Secure360

Detective control testing during penetration tests

February 20, 2014 by Scott Sutherland

Although the numbers aren't out for 2013, the 2012 trend report published by Mandiant stated that the median time it takes to detect APTs is 416 days. The same report noted that 94% of the time breaches are detected by a third party and not the affected company. In other words, most companies did not know they were breached for over a year, and someone else had to tell them. These numbers are loosely supported by the 2012 Verizon Data Breach Investigations Report and reflect trends we have seen during penetration tests.

These statistics highlight the importance not just of proactive vulnerability identification, but also of effective detective controls and secure infrastructure configurations. Although there is no perfect solution to prevent or detect a breach, a layered assessment approach can help prepare organizations to defend against, detect, and respond to APTs and other threats.

Below is an example of what a 3-phase approach could look like:

Phase 1: Validate Infrastructure Configurations

During this phase of testing the goal is to verify that the environment’s network architecture and configurations are implemented securely.

Verify and Authorize Connected Systems

Validate that systems connected to the network are legitimate company assets or approved third-party systems. This helps reduce the risk from onsite attackers and unintended exposure to malware through partners and vendors. Having a good Network Access Control (NAC) solution in place is often a good start, but there are less expensive alternatives.

Reduce APT Communication Channels

Ensure that the network architecture is configured to prevent attackers from using common communication channels for command and control of malware. This often includes locking down DNS configurations (for example, allowing only the internal resolvers to send DNS queries out of the network), using authenticated outbound proxies, and enforcing restrictive egress filters.

Isolate Sensitive Assets

Ensure that sensitive applications, systems, and data are isolated in separate networks to help make it harder for attackers to find and gain unauthorized access to high value resources.

Phase 2: Proactively Identify Vulnerabilities

During this phase the goals are to validate that preventative controls have been implemented correctly, validate that previously identified vulnerabilities have been fixed, and, of course, identify new vulnerabilities in the environment. This phase naturally overlaps with the detective control testing covered in phase 3.

On the Network

Protect the perimeter, internal, and wireless environments by identifying vulnerabilities before attackers do, via vulnerability assessments and penetration testing. This should include unauthenticated testing of the servers, networks, and applications in the environment. Make sure issues are actually tracked and remediated: it usually helps to assign an owner to each vulnerability and set clear expectations for when it should be fixed.

On the Endpoints

Reduce attackers' ability to gain access to and escalate privileges on endpoints such as servers and workstations through host-based penetration tests. At a minimum this should include authenticated penetration testing and a configuration review against industry standards (such as the CIS benchmarks).

In Critical Applications

Stop internet-facing web applications from becoming entry points into the environment. Ensure that authenticated application penetration testing is done to identify vulnerabilities that could leave the entire organization at risk. Any internet-facing application that is connected to the corporate network should be considered a high priority: during penetration tests we often gain access to low-priority internet-facing applications, like blogs, that allow us to pivot onto the corporate LAN.

Administrative Controls

Educate users and IT employees through tests focused on the administrative controls intended to prevent email phishing, phone-based phishing, and onsite compromises. Provide practical examples, relate topics on a personal level, and include incentives to help motivate company-wide participation.

Phase 3: Evaluate Existing Detective Controls

The goal of this phase is to determine where the environment's detective control capabilities start and stop. It can also be leveraged to validate that incident response plans work as expected. The general approach should involve emulating attacker and malware behavior to test controls at different levels.

On the Network

Validate that detective controls on the network, such as WAFs, IDS, and IPS, are configured to effectively identify common network discovery and attack signatures. At a minimum, this should include scanning activity, brute force attempts, execution of exploits, transfer of sensitive data, and communication with known command and control systems.
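As an added example (not code from the original post), the Python below shows the minimum detection logic such network controls are expected to have for three of the behaviors listed above: port scanning, password brute forcing, and contact with a known command and control address. It runs over constructed sample log lines; the key=value log format, the thresholds, the time windows, and the blocklist address 203.0.113.10 are all assumptions made for this example.

```python
"""
Three small detections over constructed sample logs: port scanning,
password brute forcing, and contact with a known C2 address.
The log format, thresholds and blocklist below are assumptions for this
example and do not come from any real device or feed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed key=value style firewall log lines (not from any real device).
FIREWALL_LOG = (
    # 25 distinct ports on one host from 10.0.0.5 within 25 seconds: a scan
    [f"2014-02-20T10:00:{i:02d} src=10.0.0.5 dst=10.0.1.20 dport={20 + i} action=deny"
     for i in range(25)]
    # ordinary traffic from another workstation
    + ["2014-02-20T10:00:05 src=10.0.0.7 dst=10.0.1.20 dport=443 action=allow",
       "2014-02-20T10:00:09 src=10.0.0.7 dst=10.0.1.21 dport=445 action=allow"]
    # one outbound connection to an address on the (constructed) C2 blocklist
    + ["2014-02-20T10:02:30 src=10.0.0.9 dst=203.0.113.10 dport=443 action=allow"]
)

# Constructed authentication log lines: 12 failures for one user in 44 seconds.
AUTH_LOG = (
    [f"2014-02-20T10:05:{4 * i:02d} user=jsmith src=10.0.0.5 result=fail" for i in range(12)]
    + ["2014-02-20T10:06:00 user=mdoe src=10.0.0.7 result=success",
       "2014-02-20T10:06:30 user=mdoe src=10.0.0.7 result=fail"]
)

# Hypothetical threat-intel blocklist; 203.0.113.0/24 is a documentation range.
KNOWN_C2 = {"203.0.113.10"}


def parse(line):
    """Turn '<iso timestamp> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.fromisoformat(ts)
    return event


def _in_window(events, start, window):
    """Events at or after `start` that fall inside `window` (list is time-sorted)."""
    return [e for e in events if start["ts"] <= e["ts"] <= start["ts"] + window]


def detect_port_scans(events, min_ports=20, window=timedelta(seconds=60)):
    """Return {src: distinct_port_count} for sources that touch >= min_ports
    distinct destination ports inside any `window`-long interval."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for start in evs:
            ports = {e["dport"] for e in _in_window(evs, start, window)}
            if len(ports) >= min_ports:
                hits[src] = len(ports)
                break
    return hits


def detect_brute_force(events, max_failures=10, window=timedelta(minutes=5)):
    """Return {user: failure_count} for accounts with >= max_failures failed
    logins inside any `window`-long interval."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("result") == "fail":
            by_user[e["user"]].append(e)
    hits = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for start in evs:
            n = len(_in_window(evs, start, window))
            if n >= max_failures:
                hits[user] = n
                break
    return hits


def detect_c2_contacts(events, blocklist=KNOWN_C2):
    """Return sorted (src, dst) pairs for connections to blocklisted addresses."""
    return sorted({(e["src"], e["dst"]) for e in events if e["dst"] in blocklist})


FW_EVENTS = [parse(line) for line in FIREWALL_LOG]
AUTH_EVENTS = [parse(line) for line in AUTH_LOG]

if __name__ == "__main__":
    print("port scans:", detect_port_scans(FW_EVENTS))
    print("brute force:", detect_brute_force(AUTH_EVENTS))
    print("C2 contacts:", detect_c2_contacts(FW_EVENTS))
```

When testing a real IDS or SIEM, the useful exercise is to run the emulated behavior (a port sweep, a password spray, a connection to a sinkholed address) and then confirm that a rule of this shape actually fired and reached someone; the thresholds above are deliberately simple so that the gap between "logged" and "alerted" is easy to see.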

On the Endpoints

Ensure that endpoint protection and DLP solutions make it difficult to compromise a host, escalate privileges, and steal sensitive data. Also verify that endpoint protection is capable of identifying and blocking common malware and the anti-virus bypass techniques attackers use to evade it.

In Critical Applications

Test application and database controls to ensure that attacks like SQL injection can be identified during the attack and not just after. Also attempt to create triggers that generate alerts when a database or service account takes uncommon or unauthorized actions on the database, system, or network.
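As an added example (not code from the original post), the Python below reviews constructed database audit records in two ways that match the paragraph above: it flags statements that match common in-flight SQL injection signatures, and it flags a service account doing something outside a baseline of the (verb, table) pairs it normally issues. The audit record format, the account names webapp_svc and dba_jsmith, the baseline, and the signature patterns are all assumptions made for this example.

```python
"""
Baseline check over constructed database audit records: alert on SQL
injection signatures and on a service account stepping outside its
expected verb/table profile. Account names, baseline and patterns are
assumptions for this example, not taken from any real system.
"""
import re

# Constructed (login, statement) audit records; not from any real database.
DB_AUDIT = [
    ("webapp_svc", "SELECT id, name FROM products WHERE id = 42"),
    ("webapp_svc", "INSERT INTO orders (product_id, qty) VALUES (42, 1)"),
    ("webapp_svc", "SELECT id, name FROM products WHERE id = 42 OR 1=1"),
    ("webapp_svc", "SELECT id, name FROM products WHERE id = 42 "
                   "UNION SELECT username, password FROM users"),
    ("webapp_svc", "EXEC xp_cmdshell 'whoami'"),
    ("dba_jsmith", "CREATE TABLE audit_tmp (id int)"),
]

# Hypothetical per-service-account baseline of (verb, table) pairs learned
# from normal application traffic. Accounts not listed are not profiled here.
BASELINE = {
    "webapp_svc": {("SELECT", "products"), ("SELECT", "orders"), ("INSERT", "orders")},
}

# Signatures of injection attempts worth alerting on while they happen.
INJECTION_PATTERNS = {
    "tautology": re.compile(r"\bOR\s+\d+\s*=\s*\d+\b", re.I),
    "union_select": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "xp_cmdshell": re.compile(r"\bxp_cmdshell\b", re.I),
    "stacked_query": re.compile(r";\s*(?:DROP|EXEC|ALTER|SHUTDOWN)\b", re.I),
}

# Crude extraction of table names following the usual keywords.
TABLE_RE = re.compile(r"\b(?:FROM|INTO|JOIN|UPDATE|TABLE)\s+([A-Za-z_]\w*)", re.I)


def tables_referenced(stmt):
    """Lower-cased set of table names a statement refers to."""
    return {t.lower() for t in TABLE_RE.findall(stmt)}


def reasons_for(login, stmt):
    """Return a list of alert reasons for one audit record (empty = no alert)."""
    reasons = [f"injection pattern: {name}"
               for name, rx in INJECTION_PATTERNS.items() if rx.search(stmt)]
    profile = BASELINE.get(login)
    if profile is None:
        return reasons  # unprofiled account: signature checks only
    verb = stmt.split(None, 1)[0].upper()
    allowed_verbs = {v for v, _ in profile}
    if verb not in allowed_verbs:
        reasons.append(f"verb {verb} not in baseline for {login}")
    for table in tables_referenced(stmt):
        if (verb, table) not in profile:
            reasons.append(f"{verb} on table {table} not in baseline for {login}")
    return reasons


def audit_findings(records):
    """Return [(login, statement, reasons)] for every record that should alert."""
    findings = []
    for login, stmt in records:
        reasons = reasons_for(login, stmt)
        if reasons:
            findings.append((login, stmt, reasons))
    return findings


if __name__ == "__main__":
    for login, stmt, reasons in audit_findings(DB_AUDIT):
        print(f"{login}: {stmt}\n    " + "\n    ".join(reasons))
```

The baseline check is the part that catches what signatures miss: a service account that suddenly reads the users table, or issues EXEC at all, is suspicious regardless of how the statement was built. In a real deployment the profile would be learned from audit logs over a quiet period and the findings routed into the same alert pipeline as the network detections.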

Administrative Controls

Verify that logging, alerting, canaries, and SIEM configurations ensure that unexpected high-risk events and anomalies are identified so that the proper incident response plan can be executed before the compromise gets out of control. Also leverage your employees: make sure they know how to alert the right people when they identify suspicious system behavior, emails, phone calls, or onsite presence.

Being proactive about network and application penetration testing is a great first step. However, it should be executed within a larger strategy that includes detective control testing to get the most out of it. You may not be able to keep all of the bad guys out, but at least you can create an approach that will allow you to identify a breach so you can take the appropriate actions. Good luck and hack responsibly!

Filed Under: Guest Posts

About Scott Sutherland

Scott Sutherland is a security consultant responsible for the development and execution of penetration test services at NetSPI. His role includes researching and developing tools, techniques and methodologies used during network and application penetration tests. As an active participant in the information security community, Sutherland performs security research in his free time and contributes technical security blog posts, presentations and tools on a regular basis through NetSPI. You can find him blogging on the NetSPI website and on Twitter.


