Chapter 13
IN THIS CHAPTER
Examining why a retest is a good thing
Testing and retesting … and testing and retesting: The reiterative process
Knowing when to retest
Using the report and risk register to choose what to retest
Doing the retest
After you’ve conducted a pen test, written your report, and made your recommendations, the next step is to make sure all that work was done correctly for the sake of an increased security posture. What that means is that it’s time to retest.
There are important reasons to retest:
When you can run a retest and produce a clean and healthy report, this is the final outcome you hope for, but the process is iterative. In this chapter, I cover the fundamentals of conducting a retest and show how the iterative process makes a circular workflow that builds on mitigation and remediation efforts.
After you conclude the phases of pen testing and become more familiar with that process and have made recommendations from the output of your ethical hacking, it’s time to do it all over again. This time, however, hopefully when you retest, there is less to find! This is one of many benefits to retesting.
Pen test retesting benefits include:
Triggers alert you to the need for a retest. Whether you retest (and when) is determined by whoever’s in charge, or you may make the suggestion yourself.
Figure 13-1 shows the workflow for both a pen test and a retest, where you find the following workflow items:
Do an assessment of information required to conduct a pen test.
This may be part of a project plan (or a bigger project program) where you have a stakeholders meeting to gather requirements, as I discuss in Chapter 9. Regardless, when this step is done, you have goals and the scope for your test.
Conduct a pen test.
See Chapter 10 for details.
Report out your findings.
Delivering a report, covered in Chapter 11, is likely always a part of your pen testing duties. A subtask or process might be to make recommendations and guide the mitigation process (if that is part of the project scope) and help to work with the risk register.
Technically, at this point, the pen test is complete, but you might be asked to retest.
Retest and report on the new findings.
The process could keep going if you don’t get the all clear.
Note that the workflows shown in Figure 13-1 are barebones representations of what the process will look like. You might need to include sub processes in additional swim lanes that point to change control/management and other sub process areas.
After you report, make recommendations, and then retest, you absolutely need to re-report it no matter what — even if you don’t have any recommendations or items to update on the register. This is why you must continually ask, is the problem solved?
The pen test process flowing into retest (refer to Figure 13-1) should be a trigger-based system where a retest becomes a process task in your pen test program on a continuous basis post your first pen test for the organization. Once that first pen test is done and the workflow begins, retests should be qualified at all times based on the process of reporting, finding remediation, and then retesting.
You can also schedule them on a need basis. In Figure 13-2, I set up a process where the risk register is consulted by priority. If a risk is identified as Tier 1, it’s immediately retested as soon as possible. Tier 2 or 3 risks might be able to wait until the monthly or quarterly vulnerability scanning to take place.
Also, you want to ensure that the retest is followed the same way as the original pen test. The same approvals, process, communication, discussions, and workflow must be followed as was covered in Chapter 10.
If you’ve conducted the pen test thoroughly and diligently documented what you did and what you found, deciding what to retest can be, dare I say, easy? You’ll rely on your documentation, the report, and the risk register.
In Figure 13-3, I have updated my documentation to reflect what changes were made to the vectors and threats identified in the pen test report. I also took the recommendations provided and some of the risk register items to create a visual of what my report may look like so I can use it as reference when putting together a retest plan.
Here you can see the suggestions in place and a retest may have blocked all of my vectors to enter the network externally. Some of these examples include:
If all this is done, retest all of it to ensure that every one of these changes have in fact worked and more importantly, have not opened other issues or exposed other flaws.
The goal of reporting (see Chapter 11) is to focus on what needs to be done based on the goal of the project or the scope of the task you have been given. Defense in depth needs to be considered in all aspects of a retest. You should go back over the original report, documentation, findings, and other items and artifacts and rescan everything you already tested, or you can focus on areas that may have been compromised.
The threat of specific areas should remain the focus, and you should work to mitigate any threats reported in those areas. As I mention in Chapter 11, this is one of the reasons why you don’t want to clutter your reports. Some things may be implied such as overall scan of the network. You may want to simply focus on the edge where you were able to gain access via the edge and hop to another router and gain more access.
You’ll want to review the report prior to retesting to know where to focus your retesting efforts after mitigations have been implemented. If, for example, a pen test was requested to ensure that the security posture of the web architecture was sound in light of recent concerns made internally by IT professionals, you’ll review the report to find:
Figure 13-4 shows some of the remediations you may want to make, such as using SSL/TLS, to reduce risks in a web architecture.
By closing an item on the risk register, you can mark it as complete and ready for retest. Consider, as example, two items identified in the pen test report and shown in Table 13-1. Here you can see the item number on the risk register, the priority or tier rating, and the pen tester’s notes.
The register could include the recommendations, too, or those can be in a separate document. Whatever the fix is for each item, it needs to be assigned, change control followed to mitigate the issue, and then marked as complete. In this example, the two items found were important to fix to get to the next phase, which is the retest. Depending on the risk and other factors, you can also accept the risk and monitor it if you can’t repair it at the time you find it.
A retest will likely show that this issue no longer exists. If a retest flags the issue again, it goes back into the report and the risk register item is reopened.
You must address all risks in a priority manner. As I marked in the notes in Table 13-1, one of the items is a high priority. If the default credentials are not handled immediately, an exploit will likely happen sooner rather than later.
TABLE 13-1 Reviewing the Risk Register for Issues to Retest
Pen Test Notes |
Tier |
Risk Register Entry # |
Conducting a pen test on 11/1/xx, an Apache Server Web Server was found running with an IP of 219.3.4.12, which is accessible via port 80 from the public Internet. Having conducted a vulnerability scan and pen test probing the ability to log in, the default credentials were found and able to be used, which allowed full access to the system remotely. This vulnerability requires an immediate response and is labeled Tier 1. Recommendation is to change the default credentials into a honeypot and/or disable access to the default account. |
1 |
17 |
Conducting a pen test on 11/1/xx, a Cisco Router was found running with an IP of 10.2.11.1, which is accessible via port 23 from the internal corporate network. Having conducted a vulnerability scan and pen test probing the ability to log in, conducting eavesdropping of this device and capturing credentials sent in cleartext, it was found that this device can be accessed and manipulated. This is the default gateway to an access layer network with no access to the distribution or core as it is protected via ACLs. This vulnerability requires a response and is labeled Tier 2. Recommendation is to disable telnet and applied SSH for secure access. |
2 |
24 |
To do a pen retest, you follow the same steps from Chapters 9 and 10. You select your tools after your goal and scope have been defined, get appropriate permission and access, set up logging, and then move to gain change control and final approvals to begin. Nothing has changed except you’ll focus on specific areas, items, and artifacts derived from the last pen test, the report, and the risk register.
As you conduct your test, keep these points in mind:
Pay close attention to the old report and what the new information is showing. For example, you may be re-running Metasploit and finding services, ports, and IPs are responding, some of which may be closed, but others might now be open. For example, in Figure 13-5, you can see that NTP (the network time protocol) service is now operable on a server that wasn’t reported with the original pen test scan.
When configurations were made to disable some services, maybe someone accidently turned one on. Or added a new function to secure a service inadvertently turned on a server service you didn’t want enabled.
Whatever the scenario, make note of your exact steps and findings when identifying any new vulnerability. It may be something you pick up on a vulnerability assessment, but for the pen retest, you should try to exploit it.
As you did with the pen test, find a way in. Using the Nmap ntp-monlist, for example, you can gather information about the NTP server to see what it tells you. Figure 13-6 shows how you can use Nmap to query an NTP server service and identify (or map) it, so you can see what the NTP master server is, the clients, and peers.
Through this mapping, you can then attack the master once identified to potentially be crashed with a destroy attack, such as an overflow or DoS, and basically throw the entire network into a tailspin. Document this exploit in your log.
18.117.182.179