
AU1609_Tip 8/18/04 3:51 PM Page 1

[Figure: process flowchart of the ethical hacking framework. Phases, each gated by an Input/Output step: PLAN > RECONNAISSANCE > ENUMERATE > ANALYSIS > ATTACK > RESULTS > DELIVERABLE > INTEGRATE, with Quality Loop and Feedback Loop arrows back to earlier phases. Node labels recovered from the figure (grouping by phase reconstructed from label order and therefore approximate):
Plan: Policy, Existing Policy, Risk Analysis, Business Type, Threat Type (Script Kiddie, Hacker, Uber Hacker), Teams (Red Team, Blue Team, White Team), Business Objectives, Overall Expectation, Inherent Limitations, Imposed Limitations, Attack Type, Required Knowledge, Previous Test(s), Logistics & Engagement Plan.
Reconnaissance: Information Collection, Information Rationalization, Source Filter, Tools; Social Eng. (e-Mail, HelpDesk Fraud, People Fraud, Prowling / Surfing, Internal Relations, Identity Assumption, Account Data, Password Change, Organizational Structure); Physical Security (Observation, Dumpster Diving, War Driving, War Chalking, Theft); Internet Sources (Website, Domain Data, News Groups, Partner Data, Security Alerts, Vulnerability Reports); Intranet Data (Phone Lists, Network Map, Manuals & Policies, Passwords, Access Badges, Default Passwords, Default Installation).
Enumerate: Initial Discovery Scans, Ping Sweeps, IP Addresses, Nodes, Services (FTP/Telnet, HTTP/SMTP, Misc.), Protocols, Protocol Standards, ACL/FW, SNMP RMON, Operating Systems, Patches & Service Packs, Known Applications, Custom Applications, Miscellaneous Data, Domain Information, Partner Information, Network Map.
Analysis: Initial Deductions, Vendor, Attack Plan.
Attack: source points Internet, Intranet, Extranet, Wireless, RAS/ Extranet; targets Operating System (Windows Attacks, *nix Attacks, Appliance Attacks), Application (Web Attacks, Citrix/X, Custom), Network, Wireless Network, Phone Systems; Thread-1, Thread-2 ... Thread-n, collected into Group-n, each checked "Expected?" (Yes/No).
Results: Initial Results, Thread Results, Results Analysis, Final Analysis.
Deliverable: Warning, Critical, Tactical, Strategic, Informational, Remedial.
Integrate: Mitigation (Test, Pilot, Implement, Validate), Defense Planning, Architecture Review, Incident Management (Incidents: Detect, Identify, Isolate, Eradicate), Security Program, Process Review, Awareness, Policy.]

Starts with a Policy: Fully understanding the security policy of an organization is critical to the interpreted value of any security project.

All results must be evaluated against established expectations prior to progression.

Ends with a Policy: Fully integrating the results, the expectations for future security endeavors based on the test, and the overall objectives into the security policy is essential for value realization and a better ROI on future tests.

Risk is Key: The only method for ensuring a usable engagement document is to align it with the existing security policy, the understanding of risk, and the overall expectations (i.e., a comparison of the value of the test to the value of the data). Define an interpretation table and prioritize based on business demands, risk, and time.

Collect and Define: Leverage existing information security related data, combine it with the overall business objectives, and establish the expected outcome of the test.

Threats and Limitations: Evaluate known threats, tactics, and structure and compare them to existing information and expectations to devise an attack type, a profile of required knowledge, and the imposed limitations.

Management: Create teams, provide operational and communication protocols, and create metrics to ensure clear measurement of success or failure factors.

Learn and Use: Based on the level and scope of required knowledge, create a matrix of the information sought and the proposed collection tactic for each item, and use it to acquire information about the target. Intensity and scope are defined by the business objectives and threat type, which in turn establish the role the collected data plays in the remainder of the engagement.

Rationalize: Depending on the tactic, depth, provided data, timeframe, and overall vulnerability of the target or the amount of freely available information, all data can be normalized and compared to seek other opportunities to gain information prior to moving into the next phase.

Direct Technical Investigation: By using various tools and the specific information collected in the previous phase, systems, networks, services, and applications can be queried to gather empirical data on characteristics that can be used for an attack vector.

Vulnerability Analysis: Data from the Internet, product vendors, and even the target are reviewed for any documented alignment to a vulnerability.

Fix What is Broke: Based on the test's prioritized results, the first order of business is to address the remedial, risk-reducing elements.

Attack Strategy: Based on the information learned about the target, the overall objectives, expectations, limitations, and restrictions, an attack plan can be formulated. The data will promote the use of one source point over another, or any combination of the three primary types.

Quality Loop: Without a review of the initial thread results there is a greater possibility of losing valuable vulnerability information or affecting the value of the test through poor validation of a vulnerability thread.

Setup for Long-term ROI: Develop a clear operational and management structure to support full integration of the security recommendations, establish an Information Security Management Program, and prepare for the next test.

Groups of Threads: A thread represents a single attack; threads can be combined to represent the total impact of a collection of threads or vulnerabilities. Multiple groups represent a web of vulnerabilities founded on technical as well as management vulnerabilities.

Always Compare and Review: Review the thread and group data and combine them to formulate other attack scenarios if time permits. Additionally, evaluate the results against expectations and agreed-upon tactics. If the group results analysis continues to fall short of expectations, review the expectations of the test; otherwise you will not be prepared for the results.

Response: Developing an incident response plan will be one of the few investments that get better with time. Create, evaluate, and test a response plan, document the results and expectations, and prepare for the real thing.
