Critical Control 20: Penetration Tests and Red Team Exercises


The process and tools used to simulate attacks against a network to validate the overall security of an organization.
Note: This control has one or more sub-controls that must be validated manually.

How do attackers exploit the absence of this control?

Attackers penetrate networks and systems through social engineering and by exploiting vulnerable software and hardware. Once they get access, they often burrow deep into target systems and broadly expand the number of machines over which they have control. Most organizations do not exercise their defenses, so they are uncertain about their capabilities and unprepared for identifying and responding to attacks.

Penetration testing involves mimicking the actions of computer attackers to identify vulnerabilities in a target organization, and exploiting them to determine what kind of access an attacker can gain. Penetration tests typically provide a deeper analysis of security flaws than a vulnerability assessment. Vulnerability assessments focus on identifying potential vulnerabilities, while penetration testing goes deeper with controlled attempts at exploiting vulnerabilities, approaching target systems as an attacker would. The result provides deeper insight into the business risks of various vulnerabilities by showing whether and how an attacker can compromise machines, pivot to other systems inside a target organization, and gain access to sensitive information.

Red team exercises go further than penetration testing. The goals of red team exercises are to improve organizational readiness, improve training for defensive practitioners, and inspect current performance levels. Independent red teams can provide valuable and objective insights about the existence of vulnerabilities and the efficacy of defenses and mitigating controls already in place and even of those planned for future implementation.

How to Implement, Automate, and Measure the Effectiveness of this Control

1. Quick wins: Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully. Penetration testing should occur from outside the network perimeter (i.e., the Internet or wireless frequencies around an organization) as well as from within its boundaries (i.e., on the internal network) to simulate both outsider and insider attacks.

2. Quick wins: If any user or system accounts are used to perform penetration testing, carefully control and monitor those accounts to make sure they are only being used for legitimate purposes.

3. Visibility/Attribution: Perform periodic red team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.

4. Visibility/Attribution: Ensure that systemic problems discovered in penetration tests and red team exercises are fully tracked and mitigated.

5. Visibility/Attribution: Measure how well the organization has reduced the significant enablers for attackers by setting up automated processes to find:

- Cleartext e-mails and documents with "password" in the filename or body

- Critical network diagrams stored online and in cleartext

- Critical configuration files stored online and in cleartext

- Vulnerability assessment, penetration test reports, and red team finding documents stored online and in cleartext

- Other sensitive information identified by management personnel as critical to the operation of the enterprise during the scoping of a penetration test or red team exercise.
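One way to automate the checks in the list above, as an added example that is not part of the SANS control text: a small Python scanner that walks a file share and flags documents with "password" in the filename or body, network-diagram and configuration files by name, and penetration-test, vulnerability-assessment or red-team report documents by name. The filename patterns, the directory layout and the sample files are constructed assumptions for this example; a real deployment would tune the rules to the organization's own naming conventions and point scan_tree at the real share.

```python
import os
import re
import tempfile
from pathlib import Path

# Hypothetical filename rules for the categories the control lists; tune to local naming conventions.
FILENAME_RULES = {
    "password-in-filename": re.compile(r"password", re.IGNORECASE),
    "network-diagram": re.compile(r"(network|topology).*\.(vsdx?|drawio|png|pdf)$", re.IGNORECASE),
    "config-file": re.compile(r"\.(conf|cfg|ini|env)$", re.IGNORECASE),
    "assessment-report": re.compile(r"(pentest|penetration|red[ _-]?team|vuln(erability)?[ _-]?assess)", re.IGNORECASE),
}
# Body rule: the word "password" anywhere in readable text.
BODY_RULES = {"password-in-body": re.compile(r"\bpassword\b", re.IGNORECASE)}
MAX_BYTES = 1_000_000  # only inspect the first megabyte of each file


def classify_file(path: Path) -> list:
    """Return the list of rule names that match this file (empty if clean)."""
    hits = [name for name, rx in FILENAME_RULES.items() if rx.search(path.name)]
    try:
        text = path.read_bytes()[:MAX_BYTES].decode("utf-8", errors="ignore")
    except OSError:
        return hits  # unreadable file: report filename hits only
    hits += [name for name, rx in BODY_RULES.items() if rx.search(text)]
    return hits


def scan_tree(root: Path) -> dict:
    """Walk root and map each flagged file (POSIX-style relative path) to its sorted hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = Path(dirpath) / fn
            hits = classify_file(p)
            if hits:
                findings[p.relative_to(root).as_posix()] = sorted(hits)
    return findings


def build_sample_share() -> Path:
    """Create a constructed sample file share in a temp dir (sample data, not real files)."""
    root = Path(tempfile.mkdtemp(prefix="ctrl20_"))
    samples = {
        "shares/hr/onboarding.txt": "Welcome aboard. Your initial password is Welcome1, change it today.\n",
        "shares/it/Passwords.xlsx": "vpn,admin\nwiki,svc-wiki\n",
        "shares/it/core-network-topology.vsdx": "<diagram placeholder>\n",
        "shares/it/router01.conf": "hostname router01\nsnmp-server community public RO\n",
        "shares/audit/Q3-pentest-report.pdf": "Finding 3: default credentials on access switch\n",
        "shares/marketing/brochure.txt": "Our products help you grow.\n",
    }
    for rel, body in samples.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body, encoding="utf-8")
    return root


if __name__ == "__main__":
    for rel, hits in sorted(scan_tree(build_sample_share()).items()):
        print(f"{rel}: {', '.join(hits)}")
```

Running the block against the constructed share flags five of the six files and leaves the marketing brochure alone. The body check is deliberately capped at one megabyte per file and tolerant of undecodable bytes, so the scan can run over large shares without stalling on binaries; the measurement the control asks for is the count of such findings tracked from one scan to the next.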

6. Visibility/Attribution: Include social engineering within a penetration test. The human element is often the weakest link in an organization and one that attackers often target.

7. Visibility/Attribution: Plan clear goals for the penetration test itself with blended attacks in mind, identifying the goal machine or target asset. Many APT-style attacks deploy multiple vectors, often social engineering combined with web or network exploitation. Red team manual or automated testing that captures pivoted and multi-vector attacks offers a more realistic assessment of security posture and risk to critical assets.

8. Configuration/Hygiene: Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.

9. Advanced: Devise a scoring method for determining the results of red team exercises so that results can be compared over time.
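One possible scoring method for sub-control 9, as an added example rather than anything the SANS text prescribes: each scoped red team objective gets a business weight, and the defenders earn full credit when the objective is not reached, no credit when it is reached undetected, and partial credit, with bonuses for detection and containment inside agreed service levels, when it is reached but caught. The weights, the one-hour and four-hour service levels, the objective names and both exercises' results are constructed assumptions for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical service levels used by the scoring: detect within 1 hour, contain within 4 hours.
DETECT_SLA_MIN = 60
CONTAIN_SLA_MIN = 240


@dataclass(frozen=True)
class ObjectiveResult:
    name: str                        # red team objective agreed during scoping
    weight: int                      # business importance (hypothetical weights)
    reached: bool                    # did the red team reach the objective?
    detected: bool                   # did defenders detect the attempt?
    minutes_to_detect: Optional[int]
    minutes_to_contain: Optional[int]


def objective_score(r: ObjectiveResult) -> float:
    """Defensive credit for one objective, 0.0 (worst) to 1.0 (best)."""
    if not r.reached:
        return 1.0                   # attack stopped: full credit
    if not r.detected:
        return 0.0                   # reached and never noticed: no credit
    credit = 0.5                     # reached but detected: half credit ...
    if r.minutes_to_detect is not None and r.minutes_to_detect <= DETECT_SLA_MIN:
        credit += 0.25               # ... plus a bonus for detection inside the SLA
    if r.minutes_to_contain is not None and r.minutes_to_contain <= CONTAIN_SLA_MIN:
        credit += 0.25               # ... and a bonus for containment inside the SLA
    return credit


def exercise_score(results: List[ObjectiveResult]) -> float:
    """Weighted 0-100 score for one exercise."""
    total = sum(r.weight for r in results)
    return round(100.0 * sum(r.weight * objective_score(r) for r in results) / total, 1)


def trend(history: List[Tuple[str, List[ObjectiveResult]]]) -> List[Tuple[str, float, float]]:
    """(label, score, change since the previous exercise) for each exercise in order."""
    out, prev = [], None
    for label, results in history:
        s = exercise_score(results)
        out.append((label, s, 0.0 if prev is None else round(s - prev, 1)))
        prev = s
    return out


# Constructed results for two hypothetical exercises run against the same objectives.
Q1 = [
    ObjectiveResult("phishing foothold", 2, True, True, 30, 120),
    ObjectiveResult("domain admin", 3, True, True, 180, 600),
    ObjectiveResult("exfiltrate crown jewels", 5, True, False, None, None),
]
Q3 = [
    ObjectiveResult("phishing foothold", 2, True, True, 20, 90),
    ObjectiveResult("domain admin", 3, True, True, 45, 200),
    ObjectiveResult("exfiltrate crown jewels", 5, True, True, 90, 300),
]
HISTORY = [("2024-Q1", Q1), ("2024-Q3", Q3)]

if __name__ == "__main__":
    for label, score, delta in trend(HISTORY):
        print(f"{label}: {score:5.1f} ({delta:+.1f})")
```

Keeping the objective list and weights fixed between exercises is what makes the numbers comparable over time; if the scope changes, the scores of the two exercises measure different things and the trend line is no longer meaningful.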

10. Advanced: Create a test bed that mimics a production environment for specific penetration tests and red team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.

Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls

CA-2 (1, 2), CA-7 (1, 2), RA-3, RA-5 (4, 9), SA-12 (7)

Associated NSA Manageable Network Plan Milestones and Network Security Tasks

Milestone 3: Network Architecture

Procedures and Tools to Implement and Automate this Control

Each organization should define a clear scope and rules of engagement for penetration testing and red team analyses. The scope of such projects should include, at a minimum, systems with the organization's highest value information and production processing functionality. Other lower-value systems may also be tested to see if they can be used as pivot points to compromise higher-value targets. The rules of engagement for penetration tests and red team analyses should describe, at a minimum, times of day for testing, duration of tests, and the overall test approach.
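The rules of engagement above, together with sub-control 2 (control and monitor the accounts used for testing), can be checked mechanically. The following Python is an added example, not part of the SANS text: it encodes an engagement's permitted dates, daily testing hours, testing accounts and source addresses, then audits authentication events and reports any use of a testing account outside those limits. The log format, the engagement parameters and the log lines are all constructed for the example; a real deployment would feed it the organization's own authentication logs.

```python
import re
from dataclasses import dataclass
from datetime import datetime, time

# Constructed log format for the example (not any product's real format):
# <ISO timestamp> auth <SUCCESS|FAILURE> user=<name> src=<ip> target=<host>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<outcome>SUCCESS|FAILURE) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) target=(?P<target>\S+)$"
)


@dataclass(frozen=True)
class RulesOfEngagement:
    """Agreed testing parameters (hypothetical values below)."""
    accounts: frozenset       # accounts issued to the testers
    source_hosts: frozenset   # addresses the testers agreed to test from
    start: datetime           # first permitted moment of the engagement
    end: datetime             # last permitted moment of the engagement
    hours: tuple              # (earliest, latest) time of day for testing


def parse_line(line: str):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def check_event(roe: RulesOfEngagement, ev: dict) -> list:
    """Return the rules-of-engagement violations for one event (empty list = within rules)."""
    if ev["user"] not in roe.accounts:
        return []  # not a testing account: out of scope for this check
    reasons = []
    ts = ev["ts"]
    if not (roe.start <= ts <= roe.end):
        reasons.append("outside-engagement-dates")
    elif not (roe.hours[0] <= ts.time() <= roe.hours[1]):
        reasons.append("outside-daily-window")
    if ev["src"] not in roe.source_hosts:
        reasons.append("unknown-source")
    return reasons


def audit_log(roe: RulesOfEngagement, lines) -> list:
    """Return [(line, reasons)] for every testing-account event that breaks the rules."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = check_event(roe, ev)
        if reasons:
            alerts.append((line.strip(), reasons))
    return alerts


# Hypothetical engagement: 4-8 March 2024, 09:00-18:00, two accounts, two source hosts.
ROE = RulesOfEngagement(
    accounts=frozenset({"svc-pentest", "pt-ops"}),
    source_hosts=frozenset({"10.50.0.10", "10.50.0.11"}),
    start=datetime(2024, 3, 4, 0, 0),
    end=datetime(2024, 3, 8, 23, 59),
    hours=(time(9, 0), time(18, 0)),
)

# Constructed sample log lines.
SAMPLE_LOG = [
    "2024-03-05T10:15:00 auth SUCCESS user=svc-pentest src=10.50.0.10 target=web01",
    "2024-03-05T23:40:00 auth SUCCESS user=svc-pentest src=10.50.0.10 target=db01",
    "2024-03-06T11:02:00 auth SUCCESS user=svc-pentest src=192.168.7.33 target=fs01",
    "2024-03-12T09:30:00 auth SUCCESS user=pt-ops src=10.50.0.11 target=web01",
    "2024-03-05T10:20:00 auth SUCCESS user=alice src=10.20.3.4 target=web01",
    "2024-03-05T10:21:00 auth FAILURE user=pt-ops src=10.50.0.11 target=web01",
]

if __name__ == "__main__":
    for line, reasons in audit_log(ROE, SAMPLE_LOG):
        print(f"ALERT {', '.join(reasons)}: {line}")
```

On the sample data, three events are reported: a late-night login, a login from an address outside the agreed source set, and a login after the engagement ended. The check is intentionally restricted to the testing accounts, since its purpose is the one named in sub-control 2: confirming those accounts are used only for the agreed engagement, not general intrusion detection. Any event it reports should be reconciled against the testers' own activity log, and a testing account still in use after the end date is a prompt to disable it.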

Control 20 System Entity Relationship Diagram:

Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.

A control system is a device or set of devices used to manage, command, direct, or regulate the behavior of other devices or systems. In this case, we are examining red team exercises and penetration tests and how those efforts can be valuable to enterprise personnel in identifying which vulnerabilities are present in the organization. The following list of the steps in the above diagram shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.

Step 1: Penetration testers perform penetration tests of production systems

Step 2: Automated pen-testing tools perform penetration tests of production systems

Step 3: Automated pen-testing tools inform penetration tester of vulnerabilities discovered

Step 4: Penetration testers perform more extensive penetration tests of test lab systems

Step 5: Auditors evaluate and inspect the work performed by automated pen-testing tools

Step 6: Auditors evaluate and inspect the work performed by penetration testers

Step 7: Penetration testers generate reports and statistics about the vulnerabilities that have been discovered.


Creative Commons License
This work is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.

To further clarify the Creative Commons license related to the 20 Critical Controls content, (i) All persons are authorized to use the content as a framework in their organization or to sell professional services related to the content (e.g. a consulting engagement to implement the 20 Critical Controls), and (ii) sale of the contents as a framework model is not authorized. Users of the 20 Critical Controls framework are also required to refer to http://www.sans.org/critical-security-controls/ when referring to the 20 Critical Controls in order to ensure that users are employing the most up to date guidance.
