
Ikaros - An attack surface management framework for in-house teams

A presentation on Ikaros, an in-house attack surface management framework we built targeting product security teams.

Bharath

July 27, 2023

Transcript

  1. Ikaros
    An attack surface management framework for in-house teams


  2. The Team
    Prateek - Dev
    Bharath - ASM Techniques
    Praveen - Architect
    Pragya - Frontend
    Hitesh - Secret Scanning
    and the PhonePe Appsec Team


  3. Problem statement


  4. An organisation has an ever-evolving digital footprint and
    attack surface. Security teams need to discover new
    assets, identify exploitable threats, monitor them and
    alert on them continuously.


  5. What did we build?
    Ikaros: a lightweight, opinionated but flexible framework using open source tools to

    • Discover new assets
    • Identify exploitable threats
    • Monitor for new threats
    • Alert us on new threats


  6. What does it look like?
    Ikaros (image-only slides 6 and 7)

  8. A security framework feedback loop
    (diagram built up over slides 8 to 12; no further slide text)

  13. Ikaros - 10K Feet View
    Ikaros


  14. Ikaros - 10K Feet View
    Seed Information:
    • Root domain names
    • IP addresses
    • Network ranges (CIDR)
    Ikaros


  15. Ikaros - 10K Feet View
    Subdomain Sources: CT Logs, Search Engines, DNS Zone files, permutation scans, Scraping, Threat Intel APIs etc.

    Related domains: Passive DNS datasets, TLS/SSL Certs etc.

    We use tools like OWASP Amass, Project Discovery Subfinder, Chaos DNS datasets, AltDNS to perform discovery.

    In future, we will be able to identify related assets such as Code Repos & SaaS services etc.

    Ikaros
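The seed information on slide 14 and the subdomain sources on slide 15 feed a merge-and-scope step before anything gets scanned. The block below is an added example, not Ikaros code: it takes constructed records in the shape crt.sh returns for CT log matches plus a constructed free-text list (as a zone export or scraped page would provide), normalizes each name (wildcard labels, pasted URLs, trailing dots, case) and keeps only hostnames that sit under the seed root domains, so look-alike and suffix-colliding names from public sources never enter the asset inventory. The crt.sh record shape and all sample values are assumptions.

```python
"""Normalize subdomain candidates from passive sources and keep only in-scope names.

Added example (not Ikaros code). Assumes a crt.sh-style record shape
({"name_value": "a.example.com\n*.b.example.com"}); all sample data is constructed.
"""
import json
import re
from typing import Optional

# Seed information: root domains the security team owns (constructed).
SEED_ROOTS = {"example.com", "example.net"}

# Constructed records in the shape crt.sh returns for CT log matches.
CT_RECORDS_JSON = json.dumps([
    {"name_value": "www.example.com\n*.api.example.com"},
    {"name_value": "Staging.Example.COM"},
    {"name_value": "example.com.evil-lookalike.org"},  # out of scope: different registrable domain
    {"name_value": "mail.example.net"},
    {"name_value": "notexample.com"},                   # out of scope: a suffix match is not enough
])

# Constructed lines as a zone-file export or a scraped list would provide them.
OTHER_SOURCE_LINES = """
cdn.example.com.
internal.example.com
https://portal.example.net/login
www.example.com
"""

# Syntactic hostname check: dot-separated LDH labels, last label at least 2 chars.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$"
)


def normalize(name: str) -> Optional[str]:
    """Lowercase, strip URL schemes and paths, trailing dots and wildcard labels."""
    n = name.strip().lower()
    n = re.sub(r"^[a-z]+://", "", n)  # drop a scheme if a URL was pasted in
    n = n.split("/", 1)[0]            # drop any path component
    n = n.rstrip(".")
    while n.startswith("*."):         # "*.api.example.com" -> "api.example.com"
        n = n[2:]
    return n if HOSTNAME_RE.match(n) else None


def in_scope(host: str, roots: set) -> bool:
    """True only if host equals a seed root or sits under one (label-aligned)."""
    return any(host == r or host.endswith("." + r) for r in roots)


def collect_candidates(ct_json: str, extra_lines: str) -> set:
    """Merge names from a CT-log style feed and a free-text source into one set."""
    names = set()
    for rec in json.loads(ct_json):
        names.update(rec["name_value"].split("\n"))
    names.update(extra_lines.split())
    return names


def discover(ct_json: str, extra_lines: str, roots: set) -> list:
    """Return sorted, de-duplicated, in-scope hostnames; everything else is dropped."""
    result = set()
    for raw in collect_candidates(ct_json, extra_lines):
        host = normalize(raw)
        if host and in_scope(host, roots):
            result.add(host)
    return sorted(result)


if __name__ == "__main__":
    for h in discover(CT_RECORDS_JSON, OTHER_SOURCE_LINES, SEED_ROOTS):
        print(h)
```

The scope check is deliberately label-aligned (`host == root` or `host` ends with `"." + root`): a plain suffix test would accept `notexample.com` for the root `example.com`, and accepting unowned names is how an ASM inventory ends up scanning and alerting on someone else's infrastructure.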


  16. Ikaros - 10K Feet View


  17. Ikaros - 10K Feet View
    Assets:
    • Subdomains
    • Code Repos
    • SaaS subscriptions
    • Network ranges
    Ikaros


  18. Ikaros - 10K Feet View


  19. Ikaros - 10K Feet View
    Identify WAF/CDN/Load balancer: by analysing headers, IP ranges, DNS records etc.

    Identify Tech Stack: by analysing response headers, source code, behaviour patterns etc.

    Identify services: using Shodan Internet DB, Censys etc.

    In future, we will perform lightweight active scans to improve accuracy and coverage.

    Ikaros
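As an added example for the WAF/CDN identification step on this slide (not Ikaros code), the block below classifies each discovered host from its CNAME chain and its HTTP response headers, using constructed observations. The vendor signatures (CNAME suffixes and header names such as cf-ray, x-amz-cf-id and server: AkamaiGHost) are assumptions drawn from commonly documented behaviour and should be verified against your own traffic. Hosts with no signature at all are reported separately, because an origin that answers without a WAF in front is the finding a product security team most wants from this step; hosts whose DNS and header evidence disagree are flagged for manual review rather than guessed.

```python
"""Classify which CDN/WAF fronts a host from its CNAME chain and response headers.

Added example, not Ikaros code. Vendor signatures are assumptions based on
commonly documented behaviour; all observations are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Observation:
    host: str
    cnames: list = field(default_factory=list)    # CNAME chain resolved for the host
    headers: dict = field(default_factory=dict)   # HTTP response headers as captured


def _has(name: str) -> Callable[[dict], bool]:
    return lambda h: name in h


def _value_contains(name: str, needle: str) -> Callable[[dict], bool]:
    return lambda h: needle in h.get(name, "")


# (provider, CNAME suffixes, header predicates). Any predicate hit counts as header evidence.
# These signatures are assumptions; confirm them against traffic you control.
SIGNATURES = [
    ("Cloudflare", (".cdn.cloudflare.net",),
     [_value_contains("server", "cloudflare"), _has("cf-ray")]),
    ("Amazon CloudFront", (".cloudfront.net",),
     [_has("x-amz-cf-id"), _value_contains("via", "cloudfront")]),
    ("Akamai", (".akamaiedge.net", ".edgekey.net", ".edgesuite.net"),
     [_value_contains("server", "akamaighost"), _has("x-akamai-transformed")]),
    ("Fastly", (".fastly.net",),
     [_value_contains("x-served-by", "cache-"), _value_contains("via", "varnish")]),
]


def classify(obs: Observation) -> dict:
    """Return the single matching provider with its evidence, or None with a note."""
    headers = {k.lower(): v.lower() for k, v in obs.headers.items()}
    cnames = [c.lower().rstrip(".") for c in obs.cnames]
    matches = {}
    for provider, suffixes, predicates in SIGNATURES:
        evidence = []
        if any(c.endswith(suffixes) for c in cnames):
            evidence.append("dns")
        if any(p(headers) for p in predicates):
            evidence.append("headers")
        if evidence:
            matches[provider] = evidence
    if not matches:
        return {"host": obs.host, "provider": None, "evidence": [],
                "note": "no CDN/WAF signature; origin may be directly reachable"}
    if len(matches) > 1:  # DNS says one vendor, headers say another
        return {"host": obs.host, "provider": None, "evidence": matches,
                "note": "conflicting signatures; verify manually"}
    (provider, evidence), = matches.items()
    return {"host": obs.host, "provider": provider, "evidence": evidence, "note": ""}


def unfronted_hosts(observations: list) -> list:
    """Hosts for which no CDN/WAF evidence was seen at all (conflicts are excluded)."""
    return [o.host for o in observations if classify(o)["evidence"] == []]


# Constructed observations; CNAME and header values are made up for the example.
SAMPLE_OBSERVATIONS = [
    Observation("www.example.com",
                cnames=["www.example.com.cdn.cloudflare.net."],
                headers={"Server": "cloudflare", "CF-RAY": "0123456789abcdef-XYZ"}),
    Observation("static.example.com",
                cnames=["d111111abcdef8.cloudfront.net"],
                headers={"Via": "1.1 abc123.cloudfront.net (CloudFront)", "X-Amz-Cf-Id": "constructed"}),
    Observation("api.example.com",
                cnames=["api.example.com.edgekey.net", "e1234.a.akamaiedge.net"],
                headers={"Server": "nginx"}),
    Observation("origin.example.com", cnames=[], headers={"Server": "nginx/1.18.0"}),
    Observation("legacy.example.com",
                cnames=["d222222abcdef8.cloudfront.net"],
                headers={"Server": "cloudflare"}),  # DNS and headers disagree
]

if __name__ == "__main__":
    for o in SAMPLE_OBSERVATIONS:
        print(classify(o))
    print("no CDN/WAF in front:", unfronted_hosts(SAMPLE_OBSERVATIONS))
```

Header-only evidence (as with `api.example.com`, where the CNAME chain points at Akamai but the origin's own `Server` header leaks through) is common when the edge does not rewrite headers, which is why the two signals are kept separate in the output instead of being collapsed into one boolean.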


  20. Ikaros - 10K Feet View
    Ikaros


  21. Ikaros - 10K Feet View
    • Find all domains with valid DNS records (active domains)
    • For all active domains, find if they have services exposed to the Internet (passive scanning)
    • For all the services, identify the tech stack they are built on


  22. Ikaros - 10K Feet View
    Ikaros


  23. Ikaros - 10K Feet View
    • Find application vulnerabilities using patterns/templates. We use Nuclei, an industry-grade open source scanner.
    • Find CVEs affecting the tech stack of a service. In future, we will integrate this with the Sirius service.
    • Find leaked sensitive information across the Internet (in progress)
    Ikaros


  24. Ikaros - 10K Feet View
    Ikaros


  25. As a: Security Engineer
    I want to: be able to scan the attack surface of my org really quickly
    So that: I'm on top of the security issues without a delay


  26. Distributed scanning using Ray


  27. Ray is an open-source unified compute
    framework that makes it easy to scale AI
    and Python workloads.


  28. (image-only slide)

  29. As a: Ikaros user/dev
    I want to: have deep visibility into the Ikaros framework at run time
    So that: I can be sure of the scan completeness and debug issues


  30. Observability in Ikaros


  31. (image-only slide)

  32. As a: Product Security Engineer
    I want to: be able to feed the internal information available in the org to the tool
    So that: it improves the coverage of the tool


  33. • Ikaros supports feeding information that is available in the org, such as
      • Subdomains from the nameserver zone files (Route53 etc.)
    • Ability to have team-based alerting if the org structure is provided


  34. As a: Vulnerability Manager
    I want to: have insights into Ikaros findings in a non-technical, friendly way
    So that: I can communicate the information across the org


  35. Visualisation in Ikaros


  36. (image-only slide)

  37. Secret Scanning:
    • Takes its input from Ikaros assets: either subdomains, or keywords plus the org (e.g. ORG+AWS_KEY).
    • The scan depth (File, Repo, Owner) can be defined in the secret scanning tool.
    • Based on these parameters it crawls the GitHub APIs to find results matching the input provided by the user.
    • If results are identified, it clones the matching repositories and runs secret detection on them, according to the configured depth.

    The good thing about this tool: when you search for a keyword and that key is present in a file, it is identified, and the other keys in that file are easily identified as well. The tools that exist today identify only results specific to the input provided by the user, and manual observation is still required.


  38. (image-only slide)

  39. Future road map


  40. • Open source the project with documentation
    • More tools to be integrated == more coverage
    • Fine-tune the secret scanning engine
    • Report generation capabilities
    • Fine-grained control over which modules to run, and scheduling
    • Real-time scanning capabilities


  41. Thank you!
