Posted on 2023-08-01 by Nathan Jarvie in Industry
“Why bother getting a penetration test when we already know they will compromise us? “
“We already know our security sucks, we don’t need someone to tell us that.”
We occassionally hear this sentiment from our clients. Penetration testing is much, much more than just “getting pwned” by your friendly neighbourhood hacker-man. This article goes through the benefits of getting a network penetration test done even when you know there are problems.
Introduction
Getting an external or web application penetration test is a fairly common practice for businesses in this day and age. These services are exposed to the Internet and are therefore a potential target for anyone with an Internet connection and enough spare time. With cyber-attacks being a regular occurrence in the news, it is enough to make any business pay attention.
But what about the internal environment? What could a hacker do if they already had a foothold in your network?
Most businesses don’t find out until it’s too late. The incident has already occured and the IR team are working furiously to recover what they can and get the business back online. The leadership teams debate with insurance companies over paying a ransom that will statistically not result in a better outcome. Once all is said and done there is a promise to stakeholders and clients to improve security so this never happens again.
But security is hard. We, that is to say the Volkis team, have written many blogs, and done in person talks and webinars on the topic. We know security is hard, and that one of the biggest barriers facing ICT support teams is that there is just so much to tackle with a lot of jargon that it becomes overwhelming. Security concerns are difficult to understand and remediate so they get pushed down the priority list until it becomes someone else’s problem. So when the prospect of getting a penetration test is raised, the natural response is:
“Oh man… our network is like swiss cheese. They would pwn us in a second. Why waste our money on something we already know?”
Great question! I am glad you brought it up!
The king and the castle
Consider this scenario. The king of a region is holed up in the throne room of a castle. Surrounding them are layers of walls and narrow hallways, a veritable maze of distractions. Surrounding all of that is a big castle wall and a moat with a draw bridge. While the king may have a couple of guards near by, the majority of the regions defenders are placed around the outer walls, defending against attacks.
Fighting against the outer defences is a losing battle. There are so many defences in place that getting past all of it would be next to impossible. But what happens if someone was to slip past all of it without detection? They could bribe a kitchenhand or convince one of the guards to take an extended break. Attacking the king from the inside would be much easier than attacking through the perimeter. After all, there are much fewer guards on the inside and all attention is on the walls.
But this person may not want to kill the king. they just want to make some coin. So they sell the details of how they got in to the highest bidder. Then they walk away and let the buyer do the dirty(-er) work.
There is a whole black market for footholds in corporate networks. Initial Access Brokers make a lot of money by middle-manning between those who gain access (through hacking, phishing, or coercing an insider) and those who want to access that network. Once inside they could launch ransomware or exfiltrate data for extorsion or activism.
The goal of an internal penetration test is to identify the weaknesses within the castle walls to help defend the king. The key words being help defend. This is achieved by having an expert demonstrate what could be done, and more importantly how to fix it.
The sole deliverable of a penetration test is the report, which should help the IT team to prioritise and address vulnerabilities in a manageable way; but also explain the current security posture and the root causes of the issues at a high level to executives. This helps to build more informed decisions, drive change, and justify resource allocation throughout the business.
We highly recommend viewing our anonymised report, of a real assessment, we completed to get an idea of what you can expect from a penetration test.
IT support teams are not security professionals
IT security is a whole field of study on it’s own, and is not something that every IT professional understands fully. While most IT professionals will understand the basic concepts, detecting vulnerabilities and remediating them is not necessarily a skill-set they possess.
Before you respond with “But we already use a vulnerability scanner”, let me direct you to this blog post by Alexei, which addresses the difference between the different types of assessments.
A professional penetration tester can not only find the vulnerabilities but also exploit them to both verify their existence, and evaluate their impact to the business. This removes false positives and unrealistic exploitation scenarios, and allows the IT team to focus efforts on verified vulnerabilities that are actually a problem.
The outcome is a report that should provide an accurate demonstration of how an attacker may operate within your network, and what areas need to be addressed to limit their opportunities and progress. It may also highlight areas that could be improved by adhering to best practices, despite not being vulnerabilities.
The purpose of this exercise is not to draw attention to the the “failings” of the IT team, but rather to utilise our skill as hackers to prioritise which vulnerabilities need to be addressed quickly, and which are less pressing. Additionally, it can help highlight all the “quick wins” the IT team can make to create drastic improvement in the security posture of the business with little overhead.
Finding vulnerabilities and testing them for impact against business operations
Hiring a professional penetration tester to perform a penetration test ensures that vulnerabilities within the network are not only detected, but analysed for business impact. This analysis allows both technical and non-technical readers to understand the individual risks associated with each vulnerability, implications for exploitation, and provides an overview of the security posture of the business.
The penetration tester will work with the IT team to get you the most value out of the engagement. This includes prioritising areas of weakness that would cause the largest impact to the business, such as a demonstrating breaching of a database of client PII (Personably Identifiable Information), or highlighting opportunities to disrupt operations.
Remediation advice for each vulnerability is provided. Depending on the vulnerability this may be detailed technical advice, or more general recommendations to align with industry best practice.
Penetration test reports and remediation plans can assist with justifying department resources (budget, personnel, or time), and can be used to bolster faith and trust in the business for shareholders.
Impactful vulnerabilities are prioritised for remediation
The most valuable aspect of penetration testing is that on completion, both the executives and the IT team will have a detailed list of issues they need to resolve.
Instead of a vulnerability analysis (read: scan) in which there may be thousands of individual items to resolve, with descriptions that don’t explain anything and risk ratings that do not reflect the real world, you receive a document with a prioritised list vulnerabilities and details of how they were exploited, and to what end.
Risk ratings are calculated not only on how exploitation may impact the business operations but also on how likely it is for that scenario to occur. This is evaluated on:
- Ease of exploitation - the amount of technical ability required.
- Availability of tools to perform the exploit.
- Access level and position required to exploit it.
- Likelihood of detection.
A vulnerability scan may indicate that a potential vulnerability is CRITICAL, a word that makes everyone panic. But when it is tested in the real world, it may be that the attacker needs to access a specific part of the network, and create a custom exploit that is not available publicly for your specific configuration. This significantly reduces the likelihood of exploitation, and thus lowers the risk rating from critical to, say, medium.
Then the penetration tester will evaluate which machine that vulnerability is on. Is it a workstation? Is it a web server? Is it a server in the corner that runs a single function, is not connected to the domain, has a strong password, and is otherwise fully patched? If it’s the latter then that may reduce the potential impact of exploitation, further reducing the risk rating from medium to low.
Bonus: The attack walkthrough
The risk associated with individual vulnerabilities can be difficult to comprehend alone. Something that we at Volkis love to include in our reports is an attack walkthrough.
This section of the report takes the reader, step-by-step through the attack chain, demonstrating how each discovered vulnerability links together to gain further access, more often than not resulting in a full compromise of the network. The demonstration shows how remediation of individual vulnerabilities, that may on their own seem innocuous, may break the chain and render the attacker helpless.
This is not something any automated vulnerability assessment can provide, and is most commonly the most entertaining, frightening, and eye-opening part of the report.
Conclusion
A common misconception is that a penetration tester’s goal is to find every vulnerability they can, slam you with a report so big it wouldn’t fit in King Kong’s hand, then strut away from the explosion like a hero in a Michael Bay film while you and your team cry into your hands on the sand. But this isn’t helpful and it doesn’t have to work like that.
Penetration testing should not create a huge elephant of a problem that you are now left to deal with. It should not increase the amount of work you have to do, but rather help to prioritise issues and remediate them as simply as possible.
A penetration tester’s ultimate goal is to help the business they are working with to improve their security posture. They are on your side and can help to improve your security posture and drive the necessary change in your business.
About the author
Nathan is certification addict, he can’t stop and it’s becoming a problem. We can’t talk to him about it directly but consider this a call for help.
If you need help with your security,
get in touch with Volkis.
Follow us on Twitter and
LinkedIn