It’s more important than ever for cybersecurity professional to understand how attackers can gain access to sensitive company or customer data. While it’s still important to examine vulnerabilities in isolation, the ability to understand attack paths and how attackers can gain access to data.
These realities have led to several advancements in the area of penetration testing—essentially, simulated cyberattacks to check for vulnerabilities that hackers could exploit. In general, pen testing is a good way for organizations to gain an initial view of their security weaknesses, which can help them develop the right security strategy. Pen tests are a good precursor for establishing true vulnerability management programs and robust security strategies. For organizations with more mature security programs, pen testing is useful for continuous improvement and exploring specific areas of their security posture.
In their RSA session on virtual pen testing using risk models, Joel Amick, TIAA’s director of cyber analytics and data science, and Jack Freund, TIAA’s director of cyber risk, explained the concept of virtual pen testing in detail. In a nutshell, they explained how virtual pen testing can enable automated data feeds and model execution from real-time assessment inputs, how a model can simulate loss scenarios associated with attack successes, and how it can be used for offline cyber resiliency testing.
Freund and Amick pointed out two major challenges. The first is that network complexity requires either thoughtful abstraction for simplistic modeling or detailed development to appropriately articulate assumptions and behaviors to add. The second is that multiple and overlapping exfiltration paths and attack scenarios are needed to fully represent the attack surface.
Pen Testing Advances
Trustwave SpiderLabs has added a lot of new features to its pen testing tool that principal consultant Matthew Lorentzen says is 10 times more powerful in creating realistic and unpredictable security testing environments.
Sheepl 2.0 is focused on internal network behavior within a Windows network; the AutoIT language that Sheepl creates is a Windows-specific platform. Sheepl also can interact with Linux or embedded systems over common management protocols like SSH. Key Sheepl 2.0
With Sheepl 2.0, Trustwave SpiderLabs has rewritten the core to make the tool fully modular. This makes adding tasks less complex, and allows security pros to create Sheepl blueprint files. This creates the ability to develop a library of Sheepl that perform specific types of activity. Sheepl provides a robust way of executing attack signatures while complimenting the noise commonly found within a traditional corporate network environment, Lorentzen said.
“Sheepl has always been geared towards a solution for replicating real-world users through the tasks and behaviors that Sheepl executes, which supports the goals of both attack and defense,” he explained. “If we can accurately model malicious user activity, this gives organizations something to detect.”
The main difference between Sheepl and other approaches to pen testing is the structure for the execution and the flexibility of the tasking. “Sheepl has been designed from the beginning to remove the predictability of when task assignments are executed,” Lorentzen said. “Predictable behavior leads to complacency, which ultimately reduces the effectiveness of measuring a response, whether it’s within a lab training environment or from Sheepl deployed onto a live network.”
According to Lorentzen, the most important use cases for Sheepl include executing techniques from the MITRE ATT&CK framework; creating forensic artifacts on an endpoints to allow the reconstruction of events; generating noise through common user activities like browsing or creating documents; and monitoring process and responding to certain events, such as a specific program starting, which could then be stopped.
Aside from adding additional tasks, Lorentzen said he plans to add in even more realistic behavior in future editions of the tool, such as providing typing abilities and introducing errors into that typing. He also plans to add something he calls “traits”, where Sheepl will have traits that are different from others, such as always opening a specific filetype that is deemed trusted or activating macros in a spreadsheet. “Traits will enhance the output by allowing you to specify tasks and then further personalize the Sheepl output through trait assignments relevant to the respective task,” he added.
Tripwire also announced a pen testing solution at RSA, but instead of offering it as a product, it’s service-based. The Penetration Testing Assessment Service provides organizations with cybersecurity experts, who discover and then exploit vulnerabilities to assess the security of an organization’s IT environment. More specifically, it helps ensure that critical assets including network services and configuration, web applications, wireless infrastructure, client-side and internal infrastructure, and social engineering and physical assets, are secure.
Product manager Onyeka Jones explained that the service combines pen testing techniques with vulnerability assessment activities, configuration reviews, and architecture analysis to provide an in-depth view of network and application interrelationships. In some cases, the assessment also includes evaluating policies and hosting interactive discussions with client staff members.
Once assessors fine and review weaknesses, they can analyze the potential impact on the organization and recommend ways to address the weaknesses. “Then we can move on to actually helping them implement critical security controls.” Jones said.
As for the future of penetration testing in general, organizations need to put more focus on the access users have, Lorentzen said. This is especially true as organizations continue to adopt cloud-based resources, and the lines between internal and external perimeters continue to blur.
“Traditional penetration will still have a role in meeting compliance and regulatory needs and it is an excellent way of an organization assessing a baseline,” he added. “Building on this baseline requires a focus on detection and response to fully understand how an attack can be managed to minimize potential damage.”
