An Infrastructure Penetration Test is one of the best ways to discover weaknesses, vulnerabilities, misconfigurations, and threats located within your infrastructure. To conduct a Penetration Test, highly skilled engineers utilize the same tactics, techniques, and procedures as real-world attackers in a safe and controlled manner. The difference between a real attack and a penetration test is the manner in which it is conducted. Utilizing a predefined scope and rules of engagement, engineers securely conduct tests without harming your environment and while providing an accurate picture of an attack. Utilizing these findings, your organization can discover operational deficiencies.
High-profile security breaches occur at an alarming rate every day. If you spend anytime monitoring information security news, you know this is not a new trend. As malicious actors develop new and increasingly sophisticated attacks, the need for effective defenses grows.
Traditionally, items such as firewalls, anti-virus software, and an educated work force was considered the best defense in keeping your organization safe and secure. Today’s businesses require a much more layered approach to security. Next Generation Firewalls, Anti-Virus software, and Continuous User Training is just the beginning of maintaining a security posture. Conducting tests against those products to ensure effectiveness is integral to your security.
When to Test?
Determining when to conduct penetration testing varies greatly from industry to industry. You might have certain regulations and compliance standards to meet, each with their own required guidelines. For most organizations, though, this is not the case. Best practices suggest conducting infrastructure penetration testing at least annually. Also, here’s is a list of events which could trigger a need for testing:
New Infrastructure Deployment
Change in Software Usage
Change in Firewall/IPS Rules
Migration to Cloud Services
Types of Test
There are three different types of Infrastructure Penetration Tests (Black Box, White Box, and Grey Box). The differentiator between tests lies in how much information is provided to the engineer prior to conducting the test. An explanation of each is below:
Black Box – In a Black Box Penetration Test, the engineer conducting the test receives zero information about the network or systems they are testing. This type of test best replicates an attacker who has no knowledge about the organization they’re attacking.
White Box – Prior to conducting a White Box Penetration Test, the engineer conducting the test receives full knowledge of the infrastructure from the client. This can include network maps, OS details, user information, and patching levels. A White Box Test, in most cases, generally represents an internal attacker.
Grey Box – With a Grey Box Penetration Test, the engineer conducting the test receives some information about the infrastructure. This can be represent an external attacker such as a contractor/vendor or an attacker who was able to gain some information about the organization.
Each type of test has its own pro’s and con’s and can differ in the amount of time required to conduct the test. When determining which type of test to choose, you should always consult with your testing team to ensure the test meets your objectives.
The Phases of Testing
Infrastructure Penetration Testing is conducted in 5 distinct phases.
This is a critical phase. The goal of this passive phase is to gather as much information about an organization and potential targets to exploit. During this phase, the testing team will utilize multiple sources of information to discover potential entry points into an organization’s network. These points of entry can be physical, electronic, and/or human. Many companies do not realize how much information they place in the public realm. Therefore, they don’t realize how this information, when combined with their employees’ public profiles, can be used by an attacker. Some of the sources of information a testing team might utilize is:
Scraping Social Media Sites
Domain Name Searches, Reverse DNS Lookups, Mail Exchange Records
Search Engine Querying
Dark Web Discovery
Public Records (State and Federal)
This is the first phase with active testing. A team’s goal in Network Enumeration is to discover all resources in a target environment. Once a resource is discovered, the testing team conducts further tests to fingerprint which operating systems the resources are running and, more importantly, what services are running on them. The testing team will attempt to gather the following information:
Network Resources and File Shares
User Account Information
Host Names / Operating System Details
Applications and Banners
DNS and SNMP Details
At the conclusion of the Network Enumeration Phase, the testing team will develop a network map of the environment they are testing. More often than not, the team will discover resources an organization didn’t realize existed.
Vulnerability Analysis discovers flaws or misconfigurations in systems and applications. These vulnerabilities can include but are not limited to: host and service misconfigurations, insecure application design, insecure network segmentation, and unpatched devices. The Vulnerability Analysis allows the testing team to assign a priority level to each tested resource based on threat criticality. The results of the Analysis forms the “Playbook” for the Exploitation Phase. Generally, resources found to contain critical vulnerabilities are likely to be exploitable by the testing team. Therefore, these will be a high priority for the next phase. Vulnerability Analysis can be broken down into two categories, Active and Passive Analysis. Active Analysis is more commonly used. Here’s the differences:
Active – During active Vulnerability Analysis, the testing team will attempt to communicate directly with the resource being tested. To validate the vulnerability, minor changes may be introduced to the resource being tested and can generally be discovered on the tested resource by reviewing logs.
Passive – A Passive Vulnerability Analysis is conducted in a manner where no changes are introduced to the tested resource. The majority of the time, vulnerabilities are discovered by reviewing passive network and/or system application capture files. At the completion of a Passive Vulnerability Analysis, a system should show no signs of any changes because none would have been introduced.
The Exploitation Phase focuses on gaining access to resources by exploiting vulnerabilities discovered in the previous phase. Priority of attack is determined via a high value target list which considers the probability of success and value to the organization. During this phase, active exploitation takes place against hosts in the environment. The testing teams’ goal is to gain access to resources that they otherwise should not have access to. During this phase, numerous defense mechanisms are in play against the testing team. Each of the items listed below present an obstacle for the team to overcome:
End Point Protection (Anti-Virus, Host Firewalls)
Network Based IDS/IPS
Human Interaction (Network Defenders)
The Exploitation Phase can provide an organization with a snapshot of how well their policies, procedures, equipment, and people detect and respond to an attack. This is a unique opportunity for an organization to use the test as a learning event.
The Reporting Phase is the Final Phase of the engagement. During this phase, the team will compile the results from the engagement into one easily digestible document. If the report generated from the engagement isn’t clear, concise, and accurate the value to the organization is lost. To provide an organization with a report that is easily understood by both technical and non-technical staff, the report is broken down into two very different sections designed to be distributed to different recipients. The two sections are the Executive Summary and the Technical Report.
Executive Summary – The goal of the Executive Summary is to communicate the findings in a non-technical high level. The target audience for the Executive Summary is individuals in the organization that are responsible for strategic decision making. The Executive Summary should include at a minimum the Overview, Objectives, Testing Approach, Scope, Focus, and Findings.
Technical Report – The goal of the Technical Report is to communicate the findings in a much more technical nature. The target audience for the Report is individuals in the organization who will be tasked with remediation. The Technical Report will include at a minimum, a list of vulnerabilities, the process in which the testing team exploited the environment, reproduction steps for validating exploitation, and most importantly resources and information for remediating findings.
Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.