This presentation was by Chris Nickerson, founder of Lares Consulting, and the goal was to talk about the use of layered attacks.

General types of threats, all of which a red team test should cover:

  • Social engineering/human: corporate/personal manipulation, bogus e-mails, physical intrusion, media dropping, phone calls, conversation, role playing
  • Electronic: application and business logic attacks, software vulnerability exploitation, …
  • Physical: break-in, theft, physical access, physical manipulation, violence
  • Malfunction/inherent: business logic flaws, software glitches, software coding holes/exploits, process breakdown, act of god/war/terrorism disruption, intended backdoors

Why red teaming?

How do you know you can put up a fight if you have never taken a punch?

Red teaming process: Information Gathering -> Vulnerability Analysis -> Target Selection -> Planning -> Executing the Attack -> Back to step 1

Process of Attack

  • Information Gathering: Research methods and useful information (spend most time here)
  • Vulnerability Analysis: Internal/external/hired/personal
  • Target Selection: Internal/external/hired/personal
  • Planning: Plan a, b, e, d, pie
  • Executing the Attack: Getting what you need and getting out.  Not getting greedy.  Getting out cleanly.

Corporate Attack Approach

  • External Direct: server/app attack
  • External Indirect: client side/phishing/phone calls
  • Internal Indirect: key/CD drops/propaganda/creating a spy
  • Internal Direct: social/electronic/physical/blended
  • Exotic Attacks: environment manipulation (pulling the fire alarm, etc to move people)

Information Gathering Tools

  • Maltego: The best attacks from the best intel (gives a graphical view of how all of the information interacts)
  • Metagoofil: Yer Dox on the net have Infos (Extracts information from internet documents)
  • Clez.net (External Profiling)
  • CentralOps.net (Network Profiling)
  • Robtex (Server Profiling)
  • Touchgraph (Show business relationships and links)
  • ServerSniff (Get tons of webserver specific info and verification)
  • Netcraft (usage info)
  • DomainTools (Domain info)
  • MySpace/Friendster/Twitter (know ya enemy)
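What the Metagoofil item in the list above is getting at is that documents a company publishes (DOCX, XLSX, PPTX, PDF) carry metadata: author names, the account that last saved the file, the office suite and version, sometimes the company name. Harvested across many files, that gives a username list and a software footprint to aim client-side attacks at. The following is an added example in that spirit, not code from the talk or from the Metagoofil project. It uses only the Python standard library and parses the two property parts of an OOXML package (`docProps/core.xml` and `docProps/app.xml`); the sample documents are constructed in memory, and the user, application and company names in them are made up.

```python
"""Document metadata harvesting (Metagoofil-style), standard library only.

Added illustration, not the talk's or Metagoofil's code. The sample documents
below are constructed minimal OOXML packages with made-up metadata so the
script runs offline; a real run would feed it files fetched from the target.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter

# Namespaces used by the two OOXML property parts (shared by docx/xlsx/pptx).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}


def build_sample_docx(creator, last_modified_by, application, company):
    """Constructed sample: a package holding only the property parts
    a harvester reads (no document body). Values are made up."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}">'
        "<dc:creator>{c}</dc:creator>"
        "<cp:lastModifiedBy>{m}</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    ).format(cp=NS["cp"], dc=NS["dc"], c=creator, m=last_modified_by)
    app = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Properties xmlns="{ep}">'
        "<Application>{a}</Application><Company>{co}</Company>"
        "</Properties>"
    ).format(ep=NS["ep"], a=application, co=company)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()


def extract_metadata(data):
    """Return the interesting fields from one OOXML file as a dict.
    Files that are not valid zip packages yield an empty dict instead of
    aborting the whole harvest."""
    out = {}
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return out
    with z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            for key, path in (("creator", "dc:creator"),
                              ("last_modified_by", "cp:lastModifiedBy")):
                el = root.find(path, NS)
                if el is not None and el.text and el.text.strip():
                    out[key] = el.text.strip()
        if "docProps/app.xml" in names:
            root = ET.fromstring(z.read("docProps/app.xml"))
            for key, tag in (("application", "ep:Application"),
                             ("company", "ep:Company")):
                el = root.find(tag, NS)
                if el is not None and el.text and el.text.strip():
                    out[key] = el.text.strip()
    return out


def harvest(documents):
    """Aggregate across many files. The user list feeds phishing and password
    guessing; the software list tells you which client-side exploits apply."""
    users, software, companies = Counter(), Counter(), Counter()
    for data in documents:
        meta = extract_metadata(data)
        for key in ("creator", "last_modified_by"):
            if key in meta:
                users[meta[key]] += 1
        if "application" in meta:
            software[meta["application"]] += 1
        if "company" in meta:
            companies[meta["company"]] += 1
    return {"users": users, "software": software, "companies": companies}


# Constructed corpus: three "published" documents plus one file that is not a
# document at all (simulates a mislabelled download).
SAMPLE_DOCUMENTS = [
    build_sample_docx("jsmith", "Jane Doe", "Microsoft Office Word", "Example Corp"),
    build_sample_docx("jsmith", "rjones", "Microsoft Office Word", "Example Corp"),
    build_sample_docx("Bob Lee", "jsmith", "LibreOffice/6.4", ""),  # empty company
    b"this is not a document",
]

if __name__ == "__main__":
    result = harvest(SAMPLE_DOCUMENTS)
    for section, counter in result.items():
        print(section)
        for value, n in counter.most_common():
            print("  %-28s %d" % (value, n))
```

Running it prints the user names ranked by how often they appear (the recurring short form, `jsmith` here, is usually the account naming convention), the office suites in use, and the company string. The empty `<Company>` element and the non-zip file are both skipped rather than crashing the run, which matters when you point this at a few hundred files pulled off a web server.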

Onsite Tools

  • BootRoot/SysReQ
  • Ophcrack Live
  • Helix/Backtrack
  • Core Impact
  • FireWire PCMCIA Card + Winlockpwn = Unlock
  • Switchblade + Hacksaw + U3 drive
  • Elite Keylogger
  • WRT + Metasploit = Cheap leave behind

Other Fun Toys Onsite

  • FlexiSpy (installs image on cell phone to read SMS, listen to phone calls, etc)
  • Pen cams
  • USB cams
  • Cell phone jammers

All of these different methods to test front/back/side doors don’t rule out the low-tech attacks.  You could spend a million dollars to prevent someone from hacking the server and they could just walk in the front door and take it.  It was a really good talk by a guy who really knows his stuff, and the only talk I’ve seen so far at the conference that wasn’t specifically about technical vulnerabilities.