![]() Or maybe use a 30$ thumbstick that can go through a shredder.Įveryone is jumping to a Red Team or pentest however, this is not the way to start. TBH, if I were a pentester, I'd only write your data to the disk through an encryption layer first using an arbitrary 256-bit key that exists on an easily destroyable piece of paper, and I'd still DBAN that disk afterwards. If they're successful, they're going to end up with your very important credentials or company data on their disk blocks at one point in time. Keep in mind that the entire reason you hired a pentester is to prove where you do or do not have security leaks. Any of your company's real intellectual property that the pentester was able to get ahold of, for instance, passwords, kerberos tickets, etc.The pentester's private intellectual property, which they don't want to leak.Things that could have been left in untouched blocks: Are you sure that the re-image is going to overwrite every single block on the disk? Imaging doesn't usually do that. I don't think a simple re-image is a good idea. Malware families are all fairly different from each other - just because you can block/detect one, doesn't mean you'll block/detect them all. Some firewalls and AV tools will be great at catching metasploit, but awful at catching emotet, trickbot, qbot, remcos RAT, etc etc etc. Metasploit (and similar) are great for overall evaluations, but is also not a holistic test for real world effectiveness. ![]() EICAR has no obfuscation, no simulation of using installed tools to operate, no command-and-control behaviors (for those using sandboxing/behavioral detection and prevention tools) and won't let you know what the effectiveness of your tools are against real world attacks.Įvaluating surface area offensively is what metaspolit is for It's basically a file that says "I'm evil, detect me!" whereas real world malware tries to hide from AV. The EICAR file does none of that, and is the lowest of hanging fruit anyway. Malware persistence and command-and-control comms are then established.Payload runs, unpacks itself, and infects the machine.Macros run and use powershell to download packed.Office document contains obfuscated VBS macros.Send weaponized office document via email.It will absolute not tell you how good your appliances are at detecting actual malware.įor example, many commodity malware campaigns that target just about everyone globally each week (emotet, if we want a very specific example) commonly follow the pattern of: The EICAR test file will tell you that your appliances are configured to inspect and alert. Testing AV detection through an infection vector is exactly what EICAR is for. "Front line admin, C-level1, C-level2, Manager1, Manager2, Manager3, OfficeP1, OfficeP2, OfficePn+1, ContractorProj1, ContractorProj2, SummerStudent1, SuperUser1, SuperUser2, etc)Ĭreate system user profiles (have some random batch jobs running somewhere?)Ĭreate test plans for malware use by each of the accounts identified Part of your testing process is going to be:Ĭreate identical user test profiles (e.g. Trust and access relationships by users to fileservers, other user computers, printers, other network devices ![]() Permissions granted on individual computers and fileservers Part of your documentation process is going to be: Write lessons learned, post-morteum, and project wrap up present project outcomes to C-levels Remove all network drops, remove all open and guest wifi from your corporate networkīuy alternate DSL or secondary connection to internetīuild a lab environment with multiple VMs and virtual systems replicating your production environmentĭecontaminate all equipment as being "potentially hostile": wipe and warranty Document project plan and receive sign-off from C-levelsĭocument your current environment, including switches, VLANs, IDS, packet inspection, firewall rules, file servers, AD groups, permissions.įind a secure and isolated room with a lock, restrict key to cleared personnel only
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |