Sometimes the best defense is a good offense. To first do this, you need to think the way the offense of the other team thinks. In cybersecurity, this is done via penetration (pen) testing which serves the purpose of finding network flaws that could potentially be exploited by attackers sometime in the future. One statistic that is constantly quoted is how there is a hacker attack every 39 seconds in the U.S. alone. The one thing about this statistic is that it is over 11 years old. This makes you rethink its current validity and how much more often a hacker attack happens now in comparison to 2007. Considering that today’s complex security landscape harbors emerging threats on a regular basis, we must face the fact that we encounter a plethora of more vulnerabilities than ever before.
Through developing a mature security team and enabling them to work to their full potential, organizations must be proactive in deploying a penetration testing program alongside their vulnerability management program. Once an organization understands that these programs are a necessity to implement, they must follow through with conducting an internal penetration test. These internal pen tests require all hands-on deck to thoroughly document all known vulnerabilities and the necessary actions that an organization needs to fill those vulnerabilities. Without further ado, let’s look at the steps for conducting an internal pen test and why your organization needs one more often than you might think.
Internal Penetration Test
An internal penetration test is similar in nature to an external penetration (pen) test, but with less variables and options for testing. Whereas external pen tests allow organizations to test in either a black, white, or grey box methodology, internal pen testing does not have that type of flexibility. A black box testing methodology requires the attacker to have little to knowledge of the organization’s existing security structure, but since internal pen testing is carried out by an internal employee, it is impossible for them to not have any knowledge of the network architecture before the test is conducted.
Since the simulation of an internal pen test scenario is done when an attacker is present inside the organization’s network, it can holistically test vulnerabilities, passwords, network configurations, and internal monitoring controls all at once. An internal pen test calls for a security engineer to connect to the organization’s internal network and gain access to sensitive organizational resources via an internal network connection. This test is a real scenario that happens often in organizations where a malicious actor gains a foothold on an internal asset and exploits it. This malicious actor could either be a present or former employee or an external entity that has acquired internal server login credentials via the negligence of a current employee.
An internal pen test is done within the building access or host security system whereas an external test simulates an attack on the organization via an internet connection. The main difference is that even though both look to weed out possible vulnerabilities, an external pen test focuses on an attack originating from outside the perimeter of the company’s firewall whereas an internal pen test is carried out from within the confines of their firewall. Due to the closed quarters attack measurable in place, it takes a coordinated effort by the attacker to access unauthorized resources. This makes the role of the support staff essential for documenting the progress of the attacker and tracking the vulnerabilities that are present within the organization.
Once the attacker has connected to an active network port from within the internal network, they must source the location of specific network authentication credentials that give them administrator access. This essentially unlocks all doors in their favor and since they don’t have a firewall to sneak past, the attack could be carried out much more quickly, thus giving the attacker more time to exploit vulnerabilities if they exist. The most devastating part of an internal attack is the fact that these scenarios entail the attacker already having detailed insider knowledge of where coveted files are located within the network and where they are located. This is a luxury that external attackers don’t usually know from the start of their exploitation campaign(s).
Internal Penetration Test Checklist
92% of organizations with a cybersecurity program in place conducted pen testing per a 2015 survey. 35% of these survey respondents cited their desire to reduce risks in their network infrastructure through conducting a penetration test. Whether it’s a malicious insider or simply a negligent employee who exposes your organization to a phishing attack, organizations must consider evaluating their cybersecurity efforts from an attacker’s point of view who has already gained access to the internal network. This is where conducting an internal pen test comes into play. Let’s review the specific series of events that your organization needs to adhere to for conducting an internal pen test that keeps your company safe from internal threats:
Preparing for an internal penetration test takes following the checklist from preparation to reporting. Let’s begin with preparation which first requires that you plan technical points of contact for the team to use before, during, and after the testing commences. Your organization must select the internal point person who will be on call during the test to ensure that all responsibilities maintained in the scope of the test are met. Once this internal point person is identified, a team needs to be deployed that aligns with what is being tested. Having this alignment in place allows your organization to better facilitate an effective line of communication during the pen test.
Once the team is configured, the preparation must detail how the test scope, objectives are in line with the prioritized business goals. Sure, you could audit everything, but if a portion of what is being assessed isn’t on scope, then it’s going to be a drain on your budget and your team’s time. Once the scope has been defined, your organization must also decide which approvals and access controls are necessary for the pentester to obtain prior to the execution of the test.
The next step is to create a formal approval agreement with the pentester that must be signed prior to conducting the pen test. Since an internal pen test is essentially the mimicking of a cyber-attack, it’s best to get everything that is anticipated to be carried out in writing for a formal agreement to ensure that everyone is on the same page. This last portion of the preparation process should involve intricate discussion between the pentester and senior staff that outlines which parts of the organization’s systems are to be tested and which are off-limits.
Following the commencement of the internal pen test, the pentester will first seek out any available vulnerabilities using a myriad of tools and tricks (the same ones that are effortlessly deployed by malicious attackers). From this point, the pentester will examines the internal IT systems for any weaknesses that could possibly be used to disrupt the integrity of the network. With the access the testers gain in a secured system, advanced techniques and analysis are done to measure the magnitude of the damages that could be caused by each vulnerability. The source of each vulnerability is tracked by software which allows the organization to address each weakness upon the test’s completion.
Internal pen tests are preferable to organizations that wish to mimic the actions of an actual attacker exploiting weaknesses in network security without experiencing the lasting exploitation effects. As the attack techniques cybercriminals use have evolved, so to have internal pen testing exploitation methods. The task of exploitation is used to identify potential weaknesses in a cybersecurity program for the IT team to remediate after the test has commenced. Sensitive data that is usually stolen in these real-life (not pen test) scenarios usually either pertains to research documents, company financials, or customers’ payment information. The pentester is tasked with mimicking a true internal attack which not only looks to acquire sensitive company information, but also cover their tracks to prevent the company from finding out that they initiated the breach.
In the end, an internal pen test can provide organizations with an instant picture of the biggest risks to their network infrastructure based on the overall security of their internal IT. Following the completion of the internal pen test, the pentester and security team must report to the senior staff (and possibly the board and/or stakeholders) their findings and formulate a plan for remediation of said vulnerabilities. The final report will assess the overall health of the organization’s network while also offering recommendations for how to combat a malicious attacker when they perform the series of maneuvers that they did during the test. These reports are prepared in a format that prioritizes remedies that are necessary to fix the identified vulnerabilities.
Protecting Against Internal Threats
According to one report, the average time it takes for U.S. companies to detect a breach in their network is 98 days with some breaches not being discovered for 197 days. With more of today’s cybercriminals employing “internal methods” for penetrating organizations, companies need to be proactive in their approach towards patching up their vulnerabilities well before a malicious attacker exploits them. Employing security measures on the inside and outside allows the organization to possess a “defense-in-depth” approach to their information security and eliminate blind spots and vulnerabilities.
The internal pen test is also intended to test the Intrusion Detection System and the forthcoming employee response to the detection of a rogue attacker in the network. Even though rogue employees are a likely occurrence for your organization, it is still paramount to keep your critical internal systems secure on the off-chance that one is roaming in the midst. No matter the source of the attacker, one thing that’s for sure is that their motives and methods are varied, which can make them harder to anticipate. Therefore, security teams must be aware of all vulnerable points in the authentication of employees for access to sensitive company information that could possibly be used as attack vectors.
The fact remains that more of today’s cyberattacks don’t look like external threats. They look more like internal users who are accessing systems and services abnormally. Unless security teams are focused on their network security controls, they risk the attacker compromising their system via phishing techniques to gain access to sensitive systems under the radar. Using information gathered from an internal pen test allows the organization to plan a defense against any hacking attempt. Internal pen tests can check for misconfigurations such as faults in error handling that would allow employees to access and inadvertently leak information online. With user privacy and data security being a top concern, it’s recommended to conduct internal tests as often as your organization performs external pen tests.
Sometimes, internal pen tests get put on the backburner by organizations. The reasons for not putting enough effort into internal pen tests as external pen tests pertains to the comprehensive nature of an external pen test. Companies possibly feel that if they can remediate any vulnerabilities in their external and internal network that were identified via an external pen test, that a specifically internal pen test is unwarranted. An internal pen test should be used as a type of quality assurance (QA) test gives the organization a deep look at possible flaws in network architecture and design, operating system (OS), application configurations, while also giving needed input on human behavior. When the internal pen test is conducted in line with the necessary tasks in the checklist that we have defined above, your organization can sleep better at night knowing that you have far superior internal IT security than before.