Black Hat: Adaptive Penetration Testing Course Review
This is the first year that I've been able to make it to Black Hat (3rd to DEF CON, starting in a couple days). I took a Training put on by the Veris Group titled "Adaptive Penetration Testing". Here's how the course describes itself:
Practice and real world application is critical to learning how to effectively conduct penetration tests. Adaptive Penetration Testing is an immersive course that will provide practical experience and a solid framework for conducting in-depth security assessments. The majority of this course is spent in a fully operational lab environment, overcoming the real-world obstacles faced in today's enterprise networks. We will cover tactics, techniques and procedures (TTPs) successful penetration testers use to provide comprehensive and efficient security assessments in a variety of enterprise environments. Methods presented are based on TTPs consistently being refined by our penetration testers' operational experience.
Knowing the right tool for the job and how to adapt around constraints is often the difference maker for an effective penetration test. We will walk you through various commercial and open-source tools for identifying attack vectors and infiltrating a simulated enterprise environment. We will cover both network and web testing tools and frameworks such as Cobalt Strike, Metasploit, Nessus, Nmap, OWASP-ZAP, SQLMap, and a host of various tools that have been developed by Veris Group testers (including the Veil-Framework, PowerUp and EyeWitness). These tools will enable you to collaboratively conduct penetration tests efficiently and effectively against variable target environments. You will also overcome obstacles, practice modern attack techniques and learn how to use advanced tactics to force-multiply your penetration tests.
Review
I had the expectation going in that I would be improving my pen test capabilities in both the hard and soft-skill arenas. In that respect the class met my expectation. It lasted for 2 days (finished just a couple hours ago) and the presenters were clearly subject matter experts with a great deal of knowledge and the capability to convey that knowledge to the class.
Most of the class was spent using a VM which was specially prepared for the class and distributed to us on Bamboo-clad USB drives (pretty cool, I think!). After going over the high level concepts we were quickly set into labs which required us to examine documentation to properly utilize tools and techniques to accomplish our objectives. Many of these labs required working in teams (they had us grouped 4 to a table). The team I was on was a blast to work with and we had a good banter going between us as we accomplished our tasks.
If I were to nit-pick I'd say that the course overview is a bit out of date as we only covered the Veil-Framework in the slide deck and no one mentioned OWASP-ZAP or SQLMap. The gap here isn't in the presenters or the presentation, it's in the high-level summary a student would see when signing up for the class.
The class focused heavily on using a tool called Cobalt Strike, which is a collaborative pen testing tool that wraps Metasploit, Armitage, nmap and has shortcuts to exploiting your way into a system. I think it was chosen to help facilitate the group activities. This tool is serviceable, even if it hides the interconnections between the pen test tools that it wraps. I need to dig deeper and figure out how to do some of the stuff we talked about in class outside this tool.
Overall I was satisfied, and if I have the budget to attend another training put on by Veris Group next year I'll try to work it into my conference schedule.