Attackers penetrate networks and systems through social engineering and by exploiting vulnerable software and hardware. Once they get access, they often burrow deep into target systems and broadly expand the number of machines over which they have control. Most organizations do not exercise their defenses, so they are uncertain about their capabilities and unprepared for identifying and responding to attack.
Penetration testing involves mimicking the actions of computer attackers to identify vulnerabilities in a target organization, and exploiting them to determine what kind of access an attacker can gain. Penetration tests typically provide a deeper analysis of security flaws than a vulnerability assessment. Vulnerability assessments focus on identifying potential vulnerabilities, while penetration testing goes deeper with controlled attempts at exploiting vulnerabilities, approaching target systems as an attacker would. The result provides deeper insight into the business risks of various vulnerabilities by showing whether and how an attacker can compromise machines, pivot to other systems inside a target organization, and gain access to sensitive information.
Red team exercises go further than penetration testing. The goals of red team exercises are to improve organizational readiness, improve training for defensive practitioners, and inspect current performance levels. Independent red teams can provide valuable and objective insights about the existence of vulnerabilities and the efficacy of defenses and mitigating controls already in place and even of those planned for future implementation.
1. Quick wins: Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully. Penetration testing should occur from outside the network perimeter (i.e., the Internet or wireless frequencies around an organization) as well as from within its boundaries (i.e., on the internal network) to simulate both outsider and insider attacks.
2. Quick wins: If any user or system accounts are used to perform penetration testing, carefully control and monitor those accounts to make sure they are only being used for legitimate purposes.
3. Visibility/Attribution: Perform periodic red team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
4. Visibility/Attribution: Ensure that systemic problems discovered in penetration tests and red team exercises are fully tracked and mitigated.
5. Visibility/Attribution: Measure how well the organization has reduced the significant enablers for attackers by setting up automated processes to find:
- Cleartext e-mails and documents with "password" in the filename or body
- Critical network diagrams stored online and in cleartext
- Critical configuration files stored online and in cleartext
- Vulnerability assessment, penetration test reports, and red team finding documents stored online and in cleartext
- Other sensitive information identified by management personnel as critical to the operation of the enterprise during the scoping of a penetration test or red team exercise.
6. Visibility/Attribution: Include social engineering within a penetration test. The human element is often the weakest link in an organization and one that attackers often target.
7. Visibility/Attribution: Plan clear goals of the penetration test itself with blended attacks in mind, identifying the goal machine or target asset. Many APT-style attacks deploy multiple vectors--often social engineering combined with web or network exploitation. Red team manual or automated testing that captures pivoted and multi-vector attacks offers a more realistic assessment of security posture and risk to critical assets.
8. Configuration/Hygiene: Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
9. Advanced: Devise a scoring method for determining the results of red team exercises so that results can be compared over time.
10. Advanced: Create a test bed that mimics a production environment for specific penetration tests and red team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
CA-2 (1, 2), CA-7 (1, 2), RA-3, RA-5 (4, 9), SA-12 (7)
Milestone 3: Network Architecture
Each organization should define a clear scope and rules of engagement for penetration testing and red team analyses. The scope of such projects should include, at a minimum, systems with the organization's highest value information and production processing functionality. Other lower-value systems may also be tested to see if they can be used as pivot points to compromise higher-value targets. The rules of engagement for penetration tests and red team analyses should describe, at a minimum, times of day for testing, duration of tests, and the overall test approach.
Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.
A control system is a device or set of devices used to manage, command, direct, or regulate the behavior of other devices or systems. In this case, we are examining red team and penetration exercises and how those efforts can be valuable to enterprise personnel when identifying which vulnerabilities are present in the organization. The following list of the steps in the above diagram shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.
Step 1: Penetration testers perform penetration tests of production systems
Step 2: Automated pen-testing tools perform penetration tests of production systems
Step 3: Automated pen-testing tools inform penetration tester of vulnerabilities discovered
Step 4: Penetration testers perform more extensive penetration tests of test lab systems
Step 5: Auditors evaluate and inspect the work performed by automated pen-testing tools
Step 6: Auditors evaluate and inspect the work performed by penetration testers
Step 7:Penetration testers generate reports and statistics about the vulnerabilities that have been discovered.