Whilst there is an indisputable need in any current IT security strategy to conduct penetration tests (in some cases there is an unavoidable compliance requirement that mandates this testing), there is a gap in traditional penetration testing. That gap is simply the lack of confidence in answering the question, "Did my defence-in-depth security controls and security monitoring strategy detect and stop the penetration test successfully?". We often see penetration testing scopes that are directed attacks against web applications, or exploitation of surface-level vulnerabilities, where supplier reports provide one-dimensional recommendations to patch or to make simple configuration changes. These recommendations are not real-world mitigations of the ongoing risks in a business-as-usual context, where what matters is the overall security protecting the applications or the enterprise.
We need to move away from answering the question, "Is my application or enterprise exploitable under specific testing conditions?", and really consider whether the mitigation advice being received is applicable, realistic or complete. Maybe you don't have the ability to patch systems every Patch Tuesday and reboot servers that are required to be always online. Maybe, instead of attacking your web application directly from the perimeter, an advanced threat actor steals legitimate administrative credentials, becomes an insider threat and simply accesses the web server. There is a never-ending series of security angles that can be exploited.
What we should be achieving is answering the question, "Is my application or enterprise exploitable when you consider all of the security investments made to enhance its security?".
To this end, Counterveil have produced a number of penetration test scenarios following CBEST threat modelling: real-world attack scenarios designed to test your enterprise's security capabilities from end to end. This is done using the latest Red Team Tools, Techniques and Procedures (TTPs) pitted against your enterprise security controls and your Blue Team's capability to detect, protect against and respond to the Red Team's threats.
Our reports also add value over stale penetration testing reports by providing mitigation recommendations for software, operating system and architectural considerations, as well as security monitoring use cases and hunt team indicators for SIEM, IPS/IDS, EPO and other security tooling, to better protect your organisation.
Testing can be conducted in either of two ways:
The first is traditional penetration testing with Blue Team assessment. This is fundamentally traditional penetration testing, but with added reporting and recommendations outlining the security monitoring use cases and indicators that SIEM, IPS/IDS, EPO and other security controls should have detected.
The second is a dedicated Red Team versus Blue Team penetration test. These are narrative-based tests simulating real-world TTPs, and include:
Entry Level - Perimeter Testing, which generates an overt presence that should be easy to detect and defend against. This is largely a surface-level reconnaissance test of the perimeter network and applications: banner lookups, DNS enumeration, brute forcing, SQL injection, cross-site scripting and directory traversal, with no techniques used to hide the presence of the attacks being conducted.
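The overt entry-level probes named above are exactly the activity that the security monitoring use cases in a report should catch. As an added illustration (not Counterveil's code or tooling), the following Python detector runs the corresponding use cases over a constructed web-server access log in Common Log Format: a per-source failed-login threshold for brute forcing, and URL-decoded path signatures for directory traversal, SQL injection and cross-site scripting. The threshold value, the login path and the signature patterns are assumptions chosen for the example, and the log lines are constructed, not real customer data.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access log (Common Log Format); not real customer data.
# 203.0.113.10 hammers the login form, 203.0.113.22 and 203.0.113.33 send
# textbook traversal / SQLi / XSS probes, and 198.51.100.5 is a normal visitor.
SAMPLE_LOG = "\n".join(
    ['203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512']
    + [f'203.0.113.10 - - [10/Oct/2023:13:55:{37 + i} +0000] "POST /login HTTP/1.1" 401 128'
       for i in range(8)]
    + [
        '203.0.113.22 - - [10/Oct/2023:13:56:01 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 404 0',
        '203.0.113.22 - - [10/Oct/2023:13:56:02 +0000] "GET /item?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 2048',
        '203.0.113.33 - - [10/Oct/2023:13:56:05 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 900',
        '198.51.100.5 - - [10/Oct/2023:13:56:09 +0000] "GET /index.html HTTP/1.1" 200 4096',
    ]
)

# Common Log Format: ip ident user [timestamp] "METHOD path PROTOCOL" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Tuning values are assumptions for this example, not vendor defaults.
BRUTE_FORCE_THRESHOLD = 5     # failed logins per source IP before alerting
LOGIN_PATHS = ("/login",)     # application-specific login endpoints

# Signatures for the overt probes in the scenario, applied to the URL-decoded
# path so that simple percent-encoding does not hide them from the use case.
SIGNATURES = {
    "directory_traversal": re.compile(r"\.\.[/\\]"),
    "sql_injection": re.compile(r"'\s*(or|and)\s*'?\w|union\s+select|;\s*drop\s", re.I),
    "cross_site_scripting": re.compile(r"<script|javascript:|onerror\s*=|onload\s*=", re.I),
}


def parse(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = unquote(rec["path"])   # decode %27, %3C, ... before matching
    return rec


def detect(log_text):
    """Run the entry-level use cases over a log and return the resulting alerts.

    Returns {"brute_force": {ip: failed_login_count}, "signature_hits": [(ip, use_case, path)]}.
    """
    failed_logins = Counter()
    hits = []
    for raw in log_text.splitlines():
        rec = parse(raw)
        if rec is None:
            continue            # unparseable line: skip rather than crash the pipeline
        if (rec["method"] == "POST" and rec["path"].startswith(LOGIN_PATHS)
                and rec["status"] in (401, 403)):
            failed_logins[rec["ip"]] += 1
        for use_case, pattern in SIGNATURES.items():
            if pattern.search(rec["path"]):
                hits.append((rec["ip"], use_case, rec["path"]))
    brute_force = {ip: n for ip, n in failed_logins.items() if n >= BRUTE_FORCE_THRESHOLD}
    return {"brute_force": brute_force, "signature_hits": hits}


if __name__ == "__main__":
    alerts = detect(SAMPLE_LOG)
    for ip, count in alerts["brute_force"].items():
        print(f"BRUTE FORCE  {ip}: {count} failed logins")
    for ip, use_case, path in alerts["signature_hits"]:
        print(f"{use_case.upper():22} {ip}: {path}")
```

In a real deployment the same logic would live as SIEM correlation rules (a count-over-window rule for the failed logins and content-match rules for the signatures); the point of running it over the engagement's own logs is to confirm, for each overt probe the Red Team sent, whether an alert actually fired, which is the question the report needs to answer.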
Entry Level - Insider Threat Testing, which generates an overt presence that should be easy to detect and defend against. This largely includes internal reconnaissance, accessing multiple application interfaces, directory services, DNS enumeration, brute forcing applications, privilege escalation, downloading of suspicious tools, testing data leakage, accessing command and control, and using privileged tools such as PowerShell.
Mid Level - Perimeter Covert Testing. This level of testing is designed to make the attackers' presence harder to detect. Tools will be used to create a low-and-slow, below-the-radar attack pattern, with the aim of exploiting any weakness to gain access to an insider asset.
Mid Level - Insider Threat Testing. This level of testing is designed to make the attackers' presence harder to detect. Tools will be used to create a low-and-slow, below-the-radar attack pattern, with the aim of exploiting any weakness to move laterally from a non-privileged user machine to a server asset.
Mid Level - Insider Threat - Malware phishing email detonated. This test makes use of controlled malware that is purposely detonated on a customer desktop or laptop device. The malicious remote access software is then used as the mechanism for the attackers to move laterally from a non-privileged user machine to a server asset.
Mid Level - Insider Threat - Watering-hole malware, deliberate execution. A user deliberately navigates to a newly listed, purpose-built malware-infected website, where they are infected by malware. This malware is then used by the attacker as remote control software, with the aim of moving laterally from a non-privileged user machine to a server asset.
Advanced Level - Supplier or Partner Intrusion. This level of testing involves the co-operation of a supplier: the attacker moves from a trusted network into your organisation's network, exploiting weaknesses and/or credentials to move laterally to a server asset.
Advanced Level - Cloud-Based to Internal Lateral Movement. This level of testing involves the attacker being given access to a cloud-based asset, from which they move from a trusted network into your enterprise network, exploiting weaknesses and/or credentials to move laterally to a server asset.
End Game Objective Scenarios:
Further to the access-gaining tests above, end game objective scenarios add an extra level of realism to the test of your enterprise's risks and security: after gaining access, the attacker's objective is to achieve one of the following:
Gain access to secure assets (PCI / SOX / HIPAA)
Gain access to applications (databases/ HR data)
Beacon malware to command and control servers
Laterally move data between sites / environments
Gain Legitimate Persistence - using corporate credentials and VPN methods
Gain Persistence by instantiating remote access malware
Gain Persistence by instantiating remote access software (TeamViewer / other)
Exfiltrate a piece of data