Gunter Ollmann IOActive
Despite morphing into vulnerability scanning and tick-box compliance in recent years, there is still a need for hardcore penetration testing. Sure, the bad guys continue to probe defences, scan open ports and enumerate visible services, but external attacks that exploit unpatched vulnerabilities and manage to breach corporate defences through the front door are an increasingly rare breed. Instead, the vast majority of successful attacks are based upon malware delivered through a barrage of social engineering, trickery and browser-level subversion.
Penetration of an enterprise network requires the defeat and subversion of multiple layers of defence - including anti-virus and intrusion prevention technologies. In order to test these defences, it is necessary to construct and deploy the same kind of advanced and stealthy malware as employed by the best cybercriminals. This paper explores new penetration testing methodologies designed to replicate current generation attack profiles and stress the layered defence model. Insight is provided into crafting custom malware for the purpose of corporate penetration and red-team exercises.
VB2013 takes place 2-4 October 2013 in Berlin, Germany.
The full programme for VB2013, including abstracts for each paper, can be viewed here.