The year was 2020. People were delighted to read yet another article about how bad it is to open letters from strangers, especially ones with attachments, how dangerous it is to plug dubious flash drives into a computer, and how hackers in some faraway country moved millions of dollars from one account to another with a snap of their fingers. Analytics saying that 7 out of 10 banks can be hacked by two hackers in a couple of evenings seemed commonplace to people in 2020. Ordinary users were not even scared: they simply perceived such news as a separate Marvel universe and occasionally asked acquaintances who "know computers" to hack VK for them. Only security experts understood that everything was not as simple as it seems …
In 2020, the word "pentest" is already familiar to many, and all mature companies carry out such work on a regular basis. Some have even formed a staff of specialists and test themselves daily. The number of security tools keeps growing, the best security practices are available on the Internet for free, and security processes are built according to the best methodologies. At the same time, the belief still sits in people's minds that nothing can stop hackers: if they need something, they will get it. As a hands-on penetration tester, I want to talk about this phenomenon today.
“What was a feat for the previous generations, for the next is a regular job”
10-15 years ago, information security was associated with fun: you could hack anything, and nothing happened to you for it. Everything was "full of holes", but that frightened few people. Hackers broke in for the thrill of it and bragged about their feats to friends at the bar. Today information security is already big business: hacking something quickly and easily happens only by luck, and doing it "properly" is expensive.
The threshold for entering practical information security has become higher. Earlier, someone could show up at a customer's site not in the best shape, repeat a couple of tricks from videos watched on the Internet, and hack the organization, taking a domain controller, for example; now that works in far fewer places. Problems appear at every turn and in every area, at least in part because recommendations from previous pentests have been implemented. Below I will discuss the problems you can run into when starting work on a penetration test.
Internal testing (or disloyal employee)
Let's take a penetration test from the internal network: now you can't even plug into an organization's network outlet just like that. You come to a customer, take out a laptop, connect with a cable to Ethernet and … nothing. You assume you need to bypass the control of connected devices, and it's fine if you only need to find a legitimate MAC address somewhere, but what if the MAC is bound to a port? What if the number of MACs on one port is limited? And what if there is 802.1x (Cisco ISE) with certificates and competent profiling? Then you need to find a domain account and a client certificate to go with it, or wedge yourself into someone else's traffic as a MITM and pretend to be a printer, or proxy through a legitimate host. Do you feel it? This is nothing like rapidly tapping on a keyboard as shown in the movies.
You start scanning the usual subnets (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), and all ports are closed or filtered, and then access is lost completely. These are our favorite firewalls with a properly configured segmentation policy. You slow down and use stealthier reconnaissance techniques, but you are thrown out as soon as you use exploits: that is the IDS/IPS, and goodbye, unauthorized access.
Say you made your way onto a host: then either the antivirus finishes you off or the SIEM exposes you, and if you did get a shell, it turns out to have limited rights, all the current patches for LPE are rolled out, and on top of that the lsass.exe process is isolated. Mechanisms for detecting anomalous user behavior are bolted on as well, DLP is deployed, poorly configured perhaps, but your PowerShell running on the accountant's workstation will already be noticed.
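The "PowerShell on the accountant's workstation" case above is exactly what a behavioral rule in a SIEM or UEBA product catches. The following is an added example written for this article, not the author's code or any vendor's detection logic: it scores constructed process-creation events (in the spirit of Windows Security event 4688, simplified to CSV) against a per-user baseline of normally used programs. The hostnames, usernames, baseline contents and the score weights are all assumptions chosen for illustration.

```python
"""Toy UEBA-style rule: flag a shell launched by a user who never runs one.

Added example. Sample events and the baseline are constructed, not real logs;
field names are a simplified stand-in for Windows event 4688 data.
"""
import csv
import io

# Constructed process-creation events: time, host, user, new process, parent.
SAMPLE_EVENTS = """\
time,host,user,process,parent
2020-05-04T09:01:00,ACC-PC01,ivanova,excel.exe,explorer.exe
2020-05-04T09:03:00,ACC-PC01,ivanova,1cv8.exe,explorer.exe
2020-05-04T10:15:00,IT-ADM01,petrov,powershell.exe,cmd.exe
2020-05-04T11:42:00,ACC-PC01,ivanova,powershell.exe,winword.exe
2020-05-04T11:43:00,ACC-PC01,ivanova,powershell.exe,cmd.exe
2020-05-04T12:00:00,HR-PC03,sidorov,pwsh.exe,explorer.exe
"""

# Constructed 30-day baseline: which programs each user normally runs.
BASELINE = {
    "ivanova": {"excel.exe", "1cv8.exe", "outlook.exe", "winword.exe"},
    "petrov": {"powershell.exe", "cmd.exe", "mmc.exe"},
    "sidorov": {"outlook.exe", "winword.exe"},
}
ADMIN_USERS = {"petrov"}                      # assumed IT admin group
SHELLS = {"powershell.exe", "pwsh.exe"}
# A shell spawned by an Office application is the classic macro pattern.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}


def parse_events(text):
    """Parse the CSV sample into a list of dicts (one per event)."""
    return list(csv.DictReader(io.StringIO(text)))


def score_event(ev, baseline, admins):
    """Return (score, reasons) for one event; 0 means 'nothing to see'."""
    proc = ev["process"].lower()
    if proc not in SHELLS:
        return 0, []
    score, reasons = 0, []
    user = ev["user"]
    if user not in admins:
        score += 2
        reasons.append("shell run by a non-admin user")
    if proc not in baseline.get(user, set()):
        score += 2
        reasons.append("process not in the user's baseline")
    if ev["parent"].lower() in OFFICE_PARENTS:
        score += 3
        reasons.append("spawned by an Office application")
    return score, reasons


def find_anomalies(events, baseline=BASELINE, admins=ADMIN_USERS, threshold=3):
    """Return alert dicts for every event whose score reaches the threshold."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev, baseline, admins)
        if score >= threshold:
            alerts.append({
                "time": ev["time"], "host": ev["host"], "user": ev["user"],
                "process": ev["process"], "score": score, "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(parse_events(SAMPLE_EVENTS)):
        print(f"{alert['time']} {alert['host']} {alert['user']} "
              f"{alert['process']} score={alert['score']}: "
              f"{'; '.join(alert['reasons'])}")
```

The admin's own PowerShell on IT-ADM01 scores zero because it is both expected for that user and in his baseline; the accountant's shell spawned from Word scores highest, and even the "quiet" launch from cmd.exe on the same workstation still crosses the threshold, which is the point the paragraph makes: the tool being used is ordinary, the context is what gives it away.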
If you physically try to break into someone else's PC while the employee is on sick leave, you will find that the BIOS is password protected, the hard disk is encrypted with BitLocker combined with a PIN and a TPM, and nothing can be extracted from the computer.
Say you got an Active Directory domain account and are glad that you can now carry out your favorite attacks on AD: Kerberoasting, AS-REP Roasting, delegation attacks. But no such luck. Everything has been taken care of: passwords cannot be brute-forced, attacks on the domain are detected by Microsoft ATA, outdated hosts are moved into a separate domain, and on top of that the architecture is built on Red Forest, so even compromising the user domain will not bring the desired result.
External Testing (Internet Hacker)
You try to hack something on the external perimeter, and Anti-DDoS and a WAF are already there, the application is developed according to SSDLC principles and tested before being released to production. Data between client and server is encrypted and all user input is validated in several ways. Sometimes an application is written on some newfangled framework and layered with a pile of enterprise technologies; the developers themselves have only just figured out how to add a module after six months, so where are you going with a week of "black box" fuzzing?
Mobile testing (hacker with phone)
Let's take a mobile application: here the platform itself already protects would-be developers from many shots in the foot. Unencrypted traffic will soon be banned completely. Conscientious developers have shifted the emphasis to protecting the server side, because if the server has no "holes", they will not work from the client either. Those who went further mastered the OWASP Testing Guide, learned to detect rooted devices and implemented SSL pinning. And that's it: the impact of the remaining shortcomings is insignificant.
Wi-Fi (hacker with Wi-Fi adapter)
There is no point in discussing it at length. Either WPA2-Enterprise with client certificates is used or it is not. Now WPA3 is on its way: even management traffic is encrypted there, and the session key is reliably protected. At first, of course, there will be implementation errors, but those are no longer shortcomings of the protocol as a whole.
One more factor: all security tools are now starting to unite into one ecosystem, and as soon as you touch one edge, the whole web begins to shake. Just looking at the families of solutions from Cisco and Microsoft, as a pentester, I am already daunted by how painful covert work will be in the coming years. Moreover, "auto-testers" are appearing on the market, for example the PenTera or Cymulate solutions, which will soon start taking some of the bread from pentesters. And there are still security startups with machine learning, neural networks and pseudo-AI ahead. So far it all looks raw, but give it a couple of years …
Someone will say that this is an idealized picture and there will always be holes. I will answer that, watching how information security matures in companies, I come to the conclusion that in two years the "cost" of hacking will be quite high even for experienced specialists … I think that in the near future, hacking a bank remotely will be as rare as physically robbing one in 2020 (do you know of many recent successful cases?).
What is my conclusion? Security is becoming more complex, and perhaps in the future the problems in this area will become more manageable. But should we just close our eyes and wait for that future to arrive? No, we must take steps to build this very future.
5 tips for companies
- Use gray-box pentests more often.
Everyone is already tired of scanning your hosts with nmap and Nessus, then determining software versions, stumbling upon a pile of security tools and trying to detect and bypass them by their telltale signs. As a result, the lion's share of time is spent on routine work that brings you no benefit and is not interesting to the technical specialists. Think through the attacker model and realistic timeframes, provide accounts and instructions for working with the system, consult the specialists during the work: after all, you yourself want to be hacked and to have all the pitfalls revealed. Use a new attacker model and starting point each time, come at it from every side or from every component; only this way will you build defense in depth.
There is a joke: 10 pentesters will not be able to withdraw even one ruble, even if they hack all the bank's servers. This is partly true, because here you need a person who understands the software of that particular bank and works with it every day, not an outside hacking specialist.
- Spend more time on pentests.
Historically, pentest work (in one direction) takes one or two weeks, which already makes the objectivity of any such work extremely doubtful. Vulnerabilities are not always found quickly. It is necessary to extend the timeframe and allow specialists to carry out thorough analytical work.
- Try Red Teaming or continuous pentest.
When you bring in a new administrator, how long does it take them to get their bearings? A few months? And that is only for their own range of tasks; what can we say about pentesters who must come, see and conquer in a couple of weeks? This is why Red Teaming is needed: it gives the "attacking" specialists time commensurate with what real attackers spend on an attack (3-9 months).
- Develop an internal team.
If there are enough resources, it is even better to develop your own team: these people will definitely be able to build a matrix of connections and components and systematically test each element, which no external organization can do.
- Build an ecosystem.
A lot of scattered security systems lead nowhere good. Going through 100,500 web consoles to watch events is not the most effective solution. Build the system from the start so that each component enriches the others and they all work together.
What a novice pentester should do
- Level up your skills faster.
The entry threshold grows every day. It's time to stop reading articles about a Bug Bounty payout for a password found on GitHub and collecting points in CTFs; it's time to start working seriously. Deploy virtual machines, set up a virtual infrastructure with enterprise-grade security tools, and go ahead and break them.
- Think over your specialization and focus on it.
You can no longer be an expert in everything. Choose the in-demand areas that you like and study them first. If you try to master everything, you will not have time for anything. I have thousands of unread messages in Telegram channels and the same number on Twitter. By the time you have read just the last day's security news, the "thinking fuel" in your head is already running out and the brain is simply overloaded.
- Be with the community.
Form a professional social circle: it is much more efficient to do something together than to sit alone in a closet. In the movies a lone hacker breaks into the world, but in reality there is an APT group with clear roles and tasks for everyone: one scans, another exploits, a third analyzes, a fourth withdraws the money. Be open and share knowledge, because others have already done what you are planning 100 times over, and, conversely, you can help them cut down on routine and free up time for creativity.
What regular users should do
You are unlikely to be reading this article, but still. Take your security into your own hands: don't wait for things to sort themselves out, come up with a proper password, take a security awareness course and simply follow its advice. Trust me, it's not difficult.
I wrote this article not to show how good everything is in information security, but so that you can see that things are not as bad as many are used to thinking. Negative news helps us develop and get better, but answer honestly: are we safer than 10 years ago? And if you think not, which of you can hack, say, VK: not a single user, not throw an XSS, but the entire infrastructure?