Penetration Testing
Penetration Tests are authorized, legal attempts to defeat an organization's security controls and perform unauthorized activities.
These tests are time-consuming and require staff who are as skilled and determined as the real-world attackers who will attempt to compromise the organization. They're also the most effective way for an organization to gain a complete picture of its security vulnerabilities. When conducting a penetration test (or a real-world attack), the attacker needs to win only once, and one successful attempt is all it takes for your systems to be compromised in real life.
It doesn't matter if an organization's defenses block 99.99% of all attacks; that means nothing if one of the 0.01% makes it through.
Cybersecurity professionals need to win 100% of the time; hackers need to win only once.
Why conduct a penetration test?
Penetration tests provide us with visibility into an organization’s security program that simply isn’t available anywhere else.
If I were an attacker, how could I use this information to my advantage?
Benefits of a penetration test?
We learn whether an attacker with the same knowledge, skills, and information as our testers would likely be able to penetrate our defenses. If they can't gain a foothold, we can be reasonably confident that our networks are secure against attack by an equivalently talented attacker under the present circumstances.
If the attackers are successful, penetration testing provides us with an important blueprint for remediation. Cybersecurity professionals can trace the actions of the testers as they progressed through the different stages of the attack and close the series of open doors that the testers passed through.
Penetration tests can also provide essential, in-depth knowledge about a particular target, for example a new system created in our environment or newly deployed equipment.
Penetration Test Types
The real question is: how much knowledge do the pen testers have about the environment?
There are three types of pen tests:
White-box tests, also referred to as Known Environment tests, are performed with full knowledge of the underlying technology, configurations, and settings that make up the target. Testers will typically have information such as network diagrams, lists of systems and IP network ranges, and even credentials to the systems they are testing. Since testers can see everything inside an environment, these tests may not provide an accurate view of what a real external attacker would see.
Black-box tests, also referred to as Unknown Environment tests, are intended to replicate what an attacker would encounter. Testers are not provided with access to or information about the environment; instead, they must gather information, discover vulnerabilities, and make their way through the infrastructure or systems as an attacker would. This helps provide a reasonably accurate assessment of how secure the target is against an attacker of similar or lesser skill. The skill level of your black-box tester is therefore very important; it should be close to or higher than that of the attackers suspected of targeting your environment.
Gray-box tests, also referred to as Partially Known Environment tests, are a blend of black-box and white-box testing. A gray-box test may provide some information about the environment to the penetration testers without giving full access, credentials, or configuration details. A gray-box test can help focus the penetration testers' time and effort while also providing a more accurate view of what an attacker would actually encounter.
What is a Bug Bounty Program?
Bug bounty programs provide organizations with an opportunity to benefit from the wisdom and talent of cybersecurity professionals outside their own teams. These programs allow outsiders to conduct security testing of an organization's public services and normally incentivize that research by offering financial rewards (or "bounties") to testers who successfully discover vulnerabilities. Running a formal bug bounty program gives these researchers an incentive to let you know when they discover security issues. Adversaries are going to scout your systems either way, so you might as well pay someone to find the loopholes for you!
Rules Of Engagement
The RoE, or Rules of Engagement, list out the specifics of your penetration testing project to ensure that both the client and the engineers working on the project know exactly what is being tested, when it is being tested, and how it is being tested.
Key RoE elements include the following:
The timeline for the engagement and when testing can be conducted. Some assessments will intentionally be scheduled for noncritical timeframes to minimize the impact of potential service outages. Others may be scheduled during normal business hours to help test the organization's reaction to attacks.
What locations, systems, applications, or other potential targets are included or excluded. This often includes discussions about third-party service providers that may be impacted by the test, such as Internet service providers, software-as-a-service or other cloud service providers, or outsourced security monitoring services.
Data handling requirements for information gathered during the penetration test. How should the pen testers handle the data found during the test, and how should they handle it before and after the test is over? This is particularly important when engagements cover sensitive organizational data or systems. Handling requirements often include confidentiality requirements for the findings, such as encrypting data during and after the test, and contractual requirements for disposing of the penetration test data and results after the engagement is over.
What behaviors to expect from the target. How is the target going to react once the pen testers enter the picture? Defensive behaviors like shunning, blacklisting, or other active defenses may limit the value of a penetration test. If the test is meant to evaluate defenses, this may be useful. If the test is meant to test a complete infrastructure, shunning or blocking the penetration testing team's efforts can waste time and resources.
What resources are committed to the test.
Legal concerns should also be addressed, including a review of the laws that cover the target organization, any remote locations, and any service providers who will be in scope.
When and how communications will occur. Should the engagement include daily or weekly updates regardless of progress, or will the penetration testers simply report when they are done with their work? How should the testers respond if they discover evidence of a current compromise?
You need Permission.
Before you plan (and especially before you execute) a penetration test, you should have appropriate permission.
In most cases, you should be sure to have appropriate documentation for that permission in the form of a signed agreement, a memo from senior management, or a similar “get out of jail free” card from a person or people in the target organization with the rights to give you permission.
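The scope, exclusions and testing window agreed in the RoE are only useful if they are actually enforced before each action. The following Python check is an added example (not part of these notes or any real tool): the rules of engagement it encodes are a constructed, hypothetical engagement using RFC 5737 documentation address ranges and an invented overnight window, and the RulesOfEngagement class and its methods are assumptions for illustration. It shows two points that bite in practice: an exclusion inside an in-scope block must win, and a window that wraps past midnight needs its own comparison.

```python
"""Rules-of-engagement scope check (added example, hypothetical RoE)."""
from dataclasses import dataclass, field
from datetime import datetime, time
import ipaddress


@dataclass
class RulesOfEngagement:
    in_scope: list                                   # CIDR blocks the client authorized
    excluded: list = field(default_factory=list)     # hosts carved out, e.g. third-party managed
    window_start: time = time(0, 0)                  # testing window; may wrap past midnight
    window_end: time = time(23, 59, 59)

    def _networks(self, cidrs):
        return [ipaddress.ip_network(c, strict=False) for c in cidrs]

    def is_excluded(self, target: str) -> bool:
        addr = ipaddress.ip_address(target)
        return any(addr in net for net in self._networks(self.excluded))

    def target_in_scope(self, target: str) -> bool:
        """Exclusions win: an excluded host inside an in-scope block stays off limits."""
        if self.is_excluded(target):
            return False
        addr = ipaddress.ip_address(target)
        return any(addr in net for net in self._networks(self.in_scope))

    def time_in_window(self, when: datetime) -> bool:
        t = when.time()
        if self.window_start <= self.window_end:
            return self.window_start <= t <= self.window_end
        # Overnight window such as 22:00-04:00: valid after start OR before end.
        return t >= self.window_start or t <= self.window_end

    def check(self, target: str, when) -> tuple:
        """Return (allowed, reason) for one candidate action; `when` may be an ISO string."""
        if isinstance(when, str):
            when = datetime.fromisoformat(when)
        if self.is_excluded(target):
            return (False, "target explicitly excluded")
        if not self.target_in_scope(target):
            return (False, "target not in scope")
        if not self.time_in_window(when):
            return (False, "outside testing window")
        return (True, "in scope")


# Constructed RoE for a hypothetical engagement (RFC 5737 documentation ranges).
ROE = RulesOfEngagement(
    in_scope=["203.0.113.0/24", "198.51.100.0/25"],
    excluded=["203.0.113.10/32"],      # e.g. a host operated by a third-party provider
    window_start=time(22, 0),          # overnight window to limit outage impact
    window_end=time(4, 0),
)

if __name__ == "__main__":
    for target, when in [("203.0.113.25", "2024-03-05T23:30:00"),
                         ("203.0.113.10", "2024-03-05T23:30:00"),
                         ("192.0.2.7", "2024-03-05T23:30:00"),
                         ("203.0.113.25", "2024-03-05T12:00:00")]:
        print(target, when, ROE.check(target, when))
```

In a real engagement the same check belongs in whatever wrapper launches the testing tools, so that a typo in a target address is refused rather than discovered in the client's logs.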
Reconnaissance
Penetration testing always begins with a Reconnaissance Phase, where the testers seek to gather as much information as possible about the target organization.
Passive reconnaissance techniques seek to gather information without directly engaging with the target. OSINT (Open Source Intelligence) is the practice of collecting and analyzing publicly available information to generate actionable intelligence. It is considered passive because you're not going directly to the target's systems to poach information; you're using publicly available information to make real plans.
Active reconnaissance techniques directly engage the target in intelligence gathering. These techniques include the use of port scanning to identify open ports on systems, footprinting to identify the operating systems and applications in use, and vulnerability scanning to identify exploitable vulnerabilities. Footprinting is the first step, during which the hacker gathers as much information as possible to find ways to enter a target system. It's used to gather as much data as possible about a specific targeted computer system, infrastructure, and network to identify opportunities to penetrate them.
Wireless networks are always a treat for pen testers. Gaining access to an internal network belonging to the target without physically accessing the facility is an attacker's dream. War driving is the act of driving by the target's building with high-end antennas and attempting to eavesdrop on or connect to wireless networks. This has evolved to using drones and UAVs: warflying.
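Active reconnaissance is the one phase where the blue team has a real chance to see the engagement coming, because port scanning leaves a distinctive trail in perimeter logs. The script below is an added example written for these notes, not code from the notes' source: it runs a simple scan detector over a constructed firewall log (the line format, addresses and thresholds are all assumptions). It flags a vertical scan (one source touching many ports on one host) and a horizontal scan (one source touching one port across many hosts) inside a sliding time window, and leaves ordinary repeated connections alone.

```python
"""Port-scan detection over firewall log lines (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format, e.g. "2024-03-05T02:14:01Z DENY src=a.b.c.d dst=w.x.y.z dport=22 proto=tcp"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    e["dport"] = int(e["dport"])
    return e


def detect_scans(lines, window_seconds=60, port_threshold=8, host_threshold=8):
    """Return sorted (kind, source, target) findings.

    kind is "vertical" (target = scanned host) or "horizontal" (target = scanned port).
    """
    window = timedelta(seconds=window_seconds)
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = set()
    for src, evs in by_src.items():
        start = 0
        for end, newest in enumerate(evs):
            # Slide the window forward so it covers at most window_seconds.
            while newest["ts"] - evs[start]["ts"] > window:
                start += 1
            ports_per_host = defaultdict(set)
            hosts_per_port = defaultdict(set)
            for e in evs[start:end + 1]:
                ports_per_host[e["dst"]].add(e["dport"])
                hosts_per_port[e["dport"]].add(e["dst"])
            for dst, ports in ports_per_host.items():
                if len(ports) >= port_threshold:
                    findings.add(("vertical", src, dst))
            for port, hosts in hosts_per_port.items():
                if len(hosts) >= host_threshold:
                    findings.add(("horizontal", src, str(port)))
    return sorted(findings)


# Constructed sample log: a vertical scan, a horizontal scan, and benign traffic.
SAMPLE_LOG = [
    f"2024-03-05T02:14:{i:02d}Z DENY src=198.51.100.7 dst=203.0.113.20 dport={p} proto=tcp"
    for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389])
] + [
    f"2024-03-05T02:20:{i:02d}Z DENY src=198.51.100.9 dst=203.0.113.{h} dport=445 proto=tcp"
    for i, h in enumerate(range(1, 13))
] + [
    "2024-03-05T02:30:00Z ALLOW src=192.0.2.50 dst=203.0.113.20 dport=443 proto=tcp",
    "2024-03-05T02:30:05Z ALLOW src=192.0.2.50 dst=203.0.113.20 dport=443 proto=tcp",
    "2024-03-05T02:30:09Z ALLOW src=192.0.2.50 dst=203.0.113.20 dport=443 proto=tcp",
]

if __name__ == "__main__":
    for finding in detect_scans(SAMPLE_LOG):
        print(finding)
```

The thresholds and window are deliberately coarse; a slow scan spread over hours would slip under them, which is exactly the trade-off a RoE discussion about "what behaviors to expect from the target" should settle in advance.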
Lateral Movement
Lateral movement or Pivoting refers to the techniques that cyber attackers use to move deeper into a network in search of sensitive data and high value assets.
Lateral movement allows an attacker to avoid detection and retain access, even if discovered on the machine that was first infected. It occurs as the attacker uses the initial system compromise to gain access to other systems on the target network. There are three main stages of lateral movement: credential/privilege gathering, and gaining access to other computers in the network.
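Because pivoting means logging on to the next machine from the one just compromised, it shows up in authentication logs as a chain of hops where each logon's source is the previous logon's destination. The script below is an added example written for these notes (not from the notes' source): it reconstructs such pivot chains per account from a constructed logon log, whose format, host names and account names are assumptions. It also shows the failure mode that a naive version gets wrong: a later logon from the last host in the chain, long after the chain ended, is not stitched on.

```python
"""Pivot-chain detection over logon records (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "2024-03-05T03:01:10Z LOGON user=<acct> src=<host> dst=<host>"
LOGON_RE = re.compile(r"^(?P<ts>\S+) LOGON user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)")


def parse_logon(line):
    m = LOGON_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return e


def find_pivot_chains(lines, window_seconds=900, min_hops=2):
    """Return chains of >= min_hops logons per account where each hop starts where
    the previous one landed and follows it within window_seconds."""
    window = timedelta(seconds=window_seconds)
    events = [e for e in map(parse_logon, lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    chains = []
    for user, evs in by_user.items():
        consumed = set()          # indices already reported, so suffixes are not reported twice
        for i in range(len(evs)):
            if i in consumed:
                continue
            chain = [i]
            for j in range(i + 1, len(evs)):
                last, nxt = evs[chain[-1]], evs[j]
                if (j not in consumed and nxt["src"] == last["dst"]
                        and nxt["ts"] - last["ts"] <= window):
                    chain.append(j)
            consumed.update(chain)
            if len(chain) >= min_hops:
                path = [evs[chain[0]]["src"]] + [evs[k]["dst"] for k in chain]
                chains.append({"user": user, "hops": len(chain), "path": path,
                               "start": evs[chain[0]]["ts"], "end": evs[chain[-1]]["ts"]})
    return chains


# Constructed sample: svc_backup pivots ws-17 -> fs-01 -> db-02 -> dc-01 within minutes;
# its much later hop from dc-01 is outside the window; alice's logons fan out from her
# workstation and are not a chain.
SAMPLE_AUTH_LOG = [
    "2024-03-05T03:01:10Z LOGON user=svc_backup src=ws-17 dst=fs-01",
    "2024-03-05T03:02:00Z LOGON user=alice src=ws-03 dst=fs-01",
    "2024-03-05T03:04:30Z LOGON user=alice src=ws-03 dst=mail-01",
    "2024-03-05T03:06:40Z LOGON user=svc_backup src=fs-01 dst=db-02",
    "2024-03-05T03:12:05Z LOGON user=svc_backup src=db-02 dst=dc-01",
    "2024-03-05T05:00:00Z LOGON user=svc_backup src=dc-01 dst=backup-01",
]

if __name__ == "__main__":
    for chain in find_pivot_chains(SAMPLE_AUTH_LOG):
        print(chain["user"], " -> ".join(chain["path"]), chain["hops"], "hops")
```

A service account hopping from a workstation through a file server to a domain controller is the kind of path the close-out report should reconstruct step by step, so that each door on it can be closed.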
Running through the Pen Test
Privilege Escalation uses hacking techniques to shift from the initial access gained by the attacker to more advanced privileges, such as root access on the same system. Attackers establish Persistence on compromised networks by installing backdoors and using other mechanisms that will allow them to regain access to the network, even if the initial vulnerability is patched.
Cleaning Up
At the conclusion of a penetration test, the testers conduct close-out activities that include presenting their results to management and cleaning up the traces of their work.
Testers should remove any tools that they installed on systems as well as any persistence mechanisms that they put in place. The close-out report should provide the target with details on the vulnerabilities discovered during the test and advice on improving the organization's cybersecurity posture.
3 Teams During Penetration Testing
Red Team
Red team members are the attackers who attempt to gain access to systems.
Blue Team
Blue team members are the defenders who must secure systems and networks from attack. The blue team also monitors the environment during the exercise, conducting active defense techniques. The blue team commonly gets a head start with some time to secure systems before the attack phase of the exercise begins.
White Team
White team members are the observers and judges. They serve as referees to settle disputes over the rules and watch the exercise to document lessons learned from the test. The white team is able to observe the activities of both the red and blue teams and is also responsible for ensuring that the exercise does not cause production issues.