Automation of Penetration Testing

@haydnjohnson

Automation of Pentesting- What | Why | Future

@haydnjohnson

whoami

@haydnjohnson

OSCP | GXPN

Pentester - with an approach to work with blue teams

Enthusiast

Presenter - hopefully I will be back

Australian who lives in cold Canada.

@haydnjohnson

On My Own Time & Dime- My opinions only!

@haydnjohnson

Talk Outline

❏ The trend for automation of pentesting❏ Pentest Puppy mills❏ Small & Big business reasons for pushing automation❏ Pentesters | Exploit Devs - what does this mean❏ What to do to fight back!

@haydnjohnson

The Trend

@haydnjohnson

Automation of Pentesting - The Trend

Pentesting - for less $$$$

● Fighting to under-cut each other

Vulnerability Assessment as a Pentest

● Customers are being sold a VAs not Pentests!

Not Liable

● If I am hacked, I do not want to be legally liable

@haydnjohnson

Automation of Pentesting - The Trend

Commoditization

@haydnjohnson

Pentest Puppy Mills

@haydnjohnson

Pentest Puppy Mills

● Scan● Scan● Scan● Report● Make report look nice● Make report look nicer● Send

@haydnjohnson

Outsourcing

Cheaper

@haydnjohnson

Business Reasons for Automation

@haydnjohnson

Small Business - No money | no budget

@haydnjohnson

Small Business - Can’t Keep talent

@haydnjohnson

Large Business - all the money | complex

@haydnjohnson

Large Business - Old policies

@haydnjohnson

Small Business

● I want security, but how?● As longs as the network is up!

@haydnjohnson

Big Business

● I am not responsible for security● Red Tape galore

@haydnjohnson

Defenders - blinky boxes

● Even for the blue side, they have the culture of buying blinky boxes over human talent.

@haydnjohnson

Terminology Confusion

http://winterspite.com/security/phrasing/

@haydnjohnson

A whole blog for Terminology!

Vulnerability Assessment

Intrusion Detection

Blue Team

Penetration Testing

Adversarial Emulation

Purple Team

SRSLY GO READ IT:http://winterspite.com/security/phrasing/

@haydnjohnson

VA Pentest Redteam - what does it mean?

● Firms sell Pentests then execute a VA● Clients ask for a VA to be called a

Pentest● Red Team ??

@haydnjohnson

Will we need exploit Devs??

@haydnjohnson

We just Scan right?

Environments too big to not scan.

Understand vulnerabilities

Business risk!

Quantitative and Qualitative

@haydnjohnson

Expertise needed

Exploit development

Bug Hunting

Finding Vulnerability

Exploit Found Added to Scanner Scanning for exploit

Look for other exploits

@haydnjohnson

Skill Spectrum

Scanning Pentesting Exploit Development

Scanning

Now

Future

@haydnjohnson

World is FUBAR’ed

@haydnjohnson

A more insecure world

● Lack of vulns found● Vulns sold on black market

@haydnjohnson

WHAT DO??

@haydnjohnson

What can we do from the front line?

● Educate managers● Educate Clients● Promote valuable security

@haydnjohnson

Clarity on terms

Vulnerability Assessment

The point of a vulnerability assessment is to identify and categorize the vulnerabilities on a system or network.

Issues identified and categorized.

@haydnjohnson

Clarity on terms

Penetration Test

A penetration test, or pen test, is an attempt to evaluate the security of an IT infrastructure by safely trying to exploit vulnerabilities.

Tests are goal-oriented

https://www.coresecurity.com/penetration-testing-overview

@haydnjohnson

The differences

Vulnerability Assessment

List Oriented

Penetration Testing

Goal Oriented

https://danielmiessler.com/study/vulnerability-assessment-penetration-test/

VULN A

VULN B

VULN C

Phishing

Local Admin

Dump Hashes

Domain Admin

@haydnjohnson

Education - Sales / Managers

Yes VA brings money, but it's small $$ and small value.

Great to show different potential vulns.

What about show the business impact?

Can it be exploited?

Difficult of exploitation?

Any controls to mitigate damage?

@haydnjohnson

Thank you

Remember to provide real security

Fight against the PenTest Puppy Mills.

@haydnjohnson

Questions?

Please ask away

Tell me I am wrong, discuss.

Got an opinion? Share it

Clapping, welcome!