Article by Josh Berry, Principal Risk and Compliance Consultant.
Current security assessment approaches are broad in nature, identifying vulnerabilities across the people, processes, and technologies encountered at targeted organizations. Organizations could greatly benefit from supplementing these approaches with more frequent penetration tests to identify gaps in specific controls.
Performing regular internal and external testing for security weaknesses has become an industry-accepted best practice and is a foundational component of most organizations’ information security programs. Vulnerability and penetration tests have primarily been driven by regulations that explicitly require them, such as the Payment Card Industry Data Security Standard (PCI DSS); regulatory bodies that strongly recommend them, such as the Financial Industry Regulatory Authority (FINRA); and regulations that require risk assessments whose findings may lead to implementing controls, such as the Health Insurance Portability and Accountability Act (HIPAA).
Vulnerability Assessments and Penetration Tests
Regular vulnerability assessments provide value by identifying gaps in lifecycle, patch, and configuration management processes. They enable an organization to identify issues that might be successfully attacked by a malicious actor.
Penetration tests take the next step in security testing, attempting to exploit as many of the vulnerabilities identified in a network as possible to determine the level of risk each represents. These tests often include attempts to escalate access and compromise critical company resources to test internal defenses further and quantify the risk a vulnerability poses to the company network.
Vulnerability assessments and penetration tests cast a wide net. They help organizations identify and remediate the low-hanging fruit that a malicious threat actor could use to compromise company systems or data. These activities do not typically test an organization’s ability to detect or prevent a threat actor’s tactics, techniques, and procedures (TTPs). Detecting and preventing a malicious actor from using tools and TTPs will significantly disrupt successful attacks and increase the resilience of an organization’s defenses, as illustrated by David Bianco’s Pyramid of Pain[1]: indicators such as file hashes and IP addresses sit at the bottom because an adversary can change them trivially, while tools and TTPs sit at the top because forcing an adversary to change them costs the most.
Red teaming seeks to address this gap in vulnerability assessments and penetration testing by creating campaigns that mimic real-world tools, adversaries, and TTPs. The rules of engagement for a red team assessment are typically more open than for a penetration test, providing greater flexibility in achieving the attack’s objectives. These engagements purposely evade defenses, attempt to fly under the radar, use tools and methodologies similar to those of specific malicious groups, and attempt to achieve specific objectives, such as exfiltration of sensitive customer data.
Red teaming often includes open-source intelligence gathering to identify targets, understand the tools and technologies deployed within the target network, and set the stage for planning multiple avenues of attack. These engagements can include network- and application-layer attacks, in addition to physical, email, and phone-based social engineering efforts. Red team testing mostly benefits organizations with consistent and repeatable lifecycle, patch, and configuration management processes, operating with a reduced attack surface and strong operational security controls designed to detect and mitigate common attack vectors. These tests’ advanced nature provides the most value to organizations with mature information security policies and practices.
The Value of Security Testing
All security testing approaches can provide value to an organization’s information security program by identifying opportunities to reduce the attack surface and enhance operational security capabilities. Each approach has strengths and weaknesses and should be employed according to the organization’s maturity for effective implementation. However, there is still room for smaller, more targeted testing.
Security is often depicted as an onion, as multiple layers of defenses should be deployed to protect a company’s network.
Each layer can have multiple security technologies deployed to reduce risk, as listed in the following table.
| Security Layer | Solutions Often Included |
| --- | --- |
| Perimeter Security | Firewalls, intrusion detection and prevention solutions, email content filtering, web content filtering, and many other products |
| Internal Network | Firewalls to segment networks into zones, intrusion detection and prevention, Active Directory configuration hardening, and many other security controls |
| Host Security | Configuration hardening, antivirus (AV), endpoint detection and response (EDR), and logging and monitoring |
Attackers frequently employ commoditized tradecraft to deliver malicious payloads, establish command and control, gain situational awareness, and escalate privileges. Similar techniques are used in targeted attacks, opportunistic attacks, and even ransomware. The stages of an attack have been described by Lockheed Martin as a Cyber Kill Chain,[2] outlining the steps adversaries must complete to achieve their objectives.
All organizations, small or large with various information security maturity levels, stand to benefit from testing the weaknesses of individual security controls deployed to reduce risk at each stage of the Kill Chain. Vulnerability assessments and penetration tests are not designed to evaluate an organization’s ability to detect common attacker techniques, nor do they focus on testing a security product’s ability to prevent code execution, privilege escalation, and lateral movement. Red teaming seeks to bypass security defenses in general, with a no-holds-barred approach geared towards mimicking specific tools and threat actors.
Targeted Testing
The majority of attacks begin at the perimeter, either by probing the network layer for accessible services and vulnerabilities or via phishing. The attack then progresses to accessing specific hosts, achieving situational awareness through network reconnaissance, escalating privileges, and targeting company resources.
Targeted testing of controls at each level enables an organization to substantially refine its resilience against these attacks and reduce the risk of compromise with relatively minimal effort and cost. What does this testing look like in practice? Most engagements can be performed within a two-day window. Perimeter testing can determine the ease with which an attacker can bypass external defenses and compromise a company’s external IP address space, with a focus on:
- Scanning the network layer for accessibility of services
- Password spraying against externally exposed services that could be leveraged to access the network, testing for weak passwords and for weak or non-existent multi-factor authentication
- Testing for gaps in email and web content filtering that an attacker could leverage to smuggle in malicious payloads, establish remote command and control, and exfiltrate sensitive data, using valid and categorized domains together with commonly used payloads, such as Office macros, encrypted zip files, or documents hosted on Google Docs or in Amazon S3 buckets
This mini-assessment aims to identify quick wins for remediation that go a long way toward raising the bar on the effort required by an attacker to establish a foothold in the network.
Host-level controls are also prime targets for individual testing. Regularly testing the configuration hardening, AV, and EDR capabilities for endpoints can provide great value to an organization. Real-world scenarios can be crafted to test endpoints for their ability to prevent common code execution methods, such as Office macros and other executable formats, in addition to their ability to prevent privilege escalation and reconnaissance once obtaining access. This type of engagement would typically include the following:
- Attempts to execute various forms of common malicious payloads, identifying whether the payload executes and whether a command-and-control agent successfully establishes communication
- Attempts to escalate privileges on the host, using misconfigurations and known endpoint security bypass techniques
- Execution of common malicious code used to obtain credentials
- Standard execution of situational awareness and lateral movement techniques
This mini-assessment aims to enable the company to harden host and endpoint security configurations to increase the difficulty of obtaining and retaining host-based access using common and known techniques once perimeter defenses have been bypassed.
“Assumed breach” is a paradigm where the customer takes the approach that a compromise is inevitable and that security defenses should reduce the risk of an attack even after unauthorized access has been obtained. Targeted testing of an organization’s detective controls, designed to identify common situational awareness activities, lateral movement, and attempts to escalate privilege, can greatly benefit an organization’s security operations center (SOC), whether internal or outsourced to a third party. This approach would include components such as:
- Lightweight Directory Access Protocol (LDAP) searches in Active Directory (AD) to identify available paths to escalate access
- AD user and group access searches to identify common configuration and permission weaknesses that enable privilege escalation
- Command-and-control communication establishment over the internet
- Password spraying and password reuse attacks
- Network poisoning attacks
- Domain admin and local administrator group changes
This mini-assessment aims to identify gaps in visibility within the network and log monitoring processes for detection of situational awareness, lateral movement, privilege escalation, and persistence techniques, assuming an attacker bypasses perimeter and host-based security controls.
These various components can be combined into a larger assessment to determine an organization’s preparedness for a ransomware attack. Ransomware attacks commonly leverage weaknesses at the perimeter, either at the network layer or with social engineering, to achieve payload delivery and command-and-control access to company systems. These attacks then use known tools and techniques for reconnaissance and lateral movement throughout a network to achieve widespread malware deployment. Targeted testing of each phase can greatly improve an organization’s chance of successfully defending and remediating a ransomware attack.
Final Remarks
By definition, targeted testing is focused in nature, making it a low-cost option that is useful for supplementing the broad testing approaches described above. These techniques enable a company to refine its detective and preventative capabilities across the various stages of an attack and are not dependent upon organizational maturity. Targeted testing should be iterative, improving one security layer to an acceptable level before moving on to the next level in the Kill Chain. Implemented effectively, it provides a low-cost method for blunting the tools and TTPs commonly employed by threat actors.