Motivated attackers do not stand still in their attempts to compromise your network, and neither should your approach to testing your security program. How can you stay ahead and outmanoeuvre the adversaries?
In this video, Jared McLaren, Secureworks Technical Lead for Application Security Testing, discusses the strengths of combining security tests to drive new insights for improvements.
Listen to the full webcast to learn more about the most common attack vectors and how to defend against them.
So this engagement started off with the network team performing an external penetration test of a large financial client. They're a pretty secure client. The networking team had worked really hard to find issues, and there weren't really any major vulnerabilities out there. Everything was patched, everything looked great. So we started taking a focus on a teleconferencing server that the client had in their environment. The networking team did a great job; they actually found a new vulnerability that allowed them to enumerate usernames off this teleconferencing system. And then the next thing you do in an external penetration test is you start password spraying based on those usernames. So, you know, you look for weak passwords like password123, changeme, spring2019, things like that.
So after bouncing through these usernames and a password spray, they got authenticated access. And from that point forward, they handed it off to me and the application team to look at this application from an authenticated perspective. And there was some interesting stuff there. We saw areas where there were file uploads and things like that. So we tried attacking content of the files, names of the files, things like that. And we were able to actually influence a file creation and inject content into that file being created. And with that scenario we actually got remote code execution on this conferencing solution. And this was on a fully patched server. So this was a nice zero day that we had just come up with to allow code execution to get further into the client's network, to be able to see what a motivated attacker could really do. And that's that great combination of network and application that we provide here.
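The detection counterpart to the enumeration-then-spray chain described in the webcast, added here as an example (not code from Secureworks or the speaker): a spray shows up per source rather than per account, as one source failing a few times each against many distinct usernames inside a short window, often followed by a success. The log format, addresses and usernames below are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the webcast): timestamp, source, user, result.
# 203.0.113.7 sprays one guess across many accounts; 198.51.100.5 hammers one account.
SAMPLE_LOG = """\
2019-04-01T09:00:01 203.0.113.7 alice FAIL
2019-04-01T09:00:03 203.0.113.7 bob FAIL
2019-04-01T09:00:05 203.0.113.7 carol FAIL
2019-04-01T09:00:07 203.0.113.7 dave FAIL
2019-04-01T09:00:09 203.0.113.7 erin FAIL
2019-04-01T09:00:11 203.0.113.7 frank SUCCESS
2019-04-01T09:00:20 198.51.100.5 alice FAIL
2019-04-01T09:00:25 198.51.100.5 alice FAIL
2019-04-01T09:00:30 198.51.100.5 alice FAIL
"""

def parse(log_text):
    """Turn each line into (datetime, source_ip, username, result)."""
    events = []
    for line in log_text.splitlines():
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {source_ip: (sprayed_users, users_that_then_logged_in)} for sources
    whose failures inside `window` span >= min_users accounts with <= max_per_user
    failures each. Few failures per account is what keeps a spray under per-account
    lockout, so the count has to be taken per source."""
    fails, successes = defaultdict(list), defaultdict(set)
    for ts, src, user, result in events:
        if result == "FAIL":
            fails[src].append((ts, user))
        else:
            successes[src].add(user)
    hits = {}
    for src, items in fails.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:  # slide the window forward
                start += 1
            per_user = defaultdict(int)
            for _, user in items[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits[src] = (sorted(per_user), sorted(successes[src]))
                break
    return hits
```

The brute-force source is deliberately not reported: it fails many times against a single account, which per-account lockout already handles, whereas the spray source never trips it.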