Uploaded by: abhay-bhargav
© 2015, we45
we45 case files: infrastructure security assessment
client profile
Client's Business Environment - Leading cloud-based email encryption product company based in Sunnyvale, CA
Security Expertise - The client's management team was led by security experts previously employed at Microsoft, Sun Microsystems and Stanford University
Application Deployment Security Check - The client wanted to develop a specialized module that would identify bottlenecks in deploying their email encryption service in the network
pre-engagement scenario
Client had leading security experts on its internal team
Client, hosting its infrastructure on Amazon AWS, wanted the security of that cloud infrastructure validated
Client required additional assurance on cloud infrastructure security
Client was specifically concerned about the CMS (content management system) used for registration to the encryption service
testing approach
Network Architecture Review and Threat Modeling
• Identifying key security risks to the enterprise infrastructure and prioritizing those risks
• Infrastructure security threat modeling using world-class methodologies
• Review of high- and low-level network diagrams
Vulnerability Assessment
• Performing reconnaissance and mapping against the infrastructure
• Identifying vulnerabilities in the scoped targets and related system components
Penetration and Post-Exploitation
• Exploiting selected vulnerabilities in scoped targets
• Maintaining persistent access to exploited systems for deeper analysis
Presentation and Reporting
• Delivering a presentation to key management stakeholders
• Preparing and delivering comprehensive security testing reports
• Designing an action plan for management review
threat modeling – the key to a successful test
overview – we45's security analysts identified the client's business process / platform and penetration testing requirements. This step identifies the key data security risks for information stored, processed and transmitted by the infrastructure and system components; these are the risks whose treatment unlocks the highest business value for the client.
security profiles – we45's security analysts then created security profiles for the key risks identified in the overview. For instance, theft of customer data would be a key risk for a database. Each profile was also assigned a risk severity score.
threat models – Based on the security profiles, the testing team identified the attack scenarios by which each security profile could be realized. This was done using Microsoft's STRIDE (threat categorization) and DREAD (risk rating) methodologies.
SCRUM – The threat models were used as the attack plan. we45 used a SCRUM model to prioritize and test the application for maximum efficiency and effectiveness.
threat modeling - STRIDE
Spoofing – Masquerading
Tampering – Unauthorized Modification
Repudiation – Deny Knowledge
Information Disclosure – Data Exposure/Leakage
Denial-of-Service – Downtime / Service Denial
Elevation of Privileges – Performing Privileged Actions
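The two slides above describe the process only in outline: a security profile per key risk, a severity score, and a STRIDE category for the attack scenario. The following is an added worked example (not we45's tooling or the client's data) of how such profiles can be scored with DREAD and turned into the ordered attack plan the SCRUM step consumes. The profiles, ratings and severity bands are constructed assumptions for the demo; DREAD's five criteria and the 1-10 scale are the published method.

```python
"""Worked STRIDE/DREAD scoring of security profiles (added example).

Each profile records the asset, the risk, the STRIDE category of the threat,
and five DREAD ratings on a 1-10 scale. The DREAD score is the mean of the
five ratings; the severity bands below are this example's assumption, not
we45's scale. The profiles themselves are constructed sample data.
"""
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information Disclosure",
    "D": "Denial of Service",
    "E": "Elevation of Privilege",
}


@dataclass(frozen=True)
class SecurityProfile:
    asset: str
    risk: str
    stride: str            # key into STRIDE
    damage: int            # D: how bad is a successful attack
    reproducibility: int   # R: how reliably does the attack work
    exploitability: int    # E: how little skill/effort is needed
    affected_users: int    # A: how many users or systems are hit
    discoverability: int   # D: how easily an attacker finds it

    def __post_init__(self):
        if self.stride not in STRIDE:
            raise ValueError(f"unknown STRIDE category {self.stride!r}")
        for rating in self.ratings():
            if not 1 <= rating <= 10:
                raise ValueError("DREAD ratings must be integers from 1 to 10")

    def ratings(self):
        return (self.damage, self.reproducibility, self.exploitability,
                self.affected_users, self.discoverability)

    def dread_score(self) -> float:
        # Mean of the five ratings; always a float so ties and bands compare cleanly.
        return sum(self.ratings()) / 5


def severity(score: float) -> str:
    """Map a DREAD mean to a severity band (assumed thresholds, not we45's)."""
    if score >= 8.0:
        return "Critical"
    if score >= 6.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


# Constructed sample profiles for the kinds of assets named in the case study.
PROFILES = [
    SecurityProfile("Customer database", "Theft of customer data", "I", 9, 8, 7, 10, 7),
    SecurityProfile("Secure FTP server", "Login with weak or default credentials", "S", 8, 10, 9, 6, 7),
    SecurityProfile("Registration CMS", "Unauthenticated content modification", "T", 7, 9, 8, 8, 7),
    SecurityProfile("Public web front end", "Request flood exhausts worker pool", "D", 5, 7, 6, 10, 9),
    SecurityProfile("Audit log", "Admin deletes log entries unnoticed", "R", 4, 6, 3, 2, 3),
]


def attack_plan(profiles):
    """Profiles ordered highest DREAD score first, ready to be worked as sprints.

    Returns tuples of (score, severity, STRIDE category, asset, risk).
    """
    ranked = sorted(profiles, key=lambda p: p.dread_score(), reverse=True)
    return [
        (round(p.dread_score(), 1), severity(p.dread_score()), STRIDE[p.stride], p.asset, p.risk)
        for p in ranked
    ]


if __name__ == "__main__":
    for row in attack_plan(PROFILES):
        print(row)
```

The validation in `__post_init__` is the part worth keeping in a real tracker: a rating outside 1-10 or a typo in the STRIDE letter silently skews the ranking otherwise.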
assessment and exploitation schema
Reconnaissance
• IP Discovery
• WHOIS Lookups
• BGP Scanning
• DNS Lookups
• Search Engine Querying
• IPS/WAF Identification
Scanning and Profiling
• Information Disclosure
• Mapping
• Port Scanning
• Banner Grabbing
• Linked Server Mapping
• Host Profiling
• OS and Version Detection
• SNMP Mapping and Scanning
• Web Services Enumeration
• Directory Bruteforcing
• Packet Captures and Analysis
Vulnerability Discovery
• Automated Vulnerability Scanning
• Fuzzing for multiple attack vectors
• Linked Server Vulnerabilities
• Identifying insecure services and vendor-supplied default passwords
• Identifying Web Flaws
• Identifying potential Denial of Service vectors
• Cryptographic Attacks
Exploitation
• Custom Exploits – Apps
• Publicly Available Exploits
• Exploit Pivoting
• Web Services Exploits
Post Exploitation
• Clean-up (Post Exploit)
• Identifying Impact of Exploits
Reporting
• Vulnerability Management using Key Metrics
• Analysis and Reporting - Key Business Risks
• Multiple Recommendations/Solutions
we45’s – “leanbeast”
we45’s “Hybrid-Automation” Vulnerability Management appliance was used to conduct this assessment for the client
Lean-beast leveraged tools and custom scripts to launch specific attack vectors defined by the security profiles of the scope
The appliance was tweaked to facilitate an assisted Penetration Testing exercise thereby maximizing the advantages of manual and automated testing methods
The “remote” mode of operation of the appliance enabled we45 to take advantage of production downtime slices to conduct the exercise
Lean-beast is fully integrated with an automated vulnerability management and reporting engine (VME) that provided powerful analytics and integrated dashboards to the client stakeholders
leanbeast : operation model
a few major findings
• ElasticSearch server vulnerable to remote code execution, through which we45 gained access to the client's entire application server infrastructure
• Linux hosts compromised via the Shellshock vulnerability (a flaw in GNU Bash, CVE-2014-6271, rather than in the kernel itself)
• Access gained to the client's Secure FTP server through authentication flaws, exposing sensitive customer information
• Remote File Inclusion identified in the client's CMS platform and used to compromise the web server and DB server
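The deck names Shellshock but does not say how it was delivered or confirmed, so the following is an added example (not we45's or the client's code) of the local check a practitioner runs first: the widely published test string for CVE-2014-6271, which puts a function definition with trailing code into an environment variable and looks for the trailing code running when bash starts. The marker text and the return values are this example's own choices.

```python
"""Local Shellshock (CVE-2014-6271) check (added example).

Bash before the fix imported functions from any environment variable whose
value began with "() {" and kept parsing past the closing brace, so code
appended after the function body ran on every bash start-up. The probe below
is the widely published test string; it only echoes a marker.
"""
import shutil
import subprocess

MARKER = "SHELLSHOCK-VULNERABLE"
PROBE = "() { :;}; echo " + MARKER   # function definition followed by trailing code


def check_shellshock(bash="bash", timeout=10):
    """Return 'vulnerable', 'patched', 'no-bash' or 'inconclusive'."""
    path = shutil.which(bash)
    if path is None:
        return "no-bash"
    proc = subprocess.run(
        [path, "-c", "echo probe-done"],
        env={"x": PROBE, "PATH": "/usr/bin:/bin"},  # minimal env; only the probe variable matters
        capture_output=True, text=True, timeout=timeout,
    )
    output = proc.stdout + proc.stderr
    if MARKER in output:
        return "vulnerable"      # trailing code executed while importing x
    if "probe-done" in output:
        return "patched"         # bash ran the command and ignored the trailing code
    return "inconclusive"        # bash did not run the command at all


if __name__ == "__main__":
    print(check_shellshock())
```

On a fleet, the same probe is run through whatever hands environment variables to bash (cron, SSH forced commands, CGI handlers), since that is where the bug becomes remotely reachable; the local check only tells you whether the binary itself is fixed.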
modus operandi
• Performed extensive reconnaissance on system components and identified running services across TCP and UDP ports
• Discovered vulnerabilities through automated scanning and custom vulnerability discovery scripts
• Performed exploits using popular exploit frameworks and custom-developed exploits
• Performed pivot attacks, reaching other hosts on the same network through a compromised host
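The "Scanning and Profiling" phase of the schema and the first modus operandi step both come down to the same loop: find open ports, read what the service says about itself, and turn that into a host profile. The following is an added example of that loop (not leanbeast or any we45 script). The target is constructed inside the block: three loopback listeners answering with banners in the shape of SSH, FTP and HTTP, with invented version strings that have nothing to do with the client's environment.

```python
"""Port scan, banner grab and service fingerprinting (added example).

The target is a constructed one: three listeners on 127.0.0.1 that answer
with banners shaped like real SSH, FTP and HTTP servers. The version strings
are invented for the demo, not taken from any client environment.
"""
import re
import socket
import threading

FAKE_BANNERS = {
    "ssh": b"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2\r\n",
    "ftp": b"220 ProFTPD 1.3.5 Server ready.\r\n",
    "http": b"",  # HTTP says nothing until it receives a request
}
HTTP_REPLY = b"HTTP/1.1 200 OK\r\nServer: nginx/1.4.6 (Ubuntu)\r\nContent-Length: 0\r\n\r\n"


def _serve(listener, banner):
    """Accept connections forever; send the banner (after a request, for HTTP)."""
    while True:
        try:
            conn, _ = listener.accept()
        except OSError:
            return
        with conn:
            try:
                if banner:
                    conn.sendall(banner)
                else:
                    conn.settimeout(3.0)
                    try:
                        conn.recv(1024)   # wait for the client's request
                    except OSError:
                        pass
                    conn.sendall(HTTP_REPLY)
            except OSError:
                pass  # client hung up first (e.g. a plain connect scan)


def start_fake_target():
    """Start the listeners on ephemeral ports; return {service: port}."""
    ports = {}
    for name, banner in FAKE_BANNERS.items():
        listener = socket.socket()
        listener.bind(("127.0.0.1", 0))
        listener.listen(5)
        threading.Thread(target=_serve, args=(listener, banner), daemon=True).start()
        ports[name] = listener.getsockname()[1]
    return ports


def unused_port():
    """Reserve and release an ephemeral port, so the scan sees a closed one."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def connect_scan(host, ports, timeout=0.5):
    """TCP connect scan: {port: 'open' | 'closed'}."""
    states = {}
    for port in ports:
        with socket.socket() as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                states[port] = "open"
            except OSError:
                states[port] = "closed"
    return states


def grab_banner(host, port, timeout=1.0, probe=b"HEAD / HTTP/1.0\r\n\r\n"):
    """Read whatever the service volunteers; if it is silent, send a generic probe."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(1024)
        except socket.timeout:
            data = b""
        if not data:
            s.sendall(probe)
            try:
                data = s.recv(1024)
            except socket.timeout:
                data = b""
    return data.decode("latin-1").strip()


# (service, regex capturing product/version), tried in order
FINGERPRINTS = [
    ("ssh", re.compile(r"^SSH-[\d.]+-(\S+)")),
    ("ftp", re.compile(r"^220[ -](\S+(?: [\d.]+)?)")),
    ("http", re.compile(r"^Server:\s*(\S+)", re.I | re.M)),
]


def fingerprint(banner):
    """Return (service, product) or ('unknown', banner excerpt)."""
    for service, pattern in FINGERPRINTS:
        m = pattern.search(banner)
        if m:
            return service, m.group(1)
    return "unknown", banner[:40]


def profile_host(host, ports):
    """Scan, grab and fingerprint: {open_port: (service, product)}."""
    profile = {}
    for port, state in connect_scan(host, ports).items():
        if state == "open":
            profile[port] = fingerprint(grab_banner(host, port))
    return profile


if __name__ == "__main__":
    target = start_fake_target()
    for port, (service, product) in profile_host("127.0.0.1", target.values()).items():
        print(f"{port}/tcp open {service} {product}")
```

The split between "volunteered banner" and "probe after silence" matters in practice: SSH and FTP identify themselves on connect, HTTP and most application protocols do not, and a scanner that only listens will report those ports as open but unidentified.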
analysis & reporting
• A detailed security testing report and custom client access to leanbeast's VME were provided to the client at the end of the assessment
• The vulnerability findings were ranked by severity of business impact and referenced against industry metrics such as CWE and CVE identifiers
• The client team was provided with multiple relevant remediation strategies per vulnerability
• The network and infrastructure teams were trained on core concepts of network security and "business as usual" security practices
• An executive summary and action plan were prepared for management action
Detailed Report – ranked by findings; risk ranking for efficient prioritization of remediation efforts
Multiple Recommendations – multiple recommendations for quicker remediation
Industry Metrics and Action Plan – citation of standard industry metrics; development of executive summary and action plans
success factors
• we45 identified deep-seated authentication and platform issues that could have caused massive breaches of confidentiality for the client. These were treated as Level 1 security issues by the client.
• Through leanbeast, we45 implemented a measurable, frequent and scalable vulnerability assessment framework for the client.
• we45 engaged with the client's security team to train them on infrastructure security requirements, enabling the client to independently manage certain aspects of its network infrastructure security.
thank you