Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

2/9/2017
04:15 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

Hacking The Penetration Test

Penetration testers rarely get spotted, according to a Rapid7 report analyzing its real-world engagements.

It's not a good sign when an organization undergoing a penetration test can't detect the operation probing and infiltrating its systems and network.

In a new report by Rapid7 that pulls back the covers on penetration test engagements the company has executed, two thirds of these engagements weren't discovered at all by the organization being tested. That's especially concerning because pen tests tend to be short-term, rapid-fire - and sometimes loud – operations, unlike the low-and-slow attacks by seasoned cyberattackers.

Tod Beardsley, research director at Rapid7, says pen tests typically run a week to 10 days, so researchers on the case basically throw as much as they can at the target fairly quickly, so it's more likely they'd be detected by the client's security tools and team. "It's kind of like you run in and break everything you can. That's the nature of the business, you have a week or 10 days," he says. "But there's not even detection [of a pen test] a third of the time which is bad."

"If you can't detect a penetration test, it seems it would be impossible to detect a real cybercriminal or cyber espionage" attack, Beardsley says.

Part of the problem is that organizations typically can't and don't daily track their event logs closely, he says, and don't necessarily have a handle on what's normal network activity. "It's kind of a UI failure. We have security tools that are hard to use in the security industry; I don't think it's a matter of instrumentation. It's more a matter of knowing what's the norm for your network."

Rapid7 took the results of 128 penetration tests it launched in the fourth quarter of 2016 in order to "demystify" penetration testing and to gauge just how much pen testers are getting away with due to security woes in organizations.

Penetration testing is gradually evolving. The rise in bug bounty programs in some cases has overshadowed and even shaped the nature of some pen testing, but even bug bounty proponents maintain that pen testing isn't going anywhere.

Alex Rice, co-founder and CEO of bug bounty firm HackerOne, says many organizations with bug bounty programs end up shifting the focus of their pen tests. "They start doing more penetration tests, with more narrow scope," Rice said in a recent interview with Dark Reading. "They learn and apply resources to areas lit up by a bug bounty program."

He says most veteran pen testers prefer the more focused and challenging engagements, anyway. "We find most of the good ones would rather spend the entire engagement focusing on very hard security problems to solve," Rice says. "It's a $300-an-hour waste of their talent and ability if" those pen testers aren't working on specific and tougher security issues, he says.

Almost Too Easy

Surprisingly, Rapid7's pen testers in most cases didn't have to look too deeply for holes to exploit: two-thirds of the time, pen testers were able to find and exploit vulnerabilities in the client's systems. And some 67% of the clients sported network misconfiguration issues. All in all, the pen testers were able to successfully "hack" their clients 80% of the time, either via unfixed vulnerabilities or configuration mistakes. Among the bugs they found were the usual suspects: cross-site request forgery (22.7%), SMB relaying (20.3%), (cross-site scripting (18.8%), broadcast name resolution (14.8%) as well as a some SQL injection, denial-of-service, and other web-type flaws, the report says.

In one pen test of a healthcare firm, Rapid7's team was able to exploit unrelated Web application flaws together to infiltrate the client's internal, back-end systems: first a CSRF flaw in a public Web application, giving them an entrée to create an account on the server. They then found a persistent XSS flaw that they employed to steal the administrator's session token and impersonate him. That led them to find in an insufficient validation flaw in the Web app that allowed them to gain access to the Web server's operating system and ultimately get full shell access on the server and internal network.

"That they were leveraging cross-site scripting, CSRF [and another flaw] to get internal network access: that was shocking to me," Beardsley says. "I was surprised to see vulnerabilities play such a large part of pen testing."

Related Content:

 

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19317
PUBLISHED: 2019-12-05
lookupName in resolve.c in SQLite 3.30.1 omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service or possibly have unspecified other impact.
CVE-2019-19602
PUBLISHED: 2019-12-05
fpregs_state_valid in arch/x86/include/asm/fpu/internal.h in the Linux kernel before 5.4.2, when GCC 9 is used, allows context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact because of incorrect fpu_fpregs_owner_ctx caching, as demonstr...
CVE-2019-19601
PUBLISHED: 2019-12-05
OpenDetex 2.8.5 has a Buffer Overflow in TexOpen in detex.l because of an incorrect sprintf.
CVE-2019-19589
PUBLISHED: 2019-12-05
The Lever PDF Embedder plugin 4.4 for WordPress does not block the distribution of polyglot PDF documents that are valid JAR archives.
CVE-2019-19597
PUBLISHED: 2019-12-05
D-Link DAP-1860 devices before v1.04b03 Beta allow arbitrary remote code execution as root without authentication via shell metacharacters within an HNAP_AUTH HTTP header.