Today’s cybersecurity swings like a pendulum between the latest announced threats and latest security solutions. The majority of cyber activities operate in between the pendulum swings, and within that time new vulnerabilities are discovered and exploited like never before.
This leaves businesses and organizations in a constant need for adaptive and professional protective services. Not only to keep up with emerging threats but also to make sure nothing is left vulnerable or out of regulatory requirement in the process of setting up, transitioning, merging, or maintaining new and legacy systems.
Vulnerability scans are a great tool toward this goal, but they are not and should not be the sole solution, due in part to their static nature. Realistically, a proactive approach to threat hunting and threat mitigation that incorporates the mindset of what an attacker is willing and potentially capable of doing is required.
So, have you considered a pen test? This blog post will cover the benefits of penetration testing and why it’s a critical piece of your security strategy.
Pen testing — or penetration testing — is a controlled evaluation of a network, application, or system’s security through the lens of a threat actor conducting an actual cyber attack and performed by ethical hackers. They can be conducted independently using in-house or third-party testing agents. Pen tests identify exploitable weaknesses and misconfigurations that would allow the initial access, foothold, lateral movement and or other capabilities or resources needed to complete an attacker's objective. As a legitimate security activity, a pen test provides a “reliable way of identifying the risk of vulnerabilities in aggregate” (NIST SP 800-115), as a real world breach is rarely limited to just one method of exploitation.
Vulnerabilities can be endemic to the systems, services, or individual components in use by an organization. They may occur in communication channels, authentication and authorization failures, implementation errors, configuration faults, and other physical or operational deficiencies.
With the possible complexity of any given organization’s environment, NIST (NIST SP 800-53Ar5) proposes that the usefulness of penetration testing “can be viewed not as a means to verify security and privacy features, but rather as a means to enhance the organization’s understanding of the system, uncover weaknesses or deficiencies in the system, and indicate the level of effort required on the part of adversaries to breach the system’s safeguards.”
When defining what a pen test is, it becomes important to note that any given engagement can vary depending on the needs of the business or organization. This is why it is critical to clearly define a scope where factors like the Rules of Engagement (ROE) are recorded and approved by all involved parties. Multiple considerations will be addressed when defining the scope, which will essentially determine the initial level of access to or knowledge of the environment to be assessed (the methodology), the timeline to conduct the test, the type of threat source to simulate, and any limitations to be imposed. To state simply: the goal of the scope is to determine the breadth, depth, and constraints of the pen test.
There are three commonly accepted test methodologies:
Determining the appropriate methodology will be critical to meeting the established testing requirements. For example, if the engagement is confined to a short span of time, or focused on a specific system, it is worth consideration to allow an “assumed breach” approach (Gray-box or White-box) as to not waste valuable time against initial and basic security controls (such as a firewall).
These methodologies can apply to all types of engagements from those focused on cloud architectures to local systems, limited applications and physical security control testing.
Penetration tests can provide a greater level of analysis than would ordinarily be possible for demonstrating the effectiveness of current security controls (and thus affect an organization’s overall security posture), especially when revealing the absence of them. Security Controls that are overlooked or ignored often provide the perfect avenue for a threat actor to gain access to sensitive systems, and so it is strongly recommended the organization or business start with ensuring these are addressed. The latest CIS Controls v8, along with CIS Benchmarks, provide a roadmap of recommended and prioritized actions for scalable cyber defense (up to and including a pen test as it happens) and act as companions to additional frameworks such as PCI DSS, NIST, FISMA, HIPAA, GDPR, and ISO/IEC 27001.
Implementing these will go a long way toward solidifying a basic business cybersecurity strategy, as well as align the organization or business with industry and government security requirements.
As CIS states in Controls v8, “ A successful defensive posture requires a comprehensive program of effective policies and governance, strong technical defenses, combined with appropriate action from people. However, it is rarely perfect. In a complex environment where technology is constantly evolving and new attacker tradecraft appears regularly, enterprises should periodically test their controls to identify gaps and to assess their resiliency. “
Therefore, after establishing that other controls are met, initiating a pen test will reveal security flaws in the way that a real world threat actor would see them, before they are exploited. Whereas a Tabletop Exercise (TTX) as part of Incident Response Management will test the business or organization’s response to an incident, a pen test can reveal deeply rooted technical issues that risk exposing sensitive data to any variety of misuse, corruption, or outright destruction. Ingalls’ Senior Cybersecurity Consultant Scotlyn Clark states, “The purpose of penetration testing is to understand not only whether or not vulnerabilities exist, but if and how they can be exploited. And, if they can be exploited, what’s the consequence?”
Once the pen test is underway, the assessment team will essentially work through 4 phases as laid out in NIST 800-115:
|
Four-Stage Penetration Testing Methodology |
Although the actions performed during testing can vary, this chart provides a generally accepted grouping of what to expect. In a well executed pen test, reporting will exist concurrently with the other phases in order to facilitate critical needs or address concerns that may arise while the engagement is in progress.
Planning
During planning, the groundwork is laid out to determine the communications, the scope, the timeline, the parties that will need to be involved, and any other requirements in order to have a successful pen test. It is recommended that select personnel who are responsible for information security and system/network administrators be in attendance at a minimum.
Discovery
This is the actual beginning of the pen testing activity and typically involves the enumeration of systems and potential resources the pen testing team will look to exploit/utilize further later on. These can be anything from open ports to physical inspections of a facility (in cases where physical pen tests are within scope). Vulnerability scans (such as a Nessus scan) will often be utilized during this phase, but this is only a fraction of the actual work to be done, potential vulnerabilities found during this time will need to be confirmed in the attack phase.
Attack
Once the information is gathered and vulnerabilities in targeted systems are mapped, the attack phase begins. Previously identified potential vulnerabilities will be put through the wringer in attempted exploitation. Anything from weak passwords, active directory misconfigurations, and API mishandling can give rise to additional access. If successful, they are recorded in documentation and recommendations are made to their mitigation. During this time, each successful exploit may lead to additional vulnerabilities as attackers progress through the scope of testing. These will each be analyzed to determine the level of risk to the client and any critical security holes, including those that may cause significant impact outside the scope, should be immediately reported to the client.
Systems that are being tested which are also monitored may witness occasional security alerts, but the goal in a pen test is to operate as quietly as possible, which simulates real-world tactics.
Reporting
As stated earlier, reporting will occur throughout the engagement. During planning, the desired level of communication, personnel to report to, and means of communication should be determined. For subsequent phases, logs and periodic reports are then dispersed according to that initial plan. At the conclusion of the pen test a final report is assembled and reviewed during the post-test debrief.
After the team has completed their assessment, a final report will be prepared and delivered to the client for review. These can take on many forms but in general will contain the following:
It is important to make time after the pen test in order to address and remediate vulnerabilities with a structured approach. Determine a course of action for any finding or vulnerability discovered, identify and document what will be done as a task, assign responsibility for the task, and set the deadline to have it completed. This approach will ensure every issue is handled and that accountability is clearly defined.
There are, of course, many concerns which may arise with paying for anything designed to defeat security. There are three that tend to come up which provide the most agony:
Disruption to Business
There is no guarantee that pen testing activities will avoid disrupting operations. However, a highly skilled and reputable team will possess the required skills to minimize disruptive actions. For example with Ingalls, Scotlyn notes that testing is tailored to our client’s needs, where active testing is scheduled “around times that are less likely to affect employees or operations” and tactics considered too volatile are avoided.
It is a priority second only to protecting clients’ data, to not impact operations.
Handling of Sensitive Data
When determining who will be conducting pen testing services, a highly important consideration should be made as to the standards they hold when handling sensitive data. You should expect all parties to sign an NDA and that the pen testing provider disclose their data destruction/classification policy with regards to the engagement during initial discussion.
But really…how long will this take?
The duration of a pen test depends on factors surrounding the complexity of the target and the objective of the assessment. In general for an average size business or organization, it will likely take one to two weeks. However (especially for comprehensive black-box testing) they can proceed for greater lengths of time. This is due in part to the need of the assessors to build an effective attack path which may include specific tools and tactics such as a phishing campaign. Additionally, engagements with a broader scope or targeted applications with particular complexity can also prolong the overall time it takes to thoroughly complete a pen test.
“Organizations must exercise due diligence in managing information security and privacy risk. This is accomplished, in part, by establishing a comprehensive risk management program“ (NIST SP 800-53)
Many businesses and organizations are now required to enlist third-party pen testing services. Therefore we recommend planning ahead for scheduled testing, as clients may be competing for calendar space to complete them per regulatory deadlines. Also consider that it will take time and resources to both support the testing as well as resolve any critical issues that may be discovered during the engagement, or address any vulnerability findings after reporting.
Ready to move into an improved business security strategy and build a stronger cyber defensive posture? Learn more about our penetration testing and other professional services by reaching out to the experts at Ingalls Professional Consulting Services via our contact form for more information today.