Internal Penetration Test
Service Overview ⫘
The objective of an Internal Penetration Test is to demonstrate weaknesses in systems or network services (highlighting that "the chain is only as strong as the weakest link") and/or how to leverage the weaknesses to move through the network and gain access to target systems or data. The test includes exploitation of vulnerabilities, username and password discovery, lateral movement between systems inside and outside of the target environment, and pivoting through compromised hosts. The test exposes security flaws that vulnerability assessments do not usually detect, and is more aligned with how modern threat actors attack and compromise network environments.
Service Methodology ⫘
The Secureworks approach to advanced network security testing is based on an internally developed methodology, derived from industry best practices and extensive security testing experience. Secureworks works closely with you to determine in-scope and out-of-scope targets.
Prior to the test, Secureworks will schedule a kickoff call to establish rules of engagement, level of effort, scope, risk acceptance, initial access requirements, reporting requirements, test timelines, and schedules.
Listed below are components of the test:
Initial Access - Threat Model Selection ⫘
Threat actors breach network perimeters and reach internal networks through many different initial access vectors. Choosing the threat model(s) that best fit your environment, your threat actor concerns, and the overall goals of the test is therefore important: it keeps the Internal Penetration Test realistic rather than generic.
Secureworks offers several starting points for Internal Penetration Tests which aim to examine your network via different threat models as described below:
- Rogue Employee / Malicious Insider
- Simulated DMZ Server Breach
- Endpoint Compromise
- Credential Compromise
- Custom scenario: If the above models do not fit your environment, or if you have a specific threat model edge case that you would like to explore, Secureworks Adversary Group consultants will help build out a customized plan for the engagement during a scoping call.
Remote Testing Appliance ⫘
For certain threat models, Secureworks makes use of the Remote Testing Appliance (RTA) for Internal Penetration Tests. The RTA is a custom-built virtual machine that gives the testing consultant access to your internal network. When the RTA boots, it phones home to Secureworks infrastructure over an encrypted channel. The RTA can be provided in OVA format for traditional hypervisors such as VMware and VirtualBox, as well as for cloud compute instances such as AWS EC2 (as an AMI) and Azure. There are a few things to note:
- The RTA requires the following resources: 32 GB of disk, 4 GB of RAM, and 2 vCPU cores.
- RTA placement in the network is important and can make a large difference in the outcome of testing. The RTA is best placed in a user environment, where the tester can both simulate the most likely starting point of an attack and listen in on network traffic from user machines (for example, broadcast name-resolution requests). Placing the RTA in a server environment is typically not ideal and may produce considerably different results from a user-environment placement.
- Ensure that networking is configured for Bridged mode in your VM software before testing begins, so the RTA receives an address on the user network itself rather than a NAT address behind the hypervisor host.
- The VM connects outbound on port 443 to https://connect.remotetesting.secureworks.com. If your firewall does not allow port 443 outbound to this host, an allow-list rule will need to be added. Note that the connection carries a VPN protocol, not ordinary HTTPS, so also make sure the firewall permits that VPN protocol over port 443 specifically; otherwise any protocol-inspecting firewall will likely block the connection even though a plain TCP connect to port 443 succeeds.
Endpoint Compromise Requirements ⫘
For an Internal Penetration Test utilizing an endpoint compromise threat model, the following is an overview of required preparations before the start of the engagement:
- Customer to provision a domain-joined Windows system which will be used as the initial access host.
  - This can be a virtual machine or a laptop; whichever you prefer, as long as it is domain joined.
  - The system should be configured so it does not hibernate or sleep, which would drop the command-and-control connection.
- Customer to provision a domain user that is representative of a typical employee or role.
  - This can be a trusted agent / real employee or a newly created account.
  - This is the account that will execute the payload or otherwise provide access to the initial access endpoint.
- Secureworks will provide a customized payload to be executed on the provisioned system by the provisioned user to establish command-and-control. Defenses such as EDR/AV can remain active on this host; however, if the payload is caught, the payload and/or its network traffic must be allow-listed, or the system placed into a monitor-only mode (alert but not prevent/block), so the exercise can proceed.
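The preparation steps above, collected into a single script. This is an added example of how a customer might carry out the host and user provisioning, not a Secureworks script; the user name, OU path and payload folder are assumptions, and the endpoint-protection section shows only Microsoft Defender commands (other EDR vendors expose the equivalent allow-list and audit-mode settings in their own consoles).

```powershell
# Added example (not Secureworks tooling): prepare the initial access host for an
# Endpoint Compromise engagement. Run in an elevated PowerShell session on the
# provisioned Windows host. $TestUser, $TargetOU and $PayloadFolder are assumptions.
#Requires -RunAsAdministrator

$TestUser      = 'pt.employee'                        # assumed name of the provisioned domain user
$TargetOU      = 'OU=Staff,DC=corp,DC=example'        # assumed OU for ordinary employee accounts
$PayloadFolder = 'C:\PenTest'                         # assumed folder the payload will be run from

# 1. Confirm the host is domain joined; the threat model requires a domain member.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw "Host $($cs.Name) is not domain joined. Join it to the domain before the engagement."
}
Write-Host "Host $($cs.Name) is joined to $($cs.Domain)"

# 2. Never sleep or hibernate (on both AC and battery), so the implant keeps its connection.
foreach ($setting in 'monitor-timeout', 'disk-timeout', 'standby-timeout', 'hibernate-timeout') {
    powercfg /change "${setting}-ac" 0
    powercfg /change "${setting}-dc" 0
}
powercfg /hibernate off

# 3. Provision the test user. Needs the ActiveDirectory RSAT module (normally on a DC or admin host).
#    The account should look like a standard employee: no privileged group memberships.
if (Get-Command New-ADUser -ErrorAction SilentlyContinue) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$TestUser'")) {
        $pw = Read-Host -AsSecureString -Prompt "Initial password for $TestUser"
        New-ADUser -Name $TestUser -SamAccountName $TestUser `
            -UserPrincipalName "$TestUser@$($cs.Domain)" `
            -Path $TargetOU -AccountPassword $pw -Enabled $true -ChangePasswordAtLogon $false
    }
} else {
    Write-Warning 'ActiveDirectory module not present here; create the user from a DC or RSAT host.'
}

# 4. Endpoint protection stays ON. Record its state so the report can say what the payload faced.
#    Only if the payload is blocked, either allow-list the payload folder or switch the relevant
#    controls to audit/monitor mode. Keep a note of any change so it can be reverted afterwards.
New-Item -ItemType Directory -Path $PayloadFolder -Force | Out-Null
$status = Get-MpComputerStatus
Write-Host "Defender real-time protection enabled: $($status.RealTimeProtectionEnabled)"
Write-Host "Defender signature version:            $($status.AntivirusSignatureVersion)"
# Allow-list option, to be applied only after the payload has been caught (Defender only):
# Add-MpPreference -ExclusionPath $PayloadFolder
```

Run step 3 from a host that has the ActiveDirectory module; the rest runs on the initial access host itself. Revert any exclusion added in step 4 once the engagement is over.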
Network Discovery ⫘
Secureworks performs port-scans of IP ranges you provide to identify live hosts. This test includes activities such as scanning a range of IP addresses to identify top transmission control protocol (TCP) ports in use and identifying specific applications and potential version information through banner grabbing. For external tests, scan data is delivered after the test is complete, detailing live hosts and top open ports. Port-scan data is not included with internal test reports.
Open Network Services Enumeration ⫘
Secureworks interrogates network services to gather additional information about the Customer network that could lead to compromise. Examples include the following:
- DNS hostname lookups, brute-force hostname enumeration, zone transfers, and DNS relays
- SNMP operating system, software, and network and user enumeration
- SMTP open mail relays and user enumeration
- NetBIOS/SMB domain policy disclosure, including password policy
- LDAP domain policy disclosure and enumeration
- Network service banners for exploitable software
- Web servers for default usernames and passwords and file upload vulnerabilities
- Unknown services to locate potential backdoors
Open Network Services Exploitation ⫘
Secureworks will use information from "Open Network Services Enumeration" to attempt compromise of network services. Examples of techniques used include the following:
- Brute-forcing of password-protected, network-based services (Secureworks will request the password lockout policy in advance so that guessing stays below the lockout threshold and accounts are not locked out)
- Authentication bypass of vulnerable network services
- Exploiting outdated vulnerable services using public exploits
- Identifying and exploiting network backdoors
- Performing Man-in-the-Middle attacks
Note: Use of captured credentials, while not a software vulnerability, is a common vector of attack. Use of captured credentials and publicly disclosed breach data are considered in-scope. The use of any exploits with high risk of Customer service impact will be discussed prior to use.
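The lockout-policy request in the brute-forcing item above is easy to get wrong when fine-grained password policies are in play, because a policy scoped to privileged groups can set a much lower threshold than the default domain policy. The following script is an added example of how a customer could export every lockout policy for the test team and derive a guessing cadence that stays under the strictest one; it is not Secureworks tooling, requires the ActiveDirectory RSAT module, and the output file name and the one-attempt safety margin are assumptions.

```powershell
# Added example (not Secureworks tooling): export domain lockout policies and derive a
# safe password-guessing cadence. Requires the ActiveDirectory module. Output path assumed.
Import-Module ActiveDirectory

$Report = @()

# Default domain policy: applies to every user not covered by a fine-grained policy (PSO).
$default = Get-ADDefaultDomainPasswordPolicy
$Report += [pscustomobject]@{
    Policy            = 'Default Domain Policy'
    AppliesTo         = '(all users without a PSO)'
    LockoutThreshold  = $default.LockoutThreshold          # 0 means accounts never lock out
    ObservationWindow = $default.LockoutObservationWindow  # TimeSpan after which badPwdCount resets
    LockoutDuration   = $default.LockoutDuration
    MinPasswordLength = $default.MinPasswordLength
}

# Fine-grained policies override the default for the groups/users they apply to.
# A spray tuned only to the default policy can lock out the accounts covered by a stricter PSO.
foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
    $Report += [pscustomobject]@{
        Policy            = $pso.Name
        AppliesTo         = ($pso.AppliesTo -join '; ')
        LockoutThreshold  = $pso.LockoutThreshold
        ObservationWindow = $pso.LockoutObservationWindow
        LockoutDuration   = $pso.LockoutDuration
        MinPasswordLength = $pso.MinPasswordLength
    }
}

# Cadence: stay strictly below the lowest non-zero threshold within its observation window.
$strictest = $Report | Where-Object { $_.LockoutThreshold -gt 0 } |
    Sort-Object LockoutThreshold | Select-Object -First 1

if ($null -eq $strictest) {
    Write-Warning 'No lockout threshold is set anywhere: unlimited guessing is possible, which is itself a finding.'
} else {
    # Margin of one attempt (assumed) for the user's own typos, which also count towards badPwdCount.
    $safeAttempts = [math]::Max($strictest.LockoutThreshold - 2, 1)
    $windowMin    = $strictest.ObservationWindow.TotalMinutes
    Write-Host ("Strictest policy '{0}': threshold {1} within {2} min -> at most {3} guesses per account per {2} min" -f
        $strictest.Policy, $strictest.LockoutThreshold, $windowMin, $safeAttempts)
}

$Report | Format-Table -AutoSize
$Report | Export-Csv -Path .\lockout-policy.csv -NoTypeInformation   # hand this file to the test team
```

Note that a cadence derived this way avoids lockouts but does nothing to hide the attempts: each failed guess still produces a 4625 or 4771 event on the domain controllers, which is exactly the signal the defensive team should be alerting on.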
Post Exploitation and Lateral Movement ⫘
Secureworks will attempt to identify compromise vectors for the wider network and domain infrastructure. The following techniques may be used to show the impact of compromise from earlier phases:
- Using gathered credentials and access tokens to compromise additional systems
- Evading antivirus and endpoint protection on compromised systems, further exploiting compromised hosts without detection
- Retrieving additional network and domain passwords and elevating privileges to achieve Domain Administrator or root-level access
- Scrutinizing Active Directory settings to identify misconfigurations leading to privilege escalation
- Exploiting domain trusts, network routes, and bridged networks exposed by compromised systems
- Searching for business-critical data
Note about Vulnerability Scanning: In internal environments, mass vulnerability scanning can sometimes cause disruption. Secureworks will therefore limit vulnerability scanning to specific targets that appear vulnerable. The report will only detail vulnerabilities leading to code execution, sensitive information leakage, or authentication bypass.
Remote Retest ⫘
Secureworks will conduct one (1) remediation validation ("RV") for only the high- and critical-severity findings listed in the final report. After primary test completion, Customer has ninety (90) days in which to remediate issues, schedule the RV, and have Secureworks perform the RV. Customer must submit the RV request through email to the Secureworks point of contact for the assessment within thirty (30) days of delivery of the final report or the RV is forfeited.
Note: Secureworks only conducts RVs remotely, regardless of whether the assessment was conducted on-site.
Outcome ⫘
Presentation of findings and deliverables compiled by Secureworks will be provided to you in the form of a report. The report will include the following:
- Executive summary
- Methods, detailed findings, narratives, and recommendations if any
- Attachments as needed for relevant details and supporting data
Customer shall have one (1) week from delivery of the report to provide comments to be included in the final report. If there are no comments received from Customer before the expiration of the review period, the report will be deemed final.
Upon completion of the Services, the Customer-designated contact will receive a secure/encrypted email confirmation from Secureworks. Unless otherwise notified in writing to the contrary by the Customer designated contact, within five (5) business days of such email confirmation, the Services and this SOW shall be deemed complete.
Scoping information ⫘
Due to the goal-based nature of internal testing, all systems attached to the internal network are in scope. Any system not explicitly excluded from testing may be compromised and used during attempts to attack the target systems. However, the focus of the engagement is compromise of the defined target systems.
Think of internal target systems as the goals of the penetration test, and consider choosing a sampling of systems to be targeted. For example, critical systems like domain controllers, web servers, file shares, cloud compute systems, and critical workstations all make good targets. In addition, systems from varying security zones can be helpful to test firewalls and segmentation. For example, say we place the RTA in a general user network in your NYC headquarters. If that network in NYC is supposed to have zero access to a datacenter in Dallas, adding some of those datacenter systems as targets can help verify that the segmentation in place actually holds.
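Before adding datacenter systems as segmentation targets, it helps to know what the "zero access" assumption looks like from the RTA's own segment. The script below is an added example, not Secureworks tooling: run from a workstation on the same VLAN where the RTA will be placed, it records, per target and port, whether the connection was dropped (filtered), refused (closed) or accepted (open). The hostnames and port list are constructed examples and the two-second timeout is an assumption.

```powershell
# Added example (not Secureworks tooling): baseline reachability from the planned RTA
# segment to datacenter targets. Hostnames, ports and timeout below are assumptions.
$Targets = @(
    'dc01.dallas.corp.example',   # constructed example hosts
    'fs01.dallas.corp.example',
    'sql01.dallas.corp.example'
)
# Ports a user VLAN should not normally reach in a datacenter segment.
$Ports = @(22, 88, 135, 389, 445, 1433, 3389, 5985)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    try { $null = [System.Net.Dns]::GetHostAddresses($ComputerName) }
    catch { return 'unresolved' }                  # name does not resolve from this segment
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($ComputerName, $Port)
        if (-not $task.Wait($TimeoutMs)) { return 'filtered' }   # SYN dropped: no answer at all
        return 'open'                                            # handshake completed
    } catch {
        return 'closed'   # RST came back: the firewall let the packet through, port just not listening
    } finally {
        $client.Dispose()
    }
}

$results = foreach ($t in $Targets) {
    foreach ($p in $Ports) {
        [pscustomobject]@{ Target = $t; Port = $p; State = (Test-TcpPort -ComputerName $t -Port $p) }
    }
}

# Segmentation only "holds" when every probe is filtered. A 'closed' result still proves the
# firewall forwards traffic from the user VLAN to the datacenter host, so it is listed as a leak.
$leaks = $results | Where-Object { $_.State -in 'open', 'closed' }
if ($leaks) {
    Write-Host 'Reachability from the RTA segment contradicts the zero-access assumption:'
    $leaks | Format-Table -AutoSize
} else {
    Write-Host 'All probes filtered: TCP segmentation holds for these hosts and ports.'
}
$results | Export-Csv -Path .\segmentation-baseline.csv -NoTypeInformation   # keep as pre-test evidence
```

Any host that shows up as open or closed is a good candidate for the target list, since the test can then demonstrate what an attacker on the user network does with that path. The check covers TCP only; ICMP, UDP services and application-layer controls are not exercised here.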
| Scope | Description |
|---|---|
| Internal Penetration Test - Small | Up to 50 internal target IP addresses. IP addresses for the test must all be internal; otherwise, separate work effort is required. |
| Internal Penetration Test - Medium | Up to 250 internal target IP addresses. IP addresses for the test must all be internal; otherwise, separate work effort is required. |
| Internal Penetration Test - Large | Up to 500 internal target IP addresses. IP addresses for the test must all be internal; otherwise, separate work effort is required. |
Work is conducted during the business hours of the Secureworks consultant. After-hours testing is available for an additional cost.
The complete Service Description for this service can be found here: Penetration Testing