Prior to launching a targeted attack against an organization, threat actors conduct thorough reconnaissance missions, gathering intelligence on employees, the infrastructure, and more. They want to know every possible inch of the attack surface to find every potential exposure before they make their move, using an array of tools and tactics to exploit vulnerable infrastructure.
Cybercrime is expected to increase by 15% per year, leading many organizations to take a more proactive approach to defending their infrastructure. They have adopted attackers' techniques and tools to implement offensive security programs, aiming to identify vulnerabilities and close security gaps before attackers can find and use them. Unfortunately, many fall short because they overlook the need for effective reconnaissance, leaving much of the attack surface unanalyzed and exposed.
This article explores the challenges offensive security teams face dealing with limited visibility and how they can improve it.
Conducting Asset Reconnaissance
Offensive security without in-depth knowledge of an environment is ineffective. Security teams need access to information they can build on in their pursuit. This information can come at the start of an engagement in the form of architectural diagrams and asset information, or testers can gain it through active investigation and intelligence gathering. Without a complete view of what is contained in an engagement’s scope, vulnerabilities will be missed, leaving a gap for attackers to find them first.
What Attackers Look For
Malicious attackers build up a collection of knowledge through scanning, probing, and observation to determine the full scope of a target. When collecting data on employees, they may mine LinkedIn and other social media profiles. Even something as simple as a list of email addresses is valuable: the addresses seed a phishing campaign and typically double as usernames for company logins. Seemingly benign personal details, such as interests and group memberships, help make spear phishing more authentic and targeted. In examining the infrastructure, they look for reachable endpoints, exposed APIs, open ports, and service banners that reveal application and software versions, which they can then research for known vulnerabilities.
Since most attackers do not know every detail of a target at the outset, they invest time in enumerating as many targets as possible. Offensive security teams, by contrast, often start with what they assume is a full or partial view of the scope in clear-box (white-box) or translucent-box (gray-box) testing. However, what is presented may not be all that is actually there.
Shadow IT can be lurking in an organization's infrastructure, its presence unknown to and unapproved by IT. Estimated to account for 30 to 50% of an organization's existing IT infrastructure, these assets are generally known only to their creators and are often set up to fill temporary needs: a scratch database, a support application, a test system.
In addition to shadow IT, the shift to remote work has inadvertently increased risk. Countless devices now make up home networks: routers, smartphones, doorbell cameras, gaming systems, tablets, and more. Home devices are also more likely to be misconfigured or go unpatched, since organizational security teams have no access to them.
All of these unaccounted-for systems sit exposed for attackers to discover. Each employee also has free rein to add new devices at home, rapidly expanding the attack surface. Treating incomplete asset intelligence as complete is a mistake that causes targets to be missed, leaving attackers with more potential entry points and organizations with a false impression of their security status.
Savvy testers work to act like malicious attackers to provide an accurate picture of what threats pose the most risk to an organization. Approaching all offensive security engagements with the assumption that there might be undiscovered resources helps to set the right mindset. By allowing for the potential of the unknown, testers avoid falling into the trap of only working with the data they receive. This approach helps teams remember to take steps to investigate deeper.
Trust But Verify
Information provided by internal teams to facilitate offensive security engagements reflects only their best understanding of what is present. Testers should keep this in mind and should direct their scanning tools at address ranges and domains that fall within the agreed scope but have no resources listed against them.
Anything discovered in this manner is an immediate finding, since it was not known to the organization. Identifying such an asset also helps reduce the attack surface: once its owner is confirmed and it turns out to be a forgotten or temporary system, it can usually be removed, eliminating significant risk with minimal effort.
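The reconciliation step described above, as an added example that is not code from the original article or from any product it mentions: the script parses nmap grepable (`-oG`) output for the in-scope ranges and diffs the hosts that answered against the client-supplied inventory. The scope, inventory and scan output are constructed for illustration. Hosts that are up inside scope but absent from the inventory are the "immediate findings"; hosts that answered but sit outside the agreed scope are reported separately so they are not touched without re-confirming the rules of engagement; inventory entries that never answered are flagged as possibly stale.

```python
"""Reconcile a client-supplied asset inventory against what a scan of the
in-scope ranges actually returns.

Added example. SCOPE, INVENTORY and SCAN_OUTPUT are constructed for
illustration and do not describe any real environment.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class Service:
    port: int
    proto: str
    name: str
    version: str


# Hypothetical rules-of-engagement scope (CIDR) and the inventory the client handed over.
SCOPE = ["10.20.0.0/24", "203.0.113.0/28"]
INVENTORY = {
    "10.20.0.5": "dc01 (domain controller)",
    "10.20.0.10": "web01 (customer portal)",
    "10.20.0.11": "db01 (customer database)",
    "203.0.113.4": "vpn01 (SSL VPN)",
    "203.0.113.9": "mail01",
}

# Constructed nmap -oG output. The real layout of a host line is
# "Host: <ip> (<name>)\tPorts: port/state/proto/owner/service/rpcinfo/version, ..."
SCAN_OUTPUT = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG - 10.20.0.0/24 203.0.113.0/28
Host: 10.20.0.5 ()\tStatus: Up
Host: 10.20.0.5 ()\tPorts: 88/open/tcp//kerberos-sec///, 389/open/tcp//ldap//Microsoft Windows Active Directory LDAP/
Host: 10.20.0.10 ()\tPorts: 443/open/tcp//https//nginx 1.18.0/
Host: 10.20.0.11 ()\tPorts: 5432/open/tcp//postgresql//PostgreSQL DB 12.3/
Host: 10.20.0.77 ()\tPorts: 3306/open/tcp//mysql//MySQL 5.5.62/, 8080/open/tcp//http//Jetty 9.4.z-SNAPSHOT/
Host: 203.0.113.4 ()\tPorts: 443/open/tcp//https//Fortinet FortiGate/
Host: 203.0.113.200 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/
# Nmap done -- 272 IP addresses (7 hosts up) scanned
"""


def parse_grepable(text: str) -> dict[str, list[Service]]:
    """Return {ip: [open Service, ...]} from nmap -oG lines.

    A host that only has a "Status:" line is kept with an empty service list so
    it still counts as "answered".
    """
    hosts: dict[str, list[Service]] = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        services = hosts.setdefault(ip, [])
        for fld in fields[1:]:
            if not fld.startswith("Ports: "):
                continue
            for entry in fld[len("Ports: "):].split(", "):
                parts = entry.split("/")
                # Expect the seven slash-separated sub-fields; skip filtered/closed ports.
                if len(parts) < 7 or parts[1] != "open":
                    continue
                services.append(Service(int(parts[0]), parts[2], parts[4], parts[6]))
    return hosts


def reconcile(scan: dict[str, list[Service]], inventory: dict[str, str],
              scope: list[str]) -> dict[str, object]:
    """Split scanned hosts into unlisted-in-scope, out-of-scope, and inventory-but-unseen."""
    nets = [ipaddress.ip_network(cidr) for cidr in scope]

    def in_scope(ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in nets)

    unlisted = {ip: svcs for ip, svcs in scan.items()
                if in_scope(ip) and ip not in inventory}
    out_of_scope = sorted(ip for ip in scan if not in_scope(ip))
    unseen = sorted(ip for ip in inventory if ip not in scan)
    return {"unlisted": unlisted, "out_of_scope": out_of_scope, "unseen": unseen}


def report(result: dict[str, object]) -> list[str]:
    """Render the reconciliation as human-readable lines."""
    lines = []
    for ip, svcs in result["unlisted"].items():  # type: ignore[union-attr]
        banner = ", ".join(f"{s.port}/{s.proto} {s.name} {s.version}".strip() for s in svcs)
        lines.append(f"FINDING  {ip} is up and in scope but not in the inventory: {banner}")
    for ip in result["out_of_scope"]:  # type: ignore[union-attr]
        lines.append(f"CAUTION  {ip} answered but is outside the agreed scope; confirm before touching")
    for ip in result["unseen"]:  # type: ignore[union-attr]
        lines.append(f"STALE?   {ip} is in the inventory but did not answer; verify it still exists")
    return lines


if __name__ == "__main__":
    print("\n".join(report(reconcile(parse_grepable(SCAN_OUTPUT), INVENTORY, SCOPE))))
```

Run against real output, the script takes `nmap -sV -oG <file>` results for the scoped ranges; the interesting line in the constructed data is 10.20.0.77, an unlisted host running an old MySQL and a Jetty-fronted service on 8080, exactly the kind of test box shadow IT produces.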
Additionally, organizations should consider these risks when determining the scope of their engagements. Network penetration tests should be considered in order to focus on network security and the pathways created by home networks and shadow IT. For example, identifying a vulnerable VPN gateway shows exactly how far an attacker could go once they exploited it.
Simply telling testers to look for additional resources in the engagement scope is not enough to identify them. Testers need practical tools that deliver accurate results promptly, and not all tools perform equally on these criteria. If a tool cannot deliver value within the allotted time frame of an engagement, it offers no practical value.
Automated pen testing tools save time by reducing the effort such tests would take if done manually. Further, such tools can be comprehensive solutions, providing options to run different types of tests from one console. For example, Core Impact enables running intelligence gathering for network, web application, and client-side penetration testing, giving robust context for multiple engagements.
Layering tools is one of the best ways to ensure you’re able to efficiently run a successful test. For instance, a thorough vulnerability scan can help provide risk context, such as exploitability and asset criticality information. From there, penetration testing can validate those vulnerabilities, actively testing them to see if they can be exploited. Finding tools that integrate can further streamline and centralize this process.
Assemble the Right Security Stack
Organizations implementing offensive security testing need to uncover everything an attacker would. Doing this takes a combination of the right people, processes, and technology working together. Using the right tools streamlines security efforts, empowering teams to assess the organization efficiently and effectively. Building a stack of tools that work together through interoperability or integrations simplifies the entire lifecycle from scoping to remediation by placing the information at the fingertips of testers.
Learn More About the Benefits of Layering Your Security
See how our Offensive Security Bundles can improve visibility for your testers, strengthening and streamlining your security efforts.