SRM is at the PCI London event in London on 25th January, presenting on The Synergy Between Automated and Manual Penetration Testing.
How a responsive Test and Exercise strategy requires the synergy of both automated and manual testing to keep pace with a constantly evolving threat environment
Prevention is undoubtedly better than cure, particularly in the context of a potentially damaging data breach. In a world where the threat landscape is constantly changing, however, if prevention is to be an achievable goal, we cannot simply rely on static defences. Our defences need to evolve in line with the ever-changing threats and vulnerabilities we face and the only way to identify these is to act counter-intuitively. We need to challenge our own procedures and attack our own defences. If we do not, someone else surely will.
Using these offensive techniques enables us to validate the capability of our existing responses and, even more importantly, identify areas for improvement. A responsive strategic approach to data security requires constantly updated intelligence which can only be provided by a combination of both automated and manual test and exercise tools. Neither is fully effective without the other. The key is the synergy of the two: we cannot mount an effective defence without employing both the speed and rigour of the automated tool and the agility and ingenuity of the human mind. After all, hackers use both so we must too.
The first essential tool in the attack arsenal is the automated vulnerability test. Imagine yourself in a virtual world. You are in a vast chamber with hundreds of thousands of doors. Malicious hackers can get into your system through a just a handful of these doors but which ones? To identify where the vulnerability lies you must test each and every door; a task which if done manually would be time-consuming and complex. This task can, however, be completed accurately and swiftly through an automated vulnerability scan. Developed by experienced penetration testers, this identifies where the potential vulnerabilities are, putting you are in a position to accurately deploy the next level of attack tool: penetration testing.
A penetration test effectively opens the doors which have been identified in the vulnerability scan and explores deep into the underlying infrastructure to examine what is lurking behind them. Designed to answer the question: ‘What is the real-world effectiveness of my existing security controls against an active, human, skilled attacker?’, it goes to the next level by actively exploiting those vulnerabilities in order to prove (or disprove) real-world attack vectors against an organisation’s IT assets, data, humans, and/or physical security.
More broadly, a full penetration test of an organisations infrastructure utilises the value of automated tests to lay the groundwork at the start of the process. Expert penetration testers will then put themselves into the mind of potential attackers, exploring and exploiting all opportunities. An individual or team of testers are able to think laterally; they can both analyse and synthesise. As systems become more complex, the ‘attack surface’ continues to grow and the potential number of ways a hacker gains access is ever expanding, making this technique increasingly valuable.
A properly executed penetration test will determine the feasibility of a particular set of attack vectors. It will identify the higher-risk vulnerabilities that result from a combination of lower-risk vulnerabilities exploited in a particular sequence. It will identify vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability scanning software and will assess the magnitude of potential business and operational impacts of any successful attack.
The scope will be dependent on what the drivers are for the organisation and these will determine the stated goals. These drivers may also influence other aspects of the engagement such as target selection scope, assumptions, and even funding ceilings that limit the amount of time a test team has to explore. Even highly automated, well-resourced, and advanced networks employing sophisticated counter-measure technologies, while useful as part of the testing process, are no match for human intelligence.
Red Team engagement
To continue the analogy of the doors: if pen testing opens the doors to see what is behind them, Red Team engagement goes through the doors and explores the room, the house and the street beyond, getting completely into the mind-set of the potential hacker.
The key difference between a penetration test and Red Team engagement is therefore the extent of the scope. So, while a penetration test is often focused upon a key application or system and is scoped following threat modelling, Red Team engagement is fully bespoke and often ‘goal orientated’. This goal will often be: ‘we have this highly sensitive network/piece of data – can you get access to it?’
The Red Team focuses on the objective of the engagement and examines it from many different angles pulling together a plan of attack using a range of different techniques and abilities. It tests procedural, social and physical components of security in addition to technical controls. Replicating the wider view an actual attack would have, the Red Team uses an adversarial mind set to determine strategy and policy making.
In practice, Red Team engagement involves working with ethical, skilled and experienced professionals who act like true hackers, simulating internal and external hacking attempts to test the response on a client’s system. With client permission, the Red Team seeks to break through the hardened perimeter, using the weakest identifiable point, to gain access to the organisation’s system. Using common hacking techniques, they seek to gain a foothold; tunnelling traffic back through ports that are commonly open within a business, usually via the web, so they can communicate with their own servers on the outside without being detected. These benign servers are then used to control devices, which have either been placed or hacked, on the inside of the client’s organisation.
In addition to a rigorous examination of the organisation’s security controls, Red Team engagement will exercise incident detection, response and management. This can be linked to a wider incident simulation process testing procedures and response capability throughout the business.
Opening up an organisation’s entire network and allowing a third party to effectively breach security defences requires a high degree of trust. Experienced, highly qualified Red Teams are few and far between. At SRM our Red Team is comprised of ex-police High Tech Crime Unit officers, qualified ethical hackers and includes holders of the Offensive Security Certified Professional (OSCP) the world’s first completely hands-on offensive information security certification. OSCP challenges students to prove they have a clear and practical understanding of the penetration testing process and life-cycle through an arduous twenty-four (24) hour certification exam.
When you combine the benefits of a best in class web vulnerability scanner updated within hours of new threats emerging, able to be run ‘on demand’ and OSCP trained experienced penetration testers it’s a powerful combination to help stay safe in today’s ever-changing world of cyber threats.
There is no one-size-fits-all solution. The importance of accurate scoping at the outset of the exercise cannot be overemphasised because every organisation faces its own unique challenges in terms of regulations, risks and vulnerabilities. What is more, in a world where data security is constantly evolving in response to new and ever more ingenious attacks, an organisation’s test and exercise strategy needs to reflect this. If your incumbent data security provider cannot demonstrate the required agility, you must ask yourself whether your requirements are being met.
SRM partners with industry-leading vulnerability scan provider AppCheck to deliver both the automated and manual elements of a bespoke test and exercise strategy. SRM can advise on all aspects of Information Security Testing as well as providing a full range of consultancy services. For further information please contact Mark Nordstrom at firstname.lastname@example.org or phone 03450 21 21 51.