- June 18, 2020
IT Attack and Defense Case Study
ITAttack and Defense Case Study
ITAttack and Defense Case Study
Thecompany we hired our team is in the retail industry, has a largeenterprise network, and processes over 100, 000 credit cardtransactions daily in over 100 store locations. As such, theorganization has a huge network infrastructure which links companyheadquarters, business offices, and retail stores. Our team wastasked with the duty of penetration test with much focus on the mostcritical devices and systems. The objective was to carry out the testwith minimal impact on their production environments whilst ensuringthat the organization’s backup devices and systems were nottargeted at once. Ideally, the Chief Information Security Officer(CISO) was worried that the test would most likely bring theirnetwork down, and thus requested that we focus on mail servers,database servers, DNS servers, firewalls, web servers, and routers.
Overviewof Technical Approach to Conducting the Test
Typically,a penetration test, also referred to as a pen test, is an endeavor toevaluate the security of an IT infrastructure through processes suchas securely trying to exploit weaknesses, potentially getting accessto the machine’s data or features. These weaknesses or flaws mayexist in operating systems, applications, risky end-user behavior, oreven, improper configurations. The process identifies the systemwhich can be used as a target, and a goal in particular then reviewsthe information that is available and uses various means to achievethe goal (Weidman, 2014). In retrospect, such assessments assist inthe validation of the efficiency of defensive mechanisms and end-useradherence to security policies.
Securityissues which are uncovered by a penetration test are usually reportedto the system owner in a penetration test report, which assessespotential impacts to the organization and provides suggestions ascountermeasures to mitigate the risks. Typically, the goals of apenetration test are varying depending on the form of an activitywhich has been approved for a given engagement, but the overall keyobjective is finding weaknesses that could be exploited by a personwith malicious intentions – hacker, as well as informing the clientof these flaws together with recommended strategies (EC-CouncilPress, 2011).
Thepenetration testing process can be divided into two key parts:discovering flaws – combinations of legal operations that providesthe tester with the power of executing an illegal operation, andspecifying the illegal operation (Allen, 2012). We aim to test forlegal executions which allow the tester to execute illegaloperations, including old hash or cypto functions, humanrelationships, unchanged salts in projects whose source code isvisible, as well as unescaped SQL commands. In retrospect, oneweakness may not be sufficient to permit a serious exploit whileleveraging many known defects and modifying the payload to representa valid operation, which is necessary in most cases. Inherently, weaim to achieve this agenda through Metasploit, which is a rubylibrary that contains a record of known exploits for common tasks.
Dueto the fact that we are on a time constraint (one week), we aim touse fuzzing, which is a common method for discovering weaknesses.Objectively, fuzzing is targeted at obtaining get an un-handled errorvia a random input. Ideally, we will use the random input in order togain access to less often used code paths, as frequently used pathsare normally error free. Errors are important as they show moreinformation, including HTTP server crashes which contain fulltracebacks, or are directly usable such as buffer overflows.
Typically,if a website contains 100 or more boxes for inserting text, some ofthem usually have a weakness for SQL injections this occurs onseveral strings. Thus, giving random strings to these boxessubsequently can hopefully hit the code path with bugs. Inherently,the errors are denoted by a broken HTML page it is not renderedcompletely as a result of a SQL error. In such as scenario, only textboxes are regarded as input streams, but software systems containvarious possible input streams, such as the uploaded file stream, RPCchannels, cookie and session data, as well as memory. In retrospect,errors can take place in any of the input streams and thus, the testkey goal is to initially get an un-handled error, followedimmediately by a determination of the weakness that prompted thefailed test case.
Aftera series of testing, debugging, and debugging, we have written anautomated tool for testing the understanding of the flaw till it iscorrect. Consequently, it is obvious on how to package the payload insuch a way that the target system sparks off its execution. In caseswhere this is not possible, it is our hope that a subsequent errorgenerated by the fuzzer will be more useful. Needless to say, using afuzzer will actually save time via not checking enough paths of codewhere exploits are not likely.
Inherently,there exists an array of security assessment tools, which can help inthe process of penetration testing, including proprietary and freeopen source software. Interestingly, some operating systemdistributions are built the goal of penetration testing, and containpre-configured and pre-packaged tools. In such a manner, thepenetration tester need not look for each tool, which might broadenrisks, including configuration errors, dependency issues, andcompilation errors. In addition, getting extra tools may proveimpractical based on the context of the tester (Engebreston, 2011).
Weaim to use one of the popular penetration testing operating systemssuch as WHAX – which is based on Slackware Linux, Pentoo – which isin turn based on Gentoo Linux, or Kali Linux – which,correspondingly, is based on Debian Linux. Intrinsically, severalspecialized operating systems provide penetration testing, but eachis dedicated to a specific field of penetration testing. We willemploy a number of Linux distributions, including application flawsand operating system weakness, and we will deploy these as targets.Ideally, such systems assist new security professionals in trying outthe newest security tools, including Metaspoiltable, the OWASP WebTesting environment (WTW), and the Damn Vulnerable Linux (DVL).
Usually,the payload – as referred to as in Metasploit terminology, or theillegal operation is likely to involve a webcam peeker, a passwordhash stealer, an ad popupper, a remote mouse controller, or a botnetdrone (Muniz & Lakhani, 2013). We shall take advantage of thelarge databases of known exploits that are maintained by somecompanies, and which offer products automatically test systems forweaknesses and flaws. These include: Metaploit, W3af, OpenVAS, Nmap,and Nessus.
Aclear timeline will be established for the penetration test. However,even though scope defines the start and end of the test, theengagement test defines everything, and the timeline will change asthe test progresses. Therefore, having a rigid timeline is not ourgoal, but rather we will create one in order to allow everyone toidentify the work to be done as well as the duties for each personinvolved.
Inprinciple, the report will be subdivided into two main parts – theExecutive Summary and the Technical Report – so as to showcase themethods, results, and the objectives of the testing which wasconducted. The executive summary will communicate the reader the mainobjectives of the penetration testing, as well as the high levelfindings of the test. Mostly, the CISO will be the intended audience.The executive summary will at least contain sections such as thebackground, strategic roadmap, risk ranking, overall posture, generalfindings, and recommendation summary. The background will explain tothe reader the key objective of the test, the details of the terms asspecified in the Pre Engagement section, and testing objectives. Theoverall posture will show the effectiveness of the test and ourability to attain the objectives which were set in the pre engagementsections.
Weshall identify and explain the overall risk ranking, which isbasically the score for tracking and grading risk. The generalfindings will offer a summary of issues which were discovered duringthe penetration test in a statistical format, while therecommendation summary will provide the reader with a detailedunderstanding of the tasks necessary to solve any identified risks,and the effort necessary for implementing the recommendations given.Finally, the strategic roadmap will include a plan which isprioritized, for repairing any insecure items which are discovered.In addition, it will map directly into the objectives identified andthe threat matrix created.
TheTechnical Report will contain the technical details of the test aswell as all of the components which were agreed on as the mainsuccess indicators in the pre engagement terms. Inherently, it willcontain sections such as the introduction, information gathering,active intelligence, personnel intelligence, passive intelligence,corporate intelligence, vulnerability assessment, post exploitation,risk exposure, vulnerability confirmation, and the conclusion. Theintroduction will describe the objectives, strength, and scope of thetest. Intelligence gathering, including indirect analysis from Googledorking for IP, will be provided to show the client the extent ofprivate as well as public information available.
Thevulnerability assessment will describe the methods used inidentifying potential weaknesses, which exist in a penetration testand the threat classification of each threat. Vulnerabilityconfirmation will review all undertaken steps in order to confirm thedefined weaknesses, by triggering the vulnerabilities in order toattain a certain level of access to the target system.Correspondingly, post exploitation will illustrate the relation ofthe ability of exploitation to the actual risk to the organization.Finally, risk exposure will provide risk values, corporate valuation,information criticality, as well as derived business impact.
Overall,this will be a detailed penetration testing, which will mainly focuson mail servers, database servers, routers, DNS servers, web servers,and firewalls. By using advanced systems and penetration dedicatedoperating systems such as Kali Linux, Pentoo, or Whax, we will beable to test the network infrastructure for possible vulnerabilitiesthat could potentially harm the network, especially when someone withmalicious intent gains access to the system.
Allen,L. (2012). Advancedpenetration testing for highly-secured environments: The ultimatesecurity guide. Birmingham:Packt Pub.
EC-CouncilPress. (2011). Communicationmedia testing. CliftonPark, N.Y: Course Technology Cengage Learning.
Engebreston,P. (2011). Thebasics of hacking and penetration testing: Ethical hacking andpenetration testing made easy. Burlington:Elsevier Science.
Muniz,J., & Lakhani, A. (2013). Webpenetration testing with Kali Linux: A practical guide toimplementing penetration testing strategies on websites, webapplications, and standard web protocols with Kali Linux. Birmingham:Packt Publishing.
Weidman,G. (2014). Penetrationtesting: A hands-on introduction to hacking.