Red Team: Penetration Testing

Generally, organizations do an annual pentest when there is a major change to their environment.

The answer really depends on what’s motivating clients to do them.

Compliance/Regulatory requirements typically require an annual pen test.

PCI at a certain volume of transactions is now requiring bi-annual. Some clients, especially those who develop apps look to align them with product updates/releases, either with new versions or on a monthly or quarterly basis.

Red Team engagements are done by companies because they actually care to test real threat actor operations where activities are not limited to specific scope/networks/types of test, rather they are goal oriented. I.E. can you get to something I’m protecting that’s valuable by whatever means – social engineering, physical, and network intrusions. Red Team engagements done correctly last longer and cost more than a penetration test. They are also not required by compliance standards like pen tests. Therefore Red Team engagements are more likely to be cut if the organization is struggling financially due to covid.

Having certifications is not a bad thing but in the context of Red Team, pen testing, web apps, and hacking in general, they do not provide assurance someone is good at delivering those.

It’s really common for folks in offset to have a pile of certs but aren’t good at hacking whereas the best hackers known rarely (if ever) have certs because their skills alone earn them careers.

The number one factor in having a secure environment is the configuration of the security product and managing change to maintain a secure configuration. Buying a product doesn’t automatically help make the environment secure, its configuration does. In any functional category, a well-configured inferior product would perform better than a poorly configured “top-rated” product.

• They might not have the skill set to do so.
• They want an expert opinion from a team that focuses on offense/defense.
• Internal teams typically do many things without focus on security or pen testing
• They want outsiders’ opinions without the background or influence of group think internal teams may have. Outsiders may approach the engagement from different angles that internal teams never thought of before.
• They want to test true-outsider operations to simulate real motivated attacker that does not have prior knowledge of the environment.
• Some clients only have one of those teams (red or blue) internally so they ask us to participate as the other half to form a purple team.

• Do you have visibility into what data is stored in your cloud and who it’s shared with?
• Are your Identity Management and permission process well documented, tested, and monitored?
  Have you had external party test the security of your cloud environment?
• It’s common for companies to have dozens, if not hundreds, of AWS accounts. What does centralized governance look like? Do you apply security individually to each of those or is it applied centrally?
• We see clients struggle with writing and managing IAM (identity access management) in AWS. It’s tedious, complex, and hard to manage/audit. Have you solved this problem? How do you validate that the least privilege principle is applied to your IAM. It’s an area we excel in. We go after root problems and strategic improvements rather than just tactical changes.
• Are your cloud environments entirely isolated from your other infrastructure (on-prem/data center)? We can assume breach exercises where you put us on an AWS/Azure/Google VM and we try to pivot into the data center or offices.

Speak with confidence, offer sample reports that show real engagement, and references, and that we find things that other teams do not.
Our AWS lead presents at AWS’ massive annual conference re: Invent and is an authority on all things AWS. Get him on the phone with any customer and he will impress them. Offer an hour brainstorming session with him – his skill will sell itself.

For Red Team (not MSSP), we document technical details, provide ways to replicate, and suggest technical solutions to fix the issues discovered. We also provide a summary of the findings for non-technical folks and attestation reports for customer’s clients

We tailor our executive summaries and consider their specific business/industry and try to put risks in context. We try to analyze the entire project and come up with strategic initiatives. Are there common problems that we can tackle? Is there an area they are stronger than others and what is the path to improve that?

We do not believe in flippantly throwing recommendations over the fence and it becomes the client’s problem. We have production operations experience so try to make our recommendations practical and detailed. We work hand in hand with many clients resolving these issues in production so have familiarity with nuances and can help avoid potential issues. Our pen-testers are available to the client during the entire remediation process.

CISO is looking for assurance that the environment in the scope of a pen test cannot be used to break into their environment and subsequently data they are protecting is exposed or their operating environment disabled by ransomware.

Depending on the type of company and structure, they might translate security issues identified in Red Team engagements into operational risks. Identified risks then are analyzed for impact, the likelihood of occurrence, cost to remediate and cost if an event associated with a risk occurs and the decision is made on how to proceed.

This is an opinion and depends on CISO’s motivation. I think a CISO perfect pen test is one that in their eyes was done thoroughly by experienced engineers that could not compromise the network. At the same time pen test can sometimes be used as a way of documenting problems to get the budget to fix them or make strategic changes.
Sample report – CipherTechs Sample Report – External, Internal & Phish Penetration Test.pdf

We see CISOs use us in different ways but my favorite scenario is when they weaponize us. The CSO has an agenda and uses us as a tool to further their agenda (e.g. they want NAC so they have us come to own the internal network to highlight the point). Screenshots of the CEO inbox win the action. It is harder to turn down a project/budget when the pentest report shows dire consequences of the vulnerability.

Our reports provide data to help set their priorities and objectives for the next 1-2 years. Most CISOs are sitting on risk management databases, and large quantities of known vulnerabilities within the company, but the pentest report helps them measure which issues can cause the most damage and should be prioritized.

The perfect pentest is one that demonstrates the practical risks of critical vulnerabilities, earns time/effort for remediation, and leads to those vulnerabilities being closed. When we walk away we have left a mark on the network and the client is measurably more difficult to breach.”

Typically they do not interact. At times client project sponsors want to use external offensive teams to test the ability of the defense to detect and respond. Collaboration may happen post-engagement as a purple team-type exercise, to tighten up defensive capabilities.

“There are some differences in industry verticals. Some of it depends on regulations and some of the core business of the company.
Financial services and Healthcare are heavily regulated and typically have a well-defined program to manage important aspects of cyber security – configuration standards, testing, patching, identity management, etc.

Education clients tend to be much more open, often there are not well-defined programs or controls in place to manage the environment from a security perspective.

Clients with industrial systems – power plants or manufacturing – rely heavily on segmentation to protect network systems that operate the industrial systems. However, the systems within these environments tend not to be updated frequently leaving them vulnerable.”

Since January 2019 we have performed 218 engagements.

• 44% – Web application Assessments
• 25% – External Penetration Tests
• 11% – Internal Penetration Tests
• 4% – Social Engineering
• 16% – Other -Wireless, standalone mobile, physical security etc.

Someone who is interested in testing real-life motivated third parties looking to target an organization scenario. Pen tests test specific scopes (network, office, cloud) they attempt to identify all security issues in that scope. Even if successful they typically stop at the perimeter without moving inside. They do not test users or physical locations, cloud services, or wireless.

Red Team engagement is goal-oriented engagement, that doesn’t test everything, just aims to find “a way in” and then move on. Those could be network-based, social engineering, physical access, etc.

Those goals could be:

• Can you get to source code for the app we sell?
• Can you hack into my financial system to move money
• Can you get to the PII data we store and process for our business
• If a low-privileged user’s computer got hacked, can that be used to gain access to other sensitive systems.

Indicators would be:

• A client has something valuable they care about that their business would suffer greatly if it was taken/revealed/owned etc.
• Maturity – a client has a well-defined and executed cyber security program. Can you take it to next level to see if it actually works well.

The CyberMaxx Offensive Security Team Difference:

• Team of skilled and experienced hackers passionate about offensive security. Strict hiring requirements to maintain this identity.
• We do not depend on vulnerability scanners. We start where vulnerability scanners stop.
• Active exploitation. We compromise networks and applications.
• Tailored reporting and thoughtful context. Specific executive summaries.
• No ” filler” reports. We report true risks and don’t include junk.
• Relationship oriented. When a new high-risk vulnerability comes out, we contact customers from previous engagements to warn them.
• We can talk to your board and to your graybeard. Skilled in addressing technical and executive audiences.

• Does your environment change? do you run tests after major changes?
  Do you feel your pen test firm provides you with good findings that go beyond a scan?
• Do they see what information is available about your org on the web – password dumps, git repositories, “gray web” etc, that can aid the third party in network intrusion.
• Do you rotate your pen test vendors to get a fresh set of eyes? We commonly find things others missed.
• Do you have web applications, do those get tested?
• Is there anything that lacks details in the report?”

Active Directory and host hardening. AWS hardening. Office 365 (now Microsoft 365) hardening. Purple teaming to improve visibility/detections. EDR. WAF.

• Good ones do – Bad ones run vulnerability scanners and show a report.

A small budget may be the only limiting factor. If an organization has sensitive data they want to make sure it’s protected, or make sure it would not be easy for them to be hit with ransomware, they will benefit from a pentest. It would probably be a very short (2-3 days) engagement.