PoC | Kharim Mchatta
Author: Kharim Haji Mchatta
Title: How to do a Presentation on PoC
Date: 1/17/2020
PROOF OF CONCEPT (PoC)

I recently came across a penetration test which taught me how to do a Proof of Concept, which I had never done before. This penetration test also taught me how to break down the attack in such a way that people in the corporate world would understand the impact of the vulnerability that was found.

This article will focus on teaching penetration testers how to present a vulnerability to the corporate world in a professional manner, show them the impact the vulnerability has on their business, and avoid being too technical. Your presentation should be moderate: not so technical that the business people cannot follow what is going on, but technical enough that it also keeps the technical people engaged.

In the corporate world there is only one language they understand, and since you are pitching an idea to them, you should make sure you cover at least one of these aspects in order to win the business people over. The aspects that should be included in your pitch are:

(a) Loss of reputation
(b) Financial loss

If your pitch doesn't address at least one of those aspects, then you won't succeed in getting the business people on board with what you are presenting.

After adding the company logo on the first slide and introducing yourself on the second slide, you start by explaining to them what the problem is, with the aid of a vector diagram which illustrates how you did the attack in a holistic view. Below is an example of a vector diagram.
As you can see, the above vector diagram demonstrates visually what went right and what went wrong, and this is best practice when doing a PoC presentation: apart from showing that you were able to find a vulnerability in their system, you need to show that there were some things you could not manage to do because they have a firewall in place, or an IDPS in place, etc. Business people want to see what they are doing well.

On the next slide you would show either graphs or tables and a few statistics about your vulnerability, but you need to keep it as simple as possible. For this penetration test I created a vulnerability metric table which showed the threat agent in place, attack vector, weakness prevalence, weakness detectability, technical impact and business impact, and provided a rating for it. Below is an example of the vulnerability metric table I had created.
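The following is an added example, not code from the original article, showing one way to produce the rating column of such a vulnerability metric table. The article's columns (threat agent, attack vector, weakness prevalence, weakness detectability, technical impact, business impact) closely match the OWASP Top 10 2017 risk table, so the example assumes that scheme: each scored factor is 1 (lowest risk) to 3 (highest), and the score is the mean of attack vector, prevalence and detectability multiplied by technical impact. The article does not state which scale it used, so that choice, the High/Medium/Low bands, and the sample finding are all assumptions made for this example.

```python
"""Added example (not from the original article): scoring a finding for a
vulnerability metric table.

Assumption: the OWASP Top 10 2017 scale. Each scored factor is 1 (lowest
risk) to 3 (highest), and score = mean(attack vector, prevalence,
detectability) * technical impact, giving a range of 1.0 to 9.0. The
rating bands and the sample finding are constructed for this example.
"""
from dataclasses import dataclass

# Allowed labels per scored factor, mapped to the OWASP Top 10 2017 values.
SCALES = {
    "attack_vector":    {"difficult": 1, "average": 2, "easy": 3},
    "prevalence":       {"uncommon": 1, "common": 2, "widespread": 3},
    "detectability":    {"difficult": 1, "average": 2, "easy": 3},
    "technical_impact": {"minor": 1, "moderate": 2, "severe": 3},
}


@dataclass(frozen=True)
class Finding:
    title: str
    threat_agent: str       # free text in the table, not scored
    attack_vector: str
    prevalence: str
    detectability: str
    technical_impact: str
    business_impact: str    # free text: tie it to reputation or financial loss


def factor(name: str, label: str) -> int:
    """Look up one factor's numeric value. Labels not on the scale are
    rejected so a typo in the deck cannot silently produce a wrong rating."""
    try:
        return SCALES[name][label.strip().lower()]
    except KeyError:
        raise ValueError(
            f"{name}: expected one of {sorted(SCALES[name])}, got {label!r}"
        ) from None


def risk_score(f: Finding) -> float:
    """Likelihood (mean of the three likelihood factors) times technical
    impact, as in the OWASP Top 10 2017 methodology."""
    likelihood = (
        factor("attack_vector", f.attack_vector)
        + factor("prevalence", f.prevalence)
        + factor("detectability", f.detectability)
    ) / 3
    return round(likelihood * factor("technical_impact", f.technical_impact), 2)


def rating(score: float) -> str:
    """Map the score to a word for the slide. The bands are an assumption
    made for presentation; OWASP publishes numeric scores only."""
    if score >= 6.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def metric_table(findings: list[Finding]) -> str:
    """Render the table as aligned plain text, one row per finding, so it
    can be pasted into a slide or report."""
    header = ("Finding", "Threat agent", "Attack vector", "Prevalence",
              "Detectability", "Technical impact", "Business impact",
              "Score", "Rating")
    rows = [header]
    for f in findings:
        s = risk_score(f)
        rows.append((f.title, f.threat_agent, f.attack_vector, f.prevalence,
                     f.detectability, f.technical_impact, f.business_impact,
                     f"{s:.1f}", rating(s)))
    widths = [max(len(r[i]) for r in rows) for i in range(len(header))]
    return "\n".join(
        " | ".join(c.ljust(w) for c, w in zip(r, widths)) for r in rows
    )


# Constructed sample modelled on the article's scenario: credentials found
# in public sources and replayed against an exposed login that permits
# password guessing. The factor values are assumptions for the example.
SAMPLE = Finding(
    title="Brute force using publicly exposed credentials",
    threat_agent="External attacker using public information",
    attack_vector="easy",
    prevalence="common",
    detectability="average",
    technical_impact="severe",
    business_impact="Account takeover; reputation and financial loss",
)

if __name__ == "__main__":
    print(metric_table([SAMPLE]))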
The next step is to provide a detailed explanation of your attack: what your objective for doing the test was, what possible attacks could be done on the platform, the weakness found in the web app and what opened the vulnerability, the conditions that need to be met for the attack to be successful, and finally how the information collected by an attacker could be used to execute the attack.

In this penetration test that I was doing for my client, I started by explaining the test I was doing, which was trying to see if there was any possibility for me to collect publicly available information, which included valid credentials, and try to interact with the authentication mechanism, which could lead to a brute force attack by finding the corresponding passwords. Next, I explained what led to the vulnerability, which in this penetration test was a consequence of a misconfiguration, and I addressed what conditions should be met in order for an attack to be successful. The last step, based on my objective, was to demonstrate the information that I managed to obtain during the penetration test that I had performed.

It is very important to provide a disclaimer to clarify that what you were doing wasn't illegal. Based on the penetration test that I was doing, I had to clarify that it was okay because I was obtaining publicly available information and everything that I was doing was non-intrusive, meaning I was still maintaining my line of ethics as an ethical hacker.

Then, last but not least, as an expert and as best practice, provide recommendations on how they could fix the vulnerability.

Lessons Learned:
1. How to professionally represent the problem as a proof of concept by demonstrating the attack vectors with the aid of diagrams, for better visualization of their problem
2. How to create a vulnerability metric table and grade the vulnerability
3. Providing a detailed description of the problem and adding a disclaimer for personal protection against the law
4. Providing simple yet straightforward recommendations