"Hack us to be beautiful"
Disclaimer
This article reflects the personal experience and opinion of its authors and was written to encourage the community to discuss. No names will be called here, no one will be shown with a finger.
We will try to draw attention to what we consider to be a problem of the modern Russian market of information security services.
Introduction
To make the context understandable to the readers, we decided to start from the background. The article was written by an information security analyst (me) and a penetration tester (by my colleague InfiniteSuns ).
Working with customers, we are systematically confronted with a lack of understanding of the essence of the services we provide. Often this misunderstanding is due to the fact that it was transferred to the customer from the company that provided these services. Once during the course of conducting an internal pentest, the elevation of privileges and the elimination of the means of protection on the office machine provided by the customer puzzled the head of the information security service.
Further, in the course of the discussion, it turned out that before that, under the name “Pentest”, the customer was sold a scan of the internal network using “nmap” with the parameter “--script vuln” . Naturally, once again the customer expected similar behavior from the pensters and was genuinely surprised when they started capturing his domain controller.
Sometimes it happens that during the work a separate stage allocates control over the elimination of vulnerabilities identified in the previous study. It also happens that for this the customer provides a report on this very previous study. Looking at such a report, sometimes you wonder at the ingenuity of your colleagues in the market.
Automated scanning of vulnerabilities is sometimes sold at least as pentest, at least as a security analysis. In such conditions it is not surprising that we have to hear from customers something like “Hack us so that it is beautiful.” At some point we realized that we were not the first to notice this:
We leave the reader to think about the question - why there is no clear understanding of the ordered services and their results? Due to the incompetence of information market participants? Or do they intentionally drive customers by the nose, selling simpler services under the guise of complex and expensive ones?
Since we are not happy with any of the two options, we felt the desire to share our own vision and formed a small CheatSheet for practical information security services.
CheatSheet
Types of jobs
Let's look at five different jobs:
')
- Penetration Testing
- Redtimming (Red Team Assessment)
- Security Analysis
- Vulnerability Scanning
- Security Audit
For convenience, we divided all information regarding the above works into two levels:
- Basic (mainly article body)
- Advanced (hidden under the spoiler for those who want to learn more)
The “Base Level” addresses the following key points:
- purpose
- Focus
- Level of maturity IB
- results
The Advanced Level addresses the following key points:
- Examples of tasks
- Methods of achieving the goal
- Work plan
- Completion criteria
Penetration Testing
Purpose:
Determine whether the current level of infrastructure protection can withstand an intrusion attempt by a potential attacker with a specific goal.
Achievement of the task. In this case, the question of the completeness of the detected vulnerabilities is not worth it, but all the vulnerabilities involved in the attack vectors are reflected.
Focus: The depth of the study is more important than the width.
Level of maturity of IB: Medium to high.
Results: The fact and / or probability of hacking (penetration) and obtaining information by the attacker.
- Get unauthorized access to customer information, their funds and other data.
- To penetrate from the office segment in the "battle", where the working servers are located.
- Disrupt the availability of a particular service.
- Get access to the file system with certain rights.
- Compromise software source codes from version control system.
Methods to achieve the goal: All available methods and tools that meet the constraints set by the customer (including social engineering, brute force attacks, etc.). Researchers are looking for the shortest and cheapest way to achieve goals.
Finishing Criteria: The project ends either when the goal is achieved or after the project time has elapsed (if many vectors are considered).
Work plan:
- Get preliminary information about the object (all available sources of information are used).
- Create a network map, determine the types and versions of devices, operating systems, services, applications in response to external influence.
- Identify vulnerabilities of network services, services and applications (including basic analysis of web applications with detection of vulnerabilities that contribute to the achievement of the goal).
- Analyze the vulnerabilities of internal and external resources.
- Prepare suitable attack scenarios. Carry out attacks related to social engineering and / or denial of service attacks (as agreed).
- Perform penetration.
Redtimming
Purpose:
Determine / measure how well your organization can detect and counter a real attack. At the same time, the issue of completeness of detected vulnerabilities is not worth it. only vulnerabilities are of interest, exploitation of which will help to compromise your organization.
Increase the organization’s commitment to confront Advanced Persistent Threat.
Get a more realistic understanding of the risk to your organization.
Focus: It is more important to model malicious actions in the same way as Advanced Persistent Threat.
Level of maturity IB: High.
Results: Confirmation of the ability of the organization’s information security services to counter a real attack.
- As quietly as possible get into the perimeter of the organization and get access to confidential information in any way possible.
- Identify physical, hardware, software vulnerabilities, as well as vulnerabilities to social impact from real intruders.
Methods to achieve the goal: All available methods and tools aimed at a multi-component and comprehensive attack against software, equipment, people and objects.
Completion criteria: The project ends either at the request of the Customer or at the expiration of the project time.
Work plan:
- The work plan depends entirely on the business processes of the Customer.
- Includes plans for penetration testing, sociotechnical research, and physical security testing (offices, warehouses, etc.).
Security analysis
Purpose:
Find all known and potential vulnerabilities and weaknesses that could lead to a breach of confidentiality, integrity and availability of information.
Formulate recommendations to improve the level of security.
Focus: Width is more important than depth.
Level of maturity IB: From low to medium.
Results: The most complete list of detected vulnerabilities and shortcomings.
Methods to achieve the goal: Research using the black / white / gray box method, analyzing the source code, analyzing the structure, functions, technologies used, confirming the detected vulnerabilities.
Completion criteria: The project ends upon completion of checks for the presence of vulnerabilities of all types in all the declared subsystems.
Work plan:
- Determine the method that is appropriate to use for security analysis.
- Build threat and intruder models, if necessary.
- Perform instrumental and manual checks for individual types of vulnerabilities (eliminating false positives and identifying vulnerabilities that are not detected by automated tools).
- Investigate vulnerabilities to confirm their availability and exploitation.
- Exploit a number of the most critical vulnerabilities (as agreed).
Vulnerability Scanning
Purpose:
Find and evaluate all known vulnerabilities in organization information systems.
Regularly maintain and update the state of information security of the organization.
Focus: Width is more important than depth.
Level of maturity IB: From low to medium.
Results: The most complete list of known vulnerabilities found.
- Scan the organization's external network perimeter for the presence of vulnerable services.
- Investigate changes in open ports for services on an organization’s external network perimeter.
- Perform an internal perimeter scan for vulnerable services.
- Analysis of the presence of known vulnerabilities of web application components.
Methods for achieving the goal:
- Automated inspections in accordance with the selected tool.
- Processing by researchers and / or analysts of the results of automated checks and the elimination of false positives
Completion criteria: The project ends upon completion of all checks provided by the automated tool.
Work plan:
- Identify tools that can be used for automated scanning.
- Conduct instrumental checks
- Conduct a manual analysis of the test results (elimination of false positives)
Security audit
Objective: To check whether the information system (or its components) and processes comply with the requirements, best practices or recommendations of regulatory acts, standards and documentation of equipment and software manufacturers.
Focus: Volume of fulfillment of requirements and recommendations is important.
Level of maturity IB: From low to high.
Results: Conclusion on compliance with the requirements / recommendations.
- Check the conformity of the information system STO BR IBBS.
- Check the compliance of the information system with the Order No. 21 of the FSTEC of Russia.
- Check web servers for compliance with CIS recommendations.
Methods to achieve the goal: Manual or automated inspections in accordance with the chosen method.
Completion criteria: The project ends upon completion of all checks provided by the methodology.
Work plan:
- Adapt the method to the object of study.
- Make a list of checks
- Conduct manual and / or automated checks
Source: https://habr.com/ru/post/345646/
All Articles