A penetration test is an authorized attack on computer systems and/or networks that mimics the methods used by real-world attackers by combining both automated and manual testing. Penetration testing can be used to identify weaknesses in your environment or be used to demonstrate the resilience of your network to attack. A pen test focuses on what real-world attackers might attempt to compromise and helps your organization get in front of any gaps or weaknesses before they do.
So, who are these mysterious keyboard jockeys using their powers for good? One of CampusGuard’s Offensive Security Services team, David Sullivan, has been busy educating customers on exactly what penetration testing is during recent conferences and webinars. In this interview with David, we decided to learn more about why he chose pen testing as a career and what he has learned along the way.
1. What made you want to become a penetration tester?
As far back as I can remember, I have always been an inquisitive person. I’ve never really been content with only knowing how things work; but I want to know why we use a thing and what the purpose of that thing is too. Additionally, I have always been a fan of strategy games. Growing up, I used to play a lot of board games with my dad and older brother (Risk, Stratego, Chess, etc.). While the games themselves were a lot of fun, studying your opponent and learning how to react to their thought process instead of their skill, was always a lot of fun to me.
So I think those 2 elements of my personality really drew me to becoming a Pen Tester more so than working on the defensive side of things. I had enjoyed working on the defensive side as well, prior to becoming a Pen Tester; but you are typically pigeon-holed into only understanding a few tools or processes.
With penetration testing, you get to learn something new every day. In fact, you have to or you will start to lose your advantage. So getting to learn new things, getting to match up against clients who have very skilled teams, and learning from each other on how to better our craft are appealing parts of my job. Advising on remediation actions in a way that the client understands not only what they need to do, but also the reason behind certain mitigations and how they can still achieve their goal(s) without sacrificing security is very satisfying.
2. When your mother-in-law asks you what you do for a living, what do you tell her?
She’s an incredibly smart person so I just talk to her like I would anyone in the industry. While she isn’t a super technical person, she understands what a pen tester is and asks pretty genuine questions about our methodology and how regular people can protect themselves from being a victim.
3. Your recent presentation focused on the confusion between vulnerability scanning, “automated” penetration testing, and actual penetration testing? Can you give us a high level overview of how these differ?
Vulnerability scans are when you use a tool, or suite of tools, to run a variety of tests to discover any services or applications that are running, what their patch level is, if default settings have been changed, etc. These tools then provide a report based on those tests that gives you a number of details about what was found, the severity of the findings, and how to remediate them. This process is typically completely automated aside from telling the tools what their targets are and a manual review of the results to ensure that there are no false positives.
So ‘automated’ pen testing, despite any claims made otherwise is the same thing as a vulnerability scan. While these tests may include some logic that causes the automated tool to dig a bit deeper than a traditional vulnerability scanning tool would, or it attempts automated exploits based on vulnerabilities found; at the end of the day it’s still a tool that can only run with the instructions it was provided and with the algorithms it was programmed with.
A penetration test may use the other two methods as part of the overall approach to the testing done, but will mostly be driven by a human reviewing the results from the tools and responses from the application(s) or service(s) being tested, and trying various methods to exploit misconfigurations, weaknesses, or lapses in protocol to gain access. These methods are then repeated to find additional ways to access the network, or move deeper to obtain more privileged access within the environment.
4. You mentioned during that presentation that one of the best ways to vet a potential penetration test vendor is to ask for a sample report. Any other red flags to watch for?
Price is going to be another one. While some vendors may be overcharging for the services they provide in order to look legitimate, typically, you are going to get what you pay for in this industry. Legitimate vendors, providing quality pen testing, with skilled pen testers on their team are going to cost more than a vendor that runs a vulnerability scan and changes the logo on the report. If the price is too good to be true, there is a very strong chance that it is.
Additionally, interview the technical staff that will be working on the test. While sales may confuse price is too good to be true, there is a very strong chance that it is. some terms, the actual testers never should. A pen tester who doesn’t know the difference between a pen test and a scan is not someone you should hire to do a pen test for you any more than you should hire a roofer to put slate on your house who doesn’t know the difference between asphalt and slate. You don’t want to pay for slate and get asphalt any more than you want to pay for a pen test and get a vulnerability scan. They aren’t the same quality.
5. What vulnerabilities or misconfigurations do you see most often during penetration tests?
This is pretty varied depending on the type of pen test we are doing, however, weak passwords combined with the lack of multi-factor authentication is rampant.
It is extremely easy for an attacker to profile your company and collect information on usernames, email addresses, etc., then leverage that information to test for weak passwords against the discovered accounts. And once an attacker is in a corporate email account, they will typically have an easy time getting more access because people send shared account passwords and other sensitive data through email all of the time. Exposing domain or single sign-on accounts in this way to the internet is almost a guarantee that an organizational account will be compromised by an attacker.
So while it may not be the most often thing we find in our testing, it is definitely one of the things that is most often exploited by attackers without organizations even knowing they have been compromised.
6. What is your favorite or the most common exploit or method you use during testing?
We’ve developed a few python tools that I use that make the collecting of internet-exposed usernames and emails really easy, which we then use to conduct the attack from the previous question.
While not the most exciting or technically savvy attack method, when successful, it is one of the best for helping us to get initial access onto a network. It’s also something that is easily understood by non-technical customer staff so we can provide them with remediation options or mitigations for this attack that can be implemented pretty quickly.
7. Have you ever been completely blocked during a test? (If so, remind me to give that company my data!)
It all depends on your viewpoint here. We have had organizations that have scoped the pen test in a way that we could not find any vulnerabilities or weaknesses to exploit. However, we have seen some of same organizations have gaping holes in systems that we were not authorized to test against. So were we blocked? Yes. But does that mean that company is secure? Not necessarily.
We have had other customers who have been able to detect our activity and have actively defended against us during an engagement. This is what you hope to see them be able to do against realworld attackers, and many of them have this capability. However, we also know that some organizations, when having a penetration test performed against them, request the IPs that all penetration testing activity will be coming from and block exploits from those IPs automatically. While a good idea in theory, they will not know where attackers are coming from in a real-world attack. For this reason, we typically try to work with customers to help monitor our activity and build detection around the attacks we used that they could not see. This is a more practical reaction than blocking all exploits since it will enable them to defend against attackers regardless of the IP addresses they are coming from.
At the end of the day some organizations are more prepared for an attack than others, but no organization is impenetrable. So the goal here is to not get comfortable, review your detections and defenses in all parts of your network, and test those defense and mitigation systems just as you would the systems they are protecting. Strong detection and reaction capabilities can be just as, if not more, important than stopping the initial foothold.
8. If an organization knows they have security gaps, but they also know they don’t have resources available to fix them all right now, should they just wait to have a pen test performed?
I’m going to say it depends. In order to get the most benefit from your penetration test, you should be doing vulnerability scans on your network already. While some compliance frameworks require them, they are also a security best practice because it will help you find missing patches, default accounts, etc. at a lower cost than having a penetration test done, and when you do get a penetration test done, you won’t be using up time that could be spent on other aspects of the penetration test.
However, if you know you have critical vulnerabilities or you already have that vulnerability scan program in place but need to know where to plan for resources in the future, a penetration test is definitely the right thing to do. It will help provide a risk based approach to the vulnerabilities that are not being discovered through other methods. We’ve also seen management increase support for remediation of vulnerabilities when they are found by an outside agency. A penetration test can strengthen the voice of your internal security teams and may validate the need for more resources when a loss-expectancy review of the findings is done.
Finding out exactly where your exposures are assists you to determine what your highest risks are, exactly how likely they are to be exploited, and what the impact might be if systems are compromised. This will allow the organization to efficiently plan for and allocate resources to fixing identified vulnerabilities as resources allow. Without a pen test, you start chipping away at vulnerabilities that are actually a fairly low risk, all the while leaving a major hole exposed.
9. What do you see as the ultimate value of a penetration test?
To provide insight into where an organization can improve their security posture. Whether it be through discovery of assets not being managed by their patching/change control program, evidence of security procedures not being followed that could lead to loss (hard-coded credentials, passwords shared through email, etc.), gaps in monitoring that can be addressed to improve discovery and reaction time of their defenders, or identifying additional controls that can mitigate weaknesses that are too expensive to completely remediate (implementing 2FA on internet facing login portals).
10. How can organizations ensure they are getting the most value out of a third-party pen test?
Instead of viewing the assets as individual things to be secured, view the network as a living entity where every part of the network has an effect on the overall health of the network. This means scoping your pen tests in a way that includes not just the systems you want tested, but any neighboring systems that might be leveraged against that system. For example, if you want the storage servers to be looked at, make sure the mail and domain controllers are in scope as well, these are the systems that attackers will compromise to compromise your storage servers.
Another important thing is to choose a vendor that you are comfortable with, who not only has the technical ability to test your network, but also a good understanding of compensating controls, the methodology used by attackers, and the flexibility to help design security controls that enable business without compromising on the end goal of securing your product or network.
11. What do you predict will be some of the biggest threats to organizational systems this year?
I think that social engineering will continue to be one of the biggest issues that organizations face. Phishing emails are getting easier to deploy with numerous cloud providers and services that allow for anonymity. Sadly, deepfake voice calls are starting to emerge and have already been attributed to at least one major breach.
Exploitation of misconfigurations in the cloud will continue to be another issue as well. A number of companies have suffered breaches due to misconfigured permissions on AWS buckets. As the number of organizations that move from on premise servers to the cloud increase, the number of misconfigured servers that are migrated will increase as well, especially as agencies with staff who are not trained in cloud technologies make the switch.
This will be exacerbated by the fact that moving to a shared space may not require these organizations to include them in their compliance testing. Agencies that do not go beyond testing for compliance requirements are going to be breached as well as they transfer sensitive data to “out-of-scope” systems.
12. Have you ever responded to a phishing email?
Accidentally? Yes, when I was younger (maybe 17) and had lost my social security card (it was a phishing email from the social security agency).
Purposely? Yes, but they never wrote back to me. 🙁
13. Final question – Have you ever been tempted to hack your local DMV and update your driver’s license expiration date, just to avoid the line?
Nope, the damage done to my personal life and career by going to jail for that wouldn’t be worth it. I enjoy knowing that what I do helps to protect the sensitive information of others and wouldn’t want to jeopardize it.
14. Sorry, one more. How many times have you watched Star Wars?
Ha, honestly, no idea! Depends on which movie, but probably around 15 times each for the original trilogy, 5+ each for the prequels (including Solo and Rogue One), and 3+ each for the sequels.
I have read over 60 of the expanded universe books though.
For more information on penetration testing and to discuss if your organization might benefit from taking a more in-depth look at your environment, please contact us.