This blog is meant for everyone who keeps asking me about Red Teaming and about accompanying me during such operations. The reason I normally refuse is that some of them don't have the minimal requirements that an operative should have.
Now remember, old-school BlackBox doesn't require Red Teaming, but with advanced technology and security threats, this part of testing has to be applied. Most pentest companies will tell you it's not part of BlackBox, since they have no idea how to do it, have no personnel, and would have to give you a substandard service.
You need to keep what you learn about the operation close until such a time as it's declassified and irrelevant. The name of the client organization and the vulnerabilities that they still have should not be known by the public or friends. Also, the target should not know when an attack is underway; everything should be as stealthy as possible. That's why Red Team is part of BlackBox Pentesting, especially during Clandestine Intel Gathering, Social Engineering and Physical Exploitation.
2. Strength and Speed
You have to be really fit, fast and strong. This is not a field for the weak and fatty fatty geeks who sit behind the desk all day; this is for the people who will pull themselves over a roof / fence, who can run a long distance, can sprint very fast over a short distance, can jump from one staircase to another, can go up the stairs to the target floor in a tall building and still type, and are also able to handle an oncoming threat in a hostile area. This is where a lot of you fail.
You can never be bought off by thugs to help them steal money from a bank.
You can never deny service to servers and infrastructure because DDoS is the only option you've got.
You don't brute-force until it's the last option.
Any machine, mobile technology, access cards and printed paperwork should be returned after the engagement.
You cannot hack back the network because the organization is taking forever to pay you.
You should never leak surveillance footage, even if it's explicit; it should be deleted.
4. Think on your feet
You should be able to react to a situation, make something up real fast, be a fast thinker and be good with words. Not many computer geeks are good at this, but you can learn.
5. On Ground Defense/Offense
You should have an idea of how to crack a safe, how to steal a wallet, how to plant an access point / flash disk, how to notice a weapon / gun type or whether somebody is armed, learn how to use a sidearm (not so necessary, unless contracted for Govt operations), learn how to spot a camera and other physical security devices, and be smart on the road and streets.
6. Financial Knowledge
It's vital to understand banking and other financial infrastructure and the applications used in banking, and to understand how these infrastructures work and which types of servers and operating systems are commonly used.
7. Adapt to any environment
During Threat Intelligence, one of the vital issues you will encounter is understanding the administrator who set up that network, the guard who is at the door, who set up the firewall/IDS and what their state of mind was. What are the inner workings of the IT team in this organization, and how do they relate to the users and their bosses? You should be able to adapt to any other situation that develops during the engagement. (I remember fixing a service I had messed up, before the administrator figured out the service had crashed.)
8. Perfect Liar
Social Engineering and Espionage require good liars. You gotta make up the perfect lie that will sell during an assessment.
So these are the most essential requirements during Black Box Penetration Testing; the others are equally important but not as essential.