Many CISOs swear by penetration testing – simulated attacks on an organisation’s infrastructure (typically cyber infrastructure, but physical security tests can also fall within scope). Yuri Rassega, for example, the CISO of Italian utility Enel, says his company conducts some 400 deep vulnerability tests on the company’s critical assets every year: more than one engagement per working day.
Get your scoping agreement anything less than crystal clear, however, and things can go sideways fast: cybersecurity firm Coalfire’s physical penetration test of an Iowa courthouse saw two of its testers arrested and charged with trespassing.
(As Coalfire lamented: “Coalfire and State Court Administration believed they were in agreement regarding the physical security assessments for the locations included in the scope of work… recent events have shown that [they] had different interpretations of the scope of the agreement.”)
Similar confusion can extend to the definition of penetration testing itself.
As Niels Schweisshelm, a technical programme manager at bug bounty firm HackerOne, tells Computer Business Review: “[It’s important not to] confuse penetration testing with vulnerability assessments. A vulnerability assessment results in an overview of vulnerabilities in a system whereas a penetration [test] uncovers the total impact by combining and exploiting aforementioned vulnerabilities.”
In short, when an attacker breaks into a system it is rarely by finding one large vulnerability that opens up the whole network, though this can happen.
More often, a threat actor compromises a system by finding one low-severity vulnerability and chaining it with a string of other low-severity weaknesses until they have obtained extensive privileges.
Penetration Testing’s Difficult Moments: “They Decided to Go Into Full-on ‘Red Team’ Mode…”
Absolute clarity between client and penetration tester is crucial.
As Andrew van der Stock, a senior principal consultant at Synopsys emphasises: “Real attackers don’t have rules of engagement, time limits, and no boundaries, but we do.”
He adds: “I know of a penetration test at a previous employer where the rules of engagement never mentioned data exfiltration. A young team member discovered a default highly privileged account. That is the finding that should have been reported, but they decided to go into full-on ‘red team’ mode and clone and download a large object for subsequent analysis, which drained the system of disk space. This incident led to a difficult conversation with both the client and the tester…”
Consent and communication, in short, are king.
Pick Your Vendor Carefully…
Rob Downie, Principal Consultant and Red Team Lead at Context Information Security, tells Computer Business Review: “Pen testing with broader scopes and with more freedom to operate are often discussed under the umbrella terms of ‘red teams’ or ‘simulated attacks’. These are looking at the full range of security controls that might be in place and are often done to test more advanced and established defensive teams, evaluating the people, process and technology interplays for weaknesses.”
He adds: “This can provide real-world insights into the defensive performance of organisations, but also requires some of the greatest levels of professional expertise to plan, risk manage and deliver in a safe and controlled manner – making vendor selection even more important for companies seeking this service.”
What Makes a Good Penetration tester?
Clearly an in-depth knowledge of operating systems and protocols is a key element. A keen eye for how applications and tools work and interact with each other helps in finding the low-severity vulnerabilities that can be stacked into something serious.
But as David Hartley, technical director of F-Secure Consulting emphasises, good offensive security skills are just the start. “Ultimately the most important tools in a penetration tester’s tool box are Word and Powerpoint,” he notes.
“Clients are looking for outcomes and realise the value not by how technically astute the penetration tester is, but how useful and actionable the results of the test are to them. Penetration tests are deeply technical assessments and the results are not always easily understood by non-techies.”
He adds: “Helping the board understand the significance of the findings, mapping them to business risk; as well as helping them to address them can be a real challenge. This is often best done graphically with an illustration of an Attack Path as a map, as opposed to screenshots of shells on servers.”
Tools the Experts Use
So what kind of nasties are offensive security types rolling out against your business? Niels Schweisshelm, technical program manager, HackerOne explains: “What tooling a pen tester requires is dependent on the type of assessment.
“Most pen-testers will use Burp Suite for web application penetration testing, whereas Nmap or Masscan are more important during infrastructure penetration testing. Regardless of the testing activity, it is crucial that a penetration tester understands the purpose of their target and is able to modify existing tooling or write new tools to accommodate their testing needs.”
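The scoping lessons earlier in this piece (the Coalfire arrests, the data-exfiltration incident van der Stock describes) and the infrastructure tooling Schweisshelm mentions meet in one practical place: the tester’s own pre-flight check that a target and an action are actually covered by the rules of engagement before Nmap or Masscan is pointed at anything. The following is an added example written for this page, not code from Computer Business Review, HackerOne or any of the vendors quoted; the scope-file format, the hosts and addresses, the testing window and the action names are all constructed for illustration.

```python
"""Scope gate: refuse to hand a scanner any target or action the signed rules
of engagement do not cover.  Added illustration; the scope-file format below
is invented for this example and is not any vendor's or tool's format."""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass
class RulesOfEngagement:
    networks: list = field(default_factory=list)   # in-scope ip_network objects
    hostnames: set = field(default_factory=set)    # in-scope host names, lower-cased
    window_start: Optional[datetime] = None        # agreed testing window (UTC)
    window_end: Optional[datetime] = None
    allowed_actions: set = field(default_factory=set)  # e.g. {"scan", "exploit"}


def _utc(stamp: str) -> datetime:
    # Timestamps in the scope file are written as 2024-03-04T08:00Z (UTC).
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%MZ").replace(tzinfo=timezone.utc)


def parse_roe(text: str) -> RulesOfEngagement:
    """Parse the constructed 'network/host/window/allow' scope format."""
    roe = RulesOfEngagement()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and blanks
        if not line:
            continue
        kind, *args = line.split()
        if kind == "network":
            # strict=True rejects a CIDR with host bits set, a common typo
            roe.networks.append(ipaddress.ip_network(args[0], strict=True))
        elif kind == "host":
            roe.hostnames.add(args[0].lower())
        elif kind == "window":
            roe.window_start, roe.window_end = _utc(args[0]), _utc(args[1])
        elif kind == "allow":
            roe.allowed_actions.add(args[0].lower())
        else:
            raise ValueError(f"unknown scope directive: {line!r}")
    if roe.window_start is None or not roe.allowed_actions:
        raise ValueError("scope must define a window and at least one allowed action")
    return roe


def check_target(roe: RulesOfEngagement, target: str, action: str, now: datetime):
    """Return (True, 'ok') or (False, reason).  Anything not explicitly
    permitted is refused: the action is checked first, so a permitted host
    still cannot be used for an action (such as exfiltration) the ROE omits."""
    if action.lower() not in roe.allowed_actions:
        return False, f"action {action!r} not in rules of engagement"
    if not roe.window_start <= now <= roe.window_end:
        return False, "outside agreed testing window"
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:                             # not an IP: treat as a host name
        if target.lower() in roe.hostnames:
            return True, "ok"
        return False, f"host {target!r} not in scope"
    if any(addr in net for net in roe.networks):
        return True, "ok"
    return False, f"address {target} not in any in-scope network"


def gate_targets(roe, targets, action, now):
    """Split a target list into the allowed subset and a dict of rejections."""
    allowed, rejected = [], {}
    for t in targets:
        ok, why = check_target(roe, t, action, now)
        if ok:
            allowed.append(t)
        else:
            rejected[t] = why
    return allowed, rejected


def nmap_argv(roe, targets, now):
    """Build the Nmap command for the in-scope targets only (not executed here).
    Returns (argv or None, rejected)."""
    allowed, rejected = gate_targets(roe, targets, "scan", now)
    if not allowed:
        return None, rejected
    return ["nmap", "-sV", "-oA", "scope-checked", *allowed], rejected


# Constructed sample scope: not a real engagement, real network or real host.
SCOPE_FILE = """\
network 10.20.0.0/24
network 192.0.2.0/28
host portal.example.test
window 2024-03-04T08:00Z 2024-03-04T18:00Z
allow scan
allow exploit
# deliberately no 'allow exfiltrate' line
"""
ROE = parse_roe(SCOPE_FILE)
NOW = datetime(2024, 3, 4, 10, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    argv, rejected = nmap_argv(ROE, ["10.20.0.17", "portal.example.test", "10.20.1.5"], NOW)
    print("would run:", " ".join(argv))
    for target, why in rejected.items():
        print(f"refused {target}: {why}")
    print(check_target(ROE, "10.20.0.17", "exfiltrate", NOW))
```

The point of the gate is the default: a host that is in scope for scanning and exploitation is still refused for an action the agreement never mentioned, which is exactly the case van der Stock describes. It is a discipline aid for the tester, not a substitute for the written agreement and a named client contact to call when the scope looks ambiguous.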
Synopsys’ van der Stock adds: “Most people will answer this question with the name of their favourite tool or distro such as “Burp Suite Pro” or “Kali,” but the most essential part of a pen-tester’s kit is their brain.
“If you can’t think of bad things to do, no tool will help you. The second most important tool, in my opinion, is a vulnerable application to practice on, such as OWASP Juice Shop or any number of vulnerable Capture the Flag (CTF) virtual machines. These allow pen testers to practice and hone techniques that they may only come across in the real world once in a blue moon.”
Ultimately, he notes, they need to “think Evil. Abuse case generation and verification is the primary skill of a penetration tester. If a penetration tester thinks their job is babysitting automated tools and triaging results, that is both soul-destroying work and that tester is not performing a penetration test, but a vulnerability scan. Most high impact issues we find today are rarely automatically detectable and exploitable.”