Back To Schedule
Tuesday, January 27 • 5:15pm - 6:15pm
Evolution Of Penetration Testing

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Penetration testing came about because of real world attacks. The industry quickly realized that we need to behave like the attackers to learn how to defend against them, and thus the penetration testing industry was born. Back then if an exploit was found it was released in raw format, possibly/probably perfected by others, and released. Our methodologies and detections for defense against these attacks were derived from this type of approach. This approach became very paint by numbers! The initial onset of penetration testing was derived from real world attacks, and we evolved the penetration testing concept but then stopped a few years ago. We quit mimicking real attackers. Why did we do this? It isn’t because as an industry we didn’t want to continue to advance it, but it was because it became too difficult. Why so difficult? Because the times have changed, and people don’t just give out things like they used to (Attackers especially). True attackers find a vulnerability/exploit and they treat it very special, they understand it, they research all aspects of it, and then they weaponize it. This approach takes time and money. When money got involved the penetration testing industry went in a different direction than real world attacks. Yes our tools replicate “bad” things on networks, but they don’t replicate everything.
We will cover the not so common tactics, techniques, and procedures (TTP) scenarios from real world attacks and show the differences between true attackers and current penetration testers. This talk will focus on the binary and forensic aspects of these scenarios to show the significant differences of true attacks and penetration testers.   


Stephan Chenette

CEO and Founder, AttackIQ, Inc.
Stephan Chenette is the Founder and CTO of AttackIQ, Inc., where he and his team work on adversarial modeling and automated security control validation. Previous to AttackIQ, Stephan held positions as Director of Research for IOActive, Manager of Labs for Websense, and Security Engineer... Read More →
avatar for Russ Gideon

Russ Gideon

Director of Malware Research, Attack Research
Russ Gideon has many years of experience in information security, having fulfilled diverse roles from being a core component of an Incident Response operation to managing an effective Red Team. Russ excels at malware reverse engineering, which enables him to deeply understand how... Read More →

Tuesday January 27, 2015 5:15pm - 6:15pm PST
Annenberg Community Beach House: Track 1 415 Pacific Coast Hwy, Santa Monica, CA 90402

Attendees (0)