Cipher Podcast: Cybersecurity Tips from a Penetration Tester
Cipher’s Portugal CTO Sergio Alves joins the podcast with an eye-opening episode on penetration testing. He covers the difference between a vulnerability assessment and penetration test. Sergio understands how hackers operate. Then he goes into the Cyber Kill Chain components, including phishing and web server exploits. The guys also go over noteworthy attack techniques and tactics. Finally, Sergio goes over how application security testing works.
Podcast Episode Transcript
Pete: Welcome everyone, my name is Peter Hackett. I am the Global Program Director for Cipher. In today’s episode, we are going to discuss some cybersecurity tips from a Cipher penetration tester. Also with me today is my colleague Scott Croskey, the Global Chief Information Security Officer for Cipher. We are also pleased to have with us today the Chief Technology Officer for Cipher Portugal and Head of Cybersecurity Operations of our Portugal SOC, Sergio Alves. Sergio comes to us today from Coimbra, Portugal.
Sergio, how are you today?
Sergio: Hi Peter and Scott, I’m good and thank you for having me on Cipher’s Podcast, and congratulations on its success.
Pete: Sergio, as CTO and Head of Cybersecurity Operations for Portugal, can you discuss some of your roles and responsibilities?
Sergio: In simple terms, my main responsibility is to ensure a healthy and quality delivery across all Cipher’s service portfolio. My secondary role is to manage the Red Team services delivered from Portugal to clients around the globe.
Pete: Sergio, some of our listeners may or may not know, but Cipher has been in the business of cybersecurity for over 20 years. As you well know, one of our core competencies is Red Team Services and you oversee the delivery of this service. I know that our methodologies and processes bring a deep and broad industry expertise from over two decades of cybersecurity experience to help companies mitigate risk while minimizing their investments to build a solid security posture. As you’ve been keen to tell me in the past, we work as part of our customer’s internal security teams, adjusting our services to fit their needs. Can you discuss in general terms how a Penetration Test and Ethical Hacking service is delivered from start to finish?
Sergio: Sure Pete. First of all, you’re right, indeed our Red Team services are among the most mature ones, as they are part of our specialized and core services, and of course, we have basically been doing this since the very beginning.
Regarding our specialized services, I think it’s important to clarify that our Red Team mainly delivers two types of projects, Application Security and IT Infrastructure Security. Within these two types, we have two ways or methodologies of executing the projects, one focused on the vulnerability and risk assessment and the other on penetration testing.
This is an important context to give, as it is indeed the first step of a project, defining its objectives. Does the client want to thoroughly assess vulnerabilities and risks across its network, or does he want to simulate a real attack scenario?
This is usually done in pre-sales, along with other tasks, such as the definition of a scope.
I will briefly explain how we deliver a more traditional Penetration Test project, where a client wants to simulate a real attack scenario:
1 – As I mentioned, we start with understanding what the objectives of the client are: is it to simulate a real attacker that is positioned inside the network premises? Or is it just to assess the possibilities of intrusion from an external threat?
2 – We then move to the definition of the scope. Usually, in a pentest, it’s the whole constituency of the client, so all the digital infrastructure that is owned by the client.
3 – For the sake of this example, let’s assume that this project’s objective is to simulate an insider threat, so any rogue adversary that somehow positions himself inside the network, even if it is with low-privilege access, such as a guest would have.
4 – Usually, only a small group of people inside the client knows about the testing, which will allow us to exploit not only the digital systems but also the people, if necessary.
5 – I will not go into testing details, but it’s important to mention that this is where expertise and broad knowledge about the inner workings of an IT infrastructure environment are crucial, since they will make the difference between an average and a good delivery.
6 – We also do our best to not get detected, avoiding security detection and prevention systems that can disrupt the successful exploitation of the network.
Pete: What happens if you do get detected by the client?
Sergio: That’s a good question Pete. In some cases, the client also looks to test their Blue Team or their SOC processes, so it’s a good thing for him, because in that case the defense mechanisms are doing their job.
7 – Long story short, as the process goes towards the main objective, typically reaching high-privilege access inside the network (typically domain admin, if we’re talking about a Windows network), we will collect all data that is relevant to the client, such as vulnerabilities, risks and attack vectors, that ultimately led the team to its objectives.
Last but not least Pete,
8 – As important as reaching the objectives of the project is delivering the results to the client in an objective and clear way. So we tend to spend a good amount of effort in the reporting phase, as it’s quite important that the client understands what we did and how we did it, and mainly what the security risks are that his organization is facing. And that’s basically the whole process of a penetration test, in short.
Scott: Sergio, we’ve discussed in the past about the cyber kill chain and the MITRE ATT&CK framework. I really like the MITRE ATT&CK matrix because it goes into specific detail about each attack technique that has been observed by threat actors, and at what stage of the cyber attack process the technique is conducted. When it comes to Initial Access, what seems to be the most successful vector for access to a computer system?
Sergio: The MITRE ATT&CK framework is really awesome, as it gives not only a view of the attack but also how to defend against it, at least conceptually. I will split my answer in two if you don’t mind:
1 – If you want to get your foot inside an organization, the most obvious way is to exploit the human component, through spear phishing vectors or what MITRE describes as Valid Accounts. This is why it is so important to create and spread awareness among users, and it is also important to constantly monitor the Internet for signs of compromise in every way possible. For example, usually in big organizations we can always find compromised credentials publicly available that we can use in a penetration test. We tend to include this vector in the low-hanging fruit, as it’s one of the first things we do. Available credentials can give us direct access to e-mail, VPN, Internet-facing applications, etc.
2 – The second most common way to gain access is exploiting publicly available applications or services. Even if the application has no entry points to exploit, a badly configured web server can lead us to successful exploitation of the network.
Scott: The next step after initial access is typically establishing persistence. For our listeners who don’t know what this is, persistence is when the attacker looks to establish a foothold on the computer system in the event their initial access vector is discovered by a network defender. What seem to be the more successful methods you’ve used in the past to establish persistence on computer systems?
Sergio: The simplest way to maintain access to a network or a single system is to make use of current user accounts, but this can also trigger alarms. So we tend to use vectors such as installing rogue agents, usually known as backdoors, that will reverse connect to our attack infrastructure in a covert way. Again, not getting detected is usually also part of the objectives.
Scott: Privilege Escalation can be done before or after persistence is established. In this attack sequence of events, the adversary looks to gain elevated privileges on the compromised computer system, allowing them to have full control of the system. What seem to be the most common methods to elevate privilege?
Sergio: The most common method is by far the retrieval of domain admin hashes through the exploitation of vectors such as dumping credentials and hashes from compromised systems directly from the system’s volatile memory. A successful vector is an attack called pass-the-hash, where we don’t even need to crack the user hashes, as we can use them directly inside the Windows environment. Essentially, we tend to take advantage of and exploit the environment’s functionalities, namely the internal authentication and authorization mechanisms. A more advanced technique, such as remote desktop session hijacking, is another common one in Windows environments. In other environments, we can look for local vulnerabilities that can allow us to run code as admin/root or as another user.
Scott: Another technique used by adversaries is to conduct discovery activities on the network they have gained an initial foothold into and then further penetrate that network. This is commonly referred to in the INFOSEC community as lateral movement. Can you discuss how this typically occurs and some of the more common methods you have used in the past which have been successful?
Sergio: Lateral movement is essentially gaining access to other computer systems or devices inside the network, to look for other ways to escalate inside the network or just to search for sensitive information that can potentially be used in other attack vectors. This can be done using any of the attack vectors that I mentioned previously. Remember, everything counts when we’re talking about a penetration test, and there are a lot of context-aware attack vectors that will vary from environment to environment. But typically, collected credentials or hashes, or even exploiting vulnerabilities in services, usually do the work.
Scott: Thanks Sergio. And from there, we know that the adversary can conduct their intended effects. Depending on their motivations, they can do a wide array of activities. Common examples are establishing Command and Control nodes on that network, exfiltrating sensitive data, conducting activities to profit financially such as setting up cryptocurrency mining software throughout the network, etc. And in some cases, where there is nation-state or hacktivist activity, more damaging impacts can be done, such as website defacement, destroying data, and even destroying computer systems through various methods. Penetration testing is just one of our Red Team Services. Pete, did you want to explore any other topics today with Sergio?
Pete: Yes. Sergio, another service category in our Red Team Services portfolio is Vulnerability Assessments and Forensic Analysis. Can you talk a little bit about what is involved in those services?
Sergio: As I explained at the beginning of our conversation, the vulnerability assessment services aim to identify any and all flaws that exist in systems. Usually we tend to support ourselves with technology, such as a vulnerability scanner, that will do the major work in these assessments. We can do it as an isolated project or as a continuous service, so that the client is constantly aware of the vulnerability risks in their networks. In these projects or services, we tend to put the expertise into reviewing the results, adding some extra knowledge and giving a risk perspective to the client, who sometimes will not understand what a particular vulnerability can mean to their digital assets.
Forensic analysis usually happens when there is an incident or suspicious behavior in a network or a system. The most common situation is for the client to contact us when he in fact knows there was some intrusion or data exfiltration. This is a service that a pentester can also do, because he knows how attackers move and hide inside systems. There are simpler and more complex scenarios in forensic analysis, and usually the client looks for attribution and what the damage was, and we seek to provide those in a non-biased fashion, so sticking to the facts and findings. These services are also very methodical, as the artifacts and collaterals can be used in a criminal case.
Pete: Another service line is Application Security Testing and Code Review. I know you are very passionate about this activity. Can you talk about what this service line involves?
Sergio: We are indeed, especially because it represents more than 75% of the total projects we deliver from our team in Portugal. Application security is a different animal, so to speak, than penetration testing, even if sometimes we explore the possibilities of gaining access to an infrastructure through exposed applications. Application Security Testing generally involves a stricter use of a methodology, like OWASP’s, so that we and the client can be assured that tests were done on all entry points and flows in every way possible. Application security also has this interesting side of finding non-expected behaviors of the application that can trigger logic vulnerabilities, so not the typical technical ones like injections or misconfigurations.
Regarding Source Code Analysis, we usually deliver it as a service, so within the SDLC of the client, we will operate a technology that will do the automated part, and we will complement it with expertise in terms of parsing false positives and further analysis. It’s a good complement to the dynamic analysis, as it goes very deep into the application and can detect vulnerabilities that may not be exploitable through the dynamic analysis.
Regarding the delivery, as we are very methodical regarding the process, we always define the scope and objectives of the project or service quite well and, again, we put effort into the deliverables, as they are as important as the job itself, so showing to the client all the tests that were done, even if not successful.
Scott: Sergio, when it comes to web applications, I’m a big fan of the Open Web Application Security Project (which is abbreviated OWASP). Can you talk a little bit about how you use this community to conduct our application security testing activities?
Sergio: Sure Scott. The OWASP Foundation has been a great partner for as long as I can remember. They have really helped organizations to be better prepared against application threats. We all know very well the OWASP Top 10, which has evolved throughout the years and is a go-to when we’re talking about application security risks. I mean, every now and then, clients do require that we use the extended version (Web Security Testing Guide) so they have a clear view of all the tests that we perform during an audit. We indeed use and abuse OWASP, since it provides a very mature framework, constantly updated, and we use their documentation to support our delivery as well. We believe that it’s a great add-on to the deliverables, and clients now see it as the go-to standard.
Scott: And when it comes to the OWASP Top 10 Web Application Security Risks, in your opinion, which two or three areas should companies focus on that will provide the best return on investment for their time?
Sergio: I will directly say that companies need to invest in training their developer teams, in topics like how to design secure architectures and write secure code. It’s easier said than done, but with good foundational training, dev teams quickly understand that there are 2 or 3 fundamental problems that, if properly corrected, will make applications much more resilient to attacks. I will give one example of a classic fundamental problem in secure software development, which is input validation. Input validation actually is the core reason why most of the OWASP Top 10 risks are enumerated. Input validation is one of the most important aspects of application security, as it will assure that the applications receive and interpret the incoming data as expected.
Secondly, I would like to address the usage of components with known vulnerabilities. It’s easy to understand why: there are tons of open and freely available resources used every day in the development of applications and services, and organizations take advantage of them. They save costs in the process and usually they will not have to reinvent the wheel. The issue is that these third-party components can also have vulnerabilities, and, adding to the equation, sometimes such components are not continuously developed and their support depends on the time available to the individual developer. It’s a complicated situation.
To sum up, I would suggest that organizations focus on training their developer teams, make sure to have a proper SDLC process, and contract specialized services that will assess their applications and give a different perspective on risks.
Scott: Great, thank you Sergio! This has been a great conversation. Pete, over to you.
Pete: Thanks Scott. Sergio, do you have any final thoughts you’d like to share with our listeners?
Sergio: Well, first I want to thank our listeners who spent the time to hear our thoughts on this topic. I would like to finish by saying that there are 3 or 4 things to make an IT infrastructure more resilient to attacks, like a good and organized asset inventory, for instance, so know and organize your home, basically. You’ll be better prepared to respond. Another one is to be constantly patching your systems against known security threats, aligned with the business requirements, but be sure to patch. Last but not least, create and spread awareness among all people, as they will be exploited by an attacker to gain access to the digital and even the physical infrastructure. Also, be prepared for the worst; assume incidents will happen. Acquire specialized services that will give you a non-biased risk assessment of your environments.
Thank you Scott and Peter.
See you next time.
Pete: Scott and Mike, thank you for your time; this has been very informative, and I look forward to our next Podcast. For any of our listeners who are interested in our services, including Red Team Services, please reach out to us via our marketing department, which can be reached at: [email protected]