Although the numbers aren’t out for 2013, the 2012 trend report published by Mandiant stated that the median time it takes to detect APTs is 416 days. The same report noted that 94% of the time breaches are detected by a third-party and not the affected company. This means most companies did not know they were breached for over a year and someone else had to tell them. These numbers are also loosely supported by the 2012 Version Breach Report and reflect trends that we have seen during penetration tests.
These statistics highlight the importance of not just proactive vulnerability identification, but also effective detective controls, and secure infrastructure configurations. Although there is no perfect solution to prevent or detect a breach, using a layered assessment approach can help prepare organizations to defend, detect and respond to APT and other threats.
Below is an example of what a 3-phase approach could look like:
Phase 1: Validate Infrastructure Configurations
During this phase of testing the goal is to verify that the environment’s network architecture and configurations are implemented securely.
Verify and Authorize Connected Systems
Validate that systems connected to the network are legitimate company assets or approved 3rd party systems. This should help reduce the risk of onsite attackers and unintended exposure to malware through partners and vendors. Having a good Network Access Control (NAC) solution in place is often a good start. However, there are less expensive alternatives.
Reduce APT Communication Channels
Ensure that the network architecture is configured in such a way that it helps prevent attackers from using common communication channels for command and control of malware. This often includes locking down DNS configurations, using authenticated outbound proxies, and enforcing restrictive egress filters.
Isolate Sensitive Assets
Ensure that sensitive applications, systems, and data are isolated in separate networks to help make it harder for attackers to find and gain unauthorized access to high value resources.
Phase 2: Proactively Identify Vulnerabilities
During this phase the goals are to validate that preventative controls have been implemented correctly, validate previously identified vulnerabilities have been fixed, and of course identify new vulnerabilities in the environment. This phase naturally overlaps with detective control testing which will be covered in phase 3.
On the Network
Protect the perimeter, internal, and wireless environments by identifying vulnerabilities before attackers do via vulnerability assessments and penetration testing. This should include anonymous testing of the servers, networks, and applications in the environment. However, make sure issues are actually tracked and remediated. It usually helps to assign an owner to each vulnerability and set clear expectations around when it should be fixed.
On the Endpoints
Reduce attacker’s ability to gain access to and escalate privileges on endpoints such as servers and workstations through host based penetration tests. At a minimum this should include authenticated penetration testing and a configuration review based on industry standards.
In Critical Applications
Stop internet facing web applications from becoming entry points into the environment. Ensure that authenticated application penetration testing is done to identify vulnerabilities that could leave the entire organization at risk. Any internet facing application that is connected to the corporate network should be considered a high priority. During penetration tests we often gain access to low priority internet facing applications like blogs that allow us to pivot onto the corporate LAN.
Educate users and IT employees through tests focused on administrative controls that are intended to prevent email phishing, phone based phishing, and onsite compromises. Make sure to provide practical examples, relate topics on a personal level, and include incentives to help motivate company-wide participation.
Phase 3: Evaluate Existing Detective Controls
The goal of this phase is to determine where the detective control capabilities of an environment start and stop. It can also be leveraged to validate that incident response plans work as expected. The general approach should involve emulating attacker and malware behavior to test controls at different levels.
On the Network
Validate that detective controls on the network such as WAFs, IDS, and IPS are configured to effectively identify common network discovery and attack signatures. At a minimum, this should include the scanning activities, brute force attempts, execution of exploits, transfer of sensitive data, and communication to known command and control systems.
On the Endpoints
Ensure that endpoint protection and DLP solutions make it difficult to compromise a host, escalate privileges, and steal sensitive data. Also verify that endpoint protection is capable of identifying and blocking common malware and anti-virus bypass techniques.
In Critical Applications
Test application and database controls to ensure attacks like SQL injection can be identified during the attack and not just after. Also attempt to create triggers that will generate alerts if a database and service account is taking uncommon or unauthorized actions on the database, system, or network.
Verify that logging, alerting, canaries, and SIEM configurations ensure that unexpected high risk events and anomalies are identified so that the proper incident response plan can be executed before the compromise gets out of control. Also leverage your employees to send alerts to the right people if they identify suspicious system behavior, email, phone calls, or onsite presences.
Being proactive about network and application penetration testing is a great first step. However, they should be executed within a larger strategy that includes detective control testing to get the most out of it. You may not be able to keep all of the bad guys out, but a least you can create an approach that will allow you to identify a breach so you can take the appropriate actions. Good luck and hack responsibly!