For the past two years, we have observed a growing number of requests from companies for realistic tests based on breach and crisis simulations. Indeed, the classic model shows its limits once an application or a network has been tested many times. One can be fairly sure that the first line is secured, yet remain completely blind to what would happen next if it is not.
Let’s compare this to a crown kept safe at the end of a long corridor with multiple doors. The highly secured main door is checked regularly. However, at some point, a critical flaw appears in the lock. The thief is patiently waiting at the door to take advantage of this flaw and immediately break in. The path to the vault is carefully partitioned. Nevertheless, the in-between doors are either flawed or left open. For the intruder, this is straightforward access to the crown, and the easy fall of the whole castle.
This is exactly what happens when the only test is of the external network from the Internet. From there, an attack could extend across shared servers or connected network zones up to the most critical assets.
The “Defence-in-depth” concept is quite popular. Without “testing in depth”, however, it is not possible to simulate and evaluate the most realistic attack path an attacker would use. This is why realistic testing combined with an “assume breach” methodology adds value in preparing better for a breach.
Realistic testing aligned with company maturity
With classic approaches, the organization’s penetration tests do not properly take the attacker profile into account. To fully benefit from the offensive Assume Breach approach, proper threat modelling must be associated with the testing: what is the attacker profile, and what are the motives of an attack for a given perimeter?
Moreover, tests and recommendations should suit the company’s maturity level. Recommendations should not be too ambitious for the in-house workforce, and they should be aligned with the security budget. As maturity increases over time, through incremental steps, we can push the level of testing and recommendations further to simulate motivated and resourceful attackers.
The “assume breach” approach
Just as the “Defence-in-depth” concept applies to the whole information system and beyond, breach simulation is an approach for both applications and infrastructure. Rather than assuming an attacker will never get inside the company or breach the Internet-facing applications, it starts from a compromised asset and aims to determine whether the breach can be extended to a larger scope.
A breached application is a serious issue in itself, but this initial access can also lead to further compromises. This is the case, for instance, when servers host multiple applications or when these servers share the same network. Even if the organization audits its applications regularly, recent events have proven that no company is safe from mass exploitation of a vulnerable dependency or a backdoor.
Starting the test from a compromised application server exposes a whole new attack surface, such as access to the code, the configuration files and the data sources. This approach is particularly useful for shared application servers and databases, as well as cloud-deployed environments.
Infrastructure attacks from insiders
From an infrastructure point of view, the “assume breach” concept helps simulate the internal threats to a company. For a long time, companies did not consider the insider threat relevant, but as shown by the yearly Verizon Data Breach Investigations Report, for some industries this risk is real.
Figure 1: Threat profile for Professional, Scientific and Technical Services Industry, Verizon DBIR 2019
The threat model varies greatly between businesses, and also over time, depending on current attack trends and the threat landscape. The starting points of an “assume breach” assessment could be:
– A company laptop, with all defences enabled and realistic business user credentials, to simulate a malicious employee.
– A piece of malware executed in the context of a company user session, to simulate a compromised user.
– A physical network interface, to simulate an external threat actor with authorized presence, such as cleaning personnel, facility employees, visitors…
For this kind of penetration test model, a cooperative approach makes more sense than an audit approach. Interaction with the technical teams leads to tailored tests, close support and realistic recommendations, which is not possible with a purely black-box approach and automated tools.
We are happy to share and discuss this refreshed penetration testing model, which is a strong ally to the other kinds of security assessment. You can also learn more about the “Assume breach” approach and the zero-trust model in this SANS webcast.
Meet us here for even more interesting articles.
Excellium Pentesting Team.