As more organisations begin to understand the importance of maturing their cybersecurity strategy, the focus is shifting away from a more ‘compliance-based’ plan and is logically developing towards a reactive security posture with a more modern, proactive and continual assurance approach. Infrastructure penetration testing is a crucial part of an ongoing security assurance programme, as well as being a distinct step in the journey.
In the following blog post, we’ll cover the reasons why an organisation would need an infrastructure penetration test, as well as the key as well as the key considerations that need to be made in advance of one.
What does infrastructure penetration testing cover?
Depending on the infrastructure-testing methodology, the test can cover a wide-ranging array of technologies, from smaller on-premises networks to hybrid cloud deployments, as well as container clusters, Hadoop datalakes and complicated Redis message queues between systems. It can also cover a wide range of operating systems, including endpoints running Mac OS X, Windows and Linux operating systems.
Infrastructure penetration testing can also complement web application testing, ensuring that the servers and networks supporting mobile and web applications are as secure as possible. This is now becoming an accepted industry best practice, as evidenced by the OWASP ASVS scheme.
Considerations during Infrastructure Penetration Testing
All penetration testing carries an amount of risk, the consultant will work with you to ensure that the quality of assurance can be achieved without introducing additional risk into the environment. Where development or test environments are used as part of risk mitigation, LRQA Nettitude recommends that wherever possible that environment is as close to identical in every way to the production environment. This will help ensure that all findings and recommendations are as focused as possible, allowing you to implement them into the Production environment after normal change control.
During the scoping process, explain what your primary security concerns are to the tester, as this will allow them to focus testing around those areas and risks. This may focus on the confidentiality of sensitive intellectual property or the availability of a critical line of business application.
LRQA Nettitude would recommend a grey-box approach to advanced infrastructure testing wherever possible. Assessments are always time-limited, and providing the tester with network diagrams or lists of key servers will prevent them from having to expend time to determine and enumerate this information. A skilled tester will also be able to ‘work back’ and show how they would have located the target systems in a longer period.
Advanced infrastructure penetration testing should always contain an element of manual exploitation of vulnerabilities to confirm the issue is present and allow any other post-exploitation activities to occur. This also allows you to measure whether any defensive controls (such as a SOC, or Endpoint Detection and Response software) were able to detect the exploitation attempt. Certain circumstances may make exploitation not possible, but manual confirmation of vulnerabilities should always take place.
The complexity of advanced infrastructure penetration testing
Due to the wide-ranging nature and variety of this type of assurance, it allows for a variety of different service offerings. These can range from simpler services such as automated vulnerability assessment with manual confirmation, to inter-continental networks and supporting VPN devices.
It is also possible to assess large-scale Active Directory for their adversary resilience and systems administration security, helping mitigate highly privileged credentials from being abused by attackers across the network and detecting malicious activity through enhanced logging and visibility.
Maximising value from infrastructure penetration testing
Infrastructure penetration testing sits within a wider security assurance framework, and its success is directly linked to leadership buy-in, and complementing infrastructure testing with other assurance activities. Examples of this can be found in firewall reviews, egress filtering assessments and build reviews, allowing the system or environment as a whole to be tested.
Assurance activities should always be as widely scoped as possible; this allows the consultant to examine as many of the supporting systems as possible and maximise the breadth of coverage and assurance gained. This also allows assessments to be made to the level of security awareness within the business (for example, the presence of passwords or sensitive information stored in file shares). As highlighted previously, the use of a grey-box approach will allow for the maximum time to be spent on determining, testing and exploiting vulnerabilities, as well as working closely with you to determine remediation that are achievable and realistic to implement.
Infrastructure penetration testing reports
Infrastructure testing reports should be extremely detailed, allowing for thorough explanation and exploitation of any vulnerabilities, as well as nuanced recommendations to strengthen the security of the system under test. Wherever possible, these should be backed up by industry-accepted standards such as the Center for Internet Security (CIS) or vendor best practices references.
One of the most effective methods for driving change and improving security is the production of an attack chain narrative. This allows the tester to describe how an attacker can leverage several smaller misconfigurations to compromise the system. These narratives are often suitable to present to senior leadership, allowing risk to be more accurately measured and remediation action prioritised.
These are the basics of an infrastructure penetration test and the essential components to consider. Maintaining your organisation's digital infrastructure is one of the most important aspects of your cybersecurity strategy and should be considered carefully.
Do you need help securing your organisation’s digital infrastructure? Contact solutions@nettitude.com