For many organizations, the first time they find out whether those expensive network security appliances or endpoint solutions work as promised is when they are under attack from a real-world adversary; much the same can be said for the incident handling process itself. No matter how good the gear is, nobody wants to field a team for the championship without having practiced the playbook hundreds of times. An information security program should be approached in exactly the same way: defenders need multiple, if not continuous, opportunities to implement and execute the defensive playbook. This is the BLS “Attack to Defend” mindset. The fundamental objective of a red team engagement or penetration test is a better defense. We exist for the explicit purpose of improving and empowering network defenders, protecting organizations, and reducing overall risk.
In planning for the penetration test, BLS engineers examine the threats and vulnerabilities most relevant to the business. During execution, the tactics, techniques, and procedures (TTPs) used by the tester reproduce validated, relevant threats and attempt to demonstrate the greatest potential to negatively impact near- and/or long-term business operations. The resulting analysis and recommendations are designed to empower the business and defend the critical resources that add to the bottom line every day.
Our penetration testing methodology is based on industry-accepted standards, including NIST SP 800-115 and the Penetration Testing Execution Standard (PTES).
Penetration test activities include:
Planning, Scope, and Customer On-Boarding
- Covers structured and unstructured testing of network, application, and host-based security controls
- Considers the maturity of the information security program, business objectives, resources, and overall mission
- Establishes test scope and blacklisted (off-limits) systems
- States test objectives and overall goals
- Establishes test duration and rules of engagement (ROE)
Passive Information Gathering
- Considers how the business makes money
- Identifies critical resources (Point of Sale (PoS) systems, Databases, Enterprise Applications, Intellectual Property, PII, PHI)
- Identifies key personnel (Comptroller(s), C-level Executives, System/Network administrators)
- Analyzes digital footprint (IP space, domain(s), hosts, mail servers)
- Analyzes physical footprint (physical addresses, adjacent businesses, tenants)
- Investigates social media presence
- Identifies partner organizations
- Researches technologies deployed
Active Information Gathering
- Identifies public facing systems and services, including web sites and applications
- Identifies remote access solutions
- Executes vulnerability scanning
- Identifies security controls deployed
Attack Planning and Execution
- Identifies vulnerabilities and/or misconfigurations to be attacked
- Identifies desired “mission effects” (impacts to business processes, exfiltration of PII/PHI/cardholder info, disruption/denial of service)
- Establishes mission thread from initial compromise to data exfiltration and clean-up
- Configures tools, utilities, and/or custom exploitation techniques
- Verifies security controls being tested and expected results
- Executes the attack
Post Exploitation Activities
- Establishes persistent user-level access
- Escalates privileges
- Moves laterally to additional systems and workstations
- Creates specific mission effects and demonstrates business impacts
Reporting and Mitigation Strategy
- Includes test timeline and description of activities
- Provides detailed mitigation steps and strategies that are vendor agnostic and can be implemented by existing personnel
- Identifies perceived and actual gaps and provides concrete steps for improvement
- The report is written by the testers, not generated as the byproduct of an automated tool
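The scope, blacklist, and rules of engagement agreed during planning have to be enforced mechanically during the active phases, because a single probe against an excluded production system can do more harm than the test prevents. The following is an added example of such a gate, not BLS tooling; the RFC 5737 ranges, the example.com domain, the blacklisted host, and the testing window are constructed sample values.

```python
"""Rules-of-engagement gate: refuse targets outside the agreed scope.

Added example, not BLS code. The scope ranges, blacklist, domains and
testing window below are constructed sample values for illustration.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time


@dataclass
class RulesOfEngagement:
    in_scope: list        # CIDR strings agreed during planning
    blacklist: list       # hosts or ranges that must never be touched
    domains: list         # DNS suffixes in scope for web/host testing
    window_start: time    # permitted testing window (customer local time)
    window_end: time

    def __post_init__(self):
        self._scope = [ipaddress.ip_network(n, strict=False) for n in self.in_scope]
        self._deny = [ipaddress.ip_network(n, strict=False) for n in self.blacklist]

    def ip_allowed(self, addr):
        """Blacklist wins over scope: a blacklisted host inside a scoped range stays off-limits."""
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in self._deny):
            return False, "blacklisted"
        if not any(ip in net for net in self._scope):
            return False, "out of scope"
        return True, "in scope"

    def host_allowed(self, hostname):
        name = hostname.lower().rstrip(".")
        if any(name == d or name.endswith("." + d) for d in self.domains):
            return True, "in-scope domain"
        return False, "domain not in scope"

    def in_window(self, when):
        t = when.time()
        if self.window_start <= self.window_end:
            return self.window_start <= t <= self.window_end
        return t >= self.window_start or t <= self.window_end   # window crosses midnight


def filter_targets(roe, targets, when):
    """Split candidate targets into (allowed, rejected); rejected maps target -> reason."""
    if not roe.in_window(when):
        return [], {t: "outside testing window" for t in targets}
    allowed, rejected = [], {}
    for target in targets:
        try:
            ok, reason = roe.ip_allowed(target)
        except ValueError:              # not an IP literal, treat it as a hostname
            ok, reason = roe.host_allowed(target)
        if ok:
            allowed.append(target)
        else:
            rejected[target] = reason
    return allowed, rejected


# Constructed sample engagement (RFC 5737 documentation ranges, example.com).
SAMPLE_ROE = RulesOfEngagement(
    in_scope=["203.0.113.0/24", "198.51.100.0/25"],
    blacklist=["203.0.113.10/32"],           # e.g. a production PoS controller
    domains=["example.com"],
    window_start=time(18, 0), window_end=time(6, 0),
)
SAMPLE_TARGETS = ["203.0.113.5", "203.0.113.10", "198.51.100.200",
                  "www.example.com", "mail.example.org"]
NIGHT = datetime(2024, 1, 15, 22, 30)   # inside the overnight window
NOON = datetime(2024, 1, 15, 12, 0)     # outside it

if __name__ == "__main__":
    ok, bad = filter_targets(SAMPLE_ROE, SAMPLE_TARGETS, NIGHT)
    print("allowed:", ok)
    for target, reason in bad.items():
        print("rejected:", target, "-", reason)
```

The hostname check only validates the name; every address a hostname resolves to should be passed through `ip_allowed` as well before it is touched, since an in-scope domain can point at hosting the customer does not own.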
Penetration Testing (External)
Unfortunately, for the majority of organizations, attacks originating from outside the perimeter have become an almost daily occurrence. An external network penetration test assesses the degree of difficulty required to bypass external security controls, access the internal network, and compromise critical resources. The overall goal is to demonstrate the greatest potential to negatively impact near- and/or long-term business operations.
The external penetration test will:
- Analyze and leverage publicly available information and intelligence (open source intelligence (OSINT))
- Attempt to compromise public facing applications and services
- Evaluate the effectiveness of network and host-based security controls
- Assess defensive strategies and tactics
- Evaluate incident response
- Include social engineering activities if the customer desires (phishing, watering hole(s), pretexting)
Penetration Testing (Internal)
For even the most casual observer it should be obvious that with a determined adversary it’s not a matter of if they will get in but when. An internal network penetration test assumes that an attacker or malicious insider has already established access to the internal network(s) and/or domain. The data suggests that this isn’t an unreasonable assumption, and it lets our customers address directly how well the network is defended from the inside.
The internal penetration test will evaluate:
- The degree of difficulty required to compromise critical resources
- Misconfigured and/or vulnerable systems, services, and applications
- The effectiveness of network and host-based security controls
- Defensive strategies and tactics
- Incident response
Wireless Penetration Testing
A wireless penetration test begins with the identification and enumeration of both authorized and rogue wireless access points. The information collected and analyzed includes deployed encryption, SSID, channel, access point location, access point name, equipment vendor details (derived from the hardware MAC address), and hardware MAC addresses. This data is then used to identify known and previously unknown vulnerabilities in wireless devices and configurations. The testers attempt to gain unauthorized access to the wireless network by abusing device misconfigurations, exploiting a discovered vulnerability, or breaking weak encryption. Follow-on activities include harvesting sensitive/confidential company data, personally identifiable information (PII), and/or protected health information (PHI), with the overall goal of demonstrating the greatest “potential” to negatively impact the customer’s near- and/or long-term business operations.
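The enumeration step above turns into a triage problem once the survey is captured: which BSSIDs belong to the customer, which corporate SSIDs are being advertised from hardware not in the inventory (an evil twin), and which networks run encryption a tester will break first. The following is an added example of that triage, not BLS code; the scan export, the authorized BSSID inventory, and the OUI-to-vendor table are constructed sample data, and the CSV field order is an assumption loosely modelled on an airodump-ng export rather than a real tool's format.

```python
"""Wireless survey triage: authorized vs rogue APs, and weak encryption.

Added example, not BLS code. The scan export, authorized inventory and
OUI table below are constructed sample data; the CSV field order is an
assumption loosely modelled on an airodump-ng export, not a real format.
"""
import csv
import io
from dataclasses import dataclass

SAMPLE_SCAN = """\
BSSID,ESSID,Channel,Privacy,Cipher,Authentication,Power
00:11:22:AA:BB:01,CORP-WIFI,6,WPA2,CCMP,MGT,-48
00:11:22:AA:BB:02,CORP-WIFI,11,WPA2,CCMP,MGT,-55
00:11:22:AA:BB:03,CORP-GUEST,1,WPA2,CCMP,PSK,-60
DE:AD:BE:EF:00:01,CORP-WIFI,6,WPA2,CCMP,PSK,-41
00:11:22:AA:BB:04,CORP-LEGACY,1,WEP,WEP,OPN,-62
AA:BB:CC:00:00:09,Free Public WiFi,1,OPN,,,-70
00:11:22:AA:BB:05,CORP-PRINTERS,11,WPA,TKIP,PSK,-58
"""

# BSSIDs the customer confirmed as their own (constructed inventory).
AUTHORIZED = {
    "00:11:22:AA:BB:01", "00:11:22:AA:BB:02", "00:11:22:AA:BB:03",
    "00:11:22:AA:BB:04", "00:11:22:AA:BB:05",
}
CORPORATE_SSIDS = {"CORP-WIFI", "CORP-GUEST", "CORP-LEGACY", "CORP-PRINTERS"}

# Tiny OUI-to-vendor table (constructed; a real run would use the IEEE registry).
OUI = {"00:11:22": "ExampleNet Inc.", "DE:AD:BE": "HobbyRouter Co."}


@dataclass
class Finding:
    bssid: str
    essid: str
    channel: int
    vendor: str
    category: str     # "authorized", "rogue-evil-twin" or "rogue-unknown"
    issues: list


def vendor_of(bssid):
    """Vendor lookup from the first three octets (the OUI) of the MAC address."""
    return OUI.get(bssid.upper()[:8], "unknown vendor")


def encryption_issues(privacy, cipher, auth):
    """Return the encryption/authentication weaknesses a tester would attack first."""
    p, c, a = privacy.upper(), cipher.upper(), auth.upper()
    issues = []
    if p in ("", "OPN"):
        issues.append("open network: no encryption or access control")
    elif p == "WEP":
        issues.append("WEP: key recoverable from captured traffic")
    else:
        if p == "WPA":
            issues.append("WPA1: deprecated")
        if c == "TKIP":
            issues.append("TKIP cipher: deprecated, weaker than CCMP")
        if a == "PSK":
            issues.append("PSK: 4-way handshake can be captured for offline passphrase guessing")
    return issues


def triage(scan_csv):
    rows = list(csv.DictReader(io.StringIO(scan_csv)))
    # Authentication modes the authorized APs use per SSID, for evil-twin comparison.
    legit_auth = {}
    for r in rows:
        if r["BSSID"].upper() in AUTHORIZED:
            legit_auth.setdefault(r["ESSID"], set()).add(r["Authentication"].upper())

    findings = []
    for r in rows:
        bssid, essid = r["BSSID"].upper(), r["ESSID"]
        issues = encryption_issues(r["Privacy"], r["Cipher"], r["Authentication"])
        if bssid in AUTHORIZED:
            category = "authorized"
        elif essid in CORPORATE_SSIDS:
            # Corporate SSID advertised from a BSSID that is not in the inventory.
            category = "rogue-evil-twin"
            expected = legit_auth.get(essid, set())
            if r["Authentication"].upper() not in expected:
                issues.append("authentication %s differs from authorized %s APs (%s)"
                              % (r["Authentication"], essid, ",".join(sorted(expected))))
        else:
            category = "rogue-unknown"
        findings.append(Finding(bssid, essid, int(r["Channel"]), vendor_of(bssid),
                                category, issues))
    return findings


def summarize(findings):
    """Map BSSID -> (category, number of issues), handy for reports and checks."""
    return {f.bssid: (f.category, len(f.issues)) for f in findings}


if __name__ == "__main__":
    for f in triage(SAMPLE_SCAN):
        print(f"{f.bssid} ch{f.channel:>2} {f.essid:<18} {f.vendor:<18} {f.category}")
        for issue in f.issues:
            print("    -", issue)
```

In the sample data the evil twin stands out on two counts: its BSSID is absent from the inventory, and it offers a pre-shared key for an SSID the authorized APs only serve with 802.1X (MGT). That combination is exactly what a tester would use to harvest credentials from clients, and it is the first thing the triage should surface.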
Web Application Penetration Testing
Internal and public-facing web applications are attractive targets for attackers because they typically hold valuable data (PII, PHI, intellectual property) and provide a gateway into internal corporate networks. A web application penetration test looks to exploit vulnerabilities, misconfigurations, and logic flaws to attack an organization. BLS test methods are based on the long-standing OWASP testing framework and controls.
Red Team Engagements
A red team engagement simultaneously addresses all of the individual attack surfaces (internal/external network, physical, social, wireless, web/mobile applications) through a coordinated attack against the entire business or organization. An interdisciplinary team of testers uses any means necessary, within the rules of engagement, to demonstrate the greatest “potential” to negatively impact your near- and/or long-term business operations. Red team engagements provide an excellent opportunity for the organization to thoroughly assess and understand its ability to withstand real-world attackers, who routinely operate with no regard for scope, sensitivity, boundaries, or politics. This is a more advanced form of testing in which multiple attack vectors may be leveraged in series or in parallel, and individual vectors are often used as force multipliers for one another.