image_3.jpg

WHAT IS PENETRATION TESTING

Penetration testing is usually rolled into one big umbrella with all security assessments. A lot of people do not understand the differences between a Penetration Test, a Vulnerability Assessment, and a Red Team Assessment, so they call them all Penetration Testing. However, this is a misconception. While they may have similar components, each one is different and should be used in different contexts.

At its core, real Penetration Testing is testing to find as many vulnerabilities and configuration issues as possible in the time allotted, and exploiting those vulnerabilities to determine the risk of the vulnerability. This does not necessarily mean uncovering new vulnerabilities (zero days), it's more often looking for known, unpatched vulnerabilities. Just like Vulnerability Assessments, Penetration Testing is designed to find vulnerabilities and assess to ensure they are not false positives. However, Penetration Testing goes further, as the tester attempts to exploit a vulnerability. This can be done numerous ways and, once a vulnerability is exploited, a good tester will not stop. They will continue to find and exploit other vulnerabilities, chaining attacks together, to reach their goal. Each organization is different, so this goal may change, but usually includes access to Personally Identifiable Information (PII), Protected Health Information (PHI), and trade secrets. Sometimes this requires Domain Administrator access; often it does not or Domain Administrator is not enough.

Penetration testing typically includes network penetration testing and application security testing as well as controls and processes around the networks and applications, and should occur from both outside the network trying to come in (External Testing) and from inside the network (Internal Testing).

Who needs a penetration test? Some governing authorities require it, such as SOX and HIPAA, but organizations already performing regular security audits internally, and implementing security training and monitoring, are likely ready for a penetration test.

WHAT IS RED TEAM ASSESSMENT

A Red Team Assessment is similar to a penetration test in many ways but is more targeted. The goal of the Red Team Assessment is NOT to find as many vulnerabilities as possible. The goal is to test the organization's detection and response capabilities. The red team will try to get in and access sensitive information in any way possible, as quietly as possible. The Red Team Assessment emulates a malicious actor targeting attacks and looking to avoid detection, similar to an Advanced Persistent Threat (APT). (Ugh! I said it…) Red Team Assessments are also normally longer in duration than Penetration Tests. A Penetration Test often takes place over 1-2 weeks, whereas a Red Team Assessment could be over 3-4 weeks or longer, and often consists of multiple people.

image_1.png

A Red Team Assessment does not look for multiple vulnerabilities but for those vulnerabilities that will achieve their goals. The goals are often the same as the Penetration Test. Methods used during a Red Team Assessment include Social Engineering (Physical and Electronic), Wireless, External, and more. A Red Team Assessment is NOT for everyone though and should be performed by organizations with mature security programs. These are organizations that often have penetration tests done, have patched most vulnerabilities, and have generally positive penetration test results.

The Red Team Assessment might consist of the following:

A member of the Red Team poses as a Fed-Ex delivery driver and accesses the building. Once inside, the Team member plants a device on the network for easy remote access. This device tunnels out using a common port allowed outbound, such as port 80, 443, or 53 (HTTP, HTTPS, or DNS), and establishes a command and control (C2) channel to the Red Team's servers. Another Team member picks up the C2 channel and pivots around the network, possibly using insecure printers or other devices that will take the sights off the device placed. The Team members then pivot around the network until they reach their goal, taking their time to avoid detection.

This is just one of innumerable methods a Red Team may operate but is a good example of some tests we have performed

Penetration Testing Methodology

Once the threats and vulnerabilities have been evaluated, the penetration testing should address the risks identified throughout the environment. The penetration testing should be appropriate for the complexity and size of an organization. All locations of sensitive data; all key applications that store, process or transmit such data; all key network connections; and all key access points should be included. The penetration testing should attempt to exploit security vulnerabilities and weaknesses throughout the environment, attempting to penetrate both at the network level and key applications. The goal of penetration testing is to determine if unauthorized access to key systems and files can be achieved. If access is achieved, the vulnerability should be corrected and the penetration testing re-performed until the test is clean and no longer allows unauthorized access or other malicious activity.

PENETRATION TESTING STAGES

The pen testing process can be broken down into five stages. 
pen-testing.jpgimage_3.jpeg
  
1553179612591-755.png
  1. Planning and reconnaissance
    The first stage involves:
    • Defining the scope and goals of a test, including the systems to be addressed and the testing methods to be used.
    • Gathering intelligence (e.g., network and domain names, mail server) to better understand how a target works and its potential vulnerabilities.
  2. Scanning
    The next step is to understand how the target application will respond to various intrusion attempts. This is typically done using:
    • Static analysis – Inspecting an application's code to estimate the way it behaves while running. These tools can scan the entirety of the code in a single pass.
    • Dynamic analysis – Inspecting an application's code in a running state. This is a more practical way of scanning, as it provides a real-time view into an application's performance.
  3. Gaining access
    This stage uses web application attacks, such as cross-site scripting, SQL injection and backdoors, to uncover a target's vulnerabilities. Testers then try and exploit these vulnerabilities, typically by escalating privileges, stealing data, intercepting traffic, etc., to understand the damage they can cause.
  4. Maintaining access
    The goal of this stage is to see if the vulnerability can be used to achieve a persistent presence in the exploited system— long enough for a bad actor to gain in-depth access. The idea is to imitate advanced persistent threats, which often remain in a system for months in order to steal an organization’s most sensitive data.
  5. Analysis
    The results of the penetration test are then compiled into a report detailing:
    • The amount of time the pen tester was able to remain in the system undetected
    • Sensitive data that was accessed
    • Specific vulnerabilities that were exploited

PENETRATION TESTING METHODS

External Testing

External penetration tests target the assets of a company that are visible on the internet, e.g., the web application itself, the company website, and email and domain name servers (DNS). The goal is to gain access and extract valuable data.

Internal Testing

In an internal test, a tester with access to an application behind its firewall simulates an attack by a malicious insider. This isn't necessarily simulating a rogue employee. A common starting scenario can be an employee whose credentials were stolen due to a phishing attack.


References


  1. Penetration Testing (incapsula.com)
  2. Penetration Testing (veracode.com)
Tags:
Created by wizard32 on 2020/04/28 13:20
   

Red Teaming

Social Engineering

Web Application

©2020 Return0. All rights reserved