Vulnerabilities / Threats

2/9/2017
04:15 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

Hacking The Penetration Test

Penetration testers rarely get spotted, according to a Rapid7 report analyzing its real-world engagements.

It's not a good sign when an organization undergoing a penetration test can't detect the operation probing and infiltrating its systems and network.

In a new report by Rapid7 that pulls back the covers on penetration test engagements the company has executed, two thirds of these engagements weren't discovered at all by the organization being tested. That's especially concerning because pen tests tend to be short-term, rapid-fire - and sometimes loud – operations, unlike the low-and-slow attacks by seasoned cyberattackers.

Tod Beardsley, research director at Rapid7, says pen tests typically run a week to 10 days, so researchers on the case basically throw as much as they can at the target fairly quickly, so it's more likely they'd be detected by the client's security tools and team. "It's kind of like you run in and break everything you can. That's the nature of the business, you have a week or 10 days," he says. "But there's not even detection [of a pen test] a third of the time which is bad."

"If you can't detect a penetration test, it seems it would be impossible to detect a real cybercriminal or cyber espionage" attack, Beardsley says.

Part of the problem is that organizations typically can't and don't daily track their event logs closely, he says, and don't necessarily have a handle on what's normal network activity. "It's kind of a UI failure. We have security tools that are hard to use in the security industry; I don't think it's a matter of instrumentation. It's more a matter of knowing what's the norm for your network."

Rapid7 took the results of 128 penetration tests it launched in the fourth quarter of 2016 in order to "demystify" penetration testing and to gauge just how much pen testers are getting away with due to security woes in organizations.

Penetration testing is gradually evolving. The rise in bug bounty programs in some cases has overshadowed and even shaped the nature of some pen testing, but even bug bounty proponents maintain that pen testing isn't going anywhere.

Alex Rice, co-founder and CEO of bug bounty firm HackerOne, says many organizations with bug bounty programs end up shifting the focus of their pen tests. "They start doing more penetration tests, with more narrow scope," Rice said in a recent interview with Dark Reading. "They learn and apply resources to areas lit up by a bug bounty program."

He says most veteran pen testers prefer the more focused and challenging engagements, anyway. "We find most of the good ones would rather spend the entire engagement focusing on very hard security problems to solve," Rice says. "It's a $300-an-hour waste of their talent and ability if" those pen testers aren't working on specific and tougher security issues, he says.

Almost Too Easy

Surprisingly, Rapid7's pen testers in most cases didn't have to look too deeply for holes to exploit: two-thirds of the time, pen testers were able to find and exploit vulnerabilities in the client's systems. And some 67% of the clients sported network misconfiguration issues. All in all, the pen testers were able to successfully "hack" their clients 80% of the time, either via unfixed vulnerabilities or configuration mistakes. Among the bugs they found were the usual suspects: cross-site request forgery (22.7%), SMB relaying (20.3%), (cross-site scripting (18.8%), broadcast name resolution (14.8%) as well as a some SQL injection, denial-of-service, and other web-type flaws, the report says.

In one pen test of a healthcare firm, Rapid7's team was able to exploit unrelated Web application flaws together to infiltrate the client's internal, back-end systems: first a CSRF flaw in a public Web application, giving them an entrée to create an account on the server. They then found a persistent XSS flaw that they employed to steal the administrator's session token and impersonate him. That led them to find in an insufficient validation flaw in the Web app that allowed them to gain access to the Web server's operating system and ultimately get full shell access on the server and internal network.

"That they were leveraging cross-site scripting, CSRF [and another flaw] to get internal network access: that was shocking to me," Beardsley says. "I was surprised to see vulnerabilities play such a large part of pen testing."

Related Content:

 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
The Fundamental Flaw in Security Awareness Programs
Ira Winkler, CISSP, President, Secure Mentem,  7/19/2018
Number of Retailers Impacted by Breaches Doubles
Ericka Chickowski, Contributing Writer, Dark Reading,  7/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-1503
PUBLISHED: 2018-07-23
IBM WebSphere MQ 7.5, 8.0, and 9.0 could allow a remotely authenticated attacker to to send invalid or malformed headers that could cause messages to no longer be transmitted via the affected channel. IBM X-Force ID: 141339.
CVE-2018-1513
PUBLISHED: 2018-07-23
IBM Sterling B2B Integrator Standard Edition 5.2.0 through 5.2.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IB...
CVE-2018-6677
PUBLISHED: 2018-07-23
Directory Traversal vulnerability in the administrative user interface in McAfee Web Gateway (MWG) MWG 7.8.1.x allows authenticated administrator users to gain elevated privileges via unspecified vectors.
CVE-2018-6678
PUBLISHED: 2018-07-23
Configuration/Environment manipulation vulnerability in the administrative interface in McAfee Web Gateway (MWG) MWG 7.8.1.x allows authenticated administrator users to execute arbitrary commands via unspecified vectors.
CVE-2018-14512
PUBLISHED: 2018-07-23
An XSS vulnerability was discovered in WUZHI CMS 4.1.0. There is persistent XSS that allows remote attackers to inject arbitrary web script or HTML via the form[nickname] parameter to the index.php?m=core&f=set&v=sendmail URI. When the administrator accesses the "system settings - mail ...