Every year, Delta Risk conducts hundreds of cyber security assessments, including penetration testing, for a wide range of commercial and public sector clients. Many of these organizations share similar weaknesses in their people, processes, and technology, but each assessment also presents new technical challenges for us to solve. In this five-part blog series, we’ll discuss our findings from external pen tests, also known as ethical hacking, against enterprise customers who had already implemented standard security best practices such as two-factor authentication (smart cards), identity and access management controls, restricted administrative privileges, and spam filtering.
Our research has identified the attack vectors bad actors most commonly use to gain initial access to a network and then move through the rest of the organization. Through this series, we will offer our recommendations on how best to combat each scenario. Our objective is to help defenders better understand attacker patterns so they can improve their cyber security posture. It’s also worth noting that, given the international political focus on cyber security and hacking in recent months and the pending Cyber Security Executive Order, pen testing and cyber security assessments may soon become a requirement for all government organizations.
Defining the Delta Risk Penetration Testing Approach
Our pen testers take a direct, simulated attack approach against some of the toughest security defenses. For the past four years, we’ve performed penetration tests and red team assessments against many U.S. government departments and agencies, as well as critical infrastructure organizations.
Our penetration tests assess the effectiveness of security operations people, processes, and technology. We typically allocate one week for an external engagement and one week for an internal engagement. The external portion is conducted remotely and replicates an attack path that a geographically separated adversary might take. Unless the client specifies otherwise, the test is conducted “black-box” style, where the testers have minimal knowledge of the organization beforehand.
Our goal is to mimic adversaries as closely as possible while remaining tool-agnostic: we simply use the best tools and techniques for each job. The technical objective of our assessments is to emulate an outside adversary who gains access to the internal network, escalates privileges, and obtains sensitive information. The intent is not to find every single vulnerability, as a vulnerability scan might, but rather to find some of the vulnerabilities that exist and attempt to exploit them along a realistic attack path.
What You Can Expect to Learn From This Blog Series
As we share our top five critical findings and lessons learned from 2016 external assessments, we’ll reveal weaknesses our testers exploited and offer vendor-neutral solutions for resolving each of these issues. The topics we’ll discuss include phishing, kerberoasting, administrative passwords on file shares, and misconfigured local administrative privileges.
In our next blog, we’ll explain why insufficient network segmentation on its own isn’t an exploitable vulnerability, but how a lack of segmentation expands your organization’s internal attack surface once an attacker has gained any foothold.