Leveraging Penetration Tests to Test Detection Capabilities
Red Team and Purple Team engagements are designed specifically to test your detection and response, but penetration tests can also be used to find gaps in detection capability.
By: Nate Drier
As a lead for the Secureworks® Adversarial Security Testing team, much of my time is spent talking with customers about our capabilities and services. Our services range from straightforward network testing to complex, sophisticated threat-actor simulation, and everything in between. We've got a large, diverse team with deep technical skillsets so we can deliver virtually any adversarial scenario our customers can dream up. In the past, this has included testing guidance systems, hacking electric city public transit from the internet, and developing zero-day exploits against third-party appliances to sneak past some of the best defenses in the world.
In general, our testing portfolio breaks down into two main categories:
- Test the systems
- Test the response
Testing systems is straightforward; we perform a test against infrastructure to identify vulnerabilities. This process includes our testing offerings like API testing, web app testing, wireless testing, penetration (external, internal) testing, etc. Even phishing, social engineering, and physical security testing can fit into this category, although we end up testing people along with systems.
Testing responses is where our longer-term Red Team engagements come into play. Stealthy Red Team engagements and collaborative Purple Team projects are designed to test a client's ability to detect and respond. Sure, we might use some of the same tactics designed to test systems (such as living off the land and emulating normal user behavior), but the end goal isn't to identify vulnerabilities across the network – it's to exercise the defenders. If our simulated tests give clients practice detecting and defending with their own tools, on their own networks, against the real-world adversaries they are going to face, it's a big advantage for that client. They get applicable experience with defense and detection, and more importantly, they identify gaps. The only thing worse than a breach you have detected is one you haven't detected. According to our 2018 Incident Response Insights Report, following nearly 1,000 engagements, our responders found that advanced attackers went undetected for an average of 380 days, demonstrating that gaps in detection can have huge implications.
However, you can get the benefit of highlighting gaps in detection before you invest in Red Team testing. In many cases, a properly executed, goal-based penetration test can highlight some of the same gaps a more expensive, long-term Red Team engagement would. A few key things to remember:
- A penetration test isn't designed to be stealthy or sneaky. It should set off a bunch of alerts, either on your perimeter or your internal network. To make the best use of your time and resources, pen tests are usually run 'at speed,' and we don't try to be stealthy. Our goal is to identify issues and show ways to compromise target systems, not evade your security monitoring. However, you can use your detection capabilities to try and track the actions of your tester (without interfering with their progress).
- Your penetration test report should contain enough information to correlate activities with your detection systems. Every attack might not be time-stamped, but you should have a general idea of what techniques were used to gain entry, what systems were compromised, and what accounts were used. Note: Not all security companies perform goal-based penetration testing. If your current penetration test does not have a detailed narrative and looks more like scanner results, you might not be getting a quality, goal-based test.
- A penetration test isn't a replacement for a Red Team and vice versa. They play different roles in an overall security testing program. This overview serves to highlight a small area of overlap between the two services that clients don't always consider.
The questions I ask many of our clients after a penetration test include:
- Could you have written the report narrative before we did?
- Did you know when we achieved compromise of certain systems, dumped hashes from a domain controller, ran PowerShell post-exploitation tools on some systems, or detailed the accounts we used to access target systems?
- Can you tie those activities to a specific day of testing? A specific hour?
- What things in the report surprised you, because you weren't alerted to them happening in real-time?
If the answers are primarily “no,” it might be a good exercise to go through during your next penetration test.
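The correlation exercise described above (tying the report's techniques, hosts, accounts and times to what your detection systems actually raised) is easy to do by hand for a handful of events but tedious for a full engagement. The following script is an added illustration, not code from Secureworks or from the original post: it takes a constructed report timeline and a constructed SIEM alert export, matches each tester activity to alerts on the same host that fire an expected rule within a time window, and reports which activities were missed, how long detection lagged, and which alerts the tester's activity does not explain. The technique labels, hostnames, accounts, rule names and the technique-to-rule mapping are all assumptions made up for the example; a real exercise would map report narrative to your own rule catalogue and must make sure the report and the SIEM agree on time zone.

```python
from datetime import datetime, timedelta

# Constructed activities, as they might be listed in a pen-test report narrative.
# Times are assumed to be UTC; report and SIEM export must use the same zone.
TESTER_ACTIVITIES = [
    {"time": "2023-04-12T09:15:00", "technique": "credential_dump",
     "host": "DC01", "account": "svc_backup"},
    {"time": "2023-04-12T10:40:00", "technique": "powershell_postexploit",
     "host": "WS-117", "account": "jdoe"},
    {"time": "2023-04-12T13:05:00", "technique": "lateral_movement",
     "host": "FS02", "account": "svc_backup"},
]

# Constructed SIEM alert export covering the same test window.
SIEM_ALERTS = [
    {"time": "2023-04-12T09:17:42", "rule": "LSASS memory access",
     "host": "DC01", "user": "svc_backup"},
    {"time": "2023-04-12T10:55:10", "rule": "Encoded PowerShell command",
     "host": "WS-117", "user": "jdoe"},
    {"time": "2023-04-12T16:30:00", "rule": "Encoded PowerShell command",
     "host": "WS-042", "user": "asmith"},
]

# Assumed mapping from report technique labels to the detection rules that
# should fire for them. Rule names are placeholders, not a vendor catalogue.
EXPECTED_RULES = {
    "credential_dump": {"LSASS memory access", "NTDS.dit copy"},
    "powershell_postexploit": {"Encoded PowerShell command"},
    "lateral_movement": {"Remote service creation", "Admin share logon"},
}


def _ts(value):
    return datetime.fromisoformat(value)


def _explains(activity, alert, window, skew):
    """True if this alert is the kind we expect for the activity, on the same
    host, firing between (activity - skew) and (activity + window). The skew
    tolerates small clock differences between the report and the SIEM."""
    t0 = _ts(activity["time"])
    return (alert["host"] == activity["host"]
            and alert["rule"] in EXPECTED_RULES.get(activity["technique"], set())
            and t0 - skew <= _ts(alert["time"]) <= t0 + window)


def correlate(activities, alerts, window_minutes=30, skew_minutes=5):
    """Attach matching alerts, detection status and detection lag to each activity."""
    window, skew = timedelta(minutes=window_minutes), timedelta(minutes=skew_minutes)
    results = []
    for act in activities:
        hits = [a for a in alerts if _explains(act, a, window, skew)]
        t0 = _ts(act["time"])
        results.append({
            **act,
            "detected": bool(hits),
            "matched_rules": sorted({h["rule"] for h in hits}),
            # Seconds from the tester's action to the first matching alert.
            "lag_seconds": min((_ts(h["time"]) - t0).total_seconds() for h in hits) if hits else None,
        })
    return results


def detection_gaps(results):
    """Report activities that produced no matching alert: these are the gaps."""
    return [r for r in results if not r["detected"]]


def unattributed_alerts(activities, alerts, window_minutes=30, skew_minutes=5):
    """Alerts no tester activity explains. These still need normal SOC triage:
    a test running in parallel does not make every alert the tester's."""
    window, skew = timedelta(minutes=window_minutes), timedelta(minutes=skew_minutes)
    return [a for a in alerts
            if not any(_explains(act, a, window, skew) for act in activities)]


def coverage(results):
    """Fraction of report activities that were detected."""
    return sum(r["detected"] for r in results) / len(results) if results else 0.0


if __name__ == "__main__":
    res = correlate(TESTER_ACTIVITIES, SIEM_ALERTS)
    for r in res:
        status = "DETECTED" if r["detected"] else "MISSED"
        print(f"{r['time']} {r['technique']:<24} {r['host']:<7} {status} {r['matched_rules']}")
    print(f"coverage: {coverage(res):.0%}")
    for a in unattributed_alerts(TESTER_ACTIVITIES, SIEM_ALERTS):
        print("unattributed alert, needs triage:", a)
```

With the constructed data, the credential dump and the PowerShell post-exploitation are detected (with lags of a few minutes and about fifteen minutes respectively), the lateral movement to FS02 is a gap, and the encoded PowerShell alert on WS-042 is not explained by anything in the report and should be triaged as if no test were running. Running this against a real report is a direct way to answer the "could you tie it to a specific hour?" question above.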
While the tools and techniques we use during a Red Team test closely mimic those of threat actors, the tactics we use during typical penetration tests can accomplish many of the same things you'd want to identify during a more robust testing engagement. If you're not ready for a full-scale Red Team engagement, a quality penetration test can give your detection systems a thorough review and help highlight gaps.