Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

2/9/2017
04:15 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

Hacking The Penetration Test

Penetration testers rarely get spotted, according to a Rapid7 report analyzing its real-world engagements.

It's not a good sign when an organization undergoing a penetration test can't detect the operation probing and infiltrating its systems and network.

In a new report by Rapid7 that pulls back the covers on penetration test engagements the company has executed, two thirds of these engagements weren't discovered at all by the organization being tested. That's especially concerning because pen tests tend to be short-term, rapid-fire - and sometimes loud – operations, unlike the low-and-slow attacks by seasoned cyberattackers.

Tod Beardsley, research director at Rapid7, says pen tests typically run a week to 10 days, so researchers on the case basically throw as much as they can at the target fairly quickly, so it's more likely they'd be detected by the client's security tools and team. "It's kind of like you run in and break everything you can. That's the nature of the business, you have a week or 10 days," he says. "But there's not even detection [of a pen test] a third of the time which is bad."

"If you can't detect a penetration test, it seems it would be impossible to detect a real cybercriminal or cyber espionage" attack, Beardsley says.

Part of the problem is that organizations typically can't and don't daily track their event logs closely, he says, and don't necessarily have a handle on what's normal network activity. "It's kind of a UI failure. We have security tools that are hard to use in the security industry; I don't think it's a matter of instrumentation. It's more a matter of knowing what's the norm for your network."

Rapid7 took the results of 128 penetration tests it launched in the fourth quarter of 2016 in order to "demystify" penetration testing and to gauge just how much pen testers are getting away with due to security woes in organizations.

Penetration testing is gradually evolving. The rise in bug bounty programs in some cases has overshadowed and even shaped the nature of some pen testing, but even bug bounty proponents maintain that pen testing isn't going anywhere.

Alex Rice, co-founder and CEO of bug bounty firm HackerOne, says many organizations with bug bounty programs end up shifting the focus of their pen tests. "They start doing more penetration tests, with more narrow scope," Rice said in a recent interview with Dark Reading. "They learn and apply resources to areas lit up by a bug bounty program."

He says most veteran pen testers prefer the more focused and challenging engagements, anyway. "We find most of the good ones would rather spend the entire engagement focusing on very hard security problems to solve," Rice says. "It's a $300-an-hour waste of their talent and ability if" those pen testers aren't working on specific and tougher security issues, he says.

Almost Too Easy

Surprisingly, Rapid7's pen testers in most cases didn't have to look too deeply for holes to exploit: two-thirds of the time, pen testers were able to find and exploit vulnerabilities in the client's systems. And some 67% of the clients sported network misconfiguration issues. All in all, the pen testers were able to successfully "hack" their clients 80% of the time, either via unfixed vulnerabilities or configuration mistakes. Among the bugs they found were the usual suspects: cross-site request forgery (22.7%), SMB relaying (20.3%), (cross-site scripting (18.8%), broadcast name resolution (14.8%) as well as a some SQL injection, denial-of-service, and other web-type flaws, the report says.

In one pen test of a healthcare firm, Rapid7's team was able to exploit unrelated Web application flaws together to infiltrate the client's internal, back-end systems: first a CSRF flaw in a public Web application, giving them an entrée to create an account on the server. They then found a persistent XSS flaw that they employed to steal the administrator's session token and impersonate him. That led them to find in an insufficient validation flaw in the Web app that allowed them to gain access to the Web server's operating system and ultimately get full shell access on the server and internal network.

"That they were leveraging cross-site scripting, CSRF [and another flaw] to get internal network access: that was shocking to me," Beardsley says. "I was surprised to see vulnerabilities play such a large part of pen testing."

Related Content:

 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-14230
PUBLISHED: 2019-07-21
An issue was discovered in the Viral Quiz Maker - OnionBuzz plugin before 1.2.7 for WordPress. One could exploit the id parameter in the set_count ajax nopriv handler due to there being no sanitization prior to use in a SQL query in saveQuestionVote. This allows an unauthenticated/unprivileged user ...
CVE-2019-14231
PUBLISHED: 2019-07-21
An issue was discovered in the Viral Quiz Maker - OnionBuzz plugin before 1.2.2 for WordPress. One could exploit the points parameter in the ob_get_results ajax nopriv handler due to there being no sanitization prior to use in a SQL query in getResultByPointsTrivia. This allows an unauthenticated/un...
CVE-2019-14207
PUBLISHED: 2019-07-21
An issue was discovered in Foxit PhantomPDF before 8.3.11. The application could crash when calling the clone function due to an endless loop resulting from confusing relationships between a child and parent object (caused by an append error).
CVE-2019-14208
PUBLISHED: 2019-07-21
An issue was discovered in Foxit PhantomPDF before 8.3.10. The application could be exposed to a NULL pointer dereference and crash when getting a PDF object from a document, or parsing a certain portfolio that contains a null dictionary.
CVE-2019-14209
PUBLISHED: 2019-07-21
An issue was discovered in Foxit PhantomPDF before 8.3.10. The application could be exposed to Heap Corruption due to data desynchrony when adding AcroForm.