Creating the Perfect “Pentesting” Storm
Recently we underwent a SIGv5 audit for a customer of ours. From their page: “The Shared Assessments Program was created for all organizations that are concerned about information controls for personally identifiable client or consumer data in outsourced relationships. Originally created by six major US financial institutions, the Shared Assessments standards are used by outsourcers, service providers and assessment firms in a range of industries.” (http://www.sharedassessments.org/)
Of major concern to me was the information security assessment portion of the questionnaire. We had never truly implemented an in-house penetration test and rather than re-invent wheels, hire expensive contractors and so on, we developed our own “Red Team” to perform a quarterly penetration test and vulnerability assessment.
Before I go further on how this was accomplished, I’d like to explain the differences between a vulnerability assessment and a penetration test from a non-technical perspective. I choose to explain this not to those who are aware, but many are still confused over the two and the values of one over the other.
From a non-technical perspective in an analogy, a vulnerability assessment is the equivalent of hiring someone to take a look at your house from a security standpoint. The assessor will likely tell you something such as: “Well the inside of your house is visible from this side of the street by looking in this window”, “The front door was open, someone can walk in”, “Your roof is flat and it’s likely got a skylight someone can climb through.” Certainly it has its value.
A penetration test differs in the sense that someone is validating what they see. The results will be something akin to: “The front door was open however, I tried to walk in the door and I was met by a snarling Mastiff. No one is walking through that door!”, “I noticed the house was visible by looking through the window however, when I went to see what was accessible, I noticed it was nothing more than a picture and I really wasn’t seeing what’s inside…”, “I tried climbing through the roof but the moment I got there, I noticed you actually have a guardpost there!”, “I noticed the front door, walked in and was able to do whatever I wanted. To prove this to you, I left you a note in your dresser.”
With this said, which do you think provides more value at the end of the business day, the vulnerability assessment or the penetration test? With the analogy out of the way, I will explain what was done and why it was done, in the process of creating my in-house “Red Team.”
There are two attack vectors I needed to focus on when I set out to create my “perfect storm.” I needed to get a realistic point of view from that of an outside attacker. “What could a hacker see if he was focused on getting into my business?” and “What could an insider do to abuse his or her privilege?” Now, when I state “what can an insider do“, I’m not solely focused on one of my colleagues, I’m also worried about what would happen in the event someone launched a client-side attack.
For those unaware of what a client-side attack is, here is a brief explanation. All computers run software and some of this software is insecure. Imagine visiting a website where the website triggers your software to do whatever an attacker would like to do. Because the software is “local” to you (it’s on your machine or a machine on your network), an attacker is now the equivalent of an insider. Much similar to your co-worker. The attacker will have the same visibility as whomever is sitting next to you as you read this page.
With these tidbit explanations out of the way, let’s move into the technical aspects of this. I deployed two workstations to focus on attacking and two servers gathering and correlating data. One workstation was used to get information on the “attackability” from an outside scope (pure blackhat testing using Metasploit, Immunity’s Canvas, Maltego, W3AF, Accunetix, Netsparker and few other tools). The other workstation used the same tools but provided an inside point of view. “What would a blackhat hacker be able to do if he walked in this office right now?”
The two servers were gathering data in the same fashion. “What are we seeing from the outside and what are we seeing from the inside.” These servers are running a heavily modified version of OSSIM from Alienvault. OSSIM for those unaware, is an SIEM based on open source tools. Almost all networking and security related events are logged.
The beauty of configuring and deploying this kind of setup is that I can create such a targeted and focused penetration test where a blackhat couldn’t. Because I work here, I know firsthand what versions of software we’re running, I don’t need to enumerate users, etc., my testing was very granular and precise. The monitoring ensured me that whatever I tried was logged and an alert was sent out immediately. This allows me to test incident response, test vulnerabilities and weed out the false positives and give a concise report. Not a program generated report with pie-charts with semi-valid information. This is the difference in “I see it is possible to enter your front door” versus “I saw the front door, walked in, and man when that Mastiff snarled, I took a walk! No one is getting in that house of yours.”
How is a set-up like this of value? Let’s take a look at what I’ve accomplished. A decent penetration test could easily top the $80,000.00 mark. Imagine having to randomly perform a high level penetration test attack for the sake of staying PCI compliant. This would be done on a quarterly basis. While the PCI test is usually a scan of an outside IP address, Level1 merchants must have an on-site assessment done once per year 
I’ve mentioned the $80,000.00 price tag and it isn’t even a high price for a quality test. But how much would it cost to set-up and perform the testing in-house? Well, I like rounding off numbers to keep things simple so here goes a baseline:
$2,000.00 (2) Workstations (Dell Precision T5500 Dual Core Intel® Xeon® Processor E5503, 2.0GHz,4M L3, 4.8GT/s w/4GB of RAM)
$4,000.00 (1) Server running VMWare (PowerEdge R810 Intel® Xeon® E6510 1.73GHz, 12M cache, 4.80 GT/s QPI, 4C, 800MHz Max Mem w/16GB Memory)
$6,000.00 Immunity Canvas with all vulnpacks
$3,000.00 Metasploit Express
$1,445.00 Accunetix 
$16,445.00 (numbers are exaggerated with the exception of Acunetix)
So we have a baseline of a cost to do the testing in house. The server is split using VMWare with ethernet cards placed on different networks. One to give me an internal view, the other to give me an external view. The reality is, I didn’t need to buy a server since I have plenty, so technically, I could chuck the $4,000.00 off of the price tag. Immunity’s Canvas is also NOT $6,000.00 but I will say it is worth that much ;) The reality is, its likely close to about $3,000 with every bell and whistle (D2 pack and so on) give or take. So a realistic number would place me around the $7,000.00 – $10,000.00 mark to create a full blown “in-house Red Team.” To be quite honest, I could also throw in Core Impact (another excellent tool) and still keep my costs under $15,000.00 to complete creating a hellishly focused and realistic “Red Team.”
Application assessments are a different beast but even Klocwork Architect, beStorm, Codenomicon thrown into the pricing will save me in the long run. Remember the goal is to remain compliant. Even if I spent an outrageous $80,000.00 to create my “in-house” shop, it’s a one time charge. Not $80,000.00 per year (for those Level1 merchants). So the ROI is there for those who like playing with security metrics.
All of these tools may mean little to a company though. After all, to go out and spend this money and not understand how to use the tools is similar to saying: “Well, I think I need to go into Sears and buy every single tool to fix my car. Even though I know nothing about mechanics!” Not only would it be a waste of money, but a waste of time. A company will definitely need someone to configure the applications correctly and most importantly, understand what they are seeing. This is where system administrators, network admins, security engineers come into the picture. And this is also why they make the big bucks – at least in theory!
So how do you get an “expert hacker” in-house? Well, there are a few ways, you can either hire them or groom them ;) This I leave to managers to think about. The cost of sending your existing employees to bootcamps, e-classes at places like ElearnSecurity , IACRB , Learn Security Online  pale in comparison with outsourcing and or hiring new talent. Think about it for a moment from a BIA/ROI cost perspective to your business. You have an existing system administrator you pay N amount of dollars. Even if you sent him to all courses mentioned above, you’d spend about say $10,000.00 in training your employee. For starters, I’m sure many administrators would love the training. Sure there is the risk that the employee will leave right after learning, but this can addressed in agreements: “Employee acknowledges if he resigns or is terminated within one year of training, employee will pay for the course.” HR can guide these types of issues.
Anyhow, it is Friday and I’ve gone about writing for the past two hours. I will follow up with the technicalities and stages of the penetration testing soon. Stay tuned.
Leave a Reply
You must be logged in to post a comment.