HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
linkedin_logo.png rss_logo.jpg
twitter_logo.png youtube_logo.jpg
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 32 guests and 1 member online
 
Free Business and Tech Magazines and eBooks

You are here: Home arrow Ethical Hacking Discussions and Related Certificationsarrow Forensicsarrow Cyber Incident - is a pentest enough?
EH-Net
May 19, 2013, 09:51:00 PM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: Go back to The Ethical Hacker Network Online Magazine Home Page
 
   Home   Help Calendar Login Register  
Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: Cyber Incident - is a pentest enough?  (Read 9491 times)
0 Members and 1 Guest are viewing this topic.
24772433
Newbie
*
Offline Offline

Posts: 33


View Profile
« on: November 15, 2012, 12:22:58 PM »
This is completely hypothetical but if a company knows they have been compromised in some fashion, maybe through information from their ISP or host, would a pentest be of any value; considering the company would want the current attacker removed and not told how other attackers could get!

Is Incident Handling/forensics the only way to go in this scenario? Following up with regular pentests.
Logged
ziggy_567
Sr. Member
****
Offline Offline

Posts: 361


View Profile
« Reply #1 on: November 15, 2012, 12:40:42 PM »
In this situation, a pentest definitely is not on the top of priorities!

If an attacker is on the inside, your first step is to "stop the bleeding" - determining how the attacker got in so you can plug the hole. Once the company has worked through its incident response plan (assuming there is one), the thought of performing a pentest should start creeping in.
Logged
--
Ziggy


eCPPT - GSEC - GCIH - GCUX - RHCE - SCSecA - Security+ - Network+
hayabusa
Hero Member
*****
Offline Offline

Posts: 1630



View Profile
« Reply #2 on: November 15, 2012, 12:46:06 PM »
A pentest would ALWAYS be of value.  But, whether or not it would make a difference immediately, knowing you've been compromised already, is the key. 

Forensics is often the fastest (and should be the immediate first step) way to determine how the current compromise happened, but might not give all the details, so following up with / in conjunction with a pentest (in this case, informed about what the forensic activities found, so you can be on extra lookout for said vulnerability and how they exploited it) would be a logical value add to the forensic actvities.

Obviously you have to better your security posture through remediation and recommended / continued testing, at regularized intervals (or not so regular, as well, to keep folks sharp.)  But those are secondary to, as ziggy_567 noted, the immediate activities of triage.

In short, all the above would be prudent, but the first concern should be determining the immediate cause and effect of the current compromise.
Logged
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

OSCE, OSCP , GPEN, C|EH
Matthias2012
Newbie
*
Offline Offline

Posts: 10


View Profile
« Reply #3 on: November 15, 2012, 01:53:58 PM »
Short answer: NO!
Somebody told me, compare a Pentest with small picture.
 A picture of a wall with a whole in it. You can see the hole, but what you don`t see is, did somebody used it, whats he doing inside and did he get outside the same way? And if it is a small picture are there some more holes you do not see on that picture.
Logged
Matthias Dörfer
_______________________________________________________
eCPPT - C|EH - MCITP
3xban
Hero Member
*****
Offline Offline

Posts: 605


View Profile WWW
« Reply #4 on: November 15, 2012, 01:58:26 PM »
The pen test might tell you where the holes may be, but it won't tell you where the compromise or breach is.  It should definitely be something added to the preventive plan later on but I wouldn't say it should be a priority when first dealing with incident.  IR should be the first thing put into play and if the company doesn't have IR experience, they should get a hold of a company that specializes in it.  During the process it is important to try and locate where the leaks are and getting them plugged.  Find out what was lost as well, if the data wasn't critical to the company, then that may change how quickly you would address the issue.  If the breach is related to an advanced attacker, remediation may require additional monitoring time to try and find all possible compromised systems.  

Once that information has been obtained the remediation may need to get done all at once.  This may involve disconnecting completely from the net and remediate all compromised systems, implement new controls such as firewall rules, IDS/IPS, ACLs on vLANs etc...  Some companies will suggest you don't want to tip off the attacker too soon or they may drop additional backdoors in the environment that you may not find.  

Regular testing of the new security controls should then be scheduled to ensure they are doing their job.  It is important to ensure that a REAL penetration test is conducted in order to get the right assessment of your controls.  
Logged
Certs: GCWN
(@)Dewser
ajohnson
Recruiters
Hero Member
*
Offline Offline

Posts: 1057


aka dynamik


View Profile WWW
« Reply #5 on: November 15, 2012, 05:04:34 PM »
I think pen tests are most effective when an organization feels they have done everything they can to secure their environment and want to see how they measure up against an actual attack -or- there are known security deficiencies and they want verification of what the actual impact of a compromise would be. Neither of these are appropriate for the scenario you mentioned because the organization knows exactly where they stand: owned.

An odd but interesting scenario would be if they could not legitimately determine how the attack occurred. Say an attacker has installed a program that creates a basic reverse shell back to him or her, and this runs on an admin's desktop upon login. What if the actual attack, where the attacker pivoted through the network, occurred six months ago? Many organizations can't/don't retain logs past 30-90 days. All they know is there's a malicious program running on someone's desktop without a trail of information showing how it got there, and they can't determine how it could have possibly happened. It may have been has simple as social engineering, or it may have been a very intricate attack where the details are now lost. How do they validate their security posture if there are no obvious deficiencies?

Maybe a pen test would be a complimentary IH/IR activity in such a scenario. However, as everyone else has stated, procuring a pen test should never be the first thing you do upon learning you were compromised. Hopefully you've thoroughly covered the first step of incident handling and are now prepared for the rest.
Logged
WIP: GCFA | www.infosiege.net | @infosiege

The day you stop learning is the day you start becoming obsolete.
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.18 | SMF © 2013, Simple Machines
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.061 seconds with 22 queries.
 
Exclusive Deal

sansfire13_245x90_cw90.jpg
SANSFIRE 2013
June 15 - 22

5% Off w/ Code: EHN_5

SANS Deals 4 EH-Netters
5% OFF Any SANS Course in Any Format!
Coupon Code: EHN_5 Including SANS Rocky Mountain 2013 & SANS Boston 2013
Polls
Compared to this year, 2013 will be:
 
Recent Forum Topics
EH-Net News Feeds
Latest Additions
 
         
Free Business and Tech Magazines and eBooks

© 2013 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.