Penetration Testing is Easy — Too Easy

Penetration testing falls into three basic categories based on the posture of the organization you’re up against. Reality obviously has shades, but here are the main groupings I always seem to run across during internal assessments.

1. Trivial Joke

2. Standard Mess

3. Seriously Stout

And here are some of the primary metrics:

• Asset Management:

  • Do they know what all their systems are?

  • Is that information kept up to date?

  • Would they know if a new system came onto the network?

• Patching:

  • Do they have an automated patching system?

  • Are patches verified, or are they just assuming they were applied?

  • Do they patch everything, or just the stuff that’s not too “scary” to touch?

• Visibility

  • Do they run their own regular vulnerability scans?

  • Do they have their own IDS and/or IPS systems?

  • Do they have logging and auditing enabled?

  • Are they actually REVIEWING this information?

  • Any solution for real-time alerting/monitoring?

• Hardening

  • Are there standards that are followed for hardened system deployments?

  • Is the environment scanned for superfluous services?

  • Do they follow a least-privilege philosophy, or are they in “just make it work” mode?

The more of these questions that result in blank stares the easier it is to get domain admin and harvest critical data. If the answer is no to more than a few of these questions the group is going to fall into either category 2 or 1. Only people doing all of that stuff (and lots more) end up with decently tight networks/systems (3).

Reality

It’s easy to get excited when exploiting systems, pulling hashes, cracking them, getting domain access, etc., but it’s a false high. What are we doing really? In the cases of 1 and 2 the enemy is either in a coma or not even there. How is that a battle? It’s nothing but knowing how to find the droppings of apathy and underfunding, and then knowing what to do with them.

No, you didn’t. The vast majority of penetration testers out there are successful not because they’re exceptional, but because their targets are open wounds. Attacking these networks is like pushing over little kids. Congratulations on that.

Real penetration testing doesn’t start until two things are true:

1. The network/system you are attacking is administered by a serious, properly-resourced security team.

2. There are no known, serious vulnerabilities.

If you start with a brick wall and have to invent new ways of getting in — that’s impressive. Until then you’re simply a monkey with a bag of tricks. Maybe you are a smarter monkey who can do more with less, or maybe you’ve created a few of your own tricks, but you’re still just a monkey.

I know because I am one.

Related posts:

1. The Difference Between a Penetration Test and a Red Team Engagement

2. A 3-Tiered Approach to Securing Your Home Network

3. My View on Abortion

4. The Real Internet of Things: Details and Examples