Trustwave Blog

How Trustwave Uses Enterprise Penetration Testing to Fortify a Client's Defensive Posture

Written by | Aug 25, 2023

Anyone who has played a Tower Defense-style game, (Plants Vs. Zombies being a favourite) knows the only way to hold off the hoard of brain-eating zombies is to know your weaknesses before the next wave attacks and to plan accordingly. 

 

Oddly, preparing a cybersecurity defense is somewhat similar: the player/organization knows attacks are coming, they have an idea from where and how they will be conducted, and they need to place the proper pieces on the board at the right place to stay safe. 

 

And one of the best methods for an organization to learn where to place its defensive pieces is by conducting an enterprise penetration test (EPT). After all, an organization can't prepare an effective defense until its strengths and weaknesses are known.

 

Trustwave as a Force Multiplier

 

Trustwave is here to help ensure your defensive posture is strong and properly tuned to repel an attack. The Trustwave SpiderLabs team has conducted thousands of penetration tests, and with more than two decades of global industry leadership in vulnerability research and findings, we thoroughly understand the threat landscape of known, unknown, and emerging threats.

 

Our elite analysts, threat hunters, and researchers offer support to EPT clients using a blend of onshore, nearshore, and offshore penetration testers. These tests adhere to a CREST-certified methodology, ensuring top-notch, adaptable, and cost-effective testing. To further enhance the EPT service, a local Technical Account Manager (TAM) is assigned to ensure clients derive maximum value from their testing investments.

 

The established methodologies, aligned with industry standards, empower us to uncover even the most intricate vulnerabilities, offering world-class testing solutions to enterprises worldwide.

 

Trustwave has meticulously crafted targeted and comprehensive testing programs designed to fulfil client testing objectives. These programs can be implemented on a flexible basis or integrated into long-term testing strategies. While spontaneous testing provides valuable insights at specific points, a pre-defined security testing program offers a comprehensive perspective on enterprise risk evolution. The presence of a dedicated TAM further equips clients with an expert mentor who reviews findings, devises remediation strategies, and oversees ongoing validation testing.

 

Every EPT engagement culminates in a detailed report outlining actionable roadmaps for remediation. These roadmaps address gaps, facilitate patch implementations, and foster the growth of your organization's security posture.

 

What Exactly is an EPT?

 

Penetration testing is a form of Offensive Security where a human-led team assesses an organization's cyber defenses. 

 

The primary objective is to identify vulnerabilities and then use those vulnerabilities to gain further access into the environment under test. Regular penetration tests aid organizations in mitigating vulnerabilities that are highly susceptible to exploitation by human attackers.

 

Unlike a vulnerability test, pen testing is primarily a manual process in which skilled, experienced teams use various tools and techniques to gain access.

 

In most cases, organizations preselect the systems to be targeted in a pen test and give the tester some inside knowledge about them, such as what an authorized user might have. This is called gray box testing. Other times, pen testers go in with no information about the target to perform black box testing or with a wealth of information and even open dialog with the client security team (white box testing).

 

What are Trustwave Penetration Test Covers

 

A Trustwave penetration test is extremely detailed and utilizes not only the current standards and technologies but brings in the decade's worth of institutional cybersecurity knowledge the company has in its collective memory. 

 

The end result of an EPT is a report that covers every aspect of the test and gives the client complete insight into its security strengths and weaknesses.

 

Let's look at what a typical client report includes.

 

Executive Summary – This covers the general guidelines outlined in the contract covering how the SpiderLabs' pen testers will conduct the test, the areas to be tested, and a brief overview of the results.

 

For example: XYZ Inc. engaged Trustwave SpiderLabs to perform an External Network Penetration Test.

 

The primary objective of this security test was to evaluate the resiliency of XYZ Inc.'s systems and network to various attacks launched from the Internet.

 

SpiderLabs conducted the test between the dates of January 1 - 20, 2023. Over these dates, during the predetermined testing times, a SpiderLabs consultant analyzed and tested the attack surface of XYZ Inc.’s target perimeter network to find and exploit any vulnerability discovered.

 

The targets comprised a single website and a list of 32 IPv6 and legacy IPv4 addresses.

 

Test Scope – Every test is based on agreed upon limits imposed by the company.

 

XYZ Inc. set limits on the scope of the test. Trustwave performed the testing as an external, unauthenticated user with minimal knowledge of the environment (i.e., blackbox testing methods). The rules of engagement followed for all testing included the use of techniques commonly used to exploit vulnerabilities and gain access to systems, but not techniques that intentionally destroy data or harm the ability of devices to function, such as denial of service attacks.

 

Results Summary - The summary includes the definition of what the Trustwave team deemed a compromise or vulnerability based on the agreed-upon parameters. It then lists any system or application SpiderLabs was able to compromise during testing, and it documents significant vulnerabilities discovered that may require an additional attack vector beyond the scope of the initial engagement to leverage a compromise.

 

Tactical Recommendations – Included here is a detailed list of methods the client can use to fix the issues found during the test.

 

This list can include additional penetration testing using different parameters, red team testing, or the need for the client to bring in additional security resources, and how the client's current security program compares to the CIS (Center for Internet Security) Controls. If the client does not have an established information security program based on industry best practices, SpiderLabs advises it to review the CIS Controls for Small- and Medium-Sized Enterprises (SMEs).

 

Testing Methodology – Here SpiderLabs breaks down how it conducted the penetration test. 

 

SpiderLabs will note in the report:

 

  • The primary goal in conducting the penetration test was to circumvent system, network, and application security controls and as such, gain access to systems and designated data an unauthorized user should not be able to obtain. Working within the defined parameters of the test, including time constraints, SpiderLabs attempted to identify and exploit whatever system, network, and application vulnerabilities were necessary to achieve the above-stated goals.
  • In performing the test, SpiderLabs may not have located and detailed all vulnerabilities inherent in the environment; rather, the testing is meant to ascertain as a whole, the resiliency of the exposed network perimeter to a determined attacker. Thus, the concentrated attack simulation was structured in such a way as to enable XYZ Inc. to accurately understand their current controls and how they could be circumvented during an actual attack.
  • No attempts were made to disguise any attacks, as this was not a stealth penetration attempt. It should be noted that real attacks might not be as obvious to system administrators. The noise generated by this engagement is not typical and should not be used as a comparison to judge actual penetration attempts by malicious individuals.

 

Narrative – In this section, the SpiderLabs team pulls together the entire event from start to finish and thoroughly explains the team's goals, tactics and results. 

 

Here are a couple of examples showing how the report will describe the work: 

 

  1. The goal of this test was to gain either systems-level access, demonstrate a proof of concept for a vulnerability discovered, or to be able to extract sensitive data in some way from the test environment. The goal was not to document every vulnerability discovered but only those vulnerabilities that the consultant deemed worthy of further investigation or remediation, as they could lead to further exploitation.

 

  1. Additional websites were discovered on the same pair of IP addresses when using the discovered hostnames, including a mixture of login screens and blank pages. This highlights the importance of testing hostnames rather than IP addresses, as these sites would not have been discovered without the hostnames. As these hostnames were discovered via open-source reconnaissance, additional hostnames may have gone undetected.

 

 

Risk Assessment – The team then breaks down the findings in an easily digestible manner, so the client gets a clear view of its problems. The report uses a bulleted list of the critical, high, medium, and low risks that SpiderLabs found during the test. 

 

A critical finding could be that the attack scenario tested in this exercise succeeded and resulted in a systems compromise, and a "high" rated finding could be that no controls to prevent the exploit are present or controls to prevent the vulnerability from being exploited are ineffective. Medium and Lower rated risks are that exploiting the discovered vulnerability requires a skilled attacker, making it less likely the vulnerability is dangerous, or that controls are in place to prevent, or at least significantly impede, the vulnerability from being exploited.

 

Here is an example: 

 

Findings – Here, the report individually lists every finding with a description, remediation plan, and the evidence that it exists in the client's system. Here is an example.

  

Issue: Backup Files Downloaded from Web Server Information Leak

 

Description: During the assessment, it was discovered that backup files were present on the web server, which could be downloaded without any authentication. The following backup files were discovered:

 

A copy of the PHP source code for the billing application hosted at https://billing.example.org including what appeared to be database credentials.

 

The backup data appeared to be old, as the layout of the live application on https://billing.example.org appeared to differ significantly from the recovered source code. Similarly, usernames and passwords found in the database backup did not appear to be valid on the live system. For this reason, the severity of this finding has been reduced.

 

Remediation: Ensure that backup and any other sensitive files are not accessible from the web server. SpiderLabs recommends that a routine 'house-keeping' exercise be carried out to remove any backup or old unnecessary files from the web server.

 

Evidence: Sample directory listing from the file "src.tar":

 

 

Additional information may be included in an attached appendix, but with this report in hand any Trustwave client is better prepared to defend itself.