdot Mirror


How Red Teams Hack Your Site To Save It

Nerval's Lobster writes "The use of a Red Team and penetration testing can strengthen an organization's security posture. But how does a Red Team member actually think like an attacker, and use that mindset to exploit security vulnerabilities? Gillis Jones works for WhiteHat Security, where his job rests within the TRC (Threat Research Center). It's here that he performs hands-on site assessments, which involve manually confirming all the issues reported by an automatic scan of a particular Website or application. His job includes checking the application's POST and GET requests for reflection of any inputs. He also checks for Cross-Site Scripting (XSS), which includes stored, reflected, and DOM XSS vulnerabilities. Those checks let him determine the Website’s basic security posture. If user input isn’t encoded or sanitized, that’s a good indicator of other problems. And if that’s the case, then Jones (or someone like him) will move on to checking for SQL Injection (SQLi) vulnerabilities and other issues."
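The reflection and encoding check the summary describes, written out as an added example (not part of the original story and not WhiteHat's tooling): a handler that reflects a GET parameter unencoded, the same handler HTML-encoding its output, one that only strips brackets, and a classifier that reports whether a probe came back unencoded, encoded, altered (worth a manual look) or not at all. The handler names, the `example.test` URL and the probe value are assumptions made for the example.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed probe: a unique token wrapped in the characters that matter in HTML context.
TOKEN = "zzqprobe"
PROBE = f'<"{TOKEN}">'


def _param_q(url: str) -> str:
    """Pull the 'q' query parameter (percent-decoded) out of a URL."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def vulnerable_search(url: str) -> str:
    """Reflects the parameter straight into the page: the defect the summary warns about."""
    return f"<html><body><p>Results for {_param_q(url)}</p></body></html>"


def hardened_search(url: str) -> str:
    """Same page, but the value is HTML-encoded before it is reflected."""
    return f"<html><body><p>Results for {html.escape(_param_q(url), quote=True)}</p></body></html>"


def stripping_search(url: str) -> str:
    """A naive 'sanitizer' that deletes a few characters; output is altered, not encoded."""
    q = _param_q(url)
    for ch in '<>"':
        q = q.replace(ch, "")
    return f"<html><body><p>Results for {q}</p></body></html>"


def reflection_status(body: str) -> str:
    """Classify how the probe came back in a response body."""
    if PROBE in body:
        return "unencoded"          # reflected verbatim: input reaches HTML unencoded
    if html.escape(PROBE, quote=True) in body:
        return "encoded"            # reflected, but entity-encoded for HTML context
    if TOKEN in body:
        return "altered"            # token survived but markup characters changed: confirm manually
    return "absent"                 # input not reflected in this response


def assess(handler, base_url: str = "https://example.test/search") -> str:
    """Send the probe through a handler and report the reflection status of its response."""
    return reflection_status(handler(f"{base_url}?q={quote(PROBE)}"))
```

An "altered" result is exactly the kind of scanner finding the summary says gets confirmed by hand, since filtering that is not encoding may or may not be sufficient for the context.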

11 of 58 comments

  1. This is actually common in corporations... by InvisibleClergy · · Score: 3, Informative

    ...frequently, corporations will hire security experts to see how easy it is to penetrate the building's security. Usually, a combination of people holding doors open and looking like a utility worker will get people in. This is just the version of that for the future, using technology.

    1. Re:This is actually common in corporations... by Giant+Electronic+Bra · · Score: 3, Insightful

      Eh, I've taught security. I would dispute the "frequently" part of that, but of course pen testing and other forms of evaluation have been going on for years. The interesting part is how you do it. Most organizations could afford to learn a LOT about this subject...

      --
      "Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
    2. Re:This is actually common in corporations... by Synerg1y · · Score: 2

      What? lol... Penetration testing has been around forever, so has social engineering.

      Over the course of the discussion, it became clear that Jones sees the actual process of pentesting as a somewhat repetitive task

      Nor is this guy doing anything innovative. He set up a toolkit for testing various vulnerabilities and runs it against consumer configurations.

    3. Re:This is actually common in corporations... by OhSoLaMeow · · Score: 4, Funny

      This is /. What would we know about penetration?

      --
      They can take my LifeAlert pendant when they pry it from my cold dead fingers.
  2. For Those Left Wondering... by Revotron · · Score: 4, Informative

    From Wikipedia:

    A red team is an independent group that seeks to challenge an organization in order to improve effectiveness.

    1. Re:For Those Left Wondering... by interkin3tic · · Score: 4, Funny

      All this time, I thought the Red team was our enemy... they were really just trying to help us keep the flag more secure? Now I feel bad about killing them, t-bagging them, and calling them racist names.

  3. WhiteHat Security.... McDonalds by SecurityTheatre · · Score: 4, Interesting

    With all due respect, WhiteHat Security is the Denny's of web application testing shops.

    Sure, they're one step above TrustWave (who are just "checklist compliance" shills and would qualify as the McDonalds of testing), but it's hardly what many places would call a proper "red team" approach.

    They run automated tools and do a basic level of validation against those tools. The problem is that with web applications, the automated tools only get about 40% of issues and have a 50% false positive rate (or higher) in my experience. Their tools are pretty fancy compared even to the commercial scanning bits, but they aren't perfect.

    There are plenty of boutique shops (and even some larger ones) that do more in-depth testing with more experienced testers. I'm not claiming that Mr Jones here isn't experienced, but more pointing out the general trend within some of the testing shops like WhiteHat.

    1. Re:WhiteHat Security.... McDonalds by Zapotek · · Score: 4, Interesting

      It's really simple:
      • Automated tools are here to pick the low hanging fruit;
      • You should always validate their findings manually;
      • You should, if you can afford it, hire someone who knows what he's doing to do a proper pen test.

      Also, 50% false positive rate is useless and surprisingly bad, what sort of tools have you used?

      As you can see from my sig I'm a dev of such a web app sec scanner and I'd really, really like to stress the first point I've made. If someone tries to sell you something that will make you completely secure you can tell them to their face: I'm sorry sir/madam, I'm not an idiot.

      Use them to make your life easier while you do a manual check, integrate them into your SDLC (or just into your test suite) but do not trust them blindly; that's not how they're designed to be used.

      Web scanners are seriously complicated systems and require a successful combination of a multitude of CS principles in order to just be able to even finish their task, never mind returning useful results. Yes, we're making progress in analysis techniques and performance improvements and coverage, but you'll never beat a human; on the other hand a human won't be able to inspect 200k pages either, so just use some common sense and balance your expectations.

  4. Penetration Testing how to get the most out of it! by Anonymous Coward · · Score: 2, Interesting

    There's a nice little article over at the 360 Security blog on how penetration testing is a valuable exercise AND how sometimes penetration testing fails to improve security outcomes. It should not come as too much of a surprise to know that it's one of those things where "you get out what you put in".
    Disclosure: I do red-team penetration testing for a living, and rarely have I seen anyone squeeze full value out of the exercise without a lot of coaching and encouragement!

    http://360is.blogspot.co.uk/2012/05/360is-guide-to-understanding.html

  5. Re:dupe! by Megane · · Score: 2

    It's a Nerval's Lobster post. It's apparently his purpose in life to cross-post SlashBI crap over here to the real Slashdot. If you checked the firehose regularly, you would be familiar with his submissions. About one in ten of his submissions actually get posted, which shows you just how relevant SlashBI is to the world of "News for Nerds".

    --
    #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  6. Mod parent up. by khasim · · Score: 2

    Having been through a TrustWave audit, I have to agree.

    Although the TrustWave person did manage to crack the systems using publicly available exploits and such. It was very much a "checklist compliance" process.

    Management, as always, will take the advice of someone they just paid thousands of dollars when the exact same advice from the techs has been denied over and over.