Hello and welcome to another Penetration Testing Execution Standard discussion. Today we're going to get into background concepts with respect to levels one, two and three of information, or intelligence, gathering. So, quick disclaimer: any tools, or discussions or demonstrations of hacking tools, performed as a part of any of the pentest videos should be reviewed by the user. The tools should be understood by the user, and the laws and regulations for your given area should be understood as well. Don't do anything with a tool blindly, and ensure that if it is automated you're well aware of any risks that it may pose and anything that it may do outside of its described function.
Now, the objectives for today: we're going to get into what intelligence gathering levels are, why they are important with respect to information gathering, and why we need to be aware of the different levels of intelligence gathering. We're going to describe each of the levels of intelligence gathering with respect to levels one, two and three, and we're gonna give you some examples of each of those.
Now let's talk about what intelligence gathering levels are. So currently, within the PTES standard, there are three levels described, and they're not really defined. You don't have a general name for the levels; it's just level one, level two and level three. In providing those levels, they do give you a term, "think X." So, in this case, for level one it's "think compliance driven." Okay. And we'll talk about each of these in more detail, but level one is essentially the bare minimum, and whatever it is you're doing to be compliant with a standard: PCI DSS, HIPAA, whatever the case may be. Now, at this particular level, I'm not a huge fan, but it depends on what the client's need is and what they want to achieve. Remember, your goal is to identify risk, to tell them what could happen, what could be of concern, and where to reduce that risk, as a part of your profession.

Level two is where we get the most bang for the buck with respect to best practice, and aligning with best practice in our information gathering activities. Now, if the client only wants what's being offered in level one, then, you know, we have a responsibility to kind of advise and recommend. But if they want to do something contrary to that, that is their decision. As long as everything's in writing and clearly laid out in the contract, then there should be no issues there.

Now, when we get into level three, we're talking state-sponsored type activities, and so, one, that becomes more expensive, and we'll look at that and talk about that; as well, the amount of overall time that it would take to do these particular activities increases. So for each of these levels that you go through, there's a direct correlation there with cost in time and effort. So keep that in mind when thinking about these. So we're using level one to level three as the gauge for complexity, essentially.
So why is it important to talk about levels? Why would it even matter? Why should we care? Well, we want to think of it like the client's security practice: we have to have a way to gauge the maturity of the activity they want performed. And so this assists in understanding, again, time and effort constraints. If the client says, "Look, to have you here for a week, what is it that you can do, with reasonable expectation, in a 40-hour time frame that will give me a desired result?", we, as the subject matter expert, have a responsibility to be able to explain not only what it is that they're hoping to achieve and why we can or cannot align with that, but also be able to provide them some options in each of those given phases, so that we can closely align with their expectations. And again, like we were saying, this assists in meeting the expectations and goals for the overall engagement.

So an example of this would be a new client who has a very immature security posture and has never done a penetration test; they would not reasonably need level three information gathering performed, right? So I might need some vulnerability analysis and maybe a little level one information gathering to start understanding some weaknesses and some holes in my security posture, but no way do I need nation-state level open source intelligence gathering performed and conducted against my organization when I've never done anything of the manner before. So that's why it's important to kind of have a scale, really, so that we can learn to kind of whittle in what it is that a client or business is expecting us to achieve with that particular component of the test.
So let's talk about level one information gathering real quick. So, think again: compliance driven. Okay. And so when we talk about this, it's mainly a click-button information gathering process, almost always done entirely with automated tools. This is the bare minimum to say that we did information gathering for a penetration test. By no means would I go out and brag, you know, to other businesses: "Yeah, I got information gathering done, and when they found all this data they did X, Y and Z." This is bare bones, bare minimum. Acme Corp is the example here: it is required to be compliant with PCI, FISMA or HIPAA, so a level one information gathering effort should be appropriate to meet that. And so this is a good time to remind our particular client that compliance does not directly correlate to a strong security posture. So these two things do not equal one another. And so if you have a client who is concerned with a strong security posture while being compliant with PCI, HIPAA, FISMA, one of those areas, or maybe some other standard, then it may be best to recommend level two gathering at a minimum, and we'll discuss why that may be the case and why it may be important here in a moment.
So let's look at some brief examples for level one. And so really, what I did here was pull straight from the PCI DSS supplemental guide the definition of what it is that they're looking for and what they're doing: "Open source intelligence gathering is an important next step in confirming scope and determining that all appropriate assets have been included in the test." Essentially, in this case, newly discovered assets were vetted by the client to determine whether they would be included in the test. During this phase of the assessment, an additional disaster recovery site was identified in DNS, and the client confirmed this to be a warm backup in the event of failure; all relevant assets were added to the scope. And so really, that was the extent of what PCI DSS defines in that. And so you could really do some level one information gathering, open source intelligence search, using some tools like DNSDumpster. So, DNSDumpster: the thing I like about this particular tool is, I put in a domain name and it will try to map out MX records and other records, things of that nature, for that site. And so you may have a client that gives you a site name, a website name, and they give you some public IP addresses, and then you discover that there were some additional IP addresses present that weren't provided. And then you can ask, "Hey, why were these not included in the scope? What are these associated with?"
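To make that scope-vetting step concrete, here is an added Python example (not from the video or from PTES): it takes a constructed set of DNS sweep results and a constructed written scope, and lists what the client still needs to explain. The domains, addresses and record values are made up.

```python
"""Level-one scope vetting (added example): compare what an automated DNS sweep
turned up with what the client put in writing, and flag what is unexplained."""
import ipaddress
from collections import defaultdict

# Constructed sample scope, as a client might hand it over in the rules of engagement.
# 203.0.113.0/24 is a documentation range, not a real client network.
CLIENT_SCOPE = {
    "domains": {"acme.example"},
    "networks": {"203.0.113.0/28"},
}

# Constructed sample sweep results (hostname, record type, resolved address), shaped
# like what a DNSDumpster-style lookup returns once MX/NS targets are resolved.
DISCOVERED = [
    ("www.acme.example", "A", "203.0.113.5"),
    ("mail.acme.example", "MX", "203.0.113.9"),
    ("vpn.acme.example", "A", "203.0.113.14"),
    ("dr.acme.example", "A", "198.51.100.20"),  # warm DR site nobody mentioned
    ("acme-partner.example", "NS", "198.51.100.53"),  # other domain, unknown host
]


def in_scope_ip(ip, networks):
    """True when the address sits inside one of the client's written-in ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in networks)


def in_scope_host(host, domains):
    """True when the hostname is one of the scoped domains or a subdomain of one."""
    return any(host == dom or host.endswith("." + dom) for dom in domains)


def vet_scope(discovered, scope):
    """Return {hostname: [reasons]} for each discovered asset the scope does not cover."""
    findings = defaultdict(list)
    for host, rtype, value in discovered:
        if not in_scope_host(host, scope["domains"]):
            findings[host].append("hostname is outside the scoped domains")
        try:
            if not in_scope_ip(value, scope["networks"]):
                findings[host].append(
                    f"{rtype} record resolves to {value}, outside the scoped networks")
        except ValueError:
            pass  # value is a name rather than an address; nothing to range-check
    return dict(findings)


def questions_for_client(findings):
    """Turn the gaps into the questions raised before anything is touched."""
    return [f"{host}: {'; '.join(reasons)}. In scope, or documented as excluded?"
            for host, reasons in sorted(findings.items())]
```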
Maltego was also a great tool for doing some information gathering. I like theHarvester, so I use theHarvester all the time to try and collect email addresses and things of that nature that may be relevant to an organization. Recon-ng is a great tool. If you're just getting started in penetration testing, or this is your first time hearing about the tool, it works a lot like Metasploit and the Metasploit framework. And so once you get over that kind of learning curve with recon-ng, it combines a lot of the different things that some of the other tools are doing, like gathering email addresses, looking at domain information, DNS information, and then it can actually output to, you know, a pretty rudimentary report. But it would give you something you could put into a report or use to supplement other activities. And so these are just a few useful tools that you can look at for level one information gathering, but they're by no means the only tools that you can use in that particular area.
Now, level two information gathering is really where the PTES standard is putting the best practice stamp. And so this level can be a combination of tools used in level one and some manual analysis. So a good understanding of the business would be necessary here: physical location information, business relationships or charts, all of that would be things that you would want to collect and look at and try to draw out some type of correlation or relationship between those entities.

And so an example given: Widget Inc has to be PCI compliant but is interested in their long-term security standing. We discussed that compliance does not equal security. This is just an example that Widget Inc realizes that they need to be compliant, but they're also interested in their security posture and their long-term practices. And so it's acquiring several smaller manufacturers, and it wants to gain information at a level two state that would be appropriate for their needs.

So some examples here would be finding the org chart and extrapolating information from that: business relationships, such as who provides widget parts? Can we figure that out? Who provides legal services? What's the name of the HR company? All of that would be used to kind of create a relationship map, and we could use, you know, some components in Maltego to kind of lay out how the widget provider is going to be related to these other entities. Because when we talk about security posture and information gathering, we're really trying to collect data to help us to build a map, to understand where there could be a risk in these connections. And so if you do business with a cloud service provider, or you host information in the cloud, if that component, if that entity were compromised, what's the risk to your data set? If you've got a software vendor that has VPN access to your systems, how could that relationship compromise systems or cause risk? The sky is really the limit here, but you could use these data sets and a few others to start to kind of build this map of relationships between this entity, the core entity, and then, you know, sub-entities and other parties out there in the world. And then you could use that to essentially build a risk profile.
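As an added example, not from the video, here is one way to turn gathered business relationships into the kind of risk profile just described: the entities and relationship types are constructed, and the assumption is that only relationship types implying technical access (hosting, VPN, shared directory) count as a path from a third party to the client's assets.

```python
"""Level-two relationship map (added example): record the business relationships
gathered about the core entity and ask which client assets each third party could expose."""
from collections import deque

# Constructed sample edges (source, relationship, target), the kind you would pull from
# an org chart, a vendor list or a Maltego graph. Widget Inc and its partners are made up.
RELATIONSHIPS = [
    ("Widget Inc", "owns", "Customer DB"),
    ("Widget Inc", "owns", "ERP"),
    ("CloudHost LLC", "hosts", "Customer DB"),
    ("ERPVendor Co", "has VPN to", "ERP"),
    ("SmallMfg Acquired", "subsidiary of", "Widget Inc"),
    ("SmallMfg Acquired", "shares AD with", "ERP"),
    ("PartsSupplier Ltd", "has VPN to", "SmallMfg Acquired"),
    ("LegalFirm LLP", "advises", "Widget Inc"),
]

# Assumption: only these relationship types imply technical reach to the next node.
ACCESS_EDGES = {"hosts", "has VPN to", "shares AD with"}

def build_graph(relationships, edge_types):
    """Adjacency list restricted to relationships that carry access."""
    graph = {}
    for src, rel, dst in relationships:
        if rel in edge_types:
            graph.setdefault(src, []).append((rel, dst))
    return graph

def exposure_paths(graph, third_party, assets):
    """Shortest access path (BFS) from one third party to each client asset it reaches."""
    paths = {}
    queue = deque([(third_party, [third_party])])
    seen = {third_party}
    while queue:
        node, path = queue.popleft()
        if node in assets:
            paths[node] = path  # first visit in BFS order is the shortest route
        for rel, nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [f"--{rel}-->", nxt]))
    return paths

def risk_profile(relationships, core, assets):
    """{third party: {asset: path}} for every party with a route to client data."""
    graph = build_graph(relationships, ACCESS_EDGES)
    parties = {src for src, _, _ in relationships} - {core} - set(assets)
    profile = {}
    for party in sorted(parties):
        paths = exposure_paths(graph, party, assets)
        if paths:
            profile[party] = paths
    return profile
```

Parties with no access route (the law firm here) drop out of the profile, while an indirect route through an acquired subsidiary shows up with its full path, which is the kind of connection the manual analysis at this level is meant to surface.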
Now, this particular site is, this is a website, I didn't put that in there, but it's OSINT Framework. If you search "OSINT Framework" in Google, it will provide a website, and it will direct you to a multitude of websites based on the thing that you're looking to do. And so actually it may make sense, I'm gonna pull up a web browser and actually show you real quick, because me explaining it doesn't actually do it justice. And so this is the site name. And the thing that I like about this particular site is that it starts in this little bubble, and if you need to look for particular things like telephone numbers, usernames, domain names, IP addresses, you can do it all in this particular area. And so if I needed to find business records, it will actually take me to some sites that provide annual reports. And so some of this is free, some of this may have some pay. They've got a little dark web component here that provides some different directories, malicious file analysis, which is kind of OSINT, but not so much for what we're doing in level two.

So we're looking more like people search engines, social engineering networks; we may get more into the level three stuff, but if we're looking at domain names and information, their IP address data, email address information, those might be some things that you could use to start to figure out where places are and what's going on in each of these things. So if we're doing passive DNS, it's got several. Well, that was certificate authority, it clicked it, it's a little there. There we go. So, DNS history: DNSDumpster was one of the ones we talked about. So if I click this, it actually takes me straight to the site. And so I know this is a little bit of an impromptu introduction to that, but I thought it would be relevant to kind of show you that tool, and it really introduces you to a myriad of other resources. And so, with respect to what we're doing in this area, that OSINT Framework is probably a great place to start, next to Google, for anything else that you would be doing. And then the previous tools that we looked at are going to be relevant as well, and any other things that you want to use. So I know that was a little kind of sporadic, but I couldn't describe it without actually showing you a picture.
So let's go ahead and talk about level three information gathering here as well. So again, this is on par with nation-state, state-sponsored activities. This is more advanced pen testing. We're talking full scope, full spectrum: level one and two with a lot of manual analysis. You're cultivating relationships on social networks. You're doing deep understanding of business relationships. And so, for information gathering, you would spend weeks mapping out relationships, mapping out things that you would have thought would be irrelevant to the organization, in order to fully understand its current standing with respect to risk and what's really available out there. And so an example of this would be an Army red team that is tasked with analyzing and attacking a segment of the Army's network in a foreign country. And so they're really looking deep, deep, deep into that entity to look for weaknesses and ways that it could be taken advantage of.

And so I added some actual examples here for level three that were included on the PTES standard site. And so, looking at some of these, this could be things like purchase agreements, defense technologies, court records, political donations, social network analysis. I mean, political affiliation could have a lot to do with how an organization thinks and works. You could do, you know, a full review of each employee's social networking profile to try and find information about the organization, and maybe even find somebody that you could start a discussion with and potentially get additional data. You could look at purchase agreements to understand technologies. If you've ever looked at RFPs and things of that nature, those could be utilized as far as understanding what technologies are in the organization. Court records: and so, if you wanted to get, you know, information about the company as far as recent settlements or recent issues and things of that nature. So it can go very, very, very deep with respect to information gathering and with respect to those levels.
So with that in mind, let's do a quick check on learning, nothing too crazy today. True or false: level three information gathering is the lowest effort and easiest to gather. So, lowest effort, easiest to gather pieces of information. And, of course, we just got done talking about level three information gathering, so we know that that is false. Level three information gathering is one of the highest effort and most stringent processes within our information gathering levels. Level one is the simplest; level two is best practice, mid complexity; level three is high effort, high intensity, high manual process information gathering.
In summary, we described intelligence gathering levels and what those were, and we looked at why those levels were important. Remember that both of these things take part in proper scoping, expectation setting, and understanding of what the client's trying to achieve, and by breaking it down into levels we can better gauge the effort and energy we'll need to put into an engagement, as well as the tools we'll need to use. Remember that level one is primarily compliance driven. So while we always want to be on par with best practice, we have to remember that sometimes, you know, your client may just want to be compliant; they don't want to go any deeper than that. These tools are primarily quick to run, and whatever you get is what you get. Level two is what we consider to be best practice information gathering, where we're actually evaluating information sets in a manual manner, so we may do some checks for certain records, we may do some manual checks on DNS, we may do some cross referencing between entities, we may try to build out some business relationships in Maltego, but it's not super deep. So we try to hit the high-level areas and do some best practice gathering with respect to level two. And then level three is nation-state type analysis. So we're looking at everything from the kitchen sink to the street. We're looking at physical locations, business relationships, court records, financials, anything that we can get our hands on that would help us to gain an edge or extrapolate information about that organization. We're going to use level three information gathering for that. And so, all in all, take these things into consideration when you're building out your open source intelligence gathering program within your penetration testing, or when you're working to scope an engagement with a client. And again, all of these things and any of these activities would be well defined and covered in your rules of engagement prior to actually doing any of the work.

So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.