Sedara's Cybersecurity Podcast

Identifying a Quality Pentest - Sedara Whiteboard Series

Sedara Season 1 Episode 6

In this episode of the Sedara Cybersecurity Whiteboard Series, our Lead Pentester Nick Aures talks about what to look for in a quality pentest. Nick breaks the talk down into 4 key takeaways:

  • A Vulnerability Scan is NOT a Pentest
  • How to identify a qualified vendor
  • What you should expect from the engagement
  • What you should expect from the report

Take a look, and we hope it's helpful.

If you're finding our content useful, sign up for Sedara Declassified to make sure you get it sent right to you every month, and of course, if we can help you with anything directly, feel free to reach out.

Hi, I'm Nick Aures, lead pen tester here at Sedara, and welcome to the Whiteboard Series. Today, I want to talk about what to look for in a quality pen test. So what we see here at Sedara is a number of our clients who have basically talked to us about some of their previous pen test experiences or engagements, and it's been a mixed bag. Sometimes you'll get people who are very happy and are just moving to a new vendor, entertaining new vendors out of what they consider a best practice. Other times, people were more skeptical of the results and come to us with a lot of questions in terms of what they really should be looking for out of a pen test. And that's exactly what we want to discuss here today. So the biggest thing is: a vulnerability scan is not a pen test. It may be part of a pen test, but only a small part of a pen test. In fact, if we look at one of the most industry-recognized pen test certifications, called Offensive Security Certified Professional (OSCP), they have about 900 pages of content that you review for that exam, and 30 of those pages are dedicated to vulnerability scanning. So you can imagine the rest of that content is very human-interactive, human-driven kind of content. You're not just clicking scan and seeing what happens. So if we look at OSCP and the certifications that come after that, they actually get increasingly difficult and more complicated, and less involved in vulnerability scanning and more involved in manual human interaction with different technologies in terms of probing them for vulnerabilities. So that's one big thing right there: vulnerability scans are not a pen test. A couple of other things: even if you want to factor in a vulnerability scan being a big part of your attack surface reduction, we'll call it, there are plenty of things that could go wrong with a vulnerability scan. First, you have to account for all of your assets.
If you don't know where all of your assets are, there are potentially going to be missed vulnerabilities, because there are missed assets in terms of scanning. If you are setting your scans up to be authenticated, which you should, you have to make sure not only that you have credentials supplied to the scanner for all of your Windows devices and everything on Active Directory, but you also have to think about things like any routing and switching gear, which maybe requires different sets of credentials. And a lot of times those are not as easy to scale as Active Directory credentials. So other things that you can think about in terms of what can go wrong with a vulnerability scan are, again, missing credentials, missing assets, and then interpreting the results, which aren't always super obvious. So those are a couple of things that are potential downfalls of a vulnerability scan in itself, on top of it not really being the whole pen test. So when somebody tries to pass that off as a pen test, it's really not doing yourself a favor if you're really trying to lock down your environment. Furthermore, a vulnerability scan will only really identify easy-to-find vulnerabilities, and those are not necessarily low-value vulnerabilities. But there's a good chance that they've already been found or are very simple to exploit. We would call the type of attacker that can exploit these sorts of things a script kiddie; that just basically means they don't really need to know a ton to do the damage that comes from a vulnerability like this. So it's not all bad with vulnerability scanners. There are a lot of things that are good, from the things I just started talking about, like finding some pretty bad, easy-to-find vulnerabilities. It's a good way to just kind of chop that off.
You know, another thing is certain compliances, like PCI compliance, for example, which applies to basically anybody who processes any sort of credit cards; part of their compliance is actually having to get these vulnerability scans done semi-regularly. So it may not even be an option. You may have to have that as part of your security plan. However, again, it is not a pen test. So if you're going to start looking for a quality pen test, how do you start? Where do you start? Well, you want to identify a qualified vendor, which is a company that will offer the pen test, obviously, but has somebody on staff who is certified, most likely in one of the industry-recognized certifications for ethical hacking. The one I spoke about prior, Offensive Security Certified Professional, is certainly a really well-known one. Certified Ethical Hacker (CEH) is another common one, and CompTIA offers the PenTest+ certification. These are all certifications where, if there's a pen tester on the staff of a vendor who has these certs, there's a great chance they know what they need to know to get through a pen test efficiently. There are really no shortcuts to these exams or certifications. They're proctored. They're not open note, for the most part. So if you find somebody with these certs, they know their stuff, usually. Another thing that a well-qualified company will make obvious is during a pre-engagement exercise, which is basically the period of time that you work with a vendor trying to identify what the pen test would encompass. That engagement should be just as much driven by the vendor as it is by the client. So, you know, obviously the vendor wants to sit down, they want to listen to everything the client has to say; that's important. But at the same time, they're the experts in the subject.
So they should have done a good amount of research about your organization prior to that scoping exercise, assuming there's no issue in terms of permissions or things of that nature. What sort of things would the vendor know already? Usually it's things like what domains you own, subdomains that you own, public IP addresses, potentially, sometimes even email addresses and the email systems you're using. A lot of that stuff can be very easy to identify for a well-qualified vendor, and when they meet with you, they should be encouraging you to put it all in scope, meaning that it's all part of the pen test. And the reason why is because the pen test is supposed to be replicating what a real-world attacker would do. And so when we hear vendors, or I'm sorry, when we hear clients say, you know what, we want to take this out of scope, we want to take that out of scope, we understand a lot of times there's a budget reason, or "we already know this is bad, so let's just avoid that." But a real-world attacker isn't going to do that. They're just going to go after anything they can if it fits their need or their goal. So we usually try to work through this detailed scoping process as much as we can, personally, at Sedara, and this way the client knows that we are diligent. You know, we've done our research. We care to find as much as we can, similar to how an attacker would. And then we want to ask questions for growing the scope into areas that we don't have visibility to. So your internal network, your LAN, whatever you want to call it, we don't have access to that prior to a pen test engagement. So while we won't necessarily have your internal IPs and server names and such, we know the right questions to ask. And really any skilled or qualified vendor should; those questions would be, you know, what IP ranges do you have in place? What compliances are based around those IP ranges, if any? Do you want Wi-Fi testing? Do you want social engineering?
How do you want social engineering completed? Should we send mail, or should we just do credential harvesting? You know, just that sort of question and logic should be very obvious during the pre-engagement scoping. So it really, again, kind of just continues to build on what a vendor is trying to prove they know, or at least prove that they're comfortable executing. So at this point, hopefully you've identified that the vendor you're considering getting a pen test with is credible via, you know, asking about certifications, kind of observing how that pre-engagement scoping exercise went, you know, seeing how passionate they really are about what is best for your environment versus just selling a pen test, right. You want them to actually care. It's your security, it's your business. So let's say we've got all that out of the way. You're ready to pull the trigger on a given vendor. What should you expect during the engagement, once the engagement has started? Well, a pen tester tries to stay quiet, usually, again, just like a hacker, a malicious hacker, I should say. You know, their goal is to find everything of value in the network and figure out how that would impact the business. Sometimes that's theft of intellectual property, or sometimes it's simply, you know, let's use a bad attacker for example, to deploy ransomware. In either case, the attacker, good or bad, needs to have the highest level of privilege that they possibly can before they decide to execute the attack. And to do so, they usually have to move around the environment a little bit, ideally without getting caught. Getting caught could make their job much more complex. So if you don't hear from a pen tester through an engagement, that's not necessarily a sign that they're not diligently hard at work. However, there are some very important open lines of communication that should exist during the engagement.
This would be primarily in the event that something negative happens. That could just be a performance issue on a given server that's being tested. This could be just super suspicious activity that there's evidence of. The reason the line of communication would be so important is because the client should feel very comfortable going straight to the pen tester. I guess the real point here is knowing that the pen tester has answers other than yes or no. Basically, when they talk through the process with you of really any given situation that occurs during the engagement, it just sheds light on the fact that they're confident in what they're doing and they know what they're talking about. So you have open lines of communication. You are going through your engagement. If anything bad happens, that's really the main reason why a communication would occur during the engagement. You're starting to wrap up and you're looking forward to that report. What do you want to look for in the report? What should your expectations be? Well, again, not to beat up on the vulnerability scan, but if it looks like that's all you have in your report, that is a red flag. That is certainly potentially an indication that some vendor maybe just put your information into a scanner, hit go, you know, kind of printed up the report, maybe put some branding on it and delivered it that way. So what things besides vulnerabilities listed in your final report would indicate that you've got a good quality pen test? Well, yes, the list of vulnerabilities is good, but how they actually impact your business is usually something the vulnerability scanner cannot do. It will not understand if you are in possession of intellectual property, or, you know, maybe it will recognize credit cards or Social Security numbers. But there's just so much that it doesn't know in terms of how your specific business is impacted by those vulnerabilities.
So what we like to see at the end of a list of vulnerabilities would actually be something like an attack narrative that talks a lot about how those vulnerabilities are leveraged together to create a bigger impact. So, for example, there may be one vulnerability that seems like it's not super serious, and maybe there's another one that's a medium. It's not super severe. It's not on its own going to crumble the organization. But there are plenty of times where, for example, a low and a medium severity vulnerability together can create a critical impact. And again, a vulnerability scanner on its own is not going to do this, not going to know that. And a pen test will be able to elaborate on that a lot more. A pen tester may not know the ins and outs of every last piece of your business, but they have the human element of taking everything that they've seen and painting a picture. And again, that's not something that happens with a vulnerability scanner. So when you're looking at your report, if it's missing any of that kind of custom logic into how it integrates into your business, there's a pretty high chance it was a really basic scan of your environment. And if there's a lot to talk about, there's a good chance that you've got a high-quality pen test. One last thing that I will say we've started to notice in the industry is companies offering an automated test, or some sort of pen test in a box. They don't want to use the words vulnerability scanner, but they're really just, I guess, a fancy vulnerability scanner. It's still missing the human element. At the end of the day, even if there is a little more configuration involved, it's still a product that a malicious party or an ethical party could analyze and figure out what it's not doing or what it is doing and just work around that, because that is what cybersecurity has been historically: a game of cat and mouse. So let's say you've gotten a report from a vendor and you're not really sure what you got.
You don't know if it was a vulnerability scan cloaked as a pen test. You don't know if it was just a great-effort pen test, but there really wasn't a lot to talk about because you're doing well. If you're not sure, there's a good chance the vendor didn't sit down with you and go through that report, which is something we always do. We want to make sure that anybody that looks at the reports we deliver understands them completely, and they're delivered with a phone call that explains everything you're looking at. So if you're looking at a report and you're not sure what you're looking at, we're probably the right people to contact. You can go to sedarasecurity.com and get more information about contacting us. We'd be happy to look at some of these reports and tell you what we think; we'll be honest. We don't want your network security to struggle because of any assumptions that were made on a report. Thank you for watching the Whiteboard Series from Sedara. My name is Nick. You can feel free to reach out to us at sedarasecurity.com for more information. Thank you.