
Automated Human Vulnerability Scanning with AVA

Laura Bell
August 06, 2015


Presented at BlackHat USA 2015 by Laura Bell (SafeStack)




  1. Laura Bell, Founder and Lead Consultant - SafeStack, @lady_nerd, laura@safestack.io, http://safestack.io. Automated human vulnerability scanning with AVA

  2. #BHUSA #protectyourpeople. To join the discussion (but play nicely please)

  3. This talk might make you feel uncomfortable. Sorry.

  4. …I want you to feel uncomfortable

  5. I like people

  6. Border Security, Application Security, Threat Intelligence

  7. people are the path of least resistance

  8. In this talk: The Problem (the need for and lack of human defense); The Tool (we built AVA… and we think you might like it); The Challenges (building human security systems is hard…)

  9. we are comfortable when we talk about technical vulnerability

  10. we do not empathise or sympathise with machines. They are inanimate objects.

  11. technology is only part of the security picture: technology, people

  12. technical systems are: reviewed, scanned, penetration tested

  13. processes are audited

  14. what about people?

  15. The problem with people

  16. human vulnerability is natural

  17. fear of rejection, fear of exposure, fear of physical harm, fear of loss

  18. love

  19. humans are sufficiently predictable to make it suitably annoying when we fail to predict their behaviour.

  20. The modern approaches

  21. compliance has us racing to the bottom

  22. we watch video training or e-learning; we make posters; we tick boxes

  23. Security Awareness Education really sucks

  24. Posters don't work. Stop it

  25. this is not how people learn; go ask the education and psychology communities

  26. (no text on slide)

  27. we shame the human victims of human security attacks* (*while secretly doing the exact same things)

  28. we forget that we are a connected species

  29. why don't we actively assess and test our human security risk?

  30. we don't test because it's too easy

  31. people can't be taught; people are lazy; people are stupid

  32. s/people/we/g

  33. we don't test because it makes us feel uncomfortable; because we don't want people to get hurt; because it's hard; because we don't know how to fix it; because we don't want people to get fired

  34. border devices are not enough

  35. AVA

  36. A first generation proof of concept 3-phase automated human vulnerability scanner

  37. Know (PHASE 1)

  38. We don't know what our organisations look like

  39. Human security risk is magnified by connection

  40. Active Directory, Twitter, LinkedIn, Facebook, Email providers: People, Identifiers, Groups, Relationships, Data

  41. Location, Time stamps, Sender, Receiver, User agent, friends, contacts, frequency, aliases, profiles, Last login, Pw Expires?, Disabled?, Influence, Admin?

  42. test (PHASE 2)

  43. Threat injection and behaviour monitoring

  44. Attack vectors that mean something: Email, Social Networks, Removable Media, Files and honeypots, SMS

  45. Email attacks that go beyond phishing: Email phishing, Internal request, social panic, Direct request, External request, favour, authoritative

  46. The URL may be different on different messages.

      Subject: Security Alert: Update Java (*See Kronos Note)
      Date: February 22, 2013
      **********************************************************************
      This is an automatically generated message. Please DO NOT REPLY.
      If you require assistance, please contact the Help Center.
      **********************************************************************
      Oracle has released an update for Java that fixes 50 security holes, including a critical hole currently being exploited in the wild.
      The IT Security Office strongly recommends that you update Java as

      User generated and publicly sourced attacks

  47. Removing the boundaries between business and personal

  48. Instant, scheduled and recurring. Security fails when it is treated like a special event

  49. Give the option of succeeding and reinforce good behaviours

  50. analyse (PHASE 3)

  51. Behaviour vs. time

  52. Measuring impact of training

  53. And now for something a little bit different

  54. Bridges, weak links and targeting

  55. Pivoting and propagation

  56. You know what would be fun? Predictive risk behaviour analysis

  57. Technologies: Django, PostgreSQL, Celery, Redis, Bootstrap, Open source, GPL, Docker. Integrates with Exchange, AD and Google Apps for Business

  58. The inevitable demo

  59. (no text on slide)

  60. Case studies

  61. The process
      • Candidate and volunteer requests submitted to social media and contacts
      • Volunteers briefed
      • Removed volunteers including children, students or health data
      • Active Directory users and groups collected from Active Directory server and stored in JSON files
      • JSON files processed to remove personal information
      • AVA Know used to parse and identify patterns

  62. You want to show this at BlackHat? LOL. Wait, you're serious? Nope. Nope. Nope. Nope. Nope. Nope. Nope. Nope. Yes! … please? … yes?

  63. 540 people and identities; 3 organisations; public and private sector; education and commerce

  64. 19 administrator accounts; 400 non-expiring; 4 groups per account; 35 never logged in; oldest password = 11 years; newest password = 3 months

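The case-study process (slide 61) and its findings (slide 64) amount to a small pipeline: parse an Active Directory export saved as JSON, strip personal information, then count the hygiene problems. The following is an added example of that pipeline and is not SafeStack's AVA code. The attribute names, the four sample accounts, the list of groups treated as administrative and the hashing salt are all assumptions made for this illustration.

```python
"""Added example, not SafeStack's AVA code: pseudonymise an Active Directory
user export stored as JSON and compute the account-hygiene figures the case
study reports (admin accounts, non-expiring passwords, groups per account,
never-logged-in accounts, password age).  Attribute names, sample records,
the admin group list and the salt are assumptions for this illustration."""
import hashlib
import json
from datetime import datetime

# Reference date for age calculations (the talk date, assumed).
NOW = datetime(2015, 8, 6)

# Constructed sample export of four accounts.  Attribute names follow common
# AD exports but are not taken from AVA's own schema.
SAMPLE_EXPORT = json.dumps([
    {"sAMAccountName": "alice", "displayName": "Alice Example",
     "mail": "alice@example.invalid", "telephoneNumber": "000",
     "memberOf": ["Domain Admins", "Staff", "VPN Users", "Finance"],
     "pwdLastSet": "2004-05-01", "lastLogon": "2015-08-01",
     "passwordNeverExpires": True, "disabled": False},
    {"sAMAccountName": "bob", "displayName": "Bob Example",
     "mail": "bob@example.invalid", "memberOf": ["Staff"],
     "pwdLastSet": "2015-05-10", "lastLogon": None,
     "passwordNeverExpires": False, "disabled": False},
    {"sAMAccountName": "carol", "displayName": "Carol Example",
     "mail": "carol@example.invalid", "memberOf": ["Staff", "Helpdesk"],
     "pwdLastSet": "2013-06-01", "lastLogon": "2015-07-30",
     "passwordNeverExpires": True, "disabled": True},
    {"sAMAccountName": "svc-backup", "displayName": "Backup Service",
     "mail": None, "memberOf": ["Domain Admins", "Backup Operators"],
     "pwdLastSet": "2010-01-15", "lastLogon": None,
     "passwordNeverExpires": True, "disabled": False},
])

# Groups treated as administrative (assumed list, adjust per domain).
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                "Backup Operators"}
# Attributes removed before any analysis happens.
PII_FIELDS = ("sAMAccountName", "displayName", "mail", "telephoneNumber")


def pseudonymise(record, salt):
    """Copy of the record with PII removed and a salted hash in place of the
    account name, so patterns can still be correlated per account without
    the processed file identifying anyone."""
    digest = hashlib.sha256((salt + record["sAMAccountName"]).encode()).hexdigest()
    out = {k: v for k, v in record.items() if k not in PII_FIELDS}
    out["id"] = digest[:16]
    return out


def load_pseudonymised(export_json, salt):
    """Parse the JSON export and pseudonymise every record."""
    return [pseudonymise(r, salt) for r in json.loads(export_json)]


def leaked_pii_fields(users):
    """PII attribute names still present after processing; should be empty."""
    return sorted({k for u in users for k in u if k in PII_FIELDS})


def _when(value):
    return datetime.fromisoformat(value) if value else None


def analyse(users, now=NOW):
    """Account-hygiene summary in the style of the case-study slide."""
    def is_admin(u):
        return bool(ADMIN_GROUPS & set(u["memberOf"]))

    pw_ages = [(now - _when(u["pwdLastSet"])).days
               for u in users if u.get("pwdLastSet")]
    return {
        "accounts": len(users),
        "admin_accounts": sum(1 for u in users if is_admin(u)),
        "non_expiring": sum(1 for u in users if u["passwordNeverExpires"]),
        # privileged accounts whose passwords never rotate: the riskiest overlap
        "admin_non_expiring": sum(1 for u in users
                                  if is_admin(u) and u["passwordNeverExpires"]),
        "never_logged_in": sum(1 for u in users if not u["lastLogon"]),
        "disabled": sum(1 for u in users if u["disabled"]),
        "groups_per_account": sum(len(u["memberOf"]) for u in users) / len(users),
        "oldest_password_days": max(pw_ages),
        "oldest_password_years": max(pw_ages) // 365,
        "newest_password_days": min(pw_ages),
    }


if __name__ == "__main__":
    accounts = load_pseudonymised(SAMPLE_EXPORT, salt="constructed-salt")
    assert not leaked_pii_fields(accounts), "PII survived processing"
    for key, value in analyse(accounts).items():
        print(f"{key:>24}: {value}")
```

The pseudonymisation step runs before analysis so that the JSON the analysis reads never contains names or addresses, matching the order of the case-study process; keep the salt out of the processed files, since anyone holding it can re-link hashes to account names. The extra `admin_non_expiring` figure is the overlap a reviewer would want beside the two separate counts on the slide.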
  65. In 2015, why is this still an issue?

  66. The challenges

  67. a public interest security tool

  68. ….from everyone. success requires engagement

  69. is this even legal?

  70. The law in this space is immature

  71. publicly available; previously known; already published

  72. can we assess human vulnerability on this scale without compromising the privacy of the people we assess?

  73. Privacy is about protecting people: Know, Update, Delete, Ask

  74. AVA Ethics and Privacy Board: Objective, Representative, Independent, Collaborative. New members welcome to apply

  75. Open. Honest. Plain English

  76. Providing people with the information they need to protect themselves and their privacy

  77. Is this technically possible?

  78. Building new things is hard

  79. Scale that has to be visible

  80. There is a reason why compromised email accounts have value. Can we simulate attack aliases in a manageable way?

  81. Nobody has time for more appliances

  82. Where next?

  83. From research project to real life: Testing, Continuous Integration, Roadmap development, Feature development

  84. Security culture change as a service?

  85. Integration: Google, Facebook, Twitter, LinkedIn, Microsoft, Slack, GitHub. If you are reading this and work for these places, we should probably talk.

  86. Ethics board, Developers, Testers, Contribution, Documentation, Sociologists, UX and design

  87. volunteers wanted: Safe, consensual, human security science

  88. TL;DR: We have a people problem. Attackers will choose the path of least resistance and we are not prepared. AVA is an early alpha prototype. We want a future of continuous human vulnerability assessment. The road ahead is hard: privacy, ethics, momentum, security, scaling and much more

  89. Learn more or get involved: https://github.com/SafeStack/ava (now with docker build), @avasecure, http://avasecure.com, http://ava.rqd.org/, hello@avasecure.com

  90. Laura Bell, Founder and Lead Consultant - SafeStack, @lady_nerd, laura@safestack.io, http://safestack.io. Questions? #protectyourpeople