Pentesting and Active Defense

  • Pentest+, CEH, OSCP

  • Hunting vs Pentesting

    • Threat hunting

      • Less disruptive, “look but don’t touch”

      • Based on observation, analysis

      • Shortens detection time for threats

    • Pentesting

      • “Let’s see how we could be attacked”

      • A process to identify vulnerabilities

      • Actively attempts to break security

      • Disruptive

      • Provides an “outside” perspective on security (attacker’s PoV)

  • Purpose is to identify vulnerabilities

  • Rules of engagement

    • Authorization is a must!

    • Time-bound: When? How long?

    • Scope: What? (don’t give in to “scope creep”)

    • Are you in the right country?

    • Type: web, WLAN, social engineering, etc.

    • Tools and techniques

    • White/Grey/Black box?

    • Engage staff or not?

    • Reporting

  • Wargames – a “team” exercise

    • Red team – pentesters

    • Blue team – incident responders

    • White team – Control the game

    • Purple team – Ensure communication between red and blue

  • Active Defense

    • Decoy tactics – throw off the attackers. Nonstandard ports/user accounts/obfuscation.

      • Honeypots/Honeynets

      • OpenCanary

    • Annoyance tactics

    • Counterattacks

  • Blacklist / Blocklist approach

    • Specify what is not allowed

    • Can be used during incident response

    • Careful with excessive blocking

    • Careful with too little blocking

  • Whitelist approach

    • Specify what is allowed

    • Can also be used during incident response

    • Requires more admin work

  • Execution control

    • Part of endpoint protection solutions

    • Allow/deny installation and execution of software

    • Can either be blocklist or whitelist

    • Examples: software restriction policies (group policy), AppLocker, Windows Defender Application Control

    • Linux: AppArmor, SELinux
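A small evaluator of the blocklist-versus-allowlist decision from the two approaches above, using the same three rule conditions AppLocker offers (path, publisher, file hash); this is an added example, not code from these notes or from any of the tools named, and the binaries, publisher string and rules are constructed sample data.

```python
import hashlib
from dataclasses import dataclass
from fnmatch import fnmatch

@dataclass(frozen=True)
class Binary:
    path: str
    publisher: str   # signer subject, "" if unsigned (constructed values below)
    content: bytes   # constructed bytes standing in for the file on disk

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()

def matches(rule: dict, b: Binary) -> bool:
    """One rule condition: a path glob, an exact publisher, or a file hash."""
    kind, value = rule["kind"], rule["value"]
    if kind == "path":
        return fnmatch(b.path.lower(), value.lower())
    if kind == "publisher":
        return b.publisher != "" and b.publisher == value
    if kind == "hash":
        return b.sha256 == value
    raise ValueError(f"unknown rule kind {kind!r}")

def decide(mode: str, rules: list, b: Binary) -> str:
    """Return 'allow' or 'deny' for running b under a blocklist or allowlist."""
    hit = any(matches(r, b) for r in rules)
    if mode == "blocklist":
        return "deny" if hit else "allow"   # anything not listed runs
    if mode == "allowlist":
        return "allow" if hit else "deny"   # anything not listed is blocked
    raise ValueError(f"unknown mode {mode!r}")

# Constructed sample binaries: a signed app in Program Files, an unsigned
# download nobody has seen before, and a binary whose hash is already known bad.
TRUSTED = Binary(r"C:\Program Files\App\app.exe", "O=EXAMPLE CORP", b"app v1")
UNKNOWN = Binary(r"C:\Users\u\Downloads\tool.exe", "", b"unsigned tool")
KNOWN_BAD = Binary(r"C:\Users\u\AppData\Local\Temp\x.exe", "", b"known bad")

BLOCKLIST = [{"kind": "hash", "value": KNOWN_BAD.sha256}]
ALLOWLIST = [{"kind": "path", "value": r"C:\Program Files\*"},
             {"kind": "publisher", "value": "O=EXAMPLE CORP"}]

def demo() -> dict:
    """Map each sample to its (blocklist, allowlist) verdict."""
    samples = {"trusted": TRUSTED, "unknown": UNKNOWN, "known_bad": KNOWN_BAD}
    return {n: (decide("blocklist", BLOCKLIST, b), decide("allowlist", ALLOWLIST, b))
            for n, b in samples.items()}
```

The "unknown" row is the point of the comparison: the blocklist lets the never-seen download run (too little blocking) while the allowlist stops it, at the cost of having to add a rule for every legitimate new program (more admin work).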
