Dark Reading is part of the Informa Tech Division of Informa PLC


Vulnerabilities / Threats

12/11/2020
10:00 AM
Shane Ryan
Commentary

Penetration Testing: A Road Map for Improving Outcomes

As cybersecurity incidents grow more sophisticated, assessing security postures effectively requires that testing activities replicate real-world adversaries' tools, tactics, and procedures.

Red teaming (or offensive) cybersecurity exercises take traditional penetration (pen) testing a step further by simulating real-world attacks that replicate real-world adversaries' techniques, tactics, and procedures (TTPs). For one thing, a red-team engagement takes a zero-knowledge approach: The wider organization isn't notified about the testing ahead of time and the red team isn't supplied with any prerequisite information about the organization. 

By acting as an adversary trying to bypass an organization's security controls while avoiding detection, the red team identifies ways an organization can be compromised through real-world TTPs. It also assesses how well the organization can identify, manage, and resolve attacks or incidents consistent with best practices and incident response plans and procedures. 

How to Improve Penetration Testing
Typically, a penetration test follows a predefined, approved, and time-boxed methodology. The organization defines which assets should be tested, and the resulting report highlights the security issues or vulnerabilities found on the in-scope assets.

Traditional penetration testing is a core element of many organizations' cybersecurity efforts because it provides a reliable measurement of the organization's security and defense measures. However, because a client can classify assets as out of scope, the pen test may not give an accurate read on the organization's full security posture. Because the pen-testing approach, authorization process, and testing ranges are defined in advance, these assessments may not measure an organization's true ability to identify and act on suspicious activities and traffic.

Ultimately, placing restrictions on a test's scope or duration can harm the tested organization. In the real world, neither time nor scope is of any consideration to attackers, so the results of such a test are not entirely reliable.

Objective-Oriented Penetration Testing
Incorporating objective-oriented penetration testing can improve typical pen-testing programs and, in turn, enhance an organization's security posture and incident response, as well as limit its risk of exposure.

The first step is to agree on attackers' likely objectives and a reasonable time frame. For example, consider ways attackers could access and compromise customer data or gain access to a high-security network or physical location. Focusing on adversaries' realistic objectives, rather than their means or only the in-scope assets, allows a pen-testing team to combine testing methodologies, approaches, and tools to achieve the testing objective. 

By focusing on attackers' objectives, the testing team can do the following:

  • Perform physical penetration testing to gain unauthorized access to a target building or office and perform network penetration testing there;
  • Combine mobile, web application, and network penetration testing to gain unauthorized access to the internal network or sensitive data; and
  • Launch social engineering and phishing attacks in an attempt to compromise enterprise credentials and do network and application penetration testing armed with those credentials.

Preparing for Advanced Penetration Testing
An organization's security testing requirements depend on its current security posture and maturity level. Before initiating advanced penetration testing, frameworks like the following should be put in place so that the assessments provide the greatest value and an accurate measurement of your organization's cybersecurity posture. 

1. Regular Security Assessments
For advanced penetration tests and security assessments to provide value, you need baseline pen testing and vulnerability assessments to determine whether your information security posture is resilient and mature and whether it has made progress in addressing the root causes of identified vulnerabilities.

Advanced pen tests and assessments uncover more realistic threat profiles and attack scenarios than traditional penetration testing. However, if you're not also performing regular, organizationwide assessments, you may be better off performing traditional penetration testing until you have established a resilient cybersecurity posture across your organization.

2. Security Awareness Training
Attack avenues for these assessments differ from traditional penetration tests, encompassing a wider range of targets. Depending on your objective, it may make sense to target physical security controls and organizational staff. However, without a mature security awareness program in place, it may be trivial for a red team to compromise enterprise credentials through social engineering or gain unauthorized access to mission-critical infrastructure through physical penetration testing. 

3. Mature Security Operations and Intrusion Detection
If an organization is aware that its attack-detection capabilities are immature or no controls exist, there may be limited value in performing an assessment to prove what the organization already knows. If the organization doesn't have typical intrusion-detection controls and solutions, it may be impossible to measure the effectiveness of attack detection. 

4. Vulnerability Management Framework
As these assessments' scope is not limited to particular assets or approaches, they will likely uncover a multitude of security vulnerabilities across business units, teams, security controls, and locations. These vulnerabilities may have complex root causes that may require long-term security resolutions. 

To ensure that vulnerabilities are remediated correctly in a risk-prioritized and timely fashion, a robust vulnerability management framework should be in place before starting the assessments. This will identify the parties responsible for the vulnerabilities and ensure the business maintains visibility into their successful remediation. 

Increased Action Leads to Increased Knowledge
Penetration testing is a tried-and-tested method for understanding specific assets' security posture, but not that of the full organization. Therefore, conducting periodic attack-simulation exercises, in conjunction with traditional penetration testing, has become the norm for security-mature organizations. 

By utilizing both objective-oriented penetration testing and red-teaming exercises, organizations can improve their overall security posture and be confident that they're prepared for almost any security threat they face.

Shane is an experienced and well-rounded security consultant with nine years of industry experience. Shane is a Principal Security Consultant with the remit of delivering high-quality consultancy for BSI's US-based and international clients. Working with Espion and later BSI, ...