Penetration testing and other technical assessments are designed to be practical, useful exercises to examine your security defenses and look for holes in your network or applications. There’s real value in performing these assessments to see how threat actors might be able to get into your organization and take proactive steps to address any problems. However, if the most “real” part of your assessments are a vendor’s Statement of Work, you need to change how your organization approaches them.
For instance, vulnerability scans are common technical assessments that require someone to manually validate whatever issues are found. An assessor runs an automated vulnerability discovery engine (e.g., Nessus) and separates false-positives from true findings. With the findings in hand, organizations spin-up their configuration management process and develop a plan to patch the critical and high impact findings.
This is a good start, but these actions won’t stop threat actors. In all honesty, many assessments lack realism. Let’s take a closer look at what this means for effective pen testing that can help your organization withstand an attack.
The Importance of Realism
Realistic assessments try to mimic the actions and motives of actual threat actors. Ask any seasoned security professional, and they’ll tell you there’s always a gap between what security operations do versus adversaries. This gap exists because adversaries are usually on the offensive, while security operations try to play catch up in an endless game of cat-and-mouse. As attackers have become more sophisticated, it’s even tougher on security operations to detect their activity fast enough to stop them in their tracks before they compromise the entire environment.
Scope definition is the first area where there’s often a disconnect with reality, as many times organizations aren’t sure what should be included or not in the assessment. For more effective results, consider including the following:
- All domain names an organization owns
- All external and internal IP ranges
- Excluded IP addresses
This list is fairly basic, but that’s the point. If you want the assessment to provide real value, don’t handcuff the assessors. Excluding systems should be done sparingly. Moreover, assessors shouldn’t be locked out of finding vulnerabilities in critical systems.
Verifying Group Access
Assessments that only look for systems-based vulnerabilities aren’t realistic, either. Within every network, there are systems, and on every system, there are people. How those people’s user accounts are designed and managed has a tremendous impact on the overall security of the organization.
On several assessments, our pen testers have seen robust patch management processes across an organization but still identified vulnerabilities. Often, they’ve discovered that the vulnerability was tied to poor identity management practices. This type of vulnerability can give threat actors quick access to the highest privileges within a domain and compromise all systems. Unfortunately, vulnerability scanners don’t report on identity management, so this area can go undetected until an actual attack or compromise highlights it.
Code Execution and Phishing
For a system to be compromised, code must be executed. Even if exploitable vulnerabilities aren’t discovered, the organization should provide assessors with access to a workstation running under the account context of a regular user – that is, someone without admin privileges. With this level of access, assessors can look for any executable code and suggest ways for the organization to improve their detection capabilities. Organizations that understand the conditions for code execution are better equipped to detect and respond to threat actors quickly.
Closely related to code execution is phishing testing with custom payloads. Not only is this effective, it’s a very real attack pattern. Phishing is still the number one method that threat actors use to get access to secured environments. Phishing tests can show not only who takes the bait, but what code is executable through email and web delivery, and what systems assessors can get access to as a result.
After a successful compromise, adversaries really go to work, looking for valuable information like credit card numbers, personal identification numbers, and client data. Without an exfiltration path, though, they can’t easily get this information out of your network.
You can make an assessment more realistic by testing actual protocols and methods that threat actors might use to exfiltrate information. Every path that fails is a win for your organization, and every path that succeeds provides your security team with a clear idea on where you need to plug the holes and add or increase monitoring.
Historically, technical assessments have been driven less by security concerns than by compliance. No matter a company’s risk appetite, threat actors are not slowing down. The value of a realistic penetration test is phenomenal and is something every organization needs to do sooner rather than later.
To learn more about the value of realistic penetration testing for your organization, download our eGuide, “Hacker Secrets Revealed: Five Lessons Learned From Security Assessments.”