Slovenia is one of the countries where security testing has already been established in the process of comprehensive cyber security management. This attitude is crucial when taking further steps towards cybersecurity improvements. It would be reasonable to perform a security test after any change that could affect the overall security of information assets.
Nowadays, information systems are adapting to business needs more than ever before. We add new users, change their roles (rights), and connect new devices, including mobile ones. The settings of directories, authentication systems, firewalls, and other devices are subject to constant business-driven changes. Furthermore, there are more and more vulnerabilities that we need to manage. Therefore, there is an increasing need for constant, continuous, and consistent security testing.
Continuous security testing is a great challenge
At least two reasons make continuous security testing pretty much impossible:
- A huge number of trained pentesters or equivalent security experts would be needed to offer continuous security testing to all companies. There is a shortage of these professionals, not only in Slovenia, but also worldwide, and there is no end in sight to this situation in the near future.
- Such security tests would be very expensive.
The consistency of the service has always been a burning issue. For example, when you negotiate with builders to make a deal, you would most likely choose someone with references and experience, and you would probably rather pay a bit more to get higher quality. In consulting, the discrepancy between the quality and consistency of the service provided is even greater. Even if you choose the best contractor, an additional drawback is the scope limitations, which are a compromise pre-agreed with the client and often driven by the price of the service.
To point out one example of such limitations: most clients prefer security testing to be performed between 8 a.m. and 4 p.m. However, hackers don’t really care about your workday. They will probably carry out the attack when you least expect it. Therefore, we recommend that tests be performed at unusual hours.
Another advantage of night testing is that it coincides with automated processes such as backups. During these processes, important passwords are sent over the network and the pentester has the opportunity to capture them, which makes test results even more reliable. Last but not least, we must also take into account the fact that the consistency of the service provided may depend on the ‘daily form’ of the service provider, and recently also on the limitations associated with measures to contain the Covid-19 pandemic.
Nowadays, most companies are already conducting ongoing security testing. They usually use vulnerability scanners that are very user-friendly. Using CVSS, these tools also rank vulnerabilities, so companies tend to eliminate them this way – critical first, then high, and so on, as long as the elimination of the vulnerability is cost-effective.
Tackling vulnerabilities by rank can be misleading
A manual security test sometimes reveals that some critical vulnerabilities cannot be exploited at all. On the other hand, there are quite often some very important vulnerabilities ranked at the info level. It may also happen that two vulnerabilities with a lower rank can be exploited together, but not individually. This phenomenon is called vulnerability chaining. In such cases, the model of eliminating vulnerabilities by rank is not appropriate, since we may leave exploitable vulnerabilities in place while spending effort on vulnerabilities that could not be exploited anyway.
Therefore, it would be better to try another approach: to manage possible exploits instead of vulnerabilities. A tool that enables such tests is quite a novelty in the industry; its advantage is that it detects vulnerabilities as well as tests the actual possibilities of intrusion. And most importantly: it reveals the root vulnerability, the one whose elimination breaks the chain of vulnerabilities. This prevents the possibility of intrusion even though other vulnerabilities in the chain remain. And this is our main goal: to prevent exploits and intrusions.
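To make the difference between rank-based and chain-based remediation concrete, here is an added example (not code from the original article or from any tool it mentions). The findings, severities and chain are constructed: a critical finding on an isolated host leads nowhere, while two low-rank findings are only exploitable together and form the root of the only path to the domain admin goal.

```python
"""Vulnerability chaining vs. rank-first remediation (constructed example)."""

# Constructed findings: id -> (scanner severity, CVSS score). Not real CVEs.
FINDINGS = {
    "V1": ("info", 0.0),       # verbose error page reveals internal host names
    "V2": ("low", 3.1),        # weak default setting on an internal service
    "V3": ("critical", 9.8),   # outdated service, but the host is isolated
    "V4": ("medium", 6.5),     # privilege escalation route A from the foothold
    "V5": ("high", 7.5),       # privilege escalation route B from the foothold
}

# Exploit chain as a graph: (from_state, to_state, vulnerabilities needed together).
CHAIN = [
    ("outside", "foothold", {"V1", "V2"}),   # exploitable only in combination
    ("foothold", "admin", {"V4"}),
    ("foothold", "admin", {"V5"}),
    ("outside", "isolated_host", {"V3"}),    # critical, yet no path onward
]


def reachable(start, goal, patched):
    """True if goal is reachable using only edges whose vulnerabilities are all unpatched."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node == goal:
            return True
        if node in seen:
            continue
        seen.add(node)
        for src, dst, needs in CHAIN:
            if src == node and not (needs & patched):
                stack.append(dst)
    return False


def rank_first_order():
    """Remediation order a CVSS-driven process would follow: highest score first."""
    return sorted(FINDINGS, key=lambda v: -FINDINGS[v][1])


def remediate_in_order(order, goal="admin"):
    """Patch in the given order and stop as soon as the goal is no longer reachable."""
    patched = []
    for v in order:
        if not reachable("outside", goal, set(patched)):
            break
        patched.append(v)
    return patched


def chain_breakers(goal="admin"):
    """Root vulnerabilities: each one alone, when fixed, makes the goal unreachable."""
    return [v for v in FINDINGS if not reachable("outside", goal, {v})]
```

Rank-first remediation spends three fixes (including the unexploitable critical one) before the admin path closes, while fixing either chain breaker alone closes it.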
Use strong passwords
I would also like to point out a vulnerability that exists in most networks, but is not detected by any vulnerability scanner: weak passwords. Passwords compliant with outdated guidelines regarding length, complexity, frequency of changes etc. are often weak because they can be found by dictionary attacks. Therefore, it is very important to check such vulnerabilities with an automated password cracking tool.
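As an added illustration of why policy compliance is not strength (example code, not from the original article or any tool it mentions), the audit below accepts a legacy length-and-complexity policy and then checks whether a password is merely a dictionary word with the usual mangling applied. The wordlist and sample passwords are constructed; a real audit would use a large list of leaked passwords.

```python
"""Policy-compliant but dictionary-based passwords (constructed example)."""
import re

# Constructed, tiny wordlist. Real audits use large leaked-password lists.
WORDLIST = {"password", "summer", "welcome", "company", "winter"}

# Common character substitutions a rule-based dictionary attack would try.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def meets_legacy_policy(pw):
    """Outdated rule: at least 8 characters and 3 of 4 character classes."""
    classes = [re.search(r"[a-z]", pw), re.search(r"[A-Z]", pw),
               re.search(r"\d", pw), re.search(r"[^A-Za-z0-9]", pw)]
    return len(pw) >= 8 and sum(1 for c in classes if c) >= 3


def base_word(pw):
    """Undo typical mangling: trailing year/symbols, leet substitutions, capitalization."""
    w = re.sub(r"[^A-Za-z]+$", "", pw)   # strip appended digits and symbols
    return w.translate(LEET).lower()


def is_dictionary_based(pw, words=WORDLIST):
    """True if the password reduces to a wordlist entry, i.e. a dictionary attack finds it."""
    return base_word(pw) in words


def audit(pw):
    """Report both views side by side for one password."""
    return {"policy_ok": meets_legacy_policy(pw),
            "dictionary_weak": is_dictionary_based(pw)}


def weak_but_compliant(passwords):
    """The dangerous set: passwords the policy accepts but a dictionary attack recovers."""
    return [pw for pw in passwords
            if meets_legacy_policy(pw) and is_dictionary_based(pw)]
```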
Which security testing can be fully automated?
Automation makes sense and is possible for technologies that are used in most companies. These are domain technologies, typically a Windows domain, with protocols such as NetBIOS, SMB, LDAP and the various versions of NTLM. Vulnerabilities found in these technologies are very similar or even identical in all companies, especially if the default settings are used. To show possible consequences of a cyber intrusion, it also makes sense to automate lateral or vertical movement, which shows how an attacker can use one compromised device to compromise other devices connected to the network and reach the most confidential information. This is exactly the point where manual security tests performed by pentesters encounter an important obstacle – the time available to carry out the project. Most pentesters are able to perform lateral movement, but usually they run out of time.
Automated penetration testing by the book
Or as pentesters like to put it: follow a methodology. One of the recognized methodologies is called PTES and follows 7 key steps. It turns out that all these steps can be automated, with the findings of each step feeding into the following ones. For completeness, it is reasonable to include all techniques of the MITRE ATT&CK framework.
Many doubt that such automation is realistic, but malware itself proves it is possible. Forensic analyses of ransomware can be found online, mapping the techniques used to the MITRE ATT&CK framework. If black-hat hackers know how to automate this, why wouldn’t the white-hat ones do it as well?
Technologically, the automation of security tests can be performed in two ways: with or without an agent. The agent-free solution runs a real automated pentest and can test all devices on your network. The solution with an agent performs attack simulations on and between devices with an agent installed. Each solution comes with advantages and disadvantages.
However, the key message is the common feature of both types of tools: they do not report false positives. Why? Because these tools not only detect vulnerabilities, but also safely check for possible exploitation of these vulnerabilities.
1000 pentesters on their job while you’re having your morning coffee
The results of automated security tests have so far always surprised both the customer and us. We were usually just having our morning coffee when the computer with PcySys PenTera installed had already cracked several domain passwords and gained the privileges of a domain administrator. It gained complete control over the Windows domain. And most importantly, once the initial integration is complete, such a security test can easily be performed by anyone in the company. It feels like 1000 pentesters are just a click away … anytime.
What would an optimised security testing be like?
At Carbonsec, we see the future of security testing in the perfect ratio between automation and manual testing. Automation makes sense and is possible when using the right tools. This is the only way we can continuously and consistently perform security tests that give relevant results: which intrusions are actually possible on your network. However, automation does not and cannot work for all technologies. Typically, dedicated applications (web, mobile as well as client) still need to be tested by qualified pentesters. The same applies to demanding analyses of network architectures and other forms of cyber security consulting.
These new tools allow us to intensively focus on testing those segments of the network where our work is irreplaceable.