12:30 PM
Tom Parker
Tom Parker

Advanced Threats And Scenario-Based Penetration Testing

Why your pen-test efforts probably aren't preparing you for the worst

I'm a big believer in scenario-based assessment work. Back in the day when most attacks grew out of the attackers desire to learn and challenge themselves, it was acceptable to perform blanket security assessments without real purpose. In today's environment, real attacks are very much with a purpose and far more sinister than their counterparts of years gone by.

Motivated by attempts to steal, extort, and disrupt, the landscape looks very different than they did when I first started working in the business. As a result, it's vital that, in addition to traditional assessment work, organizations engage in scenario-based testing, which takes into consideration the nature of both the properties of an organization's business (such as the assets it values the most) and the threatscape at a given point in time.

At FusionX, we are frequently engaged in and regularly encouraging our clients to perform such testing -- especially when it comes to simulating sophisticated threats. When performing internal, scenario-based tests, our team is often challenged with a statement from IT staff, which typically goes something like this: "Well, you were already connected to the desktop network, which required you to get past physical security."

While this might have been a valid statement 10 years ago, or in the unlikely event that there is client-side attack surface whatsoever, this often causes me to question the institutional level of understanding for the threatscape of today. It also further reinforces the need for organizations to test and therefore demonstrate resilience against sophisticated threat actors.

All too often, security assessments commissioned by businesses consist of two lonely components -- the external network and internal penetration test. It's no secret that while some external exposure remains, successful attacks against today's IT-enabled businesses have trended away from the network perimeter to going after the client/desktop environment -- leveraging client-side vulnerabilities such as those commonly found to exist in browser plug-ins.

While conventional, external and internal assessment activities still remain valuable for validating perimeter and internal network security. They often fail to provide a realistic evaluation of how resilient your network infrastructure really might be to the common denominator of most modern compromises.

The good news is, more and more organizations are buying into the idea of running frequent, internal vulnerability scans against desktop environments. Even better news: Most commercially available vulnerability scanners now support authenticated scans that will identify delinquent patch levels of commonly attacked client-side software. Unfortunately, a large percentile of targeted malware attacks that we have seen in the past two years have leveraged flaws that were either previously unknown or for which no fix is yet available, and therefore likely effective against even the most heavily patched enterprise.

Further, automated internal VA activities against your desktop environments will inevitably fail to assess the adequacy of host-based intrusion prevention products and other factors that could make or break your ability to defend against the next targeted attack against your organization. In order to address this gap, an assessment approach is required that fully evaluates the multifaceted approach that should exist in order to fend off the increasingly sophisticated attacks of the present day.

In subsequent blog posts, I'll take a look at a few components that should be included within any scenario-based assessment whose objective is to evaluate your ability to withstand a sophisticated client-side attack.

Tom Parker is Chief Technology Officer at FusionX.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Title Partners Role in Perimeter Security
Title Partners Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
According to industry estimates, about a million new IT security jobs will be created in the next two years but there aren't enough skilled professionals to fill them. On top of that, there isn't necessarily a clear path to a career in security. Dark Reading Executive Editor Kelly Jackson Higgins hosts guests Carson Sweet, co-founder and CTO of CloudPassage, which published a shocking study of the security gap in top US undergrad computer science programs, and Rodney Petersen, head of NIST's new National Initiative for Cybersecurity Education.