![]() ![]() ![]()
When chained together, these vulnerabilities resulted in the ability for an attacker to run arbitrary code on a victim’s computer by having the victim simply visit a maliciously crafted web page. #Update dropbox for mac high sierra softwareOur third-party partner, Syndis, found vulnerabilities in Apple software we use at Dropbox that didn’t just affect our macOS fleet, it affected all Safari users running the latest version at the time-a so-called zero-day vulnerability). However, we didn’t have to simulate this breach. Identifying new ways to break into Dropbox was in scope for this engagement, but even if none were found, we were going to simulate the effects of a breach by just planting malware ourselves (discretely, of course, so as not to tip off the detection and response team). Our testing goals included measuring the steady-state of our detection and alerting program, as well as measuring our team’s response when a breach has been identified. So how do we know we’re doing a good job? That’s the kind of testing we were going for with our most recent attack simulation. Even if an attacker breaks in and accesses various systems in our environments without triggering an alarm, we have extensive instrumentation to trace activity post-exploitation. We’ve invested a lot in our hardening, detection, alerting, and response capabilities at Dropbox. Or at least, if they do raise alarm, be able to accomplish their goals before we’re able to kick them out. #Update dropbox for mac high sierra how toThey need to learn how to navigate through our environments, breach other internal security barriers, exfiltrate data out of our networks, and do so without raising alarm. What about post-exploitation? An attacker who wants access to our user data, for example, still has their work cut out for them. ![]() Penetration testing is great for identifying unknown vulnerabilities in your systems and showing how susceptible they are to being exploited however, the tester’s goals are typically limited to just that. We recently conducted an attack simulation as a red team exercise with a third-party vendor. These are the people that leverage real-world adversarial techniques to test and improve the effectiveness of our security program at Dropbox. This post will focus on our Offensive Security team.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |