Penetration testing came about because of real world attacks. The industry quickly realized that we need to behave like the attackers to learn how to defend against attackers, and thus the penetration testing industry was born. Back then the approach to attacks was very paint by numbers. If an exploit was found it was released in raw format, possibly/probably perfected by others, and released. Our methodologies and detections for defense against these attacks were derived from this type of approach. This approach became very paint by numbers! The initial training on this concept was derived from real world attacks, and we have evolved that training but stopped a few years ago that quick mimicking the real attackers. Why did we do this? It isn’t because as an industry we didn’t want to advance it but it was because it became very difficult to. Why so difficult, because the times have changed, and people are not just giving out thing like they used to. Attackers don’t take that approach. They find a vulnerability/exploit and treat it very special, they understand it, they research all aspects of it, and then they weaponize it. This approach takes time and money and takes a Monet. Yes there are plenty of lookalike Monet paintings, but none have the brush stroke characteristics that true Monet paintings do. Are current approach to detecting and resembling real attacks is still very paint by numbers. Our commercial off-the-shelf tools are great tools, and can help something look like a Monet, but when you look at the brush strokes you can see it is a paint by numbers.
We will be reviewing some Tactics, Techniques, and Procedures (TTP) scenarios from real world attacks and showing the not so common differences between true attacker TTPs and current penetration testing methodologies, TTPs, and tools. This talk will focus on the binary aspects of these scenarios to show significant differences and some similarities of current attack patterns. This presentation is designed to show viewers the very low level details that we are overlooking in how to replicate true malicious attackers.This common trend to use off-the-shelf tools to conduct penetration tests has replaced a significant amount of tool writing which has and will help the industry, but this has come at an expense as well.