For the past two years, we observed growing requests of companies towards realistic tests based on breach and crisis simulations. Indeed, the classic model shows its limits when an application or a network has been tested many times. One can be pretty sure that the first line is secured, but another one can also be completely blind about what could happen next if it is not the case.

Let’s compare this to a crown kept safe at the end of a long corridor with multiple doors. The highly secured main door is checked regularly. However, at some points, a critical flaw appears on the lock. The theft is patiently waiting at the door to take advantage of this flaw and immediately break-in. The path to the vault is carefully partitioned. Nevertheless, the in-between doors are either flawed or left open. For the intruder, this is straightforward access to the crown as well as the easy fall of the whole castle.

This is exactly what happens when you test the external network from the Internet. From there, the attack could extend across shared servers or connected network zones up to the most critical assets.

The “Defence-in-depth” concept is quite popular. Without “testing in-depth” it is not possible to simulate and evaluate the most realistic attack path an attacker will use. This is why realistic testing together with an “assume breach” methodology adds value for a better preparation to breach.

Realistic testing aligned with company maturity

With classic approaches, the organization’s penetration tests do not integrate nor consider the attacker profile properly. To fully benefit from the offensive Assume Breach approach, proper threat modelling must be associated with the testing: what is the attacker profile and what are the motives of an attack for a given perimeter?

Moreover, tests and recommendations shall suit the company’s maturity level. Recommendations shall not be too ambitious for the in-house workforce as well as aligned with the security budget. While the maturity increases over time, through incremental steps, we can push the testing and recommendation level further to simulate motivated and resourceful attackers.

The “assume breach” approach

As the “Defence-in-depth” concept applies to the whole information system and even further, the breach simulation is an approach for both application and infrastructure. Rather than assuming an attacker will never get inside the company or breach the Internet-facing applications, it begins from a compromised asset and aims to see if the breach can be extended to a larger scope.

Breached applications

As a breached application is by itself a serious issue, this initial access can lead to additional ones. For instance, this is the case when servers host multiple applications or when these servers share the same network. Even if the organization runs an application audit regularly, recent events have proven that no company is safe from mass exploitation of a vulnerable dependency or a backdoor.

Starting the test from a compromised application server offers a whole new attack surface such as access to the code, the configuration files and the data sources. This approach is particularly useful for shared application servers and databases along with cloud-deployed environments.

Infrastructure attacks from insiders

From an infrastructure point of view, the “assume breach” concept helps simulate the internal threats of a company. For a long time, companies did not consider the insider threat as relevant, but as shown by the yearly Verizon Data Breach Investigation Report, for some industries this risk is real.

Figure 1: Threat profile for Professional, Scientific and Technical Services Industry, Verizon DBIR 2019

The model highly changes between businesses, but also over time, depending on the current attack trends and the threat landscape. The starting points of an “assume breach” assessment could be:

– A company laptop, with all defences enabled and realistic business user credentials, to simulate a malicious employee.

– A piece of malware executed in the context of a company user session, to simulate a compromised user.

– A physical network interface, to simulate an external threat actor with authorized presence, such as cleaning personnel, facility employees, visitors…

Cooperative approach

The tests following a cooperative approach rather than an audit approach make sense for this kind of penetration test model. The interaction with the technical teams leads to tailored tests, close support and realistic recommendations. Something which is not possible with a purely black-box approach and automated tools.

We are happy to share and discuss this refreshed penetration testing model, which is a strong ally to the other kinds of security assessment. You can also learn more about the “Assume breach” approach and the zero-trust model with this SANS webcast.

Meet us here for even more interesting articles.

Excellium Pentesting Team.

Cookie	Duration	Description
CLID	1 year	Microsoft Clarity set this cookie to store information about how visitors interact with the website. The cookie helps to provide an analysis report. The data collection includes the number of visitors, where they visit the website, and the pages visited.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
MR	7 days	This cookie, set by Bing, is used to collect user information for analytics purposes.
SM	session	Microsoft Clarity cookie set this cookie for synchronizing the MUID across Microsoft domains.
_clck	1 year	Microsoft Clarity sets this cookie to retain the browser's Clarity User ID and settings exclusive to that website. This guarantees that actions taken during subsequent visits to the same website will be linked to the same user ID.
_clsk	1 day	Microsoft Clarity sets this cookie to store and consolidate a user's pageviews into a single session recording.

Cookie	Duration	Description
ANONCHK	10 minutes	The ANONCHK cookie, set by Bing, is used to store a user's session ID and also verify the clicks from ads on the Bing search engine. The cookie helps in reporting and personalization as well.
MUID	1 year 24 days	Bing sets this cookie to recognize unique web browsers visiting Microsoft sites. This cookie is used for advertising, site analytics, and other operations.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

About us

Career Opportunities

Get in Touch