Advanced Threats And Scenario-Based Penetration TestingWhy your pen-test efforts probably aren't preparing you for the worst
I'm a big believer in scenario-based assessment work. Back in the day when most attacks grew out of the attackers desire to learn and challenge themselves, it was acceptable to perform blanket security assessments without real purpose. In today's environment, real attacks are very much with a purpose and far more sinister than their counterparts of years gone by.
Motivated by attempts to steal, extort, and disrupt, the landscape looks very different than they did when I first started working in the business. As a result, it's vital that, in addition to traditional assessment work, organizations engage in scenario-based testing, which takes into consideration the nature of both the properties of an organization's business (such as the assets it values the most) and the threatscape at a given point in time.
At FusionX, we are frequently engaged in and regularly encouraging our clients to perform such testing -- especially when it comes to simulating sophisticated threats. When performing internal, scenario-based tests, our team is often challenged with a statement from IT staff, which typically goes something like this: "Well, you were already connected to the desktop network, which required you to get past physical security."
While this might have been a valid statement 10 years ago, or in the unlikely event that there is client-side attack surface whatsoever, this often causes me to question the institutional level of understanding for the threatscape of today. It also further reinforces the need for organizations to test and therefore demonstrate resilience against sophisticated threat actors.
All too often, security assessments commissioned by businesses consist of two lonely components -- the external network and internal penetration test. It's no secret that while some external exposure remains, successful attacks against today's IT-enabled businesses have trended away from the network perimeter to going after the client/desktop environment -- leveraging client-side vulnerabilities such as those commonly found to exist in browser plug-ins.
While conventional, external and internal assessment activities still remain valuable for validating perimeter and internal network security. They often fail to provide a realistic evaluation of how resilient your network infrastructure really might be to the common denominator of most modern compromises.
The good news is, more and more organizations are buying into the idea of running frequent, internal vulnerability scans against desktop environments. Even better news: Most commercially available vulnerability scanners now support authenticated scans that will identify delinquent patch levels of commonly attacked client-side software. Unfortunately, a large percentile of targeted malware attacks that we have seen in the past two years have leveraged flaws that were either previously unknown or for which no fix is yet available, and therefore likely effective against even the most heavily patched enterprise.
Further, automated internal VA activities against your desktop environments will inevitably fail to assess the adequacy of host-based intrusion prevention products and other factors that could make or break your ability to defend against the next targeted attack against your organization. In order to address this gap, an assessment approach is required that fully evaluates the multifaceted approach that should exist in order to fend off the increasingly sophisticated attacks of the present day.
In subsequent blog posts, I'll take a look at a few components that should be included within any scenario-based assessment whose objective is to evaluate your ability to withstand a sophisticated client-side attack.
Tom Parker is Chief Technology Officer at FusionX.