October 13, 2010
Traditional Penetration Testing is DEAD - BSIDES Atlanta
Written by David Kennedy
Penetration Testing
Security Testing & Analysis
BSIDES, for those of you who haven't had the privilege of attending, has spread like wildfire. Originally a side conference set up for presenters who didn't make it into BlackHat, it has grown and continues to move across the country as a series of small to mid-sized conferences. I had the luxury of speaking at the most recent BSIDES in Atlanta. This was a joint presentation by Eric Smith (@infosecmafia) and myself on the current state of penetration tests in the industry. We both have heavy consulting and corporate experience in penetration testing and get to see a true representation of how these things are currently being run in the industry.
To start off on somewhat of a tangent, the penetration testing field can be looked at in two different lights. One, companies are accustomed to these tests, are familiar with them, and are rating fairly well against traditional testing methods. The second is that penetration tests, which are intended to simulate a breach, are failing to truly identify impact or give a true representation of an attack. Look at the current penetration testing methodologies: little time is spent on the true intelligence gathering phase, and they are purely scan and mass exploitation based.
Since when did a penetration test become primarily automated and tool driven? Scanners are an aid but not a full substitute for us as penetration testers. Don't get me wrong, they absolutely have their purpose: they make sure we didn't miss anything, and they should be heavily incorporated into a vulnerability management program to make sure you're doing things right. Handing a company a sixty-page 'penetration test' report with five hundred vulnerabilities does absolutely nothing for it aside from a check mark for whatever regulatory and compliance initiatives it has underway. It's time for a reality check:
Penetration testing has to be something that measures the organization's business risk and impact if a breach were to occur. When attacking an organization you have to understand what is sensitive and what hurts the company the most. Intelligence gathering is one of the most important elements of a penetration test, as well as understanding and learning the network. Learn your target, understand your target, develop your attack specifically around your target; nothing is out of scope. If you notice, the exploitation phase is a small sliver of the overall cycle. If you fail on running an exploit, you failed on the intelligence gathering and footprinting of your penetration test; you should never fail on an exploit, and you should have a high success rate on whatever you fire at the target. If you're going against a client and you run into a sophisticated perimeter that has millions invested in it, why fight that? Go around, attack the human element and fly right past those sophisticated perimeter defenses... Once you're in, now what?
This is where the heavy intelligence gathering comes into play. Where can I have the most impact on the organization and how do I represent that? WOW I GOT DOMAIN ADMIN!!!!!! OMG I GOT ROOT! That's fantastic buddy, I'm happy for you, but that doesn't mean squat to me. Present them with their intellectual property, future projections, the ability to change their product, confidential and trade secret information, or whatever you identify as what hurts them the most. Chris had an example that resonated with me: change the formula of the medical company you're pentesting to cyanide. Would that impact them in a negative manner? Would it cripple the organization as a whole? What hurts them the most?
Wrapping things up, we'll get there as an industry; we're still new at all of this (some of us have been doing it for years). The general hurdle is the lack of talent and focus when it comes to penetration testing. Some companies do a multitude of services and lack the specialization in this arena. Companies are being handed a false sense of security, and there is a lack of full adoption in the industry because of the lack of value. It's the company's responsibility to have the expertise to defend itself, but we're relying too heavily on the basics and not growing our security programs in a manner that will improve our security posture. We're also significantly challenged by the basic penetration tests: how do you compete against a cheap vulnerability-scan 'penetration test' with something that will cost significantly more than that and be done right? Businesses don't understand the difference; they just go with the cheapest bidder, and they don't know that what they are about to purchase sucks. I'm on a different side: I'm not in consulting, I'm a corporate dude. I know what a good penetration test is, and how to utilize it effectively within my organization. We need to hire qualified people that get it; I will pay extra for a group that knows what they are doing vs. a super cheap scan. The industry is bleeding, let's step it up and do it the right way.
This was our talk at BSIDES Atlanta. We had a couple of zero-day attacks to show how we need to step it up and the sophistication needed in order to pull these types of attacks off. Special thanks to Eric Smith (@infosecmafia) for being a bad mofo and doing an outstanding job on the presentation, and to Chris Nickerson (@indi303) for all of the help and for having one amazing talk.
- Good hackers don't need to utilize expensive vulnerability scanners.
- Good hackers don't use automated penetration testing.
- Attackers don't have a scope or timeframes.
- Attackers don't stop after they get root.
- Attackers don't have portions taken out of scope. (Oh we're only assessing our PCI zone *giggle*)