7 Planning for a Controlled
MULTI-PHASED ATTACKS
Many companies look to have several types of penetration testing performed in parallel or series in an attempt to gather as much insight into their security posture as possible. Usually multi-phased tests are based on source points of the test, information provided to the testers, when the information is provided, and any supporting materials associated with the test, such as a username and password. Multi-phased tests represent a plethora of management and value challenges due to the number of phases or resources working on the engagement, but the value realized from the exercise can be exceptional.
In a multi-phased test, the concept is to determine the security posture of the organization at the various levels of access and knowledge that a hacker may potentially obtain. In this scenario, an Internet-based attack is typically performed with zero knowledge provided to the tester, followed by a limited-access attack, such as a VPN account, dial-up access, or a username and password to a terminal system such as Citrix or Microsoft’s Terminal Server. The final step is for the customer to provide the tester with internal access to the network. This is usually accomplished by allowing the tester to act as an employee with all the usual credentials. On some very rare occasions, the client requests the internal tester to act as an administrator within the organization.
There are few situations where providing administrator access to the tester provides any value to the customer for obvious reasons. With administrator access virtually anything is possible, negating the effectiveness of the test. However, for companies who employ separation of duties, this can be beneficial to measure the ability of a single person to perform administrative functions that would normally require more than one employee. Separation of duties is a practice whereby certain tasks require more than one person to accomplish them, thereby reducing the ability of a single person to make illegitimate changes to systems. A very simple concept in theory, but difficult to implement and maintain, especially in companies that have limited administrative or security staff.
In a serially performed engagement, one or more consultants are used in each phase before moving on to the next. In parallel, multiple consultants are used at the same time, performing each exercise simultaneously. In each type, the exchange or transfer of information about the client’s network to the testers increases, providing more insight into the various vulnerabilities. How this information is shared and used throughout the penetration test can impede or support the overall value of the test, and the results will reflect the type of threat the test is trying to replicate. As you can see, this can become very complex, and the value of the test rides on the ability of the client as well as the professional services organization to properly plan and execute in accordance with what the test was determined to mimic.
By combining types of attack, such as from the Internet with no information, with limited information, and from inside the target, with how information is shared among these phases, a great deal of insight from the test can be had. The key is determining the information to provide to the testers, when, and in what context relative to the other testers and phases. In a series multi-phased attack, this is fairly simple because when one phase ends another starts, providing a direct correlation to the information timing. In contrast, in a parallel attack the flow of information and when one tester is privy to data collected by another can greatly affect the outcome of the test. In many cases companies will seek a parallel test to shorten the time allotted for the test and avoid the complexity altogether by asking that information not be shared.
So what is the big deal? The fact is that information about a target’s network, systems, or applications is key to the entire test. More data available to the testers means more opportunity to find a vulnerability or exploit a weakness. Depending on how you interpret your security posture, level of exposure, and threat signature, you can tweak the test to best reflect the available investment and business demands concerning security.
If a company is concerned about collusion between an employee and an outside hacker, then a parallel attack with sharing information between them is needed. On the other hand, if the client is worried about a hacker targeting her company (starting with the Internet and then gaining employment), a serial attack should be used. Finally, there is a time limit to the test that may demand a parallel test to mimic an attack by a single person (moving from hacker to employee, such as a serial attack), but using multiple testers not sharing information learned about the client’s environment during each phase. The following explanation should help in summarizing each of the four types:
1. Parallel shared
2. Parallel isolated
3. Series shared
4. Series isolated
PARALLEL SHARED
Multiple resources attacking the client network from the Internet, with limited access, and internal presence at the same time, and sharing information between them to gain added benefits, is an example of a parallel-shared attack structure.
Companies should employ this type of attack when they are concerned about employees collaborating with hackers to obtain information or money. It is worth noting that many crimes, physical and digital, that result in financial losses—typically cash—are the result of insider participation in the planning and execution of the crime. The timing of sharing information can also influence the ability to mimic the threat. In some cases, the information from a previous phase is concealed from the following phase until a certain point is achieved or the second phase has reached a dead end. Previously obtained characteristics about the target are then shared from one tester to another to stimulate the following phase, and so on throughout the engagement. In addition, some clients have placed stipulations controlling the type of information that is conveyed from one phase to another.
For example, the Internet penetration test may be immensely successful in obtaining usernames and passwords to critical systems. If this data were to be utilized during the second, or limited-information, phase, the customer-provided username and passwords could be negated, adversely affecting the entire test-to-threat strategy. One of the more complicated aspects of the parallel-shared method (shown in Figure 7.1) is the direction of the information flow. It may be readily assumed that information is flowing outwardly, such as the internal threat resource sending data to the Internet-based attacker to support the external attack. However, there may be situations where the limited or even the Internet-based attacks can obtain interesting information to assist the internal tester. An example is the internal tester, acting as an employee, who may not have electronic or even physical access to certain parts of a data center that may store all the electronic commerce transactional data. In contrast, the Internet attacker may have collected information about the system, such as a password or an application hole, that is better exploited internally due to other cyber obstacles facing the outside tester.
FIGURE 7.1 Impacts of Multiple Attackers Sharing Information Simultaneously
[Figure: three testers plotted against time, with specific information provided by the target and an exchange of information between testers throughout the execution of each phase. Phase 1: Internet-based tester with zero knowledge (1 tester). Phase 2: Internet-based tester with limited knowledge (2 testers). Phase 3: internally based tester with general knowledge (1 tester). Each phase runs through Reconnaissance, Enumerate, Analysis, Attack, and Results.]