Penetration tests are simulated cyber attacks that not only uncover but also exploit vulnerabilities in a company’s applications, infrastructure, or security policies, so that the business can fix them before real attackers do. Although pentesters use the same techniques as malicious actors, the process is legal because it is performed with the consent of the tested organization.
Penetration tests go beyond a traditional vulnerability scan with an automated tool: they can uncover subtle security issues while demonstrating the impact of a cyber attack on the organization, using the latest techniques and the potential synergies among identified security flaws (vulnerability chaining). Armed with this information, the client can patch or mitigate any vulnerabilities found during the tests and repeat the assessment as often as deemed necessary.
So what should organizations expect from a penetration test, and what makes it unique?
Applications and infrastructure
According to Obrela Labs, around 50% of the tests the team carries out assess application security, with the other 50% focused on infrastructure.
Application testing covers web and mobile security, which, thanks to the influence of frameworks such as OWASP, has improved markedly over the last decade. The problems the testers find often relate to design logic and coding practices that may allow application users to exceed their privileges and manipulate the programs.
The other half of penetration testing assesses the external perimeter and the internal infrastructure, either by looking for vulnerable resources within an agreed IP range or domain over the internet or, in the case of an internal test, by connecting a laptop to a network port or Wi-Fi.
“Inside a company, there are always things you can sniff in order to move around and up, escalating privileges as you go,” according to Obrela Labs. “But what makes it meaningful is that we start with the same resources and access that an employee or a vendor/visitor would have – it depends on the scenario that is executed.”
There is no ‘worst vulnerability’, the team says. Most clients’ applications and infrastructure will have vulnerabilities to some extent, hence the need for penetration testers to give clients a heads-up. But finding vulnerabilities is often less important than understanding how they arise in the first place within each company’s wider security culture. It is this that determines what a client does with the information a penetration test gives it.
What recommendations would the Obrela Labs team offer from its experience of penetration testing?
EDR technology is highly effective
The device or endpoint is where attackers often start – the so-called “foothold”. This explains why planting malware through phishing has become so popular: compromise a single client device or end-user account and you have an important vantage point. The good news is that today’s EDR systems deliver good security, especially when coupled with a 24/7 SOC that has MDR capabilities.
“Criminals have to update their techniques constantly to attempt to bypass defense mechanisms such as EDRs. However, even if they are successful, in most cases this will produce activity traces, and ultimately they must still beat the SOCs, and that’s getting harder every year at a significant pace.”
Change creates risk
One reason why financial sector networks are often among the hardest to compromise is that they are stable, with new devices and changes inside the network kept to a minimum. The risk is much greater for organizations in which change is constant and unavoidable because of their business model or digitalization program.
“An organization only needs to screw up once,” says Obrela Labs.
Don’t forget the internal infrastructure
When attackers find a way around the endpoint, trouble always follows.
“Inside a company, the attack surface is larger compared to the external perimeter. It is usually enough to move around and move up, escalating your privileges.” The defense against this is a competent XDR: low-level visibility on the endpoint, telemetry gathering, and anomaly detection that correlates endpoint activity with network traffic both inside the network and leaving it.
Pen test reports are critical intelligence
The report produced at the end of a test by Obrela will contain vital information that clients should act upon. In most cases, the vulnerabilities that served as the initial entry point during a penetration test will be known issues that are already in the public domain. It is often these everyday vulnerabilities, misconfigurations or even conceptual flaws that end up negatively impacting the organization.
“The point is not to prove to the client that someone can get in. The purpose of penetration testing is to provide actionable intelligence to the client, so they understand the importance of cyber security investment and become better prepared.”
But have we acted upon it?
Surprisingly, not all clients follow the advice of penetration tests. This sounds counter-intuitive, but it happens. The tester delivers a report outlining the weaknesses found, along with the recommended changes, patches, and mitigations. In some cases, when the testers return a year later for another test, they find the same vulnerability still unaddressed.
This can happen for a variety of reasons. Fixes and mitigations are not always easy to accommodate, for example in the case of legacy systems. Or perhaps the systems identified as vulnerable are production systems that can’t be taken down without major disruption. A final possibility is that the people reading the report are not the same people who fix the issues. The barrier can be as simple as organizational structure and culture.
A different mindset is the key point
Penetration testing is about telling clients things that are in their interest. Using a trusted company to do this provides an invaluable impartial perspective. The mindset of testers is totally different from that of the network engineer, who is paid to keep systems running. Penetration testing is the mirror image of the criminal mind, using the same modus operandi, tools, and objectives, but with the opposite intent. It is a force for good.