Lead Image Photo by Simeon Jacobson on Unsplash

Lead Image Photo by Simeon Jacobson on Unsplash

Improved defense through pen testing

Black Hat, White Hat

Article from ADMIN 48/2018
Discover indicators of compromise with open source pen testing tools.

Cybersecurity professionals often call the steps taken by pen testers the "hacker lifecycle." In a previous article [1], I outlined the pen test discovery process. In this article, I focus on the typical steps that pen testers undertake to automate and orchestrate attacks (Figure 1). In a future article, I will show how each of these steps can be detected by a good security analyst with the right tools.

Figure 1: Typical steps in the hacker lifecycle.

Although more than a single hacker lifecycle exists, Figure 1 shows many of the steps that most attackers will take when compromising a resource in the cloud – or even in a traditional network. I've seen quite a few useful pen testing/hacker lifecycle models, and although none are perfect, two of the more popular models are the Cyber Kill Chain© (copyright Lockheed Martin) [2] and the MITRE ATT&CKTM model [3].

Rather than say that all models have their strengths and weaknesses, I would argue that a good pen tester will customize and alter basic steps along the way according to the nature of the organization being tested. The main steps will be similar; however, a pen tester would make different decisions attacking a small business web and database server to compromise credit card information than in attacking a publishing company with the goal to obtain valuable intellectual property.

With that in mind, you should focus on choosing some sort of model and then customize it for your own organization. This way, you will emphasize certain areas and steps of the hacker lifecycle that are the most important for your particular situation. Cybersecurity is very context specific; what works in one organization or situation might not stand up well in another.

From Defender's Dilemma to Hacker's Dilemma

Pen testing should be used to improve the "blue team" (see the "Red Team, Blue Team" box). As a pen test is conducted, it leaves behind indicators of attack (IoAs) and indicators of compromise (IoCs). An IoA is basically evidence left behind, even if a particular attack doesn't lead to a break-in or data breach. An IoC is evidence left behind if an attack has successfully tricked or breached a security control. For example, an IoA could be a system scan or an unsuccessful attempt to create or exploit a buffer overflow condition. An IoC would show up when an attacker has been able to exploit a buffer overflow successfully, or otherwise gain unauthorized access to a system.

Red Team, Blue Team

The past few years have seen massively successful attacks on Facebook, EquiFax, and British Airways. Every sector seems to be implicated. With each of the attacks, it was determined that most were one of the following:

  • Focused on compliance, rather than proactive security.
  • Using default installations of their intrusion detection system (IDS) and security information and event management (SIEM) tools.
  • Not using a 24/7 monitoring company.

Interestingly, most of these organizations had good activity between the red team (pen testers) and blue team (security analysts). The problem was that the two teams rarely coordinated with each other. These organizations were focused on compliance rather than really figuring out how to protect the "crown jewels" of their organization and improve their IDSs. Imagine if these organizations had used their red and blue teams appropriately.

Typical reasons for pen testing include compliance and fixing weak areas in your security approach, but unless you coordinate both the pen test and analytics functions carefully, you're likely wasting your time.

More importantly, companies that are the most successful at managing cybersecurity threats are those that focus on the steps hackers have to take to be successful. Too often, IT workers worry about what is often called the defender's dilemma : "If I make one mistake, then the hacker will get through."

This type of thinking is less useful than focusing on what the industry calls the attacker's dilemma . Consider Figure 1, again. It outlines the typical steps an attacker has to take, whether a resource is in the cloud, is a supervisory control and data acquisition (SCADA) system, or is a typical Windows server or notebook computer. In many ways, the hacker has the more difficult job. After all, the attacker has to consider the following problem: "If I make one misstep as I go through this attack chain, I'm going to be discovered."

One mistake during any of the phases (e.g., discovery, persistence, escalation, data egress), and the hacker will get caught. It's the responsibility of the pen tester and the security analyst to work together and improve intrusion detection and SIEM systems so that they more readily find the telltale traces and artifacts and report them accurately.

A number of companies and organizations consider themselves to be too small to have separate, dedicated cybersecurity teams. However, the point isn't really to create teams of individuals; rather, the point is to help a company create the proper functionality to refine and customize existing security controls already in place and justify additional security controls, as necessary. No matter how large or small the IT activity or company might be, the focus should be on how pen testing and security analytics companies can improve security control implementation. For example, how can the pen testing team help improve the IDS and SIEM thresholds?

Conducting an Attack

Now it's time to look at the typical steps that pen testers take to automate and orchestrate attacks. In this article, I use Metasploit. For better or for worse (usually worse), Metasploit has become the poster child for pen testing. Although better tools are out there, including those that talented pen testers create themselves, most pen testers have to get pretty creative, which means that they start coding their own exploits according to their situation. Other times, they're lucky enough to use preexisting tools such as Metasploit, Burp Suite, or Browser Exploitation Framework (BeEF) to manipulate web-based connections.

Table 1 is a quick overview of the steps a pen tester takes when penetrating systems, and I'll take a look at each of the steps in detail.

Table 1

Pen Testing Steps

Activity Description Tool(s) Used Hacker Lifecycle Step
Profile the resource and/or user Use active and passive scanning techniques to identify vulnerable people, processes, and systems WHOIS, Shodan, Maltego, Nmap, Metagoofil Discovery/reconnaissance
Initial attack Use social engineering to deliver attack vector End user/Metasploit Penetration
Defeat authentication Transfer the Windows SAM, or the Linux /etc/shadow file Metasploit Meterpreter Pen/escalation/lateral movement
Create legitimate re-entry point Decrypt the accounts database file/info John the Ripper/online resources Pen/persistence
Edit the registry to ensure easy re-entry Insert a specific registry key to open a port or activate a service such as the Remote Desktop Protocol (RDP) Meterpreter/BeEF Persistence
Alter or steal data Obtain or change sensitive information Native tools on victim system Action on objectives/data egress
Exploit trust relationships Identify preexisting shares and stored credentials Native tools/Meterpreter Lateral movement

Penetration, Insertion, and Persistence

Figure 2 shows the typical Metasploit directories. One of the best things applications like Metasploit brings to the table is the ability to automate processes. For example, if you want to use open source intelligence (OSINT) tools such as WHOIS and Shodan, why not configure Shodan to use these tools automatically?

Figure 2: Metasploit directories.

From there, you can run Metasploit and choose directories on the basis of your needs. If you want to conduct scans from within Metasploit, for example, you can configure Metasploit to work with both Nmap and Shodan (Figure 3). The results of the now-combined functionality of both Shodan and Metasploit are shown in Figure 4.

Figure 3: Using the Shodan API within Metasploit.
Figure 4: Results of Shodan/Metasploit search.

In the scan, you've used Metasploit and Shodan together with the type of automation and efficiency that can help you discover information quickly and exploit it. This approach also allows you to use Metasploit to create more effective reports about your activities. One of the most overlooked activities in pen testing is the reporting stage; by automating and combining the discovery and penetration functions, you can better go back and retrace your activities during the report stage. The result will be a more thorough, accurate report.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus