
Killing the Pen Test & BSides Knoxville (with Adrian Sanabria)

Apr 26, 2018 · 59m 1s

Advanced Persistent Security Podcast
Episode 44
Guests: Adrian Sanabria
April 26, 2018
If you enjoy this podcast, be sure to give us a 5 Star Review and "Love Us" on iTunes; Like us on Google Play, Stitcher, Sound Cloud, Spreaker, and YouTube.
NOTE: The opinions expressed in this podcast are ours alone and do not reflect those of our employers.
Show Notes
In this episode, Joe is joined by Adrian Sanabria. Adrian is a co-organizer of BSides Knoxville and one of the founders of dc865. We discuss Adrian's background in technology and how he came into security in the days before PCI. Adrian talks about his transition into working at 451 Research in terms of terminology and industry analysis.
Joe and Adrian talk about Savage Security and RSA Conference. Adrian tells us about his (then forthcoming) presentation at RSA Conference, called "It is Time to Kill the Pen Test", and why it is important. He cites Haroon Meer's keynote at 44con in 2011 as a thought-provoking idea that spawned this.
Pen testing as a skill is not the problem; the service offering is. Adrian cites inefficiencies like vulnerability scanning and reporting at the same rate as the test. We talk about advanced attacks versus sticking to the basics. Adrian talks about prioritizing breach simulations and ransomware simulations over a pen test.
We talk about the scoping documents of pen tests and how they relate to actual attacks and their objectives. Not all adversaries attempt to get domain admin; others try to perform defacement or exfiltration. Adrian mentions Haroon's quote:
Pen testers are not emulating attackers. They are emulating other pen testers.
Adrian talks about the lack of responsiveness of blue teams during pen tests. We talk about the mentality of many attackers of wanting to "pwn the world" rather than enhance the security of an organization. Adrian calls for more "white box testing." Joe mentions the lack of analysis of OSINT as another inefficiency in pen testing. We also discuss the fact that dwell time is so high that expecting a black box test is almost unrealistic.
Adrian talks about some metrics associated with MSSPs detecting him when doing breach simulations. We talk about C2 and other indicators such as the use of Tor. We talk about how to make the industry better.
About Adrian:
Information
Author Advanced Persistent Security