So, here we are with another Adobe 0-day vulnerability. No! Wait! Stop! Don't go away from this page because you think it is a repeat from the past multitude of Adobe 0-days. This one is for Reader and… for Flash. See, that is something kind of new!
Anyway, why should you care? First, this exploit has been used on a "very small number of organizations and limited in scope." See! There is nothing to worry about…
But wait… There's more. The advisory goes on to say it has been used to "install persistent malware on the victim's machine." Okay, now is a good time to hark back to what we talked about yesterday. The threat landscape is no longer changing, folks; it has changed. We have been hammering on the show for the past few months that traditional detection and prevention technologies are easily bypassed. Don't believe us? Go and talk to any competent pen testing company. Very rarely do AV and IDS/IPS get in the way. Further, if we think about current penetration tests, they are very limited in scope. We usually only have about a week or two, possibly a month for most engagements. This means we are not spending a tremendous amount of time working on 0-days or taxing ourselves too hard to develop custom malware.
That being said, if you are a sufficiently large organization with adversaries that could make millions off of a compromise, you had better believe they are going to spend the cash to purchase or develop 0-days or custom malware as part of their strategy to compromise you.
The reason I am jumping on this theme this week is that many of the organizations that hire pen testing companies want the absolute minimum: keep the cost and the scope down as much as possible. However, if you want this done right, it is going to cost you in terms of time and money. Lately, at PaulDotCom we have found that a number of our customers have opted to have things done the right way: solid recon, slow enumeration and scanning to stay under the detection wire, and very targeted attacks. Why? Almost all of our current customers that are looking for this type of test have one thing in common… They have been compromised. Getting a penetration test is now far more to them than a simple checkbox activity.
Going forward we are going to focus on three things at PaulDotCom. First, train your Systems Administrators. Second, keep an eye on the Pentesting standards group. And finally, start looking into Offensive Countermeasures. We will have an announcement on the Offensive Countermeasures angle here next week.
John Strand will be teaching SANS 660 Advanced Network Penetration Testing and Metasploit for Penetration Testers this April in Reston, VA, April 15-23.