Lesson 3: Assessing Security Posture with Software Tools Flashcards
Reconnaissance
A necessary part of attacking a network is to gather information about it. This process of information gathering is referred to as reconnaissance. Reconnaissance techniques can also be used by security professionals to probe and test their own security systems, as part of a security posture assessment.
Security posture assessments
When information gathering is conducted by a “white hat,” assessments are usually classed as either vulnerability scanning or penetration testing.
NIST’s Technical Guide to Information Security Testing and Assessment identifies three principal activities within an assessment:
- Testing the object under assessment to discover vulnerabilities or to prove the effectiveness of security controls.
- Examining assessment objects to understand the security system and identify any logical weaknesses. This might highlight a lack of security controls or a common misconfiguration.
- Interviewing personnel to gather information and probe attitudes toward and understanding of security.
Planning an audit will start with a determination of the scope of the assessment and a methodology. The next phase will be to put in place the resources to carry it out (qualified staff, tools, budget, and so on).
Vulnerability scanning
process of auditing a network (or application) for known vulnerabilities. Recall that a vulnerability is a weakness that could be triggered accidentally or exploited maliciously by a threat actor to cause a security breach. An unpatched software application, a host with no anti-virus software, and an administrator account with a weak password are examples of vulnerabilities. Vulnerability scanning generally uses passive reconnaissance techniques. A vulnerability scanner would probe the network or application to try to discover issues but would not attempt to exploit any vulnerabilities found. Performing Open Source Intelligence (OSINT) searches represents another type of passive reconnaissance.
Note: Vulnerability scanning can be described as “passive” in terms of comparing it to penetration testing, but note that there is an active component to host-based vulnerability scans. Many types of vulnerability scanners establish a network connection with the target host and exchange data with it. A purely passive test would use only network traffic analysis gathered by a tap or port mirror, but this method does not return very reliable or detailed results.
penetration test (pen test) or ethical hacking
essentially involves thinking like an attacker and trying to penetrate the target’s security systems. A pen test might involve the following steps:
- Verify a threat exists—use surveillance, social engineering, network scanners, and vulnerability assessment tools to identify vulnerabilities that could be exploited.
- Bypass security controls—look for easy ways to attack the system. For example, if the network is strongly protected by a firewall, is it possible to gain physical access to a computer in the building and run malware from a USB stick?
- Actively test security controls—probe controls for configuration weaknesses and errors, such as weak passwords or software vulnerabilities.
- Exploit vulnerabilities—prove that a vulnerability is high risk by exploiting it to gain access to data or install malware.
The key difference from passive vulnerability scanning is that an attempt is made to actively test security controls and exploit any vulnerabilities discovered. Pen testing is an active reconnaissance technique.
Ground rules (rules of engagement) for any type of security assessment should be made explicit in a contractual agreement and backed by senior management. These guidelines also apply to assessments performed by employees. Some things to consider are:
- Whether to use “No holds barred” or “smash and grab” testing—if agreed, the consultant will try to use any means to penetrate as far into the network and information systems as possible. Alternatively, rules can be agreed to circumscribe this freedom to act to protect data assets and system integrity.
- Whether to stop at the perimeter—having demonstrated that a vulnerability exists at the network edge, the consultant will stop and not attempt to exploit the breach or view confidential data.
- Attack profile—attacks come from different sources and motivations. You may wish to test both resistance to external (targeted and untargeted) and insider threats. You need to determine how much information about the network to provide to the consultant:
- Black box (or blind)—the consultant is given no privileged information about the network and its security systems. This type of test would require the tester to perform the reconnaissance phase. Black box tests are useful for simulating the behavior of an external threat.
- White box (or full disclosure)—the consultant is given complete access to information about the network. This type of test is sometimes conducted as a follow-up to a black box test to fully evaluate flaws discovered during the black box test. The tester skips the reconnaissance phase in this type of test. White box tests are useful for simulating the behavior of a privileged insider threat.
- Gray box—the consultant is given some information; typically, this would resemble the knowledge of junior or non-IT staff to model particular types of insider threats. This type of test requires partial reconnaissance on the part of the tester. Gray box tests are useful for simulating the behavior of an unprivileged insider threat.
- Test system or production environment—ideally, tests would be performed in a sandbox environment that accurately simulates the production environment. However, this is expensive to set up. It may be very difficult to create a true replica, so potential vulnerabilities may be missed. Using the production environment risks service outages and data loss, especially with the “no holds barred” approach.
Note: Both vulnerability assessments and penetration testing can be disruptive to a network. Passive types of scanning software generate a large amount of network traffic and perform “port enumeration” against devices such as servers and routers. This can overload the network and cause devices to crash. Exploit modules can self-evidently crash a network and may even damage data, if performed carelessly.
- Out of hours—whether the consultant should only perform testing out of hours to avoid causing problems on a production network. The problem here is that network policies and intrusion detection systems are generally configured to view out of hours access as suspicious, so the penetration testing is not taking place in the network’s “real world” state.
- Full disclosure of test results to the company in a timely manner. The report should also contain recommendations for remediating vulnerabilities.
- Confidentiality and non-disclosure (to third parties) by the consultant.
Techniques, Tactics, and Procedures (TTP)
Analysis of sophisticated adversary Techniques, Tactics, and Procedures (TTP) has established various “kill chain” models of the way modern cyber-attacks are conducted. “No holds barred” penetration testing will generally use the same sort of techniques.
Reconnaissance phase techniques
Reconnaissance activities can be classed as passive or active. Passive reconnaissance is not likely to alert the target of the investigation as it means querying publicly available information. Active reconnaissance has more risk of detection. Active techniques might involve gaining physical access to premises or using scanning tools on the target’s web services and other networks.
- Open Source Intelligence (OSINT)—this refers to using web search tools and social media to obtain information about the target. It requires almost no privileged access as it relies on finding information that the company makes publicly available, whether intentionally or not.
- Social engineering—this refers to obtaining information, physical access to premises, or even access to a user account through the art of persuasion.
- Scanning—this refers to using software tools to obtain information about a host or network topology. Scans may be launched against web hosts or against wired or wireless network segments, if the attacker can gain physical access to them.
Initial exploitation phase (also referred to as weaponization)
exploit is used to gain some sort of access to the target’s network. This initial exploitation might be accomplished using a phishing email and payload or by obtaining credentials via social engineering.
Persistence
refers to the tester’s ability to reconnect to the compromised host and use it as a Remote Access Tool (RAT) or backdoor. To do this, the tester must establish a Command and Control (C2 or C&C) network to use to control the compromised host (upload tools and download data). The connection to the compromised host will typically require a malware executable to run and a connection to a network port and the attacker’s IP address (or range of IP addresses) to be available.
Persistence will be followed by further reconnaissance, where the pen tester attempts to map out the internal network and discover the services running on it and accounts configured to access it.
pivot point
Having obtained a persistent foothold on the network and performed internal reconnaissance, the next likely objective is to obtain a pivot point. This is a system and/or set of privileges that allow the tester to compromise other network systems (lateral spread).
escalating the privileges
The tester likely has to find some way of escalating the privileges available to him/her. For example, the initial exploit might give him/her local administrator privileges. He or she might be able to use these to obtain system privileges on another machine and then domain administrator privileges from another pivot point.
action on objectives
At this point, an adversary may be in a position to perform action on objectives, such as stealing data from one or more systems (data exfiltration). From the perspective of a pen tester, it would be a matter of the scope definition whether this would be attempted. In most cases, for a pen tester to have penetrated this far would be cause for urgent remedial work on the company’s security systems.
Follow these guidelines when implementing penetration testing:
- Consider the benefits of conducting a penetration test in addition to or instead of a vulnerability assessment.
- Be aware of the risks involved in conducting a pen test.
- Consider implementing pen test techniques as different phases in a simulated attack.
- Consider conducting pen tests using different types of box testing methods.
- Understand the different reconnaissance requirements associated with each box testing method.
Topology discovery (or “footprinting”)
part of the discovery phase where the attacker or pen tester starts to identify the structure of the target network. Organizations will also use topology discovery as an auditing technique to build an asset database and identify non-authorized hosts (rogue system detection) or network configuration errors.
An attacker attempting to work out the network topology stealthily faces several problems:
- Gaining access to the network—both the challenge of connecting to the physical wired or wireless network and of circumventing any access control or authentication mechanisms that could block his or her equipment from receiving network traffic.
- Scanning stealthily—to prevent the network owner detecting and blocking the scans and being alerted to an intrusion event.
- Gaining access to the wider network from the local segment—this may involve defeating access control lists on routers and firewalls.
network mapping tool
performs host discovery and identifies how the hosts are connected together on the network.
ipconfig (Windows) command
command can be used to report the configuration assigned to the network adapter. The attacker can identify whether the network uses DHCP or a static IP addressing scheme.
ifconfig command
In Linux, the ifconfig command can be used to report the adapter configuration and enable or disable it or apply a different static IP configuration. Going forward, the ip command is intended to replace ifconfig. ip is a more powerful tool, with options for managing routes as well as the local interface configuration. The basic functionality of ifconfig (show the current address configuration) is performed by running ip a.
ping command
can be used to detect the presence of a host on a particular IP address or that responds to a particular host name. You can use ping with a simple script to perform a ping sweep.
Address Resolution Protocol (ARP)
A machine’s Address Resolution Protocol (ARP) cache can also be examined for host entries (using the arp -a command). The ARP cache shows the hardware (MAC) address of the interface associated with each IP address the local host has communicated with recently.
Nmap Security Scanner
Most topology discovery is performed using a dedicated tool like the Nmap Security Scanner (https://nmap.org). Nmap can use diverse methods of host discovery, some of which can operate stealthily and serve to defeat security mechanisms such as firewalls and intrusion detection. The tool is open source software with packages for most versions of Windows, Linux, and macOS®. It can be operated with a command line or via a GUI (Zenmap).
The basic syntax of an Nmap command is to give the IP subnet (or IP address) to scan. When used without switches like this, the default behavior of Nmap is to ping and send a TCP ACK packet to ports 80 and 443 to determine whether a host is present. On a local network segment, Nmap will also perform ARP and ND (Neighbor Discovery) sweeps. If a host is detected, Nmap performs a port scan against that host to determine which services it is running. This OS fingerprinting can be time-consuming on a large IP scope and is also non-stealthy. If you want to perform only host discovery, you can use Nmap with the -sn switch (or -sP in earlier versions) to suppress the port scan.
tracert (Windows) or traceroute (Linux) command
tools provide a simple means of probing the path from one end system (host) to another, listing the intermediate systems (routers) providing the link.
You can use source routing options within tracert to pre-determine the path taken, but to discover a complete internetwork topology, you need a more advanced tool. You can use Nmap with the --traceroute option to record the path to an IP target address. The Zenmap tool can use this information to display a graphic of the detected network topology.
whois command
An attacker might be able to obtain useful information by examining a company’s domain registration records by running a whois lookup against the appropriate registry. The whois command is part of Linux and for Windows users is available as one of the utilities in the Sysinternals suite.
DNS
An attacker may also test a network to find out if the DNS service is misconfigured. A misconfigured DNS may allow a zone transfer, which will give the attacker the complete records of every host in the domain, revealing a huge amount about the way the network is configured.
nslookup command
You can use the nslookup command in interactive mode to attempt a zone transfer.
dig command from any Linux or UNIX machine
You can also use the dig command from any Linux or UNIX machine with the dnsutils package installed.
The command name is an acronym for domain internet groper (dig). A zone transfer is often called an “axfr” after the dig switch sequence used to request it.
DNS harvesting
If DNS harvesting is successful, you will obtain IP addresses for servers in the target domain. You can use an IP geolocation tool to identify the approximate geographic location of the servers.