Test me completely: who needs an internal pentest and why



Most dangerous is the enemy whom you do not suspect.

(Fernando Rojas)

The IT infrastructure of a modern company can be compared to a medieval castle. High walls, a deep moat and guards at the gates protect it from the external enemy, while practically no one watches what happens inside the fortress walls. Many companies are the same: they make tremendous efforts to protect the outer perimeter, while the internal infrastructure remains neglected. For most customers, internal penetration testing is still an exotic and not very clear process. So we decided to tell you everything (well, almost everything) about it that you wanted to know but were afraid to ask.



The external enemy (a scary hacker in a black hoodie) looks intimidating, but a huge share of corporate information leaks are the fault of insiders. According to statistics from our Solar JSOC monitoring center, internal incidents account for approximately 43% of the total number of threats. Some organizations rely on protections, often misconfigured, that can be easily bypassed or disabled. Others do not view the insider as a threat at all and turn a blind eye to the flaws in protecting the internal infrastructure.



The problems we identify when analyzing internal infrastructure recur from company to company:



  • weak and unchanging passwords for service and privileged accounts;
  • identical passwords for an administrator's regular and privileged accounts;


: Windows- Active Directory.





Globally, penetration testing reveals how much harm a potential attacker can do to the IT infrastructure of a particular company. To do this, the cybersecurity specialists conducting the penetration test simulate the actions of a hacker using real techniques and tools, but without harming the customer. The audit results help improve the organization's security while reducing business risks. Such testing has two directions: external and internal. In the first case, the "white hat" must find vulnerabilities through which the internal network can be penetrated (that is, break through that very fortress wall).



Internal penetration testing checks how vulnerable the infrastructure is to an insider or to an intruder who has gained access to the organization's local network. Would they be able, if they wished, to take control of the LAN, move freely around it and affect the operation of individual servers? Such work is carried out on the internal network, most often from the position of an employee with minimal privileges. At the same time, it is possible (and necessary) to consider even those employees who have only physical access to computers (for example, cleaners, electricians, security guards, couriers, etc.).



A penetration test is not meant to reveal every vulnerability on every host of the internal network (that can be done with a vulnerability scanner or by properly configuring vulnerability management policies). It has a completely different task: to find one or two routes that an attacker could follow to successfully attack the victim. The work focuses on security settings and Windows features. In short, it will not, for example, scan open ports or search for hosts with missing updates.



How does this happen



Internal infrastructure security testing takes place in several stages:







Here is an example of how one such internal penetration test actually unfolded in one of our projects:



  • First, we identified the file shares that hosted the web applications;
  • SA (Super Admin) MS SQL;
  • MS SQL sqldumper.exe xp_cmdshell LSASS, :






Since internal penetration testing considers only the internal (obviously) infrastructure of an organization, it does not matter how the attacker obtained initial access to the network; what matters is how they used that access. Therefore, the final report, drawn up from the results of the pentest, describes not a list of vulnerabilities found, but the story of how the specialist moved through the network, what obstacles and difficulties they faced, how they bypassed them and how they completed the task. A specialist may detect several flaws, but to achieve the goal the most convenient or interesting one will be chosen. At the same time, all vulnerabilities noticed "along the way" are also included in the report. As a result, the customer receives recommendations for correcting the shortcomings and improving the security of the internal infrastructure.



In fact, the internal penetration test continues the external one, answering the question: "What happens after a cybercriminal enters the network?" In comparison, the following methodology is usually used in the external perimeter penetration testing process:







Who enters the infrastructure



Since how the attacker got into the network is not important, at the initial planning stage of an internal penetration test either an insider model or an external attacker model can be considered.



  1. Insider model. An insider is a motivated internal attacker who has legitimate access to the organization's infrastructure, limited only by their job responsibilities. For example, a real employee who has decided to harm their company. Employees of support services (security guards, cleaners, electricians, etc.) can also act as insiders: they have legitimate access to the office but no access rights to the infrastructure.
  2. External intruder model. This model does not focus on how access to the organization's internal network was gained (a perimeter software vulnerability, a credential leak, social engineering, or something else). The starting point is the fact that the "outsider" is already inside.


Once the threat model is drawn up, the way the tester gains access to the infrastructure is simulated:



  • (Wi-Fi);
  • (Command & Control).


At the same time, pentesting is not aimless wandering around someone else's infrastructure. The "white hat" always has a goal set by the customer. The most common scenario for internal penetration testing is to gain domain administrator privileges. In reality, however, attackers rarely seek such privileges, since this can draw unnecessary attention to them. Therefore, in most cases domain administrator privileges are not the goal but the means of achieving it. The goal itself could be, for example, taking over the corporate network, gaining access to a workstation or server, or to an application and its database.



Who needs it all



Is it even worthwhile for a customer to let penetration testers into their corporate network? Definitely. This is where the company's most critical data and main secrets are located. To protect a LAN, you need to know all its nooks and crannies and its shortcomings, and internal penetration testing can help with this. It lets you see weaknesses in the infrastructure, verify the configured security controls and improve them. In addition, internal penetration testing is a more affordable alternative to a Red Team engagement. And if the task is to demonstrate to management that the allocated funds are not enough to secure the internal infrastructure, an internal penetration test lets you back that thesis with facts.



Author: Dmitry Neverov, security analysis expert, Rostelecom-Solar


