By Tom MacDonald | Senior Security Consultant at Nettitude
As more organisations begin to understand the importance of maturing their cybersecurity strategy, focus is shifting away from a ‘compliance-based’ plan and towards a reactive security posture supported by a more modern, proactive and continual assurance approach. Infrastructure penetration testing is a crucial part of an ongoing security assurance programme, as well as being a distinct step in the journey from .
In the following blog post, we’ll cover the reasons why an organisation would need an infrastructure penetration test, as well as the key considerations that need to be made in advance of one.
What does infrastructure penetration testing cover?
Depending on the infrastructure testing methodology, the test can cover a wide-ranging array of technologies, from smaller on-premises networks to hybrid cloud deployments, as well as container clusters, Hadoop data lakes and complicated Redis message queues between systems. It can also cover a wide range of operating systems, including endpoints running Mac OS X, Windows and Linux.
Infrastructure penetration testing can also complement web application testing, ensuring that the servers and networks supporting mobile and web applications are as secure as possible. This is now becoming accepted industry best practice, as evidenced by the OWASP Application Security Verification Standard (ASVS).
Considerations during infrastructure penetration testing
All penetration testing carries some risk, and the consultant will work with you to ensure that the required level of assurance can be achieved without introducing additional risk into the environment. Where development or test environments are used as part of risk mitigation, Nettitude recommends that, wherever possible, that environment is as close to identical to the production environment as it can be. This will help ensure that all findings and recommendations are as focused as possible, allowing you to implement them in the production environment after normal change control.
During the scoping process, explain what your primary security concerns are to the tester, as this will allow them to focus testing around those areas and risks. This may focus on the confidentiality of sensitive intellectual property, or the availability of a critical line of business application.
Nettitude would recommend a grey-box approach to advanced infrastructure testing wherever possible. Assessments are always time limited, and providing the tester with network diagrams or lists of key servers will save them from spending time determining and enumerating this information. A skilled tester will also be able to ‘work back’ and show how they would have located the target systems given a longer time period.
Advanced infrastructure penetration testing should always contain an element of manual exploitation of vulnerabilities, to confirm that the issue is present and to allow any post-exploitation activities to take place. This also allows you to measure whether any defensive controls (such as a SOC, or Endpoint Detection and Response software) were able to detect the exploitation attempt. Certain circumstances may make exploitation impossible, but manual confirmation of vulnerabilities should always take place.
Complexity of advanced infrastructure penetration testing
The wide-ranging nature and variety of this type of assurance allows for a variety of different service offerings. These can range from simpler services, such as automated vulnerability assessment with manual confirmation, through to assessments of inter-continental networks and their supporting VPN devices.
It is also possible to assess large-scale Active Directory environments for adversary resilience and systems administration security, helping to prevent highly privileged credentials from being abused by attackers across the network and to detect malicious activity through enhanced logging and visibility.
Maximising value from infrastructure penetration testing
Infrastructure penetration testing sits within a wider security assurance framework, and its success is directly linked to leadership buy-in and to complementing infrastructure testing with other assurance activities. Examples of this include firewall reviews, egress filtering assessments and build reviews, allowing the system or environment as a whole to be tested.
Assurance activities should always be as widely scoped as possible; this allows the consultant to examine as many of the supporting systems as possible and to maximise the breadth of coverage and assurance gained. It also allows an assessment to be made of the level of security awareness within the business (for example, the presence of passwords or sensitive information stored in file shares). As highlighted previously, a grey-box approach allows the maximum time to be spent on determining, testing and exploiting vulnerabilities, as well as on working closely with you to determine remediation actions that are achievable and realistic to implement.
Infrastructure penetration testing reports
Infrastructure testing reports should be extremely detailed, allowing for a thorough explanation of any vulnerabilities and of how they were exploited, as well as nuanced recommendations to strengthen the security of the system under test. Wherever possible, these should be backed up by industry-accepted standards, such as those published by the Center for Internet Security (CIS), or by vendor best-practice references.
One of the most effective methods for driving change and improving security is the production of an attack chain narrative. This allows the tester to describe how an attacker is able to chain several smaller misconfigurations together to compromise the system. These narratives are often suitable for presenting to senior leadership, allowing risk to be measured more accurately and remediation actions to be prioritised.
So, there you have the basics of an infrastructure penetration test and the essential components to consider. Maintaining your organisation’s digital infrastructure is one of the most important aspects of your cyber strategy and should be considered carefully. Need some help securing your organisation’s digital infrastructure? Head over to our security and network solutions to find out more.