A panel of experts including government and regulators discuss the importance of intelligence-led penetration testing frameworks for the assurance of critical functions that may be subject to sophisticated and persistent attacks.

Thank you to our panelists:

Rob Dartnall – Security Alliance
Tracey Jones – Bank of England
Pete Cooper – Cabinet Office; NCSC
Simon Clow – Context Information Security
Neil Fowler Wright - Hitachi Rail Europe

Stay up to date with CREST:
https://www.crest-approved.org/
https://twitter.com/crestadvocate
https://www.linkedin.com/company/crest-approved/

This CREST video is suitable for self-directed CPD

We spoke to Tom Ellson about his role as a Senior Cyber Security Consultant, technical books he'd recommend, how he sees penetration testing evolving and more.

CREST Penetration Testing Focus Group:
https://www.crest-approved.org/crest-penetration-testing-focus-group/index.html

JUMPSEC:
https://www.jumpsec.com/

Stay up to date with CREST:
https://www.crest-approved.org/
https://twitter.com/crestadvocate
https://www.linkedin.com/company/crest-approved/

CREST spoke to Rob McElvanney (Associate Director, Deloitte) about how his career began, the key thing you need to have to work in penetration testing, and what organisations should look for in a PT provider.

CREST Penetration Testing Focus Group:
https://www.crest-approved.org/crest-penetration-testing-focus-group/index.html

Stay up to date with CREST:
https://www.crest-approved.org/
https://twitter.com/crestadvocate
https://www.linkedin.com/company/crest-approved/

We interviewed Roy Hill about his career trajectory from a software engineer to running a pentest firm, the most important skills a pentester needs, and what organisations should look for in a PT Provider.

Stay up to date with CREST:
https://www.crest-approved.org/
https://twitter.com/crestadvocate
https://www.linkedin.com/company/crest-approved/

We interviewed Phil Lynch about his role as Principal Security Consultant, the most important skills a pentester needs, and why he joined the CREST PT Sub-Committee.

Stay up to date with CREST:
https://www.crest-approved.org/
https://twitter.com/crestadvocate
https://www.linkedin.com/company/crest-approved/

Bug Bounties – Working Towards a Fairer and Safer Marketplace With rapid growth in the bug bounty marketplace, the CREST Bug Bounties Report explores good and bad practice to establish how to better understand bug bounty programmes and how they fit into the wider technical assurance framework. It also highlights the need to provide advice to buyers of bug bounty services and protect the interests. Download the report at: https://www.crest-approved.org/wp-content/uploads/CREST-Bug-Bounties-2018.pdf

This CREST video is suitable for self-directed CPD.

Daniel talks about how a remote
attacker can compromise an ISP-provided
router using web-based methods only - no
screwdrivers or soldering irons required.
Multiple vulnerabilities are chained together to
compromise the router, leading to subsequent
attacks - such as being able to connect to the
customer’s Wi-Fi, hijack their DNS results, or
read their sensitive files from an attached USB
memory stick.
Daniel Cater is a Lead Security
Consultant at Context Information
Security. Previously a software
developer for an investment bank,
he now prefers trying to break things
rather than make things. He holds the CREST
Certified Tester for Web Applications certificate
(CCT App) and enjoys hunting for bugs in web
applications and web browsers, as well as
doing research into big data, cloud security and
consumer products.

This CREST video is suitable for self-directed CPD.

Saurabh Harit, Spirent talks about vulnerabilities that exist in 3rd party web apps at CRESTCon & IISP Congress

This CREST video is suitable for self-directed CPD.

Recently removed from OWASP Top 10, Cross Site Request Forgery (CSRF) vulnerabilities used to rule the world of web applications. Impressive in simplicity and effectiveness, CSRF was the plague that threatened to extinct multi-tab browsing. However, after years of “vaccination” with CSRF Tokens and other medication, CSRF is
dead. A plague of the past. Right? Well, not really. A few mutations, some unimmunised hosts and a bit of imagination can result in
the rebirth of CSRF into a deadly, ‘beautiful’ vulnerability. The presentation will cover common scenarios which can allow an
attacker to: pivot from the internet to your internal network; jump from one browser to another; uncover your secret internet
identities or unveil your darkest secrets. All the above scenarios, may sound apocalyptic and science-fictional, but can be reproduced because Cross-Site Requests are still fair
game. Long live CSRF!

This CREST video is suitable for self-directed CPD.

There is growing awareness of the information security threat landscape by organisations around the world, but the key challenge of how to stay up-to-date in order to mitigate the latest threats and exploits remains. Penetration testing provides a key route for enterprises to validate and improve information security programmes by bringing expert knowledge of cyber-attacks into the business in a controlled way. Already a requirement in the financial sector and within many other organisations, BCS, The Chartered Institute for IT, is working with CREST to address the needs of business and IT professionals in understanding the role and benefits of penetration testing, as well as identifying people, process and technology considerations, and common barriers to adoption.

This CREST video is suitable for self-directed CPD.

It is a common sight for red teamers to see their carefully-prepared malware beacon back, only to find that it's actually been detonated by a sandbox. Not only does this result in a compromise of the campaign and potentially of the malware, if it ends up being analysed and signatured, but it also usually means the domains used for infection and C2 channels are subsequently blacklisted.

SandGrox is the result of several months of research by the PwC Threat and Vulnerability Management (TVM) team. It is a compilation of over a hundred checks for sandbox technologies - some already known and publicly available, but still sometimes successful and some new. Early testing indicates that SandGrox is able to distinguish between bare metal machines and sandboxes and virtualised environments, with high rates of accuracy.

The emphasis of the SandGrox project is on detecting sandboxes, so that upon detecting a sandboxed environment, malware can immediately terminate and self-destruct, avoiding the problem of having domains and IP addresses blacklisted and reducing the risk of malware being reverse-engineered and signatured by antivirus engines. However, SandGrox also includes several techniques for bypassing sandboxed environments - again, some old and some new. Matt will present some of these techniques, lessons learned whilst doing the research, and outline some suggestions for future work in this area.

Matt is a penetration tester on the Threat and Vulnerability Management (TVM) team at PwC, and leads the team's research capability. Prior to joining PwC, he worked in law enforcement, leading a technical R&D team. His research interests include antivirus technologies, exploit development, and RF security.

This CREST video is suitable for self-directed CPD.

Want to know how the private & public sector partners uncovered & disrupted one of the largest ever sustained global cyber espionage campaigns? Allan Carchrie & Jason Smart provide their personal accounts of responding to intrusions connected with APT10 and how critical an end-to-end response is when it comes to tackling Advanced Persistent Threats. They will walk through the necessary steps needed to defend your network, focusing on the key elements of detection, response and threat intelligence.

This CREST video is suitable for self-directed CPD.

Nation state threat actors are known to employ some of the more sophisticated tactics, techniques and procedures (TTPs) for the purpose of gaining and maintaining access to a target organisation, operating surreptitiously and ultimately performing exfiltration of sensitive data. This talk aims to elaborate on some of the more advanced and effective TTPs observed by HPE’s Digital Investigation Services team, and look at how these may be leveraged to enhance red team penetration testing.

This CREST video is suitable for self-directed CPD.

At CRESTCon 2016: This talk focuses on a series of relatively unknown malware families used by attackers in 2015. Despite being used by a variety of different threat actors, from different regions of the world - these malware families share two things in common - their use of JavaScript and their role in the theft of data for espionage purposes. Whilst the use of JavaScript in terms of malicious redirected and occasionally in malware installation is well documented - there are very few examples of malware written entirely in JavaScript. But as we will discuss in our talk, there are many advantage to writing malware in JavaScript.

Thomas and Chris will explain how they came to identify each malware as being interesting in the first place; the themes of the campaigns run by the threat actors using the malware; the methods by which the attackers initialise the malware, methods by which the malware persists, and some cool tricks used to encode the malware; and the defence mechanisms that can be bypassed by using JavaScript based malware.

This CREST video is suitable for self-directed CPD.

ZigBee is one of the most widespread communication standards used in the Internet of Things and especially in the area of smart homes. If you have for example a smart light bulb at home, the chance is very high that you are actually using ZigBee by yourself. Popular lighting applications such as Philips Hue or Osram Lightify and also popular smart home systems such as SmartThings are based on ZigBee. New IoT devices have often very limited processing and energy resources. Therefore they are not capable of implementing well-known communication standards like Wifi. ZigBee is an open, public available alternative that enables wireless communication for such limited devices.
ZigBee also provides security services for key establishment, key transport, frame protection and device management that are based on established cryptographic algorithms. So a ZigBee home automation network with applied security is secure and the smart home communication is protected?

No, definitely not. This talk will provide an overview about the actual applied security measures in ZigBee, highlight the included weaknesses and show also practical exploitations of actual product vulnerabilities.

This CREST video is suitable for self-directed CPD.

Context has identified design flaws and software vulnerabilities in a next generation smart IP camera, which allow an attacker to control the camera remotely behind a NAT router, steal passwords and keys, gain a foothold on your network and redirect the alerts and video to them, all from the click of a link. This particular cloud security device has been demonstrated to be a hidden security risk on a private network and Context believe the vulnerable code is present on other brands of smart IP cameras also.

This CREST video is suitable for self-directed CPD.

James Chappell, CTO, Digital Shadows: Threat Intelligence – Marketing Hype or Innovation

Cyber Threat Intelligence has become an increasingly prevalent term in the information security (Cyber) industry with vendors of all shapes and sizes using this buzzword to justify to their customers that this is the right thing to be focusing on. Of course, in talking to a vendor, they’ll say this is a buy-once-solve-everything type purchase. There are a diverse range of technical, analytical and public information products that seem to carry information about ‘bad people doing things’

At the same time attackers, fraudsters and criminals are innovating their capabilities in increasing pace, traditional anti-fraud or security is a zero sum game, with the best situation being that no incidents occur, this is already a losing battle. So if we need this new set of capabilities how should an organisation go about procuring the right thing and how much is actually useful? And how would an organisation decide when they’ve done ‘enough’ of it to be meaningful.

James has over twelve years’ experience of technical information security acting as an advisor to large private sector and government organisations. Much of his work has involved counteracting the growth of crime and fraud in computer networks and developing effective ways of measuring and managing the information security big picture.

Dave Hartley, Managing Security Consultant, MWR: Fracking with Hybrid Mobile Applications

The talk provides information on how hybrid applications work (under the hood) on common mobile platforms (e.g. Android, iOS, Windows Phone and Blackberry), presents an overview of the attack surface, highlights weaknesses in commonly deployed defences and discusses how attackers can compromise hybrid applications.

Hybrid mobile applications combine the features of web applications and “native” mobile applications using cross platform languages such as HTML and JavaScript. Hybrid applications are usually developed using application frameworks such as PhoneGap. The frameworks and/or development approach provides an embedded web browser (WebView) that executes the application’s web code (HTML/JavaScript) and provides a “bridge” that allows the web code to access local resources on the device. There are a number of pros and cons to this approach, from both a technical and business perspective. There are a number of security considerations for developers, testers and the business to fully understand before the approach can be utilised and/or the applications assessed.

Dave Hartley is a Principal Security Consultant for MWR InfoSecurity. He is a CHECK and CREST Certified Consultant (Application and Infrastructure) and has been working in the IT Industry since 1998. His experience includes a range of IT Security fields and disciplines. Dave is also a published author (SQL Injection Attacks and Defenses 1st & 2nd editions), Metasploit framework contributor and has presented research at several international respected security conferences such as 44CON, BSides, CRESTCon, Sec-T, ZACon, DeepSec, T2 etc.

Steve Elliott, Application Developer, Context: RDP-Replay – The story Behind the Tool

It started with a simple question from one of our network intrusion analysts: “I have a PCAP of RDP. Steve, what can you get out of it?” This talk will explain where this question led, including the discovery of a mature APT (Advanced Persistent Threat). This in turn led to detection of other compromised computers in the enterprise, the discovery and processing of the C2 (Command and Control), through to eventual remediation. This presentation will look at RDP as a protocol, its variants, how to process it, what is involved in dealing with the encryption, and show what is in the encrypted data. The presentation will also take a look at some of the tools and techniques used by the threat actor, how they work, and the processing of their comms.

Although Steve graduated as a mathematician, he has been involved in programming and networks all his career. He was a pen tester in CESG when the initial CHECK scheme was set up, but foolishly left without passing the assault course he helped to organise! For the last 3 years he has been at Context, working on bespoke data processing, binary and network analysis, and threat detection.

Cam Buchannan, Principal Consultant & Adrian Nish, Head of Cyber Threat Intelligence BAE Applied Intelligence: Intelligence led Penetration Testing - applying attack tradecraft and tools

As cyber-attacks become have become sophisticated and prevalent, it is key that penetration testing evolves accordingly to continue to add value to the organisations that use it as a key security control. Utilising threat intelligence and OSINT as the scoping tools to make a penetration test bespoke, relevant and realistic to our clients is something that BAE Systems is currently focussing on. Part of our approach involves collecting, repurposing and mimicking real attack toolkits and techniques that are attributed to threat actors that we have collected through our Threat intelligence and incident response work.

The focus of this presentation is how to use both general threat intelligence and recovered attack toolkits to define and deliver this type of highly focussed testing. It will use references to examples of tool repositories we have access to, malware we have reverse engineered and tools we have written to replicate real attacks.
The audience should leave the presentation with an understanding of the process of turning a threat intelligence report into a set of actionable tests, that emulate the behaviour of distinct attack groups and tools and how they might apply this to future STAR and intelligence led penetration testing assignments.

Cam Buchanan is a penetration tester from BAE Systems with three years of experience in ethical hacking. His book “Kali Linux CTF Blueprints” was recently published and he is currently working on his second. His experience stretches across all sectors and he specialises in the scoping and delivery of Mobile, Red Team and Web Application penetration tests.

Adrian Nish is an Associate Fellow at RUSI and subject matter expert on cyber security. With experience both in investigating the technical components of attacks, as well as their socio-political drivers, Adrian regularly advises both businesses and governments on cyber issues. Adrian is the Cyber Threat Intelligence team lead at BAE Systems and holds a PhD in Physics from the University of Oxford.

This CREST video is suitable for self-directed CPD.

Daniel talks about his internship at Nettitude

Adrian Winckles, OWASP & Anglia Ruskin University talks about OWASP, InfoSec courses available - such as digital forensics - and provides advice to people who want to join the industry

A day in the working life of Matthew Gough, CHECK Team Leader, Nettitude. Mathew talks about his role and provides advice for people who would like to progress in the industry

Thomas and Ben, penetration testers at HP talk about the best and worst of the job and provide advice for people who want to enter the industry.

Andy Hornegold, Security Consultant at Context Information Security talks about a typical working day and gives advice for anyone who wants to get into the technical security industry

A day in the life of Alex Chapman, Senior Assurance Consultant and Researcher at Context Information Security. Alex covers a typical working day, the best parts of his jobs and how to get into the industry

Paul Pratley, Verizon, talks about his presentation at CRESTCon & IISP Congress - The world of cyber crime and espionage

Andy Davis, NCC Group, talks about his presentation at CRESTCon & IISP Congress: Fuzzing the easy way, using Zulu

Tim Varkalis, penetration tester at PWC talks about a day in his working life and provides advice for getting into the industry

Robin Fewster, Selex ES talks about his presentation- A 360 degree view on penetration testing - at CRESTCon & IISP Congress 2014

Rowland Johnson, CEO, Nettitude talks about his typical working day and gives advice to people who want a career in the information security industry

Ian Whiting, CEO, Titania talks about a typical day in his working life and gives his advice on a career in Information Security

Simon Clow, Context Information Security talks about his presentation at CRESTCon & IISP Congress 2014: Exploiting hardware management subsystems (aka "iLO iLO, it's off to work we go!")

Adrian Davis, ISC2, talks about his presentation at CRESTCon & IISP Congress 2014: What does tomorrow look like? The evolution of threats.

Daniel Cannon, security consultant talks about his role at IRM, working as a team and what a typical day at work is like.

Dylan Botha, technical consultant at IRM talks about how and why he got into the technical security industry

Andy describes what it's like to be a pen tester

Chris from Nettitude tells us how he became a pentester, discusses the highs and lows of the job and gives his advice to people thinking of getting into the industry

Sarah from SensePost explains how she got started in ethical hacking

Rodrigo from SecForce tells us how he became a pen tester and what drew him to the industry

Owen from Context explains how he got into the information security industry and what a day in his working life is like

Jonathan from PwC gives us his account of how he got into pentesting

Chris Ensor, NCSC talks about his presentation at CRESTCon & IISP Congress 2013 - 'Building capacity to meet today's cyberthreat'

Kevin O'Reilly from Context talks about his presentation at CRESTCon & IISP Congress that covered some of the more interesting security bugs that have been found in the Cloud and the new techniques that have to be used to perform these types of assessments.

Jason Creasey talks about the CREST guide to the procurement of penetration testing services