.

Cyber Incident - is a pentest enough?

<<

24772433

User avatar

Newbie
Newbie

Posts: 34

Joined: Thu Oct 20, 2011 3:22 pm

Location: UK

Post Thu Nov 15, 2012 1:22 pm

Cyber Incident - is a pentest enough?

This is completely hypothetical but if a company knows they have been compromised in some fashion, maybe through information from their ISP or host, would a pentest be of any value; considering the company would want the current attacker removed and not told how other attackers could get!

Is Incident Handling/forensics the only way to go in this scenario? Following up with regular pentests.
<<

ziggy_567

User avatar

Sr. Member
Sr. Member

Posts: 378

Joined: Tue Dec 30, 2008 1:53 pm

Post Thu Nov 15, 2012 1:40 pm

Re: Cyber Incident - is a pentest enough?

In this situation, a pentest definitely is not on the top of priorities!

If an attacker is on the inside, your first step is to "stop the bleeding" - determining how the attacker got in so you can plug the hole. Once the company has worked through its incident response plan (assuming there is one), the thought of performing a pentest should start creeping in.
--
Ziggy


eCPPT - GSEC - GCIH - GWAPT - GCUX - RHCE - SCSecA - Security+ - Network+
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Thu Nov 15, 2012 1:46 pm

Re: Cyber Incident - is a pentest enough?

A pentest would ALWAYS be of value.  But, whether or not it would make a difference immediately, knowing you've been compromised already, is the key. 

Forensics is often the fastest (and should be the immediate first step) way to determine how the current compromise happened, but might not give all the details, so following up with / in conjunction with a pentest (in this case, informed about what the forensic activities found, so you can be on extra lookout for said vulnerability and how they exploited it) would be a logical value add to the forensic actvities.

Obviously you have to better your security posture through remediation and recommended / continued testing, at regularized intervals (or not so regular, as well, to keep folks sharp.)  But those are secondary to, as ziggy_567 noted, the immediate activities of triage.

In short, all the above would be prudent, but the first concern should be determining the immediate cause and effect of the current compromise.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

Matthias2012

User avatar

Newbie
Newbie

Posts: 12

Joined: Mon Sep 17, 2012 3:08 pm

Location: Germany

Post Thu Nov 15, 2012 2:53 pm

Re: Cyber Incident - is a pentest enough?

Short answer: NO!
Somebody told me, compare a Pentest with small picture.
A picture of a wall with a whole in it. You can see the hole, but what you don`t see is, did somebody used it, whats he doing inside and did he get outside the same way? And if it is a small picture are there some more holes you do not see on that picture.
Matthias Dörfer
_______________________________________________________
eCPPT - C|EH - MCITP
<<

Triban

User avatar

Hero Member
Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Thu Nov 15, 2012 2:58 pm

Re: Cyber Incident - is a pentest enough?

The pen test might tell you where the holes may be, but it won't tell you where the compromise or breach is.  It should definitely be something added to the preventive plan later on but I wouldn't say it should be a priority when first dealing with incident.  IR should be the first thing put into play and if the company doesn't have IR experience, they should get a hold of a company that specializes in it.  During the process it is important to try and locate where the leaks are and getting them plugged.  Find out what was lost as well, if the data wasn't critical to the company, then that may change how quickly you would address the issue.  If the breach is related to an advanced attacker, remediation may require additional monitoring time to try and find all possible compromised systems.  

Once that information has been obtained the remediation may need to get done all at once.  This may involve disconnecting completely from the net and remediate all compromised systems, implement new controls such as firewall rules, IDS/IPS, ACLs on vLANs etc...  Some companies will suggest you don't want to tip off the attacker too soon or they may drop additional backdoors in the environment that you may not find.  

Regular testing of the new security controls should then be scheduled to ensure they are doing their job.  It is important to ensure that a REAL penetration test is conducted in order to get the right assessment of your controls.  
Certs: GCWN
(@)Dewser
<<

dynamik

Recruiters
Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Thu Nov 15, 2012 6:04 pm

Re: Cyber Incident - is a pentest enough?

I think pen tests are most effective when an organization feels they have done everything they can to secure their environment and want to see how they measure up against an actual attack -or- there are known security deficiencies and they want verification of what the actual impact of a compromise would be. Neither of these are appropriate for the scenario you mentioned because the organization knows exactly where they stand: owned.

An odd but interesting scenario would be if they could not legitimately determine how the attack occurred. Say an attacker has installed a program that creates a basic reverse shell back to him or her, and this runs on an admin's desktop upon login. What if the actual attack, where the attacker pivoted through the network, occurred six months ago? Many organizations can't/don't retain logs past 30-90 days. All they know is there's a malicious program running on someone's desktop without a trail of information showing how it got there, and they can't determine how it could have possibly happened. It may have been has simple as social engineering, or it may have been a very intricate attack where the details are now lost. How do they validate their security posture if there are no obvious deficiencies?

Maybe a pen test would be a complimentary IH/IR activity in such a scenario. However, as everyone else has stated, procuring a pen test should never be the first thing you do upon learning you were compromised. Hopefully you've thoroughly covered the first step of incident handling and are now prepared for the rest.
The day you stop learning is the day you start becoming obsolete.

Return to Forensics

Who is online

Users browsing this forum: No registered users and 2 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software