Slide 1

Slide 1 text

Ikaros: an attack surface management framework for in-house teams

Slide 2

Slide 2 text

The Team: the PhonePe AppSec Team. Prateek - Dev; Bharath - ASM Techniques; Praveen - Architect; Pragya - Frontend; Hitesh - Secret Scanning

Slide 3

Slide 3 text

Problem statement

Slide 4

Slide 4 text

An organisation has an ever-evolving digital footprint and attack surface. Security teams need to continuously discover new assets, identify exploitable threats, monitor them and alert on them.

Slide 5

Slide 5 text

What did we build? Ikaros: a lightweight, opinionated but flexible framework using open source tools to: • Discover new assets • Identify exploitable threats • Monitor for new threats • Alert us on new threats

Slide 6

Slide 6 text

What does it look like? Ikaros

Slide 8

Slide 8 text

A security framework feedback loop

Slide 13

Slide 13 text

Ikaros - 10K Feet View

Slide 14

Slide 14 text

Ikaros - 10K Feet View Seed information: • Root domain names • IP addresses • Network ranges (CIDR)

Slide 15

Slide 15 text

Ikaros - 10K Feet View Subdomain sources: CT logs, search engines, DNS zone files, permutation scans, scraping, threat intel APIs etc. Related domains: passive DNS datasets, TLS/SSL certificates etc.

We use tools like OWASP Amass, ProjectDiscovery Subfinder, Chaos DNS datasets and AltDNS to perform discovery.
In future, we will be able to identify related assets such as code repos, SaaS services etc.
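
The permutation-scan source listed above, as an added example that is not Ikaros, Amass or AltDNS code: candidate names are derived from already-known subdomains (word prefixes/suffixes, numeric increments, stripped environment words) in the way AltDNS does, so a bulk resolver can then test which of them exist. The known names and the word list are constructed for the example; a real run would use a far larger word list.

```python
"""
Added example (not Ikaros, Amass or AltDNS code): AltDNS-style permutation
generation from known subdomains. KNOWN and WORDS are constructed inputs.
"""
import re

KNOWN = ["api.example.com", "staging-api.example.com", "web1.example.com"]
WORDS = ["dev", "staging", "prod", "internal", "admin"]   # constructed word list


def permutations_for(name: str, root: str, words):
    """Candidates derived from one known subdomain (deduplicated, excluding itself)."""
    labels = name[: -len(root) - 1].split(".")   # strip the root, keep the leading labels
    first, rest = labels[0], labels[1:]
    cands = set()
    for w in words:
        cands.add(".".join([w, first] + rest))           # dev.api
        cands.add(".".join([f"{w}-{first}"] + rest))     # dev-api
        cands.add(".".join([f"{first}-{w}"] + rest))     # api-dev
        cands.add(".".join([first, w] + rest))           # api.dev
    m = re.search(r"(\d+)$", first)                      # web1 -> web2, web3, web4
    if m:
        stem, n = first[: m.start()], int(m.group(1))
        for k in range(n + 1, n + 4):
            cands.add(".".join([f"{stem}{k}"] + rest))
    for w in words:                                      # staging-api -> api
        for stripped in (first.replace(f"{w}-", ""), first.replace(f"-{w}", "")):
            if stripped and stripped != first:
                cands.add(".".join([stripped] + rest))
    full = {f"{c}.{root}" for c in cands}
    full.discard(name)
    return full


def generate(known, root, words):
    """All candidates across the known set, minus names we already know about."""
    out = set()
    for name in known:
        out |= permutations_for(name, root, words)
    return sorted(out - set(known))


if __name__ == "__main__":
    cands = generate(KNOWN, "example.com", WORDS)
    print(len(cands), cands[:10])
```

The output is only a candidate list; the value comes from resolving it (and, for wildcard zones, discarding names whose answer matches the wildcard's) before the names are treated as assets.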

Slide 17

Slide 17 text

Ikaros - 10K Feet View Assets: • Subdomains • Code repos • SaaS subscriptions • Network ranges

Slide 19

Slide 19 text

Ikaros - 10K Feet View Identify WAF/CDN/load balancer: by analysing headers, IP ranges, DNS records etc. Identify tech stack: by analysing response headers, source code, behaviour patterns etc.

Identify services: using Shodan InternetDB, Censys etc.

In future, we will perform lightweight active scans to improve accuracy and coverage.

Slide 21

Slide 21 text

Ikaros - 10K Feet View • Find all domains with valid DNS records (active domains) • For all active domains, find out whether they have services exposed to the Internet (passive scanning) • For all the services, identify the tech stack they are built on
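
One way to implement the classification stages described on slides 19 and 21, as an added example and not Ikaros's own code: DNS resolution and the HTTP fetch are assumed to happen upstream and are replaced here by constructed records, so the block runs offline. The CDN range and the header/body signatures are a small illustrative subset, not a real fingerprint database.

```python
"""
Added example (not Ikaros code): header/IP-range based WAF/CDN detection and
signature-based tech-stack detection over constructed sample records.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: 'ip' would come from DNS resolution, 'headers'/'body'
# from a passive or light fetch of the service.
SAMPLE_RECORDS = [
    {"host": "www.example.com", "ip": "104.16.10.20",
     "headers": {"server": "cloudflare", "cf-ray": "7a1b2c3d4e5f6789-BOM"},
     "body": "<html><head><title>Home</title></head></html>"},
    {"host": "api.example.com", "ip": "203.0.113.15",
     "headers": {"server": "nginx/1.18.0", "x-powered-by": "Express"},
     "body": '{"status":"ok"}'},
    {"host": "blog.example.com", "ip": "198.51.100.7",
     "headers": {"server": "Apache/2.4.41 (Ubuntu)"},
     "body": '<meta name="generator" content="WordPress 6.2" />'},
    {"host": "old.example.com", "ip": None, "headers": {}, "body": ""},  # no DNS record
]

# Illustrative subset of a CDN's published ranges (assumption for the example).
CDN_RANGES = {"cloudflare": [ipaddress.ip_network("104.16.0.0/13")]}
# (vendor, header name, regex on the header value)
EDGE_HEADER_SIGS = [
    ("cloudflare", "server", re.compile(r"^cloudflare$", re.I)),
    ("cloudflare", "cf-ray", re.compile(r".+")),
    ("akamai", "server", re.compile(r"AkamaiGHost", re.I)),
]
# (technology, source, regex with optional 'version' group)
TECH_SIGS = [
    ("nginx", "header:server", re.compile(r"nginx(?:/(?P<version>[\d.]+))?", re.I)),
    ("apache", "header:server", re.compile(r"Apache(?:/(?P<version>[\d.]+))?", re.I)),
    ("express", "header:x-powered-by", re.compile(r"Express", re.I)),
    ("wordpress", "body", re.compile(r'content="WordPress (?P<version>[\d.]+)"', re.I)),
]


@dataclass
class Fingerprint:
    host: str
    active: bool
    edge: set = field(default_factory=set)      # CDN/WAF/LB vendors in front of the host
    tech: dict = field(default_factory=dict)    # technology -> version (or "" if unknown)


def identify_edge(ip, headers):
    """Vendor hits from either the resolved IP range or edge-specific headers."""
    vendors = set()
    if ip:
        addr = ipaddress.ip_address(ip)
        for vendor, nets in CDN_RANGES.items():
            if any(addr in n for n in nets):
                vendors.add(vendor)
    lowered = {k.lower(): v for k, v in headers.items()}
    for vendor, name, rx in EDGE_HEADER_SIGS:
        if name in lowered and rx.search(lowered[name]):
            vendors.add(vendor)
    return vendors


def identify_tech(headers, body):
    """Technology hits from response headers or the response body."""
    lowered = {k.lower(): v for k, v in headers.items()}
    found = {}
    for tech, source, rx in TECH_SIGS:
        text = body if source == "body" else lowered.get(source.split(":", 1)[1], "")
        m = rx.search(text)
        if m:
            found[tech] = m.groupdict().get("version") or ""
    return found


def fingerprint_all(records):
    """Slide 21 order: keep only hosts with a DNS record, then classify each one."""
    out = []
    for r in records:
        if not r["ip"]:
            out.append(Fingerprint(r["host"], active=False))
            continue
        out.append(Fingerprint(r["host"], True,
                               identify_edge(r["ip"], r["headers"]),
                               identify_tech(r["headers"], r["body"])))
    return out


if __name__ == "__main__":
    for fp in fingerprint_all(SAMPLE_RECORDS):
        print(fp)
```

Knowing that a host sits behind a CDN matters for the later stages: the `ip` belongs to the edge, not the origin, so service lookups against it describe the CDN rather than the org's own exposure.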


Slide 23

Slide 23 text

Ikaros - 10K Feet View • Find application vulnerabilities using patterns/templates. We use Nuclei, an industry-grade open source scanner. • Find CVEs affecting the tech stack of a service. In future, we will integrate this with the Sirius service. • Find leaked sensitive information across the Internet (in progress)
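
To show what "patterns/templates" means in practice, here is an added example, not Ikaros code and not Nuclei itself, that evaluates the subset of Nuclei's matcher semantics most templates rely on (status/word/regex matchers, a per-matcher `condition`, `negative`, and the top-level `matchers-condition`). The template is modelled on the well-known exposed `.git/config` check; the HTTP responses are constructed inline so the block runs offline.

```python
"""
Added example (not Ikaros or Nuclei code): a tiny evaluator for Nuclei-style
matchers, run against constructed responses.
"""
import re

# Constructed template in Nuclei's matcher shape: flags an exposed .git/config.
GIT_CONFIG_TEMPLATE = {
    "id": "git-config-exposure",
    "path": "/.git/config",
    "matchers-condition": "and",
    "matchers": [
        {"type": "status", "status": [200]},
        {"type": "word", "part": "body", "condition": "and",
         "words": ["[core]", "repositoryformatversion"]},
        # an HTML page that merely mentions [core] is not a git config
        {"type": "word", "part": "header", "negative": True, "words": ["text/html"]},
    ],
}

# Constructed responses keyed by (host, path): (status, headers, body)
RESPONSES = {
    ("dev.example.com", "/.git/config"): (200, {"content-type": "text/plain"},
        "[core]\n\trepositoryformatversion = 0\n\tfilemode = true\n"),
    ("www.example.com", "/.git/config"): (200, {"content-type": "text/html"},
        "<html><body>[core] not found</body></html>"),
    ("api.example.com", "/.git/config"): (404, {"content-type": "text/plain"}, "Not Found"),
}


def _part_text(part, headers, body):
    if part == "header":
        return "\n".join(f"{k}: {v}" for k, v in headers.items())
    return body


def run_matcher(m, status, headers, body):
    """Evaluate one matcher; 'negative' inverts the result, as in Nuclei."""
    kind = m["type"]
    if kind == "status":
        hit = status in m["status"]
    else:
        text = _part_text(m.get("part", "body"), headers, body)
        cond = all if m.get("condition", "or") == "and" else any
        if kind == "word":
            hit = cond(w in text for w in m["words"])
        elif kind == "regex":
            hit = cond(re.search(rx, text) for rx in m["regex"])
        else:
            raise ValueError(f"unsupported matcher type {kind}")
    return not hit if m.get("negative") else hit


def evaluate(template, status, headers, body):
    results = [run_matcher(m, status, headers, body) for m in template["matchers"]]
    combine = all if template.get("matchers-condition", "or") == "and" else any
    return combine(results)


def scan(template, responses):
    """Return the hosts on which the template matches."""
    findings = []
    for (host, path), (status, headers, body) in responses.items():
        if path == template["path"] and evaluate(template, status, headers, body):
            findings.append(host)
    return sorted(findings)


if __name__ == "__main__":
    print(scan(GIT_CONFIG_TEMPLATE, RESPONSES))
```

The negative header matcher is what keeps the catch-all 200 page on `www.example.com` from becoming a false positive; template quality in a continuous ASM loop is mostly about such exclusions.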

Slide 25

Slide 25 text

As a: Security Engineer
I want to: be able to scan the attack surface of my org really quickly
So that: I'm on top of the security issues without delay

Slide 26

Slide 26 text

Distributed scanning using Ray

Slide 27

Slide 27 text

Ray is an open-source unified compute framework that makes it easy to scale AI and Python workloads.
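
The fan-out pattern this slide refers to, as an added example and not Ikaros code: each target becomes a Ray task and the results are gathered with `ray.get()`. The per-target "scan" is a constructed stand-in that consults an in-memory table instead of the network, and when Ray is not installed (or `use_ray=False`) the same work runs in-process, so the block executes anywhere; both of those are assumptions of the example.

```python
"""
Added example (not Ikaros code): one Ray task per target, results gathered in
input order. scan_target() is a constructed stand-in for real scanning work.
"""
import time

try:
    import ray
except ImportError:          # assumption: Ray may be absent in a dev environment
    ray = None

# Constructed resolution table standing in for a DNS/passive lookup.
FAKE_DNS = {"www.example.com": "203.0.113.10", "api.example.com": "203.0.113.11"}


def scan_target(host: str) -> dict:
    """Work done by one task: resolve the host and decide whether it is active."""
    ip = FAKE_DNS.get(host)
    return {"host": host, "ip": ip, "active": ip is not None}


def scan_all(hosts, use_ray=True, num_cpus=None):
    """Fan out one task per host; ray.get() on the list preserves input order."""
    if ray is None or not use_ray:
        return [scan_target(h) for h in hosts]
    if not ray.is_initialized():
        ray.init(num_cpus=num_cpus, ignore_reinit_error=True, log_to_driver=False)
    remote_scan = ray.remote(scan_target)
    futures = [remote_scan.remote(h) for h in hosts]
    return ray.get(futures)


def summarize(results):
    return {"total": len(results), "active": sum(r["active"] for r in results)}


if __name__ == "__main__":
    targets = ["www.example.com", "api.example.com", "gone.example.com"]
    t0 = time.time()
    res = scan_all(targets)
    print(summarize(res), f"in {time.time() - t0:.2f}s")
```

With a real scanner the per-task work is seconds of network I/O rather than a dictionary lookup, which is exactly where spreading tasks over a Ray cluster pays off; batching several hosts per task keeps scheduling overhead from dominating when the asset list is large.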

Slide 29

Slide 29 text

As an: Ikaros user/dev
I want to: have deep visibility into the Ikaros framework at run time
So that: I can be sure of the scan completeness and debug issues

Slide 30

Slide 30 text

Observability in Ikaros

Slide 32

Slide 32 text

As a: Product Security Engineer
I want to: be able to feed the internal information available in the org to the tool
So that: it improves the coverage of the tool

Slide 33

Slide 33 text

• Ikaros supports feeding in information that is available in the org, such as: • Subdomains from the nameserver zone files (Route53 etc.) • Team-based alerting, if the org structure is provided
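
Turning the org's own nameserver data into seed subdomains, as an added example that is not Ikaros code: two input shapes are handled, a BIND-style zone file and the JSON returned by `aws route53 list-resource-record-sets`. Both inputs below are constructed samples. Only hostname-bearing record types are kept, and CNAME/alias targets outside the root domain are reported separately, since those point at third-party services that belong on the asset list too.

```python
"""
Added example (not Ikaros code): seed subdomains from a BIND zone file and from
Route53 record-set JSON. BIND_SAMPLE and ROUTE53_SAMPLE are constructed.
"""
import json

HOST_RECORD_TYPES = {"A", "AAAA", "CNAME"}

BIND_SAMPLE = """\
$ORIGIN example.com.
$TTL 300
@          IN  SOA   ns1.example.com. hostmaster.example.com. (1 3600 600 86400 300)
@          IN  NS    ns1.example.com.
www        IN  A     203.0.113.10
api        300 IN  AAAA  2001:db8::10
; old marketing site hosted on a SaaS provider
promo      IN  CNAME promo-site.saas-vendor.example.net.
_dmarc     IN  TXT   "v=DMARC1; p=reject"
mail.example.com. IN MX 10 mx1.example.com.
"""

ROUTE53_SAMPLE = json.dumps({"ResourceRecordSets": [
    {"Name": "example.com.", "Type": "NS", "ResourceRecords": [{"Value": "ns1.example.com."}]},
    {"Name": "shop.example.com.", "Type": "A",
     "AliasTarget": {"DNSName": "d111abc.cloudfront.example.net."}},
    {"Name": "\\052.dev.example.com.", "Type": "CNAME",   # Route53 encodes '*' as \052
     "ResourceRecords": [{"Value": "lb.example.com."}]},
    {"Name": "vpn.example.com.", "Type": "A", "ResourceRecords": [{"Value": "203.0.113.20"}]},
]})


def _norm(name: str) -> str:
    return name.rstrip(".").lower().replace("\\052", "*")


def _in_scope(name: str, root: str) -> bool:
    return name == root or name.endswith("." + root)


def parse_bind(text: str, root: str):
    """Yield (owner, type, cname_target_or_None) for host-bearing records."""
    origin = root
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()           # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = _norm(line.split()[1])
            continue
        if line.startswith("$"):                       # $TTL and friends
            continue
        fields = line.split()
        owner = fields[0]                              # owner [ttl] [class] type rdata...
        rest = [f for f in fields[1:] if not f.isdigit() and f.upper() != "IN"]
        rtype, rdata = rest[0].upper(), rest[1:]
        if rtype not in HOST_RECORD_TYPES:
            continue
        if owner == "@":
            owner = origin
        elif owner.endswith("."):
            owner = _norm(owner)
        else:
            owner = f"{owner.lower()}.{origin}"
        yield owner, rtype, (_norm(rdata[0]) if rtype == "CNAME" else None)


def parse_route53(text: str, root: str):
    """Same shape as parse_bind, from list-resource-record-sets output."""
    for rrset in json.loads(text)["ResourceRecordSets"]:
        rtype = rrset["Type"]
        if rtype not in HOST_RECORD_TYPES:
            continue
        owner = _norm(rrset["Name"])
        if "AliasTarget" in rrset:                     # alias records behave like a CNAME
            yield owner, "ALIAS", _norm(rrset["AliasTarget"]["DNSName"])
            continue
        for rr in rrset.get("ResourceRecords", []):
            yield owner, rtype, (_norm(rr["Value"]) if rtype == "CNAME" else None)


def seed_from_zone(records, root: str):
    """Split records into in-scope subdomains and the external targets they depend on."""
    subdomains, external = set(), {}
    for owner, rtype, target in records:
        if not _in_scope(owner, root):
            continue
        subdomains.add(owner.lstrip("*."))            # a wildcard owner still reveals its label
        if target and not _in_scope(target, root):
            external[owner] = target
    return sorted(subdomains), external


if __name__ == "__main__":
    root = "example.com"
    recs = list(parse_bind(BIND_SAMPLE, root)) + list(parse_route53(ROUTE53_SAMPLE, root))
    print(seed_from_zone(recs, root))
```

The `external` map is the starting point for dangling-CNAME monitoring: a record the org controls that points at a vendor hostname the org no longer owns is a takeover candidate, and it is visible only because the zone itself was fed in.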

Slide 34

Slide 34 text

As a: Vulnerability Manager
I want to: have insights into Ikaros findings in a non-technical, friendly way
So that: I can communicate the information across the org

Slide 35

Slide 35 text

Visualisation in Ikaros

Slide 37

Slide 37 text

Secret Scanning: • Takes its input from the Ikaros assets: a subdomain, or keywords plus the org (e.g. ORG + AWS_KEY). • The depth of the secret scan (File, Repo, Owner) can be defined in the tool. • Based on these parameters it crawls the GitHub APIs to find results for the input provided by the user. • If results are identified, it clones and runs secret detection according to the depth.

The good thing about this tool: if you search for a keyword and that key is present in a file, it identifies it and also easily identifies the other keys in that file. The tools currently available only find results specific to the input the user provided, and manual observation is then required.
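
The two ideas above, a keyword-driven search whose hits are then scanned for every secret in the matched content and a depth setting that widens what gets scanned, as an added example and not Ikaros's secret scanner. GitHub search and cloning are replaced by a constructed in-memory corpus so the block runs offline. The AWS key values are the placeholders AWS uses in its own documentation and the `ghp_` token is a made-up string of the documented shape; the high-entropy assignment detector and its 4.0-bit threshold are assumptions for the example.

```python
"""
Added example (not Ikaros code): keyword search -> scan the whole matched file
(and, at wider depth, the whole repo or owner) with several secret detectors.
CORPUS is constructed; no GitHub API or git clone is involved.
"""
import math
import re

# owner -> repo -> path -> content (stands in for search results and cloned repos)
CORPUS = {
    "demo-org": {
        "payments-svc": {
            "config/prod.env": ("AWS_KEY=AKIAIOSFODNN7EXAMPLE\n"
                                "AWS_SECRET=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
                                "DB_PASSWORD=hunter2\n"),
            "README.md": "Deploy with AWS_KEY set in the environment.\n",
            ".github/workflows/ci.yml": "token: ghp_abcdefghijklmnopqrstuvwxyz0123456789\n",
        },
        "infra-scripts": {
            "deploy.sh": "aws configure set aws_access_key_id AKIAI44QH8DHBEXAMPLE\n",
        },
    }
}

DETECTORS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # assumption: KEY=value lines with a long high-entropy value deserve a look
    "high-entropy-assignment": re.compile(r"^\s*([A-Z_]{4,})\s*=\s*([^\s'\"]{20,})\s*$", re.M),
}
ENTROPY_THRESHOLD = 4.0   # bits per character; assumption for the example


def shannon_entropy(s: str) -> float:
    return -sum(c / len(s) * math.log2(c / len(s))
                for c in (s.count(ch) for ch in set(s)))


def detect_secrets(content: str):
    """Run every detector over the whole file, not just the keyword that was searched."""
    hits = []
    for name, rx in DETECTORS.items():
        for m in rx.finditer(content):
            value = m.group(2) if name == "high-entropy-assignment" else m.group(0)
            if name == "high-entropy-assignment" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue
            hits.append({"type": name, "value": value,
                         "line": content.count("\n", 0, m.start()) + 1})
    return hits


def search(owner: str, keyword: str):
    """Stand-in for org-scoped GitHub code search: files containing the keyword."""
    for repo, files in CORPUS.get(owner, {}).items():
        for path, content in files.items():
            if keyword in content:
                yield repo, path


def scan(owner: str, keyword: str, depth: str = "file"):
    """depth widens from the matched file to its repo, or to every repo of the owner."""
    targets = set()
    for repo, path in search(owner, keyword):
        if depth == "file":
            targets.add((repo, path))
        elif depth == "repo":
            targets.update((repo, p) for p in CORPUS[owner][repo])
        elif depth == "owner":
            targets.update((r, p) for r, fs in CORPUS[owner].items() for p in fs)
        else:
            raise ValueError(f"unknown depth {depth!r}")
    findings = []
    for repo, path in sorted(targets):
        for hit in detect_secrets(CORPUS[owner][repo][path]):
            findings.append({"repo": repo, "path": path, **hit})
    return findings


if __name__ == "__main__":
    for depth in ("file", "repo", "owner"):
        print(depth, [(f["repo"], f["path"], f["type"]) for f in scan("demo-org", "AWS_KEY", depth)])
```

Searching for `AWS_KEY` alone would return the `.env` line and the README; scanning the whole matched file also surfaces the secret key on the next line, and the repo/owner depths pick up tokens in files the keyword never touched.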

Slide 39

Slide 39 text

Future road map

Slide 40

Slide 40 text

• Open source the project with documentation • More tools integrated == more coverage • Fine-tune the secret scanning engine • Report generation capabilities • Fine-grained control over which modules to run, and scheduling • Real-time scanning capabilities

Slide 41

Slide 41 text

Thank you!