ACM - Computers in Entertainment

Continuous Penetration Testing

By Darren Manners

Everything seems to move so fast. What was secure today becomes the weak link in your armor tomorrow. In January 2016, the head of the NSA’s Tailored Access Program (TAO), Rob Joyce, was the main event at Usenix Enigma security conference and talked about how the NSA goes about exploiting systems. He went beyond the normal stuff like basic security (which some companies still lack) or going after IT admins. He gave us a good insight into how highly funded advanced persistent threats from state nations or organized crime think. He showed that these organizations only need our defenses down for a moment. Those times when a vendor asks for a backdoor or ports to be opened, or when an administrator makes a mistake in a firewall. That’s all the attackers needs sometimes. In other words, they are watching you all the time. Nothing new there. So why do we still only test once a year?

I realized the limitations of point in time penetration tests years ago when, as a penetration tester, I conducted a test and a month later the company was breached with a new exploit. At the time, the exploit was not available to the public/community. As the price of exploits on the black market increase and the real reason to keep zero day exploits from nation states for either offensive or defense military means continue we will see less and less cutting edge exploits handed to the community.  So while point in time penetration testing does a good job of identifying risk, is it responsive enough for today’s fast changing environment.

If you drink from the security cool aid you will already know that penetration testing is adapting with the rise of adversarial simulation or red teaming. These terms tend to address the zero day problems by not worrying how a hacker got in, but can the attacker be spotted and identified. The focus in these tests is on defense in depth and detection. It is really a counterbalance to mimicking advanced attacks without the need to first break in. It tests the response of blue teams as well as all that expensive detection equipment you have.  But even this type of new testing cannot see how our threat surface is evolving minute to minute.

The evolution to the world of continuous penetration testing was pretty simple. I looked at what the hackers were doing with advanced bots and how they are streamlining and automating attacks.

The continuous penetration testing can be “noisy” looking for low-level exploits that would obviously alert detection tools and block simple attackers, as well as using advance social engineering to mimic the known attack vectors via PowerShell, Microsoft Word/Excel macros and other client side attacks that may not be as noisy. It can even include as credential stealing campaign, using legitimate access to circumvent detection. However our attacks can be removed from every day alerts, as the defender will always know the source. We also add adversarial simulation into the mix as well using advanced tools to test those internal detection and blue teams.

The one major advantage to continuous penetration testing has is spotting those mistakes or errors that may only be open for a day or an hour or two. As Rob Joyce mentioned, it only takes a temporary crack. We can mimic this with advanced automated bots. These bots can be individual or chained together to form super bots to automate advanced attack patterns. It also gives a better return on investment. If you test last week, how do you know this week you’re still good?

Now before I start the penetration-testing world on fire (I can hear testers arguing that this is sacrilege, that we are superior beings that cannot be automated – I remember web developers saying the same thing back in the day though) I realize that not everything can be automated. That is why our continuous penetration testing service is a hybrid operation. At times bots are there to alert the analyst to new potential threat vectors, other times its left to the analyst to use the most important part of the test, their brain.

The main aim of the bots is to conduct everything that can be automated or is a repetitive task. The human is the part of interpretive portion of the test or to conduct something that simply cannot be automated. However, as time goes on, the more intelligence we can put into the bots, the smarter they become.

So all we did was take best of breed products, a number of smart bots that can adapt to environments, drop in a human analyst with the experience to understand and be ready to interpret results and make them all talk the same language and run it 24/7 365 days of the year. So why hasn’t this been done before…oh wait it has, as mentioned by the NSA, the bad guys are already doing it to you.

For more information on Continuous Penetration Testing, please email [email protected]