Extrusion Testing
…testing your controls “inside-out” against the threats that actually matter!
Panos Dimitriou, MSc InfoSec, CISSP, CISM, Director, Managed Security Services, 2007
“Extrusion is a manufacturing process used to create long objects of a fixed cross-sectional profile. A material, often in the form of a billet, is pushed and/or drawn through a die of the desired profile shape. Hollow sections are usually extruded by placing a pin or piercing mandrel inside of the die, and in some cases positive pressure is applied to the internal cavities through the pin. Extrusion may be continuous (producing indefinitely long material) or semi-continuous (producing many short pieces). Some materials are hot drawn whilst others may be cold drawn.”
In information security, however:
“Extrusion is the leakage/theft of internal sensitive data.”
“Extrusion Attack”
Attacking “inside-out”
If you cannot get directly to the data
Let the Users come to you
…and the data will follow
“Extrusion Testing” Defined
Testing the threats that matter!
Targeted, Internet-initiated “Extrusion Attacks”
The Objective:
– Demonstrate external access to internal system(s)/network(s)
– Demonstrate external access to specific data/services
Puts the organization's security controls and capabilities to the test against a professional attacker:
– Web access/content security
– Endpoint security
– Information leak prevention
– Network Monitoring
– …
Extrusion Testing
Methodology
– e-footprinting & e-social engineering
» Profile users in the organization
» Trick users into accessing a specific web site…
– Web-borne attack
» Use mobile code exploits to gain access to an internal user system (endpoint)
– Full-blown extrusion testing
» Escalate the attack to compromise internal business system(s) and/or the network
» Demonstrate the ability to obtain specific critical data
e-footprinting…the power of Google™
“e-social engineering”…the power of e-mail
“Web-borne” attack – drive-by infection
– Invisible frame
– Mobile code (JavaScript, VBScript)
– Exploiting a browser vulnerability
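As an added example (not part of the original slides), here is a small scanner a web content gateway or an analyst could run over a fetched page to flag the two ingredients listed above: a frame the user cannot see, and VBScript, which only runs in Internet Explorer. The sample page and its hostnames (partner.example.com, news.example.com, evil.example.net) are constructed for the example.

```python
"""Flag the invisible frames and IE-only script that drive-by pages use.

Added example, not from the original slides. Standard library only; the
sample page and its hostnames are constructed for the example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS that keeps a frame loading while making it invisible to the user.
_HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _is_tiny(value):
    """True for width/height values of 0 or 1 px, the usual drive-by frame size."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", str(value))
    return m is not None and int(m.group(1)) <= 1


class DriveByScanner(HTMLParser):
    """Collect frames the user cannot see and script tags that run VBScript."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)                      # attribute name -> value (None if bare)
        if tag in ("iframe", "frame"):
            reasons = []
            if _is_tiny(a.get("width")) or _is_tiny(a.get("height")):
                reasons.append("zero-size frame")
            if _HIDDEN_STYLE.search(a.get("style") or ""):
                reasons.append("hidden by CSS")
            if "hidden" in a:
                reasons.append("hidden attribute")
            if not reasons:
                return                       # visible frames are normal content
            src = a.get("src") or ""
            src_host = (urlparse(src).hostname or "").lower()
            if src_host and src_host != self.page_host:
                reasons.append("third-party source " + src_host)
            self.findings.append({"tag": tag, "src": src, "reasons": reasons})
        elif tag == "script":
            kind = ((a.get("language") or "") + " " + (a.get("type") or "")).lower()
            if "vbscript" in kind:
                # VBScript only runs in Internet Explorer; on a public page it is
                # almost always there to reach the IE/ActiveX attack surface.
                self.findings.append({"tag": tag, "src": a.get("src") or "",
                                      "reasons": ["VBScript mobile code"]})


def scan_html(html, page_host):
    """Return a list of findings for a page served from page_host."""
    scanner = DriveByScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a legitimate visible frame, then the kind of frame an
# attacker-controlled or compromised page would carry, then IE-only script.
SAMPLE_PAGE = """<html><body>
<h1>Partner portal</h1>
<iframe src="http://news.example.com/ticker" width="600" height="80"></iframe>
<iframe src="http://evil.example.net/x.html" width="0" height="0"
        style="display:none"></iframe>
<script language="VBScript">MsgBox "loaded"</script>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE, "partner.example.com"):
        print(f["tag"], f["src"] or "(inline)", "->", ", ".join(f["reasons"]))
```

Visible third-party frames are deliberately not flagged on their own (advertising and news tickers look exactly like that); the third-party origin is only reported once a frame is already hidden, which is the combination a drive-by page needs.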
Drive-by infection… by what?
Diagram (reconstructed from the slide labels): the attacker on the Internet; the organization's firewall; an authenticating HTTP proxy; the victim PC running the Trojan behind a personal firewall, with an IDS watching the traffic. Each control's verdict as labelled:
– Authenticating HTTP proxy: NTLM authentication successful
– Firewall: HTTP or HTTPS traffic from the proxy… OK!
– IDS: no suspicious activity… only outbound web access
– Personal firewall: IE goes to the Internet… OK!
The mechanics…
– Spawns an IE process, not visible
– Controls IE via OLE
– Establishes a connection with the attacker
– Receives commands as “HTML pages” from the attacker’s “Web Site”…
– Sends output of commands as HTTP
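The diagram and the mechanics above make the same point from two sides: because the Trojan drives a real, hidden IE instance, the proxy sees a successful NTLM logon and a genuine browser User-Agent, and the firewall, IDS and personal firewall each see only outbound web traffic. What such a channel still leaves behind is timing: a command poll to one external host at a fixed interval, with occasional larger uploads carrying command output. As an added example (not part of the original slides), the script below groups proxy-log requests by (user, destination host) and flags pairs whose inter-request gaps are nearly constant. The log format (epoch, user, client IP, method, URL, status, bytes the client sent), the hostnames (update.attacker.test, intranet.example.com, www.example.org) and the thresholds are all constructed or assumed for the example.

```python
"""Spot the polling rhythm a hidden-IE Trojan leaves in proxy logs.

Added example, not from the original slides. Log format, hostnames and
thresholds are constructed/assumed for the example.
"""
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed proxy log: epoch  user  client_ip  method  url  status  client_bytes_sent.
# The user field is populated because the hidden IE answered the proxy's NTLM
# challenge with the logged-on user's credentials.
SAMPLE_LOG = r"""
1170000000 CORP\jdoe 10.1.2.3 GET http://intranet.example.com/home 200 0
1170000005 CORP\jdoe 10.1.2.3 GET http://www.example.org/news 200 0
1170000012 CORP\jdoe 10.1.2.3 GET http://www.example.org/news/article1 200 0
1170000060 CORP\jdoe 10.1.2.3 GET http://update.attacker.test/cmd.html 200 0
1170000120 CORP\jdoe 10.1.2.3 GET http://update.attacker.test/cmd.html 200 0
1170000180 CORP\jdoe 10.1.2.3 POST http://update.attacker.test/out.php 200 2200
1170000240 CORP\jdoe 10.1.2.3 GET http://update.attacker.test/cmd.html 200 0
1170000301 CORP\jdoe 10.1.2.3 GET http://update.attacker.test/cmd.html 200 0
1170000360 CORP\jdoe 10.1.2.3 GET http://update.attacker.test/cmd.html 200 0
1170000400 CORP\jdoe 10.1.2.3 GET http://www.example.org/sports 200 0
"""


def parse_log(text):
    """Parse the constructed whitespace-separated proxy log into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, client, method, url, status, sent = line.split()
        records.append({
            "ts": int(ts), "user": user, "client": client, "method": method,
            "host": urlparse(url).hostname, "status": int(status),
            "sent": int(sent),
        })
    return records


def find_beacons(records, min_requests=4, max_jitter=0.15):
    """Return (user, host) pairs polled at a nearly constant interval.

    jitter is the coefficient of variation of the gaps between requests: a
    person browsing produces bursts and long pauses (high jitter), a timer
    driven poll produces gaps of almost identical length (low jitter).
    """
    stamps_by_pair = defaultdict(list)
    uploads_by_pair = defaultdict(int)
    for r in records:
        key = (r["user"], r["host"])
        stamps_by_pair[key].append(r["ts"])
        uploads_by_pair[key] += r["sent"]      # command output goes out as HTTP
    hits = []
    for key, stamps in stamps_by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        jitter = pstdev(gaps) / period
        if jitter <= max_jitter:
            hits.append({"user": key[0], "host": key[1], "requests": len(stamps),
                         "period_s": round(period, 1), "jitter": round(jitter, 3),
                         "bytes_uploaded": uploads_by_pair[key]})
    hits.sort(key=lambda h: h["jitter"])
    return hits


if __name__ == "__main__":
    for h in find_beacons(parse_log(SAMPLE_LOG)):
        print("%(user)s -> %(host)s: %(requests)d requests every ~%(period_s)ss "
              "(jitter %(jitter).3f), %(bytes_uploaded)d bytes uploaded" % h)
```

Keying on the proxy's authenticated user rather than the client IP is deliberate: the NTLM logon that the proxy treated as proof of legitimacy is exactly what ties the beacon to a person and a workstation. Legitimate timer-driven traffic (webmail auto-refresh, feed readers, update checks) will also score low jitter, so in practice the hit list is filtered against an allowlist of known pollers and sorted by bytes uploaded; for HTTPS the proxy still logs the CONNECT host, so grouping by host keeps working even when the URL path is invisible.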