Wednesday, July 31, 2013

Gaming Framework - Campaign Structure

We left off yesterday with some rambling on about games, newbs and context.  Oh, and some pentest application.

Let's back up.  In my opinion there are a few key items that separate a 'pentest' from a vulnerability assessment (with validation):

  • Pentests are focused.  VAs need to cover every system.
  • Pentests have a critical human element.
  • Pentests should be flexible (eww, what's that?  poke...).
  • Pentests should have as few concessions/constraints as is operationally, financially and time-wise possible.  They should be event based, unlike VAs, which are continuous, with open info sharing, etc.

With that in mind, let's dissect the DnD model (condensed as best I could).


The Catalyst

There are 4 main components (well, 3 and the DM).  We're first going to head down the 'Catalyst' path.  The catalyst in gaming is that event that sets our hero(es) off to their destiny.  This could be an attack on a town, someone being kidnapped, or waking up in a jail cell, not knowing how you got there or who you are (this is going to happen quite a bit this week in LV).

Ugh, Pwn'd Again

A system breach, a regulatory requirement, or a concerned CISO could all be catalysts that take us down the penetration testing path.  Whatever the case, our heroes, erm, testers just can't go storm the castle jumping on turtles.  This is especially true if our main objective is to train as well as assess.  Unlike actual gaming, where there is a steady progression towards the end boss, in penetration testing you can sometimes arrive at the loot in just a few hops.  This is the equivalent of the existing backdoor, the warp zone, the cheat code.

Sometimes, It's This Easy

Let's forget that, though.  Here we'll assume a simple progression towards an end goal, where information/access/credentials gained in one quest help you in the next.

Red Line = Main Path

The Campaign

All penetration tests should simulate some sort of campaign.  Campaigns, as opposed to drive-by attacks or skiddies, usually have a more formulated end goal/objective and involve more thought (stealth) in the actions taken.  Your vulnerability assessments and network monitoring should take care of the drive-bys/skiddies.

Once the main goal is established, it's time to adventure!  Your adventure could be broken up into multiple, chained quests (defeat the orc to get a sword that kills the dragon that drops the key that opens the dungeon to kill the boss for phat lewtz!!!).  Most quests will have an adversary or challenge that may include individual encounters (like how you keep defeating Bowser but he gets away).  You get the idea.

When you pentesterize this:

Campaign -> Quest Example (Can Loop Back Around)

Plowing through the red line without the blue line context is how we conduct our testing and training today (for the most part).  Tomorrow we'll start the walk through this process in depth and document our scenario more thoroughly.  (as long as I don't get a migraine =P)

Monday, July 29, 2013

Gaming Mindset - The DnD Way

Anyone who has spent time playing Dungeons and Dragons will tell you... have an imagination or GTFO. Without it, DnD or any other tabletop game is just an exercise in rolling dice and Excel sheets.

So why do we try to teach our young hackers with a lack of imagination? Because being the Dungeon Master is hard work, takes time/passion and a deep understanding of 'the rules'.  Gamification, while a nasty buzzword, does have applications to the real world of penetration testing.


The Real World...Doesn't Have to Be Like This

First The Problem

The most common complaint I hear about 'bad pentesting' is the lack of real-world context, or just a basic Nessus report (*shudder*).  Other problems include:
  • Too Many Constraints
    • "We want a pentest, just without client side attacks, web app, social engineering, physical attacks, phishing, etc."
  • Generic Technical Skills
    • IT folks trying to test, enterprise folks trying to test non-enterprise
  • Pentests That Aren't
    • Check-the-box pentests (to meet NIST, whatever)
    • Vulnerability assessments called pentests (buzzword)


Gaming Mindset As a Solution

There are a number of benefits that both directly and indirectly address common pentest problems.  Mainly, it allows the tester to elevate themselves above that of 'button pusher' and become more involved.  The tester/player now takes into context:
  • The System Environment  -  The Game World
  • The Users / Admin / Attacker  -  The Cast
  • The Team Leads (Target and Team)  -  The Dungeon Masters
From here, your newbie sword of pwnage that knocks over the imp outside the castle gates can have a tangible relation to the overall quest/campaign.

HAIL!  You Do 67 dmg.  Imp Vaporizes


Tomorrow I'll delve into the bag of cats that is my mindmap on this, introducing concepts of campaigning, setting, quests, NPCs, PCs, and raids?  Going to be fun.

LFM Mage Spec'd Metasploit

Sunday, July 28, 2013

Blogging the Obvious - 30 Days | 30 Posts

So a lot has happened in the past few days.  Like a geek country music song, I lost my iPhone, my contract was cancelled and I'm sure my laptop will die at any minute.

But let's forget that.  Time to start documenting the obvious...welp, the obvious to me.  Because what is obvious to some is not to others, and because I need some karmic retribution, I'll post here every day for the next 30 or so days.  Some things I've learned, maybe the hard way.