informa
/
Risk
News

Tech Insight: Defenders Take the Offensive

Sexy pen-testing tools aren't just for offensive security; defenders can leverage the same tools to proactively detect vulnerabilities and shore up defenses
Talk to any penetration tester who has been at the job for a few years, and he will tell you that breaking in is easy -- it is the defense against today's burgeoning threat landscape where you'll find the real difficulty. Why? It's simple. From the attackers' perspective, they only have to be successful with one exploit, and they are in. Defenders, on the other hand, have to get it right every time, which is why layered defense and planning for failure has become necessities for keeping data secure.

It's not uncommon to hear that the offensive side of security is simply more fun. That's not necessarily true. Both sides have their distinct challenges, and, as far as tools go, both have interesting and unique tools, but offensive tools just seem a little "sexier" to many. So my question is, can defenders leverage offensive tools to make their lives easier? Absolutely. Enterprise defenders can use some of the same tools and techniques used by penetration testers in order to find flaws, identify poorly secured data, and fix the issues before a bad guy finds them.

Looking at some of the typical phases of penetration testing, the tools and techniques used within reconnaissance, mapping, vulnerability detection, and exploitation can be used with a defensive focus. The key distinction here is the proactive approach. Enterprises with a solid defensive posture often got there because they were able to shift their focus from being reactive to proactive. The use of offensive tools and techniques can help in that transition to detect the vulnerabilities prior to finding out about them because a bad guy exploited them.

During the reconnaissance phase, penetration testers and attackers are looking to find out as much information about the target organization as possible. Defenders can perform this same activity to get an idea of just how exposed they are on the Internet. Conducting regular searches using popular search engines can help uncover company information that may have been posted inadvertently to a social networking site or files shared via one of the many file hosting sites.

In addition to potential data exposure, running regular searches can also uncover compromised sites within the corporate network or external phishing sites set up to lure employees into exposing their enterprise credentials. The problem with running the searches regularly is that they can become time-consuming or easily forgotten. The best option is to automate the task as much as possible using tools like Google Alerts set up for your company name, or prepared search terms from Stach & Liu's Google Hacking Diggity project. These tools can make the process of regular reconnaissance practically "set it and forget it."

After recon, penetration testers will perform network mapping to identify the host and services of the target. One of the best-known tools for mapping a network is nmap. Nmap is capable of identifying live hosts on the network and detailed enumeration of the services on each host. Newer versions of nmap include an advanced scripting engine capable of interrogating services for more information and performing vulnerability checks.

Nmap is great for scanning internal networks looking for hosts and services that should not be there. It also works well for scanning the external network to confirm that firewall rules in place are working as expected. One of the coolest features from a defense perspective is the ndiff tool, which allows you to compare two different map scans. Nmap can be configured to run nightly, and each new scan compared to a baseline or the previous nights can using ndiff. The resulting report can identify new hosts or services that have appeared in the network, possibly indicating malicious activity.

Penetration testers and attackers have to identify a vulnerability to exploit in order to get in. Typically, a vulnerability scanner of some type is used to detect vulnerabilities that may be exploitable. It's becoming more common for security teams responsible for defense to perform regular vulnerability scans; however, the results are not always acted on quickly enough or understood completely by staff. It's important that the individuals running the scans understand the tools being used and how to interpret the results.

A common problem is that once a vulnerability scan has been run, only the high and medium vulnerabilities are focused on. As a penetration tester and former defender, I can attest to the extreme shortsightedness of this approach. Chris Gates recently wrote several blog entries specifically about this issue and how vulnerabilities rated as low can often lead to full penetration by an attacker. When done properly, vulnerability scanning can help shore up defenses once the vulnerabilities have been identified and remediated, but it requires action and follow-up to be effective.

The final area is exploitation. It's easy for this area to be overlooked as not being important to defense, but often vulnerability scanners have false-positives. Offensive tools like Metasploit, Burp Suite, and sqlmap can be used to verify some the vulnerabilities detected during vulnerability scans. By verifying whether the vulnerabilities are true- or false-positives, defenders can understand the real risk of the reported vulnerability and respond appropriately by placing mitigating controls to prevent exploitation by a real attacker.

While many of these tools and activities are the same ones that penetration testers and attacker perform, defenders can also use them in a proactive attempt to find and remediate vulnerabilities before attackers can exploit them. Taking a proactive approach using offensive tools can help enterprises get ahead of the curve and possibly prevent unnecessary data breaches.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5