Assumed Compromise Penetration Testing allows you to assess your organisation's current internal security posture. Ultimately, a defence-in-depth approach with layered security controls will slow down adversaries that breach the external perimeter and afford the security team critical time to contain and eliminate the threat from the network.
Your organisation has an inventory of all internet-facing assets. You know which ports and services are exposed to the internet and which aren't. There is a patching policy in place to ensure these assets are updated in line with the latest release of their software. You have implemented access-control rules so that only authorised users are allowed access. You have an annual external penetration test which turns up a couple of lows and the occasional medium-impact vulnerability. Bottom line? You've got this locked down. However, the external perimeter is never the complete picture...
Once an adversary lands within your organisation's network, what's next?
- Can every standard employee user account access most file shares with at least read-only access? Even if they can, all your sensitive data is encrypted, right?
- What's the internal patching like? You definitely decommissioned that Windows Server 2003 box several years ago, or at least put it in a closed-off, restricted network?
- Every user has to open a ticket to install software, not a single one of them has local administrator privileges, we hope?
- You definitely don't allow every service to communicate outbound from the organisation, allowing an adversary to exfiltrate lots of data?
If the answer to any of these is "I'm not sure", then Assumed Compromise Internal Penetration Testing should be an exercise you strongly consider.
Objectives
The goal of the assessment is to assess the current attack surface of the internal network. However, this type of engagement focuses purely on exploitable vulnerabilities and how an attacker might leverage them to gain privileged access within your organisation's network. A significant advantage of conducting this kind of penetration test is the ability to see real-world exploitable risks: the same risks that are seen in lots of breaches every year, commonly exploited by attackers and ransomware groups.
To maximise the results of an Assumed Compromise Internal Penetration Test, it is best conducted once standard vulnerability assessments have been performed. This ensures that time can be spent hunting down exploitable flaws and leveraging them to show how an attacker might abuse them, rather than reporting lots of issues that an automated scanner could find.
This assessment serves to find the issues automated scanners can't identify.
This article won't discuss the differences between a vulnerability assessment and a penetration test; however, some examples are provided below so the reader can get a feel for the issues reported during an assumed compromise internal penetration test.
Examples
- During the assessment, network shares were found to be accessible to any authenticated user. One of the identified shares was found to contain software development files. These files were not encrypted and contained one of the database passwords in plain text. This granted access to a database containing sensitive customer information.
- During the assessment, several servers were configured to allow standard users remote desktop access. These servers were then identified to be affected by privilege escalation vulnerabilities, allowing a standard user to become an Administrator. Once Administrator privileges were obtained, it was possible to extract credentials from the servers' memory. This granted access to a Domain Administrator account and subsequently resulted in a domain-wide compromise.
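The first example above (a share readable by every authenticated user, holding development files with a database password in plain text) is something a security team can check for itself before an assessment. The script below is an added illustration, not Adversify's tooling or anything from the engagement described. It assumes the share has been mounted or copied to a local directory and walks it looking for connection strings, credentials embedded in URLs and password assignments, masking each value in the report so the finding itself does not spread the secret. The sample share it builds is constructed for the demonstration; the file names and secrets in it are invented. Whether the share's ACL grants access to "Authenticated Users" is a separate check (on Windows, Get-SmbShareAccess on the file server shows it) and is not covered here.

```python
"""Hunt for plain-text credentials on a mounted file share.

Added illustration, not Adversify's tooling. It assumes the share is mounted
or copied to a local directory; the sample share below is constructed.
"""
import re
import tempfile
from pathlib import Path

# File types where connection strings and passwords are commonly left behind.
TEXT_SUFFIXES = {".txt", ".cfg", ".conf", ".ini", ".env", ".json", ".xml", ".yml",
                 ".yaml", ".properties", ".config", ".py", ".ps1", ".sh", ".sql"}
MAX_BYTES = 1_000_000  # skip large files; binaries and archives are out of scope here

# Ordered from most to least specific; group "value" captures the secret so the
# report can mask it rather than copy it.
PATTERNS = [
    ("connection string",
     re.compile(r"(?i)(Server|Data Source|Host)=[^;]+;.*?(Password|Pwd)=(?P<value>[^;\s\"']+)")),
    ("credential in URL",
     re.compile(r"(?i)[a-z][a-z0-9+.-]*://[^\s:/@]+:(?P<value>[^\s@/]+)@")),
    ("password assignment",
     re.compile(r"(?i)(password|passwd|pwd)\s*[=:]\s*[\"']?(?P<value>[^\s\"';,]+)")),
]
# Values that reference a vault or environment variable are placeholders, not secrets.
PLACEHOLDER = re.compile(r"^(\$\{|\{\{|<|%)")


def mask(secret: str) -> str:
    """Keep two characters so a finding is recognisable without reproducing the secret."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def scan_file(path: Path) -> list[dict]:
    """Return one finding per line that holds what looks like a live credential."""
    try:
        text = path.read_text(encoding="utf-8", errors="ignore")
    except OSError:
        return []
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, rx in PATTERNS:
            m = rx.search(line)
            if m and not PLACEHOLDER.match(m.group("value")):
                findings.append({"file": str(path), "line": lineno, "type": label,
                                 "value": mask(m.group("value"))})
                break  # one finding per line is enough for triage
    return findings


def scan_share(root: Path) -> list[dict]:
    """Walk the share and scan every small, text-like file."""
    findings = []
    for path in sorted(root.rglob("*")):
        if (path.is_file() and path.suffix.lower() in TEXT_SUFFIXES
                and path.stat().st_size <= MAX_BYTES):
            findings.extend(scan_file(path))
    return findings


def build_sample_share(root: Path) -> None:
    """Create a constructed share: one leaked config, one clean project, one HR note."""
    (root / "dev").mkdir(parents=True)
    (root / "hr").mkdir()
    (root / "dev" / "app.config").write_text(
        '<add name="crm" connectionString="Server=db01;Database=crm;'
        'User Id=app;Password=Sup3rSecret;" />\n')
    (root / "dev" / "settings.env").write_text(
        "DB_PASSWORD=hunter2\nAPI_URL=https://svc:t0ken@api.internal/\n")
    (root / "dev" / "deploy.yml").write_text("db:\n  password: ${DB_PASSWORD}\n")  # placeholder
    (root / "hr" / "notes.txt").write_text("Project kickoff is on Monday.\n")
    (root / "dev" / "tool.exe").write_bytes(b"MZ\x00\x00")  # binary: skipped


def run_demo() -> list[dict]:
    """Build the constructed share in a temp directory and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "share"
        build_sample_share(share)
        return scan_share(share)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['type']:<20} {f['file']}:{f['line']}  {f['value']}")
```

Run against the constructed share it reports three lines (the connection string in app.config and the two entries in settings.env) and stays silent on the vault placeholder in deploy.yml, the HR note and the binary. Against a real share the interesting output is the list of files, which tells you which project directories need their secrets moved into a vault and which shares need their permissions tightened.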
Having visibility of issues and how they can be leveraged and exploited to gain further access to the network allows your organisation to easily assess the risk this may present to your business.
Finally, we also report on any defensive measures and security controls currently in place and, if necessary, include guidance on enhancing them. This could be implementing segmentation, data exfiltration controls and strategies for implementing the principle of least privilege.
Scope
The engagement commences from the perspective that an adversary has already breached your external perimeter. Therefore, initial access is provided to allow us onto the internal network. Where you want us to start from is up to your organisation. However, if your organisation has never had an internal penetration test before, we recommend starting from the most commonly accessed (normally the main office) network and keeping the scope as broad as possible, allowing us to assess all avenues and gain a complete picture of your network.
The scope could include areas such as:
- Active Directory
- Switches/Firewalls/Miscellaneous Network Devices
- User Endpoints such as Laptops, Desktops and Tablets
- Cloud services such as Microsoft Office 365, Azure and AWS etc.
- Servers
Whatever an adversary might be able to access if they landed within your internal environment, we want to keep within the scope of the assessment. This is important as there could be security holes currently present which we may not identify, due to scope exclusions. Additionally, any areas of your network that you identify as "high risk" should also be included. Examples of "high risk" assets could be database servers that store customer information or file servers that store sensitive intellectual property.
The sky is the limit
Whilst this is a great way to assess the entire internal network, the same methodology can also be used to test other scenarios, as well as defensive controls. Other scenarios that are commonly tested include:
- Employees that work from home connect to the internal network via VPN. Access has been restricted to only the assets required for their role. If one of these users were compromised, they should only have access to what has been provisioned. Is this the case? If not, what could they do?
- A third party needs access to our network to perform maintenance and updates to specialist equipment. Measures have been put in place to ensure that they can only access those systems. Is that actually the case if one of these users were compromised?
The points provided above are examples of assumed compromise or objective-driven Penetration Tests. This type of Penetration Testing can provide tremendous value particularly when complemented with traditional attack surface reduction exercises such as standard Penetration Testing and Vulnerability Assessments.
Let Adversify help
We strive to help our customers identify security weaknesses so that they are able to properly evaluate them and make an informed decision about the actual risk to their business.
If you like what you've read so far, then please don't hesitate to get in touch to find out how we might help you assess your internal network for weaknesses. We will take you through a free non-obligation consultation where we will discuss all your cyber security needs and concerns. Taking into account budgetary constraints, we can work together to come up with a plan that suits your organisation.
Remember, an adversary only needs one opportunity.