Penetration Testing: Why is a Good Offense the Best Defense?

by: Quentin Rhoads-Herrera – Director, Professional Services

I recently wrote about the steps in the National Institute of Standards and Technology (NIST) incident response (IR) process. IR is a good example of defensive cybersecurity. But you don’t want to wait around for a breach to happen. You can leverage proactive measures, such as penetration (pen) testing, to access your networks vulnerabilities before bad actors can exploit them. Today, I will look at our team’s pen testing process to give you an idea of what to expect if you decide to utilize this service in your environment—a decision I highly recommend.

Penetration testing, often referred to as “ethical hacking”, mimics a real-world attack so you can identify possible vulnerabilities and methods for bypassing security technologies running on your network, system, or application. In addition to showing how well your system could tolerate a real-world attack, penetration testing also helps you determine counter measures you can take to limit threats to your system and how effectively you are able to detect and respond to an attack.

Not all penetration tests are created equal. The complexity of a project can vary from a few days to a few months, and it’s important to know what you want to accomplish before you commit.

Which “box” fits you best?

The volume and type of information you provide to the penetration testing team prior to the execution of your engagement can significantly influence the outcome. Think of it in terms of boxes, where:

• Black box:  Assessors get no data about what they are testing. While having less information might simulate a true attacker, we do not usually recommend this approach to companies who haven’t done a penetration test before or if they don’t have a very mature security program.
• Gray box: Assessors get some data about what they are testing. Gray box does provide some simulation of an attacker, while also providing more information to the assessors, which can result in a higher quality assessment.
• White box: Assessors get whatever data they need to execute the assessment. White box is best if the goal is to identify as many vulnerabilities as possible within a set timeframe, as well as trying to simulate an insider threat. It is very helpful when performing web application assessments, especially when source code is provided, as it gives enough information to the assessors to find those more complex vulnerabilities.

What steps are included in pen testing?

Different vendors follow different processes and use different tools for penetration testing engagements. At CRITICALSTART, our pen testing steps include:

1. Planning/Scoping – Prior to completing a quote for pen testing, our team meets with the customer to define their objectives, which can be as broad as “What vulnerabilities do I have?” or as narrow as verifying Supervisory Control and Data Acquisition (SCADA) security or segmentation of services.
   
2. Reconnaissance (Recon) – It is our goal during recon to find out as much as we can about the organization and the systems they have running. When it comes to web application assessments, assessors will look for technology versions, frameworks used, or if a web application firewall is in use. During the recon phase, we generally look for the following:
   • Domains owned by the organization
   • IP Addresses
   • Web applications and vendor technology leveraged
   • Employees, email address naming schema, password dumps
     
3. Enumeration – After we have completed recon, we enumerate what is running on the customer’s systems. For example, we look for an application’s normal workflow, usernames, passwords, and frameworks (for example, WordPress), operating systems, and the age of their applications. This gives us a better idea of what flaws we need to look at more closely, such as validating network segmentation, to achieve our testing objectives. Within the agreed-upon timeframe, our team looks at every vulnerability possible.
   
4. Discovery/Attack – This phase consists of testing and vulnerability analysis:
   • Initial attacks – Assessor sends the opening round of attacks to gain an initial foothold or obtain information that might expand their attack.
   • Evasion – For this phase, we evaluate our need to evade defenses based on the attack and the defense techniques that might be present. The tools our team uses for pen tests are similar to the ones used by criminals. We also leverage custom tools that are designed to bypass detection. If we need to bypass more sophisticated detections to meet a client objective or to exploit a specific vulnerability, we will craft a special tool for that engagement.  
   • Continued discovery – Assessor looks for alternative access method exposures, including portals to internal servers and other issues, if we have achieved our objectives or as other paths to achieving the same objective.

For example, during this phase, we look for whether individual laptops have access to what hackers need. After this step is completed, we leverage that new information to begin the process over again. With each successive attack, our assessors can gather more information about the systems and network security. This in turn allows them to exploit newly discovered vulnerabilities and gain even further access. 

The Discovery/Attack process continues until we achieve our objectives. It is important to keep in mind that our teams have a finite amount of time to execute a high-quality penetration test, whereas criminals have as long as they need. This is why a structured, repeatable process, executed by very talented people is so critical.  

5. Reporting —The last step in our process is to issue an Executive Summary Report and Full Attack Narrative, which walks through all the steps we took to achieve the stated objectives. Our reports highlight the strengths of the customer’s security posture, what defenses worked, what failed, and what areas still need hardening.  Based on these reports, customers can take our lessons learned and add to their own testing initiatives.

TEAMARES, the cybersecurity consulting practice for CRITICALSTART, helps organizations identify, classify, prioritize, assist in remediation, and mitigate software vulnerabilities.  Talk to one of our experts to learn how to prepare your organization for an incident response—before you are breached.