
Penetration Testing

Fundamentals
February 1, 2017

Presented by
Mike Weber, VP Coalfire
Housekeeping

• Submit questions during the webinar using the question area in the control panel on the right side of your screen.
• We will answer as many questions as possible during the Q&A portion of the webinar until the top of the hour. We respond to all remaining questions via email after the webinar.
• Attendees will receive a PDF of the slide presentation and a link to the recorded webinar.
Coalfire at a Glance

• Thought-leader and trusted advisor in the fast-growing cybersecurity market
• More than 1,400 customers across a broad set of industry sectors
• More than 500 employees in 12 locations in North America and Europe
• A sophisticated portfolio of cyber risk advisory and assessment services
• Industry-leading ethical hacking and technical testing team
• Cyber solution selection and design services to optimize overall security
environment
• Cloud-based CoalfireOne℠ Enterprise Risk and Compliance Platform,
used by more than 800 clients
• Backed by the Carlyle Group and Chertoff Group
Technical Testing Capabilities

Offensive Capabilities
• Network penetration tests
• Red team operations
• Application/mobile testing
• Physical and social engineering

Defensive Capabilities
• Vulnerability assessments
• Threat hunt operations
• Digital/Data Forensics
• Assessment program accelerators

Thought Leadership: Tools development
• Cortana Pack
• CrackMapExec
• Doozer
• Egress-Assess
• Empire
• Eyewitness
• Hashbot
• KrbCredExport
• Malleable C2 profiles
• Minions
• PowerSploit
• PowerTools
• PowerForensics
• Uproot
• Veil-Evasion
Speaker Introduction

Mike Weber, VP Coalfire


Mike Weber oversees operations, including penetration testing, application
security assessments and compliance validation, digital forensics services,
and incident response services, for Coalfire.
He has more than 18 years of experience in senior security positions in
various technical fields, including enterprise security planning and policy
development, network engineering, vulnerability assessment, risk
assessment, penetration testing, system administration, and programming.
He is an expert in the development and management of information security
programs tailored to highly regulated industries such as government,
healthcare, banking, and utilities.
Agenda

• What Is A Vulnerability Assessment?
• What Is Penetration Testing?
• Types Of Penetration Tests
• Know Your Pen Tester
• Testing “Maturity Model”
Time To Discover A Breach

[Chart] Source: Verizon DBIR 2016, page 10

Learning About A Breach

[Chart] Source: Verizon Data Breach Investigations Report
First Things First…

Engaging in technical testing means:
• Unexpected traffic will be generated!
• There will be impact.
• There may be disruption.

Prerequisites for any engagement
• Define scope
• Vet methodologies with client
• Approve access to systems
• Establish dates and times
• Exchange contact information
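The prerequisites above are contractual, but they only protect the client if the tester's tooling respects them. The following is an added example (mine, not from the webinar or from Coalfire) of a small rules-of-engagement gate in Python that a scan or exploit launcher can call before touching anything: it checks each target against the agreed scope and the client's exclusion list, and refuses to run at all outside the agreed dates and after-hours window. The engagement record, the addresses (RFC 5737 documentation ranges) and the dates are constructed for illustration.

```python
"""Rules-of-engagement gate: refuse to touch anything outside the agreed scope.

Added example; not part of the webinar deck. All values are constructed
(RFC 5737 documentation addresses, made-up dates) to stand in for a signed
scope document.
"""
import ipaddress
from datetime import datetime, time

# Constructed engagement record: approved ranges, the client's exclusion list,
# and the agreed after-hours window (22:00-06:00 local, which crosses midnight).
ENGAGEMENT = {
    "in_scope": ["203.0.113.0/24", "198.51.100.10"],
    "excluded": ["203.0.113.250"],            # known-fragile host the client carved out
    "start": datetime(2017, 2, 6, 22, 0),     # first permitted moment of testing
    "end": datetime(2017, 2, 10, 6, 0),       # last permitted moment of testing
    "daily_window": (time(22, 0), time(6, 0)),
}


def parse_networks(entries):
    """Accept CIDRs and bare addresses; strict=False tolerates host bits set."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def in_window(now, engagement):
    """True only inside the engagement dates AND the daily testing window."""
    if not engagement["start"] <= now <= engagement["end"]:
        return False
    start, end = engagement["daily_window"]
    t = now.time()
    if start <= end:                   # same-day window, e.g. 09:00-17:00
        return start <= t <= end
    return t >= start or t <= end      # overnight window, e.g. 22:00-06:00


def check_target(target, engagement):
    """Return (allowed, reason) for one target. Exclusions win over scope."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        # Hostnames are not matched here: resolve them and re-check the address,
        # otherwise a stale DNS record can walk the test out of scope.
        return False, "not an IP address; resolve and re-check the address"
    if any(addr in net for net in parse_networks(engagement["excluded"])):
        return False, "on the client's exclusion list"
    if not any(addr in net for net in parse_networks(engagement["in_scope"])):
        return False, "outside the approved scope"
    return True, "in scope"


def gate(targets, engagement, now):
    """Split targets into (approved list, {rejected: reason}).

    Outside the agreed window nothing is approved, regardless of scope.
    """
    if not in_window(now, engagement):
        return [], {t: "outside the agreed testing window" for t in targets}
    approved, rejected = [], {}
    for t in targets:
        ok, reason = check_target(t, engagement)
        if ok:
            approved.append(t)
        else:
            rejected[t] = reason
    return approved, rejected


if __name__ == "__main__":
    candidates = ["203.0.113.5", "203.0.113.250", "192.0.2.1",
                  "198.51.100.10", "app.example"]
    ok, bad = gate(candidates, ENGAGEMENT, datetime(2017, 2, 7, 23, 30))
    print("approved:", ok)
    for target, why in bad.items():
        print(f"rejected {target}: {why}")
```

Exclusions are checked before the in-scope list, so a carved-out host inside an approved range is still refused, and hostnames are rejected rather than resolved silently, because a changed DNS record is a common way a test drifts out of scope. The overnight window is the case that usually goes wrong in ad-hoc checks; the gate treats a start time later than the end time as crossing midnight.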
Vulnerability Assessment
What’s A Vulnerability Assessment?

• A vulnerability assessment is not a penetration test.
• It’s a testing process that identifies components with known flaws within an organization’s IT infrastructure and applications.
• The goal of a vulnerability assessment is to prioritize remediation as part of an organization’s vulnerability management program.
Vulnerability Assessment

Scoping
• Technical information
• Number of systems
• Physical locations

Methodology
• Technical tool delivery
• Vulnerability scanner-driven
• Machine-identifiable vulnerabilities
• Standardized vulnerability ranking

Considerations
• Credentialed or uncredentialed?
• Wireless included?
• Working hours or after hours?
• Exclusion lists / known issues?
• Data destruction policies?
[Generalized] Methodology

• Engagement Planning
• Vulnerability Analysis
• Reporting
Vulnerability Assessment

Key takeaways
• Defines scope based on systems to be assessed
• Mostly uses automated scanners
• Discovers known vulnerabilities
• Finds only technical shortcomings
• Provides tactical recommendations in a lengthy report
• Facilitates internal security management processes
Penetration Testing
What Is A Penetration Test?

• A penetration test is a real-world attack performed by security experts on a company’s IT infrastructure to discover exploitable security flaws.
• Ultimately, a penetration test is a security professional emulating a threat, acting on the attack surface with one or more attack vectors that comprise an “attack scenario.”
• The goal of a professional pen test is to discover vulnerabilities so they can be addressed and remediated before the “bad guys” find them and exploit them.
Penetration Test

Scoping
• Scoped based on test objectives and environment to be tested
• Number of systems / physical locations
• Different testing objectives necessitate different levels of effort

Methodology
• Delivery augmented with technical tools, but this is not the primary driver
• Human-driven
• Finds technical and logical vulnerabilities
• Findings ranked based on impact
• Results in a “time-box”

Considerations
• Narrow or broad scope?
• Impact on response teams
• Working hours or after hours?
• Exclusion lists / known issues?
• Data destruction policies?
Penetration Testing
KEY COMPONENTS
• Threat Emulation
• Attack Surface
• Attack Vectors
• Attack Scenarios
• Methodology
Threat Emulation

Defined: What’s dangerous?
• Your adversary
• Anonymous Attackers
• Trusted third-parties (vendors, integrators)
• Malicious / compromised customers
• Malicious insiders
• Non-malicious insiders
Attack Surface

Defined: What can be attacked?
• Network gear
• Wireless
• Security appliances
• Applications
• Operating systems
• Workstations
• “People” / “processes”
• Facilities
• Databases
Attack Vectors

Defined: Ways to attack something
• Operating system vulnerabilities
• Brute force attacks
• Denial of service
• Physical access / forensics
• Phishing
• Application flaws
• Business logic flaws
Attack Scenarios

Defined: Emulation of a threat carrying out a given attack vector on an attack surface.
• External “anonymous” attacker finding web application vulnerabilities
in an organization’s publicly accessible web application.
• Attacker who has a foothold on an internal device and is sniffing
the network to capture password hashes or other sensitive data.
• Compromised third party with access to part of the environment, who
then attacks what can be “seen” through a limited access environment.
• External attacker attempting to gain a foothold on a user-level workstation
or account through phishing campaigns delivering malware.
[Generalized] Methodology
• Engagement Planning
• Reconnaissance / OSINT
• Attack Planning / Threat Modeling
• Vulnerability Analysis
• Exploitation
• Post-Exploitation
• Reporting
Pen Test vs. Vulnerability Assessment
• A vulnerability assessment (scan) is “an inch deep and a mile wide.”
• A penetration test is the opposite: a narrow focus, specific to the client, taking
exploitation to the furthest extent possible.
Methodologies Compared

Penetration Testing
• Engagement Planning
• Reconnaissance / OSINT
• Attack Planning / Threat Modeling
• Vulnerability Analysis
• Exploitation
• Post-Exploitation
• Reporting

Vulnerability Assessment
• Engagement Planning
• Vulnerability Analysis
• Reporting
Types of Penetration Tests

• Network Penetration Test
• Application Penetration Test
• Appliance / Internet of Things (IoT) Penetration Test
• Enterprise Penetration Test
• Red Team
• Reverse Engineering / Zero-day Research*
PENETRATION TEST TYPES

Network Penetration Test

Attacks against operating systems, services,
and infrastructure that support an organization
• Threat emulated
– External: anonymous attackers across
the Internet
– Internal: adversaries that have gained
access to the internal environment
• Attack surface
– Operating systems
– Infrastructure
– Commercial off-the-shelf (COTS) products
Application Penetration Test

Attacks against an application and its supporting infrastructure with the objective of gaining enhanced access or privileges to the application
• Threat emulated: credentialed
and uncredentialed adversaries
• Attack surface: the accessible portions
of an application
Appliance / Embedded / IoT

An attack against a physically or logically deployed product and its supporting infrastructure with the objective of compromising the system or negatively impacting the integrity of the solution for others
• Threat emulated: an attacker that has gained physical
access to a device
• Attack surface: the physical and logical devices,
network connectivity to the device, and backend systems
Enterprise Penetration Test

Attacking all of an organization’s attack surface – including the technology, people and processes that support it – with the objective of gaining as much access as possible in each scenario.
• Threat emulated: unique per each selected scope
• Attack surface: specified by client, thorough
testing, includes all appropriate attack vectors
• Approach: Covert or Cooperative
• Comprehensive service
Red Team Operations

• Emulate the tactics of real-world threat actors
• Training of Blue Team / Incident Response staff
• Actively exercise the full incident response loop
• Gauge minimum time to detect, minimum time to recover
• Post-exploitation offensive data analysis
Reverse Engineering / Zero-day

• Research engagement
• Performed on discrete software components
• Clients are solution vendors

Penetration Testing

Key Takeaways
• Requires one or more objectives for a successful test
• Scope is based on the attack scenarios
• Effort is ‘time-boxed’
• Discovers both technical and logical vulnerabilities
• Reports should be succinct
• Recommendations are strategic
• Enhances internal security operations processes
Know Your Pen Tester
• How large is their staff?
• What is their reputation in the industry?
• What are their qualifications?
• Do they do background checks on new hires?
• Do they participate in and support industry
associations, forums, and events?
• Do they have a quality assurance program?
• Do they use quality commercial products
as well as freeware and shareware?
• Do they make their own tools / known for coding
capabilities?
Testing “Maturity Model”
LOW
Your maturity level:
• No / weak security policies and awareness
• Minimal Vulnerability Management program
Recommendation:
• Vulnerability Assessment
• External Network Penetration Testing

MODERATE
Your maturity level:
• Security checkpoints in dev lifecycle
• Dedicated security products in-house
• Staff with defined security responsibilities
Recommendation:
• Application / Solution Penetration Testing
• External and Internal Penetration Testing
• Enterprise Penetration Testing

HIGH
Your maturity level:
• Functional Security Operations Team
• Well developed security governance
Recommendation:
• Red Teaming
• Hunt Operations
Questions?
Mike Weber
mike.weber@coalfire.com
877.224.8077

www.Coalfire.com
