Official Blog of Trustwave's SpiderLabs - SpiderLabs is an elite team of ethical hackers, investigators and researchers at Trustwave advancing the security capabilities of leading businesses and organizations throughout the world.
This past weekend I was lucky enough to attend Microsoft’s
BlueHat Conference in Redmond WA and Security B-Sides Seattle. The combination of some of those talks succeeded
in keeping some persistent issues alive in the hopes of finding a
solution. We live in a world dominated
by the Internet and rapidly changing technology. Most people regularly use at least some form
of social media online whether it’s Facebook, Twitter, Reddit, etc., and it’s
accessed and updated from a home computer, tablet device, or smartphone. And while the Information Security world is
far more cognizant of what transpires online your average user really
isn’t. And it’s sad to think they either
don’t care, or have a “it will never happen to me” attitude. I’m not sure how much of my online life is
made up of paranoia, anti-social behavior, or just that I feel what I do is
none of anyone’s business but my own. I
don’t have a real Facebook account, I have a “sock puppet” account. I have a
twitter account, but if you look at it, it’s all angry rants. I try to minimize my web footprint as much as
possible, but I love my email accounts.
Yes, that’s right -plural. All
are different user names, with different email services. Each is associated with various logins to
different services on the Internet. So
what about the average user?
A
story of a young pentester, going south over Earth’s second largest continent
until it doesn’t quite meet the sea again - sun beaten Johannesburg, South
Africa. Keeping him company is a MacBook and earphones.
Within
the unibody aluminium case are his scripts and tools, but the experience he
relies on is weightless.
The professional penetration testing scene in Sout Africa is not very big compared to US or the UK, but there are a number of internationally recognized folks based there.
There are a few security
conferences in South Africa: ZAcon, B-sides and ITWEB Security Summit. ZaCon (ZAcon) is
a community driven infosec conference. The aim is to build a better community
of hackers in ZA, and provide a platform for up-n-coming speakers while still
getting some inspiration from the greats. ZAcon has a “meet up” spin off called
0xC0FFEE. 0xC0FFEE (0xC0FFEE) is a
mostly monthly gathering where project ideas are shared, collaboration occurs
and folk generally talk hack.
In
this maturing region, where Internet adoption is growing at a breakneck speed,
there are only a handful of companies that provide penetration testing or
ethical hacking services – there’s even fewer with a global footprint like
ours.
Trustwave’s presence
in the region is already established, but for SpiderLabs with its first local
and native Afrikaans-speaking technical consultant, its elite security team
will be hitting the ground running. Backed by the resources of the global
practice, this is truly a very exciting time and environment to be in.
Most likely it will
not be long before he is joined by others as there are large numbers of
organizations enjoying fast paced growth in the region, many of whom will turn
to Trustwave to simplify their security challenges and help to secure their
businesses.
It is with a sense
of sun kissed enthusiasm that I sign off, and look forward to meeting some of
you out there in conferences or in Trustwave’s offices, wherever you are...
Europe, Middle East and Africa consists of around 120 countries depending on the definition of each territory. We don't have customers in all of those countries, but the number of countries that we do is growing rapidly year on year.
One of the areas that we within the SpiderLabs leadership team focus on as a year round activity is our ability to attract, retain and enable top talent. On our growth trajectory finding enough of the right people can be a challenge. As you could probably guess, we expect a lot from the experts on the team, because our customers depend on us to help them secure their businesses.
...So what's important to us from a hiring perspective?
Being Technically Excellent – after all SpiderLabs is the advanced security team within Trustwave;
Getting Involved – having a passion for sharing your insights and expertise with, clients, colleagues and the industry at large;
Being Quality Focussed – last year we delivered 2000+ manual penetration tests and 300+ incident investigations, reputation is hard to build yet easily damaged;
Being Organised – its very important to be able to work well within a team, and to the game-plan, whether servicing clients in a consulting capacity or delivering on R&D projects.
... And what's it like being on the team?
There's the consistently high level of banter as a starting point, as well as a healthy competitiveness that you would expect from having close to 100 world-class penetration testers, incident responders and researchers all working together under the same banner... You can likely get a good flavour of some of the skill-sets, proficiencies, interests and personalities by taking the time to read through recent blog posts).
Most recently we've expanded our footprint to include senior team members to cover both Africa (from Johannessburg) and the Nordic region (from Stockholm). Both regions are where we already have a sizeable Trustwave footprint of business.
Today the SpiderLabs EMEA operation consists of people in a number of countries - headcount is up 100% from January 2011 - and we now have SpiderLabs experts in:
UK
Sweden
Spain
Greece
South Africa
Poland
(For comparison a couple of years ago for us EMEA was synonymous with just the UK)
No surprises then that we're still hiring today, with anoter UK opening about to be posted… to browse the list of Trustwave job openings, including SpiderLabs roles see: https://www.trustwave.com/employment-opportunities.php.
Trustwave recently launched PenTest Manager 2.0, a major enhancement of the innovative Trustwave reporting tool used by SpiderLabs team member during penetration testing. PenTest Manager 2.0 provides a significant reporting upgrade in the form of Attack Sequences. These allow for a team member to graphically link one or more vulnerabilities to represent the relationships between vulnerabilities.
Other consulting firms often generate a PDF report listing security vulnerabilities but fail to clearly illustrate how multiple findings are related - long lists of bugs don’t really tell the full story. SpiderLabs often leverage multiple lower risk security vulnerabilities chained together to compromise a system, gain unauthorized access to credit cards, or escalate permission during security testing.
The new Attack Sequence reporting capabilities allows for SpiderLabs to simplify complex attack scenarios so they can be understood across all levels of the organization, from CEO to developers. Current modeling techniques such as attack and fault trees are too formal, too academic and too expensive to produce and provide high value. How well do you understand the relationship between vulnerabilities from a real-world, attacker’s perspective?
To see more, check out https://www.trustwave.com/pentest-manager.php
Probably in the same period I started at Trustwave SpiderLabs I decided to start my training for an Ironman race.
First what is an Ironman?
An Ironman Triathlon is one of a series of long-distance triathlon races organized by the World Triathlon Corporation (WTC) consisting of a 2.4-mile (3.86 km) swim, a 112-mile (180.25 km) bike and a marathon 26.2-mile (42.2 km) run, raced in that order and without a break. Most Ironman events have a strict time limit of 17 hours to complete the race, where the Ironman race starts at 7:00 AM, the mandatory swim cut off for the 2.4-mile (3.9 km) swim is 2 hours 20 minutes, the bike cut off time is 5:30 PM, and all finishers must complete their marathon by midnight.
You probably thinking - are you insane? or what are you trying to prove?
That's the point. I like challenges in any subject. Besides health and INSANE training, Ironman is much more than that and some stuff I could enumerate:
Focus
Long Term Planning
Discipline
Goal
Mind/Mental Trainings
If we compare with our daily security work it's pretty similar since we need to split into different parts to get the result.
Ironman is the scope - 140.6 miles or 226 km
Training is the Enumeration/Reconnaissance
Swimming is the very first step to get into next level, we need to own this swim distance to achieve the next goal. We have a time-line of 2h30m (more than enough but if something goes wrong your race could be over at this point)
Biking second and large stage here you need to have a balance about good performance (correct tools in PenTest) and save energy for a marathon right after (not lot of noise)
Running is probably the privilege escalation/exploitation where you are pretty close to the goal but you need to get the finish line and LOT of stuff could go wrong.
Writing this blog post is the report =)
As I told I started to train to this race 2 years ago. It's not easy task for me and my family... I missed lot of beers, parties and family time to do insane trainings all weekend. This video is funny but mostly true.
After long trainings, hours and hours the race day arrived. I was nervous since it's a very long race and you never know how your body will behave but my goal was to arrive at finish line in any time before 17h. In my plans I was thinking about a 12h race.
First the swin part. The race start is MAGIC ... 7:00 am and the race started. Around 2000 athletes with the same goal. If you see this video from a helicopter you will see how nuts and beautiful it's.
I swam as planned. It's important to say that family support in the start is something that make the difference.
After that just went to transition area and picked up my bike and start to ride my back. That's the longest part and where people usually ride too fast and could not run after. I did my bike track exactly as planned in 6h02m. I was pretty good to start my run.
I started my run and all was doing fine as planned but after 12km running, my abdomen started hurting and I could not run anymore only walk. I thought that will be hard but I looked into my watch and saw I have 7 more hours to finish the race. So I started my mental battle so walk that distance after all swim and bike. This marathon took forever to my, my coach as afraid since only walking I could have some problems with my body temperature and never finish the race.
BUT I did ... after 14h06m I arrived in the finish line and now I'M an IRONMAN!!!!
Thanks for all that support me and understand when I said NO for beer, party or whatever because I need to wake up early for trainings. This was the most insane thing I ever tried in my life and I learned too much with trainings, race problems and during all this period.
Ready for next challenge!!! I'm a SpiderLabs team member and I only try HARD.
It was a hectic week in London. In case you hadn't heard its was InfoSec europe week, but we were also busy with the SC Awards dinner (where PenTest Manager won the innovation award), Bsides London, 44 café, speaking at InfoSec in the conference track, and speaking at an insurance event.
We also managed to find time to host a private customer networking lunch inside the InfoSec venue where we encouraged security and risk managers from our customer base to share their experiences and insights under chatham house rules on a number of hot topics in security. We discussed technology outsourcing risks, security awareness and education of employees amongst others. (we run these types of "sharing security insights" dinners on a semi-regular basis so if you'd like to attend one, let us know)
Insurance conventions and EU draft regulations… you might not normally associate SpiderLabs with either, but read on…
Our Global Security Report 2012 shows that data breach victims are largely unable to self-detect data compromises (only 16% of organisations self-detected they had suffered a breach according to our statistics) and also that the time lag between intrusion and detection can be very lengthy (some of the 2011 cases we worked, the initial point of intrusion dated back to 2008 and 2009).
This throws up some interesting considerations for the "cyber risk insurance" industry. Which was the subject of our joint presentation with DAC Beachcroft LLP at the International Association of Claims Professionals (www.iaclpro.com). Our insights raised a number of eye-brows, and generated lots of interesting questions around how cyber insurance products might need to be improved to reflect these realities. (we will be working on a follow up blog post to cover some of these off).
Some of the stats discussed above also have implications when considering the EU draft data protection regulation which will amongst other things, legally compel breached organisations throughout the EU to notify the local data protection agency, as well as the affected persons. Trustwave SpiderLabs EMEA Director, John Yeo received some press coverage on this subject in a recent Financial Times article (http://on.ft.com/IiIcbV, free registration required).
As the proposed regulation is not yet law, there will undoubtedly be some changes yet to come. However astute organisations are already starting to think about what they will need to do better to not get caught out by its introduction.
Conversely, not being able to understand what malicious/suspicious activities are occurring within your IT environment probably isn't a great starting point from a due-dilligence perspective, but we know from the low data-breach self-detection rates this is the reality for many organizations…
Thanks to all the hard work of the Trustwave's Engineering teams, IT, SpiderLabs, and our customers for pushing the limits, overcoming the challenges along the way and making this a success. Version 2.0 is on the horizon with major new features that will make our competitors rethink how they provide vulnerability and test result information to businesses. Death to PDF!
PenTest Manager, the cutting edge penetration test management and reporting platform used by Trustwave SpiderLabs, was recently "shortlisted" as a finalist for SC Magazine Europe's Innovation Award. The award ceremony will be held on April 24th in London.
Trustwave's PenTest Manager is the only on-line reporting portal for 100% manual penetration testing that gives you real-time access to detailed, comprehensible results, rich evidence, and vulnerability metrics for Network, Application, Wireless, Physical, Social Engineering, and other types of assessments.
The next version of PenTest Manager is currently under heavy development by a significantly expanded development team with a major upgrade scheduled for later this summer!
PenTest Manager, the cutting-edge reporting tool created by Trustwave SpiderLabs to manage, track, and report results of penetration tests, has been updated to include secure file transfer to simplify the testing process, where documents and other files need to be shared between the tester and the client.
Say goodbye to encrypted emails, temporary SCP servers, mailing thumb drives, and other inconvenient and insecure mechanisms to transfer data. Files up to 100MB can now be uploaded and downloaded using the documents tab on a test. You can easily share code, configuration files, reports, network diagrams, and other data with a SpiderLabs tester in a simple, secure way. BONUS - you can keep all of your test data in a single location with PenTest Manager.
The screenshot below shows an example of how this can be used during a test to share files:
Major enhancements are planned for PenTest Manager in the summer of 2012. For additional info on PenTest Manager, check out the website and videos: https://www.trustwave.com/pentest-manager.php
We have just released the SpiderLabs Radio March Edition. This show is packed with interviews from various members of the team who are speaking at a bunch of different conferences around the Globe in the next month. We also hear some information about our new Threat Intelligence offering launched recently.
To subscribe to our iTunes visit HERE or to download directly visit HERE.
We are looking at doing this monthly now and next month we will hopefully have a little surprise for you...
