Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

2/9/2017
04:15 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Hacking The Penetration Test

Penetration testers rarely get spotted, according to a Rapid7 report analyzing its real-world engagements.

It's not a good sign when an organization undergoing a penetration test can't detect the operation probing and infiltrating its systems and network.

In a new report by Rapid7 that pulls back the covers on penetration test engagements the company has executed, two thirds of these engagements weren't discovered at all by the organization being tested. That's especially concerning because pen tests tend to be short-term, rapid-fire - and sometimes loud – operations, unlike the low-and-slow attacks by seasoned cyberattackers.

Tod Beardsley, research director at Rapid7, says pen tests typically run a week to 10 days, so researchers on the case basically throw as much as they can at the target fairly quickly, so it's more likely they'd be detected by the client's security tools and team. "It's kind of like you run in and break everything you can. That's the nature of the business, you have a week or 10 days," he says. "But there's not even detection [of a pen test] a third of the time which is bad."

"If you can't detect a penetration test, it seems it would be impossible to detect a real cybercriminal or cyber espionage" attack, Beardsley says.

Part of the problem is that organizations typically can't and don't daily track their event logs closely, he says, and don't necessarily have a handle on what's normal network activity. "It's kind of a UI failure. We have security tools that are hard to use in the security industry; I don't think it's a matter of instrumentation. It's more a matter of knowing what's the norm for your network."

Rapid7 took the results of 128 penetration tests it launched in the fourth quarter of 2016 in order to "demystify" penetration testing and to gauge just how much pen testers are getting away with due to security woes in organizations.

Penetration testing is gradually evolving. The rise in bug bounty programs in some cases has overshadowed and even shaped the nature of some pen testing, but even bug bounty proponents maintain that pen testing isn't going anywhere.

Alex Rice, co-founder and CEO of bug bounty firm HackerOne, says many organizations with bug bounty programs end up shifting the focus of their pen tests. "They start doing more penetration tests, with more narrow scope," Rice said in a recent interview with Dark Reading. "They learn and apply resources to areas lit up by a bug bounty program."

He says most veteran pen testers prefer the more focused and challenging engagements, anyway. "We find most of the good ones would rather spend the entire engagement focusing on very hard security problems to solve," Rice says. "It's a $300-an-hour waste of their talent and ability if" those pen testers aren't working on specific and tougher security issues, he says.

Almost Too Easy

Surprisingly, Rapid7's pen testers in most cases didn't have to look too deeply for holes to exploit: two-thirds of the time, pen testers were able to find and exploit vulnerabilities in the client's systems. And some 67% of the clients sported network misconfiguration issues. All in all, the pen testers were able to successfully "hack" their clients 80% of the time, either via unfixed vulnerabilities or configuration mistakes. Among the bugs they found were the usual suspects: cross-site request forgery (22.7%), SMB relaying (20.3%), (cross-site scripting (18.8%), broadcast name resolution (14.8%) as well as a some SQL injection, denial-of-service, and other web-type flaws, the report says.

In one pen test of a healthcare firm, Rapid7's team was able to exploit unrelated Web application flaws together to infiltrate the client's internal, back-end systems: first a CSRF flaw in a public Web application, giving them an entrée to create an account on the server. They then found a persistent XSS flaw that they employed to steal the administrator's session token and impersonate him. That led them to find in an insufficient validation flaw in the Web app that allowed them to gain access to the Web server's operating system and ultimately get full shell access on the server and internal network.

"That they were leveraging cross-site scripting, CSRF [and another flaw] to get internal network access: that was shocking to me," Beardsley says. "I was surprised to see vulnerabilities play such a large part of pen testing."

Related Content:

 

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: George has not accepted that the technology age has come to an end.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-26814
PUBLISHED: 2021-03-06
Wazuh API in Wazuh from 4.0.0 to 4.0.3 allows authenticated users to execute arbitrary code with administrative privileges via /manager/files URI. An authenticated user to the service may exploit incomplete input validation on the /manager/files API to inject arbitrary code within the API service sc...
CVE-2021-27581
PUBLISHED: 2021-03-05
The Blog module in Kentico CMS 5.5 R2 build 5.5.3996 allows SQL injection via the tagname parameter.
CVE-2021-28042
PUBLISHED: 2021-03-05
Deutsche Post Mailoptimizer 4.3 before 2020-11-09 allows Directory Traversal via a crafted ZIP archive to the Upload feature or the MO Connect component. This can lead to remote code execution.
CVE-2021-28041
PUBLISHED: 2021-03-05
ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.
CVE-2021-3377
PUBLISHED: 2021-03-05
The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.