
Ikaros - An attack surface management framework for in-house teams

A presentation on Ikaros, an in-house attack surface management framework we built targeting product security teams.

Bharath

July 27, 2023

Transcript

  1. The Team: the PhonePe AppSec Team
     Prateek - Dev; Bharath - ASM Techniques; Praveen - Architect; Pragya - Frontend; Hitesh - Secret Scanning
  2. An organisation has an ever-evolving digital footprint and attack surface. Security teams need to discover new assets, identify exploitable threats, monitor them and alert on them continuously.
  3. What did we build? Ikaros: a lightweight, opinionated but flexible framework using open source tools to:
     • Discover new assets
     • Identify exploitable threats
     • Monitor for new threats
     • Alert us on new threats
  4. Ikaros - 10K Feet View. Seed Information:
     • Root domain names
     • IP addresses
     • Network ranges (CIDR)
     Ikaros
  5. Ikaros - 10K Feet View. Subdomain sources: CT logs, search engines, DNS zone files, permutation scans, scraping, threat intel APIs etc. Related domains: passive DNS datasets, TLS/SSL certs etc.
     We use tools like OWASP Amass, Project Discovery Subfinder, Chaos DNS datasets and AltDNS to perform discovery.
     In future, we will be able to identify related assets such as code repos, SaaS services etc.
  6. Ikaros - 10K Feet View. Assets:
     • Subdomains
     • Code repos
     • SaaS subscriptions
     • Network ranges
  7. Ikaros - 10K Feet View.
     Identify WAF/CDN/load balancer: by analysing headers, IP ranges, DNS records etc.
     Identify tech stack: by analysing response headers, source code, behaviour patterns etc.
     Identify services: using Shodan InternetDB, Censys etc.
     In future, we will perform lightweight active scans to improve accuracy and coverage.
  8. Ikaros - 10K Feet View.
     • Find all domains with valid DNS records (active domains)
     • For all active domains, find whether they have services exposed to the Internet (passive scanning)
     • For all the services, identify the tech stack they are built on
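As an added example (not Ikaros code and not output of Amass, Subfinder or Shodan), the Python below sketches the flow slides 5, 7 and 8 describe: hostnames are pulled from a zone-file export (the internal input slide 14 refers to), filtered to those that still have DNS records, and each live host is labelled with the edge provider and tech stack inferred from response headers and CNAME targets. The zone file, the resolver answers and the HTTP headers are all constructed inline so the pipeline runs offline; the matching rules are a small hand-written table of well-known markers, so they are a starting point, not the framework's real fingerprint database.

```python
import re

# Constructed BIND-style zone export (what a Route53 export looks like); not real infrastructure.
ZONE_FILE = """\
$ORIGIN example.com.
www       300 IN A     203.0.113.10
api       300 IN CNAME api.example.com.edgekey.net.
old-blog  300 IN A     203.0.113.11
_dmarc    300 IN TXT   "v=DMARC1; p=reject"
"""

# Constructed stand-in for a resolver: hostname -> records; an empty list means no answer.
FAKE_DNS = {
    "www.example.com": ["203.0.113.10"],
    "api.example.com": ["api.example.com.edgekey.net."],
    "old-blog.example.com": [],
}

# Constructed response headers per host, standing in for a probe or a passive dataset.
FAKE_HEADERS = {
    "www.example.com": {"Server": "cloudflare", "CF-RAY": "abc-SIN", "X-Powered-By": "PHP/8.1"},
    "api.example.com": {"Server": "AkamaiGHost", "X-AspNet-Version": "4.0.30319"},
}

HOST_RECORD_TYPES = {"A", "AAAA", "CNAME"}

def subdomains_from_zone(zone_text):
    """Collect hostnames from a zone export; only host-type records count, TXT/MX etc. are skipped."""
    origin, hosts = "", set()
    for raw in zone_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        parts = line.split()              # name ttl class type rdata
        if len(parts) < 5 or parts[3] not in HOST_RECORD_TYPES:
            continue
        name = parts[0]
        fqdn = origin if name == "@" else name.rstrip(".") if name.endswith(".") else f"{name}.{origin}"
        hosts.add(fqdn.lower())
    return sorted(hosts)

def active_domains(hosts, resolve):
    """Slide 8, step 1: keep only hosts that resolve (resolve() returns a non-empty record list)."""
    return [h for h in hosts if resolve(h)]

# (header name, substring that must appear in its value, label); "" matches any value.
EDGE_RULES = [
    ("server", "cloudflare", "Cloudflare"),
    ("cf-ray", "", "Cloudflare"),
    ("server", "akamaighost", "Akamai"),
    ("x-amz-cf-id", "", "CloudFront"),
]
TECH_RULES = [
    ("x-powered-by", "php", "PHP"),
    ("x-aspnet-version", "", "ASP.NET"),
    ("server", "nginx", "nginx"),
]
# CNAME target suffixes that reveal the edge provider even when headers are stripped.
CNAME_RULES = [("edgekey.net", "Akamai"), ("cloudfront.net", "CloudFront")]

def _match(headers, rules):
    lower = {k.lower(): v.lower() for k, v in headers.items()}
    return {label for name, needle, label in rules if name in lower and needle in lower[name]}

def fingerprint(host, headers, records):
    """Slides 7 and 8, steps 2-3: label the edge layer and tech stack for one host."""
    edge = _match(headers, EDGE_RULES)
    for suffix, label in CNAME_RULES:
        if any(r.rstrip(".").endswith(suffix) for r in records or []):
            edge.add(label)
    return {"host": host, "edge": sorted(edge), "tech": sorted(_match(headers, TECH_RULES))}

def run_pipeline(zone_text, resolve, fetch_headers):
    """Zone file -> active hosts -> fingerprint, with resolver and header source injected."""
    hosts = active_domains(subdomains_from_zone(zone_text), resolve)
    return [fingerprint(h, fetch_headers(h), resolve(h)) for h in hosts]

if __name__ == "__main__":
    for result in run_pipeline(ZONE_FILE, FAKE_DNS.get, lambda h: FAKE_HEADERS.get(h, {})):
        print(result)
```

Injecting the resolver and header source as callables is the point of the structure: the same pipeline runs against the constructed data here and against a real resolver and a Shodan/Censys lookup in production, which is also what makes the "scan completeness" visibility of slide 12 testable per stage.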

  9. Ikaros - 10K Feet View.
     • Find application vulnerabilities using patterns/templates. We use Nuclei, an industry-grade open source scanner.
     • Find CVEs affecting the tech stack of a service. In future, we will integrate this with the Sirius service.
     • Find leaked sensitive information across the Internet (in progress).
  10. As a: Security Engineer
      I want to: be able to scan the attack surface of my org really quickly
      So that: I'm on top of the security issues without a delay
  11. Ray is an open-source unified compute framework that makes it easy to scale AI and Python workloads.
  12. As a: Ikaros user/dev
      I want to: have deep visibility into the Ikaros framework at run time
      So that: I can be sure of the scan completeness and debug issues
  13. As a: Product Security Engineer
      I want to: be able to feed the internal information available in the org to the tool
      So that: it improves the coverage of the tool
  14. • Ikaros supports feeding information that is available in the org, such as:
        • Subdomains from the nameserver zone files (Route53 etc.)
        • Ability to have team-based alerting if the org structure is provided
  15. As a: Vulnerability Manager
      I want to: have insights into Ikaros findings in a non-technical, friendly way
      So that: I can communicate the information across the org
  16. Secret Scanning:
      • Take the input from Ikaros assets: either a subdomain or keywords + org (e.g. ORG + AWS_KEY).
      • In the secret scanning tool, the depth (File, Repo, Owner) can be defined.
      • Based on the above params it crawls through the GitHub APIs to find results matching the input provided by the user.
      • If results are identified, it performs the cloning and secret detection operation according to the depth.
      The good thing about this tool is that if you search for a keyword and that key is present in a file, it identifies it, and other keys in the same file are also easily identified. The current tools only identify the results specific to the input provided by the user, and manual observation is then required.
  17. What's next:
      • Open source the project with documentation
      • More tools to be integrated == more coverage
      • Fine-tune the secret scanning engine
      • Report generation capabilities
      • Fine-grained control over which modules to run, and scheduling
      • Real-time scanning capabilities