In our previous blog, we introduced our 2016 top five penetration testing lessons learned blog series. Today, in Part II of this series, we discuss our first finding: insufficient network segmentation.
The Challenges of Network Segmentation
Many of the clients we conduct penetration tests for are larger organizations that have thousands of hosts on a completely flat network. A flat network in this context can be thought of as a network in which all hosts are routable to all other hosts within the network. In other words, it allows any two computers in the organization to communicate with each other, regardless of their geographic location or business purpose. A flat network can make IT administration simpler, but it also drastically increases the organization’s internal attack surface.
Proper network segmentation can be very difficult to implement correctly, especially on networks that have existed without it for many years. It requires an in-depth understanding of the expected network communication within the organization, or else segmentation may stop employees from performing their normal day-to-day work functions.
Lack of network segmentation in and of itself is not a vulnerability or misconfiguration that can be exploited directly. However, it makes the rest of the assessment much easier for us, and enables us to take advantage of misconfigurations anywhere in the organization. If network segmentation is properly implemented, we can only communicate with a limited number of internal resources from our initial point of access. If network segmentation is not properly implemented, though, we can take advantage of that during both the privilege escalation and post-exploitation phases of the assessment.
Abuse During Privilege Escalation Phase
The escalation phase takes place after we have gained initial access. One of the most common methods we use to get that access is through phishing emails to selected targets within the organization. Once we gain initial access, we are usually impersonating a regular non-IT employee (someone without administrative rights). This type of user should only be able to access the few servers and file shares that they need to perform their day-to-day work functions. For example, an initial phishing victim might get us access to an HR user’s workstation. A user in human resources typically would have no reason to access a web server within the IT department, or a payroll system within the finance department.
However, in organizations that do not implement any network segmentation, we are immediately able to see every server (file shares, SQL servers, web servers) and workstation that is connected to the internal network. This simplifies our job because we can start looking for misconfiguration anywhere in the organization to elevate our privileges and gain additional access. For example, we might initially use phishing to compromise the workstation of a user in the organization’s Washington, D.C. marketing department. Then, due to lack of network segmentation, we may identify cleartext credentials on a share in Boston that we could use against a web application in Salt Lake City.
Abuse During the Post-Exploitation Phase
The post-exploitation phase starts after we have gained administrative access within the organization, meaning we have obtained credentials that allow us to log into any domain-joined host. The purpose of this phase is to “show impact” and demonstrate the risk to the organization that comes from the vulnerabilities and misconfigurations previously exploited during the assessment. We usually exfiltrate Personally Identifiable Information (PII) to show the leadership team how someone with unfettered access can get to valuable, confidential information once they’re on the network.
When network segmentation hasn’t been implemented, we can easily jump anywhere we need to go. For instance, we can move from a summer intern’s workstation directly to the workstation of a system administrator in charge of a server holding social security numbers. Even though there is no business reason for the intern to access the sysadmin’s workstation, without proper network segmentation there is nothing stopping those hosts from communicating – and nothing stopping the intern from pulling other employees’ information.
Proper network segmentation (allowing only required communication) can considerably reduce your internal attack surface. When handled correctly, network segmentation minimizes the number of hosts an attacker can potentially exploit, and inhibits an attacker’s ability to spread laterally within an organization. In addition, segmentation can also help defenders detect malicious behavior within their network by alerting on hosts that are attempting to access systems they have no business trying to access.
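As an added illustration of the "allow only required communication" and "alert on hosts reaching where they have no business" points above (example code written for this post, not a tool the authors describe), the script below encodes a small allow-list segmentation policy and checks constructed flow-log lines against it. The segment names, addresses, ports and log format are all assumptions; the scenarios (HR workstation reaching an IT web server, intern workstation reaching a sysadmin workstation) are the ones the post describes.

```python
import ipaddress

# Constructed segments with made-up addressing, not taken from the post.
SEGMENTS = {
    "hr_workstations": ipaddress.ip_network("10.10.0.0/24"),
    "intern_workstations": ipaddress.ip_network("10.20.0.0/24"),
    "sysadmin_workstations": ipaddress.ip_network("10.30.0.0/24"),
    "hr_file_servers": ipaddress.ip_network("10.100.0.0/24"),
    "it_web_servers": ipaddress.ip_network("10.110.0.0/24"),
    "payroll_servers": ipaddress.ip_network("10.120.0.0/24"),
}

# Allow-list of (source segment, destination segment, destination port).
# Anything not listed is denied: only required communication is permitted.
POLICY = {
    ("hr_workstations", "hr_file_servers", 445),
    ("sysadmin_workstations", "it_web_servers", 443),
    ("sysadmin_workstations", "payroll_servers", 22),
}

def segment_of(ip):
    """Map an IP address to its segment name, or 'unknown' if unsegmented."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"

def is_allowed(src_ip, dst_ip, dst_port):
    """Default-deny check of one flow against the segmentation policy."""
    return (segment_of(src_ip), segment_of(dst_ip), dst_port) in POLICY

def flag_violations(flow_lines):
    """Parse 'src=.. dst=.. dport=..' lines; return denied flows for alerting."""
    violations = []
    for line in flow_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        src, dst, port = fields["src"], fields["dst"], int(fields["dport"])
        if not is_allowed(src, dst, port):
            violations.append((src, dst, port, segment_of(src), segment_of(dst)))
    return violations

# Constructed sample flow records (not real logs).
SAMPLE_FLOWS = [
    "src=10.10.0.15 dst=10.100.0.5 dport=445",  # HR -> HR file share: expected
    "src=10.10.0.15 dst=10.110.0.8 dport=443",  # HR -> IT web server: no business need
    "src=10.20.0.7 dst=10.30.0.3 dport=445",    # intern -> sysadmin workstation: alert
    "src=10.30.0.3 dst=10.120.0.9 dport=22",    # sysadmin -> payroll server: expected
]

if __name__ == "__main__":
    for src, dst, port, src_seg, dst_seg in flag_violations(SAMPLE_FLOWS):
        print(f"ALERT {src_seg} ({src}) -> {dst_seg} ({dst}):{port} not in policy")
```

The same policy table doubles as the specification for firewall or ACL rules between segments, so the alert logic and the enforcement stay in agreement.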
Learn more about our penetration testing services, and read our next finding in the blog series about Misconfigured Local Administrative Privileges.