Penetration Testing and Validating LAN-to-WAN Configuration

Testing security controls and configuration settings is crucial to ensuring you have the right controls in place. One particular type of testing simulates actions an attacker would take to attack your network. This type of test is called a penetration test because the purpose of the test is to attempt to penetrate, or compromise, your security controls. In fact, conducting periodic penetration tests is a requirement for compliance with several standards. PCI DSS is one example of a standard that requires annual penetration tests to validate security controls.

An experienced penetration tester can simulate the actions an attacker would take and verify the strength of your security controls. Such tests validate the controls you have in place as well as indicate areas of weakness you should address. You should seek approval first, then design several types of penetration tests to ensure your security controls are doing the job.

Never conduct a penetration test unless you have written authorization from the network and system owners. Penetration tests will likely raise alarms. If you’re not authorized to perform the tests, it could result in liability issues and even criminal prosecution. Verbal approval is not enough—get it in writing. Before you start any penetration testing, get written approval for the specific scope of your tests. Your approval documents should include the following:

  • Specific IP addresses or ranges of nodes you will test

  • Specific IP addresses of nodes that will conduct the tests

  • A list of nodes that should be excluded from the tests

  • A list of the techniques used in the tests

  • A schedule or time frame approved for the tests to occur

  • Points of contact for the testing team and the approving organization(s)

  • Procedures for handling collected test data

Performing penetration testing is a highly specialized skill. This is one area where many companies outsource and hire a vendor to perform the service periodically. Additionally, several of these vendors have created on-premises services and solutions that continually monitor the network for potential vulnerabilities and intrusions; for example, Rapid7 is a leader in this field, and more information on this topic can be found at https://www.rapid7.com/.

External Attacks

The more common type of penetration test is from the perspective of the external attacker. The penetration tester, also called the pentester, launches a series of attacks from outside the target’s network. In most cases, the pentester conducts the tests from a computer connected to the Internet. The tester simulates the actions an attacker would take when developing an attack on your organization.

Although each penetration test is different, many tests follow similar paths. Here is a common flow a penetration tester follows to develop attacks:

  1. Reconnaissance—Here, the tester collects as much information about the target environment as possible. At this stage, the tester is collecting both technical and nontechnical information. Both types of information can help the tester determine how the organization operates, where it operates, and which characteristics the organization and its customers value. The purpose of the attack will drive the process. In an actual attack, if an attacker wants to extract or modify data, all efforts will be directed toward the data of interest. If the attacker wants to harm the organization, the target of the attacks will be what the organization values. An organization that markets safety to its clients would suffer from confidential data disclosure, whereas an organization that prides itself on high availability would suffer most from being shut down. Information gathered by the tester or attacker in the reconnaissance phase drives all subsequent activities.

  2. Footprinting—After collecting general organizational information, the next step is to learn as much as possible about the target’s technical architecture. At this point, testers use tools to query and identify as many nodes in the target network as possible. Footprinting means determining the operating system and version for each node. Operating system information helps identify a node’s possible purpose; the next step is then to learn more about each node.

  3. Scanning and enumeration—The next step collects detailed information about each node. Testers can use automated tools to scan each node, identifying open and active ports. Testers can also query open ports to determine which services are running on a selected node. In this manner, testers can develop a detailed map of the target’s technical environment and get a good picture of what hardware and software make up the target’s infrastructure.

  4. Vulnerability identification—Once the testers have all the available information on operating systems and running software and services, the next step is to explore known vulnerabilities in the target’s environment. For example, if scanning and enumeration reveals the target is running Microsoft Internet Information Services (IIS) web server version 6.0, the testers would search for known vulnerabilities with that specific version.

  5. Attack planning—A complete attack plan would include all identified vulnerabilities in the target environment, sorted by exploit difficulty and impact. In most cases, testers will start with the easiest attacks that produce the largest impact. The attack plan is a sorted list of attacks that the testers will carry out along with the procedures to execute the attack and collect results information.

  6. Attack execution—The execution phase follows the attack plan and launches each attack against the target environment. Testers grade the success of each attack and the effectiveness of security controls to mitigate the attack.

  7. Collecting and presenting results—The final step in a penetration test is to compare the attack plan with the attack results. Testers will collect all result information from each attack and present a report of overall test performance. The report should analyze the effectiveness of existing controls and make recommendations for any changes that would increase security.

Blocking malicious traffic using IP intelligence is highly complicated and is an emerging approach for many companies. Keeping up with all the latest attacks and retaining a skilled workforce can be expensive and overwhelming. Consequently, companies are hiring firms to perform these specialized activities. Network traffic is routed to the vendor’s Internet connection and, once validated as safe, forwarded to the company’s network. This reduces the traffic reaching the company’s network to what is considered legitimate and safe. F5 is a leader in this field, and more information can be found on its website at https://support.f5.com/csp/article/K10978895.

Internal Attacks

Not all attacks occur from external sources. Many attacks originate from within an organization’s own networks. These types of attacks can originate from compromised computers running malware or from attackers who have bypassed access controls and gained a foothold inside your network. In either case, attacks from within your organization can be more dangerous than attacks from the outside.

Internal traffic and activities are generally regarded as more trusted than external traffic. The general idea is that if a user has successfully satisfied stringent access controls, that user should be trusted. This general trust makes internal attacks dangerous if an attacker is able to circumvent access controls and operate from within your internal networks.

To measure your organization’s ability to handle internal attacks, you should conduct internal penetration tests as well as external tests. There are two main types of attacks that may originate from within your organization:

  • Internal attacks on your organization—An internal attack is one in which an attacker is able to compromise your access controls and either establish a presence inside your networks or place malware on an internal computer. In either case, the attacker has access to your resources at a higher level of trust than a general external user. Internal attacks generally target your organization.

  • Internal-to-external attacks on another organization—An attacker might choose to use your infrastructure to launch an internal-to-external attack on another organization. There are two main reasons for using one organization to attack another. First, an attacker could use your organization to launch an attack in an attempt to hide the attack’s true origin. Second, the main goal of the attack could be to place the blame on your organization and cause you to incur embarrassment and possibly other consequences.

Regardless of the reasons, the purpose of internal penetration testing of your security controls is to ensure that neither type of attack will succeed. Your goal is to ensure that internal attacks on your organization will not compromise your security and that attacks on other organizations will not be allowed past your networks. Together, external and internal penetration testing ensure your environment is secure from attacks in both directions.

Intrusive Versus Nonintrusive Testing

Penetration tests are simulations of attacks. In most cases, attacks on information systems and infrastructures are intended to cause damage of some sort. That means if you fully simulate attacks, there will likely be some impact that results. Any test that simulates an attack and results in damage is an intrusive test. A test that only validates the existence of a vulnerability is a nonintrusive test.

For example, suppose your organization runs the Apache web server. Penetration testers discover a vulnerability in the version of Apache running on your primary web server. The vulnerability, if exploited, will cause the web server to crash. Scanning and enumerating your web server computers to collect data is generally a nonintrusive test, whereas exploiting the vulnerability and actually crashing the web server is an intrusive test.

As you develop a penetration test plan, assess the impact of each test and carefully consider whether you want to allow intrusive tests against your environment. If all your security controls are sufficient, even intrusive tests will fail to affect your environment. But any deficiency in your controls could allow an intrusive test to have a negative impact on your systems or networks. The safest way to handle intrusive tests is to perform them against a test environment that is an exact copy of your production environment.

Configuration Management Verification

You learned about the importance of managing network information earlier in this chapter. Recall the FCAPS approach to network management. The C in FCAPS stands for configuration. RANCID and Canner are tools that help manage network configuration settings. It is important to aggressively control your network devices’ configuration settings. RANCID and Canner, along with other available tools, can help you create baselines of configuration settings and compare changes over time. You should develop a schedule and process to frequently compare configuration baselines and verify all changes to your network’s configuration.

A solid network configuration-management process makes it easy to classify any configuration changes as authorized or unauthorized. You just compare baseline differences to your authorized changes list to see which changes occurred that were not authorized. Because every configuration change has some effect on what traffic flows through your LAN-to-WAN Domain, it is important to manage authorized changes and detect any unauthorized changes. Implementing the FCAPS approach will help formalize the process and make your networks more secure.
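The baseline comparison described above, as an added example (not code from the page, from RANCID or from Canner): two constructed device configurations are diffed line by line, and every change is checked against a constructed list of approved changes, so that unauthorized changes and approved-but-unapplied changes both surface. The change ticket id in the comments is a hypothetical placeholder.

```python
"""Compare a baseline device configuration with the current one and classify
each change as authorized or unauthorized.  Added example; the configurations
and the authorized-change list below are constructed sample data, not output
from any real device or change-management system."""
import difflib

# Constructed baseline: the last approved configuration snapshot.
BASELINE = """\
hostname edge-rtr-1
ntp server 192.0.2.10
access-list 101 permit tcp any host 192.0.2.80 eq 443
access-list 101 deny ip any any
line vty 0 4
 transport input ssh
"""

# Constructed current running configuration pulled during verification.
CURRENT = """\
hostname edge-rtr-1
ntp server 192.0.2.11
access-list 101 permit tcp any host 192.0.2.80 eq 443
access-list 101 permit tcp any any eq 23
access-list 101 deny ip any any
line vty 0 4
 transport input ssh telnet
"""

# Constructed authorized-changes list: each entry is one config line a change
# ticket approved for removal ('-') or addition ('+').  Ticket id is hypothetical.
AUTHORIZED = {
    ("-", "ntp server 192.0.2.10"),   # CHG-0001: move to new NTP server
    ("+", "ntp server 192.0.2.11"),   # CHG-0001
    ("+", "logging host 192.0.2.50"),  # CHG-0002: approved but not yet applied
}


def diff_config(baseline, current):
    """Return (sign, line) pairs for every line removed from or added to the
    baseline; unchanged lines and ndiff's '?' hint lines are ignored."""
    changes = []
    for entry in difflib.ndiff(baseline.splitlines(), current.splitlines()):
        tag, text = entry[:2], entry[2:]
        if tag in ("- ", "+ "):
            changes.append((tag[0], text.rstrip()))
    return changes


def classify_changes(baseline, current, authorized):
    """Split observed changes into authorized and unauthorized, and list
    approved changes that are missing from the current configuration."""
    observed = diff_config(baseline, current)
    return {
        "authorized": [c for c in observed if c in authorized],
        "unauthorized": [c for c in observed if c not in authorized],
        "not_applied": sorted(authorized - set(observed)),
    }
```

Run against the sample data, the report flags the added telnet ACL entry and the vty transport change as unauthorized and the logging line as approved but not applied.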
