7 Planning for a Controlled
PARALLEL ISOLATED
There are occasions where the multi-phased test is performed in parallel, but no information is exchanged between the consultants performing the tests. This goes much further than limiting information to certain types or withholding data from the following phase; no data at all is passed from one phase to the next. The typical reasons for executing the engagement in this way are time limitations, or the scale of the client's company demands multiple resources and performing the phases serially would take an overwhelming amount of time and, ultimately, money (see Figure 7.2).
There are few security reasons to perform a test of this type to mimic a real assault. In nearly all cases, the driving factors are money and time. For those who use or plan to use this type of attack without these driving limitations, and who wish to replicate some form of threat, the objectives should be reviewed to ensure a real-world scenario is being enacted.
SERIES SHARED
There is always the potential for an attacker to move from a digital attack to a physical one. This is especially true in comprehensive and well-funded attacks, such as espionage or terrorism. There are also examples of hackers failing to gain their targets through traditional mechanisms and resorting to physical theft of the information.
On the other hand, it can also include the criminal seeking and obtaining employment at the target company and waiting for the right opportunity to strike. The final attack may be theft or obtaining enough information about the company’s security measures and practices to launch a successful attack remotely (see Figure 7.3).
No matter the scenario, there exists a credible threat to organizations of individuals gaining employment for the simple purpose of attacking them later. Given threats of this nature, some companies will use multi-phased attacks performed in series by one or more consultants or even more than one consulting firm, using the best attributes of each company. The more people and services firms that are involved, the more difficult it is to share information, as opposed to one resource performing the entire engagement. Nevertheless, depending on the timeframe, investment, number of people, and scale of the client, the typical number of consultants is low.
[Figure 7.2: Multiple Simultaneous Tests without Sharing Information. Three testers work in parallel over time on Phase 1 (Internet-based tester with zero knowledge), Phase 2 (Internet-based tester with limited knowledge, two testers) and Phase 3 (internally based tester with general knowledge), each phase running reconnaissance, enumeration, analysis, attack and results. No exchange of information is permitted between testers at any phase, a tester cannot work on multiple phases, and specific information is provided by the target only at the start.]
SERIES ISOLATED
Series multi-phased penetration tests where information is not transferred from one phase to another are typically practiced when each phase is considered unique and unrelated, and there is ample time allotted to the engagement. This technique is also leveraged when there is a great deal of management associated with each phase. For example, a customer may want an Internet-based attack to include reconnaissance, enumeration, and vulnerability analysis, but stop at that point to evaluate the discovered vulnerabilities and determine what they consider to be the next step in the engagement based on the findings (see Figure 7.4).
[Figure 7.3: Sequential Testing Permitting Information to Flow from One Phase to the Next. Phase 1 (Internet-based tester with zero knowledge), Phase 2 (Internet-based tester with limited knowledge) and Phase 3 (internally based tester with general knowledge) run one after another over time, each with one tester (or the same tester); information is exchanged between testers at the completion/start of a phase, and specific information is provided by the target.]
[Figure 7.4: Sequential Testing without Permitting Information to Flow from One Phase to Another. The same three phases run in series over time, each with one tester who cannot be the same as in the previous phase; there is no exchange of information at any point between testers, and specific information is provided by the target only at the start of each phase/group.]
The same milestone management is typically applied to each phase, moving to limited-information Internet attacks and on to internally based attacks. Each phase is measured and evaluated on its own merits and there is no consideration or assumption of collaboration of the assumed threat type. Therefore, the use of this method makes a clear statement about the assumption of threat. By eliminating the exchange of information from one phase to another, it could be argued that an optional intrinsic value of the test is being ignored. Conversely, companies may not agree with the type of threat and actually glean insights from the fragmented attack style. In fact, there are arguments for and against series-isolated forms of a test. In either case, ensure that the test structure is reflective of the business goals for managing risk.
VALUE OF MULTI-PHASE TESTING
It is safe to assume that information is the key to a successful test, or a real attack for that matter, and managing information in a multi-phased, or even a straightforward, penetration test can directly affect the true value of the test being performed. If the fundamental motive for having a penetration test executed against your environment is to see how well you stand up to a hacker, then you must consider the access and flow of information to maintain a real-world scenario. It is for this reason that imposed limitations can become the catalyst for limited or insignificant results from a test.
Based on the type of threat a company is seeking to replicate and test their network’s and system’s resistance to certain types of attack, the structure and method of a multi-phased attack becomes a key component of the value perceived at the conclusion of the test.
In a parallel or series-shared multi-phase attack, for example, information shared between the phases at certain times has the potential to increase the realism of specific threats. In Figure 7.5, the gaps represented by the letters A, B, and C close as information from one phase is passed to another. Information feeds, such as 1 and 2, are passed to the informed yet external tester, greatly escalating their potency in the overall test. As the informed tester uses feeds 1 and 2, there is an opportunity to feed data to the zero-knowledge tester (feed 3), making her more effective, and the cycle continues.
There are several reports detailing the level of risk related to internal threats. For example, the ability for any half-baked person to download a sniffer, set up a trigger, and start collecting POP passwords is trivial, but this simple technique can lead to serious problems. Although this threat can be assumed for many companies, one cannot assume the extent of that exposure. Most, if not all, networks use switches, networking devices that segment networks, reduce network noise, and enhance performance. One of the many attributes of switches is that packets go only to the destined segment. The result is that Mr. Hackwannabe, sitting in the warehouse on a dedicated segment, is typically not going to see traffic between two distant networks. It is for this very reason that organizations seek ethical hacking, to determine the level of exposure, but there needs to be more effort on deriving the probability of the attack to evaluate the real impact.
The above example is painfully simplified and does not demonstrate the innate complexity of attacks, internal or otherwise, but the goal is to provoke thought about the scope of an attack and the criticality of the structure and assumptions made about the attack methodology. Multi-phased penetration tests are an opportunity to test many types of threats by well-planned information management and timing of the phases. By manipulating information flow and when a test is performed, companies can achieve a greater understanding of the security of their environments, and usually in much less time than assumed.
EMPLOYING MULTI-PHASED TESTS
Employing a multi-phase attack has the potential to introduce several types of complexities and costs to the target. Nevertheless, many of these challenges are greatly outweighed by the potential for considerable value from the test. Understandably, complexity is the most prevalent reason these engagements are not seen performed more often. But complexity is not the only reason. Companies looking to have tests performed usually have a predefined perception of what they want, leading to a conclusion on the scope and methodology of the test they expect. Vendors of ethical hacking services are more than capable of performing complex tests, but comprehensive testing scares many of their customers.
In an effort to quell some of the confusion about the trade-off between value and complexity when considering the use of multi-phased attacks, Tables 7.1 and 7.2 provide characteristics of each to help make a decision.
The easiest approach to a multi-phased test is to compare the scope of the test to the goals and look for opportunities to segment the engagement. If segmentation is a plausible avenue, one needs to investigate the advantages of how information can be used to gain the most value from the test. Although it does require more planning, keeping it simple will go a long way. Isolate the information that is to be shared between testers from the information provided by the target. Clearly define what type of information is needed to represent the threats that meet the objectives. Once the information is identified, determine points within the engagement to provide the data to get the most value. As long as the information is managed appropriately, the opportunity to learn much more with roughly the same investment is considerable.
[Figure 7.5: Impact of Overlapping Information in a Multi-Phased Approach. Vertical axis: level of threat replication, starting from a threat baseline; horizontal axis: time. Tester types progress from Inside Tester through Informed External and Zero External toward a real hacker; the gaps A, B and C between them close as information exchanges 1 through 6 pass data from one phase to another.]