This document provides tips and tricks for security assessments in a fictionalized cyberpunk fairytale format. It discusses various methodologies for assessments, the importance of scoping, and strategies for effective teamwork and communication. Visualization techniques and tools for data are presented, as well as tips for organizing documentation, prototyping ideas, automating reporting processes, and tailoring results for different audiences. The overall goal is to provide high-level concepts and philosophies for planning, managing and crafting effective security assessments and reports.

1. Hackanalytics
What's
hot
What's not
Cyberpunk Fairytale with Tips and Tricks
By
Alexey Kachalin
Advanced Monitoring

2. advancedmonitoring.ru
Advanced Monitoring
@kchln
Credits
as The Team
Alexey Kachalin
as Narrator
Shiny IT
as High Tech
Security Struggle
as Low Life
[AK@DeepSec 2013 Nov 21]$ story begin_

3. advancedmonitoring.ru
@kchln

4. advancedmonitoring.ru
@kchln
Security Struggle

5. advancedmonitoring.ru
@kchln
Why Struggle? More Secure  Less Secure
Insecurity
System
Evolution
Incidents
System
Complexity
???
Positive link
Negative link
Enforcing loop
Tool: System Diagrams
Introduce
Controls
Response

6. advancedmonitoring.ru
Wanna skip to Ninjas part?
1. Choose methodology
Technology specific  OWASP
Task specific  PTES
Domain specific  OSSTMM
Result-oriented  CSC
2. Scoping
…
n. Rock’n’Roll!
@kchln

7. advancedmonitoring.ru
@kchln
1 Security Ninja wasted. Continue [ y/N] _
Tool: Mindmap, brainstorm. Don’t read it all now – I made it for lols

8. advancedmonitoring.ru
Some Hack-o-sophy then?
Creating stuff
Engineering view
User view
Analytical thinking
Critical thinking
Out-of-box thinking
*Technical expertise is required anyway
@kchln

9. advancedmonitoring.ru
@kchln
When are you? Understand Their protocols
Enterprise runs hundreds of projects
and processes when you happen’
… not going to stop
Plan – Identify & Analyze
Do- Develop Solution
Check- …and Improve Solution
Act – Implement Solution
You better know Their context
Tool: Deming cycle and whatever follows PMBOK, TIL, ISO9000

10. advancedmonitoring.ru
@kchln
Pareto-zation. The benefit of hindsight
20%
effort
80%
$$$
Proves to be correct over and over
Rarely used in planning
Why?
No Data
Tool: Pareto, Knapsack problem
Log don’t memorize
Work out logs and use in planning

11. advancedmonitoring.ru
Suggest Project/Teamwork Strategy
Waterfall – stages, WBS
Agile concept
Time-limited iterations
Team work on component
Tasks not assigned – taken
Scope change tolerance
Customer awareness
Tool: WBS, T-Shirt estimate, Burndown
@kchln

12. advancedmonitoring.ru
@kchln
Broken communication – any project’s issue
Phone call – I’ll call you back
E-mail – ignored, maybe in spam?
Checklist – too big – please e-mail
Interview –please send checklist
Discussion – I will do my way
AaaRghh!!!

13. advancedmonitoring.ru
Communicating in and out tricks
Fight fears
Appreciative Inquiry (5Ds)
Too sweet? Criticize!
Constructive Controversy
Explore causes
5 Whys
Overcome egos
Six Hats
Tool: Communications scenarios. It’s not always the same
@kchln

14. advancedmonitoring.ru
@kchln
“Fairytale” Editor’s cut includes section
Other Extremely Effective Communication tips

15. advancedmonitoring.ru
Skimming documentation
Don’t read or rewrite or annotate
Review and analyze
Structure - what’s there, not there
Any logic in bundle?
Check consistency
How up-to-date documents are?
Authors available for comments?
Tool: Structure schemes, Sequence Diagrams
@kchln

16. advancedmonitoring.ru
Organize Chaos
Track and Log *
List *
List of received documents
List of created documents for the project
UID * – use ID’s across artifacts
ID’s used by customer are inconsistent… often
Translation tables
ID!=UID IP is not UID, MAC -?
Don’t stop hallway through:
Brainstorm Mindmap?  Actions!
Tool: Affinity Diagram & workflow
@kchln

17. advancedmonitoring.ru
@kchln
Almost there? Report.Create
Outline first – don’t generate texts
List items and give Definitions
Structure and facts
Width/Depth Switching prototyping
Get approval/corrections
Get clarification
Tool: Outline & Example first, WDS Prototype (am)

18. advancedmonitoring.ru
@kchln
Avoid extremes
Data and trends Visualization
ex.#1
Obvious  Preconceived
Simple  Complicated
Boring  Fancy
Report Texts
Full description  Screenshots/logs only
Boasting vulns  Hug problems
Hack Slang  Baby talk
ex.#2
Demonstrate. Communicate. Avoid

19. advancedmonitoring.ru
Don’t
restrict
ideas by
sticking to
standard
forms
but
do not
neglect
them
Tool: Standard vis tools in excel/calc etc. RTFM please!
@kchln
?

20. advancedmonitoring.ru
@kchln
Simple standard things. Use them right!
ex.#1
Tool: Piecharts
ex.#2

21. advancedmonitoring.ru
Even if You can explain it – it’s too much
Tool: No idea. shrooms??
@kchln

22. advancedmonitoring.ru
Tool: Visualization Taxonomy (give it a look here)
@kchln

23. advancedmonitoring.ru
Powerful complex general tools for fast
analysis and check ideas. Don’t over engineer
Tool: Grid analysis (services up/vulns found excel by am)
@kchln

24. advancedmonitoring.ru
Got idea? Prototype. Don’t over engineer
Tool: treemap (for services vis by am)
@kchln

25. advancedmonitoring.ru
Report.Automate – Build your System
Store Data (received/generated)
Human readable
Machine readable
Itemized (lists)
Well named
Actionable
Edit, Snippets takings
Filters, Sorting
Manage and service
@kchln

26. advancedmonitoring.ru
@kchln
Report.Repeat – They think they are all the same?
No!
Look!!
They
are
sooo
different
Rep q1
Rep q2
Rep q3
Rep q4

27. advancedmonitoring.ru
Hurling results to “Them”
Pitches that should’ve made it
but could as well fail
SQLi up to RCE for any registered
user
Any scary words like XSS
Database vulnerability leads to
full compromise
Critical vulnerability in AAA
config
Doh! You’re gonna get hacked
soon
@kchln

28. advancedmonitoring.ru
@kchln
Master “Their” language
Bridge
Current
State
Tool: MindTools.com for reference
Desired new
State
SWOT
Value chain
7S, McKinsey’s
Decision Trees
Comparison analysis
Impact (Organization) analysis

29. That’s all, folks!
Summary
Philosophy and high-level concepts
Planning and management
Report crafting
Communication tweaks
Visualization demystified
Organize chaos and keep tracking
Craft tools and build Your own System
Interpret results for presentation

30. advancedmonitoring.ru
Advanced Monitoring
OpSec/R&D/Forensics/Trainings
IT Security R&D Cooperation Worldwide
Russia – Europe - Americas – Asia
Alexey Kachalin, COO
kachalin@advancedmonitoring.ru
@kchln
@kchln