Why Penetration Testing is Critical to Improving Cybersecurity Defense
by Robert Bond
Penetration Testing is Critical to Improving Cybersecurity Defenses
Penetration testing has long been a primary method for organizations to test their defenses against cyberattacks. By hiring an outside company to pose as an attacker, organizations are able to identify weaknesses in their systems to prevent future breaches. During a penetration test, a CEH or certified ethical hacker simulates the techniques a criminal attacker might use during an attempt to gain access to IT systems, potentially including password cracking, malware, and even social engineering.
Penetration testing or ethical hacking, has been around since at least the 1970s – when the U.S. military and RAND Corporation began using tiger teams to test the ability of computer networks to resist attack. Today’s penetration tests are increasingly a standardized service – a packaged bundle of discovery scans, vulnerability scans, and limited attempts to exploit any discovered vulnerabilities.
While traditional techniques still dominate marketplace offerings, penetration tests in 2018 are increasingly adopting new and improved methods of testing defenses, including new attack techniques, red teaming, capture the flag and bug bounty programs.
Phases of a Penetration Test
Penetration tests remain a primary method of simulating a cyber-attack and testing defenses. A penetration test does not stop with simply discovering vulnerabilities as a vulnerability scan would – it takes the next step of actively exploiting vulnerabilities to simulate a real-world attack.
Penetration tests usually include the following phases:
- Reconnaissance – testers use internet searches, social engineering, DNS inquiries, and non-intrusive network scanning to map out organization systems and networks, potentially identifying targets for further exploration.
- Vulnerability Detection – testers use automated vulnerability scans and manual testing to identify open ports and services, vulnerable applications and operating systems, and weak network configurations that may be vulnerable to exploitation.
- Exploitation Attempt – testers attempt to gain access by exploiting discovered vulnerabilities. This might include exploitation of remote code exploitation vulnerabilities like MS17, which allow attackers to gain administrative access to vulnerable systems.
- Reporting and Remediation – testers deliver a report on their progress during the test, identifying vulnerabilities discovered, successful breaches and the results of those breaches including sensitive data that was accessed so that the organization may make the proper updates and patches.
Attackers progress through these phases over a period of days to weeks in order to simulate an attack and produce meaningful discovery data to the target company.
Top Five Benefits of a Penetration Test
Penetration test benefits include the following
- Penetration tests help organizations to identify high-risk vulnerabilities that are often difficult or impossible to detect with an automated network or application vulnerability scan. Penetration testing is one of the only types of tests that allows a realistic method to gauge the actual risk to their systems. Vulnerability scanning can help to find some weaknesses, but an ethical hacker has access to networks and systems that might not be compatible with scanning, and can use a manual, methodical process to verify actual exploitability of weaknesses.
- Penetrations tests are a way to assess the ability of defenders to successfully detect and respond to attacks. A frequent element of a test is to gauge the ability of defensive tools and personnel to respond to attacks. The real value of tools like antivirus, intrusion detection systems, and firewalls becomes clear when organizations see them stop malware and attackers – or fail to do so. The ability of defenders to analyze alerts and logs to detect the underway attack also provides a gauge of the defensive personnel in place.
- Tests provide evidence to organization leadership to support increased investment in security program initiatives, personnel, and technology. Many organizations use penetration tests to assess the effectiveness of their security investments and cost effectiveness as an IT security organization. They either assess after an initiative is complete and evaluate the defensive strength of a new system, or to test before a new project as a way to justify the budgetary spend.
- Tests help organizations prevent potential future incidents – by identifying vulnerabilities before they are exploited by attackers, tests can help organizations prevent potential breaches. As we mentioned earlier, vulnerability scanners are not intended to uncover weaknesses beyond software vulnerabilities. By responding to the penetration test findings, organizations can improve their overall cybersecurity posture. Usually the low-hanging fruit is found early during a penetration test, vulnerabilities that are easy to remediate but allow attackers easy access into the environment.
- Penetration tests help organizations meet their compliance requirements, including Payment Card Industry Data Security Standard (PCI-DSS), Sarbanes-Oxley, HIPPA, 201 CMR 17.00. Some compliance frameworks – like PCI – explicitly require an annual penetration test as a mandatory activity.
New Tools and Techniques
While traditional penetration tests usually involve similar tools that have been in use for many years, tools are regularly updated to target new vulnerabilities and system misconfigurations. Some of today’s most popular tools include the following:
- Web application scanning tools – Testers frequently use tools like Netsparker, OWASP Zed Attack Proxy, and Burp Suite Scanner to scan web applications and discover vulnerabilities. These tools are able to test for injection attacks and other frequently found web application vulnerabilities that open organizations to attack from the Internet.
- Discovery scanning – Penetration tests frequently begin their reconnaissance with stealthy port scans using tools like nmap and Advanced Port Scanner to identify ports and protocols that are open and potentially vulnerable to attack.
- Network Traffic Analysis – Testers often use traffic analysis tools to intercept credentials or exploit potential network weaknesses. Wireshark is one popular tool to intercept and analyze network packets. Some attackers target wireless network vulnerabilities with tools like Aircrack-NG in attempts to gain access. Other tools like Impacket can help to target and exploit vulnerabilities exposed by weak network traffic protocols.
- Exploitation – testers often leverage Metasploit, Empire, and other tools as ways to craft malicious payloads and exploit the vulnerabilities discovered during earlier phases of the attack.
Organizations with more advanced defenses are increasingly turning to red teaming to simulate attacks on their cyber systems. A red teaming exercise is more in-depth and wide ranging than a penetration test. Red teams are tasked to simulate cyber-attacks at a greater depth than a penetration test, without the scope or time-limits of penetration tests. Defensive actors are typically not notified of the red team exercise. Red teams can include reconnaissance and physical breach specialists, phishing experts, and traditional penetration testers skilled in communications and IT.
Capture the Flag
Some organizations choose to turn their penetration test into a type of competition – placing a ‘flag’ (usually a sensitive file) in a secure location on their network. The attacking penetration testers are given the task of accessing this file or “capturing the flag” by any means possible. A defending ‘Blue Team’ – usually the incident response staff at the organization – is evaluated during the simulated attack, testing their ability to detect and respond to the attacker. This style of capture the flag penetration test allows companies to test their defensive capability in a more realistic way, placing the focus on protecting sensitive data rather than their entire network.
Bug Bounty programs are another increasingly popular way for organizations to test their cyber defenses. Sites like Bugcrowd and HackerOne offer ways for potential attackers to turn in discovered vulnerabilities in exchange for a reward. Organizations use these programs to offer compensation and recognition to white hat hackers that report bugs, exploits, or vulnerabilities on their systems, allowing the organization to patch them before they are exploited by a malicious attacker. Large organizations like General Motors, Microsoft, and HP are offering $10,000 to $100,000 per verifiable discovery reported. Larger organizations are able to start their own programs, and smaller companies can leverage bug bounty-as-a-service providers like Bugcrowd or Synack to run a program for their website or applications.
Penetration tests remain a primary way for organizations to test their cyber defenses. While the traditional penetration test remains important, some companies are now leveraging new tools and techniques, more advanced red teaming exercises, capture the flag competitions and continuous testing via bug bounty programs as a way to test their defensive capability. Regardless, having an ethical hacker, a genuine cybersecurity professional hack into your system instead of a legitimate attack, the defense weaknesses can be bolstered before a malicious hacker targets your organization.
January 6, 2021