Staff Security Engineer, Gatsby, Inc.
Mike Gualtieri is an experienced technologist and entrepreneur who is passionate about cybersecurity and building software. He currently leads the security and compliance initiatives at the cloud and website framework company Gatsby, as Staff Security Engineer. He is also an instructor for the University of Pittsburgh School of Computing & Information, where he has developed curriculum and teaches the two capstone offensive security courses for the Professional Institute. Previously he was the President of the consulting firm Eris Interactive Group, co-founder and Principal Consultant for SAVIO Information Security, and the innovator of Kiddix, a Linux-based OS for kids with integrated parental controls. Mike's enthusiasm for security was apparent at a young age, when he decided to write a program to (weakly) password protect some of his 5.25" floppy disks, only to discover that 20 years later he had to hack into his own files and discover that the secret password was 'ninja'.
Assumed Breach is a penetration testing methodology that helps reduce the cost and complexity of an assessment by providing initial access. At an organization with a traditional on-premises network, an Assumed Breach engagement may provide to the tester Domain User credentials or a workstation joined to the network as a point of initial access. None of this makes sense for cloud-native organizations that have no traditional on-premises network and operate through a stitchwork of disparate vendors and services. Providing credentials to a typical employee account may yield no real ability to move toward a testing goal, and workstations may not even have access to production networks. This talk discusses a methodology for scoping and executing a goal-based Assumed Breach penetration test at a cloud-native organization. Offensive security professionals who come up against a wide variety of targets, as well as organizations who have invested heavily in cloud infrastructure will benefit from the discussion. The talk will work through all testing phases, from intelligence gathering to scoping the attack surface to setting up access at key points in the platform architecture. In addition to methodology, realistic technical examples will be presented. Ultimately the goal of a cloud-native Assumed Breach test remains the same as in a traditional setting, achieving a successful test by delivering impactful results that improve organizational security.
