The purpose of a penetration test is to explore your business from the perspective of an attacker and, most importantly, to discover and understand the weaknesses that may exist in your environment and how to protect your business from them. There are countless ways that attackers compromise systems and applications, but what they do once they are in depends on their motivation. To understand that motivation, we must first know the various threats we are up against.
What are the threats attacking my business?
- Script Kiddie: A script kiddie is a loose term for an inexperienced attacker, often a student who, in an effort to learn about technology, ends up exploiting systems and obtaining unauthorized access to environments they have no business in. While their underlying motivation may not be malice, they break various laws. Script kiddies rely on other attackers' exploits and tools (the "scripts") and run as many of them as they can against a target in the hope that one works. They target everything, and they have the lowest skill level. Their motivation is usually social status (bragging rights) and the thrill.
- Hacktivist: A hacktivist is a newer term for an attacker driven by an activist mentality. Their attacks typically target political or corporate entities over a perceived wrong-doing. While their attacks frequently take the form of denial of service, they have also breached countless organizations across a range of industries. The collectives "Anonymous" and "LulzSec" fall under this category.
- Black Hat: A black hat is an individual whose income depends on attacking systems and profiting from the information they obtain. Their motivation is usually financial, and they will leverage compromised systems to that end. Compromised systems are commodities: the information on them may be sold, or the systems themselves leased as a service for spam, ad fraud, or spreading malware to your customers.
- Organized Crime: More and more, organized crime has moved onto the internet. Where conventional organized crime targeted physical locations and large companies, these groups have capitalized on targeting end users. Ransomware, scareware, spyware and spam networks are almost always run by an organized team of attackers. Like a black hat, these threats are motivated by money and essentially run a business that will sell you the key to unlock your own data (ransomware), scare you into paying for fake antivirus software (scareware), obtain unauthorized access to your bank accounts (spyware), or use your systems to send or coordinate spam. There are countless other schemes we have left out, including cryptocurrency mining and DDoS-for-hire. Organized crime groups are often sophisticated in their attacks and, like any business, hire developers to maintain their malware and evade antivirus detection in order to preserve their access.
- Advanced Persistent Threat: Advanced Persistent Threat (APT) is not a term we use often; it refers to a well-resourced, typically state-sponsored attacker focused on achieving a specific objective. Stuxnet, Duqu, and WannaCry are three examples of attacks attributed to such actors, and operations of this kind are very well funded ($1M+). These are by far the most sophisticated attackers, and we generally only hear about them when they fail. APT activity is seldom the cause of the corporate breaches we see, and we find that even our own simulated attacks are sometimes misread as an APT.
What motivates a hacker to compromise my website?
Having covered the threats, the motivation to compromise your website depends heavily on which attacker you are dealing with. Targets of opportunity, meaning sites that are not patched or do not follow secure configuration standards, attract lower-skilled attackers who may compromise your website simply because they can. As the threat escalates to more advanced, financially motivated attackers, they view your website as a conduit to all of your customers, as a warehouse of information they can sell, or as computing resources they can use to send spam, spread malware, or mine cryptocurrency.
Not all attackers are focused on stealing credit cards, but card data is one of the easiest commodities to sell on the internet. The PCI Security Standards Council understands this, which is why every requirement in PCI DSS is focused on protecting cardholder data. If privacy-related information or your users' passwords are compromised instead, those requirements do not apply.
Why do I need a penetration test?
If you store, process, or transmit credit card data, PCI DSS mandates regular penetration testing. If not, most countries have regulatory requirements that mandate the protection of personal information (PII), such as PIPEDA in Canada, and of personal health information (PHI), such as Ontario's PHIPA. While regulation is the entry point that mandates protection of information, maintaining customer confidence in your brand and protecting trade secrets are concerns that are too often overlooked.
In 2002, the United States ran a war game (Millennium Challenge 2002) to explore its response to various threats. When it was completed, it was the most expensive military simulation in American history, topping $250 million, with 13,500 service members spread across 17 locations. The hypothesis was that, given the future technologies and strategies available to the US forces, it would be very unlikely for the opposing team to win. During this simulation the US team, called the blue team, had access to countless streams of data, technologies and controls. The adversary, the red team, was led by Paul Van Riper, who has been widely praised for having “created the conditions for successful spontaneity” by making quick decisions based on the information available to him.
The US found that it was up against an adversary who did not follow the rules it expected, and in the opening moves Van Riper's low-tech, pre-emptive attack struck before the US forces' own attack began and quickly overwhelmed their monitoring systems. After an awkward silence, the blue team leader conceded that the red team had “sunk my damn navy” and inflicted “an extremely high rate of attrition, and a disaster, from which we all learned a great lesson”.
It is easy to draw a parallel to this simulation, since both worlds have red teams and blue teams. Corporate blue teams have countless controls, sensors, and logs in place that they are monitoring. They are often so overwhelmed by information that they make mistakes or miss critical events that may be indicators of compromise. The blue team also follows the rules (the law) and may not attack its adversaries, no matter how tempting that may be.
Cutting through that noise is the purpose of the red team (the penetration tester): to explore the technical landscape of your organization and attempt to find and exploit a weakness in your defences. The deliverable of a penetration test is a concise list of recommendations centred on closing the gaps that were found. Training and experience play a tremendous role in the quality of that deliverable, which is why choosing a penetration testing company proves so difficult. Paul Van Riper's spontaneity directly relates to the creativity that we, as penetration testers, try to bring to each of our assessments.