Over the last few years of conducting penetration test engagements, we’ve seen all kinds of cultures, attitudes, and habits in hundreds of IT departments across various organizations and industries. IT staff treat cyber security differently depending on these factors. Some IT staff don’t feel the pressure as much as others, and some are genuinely involved and want to learn more about what you’re doing so that they can protect their organization. From our experience, and from speaking with other consultants, one thing is for sure: many organizations don’t take full advantage of network penetration tests.
During one of our recent internal penetration tests, we were impressed with how involved the IT department was with the consultant performing the penetration test. In many (not all) cases, consultants may experience the IT department probing for information to work against the consultant, just so that they can eventually end up with a nice, clean deliverable. In this particular case, however, it was a relief that the IT department was willing to provide more valuable information to help maximize the time and value of the engagement. This is something every network team should learn from and embrace.
While some may argue that IT staff should leave consultants (or penetration testers) alone, there are also many benefits to working together.
Monitoring and Alerting Controls
During your penetration test, your IT staff should be requesting activity information from the consultant so that they can review their monitoring and alerting controls. At the end of each day, your IT staff should attempt to correlate any logs and alerts with the activities performed by the consultant during that day and those specific time frames.
If it’s not possible to match the consultant’s activities with your security controls, it should be an important task to fix and validate these issues before the consultant concludes their engagement. If you do not do this, then you are not taking full advantage of your penetration test engagement. If you can’t work with a consultant on fixing any deficiencies in your monitoring and alerting mechanisms, then there’s a high chance that you won’t be able to detect an adversary once the consultant leaves.
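The end-of-day correlation described above, sketched as an added example (not part of the original article or any Vonahi tooling): it matches each consultant activity to alerts from the same source address raised within the activity window plus a grace period, and reports the detection delay. The record fields, addresses, timestamps, and rule names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data: the consultant's activity log for one day and the
# alerts exported from the monitoring platform. Field names are assumptions.
ACTIVITIES = [
    {"start": "2024-03-04T09:15:00", "end": "2024-03-04T09:40:00",
     "src": "10.0.5.23", "action": "password spraying against AD accounts"},
    {"start": "2024-03-04T11:00:00", "end": "2024-03-04T11:20:00",
     "src": "10.0.5.23", "action": "LLMNR/NBNS responder"},
    {"start": "2024-03-04T14:05:00", "end": "2024-03-04T14:10:00",
     "src": "10.0.5.23", "action": "domain admin logon to several hosts"},
]
ALERTS = [
    {"time": "2024-03-04T09:32:10", "src": "10.0.5.23", "rule": "Multiple failed logons"},
    {"time": "2024-03-04T16:45:00", "src": "10.0.5.23", "rule": "Privileged logon burst"},
    {"time": "2024-03-04T11:05:00", "src": "10.0.9.80", "rule": "Rogue name resolution"},
]

def correlate(activities, alerts, grace=timedelta(minutes=30)):
    """Match each tester activity to the earliest alert from the same source
    raised between the activity's start and its end plus a grace period."""
    report = []
    for act in activities:
        start = datetime.fromisoformat(act["start"])
        deadline = datetime.fromisoformat(act["end"]) + grace
        hits = sorted(
            (datetime.fromisoformat(a["time"]), a["rule"]) for a in alerts
            if a["src"] == act["src"]
            and start <= datetime.fromisoformat(a["time"]) <= deadline
        )
        if hits:
            first, rule = hits[0]
            report.append({"action": act["action"], "detected": True, "rule": rule, "delay": first - start})
        else:
            report.append({"action": act["action"], "detected": False, "rule": None, "delay": None})
    return report

def coverage(report):
    """Fraction of tester activities that produced at least one timely alert."""
    return sum(r["detected"] for r in report) / len(report) if report else 0.0

if __name__ == "__main__":
    for row in correlate(ACTIVITIES, ALERTS):
        status = f"alert '{row['rule']}' after {row['delay']}" if row["detected"] else "NO TIMELY ALERT"
        print(f"{row['action']:40} {status}")
```

In the sample data the third activity does raise an alert, but more than two hours later, so it counts as a miss under the 30-minute grace period; widening `grace` shows which gaps are missing rules and which are slow ones.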
Detection and Response Times
In addition to testing and validating monitoring and alerting, the detection and response times of the implemented security technology should also be fine-tuned (if necessary). The longer an attack goes unnoticed, the bigger the potential impact. According to Verizon Wireless’s Data Breach Investigation Report from 2018, 68% of data breaches went undetected for several weeks, months, and even longer in some cases.
While complex monitoring and alerting controls can make it hard to catch key events, there are also a number of high-priority security events that should trigger an immediate response from network administrators. Some of these high-priority security issues include, but are not limited to:
- Password-based attacks against Active Directory domain user accounts.
- Wide usage of higher privileged domain user accounts (e.g., domain admin logging into several systems in a short period of time).
- Rogue device responding to DHCP solicit requests, Link-Local Multicast Name Resolution (LLMNR), and/or NetBIOS Name Service (NBNS) traffic.
- Execution of applications such as Windows Command Prompt and PowerShell.
- Mass usage of local administrator accounts (especially if local administrators share the same password, which is something we recommend not doing).
Another option could be to implement honeypots. During a penetration test, consultants (and even adversaries) typically look for the low-hanging fruit to gain an initial foothold. Setting up a few honeypots can reduce the time it takes to detect an attack: activity detected in a honeypot could be indicative of an active attack within your environment. We have personally seen only a small number of organizations use honeypots, even though they can be a very simple and effective solution for capturing attackers.
At Vonahi Security, our consultants test controls and procedures implemented by the organization to ensure that all controls are working effectively. Doing so allows organizations to maximize the time, value, and effort put into an engagement and helps our customers combat cyber-attacks.
If you have any questions, tips, or comments, tweet us on Twitter at @vonahi_security.