Critical Control 20: Penetration Tests and Red Team Exercises

How do attackers exploit the absence of this control?

Attackers penetrate networks and systems through social engineering and by exploiting vulnerable software and hardware. Once they get access, they often burrow deep into target systems and broadly expand the number of machines over which they have control. Most organizations do not exercise their defenses, so they are uncertain about their capabilities and unprepared for identifying and responding to attack.
Penetration testing involves mimicking the actions of computer attackers to identify vulnerabilities in a target organization, and exploiting them to determine what kind of access an attacker can gain. Penetration tests typically provide a deeper analysis of security flaws than a vulnerability assessment. Vulnerability assessments focus on identifying potential vulnerabilities, while penetration testing goes deeper with controlled attempts at exploiting vulnerabilities, approaching target systems as an attacker would. The result provides deeper insight into the business risks of various vulnerabilities by showing whether and how an attacker can compromise machines, pivot to other systems inside a target organization, and gain access to sensitive information.
Red team exercises go further than penetration testing. Red team exercises have the goals of improved readiness of the organization, better training for defensive practitioners, and inspection of current performance levels. Independent red teams can provide valuable and objective insights about the existence of vulnerabilities and about the efficacy of defenses and mitigating controls already in place and even those planned for future implementation.

How to Implement, Automate, and Measure the Effectiveness of this Control

  1. Quick wins: Organizations should conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully. Penetration testing should occur from outside the network perimeter (i.e., the Internet or wireless frequencies around an organization) as well as from within its boundaries (i.e., on the internal network) to simulate both outsider and insider attacks.
  2. Visibility/Attribution: Organizations should perform periodic red team exercises to test the readiness of organizations to identify and stop attacks or to respond quickly and effectively.
  3. Visibility/Attribution: Organizations should ensure that systemic problems discovered in penetration tests and red team exercises are fully mitigated.
  4. Visibility/Attribution: Organizations should measure how well the organization has reduced the significant enablers for attackers by setting up automated processes to find:
    • Cleartext e-mails and documents with "password" in the filename or body
    • Critical network diagrams stored online and in cleartext
    • Critical configuration files stored online and in cleartext
    • Vulnerability assessment, penetration test reports, and red team finding documents stored online and in cleartext
    • Other sensitive information identified by management personnel as critical to the operation of the enterprise during the scoping of a penetration test or red team exercise.
  5. Visibility/Attribution: Social engineering should be included within a penetration test. The human element is often the weakest link in an organization and one that attackers often target.
  6. Advanced: Organizations should devise a scoring method for determining the results of red team exercises so that results can be compared over time.
  7. Advanced: Organizations should create a test bed that mimics a production environment for specific penetration tests and red team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
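Item 4 asks for an automated process that finds the cleartext "enablers" (files with "password" in the name or body, network diagrams, configuration files, and security-test reports left on shares). The sweep below is an added example and not part of the control document; the keyword list, the extension sets, the category names and the sample file tree are all constructed assumptions, and a real deployment would point `sweep()` at mounted file shares and feed the findings into the scoring in item 6.

```python
"""Sweep a directory tree for the cleartext 'enablers' listed in Control 20, item 4.

Added example, not from the original document. Keyword patterns, extension
sets, category names and the sample tree are constructed assumptions.
"""
import os
import re
import tempfile
from pathlib import Path

# Phrases that suggest a vulnerability-assessment, pentest or red team report (assumption).
REPORT_TERMS = re.compile(r"penetration test|red team|vulnerability assessment", re.I)
# Extensions commonly used for network diagrams and configuration files (assumption).
DIAGRAM_EXT = {".vsd", ".vsdx", ".drawio", ".dia"}
CONFIG_EXT = {".conf", ".cfg", ".ini", ".yaml", ".yml", ".xml", ".properties"}
PASSWORD_RE = re.compile(r"password", re.I)
MAX_BYTES = 1 << 20  # inspect at most the first 1 MiB of each file


def classify_file(path: Path) -> set[str]:
    """Return the set of Control 20 categories that apply to a single file."""
    reasons = set()
    if PASSWORD_RE.search(path.name):
        reasons.add("password-in-filename")
    try:
        body = path.read_bytes()[:MAX_BYTES].decode("utf-8", errors="ignore")
    except OSError:
        return reasons  # unreadable file: report what the name alone tells us
    if PASSWORD_RE.search(body):
        reasons.add("password-in-body")
    if REPORT_TERMS.search(body):
        reasons.add("security-report")
    ext = path.suffix.lower()
    if ext in DIAGRAM_EXT:
        reasons.add("network-diagram")
    if ext in CONFIG_EXT:
        reasons.add("config-file")
    return reasons


def sweep(root: Path) -> dict[str, set[str]]:
    """Walk `root` and map each flagged file (path relative to root) to its categories."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            reasons = classify_file(p)
            if reasons:
                findings[p.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_tree(root: Path) -> None:
    """Create a constructed sample 'share' so the sweep has something to find."""
    (root / "hr").mkdir(parents=True)
    (root / "it").mkdir()
    (root / "hr" / "passwords.xlsx.txt").write_text("vpn: Summer2024!")
    (root / "it" / "core-switches.drawio").write_text("<mxfile/>")
    (root / "it" / "app.ini").write_text("db_password = hunter2\n")
    (root / "it" / "q3-report.txt").write_text("External penetration test results: ...")
    (root / "hr" / "holiday-rota.txt").write_text("Week 1: Alice")


def demo_findings() -> dict[str, set[str]]:
    """Build the sample tree in a temporary directory and return the sweep result."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base)
        return sweep(base)


if __name__ == "__main__":
    for rel, reasons in sorted(demo_findings().items()):
        print(f"{rel}: {', '.join(sorted(reasons))}")
```

Each hit carries every category that applies, so a config file that also contains a password shows up under both, which is the kind of count item 4 asks the organization to drive down over time.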

Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls

CA-2 (1, 2), CA-7 (1, 2), RA-3, RA-5 (4, 9), SA-12 (7)

Procedures and Tools to Implement and Automate this Control

Each organization should define a clear scope and rules of engagement for penetration testing and red team analyses. The scope of such projects should include, at a minimum, systems with the highest-value information and production processing functionality of the organization. Other lower-value systems may also be tested to see if they can be used as pivot points to compromise higher-value targets. The rules of engagement for penetration tests and red team analyses should describe, at a minimum, times of day for testing, duration of tests, and overall test approach.

Control 20 Sensors, Measurement, and Scoring

Sensor: Automated penetration testing tool
Measurement: Determine the number of systems that have vulnerabilities that can be exploited and determine to what level they can be exploited.
Score: 100 percent if no vulnerabilities can be exploited. Minus 5 percent for guest-level exploitation, 10 percent for user-level access, and 15 percent for root-level access.
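The scoring rule above (and item 6, which asks for a method whose results can be compared over time) is small enough to implement directly. The code below is an added example, not part of the control document: the deduction table is the document's own (5, 10 and 15 percent for guest, user and root), while applying the deduction once per exploited system at its highest achieved level, flooring the score at zero, and the sample findings are assumptions made here.

```python
"""Score an automated penetration-test sensor run as Control 20 describes.

Added example, not from the original document. Deductions are the document's
(guest 5, user 10, root 15); applying them once per system at its highest
achieved access level and flooring at 0 are assumptions. Findings are constructed.
"""

# Access levels in increasing order of severity; 'none' means not exploitable.
LEVEL_RANK = ["none", "guest", "user", "root"]
DEDUCTION = {"none": 0, "guest": 5, "user": 10, "root": 15}

# Constructed sensor output: (hostname, access level achieved), one row per finding.
SAMPLE_FINDINGS = [
    ("web-01", "guest"),
    ("web-01", "user"),   # second finding on the same host with higher access
    ("db-01", "root"),
    ("jump-01", "guest"),
    ("mail-01", "none"),  # scanned, nothing exploitable
]


def worst_level_per_host(findings):
    """Collapse multiple findings per host to the highest access level achieved."""
    worst = {}
    for host, level in findings:
        if level not in DEDUCTION:
            raise ValueError(f"unknown access level {level!r} for {host}")
        if host not in worst or LEVEL_RANK.index(level) > LEVEL_RANK.index(worst[host]):
            worst[host] = level
    return worst


def exploited_systems(findings):
    """Hosts where some level of exploitation succeeded, with that level."""
    return {h: lvl for h, lvl in worst_level_per_host(findings).items() if lvl != "none"}


def control20_score(findings):
    """100 minus one deduction per exploited system, never below zero."""
    total = sum(DEDUCTION[lvl] for lvl in worst_level_per_host(findings).values())
    return max(0, 100 - total)


def score_delta(previous_findings, current_findings):
    """Change in score between two runs (positive means the posture improved)."""
    return control20_score(current_findings) - control20_score(previous_findings)


if __name__ == "__main__":
    print("exploited:", exploited_systems(SAMPLE_FINDINGS))
    print("score:", control20_score(SAMPLE_FINDINGS))
    # A later run where db-01 has been fixed but everything else is unchanged.
    later = [f for f in SAMPLE_FINDINGS if f[0] != "db-01"] + [("db-01", "none")]
    print("delta:", score_delta(SAMPLE_FINDINGS, later))
```

Keeping the raw findings and recomputing the score, rather than storing only the percentage, is what makes the item 6 comparison meaningful: a later run can be diffed host by host to show which remediation moved the number.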