Prep Like a Pro: Penetration Testing Steps To Get You Hack-Ready
The first pentest can be a wakeup call for most organizations. But regular pentesting is a crucial component of good cybersecurity hygiene.
By: Nate Drier, Secureworks Adversary Group
Penetration testing (pentesting) is a key component of every healthy cybersecurity strategy. Just like every writer needs an editor, every SecOps team needs an outside pentesting partner to test their assumptions, uncover overlooked errors and ultimately validate the quality of their work.
But to get the most from your engagement with a partner like Secureworks® Adversary Group (SwAG), it pays to prepare. After all, you don’t want to make things too easy for us. And you don’t want to pay us to find an issue you could have easily found yourself or addressed with good security hygiene.
Here are some of the penetration testing steps to address to get the most value from your engagement with the Secureworks Adversary Group.
- Do some serious vulnerability scanning and patching. If you have a known vulnerability in your environment, we’re going to find it and exploit it just like the bad guys do. We will then take advantage of that initial “breachhead” to move laterally around your environment until we hit paydirt. But those vulnerabilities aren’t a mystery, so you don’t have to wait until after we find them to fix them.
Plus, Secureworks offers a great vulnerability management solution, Taegis™ VDR, also used during our vulnerability assessments, to help you get the job done both before your SwAG engagement and on an ongoing basis afterwards.
- Complete your MFA rollout. Passwords alone won’t protect you from the bad guys. And they certainly won’t protect you against us, because, as you can read here, SwAG has built a password-cracking "beast” that can crack an impressive number of passwords in a matter of hours. So every user account had better be protected by multi-factor authentication (MFA).
Of course, if you haven’t started an enterprise-wide MFA initiative, or if you’re having trouble getting executive support for one, your SwAG engagement will most likely prove in no uncertain terms just how essential MFA is. Our customers often report that the business impact shown in our engagements and narrative reports gives them the ammunition they need to get buy-in and budget. That’s just another way adversarial testing can deliver value.
- Validate your asset inventory. There’s a truism in our business that you can’t secure what you don’t know you have. Yet time and time again, we’ve called a client to let them know we’ve compromised an internet-facing system, and there’s a moment of silence on their end as they realize they didn’t even know that system was there.
Don’t let this happen to you. Get your inventory right. Be especially diligent about getting a complete inventory of all the SaaS, PaaS, and other as-a-service cloud assets your organization is currently using.
- Check your privileges. Once we get past your perimeter and have compromised one or more user accounts, we’re going to exploit any excessive privileges associated with those accounts to work our way closer to our goal. So, watch out for situations where admin-level privileges aren’t being sufficiently restricted. Also look for and rigorously eliminate cases where admin rights for one system unnecessarily grant a user admin rights to a bunch of other systems too.
Yes, I know granular permission management can be a time-consuming pain. And, yes, I also know that sometimes someone gets mad at you when you inadvertently deny them privileges that they actually need. But it’s a lot easier to handle that call and fix that problem than it is to deal with a six-figure ransomware demand. Trust me on this.
- Select some targets based on potential business impact. We don’t actually need any specific targets to start pentesting your network. We can just start breaking in and rooting around if you so choose. But you know your business, financials, industry and industry-specific regulatory risks better than we do. So you’ll get more value out of your SwAG engagement if you let us know which kinds of threats or system compromises worry you and your executive leadership the most.
For a healthcare provider, it might be the theft of patient data. For an industrial manufacturer, it might be the compromise of networked robotic/IoT equipment on the assembly line. But don’t make us guess what your nightmare scenario might be. Tell us. We can leverage our existing methodologies to help address common threat scenarios.
- Think iteratively. Pentesting should not be an isolated event. Instead, it’s something you should do on a regular basis to continuously drive your organization’s cybersecurity up the maturity scale. And mix it up: explore common threat models and determine whether you could benefit from wireless penetration tests or certain application security tests.
The first time we pentest an organization, we tend to find all kinds of issues: missed CVEs, gaps in MFA coverage, excessively vulnerable trust relationships, etc. This is a great way to validate whether there are ways to improve your threat and vulnerability management program with a solution like Taegis™ VDR.
The next time we come back, clients have almost always improved security significantly, both because of the specific issues we uncovered in our first test and because that test tends to be a wake-up call for all concerned. Once our customers learn the right penetration testing steps to truly evaluate their defenses, they start to see their systems in a whole new light. The value of working with SwAG doesn’t end there. By the time our end-of-engagement reports have a lot more gold stars than gotchas, it may be time to consider other tests and exercises to challenge your defenses and response. Learn more about the adversarial tests and exercises to select based on your objectives.