Sunday, November 20, 2011

Offensive Live Response


I haven't posted on this site much since I really haven't been working in the defensive operations side of things, but doing red team activities. Even though I've been doing red teaming I still think in terms of defense. In all honesty, I believe they go hand in hand due to the fact you need to understand how defensive measures are working in order to subvert them. Running snort sensors for 12 years has helped me gain a pretty solid understanding and some of the faults also. Lately, I have been working engagements and thinking of ways to provide an additional benefit other than "your security isn't up to par". This leads me to offensive live response and offensive forensics.



Let me give a little theory behind this. As a red team member we are focused heavily on adversary simulation along with exploitation. This leads me to a question: what happens when you are doing work for a business that does not have the visibility that you have? You yourself gain that visibility. Let me ask another question. As a pentester or red team member do you ever look for signs of other compromise when on a remote system? The truth is that I don't believe many actually think about doing this when in fact they could be walking on top of the footsteps of previous threats. What? Really? Yes, I hate to rain on the parade but there are groups of people that are smarter or have a wider set of resources that can compromise a system. Worse yet, what if this compromise happens to be APT related. So with this, I propose the idea of doing offensive live response on any of the systems that are compromised and have the appropriate groups look at it. If your company doesn't have a group that has live response scripts it really wouldn't be that hard to do with just a simple autoruns or possibly process memory dumping. The whole idea would be to just provide enough visibility on a compromised system without setting off alarms that you are there working or interrupting the service on that workstation/server.
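To make the "simple autoruns" idea concrete from the responder's side, here is an added example (not the author's script, and not a Sysinternals tool) that triages an autoruns-style CSV export collected from a host and pulls out the persistence entries an incident response group would want to look at first. The column layout is a constructed, simplified one modelled on an autorunsc CSV export; the sample rows, paths, entry names and signer strings are made up for the example, and the weights given to each signal are an assumption, not a published standard. Real exports carry additional columns such as file hashes, which would be handed to the IR team alongside this output.

```python
"""Triage an autoruns-style CSV export gathered during live response.

Added example for this post; not the author's code. Assumes a CSV with the
columns Entry Location, Entry, Enabled, Category, Description, Signer,
Image Path and Launch String (a constructed layout modelled on autorunsc
output). Only those columns are read, so extra columns are ignored.
"""
import csv
import io
import re

# Constructed sample export: three ordinary entries and two that a responder
# would flag. Every path, name and signer string here is made up.
SAMPLE_CSV = r"""Entry Location,Entry,Enabled,Category,Description,Signer,Image Path,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,Windows Security notification icon,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,Logon,,(Not verified),c:\users\jdoe\appdata\local\temp\updater.exe,c:\users\jdoe\appdata\local\temp\updater.exe -silent
HKLM\System\CurrentControlSet\Services,Spooler,enabled,Services,Print Spooler,(Verified) Microsoft Windows,c:\windows\system32\spoolsv.exe,C:\Windows\System32\spoolsv.exe
Task Scheduler,\Maintenance\SysHelper,enabled,Tasks,,,File not found: C:\ProgramData\syshelper.exe,C:\ProgramData\syshelper.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDrive,enabled,Logon,Microsoft OneDrive,(Verified) Microsoft Corporation,c:\users\jdoe\appdata\local\microsoft\onedrive\onedrive.exe,C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background
"""

# Directories that an unprivileged user can normally write to. A persistence
# entry pointing here is not proof of anything, but it earns a closer look.
USER_WRITABLE = re.compile(r"\\(temp|appdata|programdata|downloads|public)\\",
                           re.IGNORECASE)

# Assumed weights: a missing image or an unverified signer is a strong signal,
# a user-writable path or an empty description is a weak one.
WEIGHTS = {
    "image missing": 2,
    "unsigned or unverified": 2,
    "user-writable path": 1,
    "no description": 1,
}
REPORT_THRESHOLD = 2  # report entries whose summed weight reaches this


def parse_autoruns(csv_text):
    """Parse the export into a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def triage_entry(row):
    """Return the list of signals that apply to one autorun entry."""
    reasons = []
    image = (row.get("Image Path") or "").strip()
    signer = (row.get("Signer") or "").strip()
    description = (row.get("Description") or "").strip()

    if image.lower().startswith("file not found"):
        # Dangling entry: the binary was removed but the persistence remains.
        reasons.append("image missing")
    elif USER_WRITABLE.search(image):
        reasons.append("user-writable path")
    if not signer or "not verified" in signer.lower():
        reasons.append("unsigned or unverified")
    if not description:
        reasons.append("no description")
    return reasons


def triage(csv_text):
    """Score every entry and return those worth escalating, highest first."""
    findings = []
    for row in parse_autoruns(csv_text):
        reasons = triage_entry(row)
        score = sum(WEIGHTS[r] for r in reasons)
        if score >= REPORT_THRESHOLD:
            findings.append({
                "entry": row["Entry"],
                "location": row["Entry Location"],
                "image": row["Image Path"],
                "reasons": reasons,
                "score": score,
            })
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


def render_report(findings):
    """Plain-text summary suitable for handing to the IR group."""
    lines = []
    for f in findings:
        lines.append(f"[{f['score']}] {f['entry']} @ {f['location']}")
        lines.append(f"      image:   {f['image']}")
        lines.append(f"      signals: {', '.join(f['reasons'])}")
    return "\n".join(lines) if lines else "no entries above threshold"


if __name__ == "__main__":
    print(render_report(triage(SAMPLE_CSV)))
```

On the constructed sample this reports the scheduled task whose binary is gone and the unsigned Temp-directory Run entry, while the signed OneDrive entry under AppData stays below the threshold. The point is not the exact weights but the habit: a responder pulls the persistence inventory off the box, reduces it to a short list, and hands that list and the full export to whoever owns incident response.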
