Infrastructure Penetration Testing

Unlike depth-based penetration testing, coverage-based penetration testing has a broader, “let’s keep looking” focus. With this approach, testers look for multiple ways to compromise an environment and exploit its vulnerabilities. In fact, they look for as many ways in, not just the easy ones, and don’t simply stop after the first exploit. Depth-based, in contrast, focuses on finding the path of least resistance, or the easiest way in. This is the path attackers will often take, but it doesn’t consider that there are multiple other ways, which may be a little bit more challenging to exploit.

The simple answer is reassurance. Our team of consultants will ensure that we have done everything possible to evaluate the security defenses you have in place at your organization. It is impossible to assess how well an organization’s defensive measures are working, unless they have been tested to react the way a vendor has claimed they are intended to perform. Many of our clients have discovered that their defensive 24/7 Security Operations Centre awareness teams failed at discovering an intruder in a timely manner, or fail to identify a breach of security. In addition, many Anti-Virus and Intrusion Detection System frameworks have failed at detecting malware.

Unfortunately, other clients called us only after they experienced a breach. At that point, the damage had already been done, which lead to a forensic assessment to discover how the breach occurred. By taking a preventive strategy your organization will gain access to our comprehensive reports, which are among the most inclusive in the industry. Our reports detail findings in an easy-to-read layout for executives, but also provide the necessary results, guidelines and suggestions that can help the technical staff mitigate the exploitable vulnerabilities found going forward. This allows management to share results with all organizational stakeholders involved to address the weaknesses in all related operations, and to help focus on the costs needed for investing in securing your entire IT architecture.

Both of these areas of assessment focus on different assumptions and attack surfaces. External infrastructure testing is concerned with what services, protocols, and applications are being exposed to the internet, e.g. web servers, log-in portals. These systems are considered the most vulnerable, as the constant bombardment of attacks from external threat actors create a high level of risk to all exposed areas. The systems that are exposed must have impeccable configurations focusing on hardening techniques, leaving no room for error, and must also be concerned with denial of service attacks.

The assumption with Internal infrastructure testing is that external threat actors have already penetrated external defenses to find a way inside or the threat is being sourced from an internal actor, which some consider a company’s greatest threat, or a vendor that has already been authorized for access. The primary focus areas for this type of testing are lateral movement and privilege escalation. The goal of this type of testing is to identify how difficult it is for an internal attacker to move around the internal network and to discover what type of sensitive data may be obtained in the process. This is also an effective way to test the awareness of the defensive team by identifying how quickly it takes for a defensive team to discover the presence of an intruder and if they were able to isolate how the intruder gained entry.

From our experience, we have found that intruders continuously find the weakest link and utilize the path of least resistance to enter an organization’s network. This path circumvents a firewall’s configuration and implementation. The purpose of a firewall is to only allow specified traffic in or out as authorized – but if an attacker can hide within permitted traffic, they can undoubtedly use it to enter and exit as required. Common examples can include utilizing web, DNS, or email traffic to keep from being discovered. In most cases, the common weakest link in organizations are the staff that fall victim to phishing-based attacks that can be used to gain a foothold into the internal network that may lead to an intruder exploring sensitive assets.

Depending on the scope and size of the engagement, most security testing engagements fall between the range of weeks to months. In that time, the assessment of the network infrastructure involves testing all assets in scope, which can include a large number of services, applications and protocols being used by those assets. Given the budget of the client, time restrictions, and scope of allowable testing rules, in most cases the time and budget spent would be better utilized on the actual testing of the assets. Our team of consultants can spend the entire allocated time and budget on trying to bypass external defense mechanisms or create a sophisticated phishing campaign (as is done in objective-based penetration testing) until we gain entry, but by that time the budget may be well spent, leaving little opportunity for the actual security assessment. As such, in most situations, providing our consultants with VPN credentials or planting a device inside the network to ensure the network infrastructure can be thoroughly tested in its entirety will provide the most value.