As more Department of Defense (DoD) weapon and mission support systems become software dependent and networked, government agencies are being increasingly exposed to severe cybersecurity vulnerabilities. For DoD agencies and systems integrators, who support them, understand how pentesting can help secure next generation weapons and mission support systems. Pentesting has been around for decades, but with the technology evolution we’ve seen radical changes in today’s networks, including ubiquitous encryption, the death of the traditional network perimeter, and the advent of new end point devices, including a myriad of IoT devices. CompTIA’s chief technology evangelist Dr James Stanger on how pentesting has morphed, and you’ll learn the relevant skills that a pen tester should have today, how organizations use a pen tester, and how to usefully “digest” information gained from a pen test. Other topics covered include how the IT environment has changed radically in the last five years, pentesting challenges DoD agencies face today, responsible pen testing and the hacker lifecycle as well understanding the “hacker’s dilemma”. There's also a demo of responsible pentesting. For more information on CompTIA training, visit https://www.globalknowledge.com/us-en/training/course-catalog/brands/comptia/

1. Why Pentesting
is Vital to the
Modern DoD
Workforce
Presented by James Stanger, PhD
Chief Technology Evangelist - CompTIA
A+, Network+, Security+, MCSE, LPI LPIC 1
Works with IT pros, managers and executives
worldwide. Over 20 years of experience in:
• Penetration testing
• Security analytics
• Risk assessment
• Intrusion detection
• Linux and open source
• Network administration
• Virtualization
• Web technologies
• Certification development
• Courseware creation

2. © Global Knowledge Training LLC. All rights reserved. Page 2
Agenda
1. How the IT environment has changed radically
in the last five years
2. Pen testing challenges that DoD agencies face
today
3. Responsible pen testing and the hacker
lifecycle: Why does the pen tester even exist?
4. Understanding the “hacker’s dilemma”
5. The “hacker’s dilemma” and the hacker lifecycle
6. Mapping IoCs to steps in the hacker process
7. Responsible pen testing: A demo

3. How the IT environment
has changed radically in
the last five years

4. © Global Knowledge Training LLC. All rights reserved. Page 4
How the IT environment has changed
NEED FOR NETWORK
SEGMENTATION /
TRAFFIC
ISOLATION
CLOUD PROLIFERATION
• Automation
• Orchestration
DISSOLVED
PERIMETER
EVOLVING
ENDPOINT
• IoT / Mobile
• Sanctioned,
and otherwise
• Formal and
informal
tracking
• Data leakage
• Greater connectivity
GLOBAL MILITARY OPERATIONS
COMMAND AND CONTROL
INFRASTRUCTURE
• Modern equipment
• Legacy equipment
SECURITY
POSTURE
INCREASED NEED FOR
“POP-UP” NETWORKS
WORLDWIDE
ATTACK
SURFACE

5. Pen testing challenges
that DoD agencies face
today

6. © Global Knowledge Training LLC. All rights reserved. Page 6
Social engineering
• Most attacks are
perpetrated against
individuals
• Not misconfigured
systems
• Not software flaws
• Millions of potential
victims just waiting to be:
• Exploited
• Tracked
• Stolen from

7. © Global Knowledge Training LLC. All rights reserved. Page 7
Credential harvesting
• Stealing authentication
information
• User names
• Passwords
• Associated information
• The third most popular attack
• Involves
• Social engineering using
a “pretext”
• Phishing, spear phishing,
whaling
• Obtaining physical access
• Tricking individuals and groups of
users

8. © Global Knowledge Training LLC. All rights reserved. Page 8
Legacy devices and myriad platforms
• They are legion!
• Not just PCs, either
• Examples:
• Servers from 1990s to
now
• Mainframes
• Old notebook / tablet
• Communications
equipment (e.g., radio)
• Drone software
• Industrial
Control
System (ICS) / SCADA

9. © Global Knowledge Training LLC. All rights reserved. Page 9
Suspect implementations and platforms
• Domain Name System
(DNS) servers
• Recent auditing initiative
• Why?
• Talented teams tend to
get broken up and re-
deployed

10. © Global Knowledge Training LLC. All rights reserved. Page 10
Emerging technology
• The DoD uses emerging tech,
as well
• Examples
• Drones (not a contradiction
from the previous slide)
• Weapon guidance systems
• Communications
• Augmented Reality
• Infrastructure
• Robotics
• 3D printing
• Pumping, filtration, power

11. © Global Knowledge Training LLC. All rights reserved. Page 11
Increasing reliance on tech
• What isn’t on the network
or a computing device?
• Unprecedented reliance on
a relatively brittle set of
technologies
• How impact resistant is the
average PC?
• How much can be done to
affordably / reliably harden
something?
• Physically
• Logically
Therefore, increased risk

12. © Global Knowledge Training LLC. All rights reserved. Page 12
Lack of context
• “Situational awareness” is
paramount
• Commanders need to:
• Be aware
• Take proper action
• Need for:
• Ability to turn data into
actionable information
• Trend analysis
• Correlation
• Big data
• Cybersecurity perspective

13. © Global Knowledge Training LLC. All rights reserved. Page 13
Personnel upskilling
• Typical profiles
• They know how to use tech
• They don’t know how to
produce real-life solutions
with it
• Ages
• 18 – 22
• 23 – 28
• 30-something
• Issues
• Implications of actions and
decisions
• Older tech
• Generational issues

14. © Global Knowledge Training LLC. All rights reserved. Page 14
DevOps / DevSecOps / SOAR
 Intelligence platform
 Automation
 Orchestration
 Security Orchestration
Automation and Response
(SOAR)
– More than incident response
– Coordinates at multiple levels
 Contextualization
 Threat analysis
 IDS
 SIEM

15. Responsible pen testing
and the hacker lifecycle:
Why does the pen tester
even exist today?

16. © Global Knowledge Training LLC. All rights reserved. Page 16
Teamwork: red team / blue team
Courts
 To improve the blue team
 To create Indicators of Compromise
(IoC)
 Then, the blue team creates the
right thresholds and
metrics
 Responsible pen testing
– Why else would you
have these teams?
– Adjust tactics / strategy
Penetration
Testing / Vulnerability
managers
Security
Analysts
Blue team Red team
These teams work together with
management to create – and act upon –
useful metrics
This approach helps avoid the “whack-a-mole” approach to security

17. © Global Knowledge Training LLC. All rights reserved. Page 17
Searching for gaps - interstices
• “Space” where one technology connects with another
• The “hard to reach” places
 Where “meat space” and “cyber space”
converge
 ICS / SCADA systems
 Physical access to a building
 SMS/mobile and Web technologies
 SQL and Web servers (SQL injection)
 Domain Name Service (DNS)
 Networking systems, including 5g!
 Blockchain implementations!

18. © Global Knowledge Training LLC. All rights reserved. Page 18
The hacker lifecycle
Related to pen tester lifecycle
Many models Planning and scoping
Information gathering
Investigation
Clean up
Reporting
1
2
3
4
5
6
7

19. © Global Knowledge Training LLC. All rights reserved. Page 19
Models (attack, and security)
1. Lockheed cyber kill chain (https://www.lockheedmartin.com/en-
us/capabilities/cyber/cyber-kill-chain.html)
 Threat-based
 How to stop attacks
2. ATT&CK (https://attack.mitre.org
/wiki/Main_Page)
 Not just preventing threats
 How to find them once they’re in
3. NIST 800 blah, blah, blah
4. Carnegie Mellon CMMI

20. © Global Knowledge Training LLC. All rights reserved. Page 20
Tool overview (pen tester)
• Don’t
get lost in the
“tool parade”
• Know when to
use them, and
why
• Many other
tools available
for pursuing the
hacker lifecycle
Tools and job roles
Discovery
(e.g., OSINT tools, Shodan, Nmap, Maltego)
Penetration / persistence / action on objectives
(e.g., Metasploit, BeEF, peach, AirCrack-ng, Netcat, Burp Suite)
Crackers
(John the Ripper, THC Hydra)
Kali Linux or Parrot
(Debian/Ubuntu Linux – includes many tools)

21. The hacker’s dilemma
and the hacker lifecycle:
Mapping Indicators of
Compromise (IoC)

22. © Global Knowledge Training LLC. All rights reserved. Page 22
Look for indicators of compromise (IoC)
Locard’s exchange principle
 The perpetrator of a crime will:
– Bring something to the crime scene
– Leave something at the crime scene
 Essential for success
 Also for metrics
What does this mean for IT security?
 Map controls to indicators of
compromise
 Essential resources
– Servers (application layer)
– End users
– End points
 Processes

23. © Global Knowledge Training LLC. All rights reserved. Page 23
The hacker’s dilemma and security frameworks
DMV
Corrections
Municipal
County
State
Federal
Law Enforcement
Message Switch
 It’s vital to focus on identifying the hacker lifecycle
 Mitigation involves inhibiting the hacker as well as
detection and response
Copyright (c) 2017 Target
You can use any framework. It could be the NIST Cybersecurity
Framework,
or NIST 800-53 or COSO or ISO whatever.
Regardless of framework, the key is to create – and use – a matrix that
helps you focus your security activities as a company.

24. © Global Knowledge Training LLC. All rights reserved. Page 24
Activity Description Pen testing tool Security analyst tool
Discovery /
Reconnaissance
Use active and passive scanning
techniques to identify vulnerable
people, processes, and systems.
Whois, Shodan, Nmap, Metagoofil Phone call logs, End point log
files (e.g., Windows / mobile
phone logs)
Penetration Use social engineering to deliver attack
vector
End user / Metasploit, shell
commands
Antivirus, centralized logging
tools for end point and firewall
Pen / escalation /
lateral movement
Transfer the Windows SAM, or the
Linux /etc./shadow file.
Metasploit (includes Meterpreter),
BeEF
Active Directory / Keberos /
LDAP logs, SGUIL
Pen / Persistence Decrypt the accounts database file/info John the Ripper / Online password
cracking resources
Tripwire, Splunk
Persistence Insert a specific registry key to open a
port or activate a service such as the
Remote Desktop Protocol (RDP)
Meterpreter / BeEF, scripts Regshot, WinMerge,
RegistryChangesView
Action on objectives
/ Data egress
Obtain or change sensitive information Native tools on victim system Process Explorer, Snort, Sagan,
Bro, any SIEM tool
Lateral movement Identify pre-existing shares and stored
credentials
Native tools / Meterpreter AlienVault, Suricata

25. Responsible pen testing:
A demo

26. © Global Knowledge Training LLC. All rights reserved. Page 26
Discovery / Reconnaissance nmap -O 10.0.2.20
• Types
• Passive
• Active
• nmap – (active)
• Whois (passive)
• Maltego (passive)
• Shodan (passive_
• Web site
• Command line
• Used with
other applications

27. © Global Knowledge Training LLC. All rights reserved. Page 27
Nmap (active)
nmap -Pn -sS 10.0.2.20
nmap –O -sV -iL targets.txt
nmap -T3 -d 10.0.2.20 -oX stanger.xml
OS fingerprint, deep ports target file
Timing, debugging, output (XML)
Disable ping, SYN only
nmap -Pn -sT -D 192.168.0.2,193.5.6.7 10.0.2.20
Disable ping, full connect, decoy

28. © Global Knowledge Training LLC. All rights reserved. Page 28
Shodan (passive)
• Search engine –
passive scanning
• Spider service
reads banners
• Provides searchable
results
• The Google for
pen testers
• Three modes
• Web site
• API
• Application (Python)

29. © Global Knowledge Training LLC. All rights reserved. Page 29
Maltego – providing more (passive) context
• Information gathering
 Accurate
 Quick
• Visual representation
of how information
flows between
systems
• Interconnections
• Search
• Context-specific
• Helps find indicators
of compromise

30. © Global Knowledge Training LLC. All rights reserved. Page 30
Penetration / password dumping

31. © Global Knowledge Training LLC. All rights reserved. Page 31
When it goes wrong
 Not every attack
is successful at
first
 Sometimes, the
exploit goes too far
 Consider the IoCs
– System reboots
– Memory dump files

32. © Global Knowledge Training LLC. All rights reserved. Page 32
Overview of the hack – Using an online password
cracker

33. © Global Knowledge Training LLC. All rights reserved. Page 33
Persistence / upgrading

34. © Global Knowledge Training LLC. All rights reserved. Page 34
Courses
Security+
Certification Prep
Course
CASP+ CompTIA
Advanced Security
Practitioner Prep
Course
CySA+
Cybersecurity
Analyst+ Prep
Course

35. © Global Knowledge Training LLC. All rights reserved. Page 35
Learning More
GlobalKnowledge.com
For additional on-demand and live webinars,
white papers, courses, special offers and
more, visit us at…

36. James Stanger, PhD
jstanger@comptia.org
+1 (360) 970-5357
Twitter: @jamesstanger
Skype: stangernet
Thank you!
My CompTIA hub:
https://certification.comptia.org/it-
career-news/hub/James-Stanger
Latest articles and blog entries:
Two sides of the same coin: Pen testing and security analytics
Penetration, persistence, and future attacks (forthcoming, Admin Magazine)
What’s hot in network certifications (NetworkWorld)
Escaping the Cybersecurity Metrics Matrix (CompTIA)
Private Eye: Open source tools for automated pen testing Admin Magazine
Thoughts about the help desk (YouTube)
The Hunt for the Meaning of the Red team (CompTIA)
The IT security disconnect (HP Enterprise)
A blockchain manifesto? A report from the RSA 2018 Blockchain Focus Group
Cloud Orchestration with Chef – Admin Magazine
No more close shaves: Talking end user security
How CIOs can optimize ITSM software (SearchCIO)
Vulnerability management: How to target bug bounty programs (TechTarget)
My career change journey: The importance of networking
The role of the service desk in the cybersecurity kill chain (HDI)
How to prevent insiders from breaching your data (Forbes)
Threat Hunting with Yara – Admin Magazine
10 critical security skills every IT team needs (interview, CIO Magazine)
How AI can help you stay ahead of cybersecurity threats (CSO Magazine)
Don’t hack me, bro! (Admin Magazine)
At the hop: Security testing with hping3 (Linux Magazine)