Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Ikaros - Asset Discovery Framework

Prateek Thakare
July 18, 2023
0
140

Ikaros - Asset Discovery Framework

Prateek Thakare

July 18, 2023
Tweet

More Decks by Prateek Thakare

See All by Prateek Thakare
Getting Started with Code Reviews
prateekthakare
1
280
Business Logic Vulnerabilities: The issues we often miss
prateekthakare
4
220

Featured

See All Featured
Scaling GitHub
holman
458
140k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
The Cost Of JavaScript in 2023
addyosmani
45
6.6k
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k
Designing on Purpose - Digital PM Summit 2013
jponch
115
6.9k
We Have a Design System, Now What?
morganepeng
50
7.2k
Testing 201, or: Great Expectations
jmmastey
38
7k
GraphQLの誤解/rethinking-graphql
sonatard
66
9.9k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
14
1.9k
Navigating Team Friction
lara
183
14k
Why You Should Never Use an ORM
jnunemaker
PRO
53
9k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
228
52k

Transcript

  1. Ikaros An attack surface management framework for in-house teams

  2. The Team and the PhonePe Appsec Team Prateek - Dev

    Bharath - ASM Techniques Praveen - Architect Pragya - Frontend Hitesh - Secret Scanning

  3. Problem statement

  4. An organisation has ever evolving digital foot print and attack

    surface. Security teams need to discover new assets, identify exploitable threats, monitor them and alert on them continuously.

  5. A light weight, opinionated but fl exible framework using open

    source tools to - • Discover new assets • Identify exploitable threats • Monitor for new threats • Alert us on new threats What did we build? Ikaros

  6. What does it look like? Ikaros

  7. What does it look like? Ikaros

  8. A security framework feedback loop

  9. A security framework feedback loop

  10. A security framework feedback loop

  11. A security framework feedback loop

  12. A security framework feedback loop

  13. Ikaros - 10K Feet View Ikaros

  14. Ikaros - 10K Feet View Seed Information: • Root domain

    names • IP addresses • Network ranges (CIDR) Ikaros

  15. Ikaros - 10K Feet View Subdomain Sources: CT Logs, Search

    Engines, DNS Zone fi les, permutation scans, Scraping, Threat Intel APIs etc Related domains: Passive DNS datasets, TLS/SSL Certs etc. 
 
 We use tools like OWASP Amass, Project Discovery Sub fi nder, Chaos DNS datasets, AltDNS to perform discovery. 
 In future, we will be able to identify related assets such as Code Repos & SaaS services etc. 
 
 Ikaros

  16. Ikaros - 10K Feet View

  17. Ikaros - 10K Feet View Assets: • Subdomains • Code

    Repos • SaaS subscriptions • Network ranges Ikaros

  18. Ikaros - 10K Feet View

  19. Ikaros - 10K Feet View Identify WAF/CDN/Load balancer: By analysing

    headers, IP ranges, DNS records etc. Identify Tech Stack: By analysing response headers, source code, Behaviour patterns etc. 
 
 Identify services: Using Shodan Internet DB, Censys etc. 
 
 In future, we will perform light weight active scans to improve accuracy and coverage. 
 Ikaros

  20. Ikaros - 10K Feet View Ikaros

  21. Ikaros - 10K Feet View • Find all domains with

    valid DNS records (Active domains • For all active domains, fi nd if they have services exposed to the Internet (Passive scanning) • For all the services, identify the tech stack they are built on 


  22. Ikaros - 10K Feet View Ikaros

  23. Ikaros - 10K Feet View • Find application vulnerabilities using

    patterns/templates We use Nuclei - an industry-grade open source scanner. • Find CVEs affecting the tech stack of a service. In future, we will integrate this with Sirius service • Find leaked sensitive information across the Internet (In Progress) Ikaros

  24. Ikaros - 10K Feet View Ikaros

  25. As a: I want to: So that: Security Engineer be

    able to scan the attack surface of my org really quickly I’m on top of the security issues without a delay

  26. Distributed scanning using Ray

  27. Ray is an open-source unified compute framework that makes it

    easy to scale AI and Python workloads.
  28. None

  29. As a: I want to: So that: Ikaros user/dev have

    deep visibility into Ikaros framework at run time So that I can be sure of the scan completeness and debug issues

  30. Observability in Ikaros

  31. None

  32. As a: I want to: So that: Product Security Engineer

    be able to feed the internal information available in the org to the tool It improves the coverage of the tool

  33. • Ikaros supports feeding information that is available in the

    org such as • Subdomains from the Nameserver Zone fi les (Route53 etc) • Ability to have team based alerting if the org structure is provided

  34. As a: I want to: So that: Vulnerability Manager have

    insights into Ikaros fi ndings in a non tech/friendly way So that I communicate the information across the org

  35. Visualisation in Ikaros

  36. None

  37. • Take the input from IKAROS assets. Subdomain either keywords+Org(ORG+AWS_KEY).

    • In Secret Scanning tool depth(File,Repo,Owner) can be de fi ned. • Based on the above params it crawls through Github APIs to fi nd the results wrt input provided by the user. • If results is identi fi ed, based on the depth it perform the cloning and secret detection operation. 
 
 So good thing about this tool is if you search for the keyword --> if that key is present on that fi le it identi fi es and also other keys also are can be easily identi fi ed. The current tool which are present are identi fi es the results and manually observation is required and it fi nds speci fi c to the input provided by the user. Secret Scanning :
  38. None

  39. Future road map

  40. • Open Source the project with documentation • More tools

    to be integrated == more coverage • Fine tune the secret scanning engine • Report generation capabilities • Fine grain control over modules to run and scheduling • Real time scanning capabilities •

  41. Thank you!