Why penetration testing doesn't stop Advanced Persistent Threats (APT).
Penetration testing is intended to simulate the actions of a real world attacker by identifying security weaknesses that could impact on the confidentiality, integrity and availability of a target organisation’s assets. If executed correctly, penetration testing can be a very effective method of identifying areas within an organisation where security controls need to be enhanced in order to limit the opportunities for a successful attack.
Traditional penetration testing required no specific technical details of the target systems to be provided before a test was sanctioned. Instead, only high level details, such as the name of the target would be issued and the testing team would need to identify the systems owned by the organisation and formulate a plan of attack. This allowed for a very open-ended test to be performed and provided a more realistic view of the attack paths that could be exploited in order to compromise the target organisation’s assets.
Over the years, this approach to testing has been modified into finely scoped engagements that focus on specific sets of systems within isolated environments which are commissioned on a per-project basis. For example, a penetration test against an example organisation’s public facing infrastructure is likely to be limited to a specific set of IP addresses provided by the client and tested within a strict timeframe.
Testing in this manner, whilst it is valuable in enhancing the security of the systems tested in isolation, does not always provide a realistic view of an organisation’s overall security. This is because many organisations believe that once these isolated systems are tested and any uncovered vulnerabilities are addressed, the organisation is secure. However, attackers are fully aware of this penetration testing culture and are exploiting the “gaps” left by this approach.
Attackers are not restricted by a defined scope and will attempt to identify as many security weaknesses as possible that will provide the path of least resistance into the organisation while focusing on specific goals. This will often involve chaining together multiple attack vectors that bypass security controls and provide direct access into an organisation’s internal network.
The actual steps taken to perform these attacks will vary between different groups of attackers dependent upon the target organisation. However, the general approach usually consists of a number of phases, with one vital phase being the exploitation of human trust. Rather than trying to break into systems directly, attackers are targeting the users of those systems and leveraging their access to compromise the organisation in order to achieve their end goal.
In a typical attack, an organisation will first be investigated in order to identify methods to bypass any security defences/controls and gain the initial foothold into the organisation. This will include identifying specific individuals to target and the relevant technologies in use.
The attackers will then compromise at least one system which can then be used as a platform on which to perform further attacks. This access is usually achieved through the use of a client-side attack delivered through spear phishing or watering holes.
Client-side attacks exploit human trust by manipulating unsuspecting users into downloading and executing malicious files sent via email, or directing them to a malicious website (a watering hole) resulting in malware being installed on their machine. This provides unauthorised access to the victim system and a foothold in the network. To find out more information about these methods of attack, please see the following articles authored by MWR consultants:
Once the initial foothold is gained, the attackers will typically attempt to leverage their access by stealing credentials or exploiting vulnerabilities in other systems in order to move off the individual workstation and get persistence on the network through remote access or command and control (C&C) to conduct the rest of the attack.
Once persistence is achieved, they will attack with the goal of disrupting or destroying key information through Computer Network Attacks (CNA) and/or the aim of intelligence gathering from competitors/adversaries through Computer Network Exploitation (CNE).
Most of the time, the approaches used to perform these attacks are neither new nor innovative and consist of common attack techniques that have been known about for over a decade. However, organisations are failing to keep up with implementing strategies to effectively limit their exposure to these attacks. Attackers are constantly evolving their approach and so it is important that defenders evolve with them. Penetration testing is an important part of an organisation’s security strategy, but it must be utilised in a manner which is effective and gives an accurate view of the organisation’s security.
Organisations should be incorporating a cyber-defence security programme into their existing security strategy. This will provide an understanding of the threat actors that are likely to target their organisation, the assets that they are likely to target and how they are likely to target them. This information should then be used to formulate a long term security strategy that takes a holistic view of the organisation, not just of isolated systems. The security strategy should be asset-centric and aim to prevent attacks using the scenarios that have been identified as being the most likely to succeed.
Penetration testing should be integrated into the strategy to simulate those threat actors as closely as possible, so that a realistic view of the organisation’s security can be formed. The results of penetration testing should then be used to demonstrate where security deficiencies exist and that the defences subsequently put in place are effective.