Supercharge Your Security: How to Upgrade Your Pentesting Program to Get Better Results - (c) PentestCrowd 2019 - ETDA
Agenda
• Overview of bug bounty campaigns
• Case studies from famous campaigns
• Penetration testing stats in Thailand
• PentestCrowd, the first Thailand bug bounty platform
• Benefits to organizations and the security workforce
• PentestCrowd Closed Beta Campaign (with lite demo)
• Q & A

Evolution of Pentest Projects in Thailand
• 2010-2017: Project-based
• 2017-2019: Man day-based
• 2019-Future: Vulnerability-based
Department of Defense, USA
The first bug bounty program in the history of the Federal Government.
April 2016 – May 2016 (24 days)
• Time to first vulnerability report: 13 minutes
• Hackers: 1,410
• Vulnerabilities: 138
• Total cost: $150,000
• Cost per vulnerability: > $1,100

Department of Defense, USA
Nov 2016 – Dec 2016 (23 days)
• Time to first vulnerability report: 5 minutes
• Hackers: 373
• Vulnerabilities: 118
• Total cost: $100,000
• Cost per vulnerability: > $900

Department of Defense, USA
The most successful government-run bug bounty program in history.
June 2017 (25 days)
• Time to first vulnerability report: 1 minute
• Hackers: 272
• Vulnerabilities: 207
• Total cost: $130,000
• Cost per vulnerability: > $700

Department of Defense, USA: and so on...
• Hack the U.S. Air Force 2-3
• Hack the U.S. Marine Corps
• Hack the Defense Travel System
• U.S. Dept of Defense Vulnerability Disclosure Program

Ministry of Defence, Singapore
Singapore's first crowd-sourced security initiative and the first program of its kind by a government agency in Asia.
Jan 2018 – Feb 2018 (21 days)
• Time to first vulnerability report: 83 minutes
• Hackers: 264
• Vulnerabilities: 35
• Total cost: $14,750
• Cost per vulnerability: > $500

Singapore Government: and so on...

United Airlines
4 years, since 2015. Payout in miles instead of money:
• High: 1M miles
• Medium: 250k miles
• Low: 50k miles

United Airlines: get over 15 million miles!!
Ryan Pickren: 100+ vulnerabilities, 15+ million miles.

Facebook
8 years, since 2011. Total cost: $7.5M
2018:
• Hackers: 201
• Vulnerabilities: 700
• Total cost of 2018: $1.1M
• Cost per vulnerability: > $1,500
Vulnerability
• What does a vulnerability lead to?
Vulnerability: • IoT • People • Process • Technology
Penetration Testing
Automated vs. manual / Unskilled vs. skilled / Breadth vs. depth / Noisy vs. stealth (experienced)
A VA result usually tells you about missing patches, poor configuration, etc. But it will never answer "What could happen if someone tries to break in?"
What is Red Teaming?
Also known as: Cyber Drill, Cyber Exercise, Adversary Simulation, Threat Emulation.
Definition: A simulated operation involving planning, preparation, and execution that is carried out for the purpose of using Tactics, Techniques, and Procedures (TTPs) to emulate real-world threats, with the goals of training and measuring the effectiveness of the people, process, and technology used to defend the environment.
Types of Cyber Exercise / Red Teaming
Table Top
  Description: Paper-driven exercise with planned injects scripted by exercise planners and delivered via paper (cards/discussion).
  Complexity: This type of exercise can be planned and executed quickly, depending on the number of entities involved.
Hybrid
  Description: Paper injects with some live scenarios.
  Complexity: This type of exercise requires more planning and longer execution times.
Full Live
  Description: The exercise plan incorporates real scenarios and injects into the exercise. Paper injects are only used to stimulate if necessary.
  Complexity: This type of exercise requires detailed coordination and planning.
Why Red Teaming?
1. Better than a common TTX (table-top exercise) in terms of simulation and real participation
2. Train / measure the blue team
3. Test and understand specific threats and threat scenarios
4. Engage executives and business units in the exercise
(Diagram: a breadth-to-depth axis running from Vulnerability Assessment through Penetration Testing to Red Teaming, with "Pirate" and "Ninja" labels along the axis.)
Comparison
Goals
  VA Scan: Scan for all vulnerabilities and misconfigurations, then generate a list of vulnerabilities.
  Penetration Test: Find ways to exploit vulnerabilities and break what designers did not mean to, in order to determine risk.
  Red Teaming: Simulate the threats to measure and train.
Focus
  VA Scan: Breadth over depth
  Penetration Test: Balance between breadth and depth
  Red Teaming: Trophy
Time
  VA Scan: Short period
  Penetration Test: Medium to long
  Red Teaming: Medium to long
Tools
  VA Scan: Automated
  Penetration Test: Automated and manual
  Red Teaming: Mostly crafted for specific targets
Skills
  VA Scan: Minimal
  Penetration Test: Moderate to expert
  Red Teaming: Moderate to expert
Cost
  VA Scan: Low
  Penetration Test: Moderate to high
  Red Teaming: Higher
Qualification
• Technical skills
• Ethics
• Essential skills

Ethics

Technical Skills?
Capacity vs. Capability
Ecosystem

Process
1. Company starts a campaign
2. Researcher joins the campaign
3. Researcher submits a vulnerability report
4. PentestCrowd acknowledges receipt
5. PentestCrowd / Company verifies the report
6. PentestCrowd / Company approves the report
7. Company pays the researcher
Researcher happy :) Company happy :) PentestCrowd happy :)

As a Researcher
• Legal
• Skill improvement
• Recognition
• Playground
• Money
• Swag
• Thank you
• 3,000
There are rules!!!
• Test only in-scope systems; respect what is out of scope
• Avoid violating the privacy of others, destroying data, or disrupting target systems
• Use the official channel to discuss findings
• Follow the Vulnerability Disclosure Policy!!
As a Company
• More secure
• Responsibility
• Reputation
• Vulnerability handling policy
• Vulnerability disclosure policy

As a Platform
• Vulnerability disclosure policy
• Cost of campaign
• Signal vs. noise
• Community

Comparison with Traditional Pentest
• Time
• Personnel
• Scope
• Coverage
• Cost
• Methodology
Question: Does it replace traditional pentest?
• Can bug bounty replace traditional pentest?
Demo

PentestCrowd: Closed Beta Campaign Timeline
• 22-31 May: Researcher registration
• 3 Jun: Announce qualified researchers
• 10 Jun: Campaign start
• 28 Jun: Campaign finish
• Early July: Campaign wrap up / feedback / researcher pay out
• Mid July: Announce Campaign #2
• August: Public live!

Closed Beta Campaign: Hacking PentestCrowd
Coming in Jun 2019. Total campaign budget: 100,000 Baht.
Researcher registration starts now! *T&C apply

Closed Beta Campaign: Free Hack
Coming in Jul 2019. Total campaign budget: 100,000 Baht.
Eligible entities:
✓ Non-profit organizations
✓ Startup companies
✓ SMEs
✓ Education
Register your interest now! *T&C apply
Researcher: See you at the first campaign
If you love and are good at cybersecurity, come turn your skill into income and help build a safer society together. It's time for PentestCrowd.

Company: Start Your Campaign Now!
Faster, cheaper, reliable; pay only for the vulnerabilities found. It's time for PentestCrowd.
Q & A
Tel. 02-670-8980 | info@pentestcrowd.com | www.pentestcrowd.com

For Security Experts / For Corporations