Penetration testing is in the eye of the beholder

[ This article was originally published here ]

 “Beauty is in the eye of the beholder.” A famous phrase known to all indicates that our perceptions influence our definitions. The same can be said about penetration testing. Often when clients approach us for what they believe to be a penetration test, their definition and needs do not necessarily meet the accepted approach of those within the security field.

From an organizational perspective, the objective of a penetration test is to validate the policy controls in place to identify deficiencies creating potential risk. In the mind of a penetration tester, their goal is to gain access to systems and applications that will lead to the disclosure of sensitive information. Often, penetration testing is required by compliance to be performed against the entire organizational environment or a selected set of assets supporting a regulated function. Even in the absence of compliance requirements, it is best practice to conduct offensive security assessments of an organization's assets frequently.

Real attackers do not have a scope and can attack an organization in numerous ways, such as directly attacking internet-facing systems and applications or targeting people. A secondary goal is to identify vulnerabilities that attackers can abuse with other techniques outside the scope or rules of engagement for a given test.

All penetration tests, irrespective of the type, typically include the same steps.

  1. Reconnaissance: The details of the target as disclosed by the organization are researched. This typically involves extensive OSINT (Open-source intelligence) that will assist the tester as they progress through other phases. Additionally, this helps identify targets for the tester if none are provided as part of initial scoping efforts with the client. Artifacts produced from this phase can include but are not limited to hostnames, IP addresses, employee names, and email addresses.
  2. Attack surface enumeration: During this phase of an assessment, the elements an attacker can interface with are enumerated. In the case of social engineering, the object being attacked can be a service, a web application, or even people and buildings. Every parameter or interface that can be interacted with is identified.
  3. Vulnerability detection:  A vulnerability is a weakness within a resource that can be exploited by an attacker leading to unintended consequences such as system access, information disclosure, or denial of service. During this phase, vulnerabilities are identified that can be potentially exploited by an attacker.
  4. Exploitation: The previously identified vulnerabilities are exploited by the penetration tester. Data and access obtained are leveraged to gain additional access or to access further sensitive data.
  5. Reporting: Collection of relevant artifacts performed through the course of the assessment. After active testing, relevant data is correlated and represented to the client in a clear format with actionable remediation details. The analysis provides management and executive teams with the assessment synopsis and suggested remediation actions.
  6. Remediation and retesting: The testing results are addressed by the assessed organization. The typical avenue of addressing findings is the remediation of the discovered vulnerabilities within the organizations' established policy and processes. There will be circumstances where a discovered vulnerability cannot be remediated directly but can be addressed via other mechanisms such as additional security measures or compensating controls. Sometimes, the organization may require written proof for auditors supporting compliance efforts. The penetration tester can be re-engaged to provide evidence of remediation or assess the mitigating controls.

Counter-intuitively, these phases are not necessarily traversed linearly, and a penetration tester may revisit previous phases as necessary.

AT&T Cybersecurity Consulting conducts several types of penetration testing for our clients. The three main categories are network penetration testing, application penetration testing, and social engineering.

Network penetration testing

Wireless network penetration testing: This type of test involves a penetration tester assessing the wireless network defined by a client. The tester will look for known weaknesses in wireless encryption attempting to crack keys, entice users to provide credentials to evil twin access points or captive folders, and brute force login details. A rogue access point sweep can accompany these assessment types through a physical location and an authenticated wireless segmentation test to determine what an attacker may have access to if they successfully connect to the environment.

External network penetration testing: Internet-facing assets are targeted during an external network penetration test. Typically, target assets are provided by the client, but ” no-scope ” testing can be performed with the client confirming the targets discovered through open-source intelligence (OSINT) efforts. Discovery scanning is performed of in-scope assets, which will then be assessed with commercial-grade vulnerability scanners. The tester will attempt any exploitable vulnerabilities discovered during the scan. Additionally, exposed services that allow for a login will be attacked using password guessing attacks such as brute force or a password spray using usernames collected during OSINT efforts. Exposed websites are typically given additional scrutiny looking for common web vulnerabilities easily observed by an unauthenticated attacker.

Internal network penetration testing: These assessments are performed from the perspective of an attacker who has gained access to the organization's internal network. The penetration tester may come on-site, but in the post-COVID-19 world, internal assessments are typically conducted remotely. Onsite testing can provide a beneficial interaction between the tester and the clients' staff, but remote testing has the financial benefit of reducing expensive travel costs. The tester can negotiate remote access using client provide infrastructure or the tester's physical or virtual remote testing systems.

Application penetration testing

Web application penetration testing: Most organizations use complex web applications that attackers can abuse in numerous well-documented ways. A web application penetration test focuses on the attack surface presented to attackers via a web application. These test types seek to assess the web application used by the average application user and look for innovative methods to access sensitive data or obtain control of the underlying operating system hosted by the web application. During this assessment, the organization will typically provide credential access to the tester to review the entire application as an attacker who has gained that access may do nefariously.

Mobile application penetration testing: Mobile applications are assessed by performing static analysis of compiled mobile applications and dynamic run time analysis of the application as it runs on the device. Additionally, any communications the device participates in are analyzed and assessed. This typically included HTTP connections with HTML data or API calls.

Thick application penetration testing: Compiled applications that run on desktop or server operating systems such as Linux and Windows require sophisticated reverse engineering. This assessment type would include disassembling and decompiling the application and using debuggers to attach to the application as it runs for runtime analysis. Where possible, fuzzing (repeatedly injecting malformed data) of the application's user input parameters is performed to locate bugs that can lead to severe vulnerabilities. As with all assessment application assessment types, the application communications are analyzed to determine if sensitive information is being transmitted in an insecure fashion or if there are opportunities for attacking servers supporting the application.

Social engineering

Email social engineering (phishing): Every organization is being phished by attackers. This assessment type seeks to determine the susceptibility of the organization's user base to fall prey to a spear phishing attack. AT&T Cybersecurity Consulting tailors the attack to be extremely specific to your organization, often posing as support staff directing clients to login portals that are skinned with the organization's logos and language or using other sophisticated attacks determined during assessment collaboration. The goals of these assessments are not to evaluate the effectiveness of the organization's email protections but to determine how the users will react when messages evade those filters. The outcome of these assessments is used to enhance the organization's anti-social engineering awareness programs.

Phone social engineering (vishing): Using caller ID spoofing technology, AT&T Cybersecurity Consultants impersonate users, support staff, or customers. This assessment aims to convince users to perform some action that would disclose information or provide access to an organizational system. Many users will trust the caller based on the source phone number. Other users will detect the attack and respond in various ways, such as confronting the consultant or contacting the information security team after the call. Contingencies for the anticipated user responses are determined as scope and rules of engagement are determined.

Physical social engineering (tailgating/impersonation): An attacker may attempt to enter an organization's facility to gain access to sensitive information or attach an implanted device to provide remote access for later activities. Techniques for gaining access to the building include tailgating and impersonating. AT&T Cybersecurity Consultants will pose as a staff member or vendor during a physical social engineering engagement and attempt to gain access to the organization's facilities. The consultants will use props and costumes to illicit trust on the part of the users.

USB token drops: Users may unwittingly attempt to attach USB devices to the environment. During this assessment type, AT&T Cybersecurity Consultants will deploy what appear to be garden-variety USB thumb drives disguised to entice the user to plug the device into a corporate system. The USB device can simply be a typical drive containing malicious files that establish remote connections or a full keyboard that executes keystrokes when attached. AT&T Cybersecurity Consulting will measure the devices attached and report the engagement results to the client.

SMS social engineering (smishing):  This assessment type is like phishing but delivers enticing messages to users using a short message service better known as SMS or phone text messaging. Like phishing, these engagements will attempt to have users visit sites impersonating the organization or try to deliver a malicious payload.

What penetration testing is not:

There are numerous misconceptions about the nature of penetration testing. Those can include perceptions or similarities to real-world attackers, simulating high network loads, and how the testing team will interface with the organization.

Often clients will attempt to craft rules of engagement to make the rest more realistic to an attacker's behaviors. However, penetration testers have a small amount of time to perform a significant amount of work. In contrast, an attacker can operate in an environment for months very stealthy to evade detection. Penetration testers do not have the luxury of time afforded to attackers. The assessment offered by AT&T Cybersecurity Consulting that most closely matches this is our Red Team Exercise offering. This assessment combines numerous testing types to emulate an attacker's activities as closely as possible.

Penetration testers do their best to avoid causing production impacts during their testing. Denial of service is typically not an activity a tester will engage in during an assessment. In some instances, a denial of service can be conducted against a specific system with a resource consumption vulnerability. Distributed Denial of Service (DDoS) is difficult to simulate and often can impact other organizations that rely on upstream bandwidth shared by the client and are typically not conducted.

The penetration tester will provide brief updates on their activities during a test. Still, due to time constraints, the tester cannot go into detail about specific attacks conducted at certain times. If the organization is looking to confirm detection and countermeasures are effective against explicit attack types, a deliberate effort between the defenders (blue team) and attackers (red team) is combined to make a purple team assessment. This assessment type is much more measured, takes longer to complete, and provides deeper insights in real-time for the effectiveness of various countermeasures and controls.

Conclusion

The various offensive security assessment available to an organization offers an exciting and necessary approach to assessing the security posture. Gaps in the controls, detection methods, and countermeasures adopted by the organization can be identified. The root cause of these identified issues should be corrected in various ways, including specific technical corrections, policies, procedures, and processes. Most large organizations will take a significant amount of time to make these corrections and increases in budgets are typically necessary effectively correct observed vulnerabilities in the long term.

References:

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf

https://owasp.org/www-project-web-security-testing-guide/v41/3-The_OWASP_Testing_Framework/1-Penetration_Testing_Methodologies

https://www.isecom.org/OSSTMM.3.pdf

https://attack.mitre.org/

Ad

No posts to display