Sam Humphries, Security Strategist at Exabeam, looks at the key benefits of penetration testing and how organisations can use it to significantly improve their security posture against real-world threats.
Many organisations invest heavily in their cybersecurity programmes, only to discover they overlooked or missed something significant the moment a real cyber-attack actually takes place. For this reason, it’s absolutely imperative to regularly test security systems, processes and personnel, in order to identify vulnerabilities and gaps before somebody with more nefarious intentions finds them first. One of the best ways to do this is through the use of penetration testing (pentesting), which not only helps pinpoint potential weaknesses, but also provides security personnel with vital experience in how to operate under the pressure of a real-world attack.
Pentesting is a highly effective form of ethical hacking
The versatile nature of pentesting means it isn’t just limited to networks and can also be performed against single web applications, or subsets of the network or infrastructure. Tests can also be internal (starting inside the network), external (starting outside the perimeter), or physical, where the tester attempts to gain physical access to the organisation using techniques like social engineering.
Pentesting is typically performed by ethical hackers, either from a third party company or an in-house “red team”, who attempt to breach an organisation’s security systems in a safe and controlled manner. Scope is predefined before the engagement takes place, to ensure both sides are covered contractually, and can often include special terms around business critical systems. Third-party engagements also tend to be time bound for cost purposes, although this does somewhat limit the ‘real world experience’ as attackers aren’t up against a clock. At the end of any engagement, key findings and/or recommendations are reported back to the organisation for remedying vulnerabilities found.
The five phases of network pentesting
The pentesting process is designed to emulate the cyber security kill chain and typically consists of five key phases:
Phase One: Planning
The planning phase involves discussions with the organisation who ordered the test, to understand the key goals and scope, the systems to be tested, and best testing methods. Some penetration tests may be open-ended and some may test specific malicious tactics, techniques and procedures (TTPs). Pentesters will also gather intelligence at this stage to understand the architecture of the target system(s), its network structure and security tooling.
Phase Two: Scanning
The scanning phase commonly involves using automated tools to analyse the target systems. Pentesters commonly perform static analysis or dynamic analysis, checking the system’s code for bugs or security gaps. They also run system and vulnerability scans, looking for old or unpatched components that may be vulnerable to known exploits.
Phase Three: Gaining Access
Based on the previous phase, the pentester selects a weak point in the target system that they can use to penetrate. They may perform brute force or password cracking attacks to break through weak authentication, perform SQL injection or cross site scripting to run malicious code on the target system, or deliver malware into a system inside the security perimeter.
Phase Four: Maintaining Access
In this phase the pentester will typically act like an advanced persistent threat (APT), looking for ways to escalate privileges and perform lateral movement to gain access to sensitive assets. In this way, they can help the organisation discover vulnerabilities of internal systems (not just those deployed on the security perimeter or network edge), and the security team’s ability to detect malicious activity inside the network.
Phase Five: Feeding Back
At the end of the test, the pentester will compile a report detailing any/all vulnerabilities discovered (including those that were not actually exploited), how they breached the system, which internal systems or sensitive data they were able to compromise, whether they were detected, and how the organisation responded. The organisation can then use this data to remediate vulnerabilities, bolster security processes and adjust security tool configuration.
Tools of the trade
Just like real cyber-criminals, pentesters use automated tools to scan for weak points and carry out their simulated attacks. Here are just a few examples of the tools most commonly used:
Kali – a free tool developed by Offensive Security – is the most common penetration testing operating system. It can be run directly on a machine, or as a virtual machine on Windows/OS X and comes with over 100 penetration testing tools, which can help with information gathering, vulnerability analysis, exploitation, stress testing, password attacks, and more.
John the Ripper
John the Ripper is an open source tool designed to crack encryption and carry out brute force password attacks. It’s an extremely robust tool that can run on a local machine for as long as needed to crack a set of passwords.
Metasploit is a tool used to find, exploit, and validate vulnerabilities. Most versions of Metasploit are available free of charge, although open-core commercial versions are also available. Metasploit has thousands of different exploits, tools, and payloads which can be used individually or chained together. Metasploit modules are commonly created and updated by community contributors.
Know your own vulnerabilities
Unfortunately, when it comes to modern cybercrime, the element of surprise nearly always lies with the attackers. This means organisations must be ready to act anytime, anywhere, using systems and processes that they have complete confidence in. Like so much of life, preparation is key. Pentesting can play a critical role in helping organisations better understand their own vulnerabilities and put the right tools and processes in place to mitigate them before it’s too late.
Bio: Samantha Humphries, Security Strategist at Exabeam
Samantha has 20 years of experience in cyber security, and during this time has held a plethora of roles, one of her favorite titles being Global Threat Response Manager, which definitely sounds more glamorous than it was in reality. She has defined strategy for multiple security products and technologies, helped hundreds of organisations of all shapes, sizes, and geographies recover and learn from cyberattacks, and trained anyone who’ll listen on security concepts and solutions. In her current regeneration, she’s thoroughly enjoying being a part of the global product marketing team at Exabeam, where she has responsibility for EMEA, security strategy, plus anything that has “cloud” in the name. Sam’s a go-to person for data compliance related questions and has to regularly remind people that she isn’t a lawyer, although if she had a time machine she probably would be. She authors articles for various security publications and is a regular speaker and volunteer at industry events, including BSides, IPExpo, CyberSecurityX, The Diana Initiative, and Blue Team Village (DEFCON).