Detection Reflection: Analyzing 9 Months of Rapid7 Penetration Testing Engagements


The second annual “Under the Hoodie: Lessons from a Season of Penetration Testing” report is out! Our new research shares key findings from 268 Rapid7 penetration testing service engagements conducted between September 2017 and June 2018. In this post, we’ll review interesting detection trends, including exactly where our red team found success, especially when your internal network is in scope.

Detecting a penetration test should be considered a key milestone in your organization’s security program maturity, as it indicates the ability to detect compromise in real time. This isn’t easy to do—for the 249 engagements where detection was attempted, our team was not spotted 61% of the time.

What magnifies this statistic is the fact that most (82%) of these penetration testing engagements were one week or less—this places a stringent timebox on the range of tactics, techniques, and procedures (TTP) our pen testers can employ. That’s the value of “Under the Hoodie”: it directly exposes the key behaviors our pen testers use time and time again to gain administrative control over networks. From a detection perspective, focus needs to be applied along three axes: vulnerabilities, credentials, and misconfigurations. It’s essential to identify malicious behaviors that abuse these three categories.

Compromised credentials: The holy grail for adversaries

If the data you need to protect is on your internal network, you need visibility into authentications and account impersonation. Nearly every major public (and undisclosed) breach has involved compromised credentials at some point in the attack, because credentials are relatively easy to obtain once internal network access is achieved.

Given LAN or WLAN connectivity, we found that penetration testers were able to capture credentials 86 percent of the time.

Our report also found that more organizations are now running internal pen tests (32 percent, up from 21 percent last year), but the ideal is to run internal and external tests in tandem, for obvious reasons.

The big challenge is that your employees may authenticate across multiple IP addresses, assets, applications, and cloud services. If you’ve manually retraced a user’s activity via log files, you’ve directly felt investigation pains here. If you haven’t, Randy of UltimateITSecurity walks us through the elaborate process in Correlating DHCP, DNS, and Active Directory data with Network Logs for User Attribution.

The challenge is two-fold: sending the right user data, and then using it to build a baseline of “healthy user behavior.” This need for user behavior analytics was the initial driver behind InsightIDR, our threat detection and response solution—to consistently expose compromised user accounts and detect insider threats. If you use Active Directory in your organization, InsightIDR can identify risky user behavior across network, endpoint, and cloud. From a single view, you can access all of your security logs, endpoint data, and user behavior alongside vulnerability and exploit data from InsightVM and Nexpose.
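As an added illustration of the correlation Randy describes and of the “healthy user behavior” baseline above (example code written for this post, not Rapid7’s or InsightIDR’s logic): constructed DHCP lease and Active Directory logon records are joined by source IP and time so each logon is attributed to the host that actually held the address, then compared against a per-account baseline. All hostnames, accounts, IPs and timestamps are invented.

```python
from datetime import datetime

# Constructed DHCP lease records (not from the report): which host held an IP, and when.
DHCP_LEASES = [  # (ip, hostname, lease_start, lease_end)
    ("10.0.5.23", "WS-ALICE", "2018-03-01T08:00:00", "2018-03-01T18:00:00"),
    ("10.0.5.23", "WS-BOB",   "2018-03-01T18:30:00", "2018-03-02T02:00:00"),
    ("10.0.5.40", "SRV-FILE", "2018-03-01T00:00:00", "2018-03-03T00:00:00"),
]

# Constructed Active Directory logon events (Windows 4624 style), keyed only by source IP.
AD_LOGONS = [  # (timestamp, account, source_ip, target_host)
    ("2018-03-01T09:12:00", "alice", "10.0.5.23", "DC01"),
    ("2018-03-01T19:05:00", "alice", "10.0.5.23", "DC01"),     # same IP, now leased to WS-BOB
    ("2018-03-01T19:06:00", "alice", "10.0.5.23", "SRV-FILE"),
    ("2018-03-01T19:07:00", "alice", "10.0.5.23", "SRV-HR"),
]

# Baseline of "healthy" behaviour per account: hosts it logs on from and targets it reaches.
BASELINE = {"alice": ({"WS-ALICE"}, {"DC01", "SRV-FILE"})}


def host_for_ip(ip, ts, leases=DHCP_LEASES):
    """Resolve a source IP to the host that held the DHCP lease at that instant."""
    t = datetime.fromisoformat(ts)
    for lease_ip, host, start, end in leases:
        if lease_ip == ip and datetime.fromisoformat(start) <= t <= datetime.fromisoformat(end):
            return host
    return None  # no lease covers this time: an attribution gap, worth its own alert


def attribute_logons(logons=AD_LOGONS):
    """Rewrite each logon as (timestamp, account, source_host, target) using the lease table."""
    return [(ts, acct, host_for_ip(ip, ts) or f"unknown({ip})", target)
            for ts, acct, ip, target in logons]


def flag_deviations(baseline=BASELINE, logons=AD_LOGONS):
    """Report logons whose source host or target falls outside the account's baseline."""
    findings = []
    for ts, acct, host, target in attribute_logons(logons):
        known_hosts, known_targets = baseline.get(acct, (set(), set()))
        if host not in known_hosts:
            findings.append((ts, acct, f"logon from unbaselined host {host}"))
        if target not in known_targets:
            findings.append((ts, acct, f"access to unbaselined target {target}"))
    return findings
```

Without the lease join, all four logons look like “alice from 10.0.5.23” and nothing stands out; with it, the evening logons resolve to a host alice never uses, and the last one also reaches a server outside her baseline.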

Is that door supposed to be open?

Misconfigurations arise when security controls are not properly implemented, or are not reviewed as the network continues to evolve. These are particularly dangerous because, unlike vulnerabilities, misconfigurations can be much more difficult to spot. They encompass a wide range of issues, including:

- Lack of least-privilege principles for accounts
- Having an admin account that isn’t used or monitored
- Password reuse due to a poor password policy
- Misconfigured settings
- Lack of patch management
- Lack of network segmentation
- Outdated/stale firewall rules

When the internal network was in scope, our pen testers leveraged a misconfiguration 96% of the time. As with vulnerabilities, this is a category where it is impossible to eliminate all risk. Therefore, network segmentation should be implemented to provide defense-in-depth, alongside detection controls that verify the segmentation policy is actually being enforced.

InsightIDR gives you deep visibility into users and assets, allowing you to proactively reduce risk by identifying unknown admins, shared accounts, and suspicious processes across your environment.

Along with its real-time threat detection, this gives you an unprecedented edge against pen testers and attackers alike. If you’d like to learn more, walk through our H!NT detection experience and sign up for our Summer Webcast series!
