Cybersecurity: Penetration Testing
Dr. John McCarthy | B2E Principal
Background
There are many stories in the news these days regarding companies that were breached, customer data exposed, fines levied – it’s becoming a commonplace occurrence.
Both large and small companies can be a target for cyber criminals. In fact, some types of cyber-crime such as Ransomware have become such a lucrative market that they are now offered on the dark web as RaaS (Ransomware as a Service), complete with their own support staff and payment systems. The nature of these attacks has evolved significantly over recent years; as anti-virus and Endpoint Detection and Response (EDR) capabilities have improved, malware (as used historically) is becoming harder to deploy at scale. Threat actors are instead moving to a model where infection and encryption of data is not the only method used to extort companies. While still trying to encrypt company data, they also steal it, so that they can blackmail companies into paying to prevent the data from being released publicly.
This change of tactic significantly changes the landscape for every company. Now, it only takes one mistake by one user and everything that an employee has access to can be used in an extortion campaign. Since every organisation will hold confidential data that it doesn’t want in the public domain – employee details, customer details, research – every company is a valid target.
The Verizon Data Breach Investigations Report (DBIR) is released every year and offers an invaluable insight into the current threat landscape and emerging trends. The 2024 release reports a 180% increase in exploitation of vulnerabilities as the initial point of compromise, almost triple the previous year's figure [1]. The origin of these exploited vulnerabilities was, perhaps unsurprisingly, typically web applications. Many of these vulnerabilities can be exploited automatically as soon as they are discovered by a threat actor or their tooling.
Penetration testing can help identify weaknesses in security practices and vulnerabilities before the threat actors do, allowing time to fix them before they are exploited. While a penetration test will not find every possible past, current and future vulnerability affecting an organisation, it will help harden an organisation to attack. This will make a successful attack a lot less likely, a lot harder to achieve and require a lot more time and effort on the attacker’s end, allowing businesses more time to detect and respond to the incident.
Who’s It For
Any organisation can benefit from a penetration test; if it holds or processes sensitive data, it is potentially a target for a threat actor. However, there is the cost to be considered – penetration tests are not inexpensive, and reducing the cost by arbitrarily reducing the day count for the engagement is typically not an advisable approach, as it could result in parts of the scope being skipped, which can leave important but unchecked areas of the estate vulnerable. It is therefore recommended to set budget aside each year for cyber security, of which penetration testing should be a component, and that scoping is performed in collaboration with a penetration testing partner. This will help to ensure the organisation gets the best value possible from the engagement.
Preparation
Once scoping has been agreed, there will be some steps that the business needs to take. The penetration testing partner should provide guidance on how to go about preparation, but there are some general actions that should be considered:
- Access – the scope of the work will dictate how access will be provided, but if the scope is not publicly accessible, some form of remote access may need to be put in place, or onsite work agreed with the partner. As many organisations had to put technologies in place to allow for remote working during COVID, this is often relatively straightforward to achieve, and the current VPN / Citrix solutions used by employees will often provide an easy solution.
- Accounts – penetration testers will benefit from having accounts created for them for whichever domain or application is in scope. Ultimately, they will be trying to locate credentials separately, but having a valid set of credentials will allow them good visibility and help them to provide as much value as possible in the event they are unable to locate any themselves.
- Planning for Disruption – business activities will never be purposefully disrupted. Good consultants understand how important it is not to impair business operations. However, it is always possible for things to go wrong during a penetration test, despite best efforts. For this reason, having redundancy plans and identifying key systems to handle with caution is a very important pre-engagement activity for any organisation.
- Notifying SOC and Third Parties – penetration tests by their nature can cause a lot of ‘alarm bells’ to be triggered in defensive technologies. If the organisation has a SOC, it is a good idea to notify them that a penetration test is taking place to avoid unnecessary panic and diversion of attention. Equally, all third parties (unless they have explicit exceptions, e.g. AWS) who may fall into the scope of the work must be informed and provide written agreement for the penetration test taking place, to avoid legal implications under the Computer Misuse Act.
What’s Involved
The nature of the work will depend heavily on the scope agreed and the type of testing being performed. However, at a high level, scans will be run to gather a baseline of hosts on the network, services running on those hosts and known vulnerabilities affecting the discovered services. After the baseline scans have taken place, the approach switches to a manual one, where the consultant will look at each host and service individually to identify misconfigurations and vulnerabilities that may be present. For web applications, this extends to a much deeper application-layer review, looking for common and extremely dangerous vulnerabilities in both off-the-shelf and custom-built web applications, whatever the technology stack.
Should the internal network be in scope, this would also include a review of the Active Directory (AD). Attempts to use weaknesses in account, group and AD permissions to move laterally onto other machines and escalate privilege can also feature as part of the testing activity.
Reflection
Once the penetration test has completed and the report has been presented, this is the natural time for the company Head of Cyber Security to assess the holistic picture. This includes reviewing all aspects of the penetration test and identifying trends and urgent actions as a result of the outcome.
The urgent actions are generally a lot easier to identify than trends, and the penetration testing partner can suggest the best way to prioritise issues. Typically, this will be given by a rating system in the report, but it’s best practice to review and discuss the next steps. A typical approach is to work from the highest severity down when considering priority for remediation, but exposure should also be considered – a high-severity vulnerability that is internet facing may be more pressing than a critical vulnerability that is only reachable internally, simply because access to the latter is restricted. A strong technical understanding is key in appreciating the nature of a vulnerability, and the penetration testing partner should be able to help an organisation process the findings and their urgency.
Less urgent but important vulnerabilities can also be established from the report. For example, one missing patch may not constitute a problematic trend. However, if there are several End-of-Life systems discovered and multiple patches missing across many hosts in the estate, this could indicate that the organisation’s patch policy may need attention. These can sometimes be hard to identify but reviewing with the consultant who performed the test can provide expert insight on general advice for improving practices moving forwards.
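The two review steps above, ordering findings by severity adjusted for exposure and spotting estate-wide trends that a single finding would not reveal, as an added illustration that is not part of the original article; the findings, hosts and ratings are constructed sample data, and the one-band bump for internet-facing hosts is an assumed rule of thumb.

```python
from collections import defaultdict

# Constructed sample findings, in the shape a report's summary table might take.
# Hosts, titles and ratings are made up for illustration only.
FINDINGS = [
    {"host": "fs01",  "title": "End-of-life operating system", "severity": "Critical", "exposure": "internal", "category": "eol_system"},
    {"host": "web01", "title": "Outdated TLS library",         "severity": "High",     "exposure": "internet", "category": "missing_patch"},
    {"host": "web01", "title": "Verbose error pages",          "severity": "Medium",   "exposure": "internet", "category": "web_app"},
    {"host": "db01",  "title": "Missing database patches",     "severity": "Medium",   "exposure": "internal", "category": "missing_patch"},
    {"host": "app02", "title": "Missing OS security updates",  "severity": "High",     "exposure": "internal", "category": "missing_patch"},
    {"host": "dc01",  "title": "Over-privileged AD group",     "severity": "Critical", "exposure": "internal", "category": "ad_permissions"},
    {"host": "vpn01", "title": "Banner discloses version",     "severity": "Low",      "exposure": "internet", "category": "info_disclosure"},
]

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Informational": 0}


def urgency(finding):
    """Sort key: the report's severity band, bumped one band for internet-facing
    hosts (assumed rule). Internet-facing findings also win ties, so an
    internet-facing High sorts ahead of an internal Critical."""
    exposed = finding["exposure"] == "internet"
    return (SEVERITY_RANK[finding["severity"]] + int(exposed), exposed)


def remediation_order(findings):
    """Findings most urgent first; the sort is stable, so equal keys keep report order."""
    return sorted(findings, key=urgency, reverse=True)


def systemic_trends(findings, min_hosts=3):
    """Categories seen on at least min_hosts distinct hosts. One missing patch is
    a one-off; the same category across the estate points at a policy gap."""
    hosts = defaultdict(set)
    for f in findings:
        hosts[f["category"]].add(f["host"])
    return {cat: sorted(h) for cat, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    for f in remediation_order(FINDINGS):
        print(f"{f['severity']:<9} {f['exposure']:<8} {f['host']:<6} {f['title']}")
    for cat, h in systemic_trends(FINDINGS).items():
        print(f"trend: {cat} on {len(h)} hosts: {', '.join(h)}")
```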
In conclusion, penetration testing is relevant for all business types and sizes, and it will deliver significantly more value than an automated scan could alone. It should identify vulnerabilities, as well as weaknesses in practices and gaps in policies, to help the organisation remain resilient long after the engagement has ended and the urgent fixes have been applied.
Sources:
[1] https://www.verizon.com/business/en-gb/resources/reports/dbir/2024/summary-of-findings/