Ikaros - An attack surface management framework for in-house teams

Transcript

1. Ikaros An attack surface management framework for in-house teams

2. The Team and the PhonePe Appsec Team Prateek - Dev

   Bharath - ASM Techniques Praveen - Architect Pragya - Frontend Hitesh - Secret Scanning

3. Problem statement

4. An organisation has ever evolving digital foot print and attack

   surface. Security teams need to discover new assets, identify exploitable threats, monitor them and alert on them continuously.

5. A light weight, opinionated but fl exible framework using open

   source tools to - • Discover new assets • Identify exploitable threats • Monitor for new threats • Alert us on new threats What did we build? Ikaros

6. What does it look like? Ikaros

7. What does it look like? Ikaros

8. A security framework feedback loop

9. A security framework feedback loop

10. A security framework feedback loop

11. A security framework feedback loop

12. A security framework feedback loop

13. Ikaros - 10K Feet View Ikaros

14. Ikaros - 10K Feet View Seed Information: • Root domain

    names • IP addresses • Network ranges (CIDR) Ikaros

15. Ikaros - 10K Feet View Subdomain Sources: CT Logs, Search

    Engines, DNS Zone fi les, permutation scans, Scraping, Threat Intel APIs etc Related domains: Passive DNS datasets, TLS/SSL Certs etc. 
 
 We use tools like OWASP Amass, Project Discovery Sub fi nder, Chaos DNS datasets, AltDNS to perform discovery. 
 In future, we will be able to identify related assets such as Code Repos & SaaS services etc. 
 
 Ikaros

16. Ikaros - 10K Feet View

17. Ikaros - 10K Feet View Assets: • Subdomains • Code

    Repos • SaaS subscriptions • Network ranges Ikaros

18. Ikaros - 10K Feet View

19. Ikaros - 10K Feet View Identify WAF/CDN/Load balancer: By analysing

    headers, IP ranges, DNS records etc. Identify Tech Stack: By analysing response headers, source code, Behaviour patterns etc. 
 
 Identify services: Using Shodan Internet DB, Censys etc. 
 
 In future, we will perform light weight active scans to improve accuracy and coverage. 
 Ikaros

20. Ikaros - 10K Feet View Ikaros

21. Ikaros - 10K Feet View • Find all domains with

    valid DNS records (Active domains • For all active domains, fi nd if they have services exposed to the Internet (Passive scanning) • For all the services, identify the tech stack they are built on 


22. Ikaros - 10K Feet View Ikaros

23. Ikaros - 10K Feet View • Find application vulnerabilities using

    patterns/templates We use Nuclei - an industry-grade open source scanner. • Find CVEs affecting the tech stack of a service. In future, we will integrate this with Sirius service • Find leaked sensitive information across the Internet (In Progress) Ikaros

24. Ikaros - 10K Feet View Ikaros

25. As a: I want to: So that: Security Engineer be

    able to scan the attack surface of my org really quickly I’m on top of the security issues without a delay

26. Distributed scanning using Ray

27. Ray is an open-source unified compute framework that makes it

    easy to scale AI and Python workloads.
28. None

29. As a: I want to: So that: Ikaros user/dev have

    deep visibility into Ikaros framework at run time So that I can be sure of the scan completeness and debug issues

30. Observability in Ikaros

31. None

32. As a: I want to: So that: Product Security Engineer

    be able to feed the internal information available in the org to the tool It improves the coverage of the tool

33. • Ikaros supports feeding information that is available in the

    org such as • Subdomains from the Nameserver Zone fi les (Route53 etc) • Ability to have team based alerting if the org structure is provided

34. As a: I want to: So that: Vulnerability Manager have

    insights into Ikaros fi ndings in a non tech/friendly way So that I communicate the information across the org

35. Visualisation in Ikaros

36. None

37. • Take the input from IKAROS assets. Subdomain either keywords+Org(ORG+AWS_KEY).

    • In Secret Scanning tool depth(File,Repo,Owner) can be de fi ned. • Based on the above params it crawls through Github APIs to fi nd the results wrt input provided by the user. • If results is identi fi ed, based on the depth it perform the cloning and secret detection operation. 
 
 So good thing about this tool is if you search for the keyword --> if that key is present on that fi le it identi fi es and also other keys also are can be easily identi fi ed. The current tool which are present are identi fi es the results and manually observation is required and it fi nds speci fi c to the input provided by the user. Secret Scanning :
38. None

39. Future road map

40. • Open Source the project with documentation • More tools

    to be integrated == more coverage • Fine tune the secret scanning engine • Report generation capabilities • Fine grain control over modules to run and scheduling • Real time scanning capabilities •

41. Thank you!