A guest post by Florian Hansemann – @HanseSecure
More and more frequently the terms ‘Vulnerability Assessment’, ‘Penetration Testing‘ and ‘Redteaming’ are misused or misinterpreted. Whether the reason for this wording lies with the sales teams of the corresponding service providers (Pentesting sounds more like CyberCyber than Vulnerability Assessment 😉 ) or elsewhere is irrelevant.
The important thing is that the company knows what is hidden behind the term and when it should be used. Therefore, this article will describe the various technical security audit possibilities and explain when each method should be used.
A vulnerability assessment uses mostly automated procedures and generic scanners to detect security vulnerabilities in systems. These can be, for example, pending patches, weak passwords or a misconfiguration. These scans should be done periodically as the result of a one-time scan may be irrelevant after the next patchday. In the end, there should be a process of vulnerability management which prioritizes and documents the detected problems accordingly.
- Default Credentials [cisco:cisco]
- Missing Patches [CVE-2017-0144]
- Open Ports [databases]
- Missing Security Configurations [HTTP Security Header, SMB Signing, etc.]
- Weak Cryptography [SSH or TLS]
A vulnerability assessment should continuously identify as many vulnerabilities as possible in a short period of time in order to find and fix “simple” security vulnerabilities as quickly as possible.
In contrast to vulnerability assessments with automated procedures, penetration testing is primarily using manual techniques to detect more complex vulnerabilities that could not be detected by scanners. These can be both logic errors in the implementation of some software, as well as problems in organizational regulations of a company.
In addition, the vulnerabilities in a penetration test are validated and exploited to achieve a predefined target. This goal may be acquiring domain administrator rights or accessing an email from a specific user of the company.
- Cleartext Credentials on Client/ Server [excel sheet on client]
- Discovering unknown Vulnerabilities [CVE-2018-7272]
- SQL Injection [CVE-2019-7139]
- Deserialization [CVE-2017-9822]
- Local Privilege Escalation (through misconfiguration or vulnerable software) [CVE-2019-12042]
- Bypassing Security Measurements [Applocker, MS SmartScreen]
- Bad Asset Management [discovering forgotten/ unknown systems]
More complex vulnerabilities are sought which can not be found by automated scanners and the effectiveness of the security measures taken at the technical, organizational and personnel level is checked.
These types of assessments use state-of-the-art attack and obfuscation techniques (such as MITRE ATT&CK) to penetrate a business and achieve a specific goal. At the same time, the “defense team”, the so-called BlueTeam, should detect the intrusion and react accordingly. For more information on this new type of assessment, I recommend this blog, which published a number of sources at the end of 2018 that provide additional information about redteaming.
- Missing Logging on One or More Server/ Clients
- Weak Log-Correlation
- Bad Detection Rate
- No Automated Notification
Of course, redteaming is also about uncovering vulnerabilities in all levels of the goal, but training the BlueTeam is clearly in focus.
Which Method is Right for Your Company?
This can not be answered on a flat-rate basis, as this depends on the security level of the company/target.
Security Level: Low to Medium
If security assessments have not yet been carried out, then only vulnerability scans should be used to determine how the security level basically looks and to raise this to a satisfactory level.
Security Level: High
After a company performs vulnerability scans and closes the detected gaps, penetration testing can be used to uncover more complex gaps.
Security Level: High to Very High
If the company already uses aspects such as SOC, SIEM and Blueteam in the company, then at this stage these elements should be trained and optimized through redteaming assessments.