Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

2/9/2017
04:15 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Hacking The Penetration Test

Penetration testers rarely get spotted, according to a Rapid7 report analyzing its real-world engagements.

It's not a good sign when an organization undergoing a penetration test can't detect the operation probing and infiltrating its systems and network.

In a new report by Rapid7 that pulls back the covers on penetration test engagements the company has executed, two thirds of these engagements weren't discovered at all by the organization being tested. That's especially concerning because pen tests tend to be short-term, rapid-fire - and sometimes loud – operations, unlike the low-and-slow attacks by seasoned cyberattackers.

Tod Beardsley, research director at Rapid7, says pen tests typically run a week to 10 days, so researchers on the case basically throw as much as they can at the target fairly quickly, so it's more likely they'd be detected by the client's security tools and team. "It's kind of like you run in and break everything you can. That's the nature of the business, you have a week or 10 days," he says. "But there's not even detection [of a pen test] a third of the time which is bad."

"If you can't detect a penetration test, it seems it would be impossible to detect a real cybercriminal or cyber espionage" attack, Beardsley says.

Part of the problem is that organizations typically can't and don't daily track their event logs closely, he says, and don't necessarily have a handle on what's normal network activity. "It's kind of a UI failure. We have security tools that are hard to use in the security industry; I don't think it's a matter of instrumentation. It's more a matter of knowing what's the norm for your network."

Rapid7 took the results of 128 penetration tests it launched in the fourth quarter of 2016 in order to "demystify" penetration testing and to gauge just how much pen testers are getting away with due to security woes in organizations.

Penetration testing is gradually evolving. The rise in bug bounty programs in some cases has overshadowed and even shaped the nature of some pen testing, but even bug bounty proponents maintain that pen testing isn't going anywhere.

Alex Rice, co-founder and CEO of bug bounty firm HackerOne, says many organizations with bug bounty programs end up shifting the focus of their pen tests. "They start doing more penetration tests, with more narrow scope," Rice said in a recent interview with Dark Reading. "They learn and apply resources to areas lit up by a bug bounty program."

He says most veteran pen testers prefer the more focused and challenging engagements, anyway. "We find most of the good ones would rather spend the entire engagement focusing on very hard security problems to solve," Rice says. "It's a $300-an-hour waste of their talent and ability if" those pen testers aren't working on specific and tougher security issues, he says.

Almost Too Easy

Surprisingly, Rapid7's pen testers in most cases didn't have to look too deeply for holes to exploit: two-thirds of the time, pen testers were able to find and exploit vulnerabilities in the client's systems. And some 67% of the clients sported network misconfiguration issues. All in all, the pen testers were able to successfully "hack" their clients 80% of the time, either via unfixed vulnerabilities or configuration mistakes. Among the bugs they found were the usual suspects: cross-site request forgery (22.7%), SMB relaying (20.3%), (cross-site scripting (18.8%), broadcast name resolution (14.8%) as well as a some SQL injection, denial-of-service, and other web-type flaws, the report says.

In one pen test of a healthcare firm, Rapid7's team was able to exploit unrelated Web application flaws together to infiltrate the client's internal, back-end systems: first a CSRF flaw in a public Web application, giving them an entrée to create an account on the server. They then found a persistent XSS flaw that they employed to steal the administrator's session token and impersonate him. That led them to find in an insufficient validation flaw in the Web app that allowed them to gain access to the Web server's operating system and ultimately get full shell access on the server and internal network.

"That they were leveraging cross-site scripting, CSRF [and another flaw] to get internal network access: that was shocking to me," Beardsley says. "I was surprised to see vulnerabilities play such a large part of pen testing."

Related Content:

 

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3113
PUBLISHED: 2021-01-17
Netsia SEBA+ through 0.16.1 build 70-e669dcd7 allows remote attackers to discover session cookies via a direct /session/list/allActiveSession request. For example, the attacker can discover the admin's cookie if the admin account happens to be logged in when the allActiveSession request occurs, and ...
CVE-2020-25533
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...
CVE-2021-3162
PUBLISHED: 2021-01-15
Docker Desktop Community before 2.5.0.0 on macOS mishandles certificate checking, leading to local privilege escalation.
CVE-2021-21242
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or a...
CVE-2021-21245
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader("File-Name")`). This issue may lead to arbitrary file upload which can be used to u...