
How Red Teams Hack Your Site To Save It

samzenpus posted about a year and a half ago | from the we-had-to-destroy-the-village-in-order-to-save-it dept.

Security 58

Nerval's Lobster writes "The use of a Red Team and penetration testing can strengthen an organization's security posture. But how does a Red Team member actually think like an attacker, and use that mindset to exploit security vulnerabilities? Gillis Jones works for WhiteHat Security, where his job rests within the TRC (Threat Research Center). It's here that he performs hands-on site assessments, which involve manually confirming all the issues reported by an automatic scan of a particular Website or application. His job includes checking the application's POST and GET requests for reflection of any inputs. He also checks for Cross-Site Scripting (XSS), which includes stored, reflected, and DOM XSS vulnerabilities. Those checks let him determine the Website’s basic security posture. If user input isn’t encoded or sanitized, that’s a good indicator of other problems. And if that’s the case, then Jones (or someone like him) will move on to checking for SQL Injection (SQLi) vulnerabilities and other issues."
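The summary describes the first thing the assessor checks: whether a GET or POST parameter is reflected into the page, and whether it is encoded on the way out. The following is an added example, not code from the article or from WhiteHat, showing that check as a site owner's own regression test: a constructed canary parameter is pushed through two stand-in view functions (one reflecting verbatim, one HTML-encoding) and the response is classified by how the canary came back. All names and the canary value are constructed for this example.

```python
"""
Reflection check and output encoding (added example, not from the article).

Two minimal "view" functions stand in for a web application's response to a
GET/POST parameter: one reflects the input verbatim, the other HTML-encodes it.
A canary containing the characters that matter in HTML context is sent as the
parameter, and the response is inspected for the canary appearing unencoded.
All names here are constructed for the example.
"""
import html

# Canary: a unique marker around the characters that are significant in HTML
# (angle brackets, quotes, ampersand). If they come back verbatim, the page is
# not encoding this input on output.
CANARY_ID = "rcx7q"
CANARY = f"{CANARY_ID}<\"'&>{CANARY_ID}"


def render_search_vulnerable(query: str) -> str:
    """Reflects the query straight into the page (the 'before' case)."""
    return f"<html><body><p>Results for: {query}</p></body></html>"


def render_search_hardened(query: str) -> str:
    """Encodes the query for HTML text context before reflecting it."""
    safe = html.escape(query, quote=True)
    return f"<html><body><p>Results for: {safe}</p></body></html>"


def reflection_status(body: str) -> str:
    """
    Classify how the canary came back in a response body:
      'unencoded' - appears verbatim, special characters intact
      'encoded'   - the marker is present but the special characters were escaped
      'absent'    - the input is not reflected at all
    """
    if CANARY in body:
        return "unencoded"
    if CANARY_ID in body:
        return "encoded"
    return "absent"


def assess(render) -> str:
    """Send the canary through a render function and classify the result."""
    return reflection_status(render(CANARY))


if __name__ == "__main__":
    for name, view in [("vulnerable", render_search_vulnerable),
                       ("hardened", render_search_hardened)]:
        print(f"{name}: {assess(view)}")
```

The hardened view encodes for HTML text context only; a value reflected inside an attribute, a script block or a URL needs the encoding appropriate to that context, so a real regression suite runs the same canary against each place the parameter is rendered, not just the page body.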


58 comments

This is actually common in corporations... (3, Informative)

InvisibleClergy (1430277) | about a year and a half ago | (#41958213)

...frequently, corporations will hire security experts to see how easy it is to penetrate the building's security. Usually, a combination of people holding doors open and looking like a utility worker will get people in. This is just the version of that for the future, using technology.

Re:This is actually common in corporations... (1)

Anonymous Coward | about a year and a half ago | (#41958307)

...frequently, corporations will hire security experts to see how easy it is to penetrate the building's security. Usually, a combination of people holding doors open and looking like a utility worker will get people in. This is just the version of that for the future, using technology.

Where by "the future", you mean the past decade?

Re:This is actually common in corporations... (3, Insightful)

Giant Electronic Bra (1229876) | about a year and a half ago | (#41958401)

Eh, I've taught security. I would dispute the "frequently" part of that, but of course pen testing and other forms of evaluation have been going on for years. The interesting part is how you do it. Most organizations could afford to learn a LOT about this subject...

Re:This is actually common in corporations... (2)

Synerg1y (2169962) | about a year and a half ago | (#41958693)

What? lol... Penetration testing has been around forever, so has social engineering.

Over the course of the discussion, it became clear that Jones sees the actual process of pentesting as a somewhat repetitive task

Nor is this guy doing anything innovative. He set up a toolkit for testing various vulnerabilities and runs it against consumer configurations.

Re:This is actually common in corporations... (4, Funny)

OhSoLaMeow (2536022) | about a year and a half ago | (#41958897)

This is /. What would we know about penetration?

Re:This is actually common in corporations... (1)

camperdave (969942) | about a year and a half ago | (#41959089)

This is /. What would we know about penetration?

Well, Microsoft shills still somehow manage to get accounts.

Monkeys. (-1)

Anonymous Coward | about a year and a half ago | (#41958223)

What?

For Those Left Wondering... (4, Informative)

Revotron (1115029) | about a year and a half ago | (#41958269)

From Wikipedia:

A red team is an independent group that seeks to challenge an organization in order to improve effectiveness.

Re:For Those Left Wondering... (4, Funny)

interkin3tic (1469267) | about a year and a half ago | (#41958443)

All this time, I thought the Red team was our enemy... they were really just trying to help us keep the flag more secure? Now I feel bad about killing them, t-bagging them, and calling them racist names.

I'm confused... (1)

Dareth (47614) | about a year and a half ago | (#41958667)

I'm confused... are we at war with Eurasia today?

Re:I'm confused... (0)

Anonymous Coward | about a year and a half ago | (#41958993)

This is a first-person capture-the-flag gamestyle reference.

Re:I'm confused... (0)

Anonymous Coward | about a year and a half ago | (#41959271)

I'm confused... are we at war with Eurasia today?

We have always been at war with Eastasia; Eurasia are our allies.

Re:For Those Left Wondering... (0)

Anonymous Coward | about a year and a half ago | (#41958939)

It's ok, caboose. We know life can be confusing sometimes.

Re:For Those Left Wondering... (1)

Kergan (780543) | about a year and a half ago | (#41958503)

From Wikipedia:

A red team is an independent group that seeks to challenge an organization in order to improve effectiveness.

Does that make them communists?

Re:For Those Left Wondering... (1)

Synerg1y (2169962) | about a year and a half ago | (#41958715)

How is this different from a white hat?

Re:For Those Left Wondering... (0)

Anonymous Coward | about a year and a half ago | (#41959025)

Red v White. That seems pretty basic. Oh, unless you're color-blind that is. I guess Christmas must be the most confusing time of year for you, huh?

Re:For Those Left Wondering... (1)

Larryish (1215510) | about a year and a half ago | (#41959997)

AFAIK the term is derived from the Dungeons and Dragons roleplaying game.

In the Dragonlance series of books, the various classes of mage were dressed differently depending on their nature. Good=white, neutral=red, black=evil.

Re:For Those Left Wondering... (1)

Peter Mork (951443) | about a year and a half ago | (#41963107)

AFAIK the term is derived from the Dungeons and Dragons roleplaying game.

In the Dragonlance series of books, the various classes of mage were dressed differently depending on their nature. Good=white, neutral=red, black=evil.

I think that's wishful thinking. It arises from blue-team (us, i.e., the good guys) vs. red-team (us pretending to be them, i.e., the bad guys) military exercises. In other words, a red team is a bunch of good guys pretending to be bad guys against whom the blue team can practice.

Re:For Those Left Wondering... (1)

Larryish (1215510) | about a year and a half ago | (#41963199)

"whitehat" hackers

"redhat" linux

"blackhat" convention

In regards to the summary, yes, a red team comes from the red team / blue team system.

I was not addressing the submitter, however, in fact my response was a reply to
http://slashdot.org/comments.pl?sid=3247105&cid=41958715 [slashdot.org]
who expressed curiosity as to the origin of the term "white hat".

Thank you, and have a lovely day.

Re:For Those Left Wondering... (1)

shentino (1139071) | about a year and a half ago | (#41965725)

Interestingly enough the redhats use tactics of both blackhats and whitehats.

There also seems to be a new bluehat type that learns its tricks through experience, from being subject to actual hostile attacks.

Re:For Those Left Wondering... (0)

Anonymous Coward | about a year and a half ago | (#41960823)

Thanks. I was having visions of red teams wearing white hats probably writing on white paper in red books.

What is this obsession with assigning all kinds of meanings to colors?

Off with his head! (0)

Anonymous Coward | about a year and a half ago | (#41958349)

This valuable information can be used by terrorists to hack critical infrastructure! oh my!

WhiteHat Security.... McDonalds (4, Interesting)

SecurityTheatre (2427858) | about a year and a half ago | (#41958409)

With all due respect, WhiteHat Security is the Denny's of web application testing shops.

Sure, they're one step above TrustWave (who are just "checklist compliance" shills and would qualify as the McDonalds of testing), but it's hardly what many places would call a proper "red team" approach.

They run automated tools and do a basic level of validation against those tools. The problem is that with web applications, the automated tools only get about 40% of issues and have a 50% false positive rate (or higher) in my experience. Their tools are pretty fancy compared even to the commercial scanning bits, but they aren't perfect.

There are plenty of boutique shops (and even some larger ones) that do more in-depth testing with more experienced testers. I'm not claiming that Mr Jones here isn't experienced, but more pointing out the general trend within some of the testing shops like WhiteHat.

Mod parent up. (2)

khasim (1285) | about a year and a half ago | (#41958587)

Having been through a TrustWave audit, I have to agree.

Although the TrustWave person did manage to crack the systems using publicly available exploits and such. It was very much a "checklist compliance" process.

Management, as always, will take the advice of someone they just paid thousands of dollars when the exact same advice from the techs has been denied over and over.

Re:WhiteHat Security.... McDonalds (0)

Anonymous Coward | about a year and a half ago | (#41958919)

Whitehat doesn't only do automated scanning, they do manual assessments and automated testing. Plus, the 50% false positives that the scanner may find are sent to the threat research center to verify whether or not the vulnerabilities are false positives. If they are false positives, they're disregarded and the customer never has to see them.

Re:WhiteHat Security.... McDonalds (4, Interesting)

Zapotek (1032314) | about a year and a half ago | (#41959017)

It's really simple:
  • Automated tools are here to pick the low-hanging fruit;
  • You should always validate their findings manually;
  • You should, if you can afford it, hire someone who knows what he's doing to do a proper pen test.

Also, 50% false positive rate is useless and surprisingly bad, what sort of tools have you used?

As you can see from my sig I'm a dev of such a web app sec scanner and I'd really, really like to stress the first point I've made. If someone tries to sell you something that will make you completely secure you can tell them to their face: I'm sorry sir/madam, I'm not an idiot.

Use them to make your life easier while you do a manual check, integrate them into your SDLC (or just into your test suite) but do not trust them blindly; that's not how they're designed to be used.

Web scanners are seriously complicated systems and require a successful combination of a multitude of CS principles in order to even finish their task, never mind returning useful results. Yes, we're making progress in analysis techniques and performance improvements and coverage but you'll never beat a human; on the other hand a human won't be able to inspect 200k pages either so just use some common sense and balance your expectations.

Re:WhiteHat Security.... McDonalds (1)

fluffy99 (870997) | about a year and a half ago | (#41960863)

Also, 50% false positive rate is useless and surprisingly bad, what sort of tools have you used?

Try running eEye Retina against a Redhat box. At least half of the findings are because Retina is simply checking version numbers and doesn't understand that Redhat backports fixes. There are also a bunch of false positive findings for Microsoft products, where for example it doesn't differentiate between XP 32-bit and 64-bit (64-bit settings should follow the 2003 guidelines).

Unfortunately, management often puts too much stock in these automated tools, either insisting the site be fixed to remove non-issue findings which end up breaking it, or they feel too good about the site because it didn't find anything.

Absolutely the automated tools catch the low-hanging fruit and stuff an amateur hacker might try. They don't check for serious methodology errors like keeping plain text passwords in the database or putting the credentials in the url for the world to see.

Re:WhiteHat Security.... McDonalds (1)

Zapotek (1032314) | about a year and a half ago | (#41961233)

Also, 50% false positive rate is useless and surprisingly bad, what sort of tools have you used?

Try running eEye Retina against a Redhat box. At least half of the findings are because Retina is simply checking version numbers and doesn't understand that Redhat backports fixes. There are also a bunch of false positive findings for Microsoft products, where for example it doesn't differentiate between XP 32-bit and 64-bit (64-bit settings should follow the 2003 guidelines).

Ah OK, I feel the need to point out that webappsec scanners and these sorts of service fingerprinters are, operationally, completely different systems. Their designs may be similarly modular and web scanners may include some tests that rely on fingerprinting known vulnerable web apps or backdoor shells but the ones like mine and WhiteHat's Sentinel are focused more on fuzzing/injecting inputs.

Paradoxically, this is harder to get right but on the other hand the responses you get can give you enough data to make a more confident decision.
So 50% FPs in these systems is abysmal since the best of us are actually striving for 0% -- which in reality is an impossible standard considering the heterogeneous nature of the web but you're in it to make something as best as it can be, hopefully.

Thus, you may see some FPs or abnormal results but they'll probably be limited to a bug of a single test, so if there's a bug in the XSS check you'll see a lot of XSS FPs but the rest of the results will be unaffected. Or, it can be broader than that, like a flawed implementation of an analysis technique, so subsequent tests that rely on that technique might report FPs -- like if your timing-attack implementation is not resilient or intelligent enough to account for a dead/overloaded server (and stuff like that) you might get back FPs that report that OS command injection or PHP code injection was detected by a module/test that relies on timing attacks.

By necessity, things are quite compartmentalized in order to be maintainable and that has the nice side-effect of failures also being compartmentalized.

Re:WhiteHat Security.... McDonalds (0)

Anonymous Coward | about a year and a half ago | (#41959967)

No offense taken. Denny's has really good food.
pic.twitter.com/t80mNSp6

Re:WhiteHat Security.... McDonalds (1)

Crambone (16799) | about a year and a half ago | (#42018731)

[For the purpose of full disclosure here, I work for Trustwave. I am also the head of their SpiderLabs organization.]

I think you may have your security and compliance testing paradigms very much confused. Let me help explain these a bit.

Trustwave is a Qualified Security Assessor (QSA) for the Payment Card Industry Security Standard Council (PCI SSC) and is authorized to perform security assessments for merchants and service providers against the Payment Card Industry Data Security Standard (PCI DSS). As a QSA there are testing procedures and standards interpretation that every firm performing these assessments must follow. Simply stated, a PCI DSS assessment might be called a "checklist compliance" because it was designed to be that to attempt to ensure uniformity across QSA's performing the review of the target organization. This process is dictated by the PCI SSC. A PCI DSS assessment is in no way attempting to be a "red team assessment".

Trustwave, like WhiteHat Security, also offers more traditional penetration testing through its SpiderLabs organization. While WhiteHat is focused on web application security (and are respected in the industry for their services here), SpiderLabs has global teams each with a focus on the various aspects of red team attack vectors. Some organizations opt to just hire us for application, network, or physical testing, but others want the full red team treatment. In any case, we follow a well documented and tested methodology (similar to the Penetration Testing Execution Standard [PTES]) but in no way is the work we do a check-list engagement.

Yeah I can run a Nessus scan too... (0)

Anonymous Coward | about a year and a half ago | (#41958417)

Big whoop.

Penetration Testing how to get the most out of it! (2, Interesting)

Anonymous Coward | about a year and a half ago | (#41958421)

There's a nice little article over at the 360 Security blog on how penetration testing is a valuable exercise AND how sometimes penetration testing fails to improve security outcomes. It should not come as too much of a surprise to know that it's one of those things where "you get out what you put in".
Disclosure: I do red-team penetration testing for a living, and rarely have I seen anyone squeeze full value out of the exercise without a lot of coaching and encouragement!

http://360is.blogspot.co.uk/2012/05/360is-guide-to-understanding.html

Re:Penetration Testing how to get the most out of (0)

ArcadeMan (2766669) | about a year and a half ago | (#41958703)

I get all my penetration testing news from sites like redtube and youporn.

dupe! (1)

larry bagina (561269) | about a year and a half ago | (#41958437)

This was already posted here [slashdot.org].

Re:dupe! (2)

Megane (129182) | about a year and a half ago | (#41958583)

It's a Nerval's Lobster post. It's apparently his purpose in life to cross-post SlashBI crap over here to the real Slashdot. If you checked the firehose [slashdot.org] regularly, you would be familiar with his submissions. About one in ten of his submissions actually get posted, which shows you just how relevant SlashBI is to the world of "News for Nerds".

Re:dupe! (0)

Anonymous Coward | about a year and a half ago | (#41958609)

They are just checking security at /. to see if someone holding a thread open could let them sneak in a cross posting attack.

In my days we called them whitehats (0)

Anonymous Coward | about a year and a half ago | (#41958533)

In the last decade they were called security researchers. Never heard of calling them 'red teams'.

Re:In my days we called them whitehats (1)

DECula (6113) | about a year and a half ago | (#41958683)

It's from the military side of cyberspace:

http://www.networkworld.com/news/2008/042508-red-team-blue-team-how.html

Some of the worst enemies are within (1)

concealment (2447304) | about a year and a half ago | (#41958777)

Every product, website, and idea should be tested against its opposition. If you own it, it helps you to test it against the opposition using fake opposition before you release it to the public.

This is why the military has war games and big buildings have fire drills.

However, one thing you find is that penetration testing from outside is not enough. Some of the worst enemies turn out to be within: either helpful employees who aid the bad guys, or people who panic and respond badly. Even worse are the malicious employees or people creating "job security" through logic bombs.

It's great that people run these minimum-level tests. Any website should face them. But there can be a false sense of security created when other threats are forgotten.

Re:Some of the worst enemies are within (1)

SecurityTheatre (2427858) | about a year and a half ago | (#41959039)

Any vendor who accepts a substantial number of credit card transactions is required to meet PCI-DSS standards, which require internal and external vulnerability assessments quarterly, as well as annual penetration testing exercises.

It's not perfect, because the requirements are a bit odd in some areas, but it's a good start down that road.

Re:Some of the worst enemies are within (0)

Anonymous Coward | about a year and a half ago | (#41959193)

Not true.

Re:Some of the worst enemies are within (0)

Anonymous Coward | about a year and a half ago | (#41961439)

And that's why I cruise for gay sex when my wife is out of town. Just to make sure that sodomy and homosexual sex are still immoral.

network security penetration consulting (-1)

Anonymous Coward | about a year and a half ago | (#41958819)

no its not group sex but it feels all warm n fuzzy when you succeed.

Fir5Dt post (-1)

Anonymous Coward | about a year and a half ago | (#41958943)

of the waRring

Not pentesters (1)

sparr0w (902739) | about a year and a half ago | (#41959091)

I've been a pen tester, and what this guy is doing is not pen testing - it's vetting out false-positives a tool is telling him. As good as tools are, they'll never reveal vulnerabilities that may lead to the overall compromise of an environment. Things like business process flaws (like being able to manually modify prices or submit negative values during balance transfers), blind SQL injection (tools are worthless for those), parameter tampering (like changing an ID showing stuff that isn't yours) and parameter addition. You need an actual person who can look at something and think it's Not Quite Right.... something a tool just can't do.
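The flaws named in the comment above (negative values in a balance transfer, tampering with an ID to see someone else's record, adding parameters the client is not supposed to set) are business-logic checks that a scanner cannot infer but that the application can enforce server-side. The following is an added example, not code from the article or from any commenter, showing those three checks in a constructed data model; the classes, function names and sample data are all assumptions made for the example.

```python
"""
Server-side checks for business-logic flaws (added example, not from the
article): negative or zero transfer amounts, parameter tampering on an object
ID (an order belonging to someone else), and parameter addition (a client
submitting fields it is not allowed to set). The data model and function
names are constructed for this example.
"""
from dataclasses import dataclass
from decimal import Decimal


class BusinessRuleViolation(Exception):
    """Raised when a request is syntactically fine but semantically not allowed."""


@dataclass
class Account:
    owner: str
    balance: Decimal


@dataclass
class Order:
    order_id: int
    owner: str
    total: Decimal


@dataclass
class Profile:
    username: str
    display_name: str
    is_admin: bool = False


def transfer(src: Account, dst: Account, amount: Decimal) -> None:
    """Move funds; the amount must be a positive value the source can cover."""
    # A negative amount would reverse the transfer and zero would no-op it;
    # the sign of the amount is decided here, not by the client.
    if amount <= 0:
        raise BusinessRuleViolation("transfer amount must be positive")
    if src.balance < amount:
        raise BusinessRuleViolation("insufficient funds")
    src.balance -= amount
    dst.balance += amount


def get_order(orders: dict, requesting_user: str, order_id: int) -> Order:
    """Look up an order and enforce ownership, not just existence."""
    order = orders.get(order_id)
    # Same error for 'missing' and 'not yours', so the response does not
    # reveal which IDs exist.
    if order is None or order.owner != requesting_user:
        raise BusinessRuleViolation("order not found")
    return order


# Allowlist of fields a user may change about themselves. Anything else in
# the request (for example is_admin) is a parameter-addition attempt.
PROFILE_WRITABLE_FIELDS = frozenset({"display_name"})


def update_profile(profile: Profile, params: dict) -> Profile:
    """Apply only allowlisted fields; reject the whole request otherwise."""
    unexpected = set(params) - PROFILE_WRITABLE_FIELDS
    if unexpected:
        raise BusinessRuleViolation(f"unexpected parameters: {sorted(unexpected)}")
    for key, value in params.items():
        setattr(profile, key, value)
    return profile


def demo() -> dict:
    """Exercise each check with constructed data and report the outcomes."""
    results = {}
    alice = Account("alice", Decimal("100"))
    bob = Account("bob", Decimal("10"))
    try:
        transfer(alice, bob, Decimal("-50"))  # constructed tampered amount
        results["negative_transfer"] = "allowed"
    except BusinessRuleViolation:
        results["negative_transfer"] = "rejected"
    transfer(alice, bob, Decimal("30"))  # a legitimate transfer still works
    results["balances"] = (alice.balance, bob.balance)

    orders = {1: Order(1, "alice", Decimal("30")), 2: Order(2, "bob", Decimal("5"))}
    try:
        get_order(orders, "alice", 2)  # alice asks for bob's order by ID
        results["foreign_order"] = "allowed"
    except BusinessRuleViolation:
        results["foreign_order"] = "rejected"

    profile = Profile("alice", "Alice")
    try:
        update_profile(profile, {"display_name": "A.", "is_admin": True})
        results["param_addition"] = "allowed"
    except BusinessRuleViolation:
        results["param_addition"] = "rejected"
    results["is_admin"] = profile.is_admin
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Two design points worth noting: the ownership check returns the same "not found" error whether the order is missing or belongs to someone else, and the profile update rejects the entire request rather than silently dropping the extra field, so a tampered client gets no partial success to probe further.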

Re:Not pentesters (0)

Anonymous Coward | about a year and a half ago | (#41960343)

You're absolutely correct; vetting out FPs does not constitute "pentesting" and certainly does not identify business logic flaws. This article is decently well written, but doesn't quite do justice to what Gillis (or any WhiteHat pentester) does on a daily basis. Vetting of FPs is just one part of the work WhiteHat's Threat Research Center does. Granted, this is an important part to getting broad coverage and looking for syntax-based technical vulnerabilities, but that's not the end of the story. WhiteHat additionally performs manual business logic assessments as part of their Premium offering, which are entirely separate from the verified scanner results that come default with every WhiteHat service line. These assessments are closer to what many would refer to as a "pentest", albeit the assessments are strictly focused on Layer 7 web application vulnerabilities (no social engineering, lock-picking, port scanning, etc). These assessments uncover authorization issues, crypto vulnerabilities, business process invalidation, and many more vulnerabilities which simply cannot be identified accurately with automation (any automation, not just WhiteHat's). The reality of modern hacks on web applications is that the bad guys use a combination of automated tools AND business logic exploitation, which is why WhiteHat offers several service lines which combine these approaches. This post is already way too long and "salesy" so I'll shut up; but, my point was simply to explain that this article is accurate, but does not comprehensively cover the topic of how WhiteHat approaches "pentesting".

Red team? (1, Funny)

LoRdTAW (99712) | about a year and a half ago | (#41959491)

I was under the impression Blue team was always trying to hack or destroy someone, usually Red team. Or is this supposed "Red" team really just Blue team with a red mask on? Someone needs to start spy checking.

Re:Red team? (1)

shentino (1139071) | about a year and a half ago | (#41965733)

Actually the Red team mixes tactics of both White and Black hats, while the Blue team picks its tricks up in the field from real enemies.

Basically worthless (1)

gweihir (88907) | about a year and a half ago | (#41959941)

This type of black-box penetration-test is pretty worthless in practice. Sure, you can patch some vulnerabilities afterwards, but these tests aim to get in fast, not to explore the whole attack surface. That takes way too much time and effort. Also, all you can really find with this type of test are beginners' mistakes. Sure, they are vulnerabilities too, but if you are vulnerable because of beginners' mistakes, then you have a far deeper problem.

What is needed instead is a careful white-box analysis of the system(s) to be secured and then improvements in architecture, design and implementation that provide resilience. Sometimes it will be necessary to tell the customer to throw the system away and start over with people that actually have some idea what secure coding means. Sometimes things can be fixed or additional security measures will be effective.

In all cases the black-box perspective is by far the worst and something that itself resides at amateur level.

There is one exception: Black-box penetration testing can be used to create awareness that all is not well. But usually the people doing it do not understand that by far their most important duty is to impress on the customer that they will _not_ find all vulnerabilities or even a major part of them.

Re:Basically worthless (0)

Anonymous Coward | about a year and a half ago | (#41961911)

lol. i'm sure "throw it all away and start over again" is a great place to start when trying to convince a business to improve their security posture. The sad fact is that almost every web application has numerous, simple, and severe vulnerabilities. We have to find a reasonable approach to improving this, or risk continuing to be ignored as security professionals.

start at the bottom, work your way up. If you have simple, easy to find vulns, you will be exploited by drive-by worms and script kiddies eventually. Fix those first.

Once you have taken care of those vulns for all of your sites that touch your DB (very few ever do, even banks and govt sites), and you know you are a high value target, convince the boss to pony up the cash for an expensive consultant as described above. He will certainly find more issues, many of which have almost no chance of ever being exploited unless you are fully targeted by an expert attacker.

To your generalities about blackbox vs whitebox:

I work with both extensively. It is my only job. Both find different issues, with a surprisingly small amount of overlap. There are many issues that show up trivially with any dynamic fuzzer out of the box that the smartest manual code reviewer won't find. How many times has someone said "that shouldn't be possible" or "that's not how it's supposed to work." What determines exploitability is how it DOES work.

if your goal is perfect Security, good luck. But if you need to approach that line because you are into illegal stuff or you move billions of dollars or something, you really need to spend the money on blackbox and whitebox, both automatic and manual. All 4 will find at least one thing the others didn't, unless you have remarkably well trained coders.
if your goal is to raise the bar high enough that people hit your competitor instead of you, start with blackbox. It is the perspective the hackers work from, so your findings will be more likely to encompass what the attackers will find.

The truth is people have very different goals when it comes to security. Many companies do risk analysis of their issues and decide to take out insurance instead of fixing them. As a security guy, that drives me nuts, but hey, at least they are considering it.

Sounds like you only think of security in one context (trying to be 100% secure, cost is no object), and that context is extremely uncommon in the real world.

Re:Basically worthless (1)

gweihir (88907) | about a year and a half ago | (#41962981)

I am not thinking in 100% security, but admittedly quite a bit more than a web-shop or the like needs. I should also say that my statement is for custom software. While I have done some penetration-testing and supervised more, what really helped to find out where matters stand is code-review. And yes, on advice of our team (and others of course, we do not have that much clout) at least one pretty expensive project was scrapped, because it had zero chance of getting where it needed to get security-wise. The main problem I see with all forms of pentesting is that they often create a false sense of security, while in reality they only scrape the surface and do not actually evaluate the situation to any meaningful degree, unless it is pretty bad. Admittedly, it often _is_ pretty bad and then pentesting can serve to raise awareness if done right.

reward based learning (1)

bloodhawk (813939) | about a year and a half ago | (#41964705)

A company I used to work for 10-15 years ago took the approach of reward based incentives towards security. It was widely publicised that the Red Team existed and their job was to try to break the organisation's security and to see what weaknesses existed. Conversely, anyone that caught a member of the Red Team attempting to hack their machine, bypass security protocols, social engineer security information or any such other violation of security protocols and then reported that violation would receive prizes. The by-product of this was employees who were constantly on the watch for people breaking security protocol as it was a chance to get some juicy rewards, thus making everyone far more security aware. Not sure if they still do it but it was damn effective at the time as half the battle is getting staff to actually pay attention to security.

Again with them... (0)

Anonymous Coward | about a year and a half ago | (#41966379)

Please /. enough with that WhiteHat publicity. It's the second time this month. We had dealt with them in the past. They spend more time and resource on PR than anything else. If you are in the market for such a service, do yourself a favor and look at some well-established and serious firms, not WhiteHat.

Kill the red team (0)

Anonymous Coward | about a year and a half ago | (#41982643)

"You dumbass, you're supposed to kill the red guys."
https://www.youtube.com/watch?v=4TwbtcpnERU
