Continuous Penetration Testing SyCom Technologies
1.0 Continuous Penetration Testing

Imagine a service that continuously monitors and reports on new threats as they emerge, in real time, and provides a tactical picture of your current security posture 24/7. It can track existing vulnerabilities, map penetration test findings to actual solutions, and monitor remediation projects to ensure that they are delivered and not forgotten.

Current penetration testing creates a security posture snapshot once a year. Regulatory compliance often dictates when Penetration Tests should be conducted. An example is PCI-DSS, which calls for Penetration Testing once a year and vulnerability assessments quarterly.

Penetration Testing is evolving to become more than just a snapshot once a year. New and advanced methods of testing are being employed to help organizations maintain a constant tactical view. The old mantra is "test when you change". But what if the world around you changes and thus makes you vulnerable? How do you know when this happens? Your systems could be vulnerable for a full 364 days before the next test discovers a problem.

The future of Penetration Testing lies in detecting a new threat surface automatically. Not only can it test for and detect emerging threats and vulnerabilities before attackers can exploit them, but it can produce a remediation plan and deliver it to the CIO within hours. An expansion of this would be to conduct the mitigation overnight, perhaps applying a temporary bandage, until all threats have been reviewed.

A combat team consisting of virtual machines, botnet scripts, communications servers, a content delivery network and a vulnerability scanner is placed in the battlefield combat arena.

Fig 1.1 An example of a combat team in the cloud.
Darren Manners Tel: 276 639 9575 dmanners@sycomtech.com

This technology will automatically scan an IP address range, take input from various devices, and identify changes in web application security postures, new ports and IP addresses, and emerging threat vectors.

This service (CPT) will send emails and simulate an advanced phishing/spear phishing campaign. Simply provide the email addresses and the duration/time of the events and an advanced attack will be simulated. Statistics will be provided, and our remote botnet will also perform post-exploitation and gather further credentials/data for post-examination and notification. Notifications are sent when a user clicks on the link and is exploited.

Detection training is offered to response teams. Tailored training is offered when the user clicks the link: in this scenario, if a user clicks on the link, rather than being exploited they are told how they were tricked, giving instant feedback.

Using the attackers' tools against them to protect IT systems and infrastructure, the Continuous Penetration Test utilizes botnet technology to report on, identify and test systems with the tools attackers currently use to break into them. Expand this with 24-hour monitoring and engineer escalation to some of the industry's leading certified Penetration Testers and you have the potential to find the threat before it is exploitable. Other available options include 24-hour monitoring, engineer escalation and remediation services.

Fig 1.2 An example of a combat team detecting a new IP address
1.1 So how does this work?

An initial external Penetration Test is performed against an organization. The results are returned to the organization, and SyCom Technologies can validate the findings of the initial Penetration Test and assist with remediation. The results are also fed back into our 24-hour network operations center (NOC), where a botnet is created specifically for your organization. The botnet carries a number of automated Bots that perform various tasks.

Ice Hole
Ice-Hole is an email phishing program stationed in the cloud. It can send scheduled emails as a particular user or users to a number of predefined addresses. It uses a variety of templates and can target users based upon device (i.e. from a smartphone or desktop). It can even carry a payload that, if clicked, will create a reverse shell back to the attacker. An Attack Bot will then go to work on it.

Org Scan Bots
Scan Bots automatically scan the IP address range of the organization looking for new IP addresses. A Scan Bot will conduct an initial port scan of any newly found IP address and report the new IP address and any new ports discovered to the monitoring channel.

Monitor Bots
Monitor Bots take the input of the Scan Bots and continuously monitor the organization's securely hosted channel, looking for changes in the external security posture. Threats are passed to the Attack Bots to test. At this point a human is aware that a new threat exists and begins an initial assessment of it.

Policy Bots
A Policy Bot decides what to do when queried by an Attack Bot. Based on the organization's policy, the attack may or may not be allowed through.

Attack Bots
An Attack Bot will first query the Policy Bot on whether it is allowed to test the newly found threat surface. If allowed, it will automatically launch an attack based upon the service/port and other mitigating information found. It will then pass its results to the securely hosted IRC threat channel. The human operator will monitor the automated attack and begin the threat analysis statement.
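As an added illustration of the Scan Bot, Monitor Bot and Policy Bot hand-off described above (example code written for this page, not SyCom's own tooling), the snippet below diffs a scan result against the baseline recorded by the initial test, flags new hosts and new ports, and applies an organizational policy to decide whether each finding may be handed to automatic testing or must be escalated to a human. The hosts, ports and policy values are all constructed sample data.

```python
from dataclasses import dataclass

# Constructed baseline from the "initial penetration test": host -> open ports.
BASELINE = {
    "203.0.113.10": {22, 443},
    "203.0.113.11": {443},
}

# Constructed result of today's scan of the same address range.
TODAY = {
    "203.0.113.10": {22, 443, 8080},   # a new port on a known host
    "203.0.113.11": {443},
    "203.0.113.12": {3389},            # a host not seen before
}

# Constructed organizational policy: which hosts may be tested automatically,
# and which ports always require a human decision regardless of host.
POLICY = {"allow_hosts": {"203.0.113.10", "203.0.113.11"}, "never_test_ports": {3389}}

@dataclass
class Finding:
    host: str
    port: int
    kind: str           # "new_host" or "new_port"
    action: str = ""    # "auto_test" or "escalate_to_human", filled in by apply_policy

def diff_surface(baseline, current):
    """Monitor Bot: compare a scan against the baseline and list every change."""
    findings = []
    for host, ports in current.items():
        if host not in baseline:
            findings += [Finding(host, p, "new_host") for p in sorted(ports)]
        else:
            findings += [Finding(host, p, "new_port") for p in sorted(ports - baseline[host])]
    return findings

def apply_policy(findings, policy):
    """Policy Bot: decide whether each finding may go to automatic testing."""
    for f in findings:
        allowed = f.host in policy["allow_hosts"] and f.port not in policy["never_test_ports"]
        f.action = "auto_test" if allowed else "escalate_to_human"
    return findings

def threat_channel_lines(findings):
    """Format findings as the one-line notices posted to the monitoring channel."""
    return [f"[{f.kind}] {f.host}:{f.port} -> {f.action}" for f in findings]

if __name__ == "__main__":
    for line in threat_channel_lines(apply_policy(diff_surface(BASELINE, TODAY), POLICY)):
        print(line)
```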
Human Bot
The human factor is not removed. Although technology can help, a human operator monitors the secure IRC channel 24/7. Once the initial testing is completed, a human will create a threat assessment. The Service Level Agreement (SLA) will dictate how quickly the report is received in the inbox of the organization's security team. The SLA will also dictate how much depth and threat testing SyCom Technologies can perform automatically. SLAs can range from escalating threats to remediation teams as quickly as possible to creating a meeting to identify the best course of action based on the new threat data. Response speed can be customized for each organization.

The Human Bot can also escalate the threat finding. Confirmation and threat assessment involve more than one Human Bot. As the threat level increases, so do the level of attention, the seniority of the engineers and the escalation. We pride ourselves at SyCom on our skill set and training. We can provide review by top certified Penetration Testers within minutes, if the SLA allows.

The Continuous Penetration Test also conducts a daily vulnerability assessment. The initial Penetration Test results are stored, and any new vulnerabilities or threats are reported. The organization can request an on-demand scan more than once a week to review changes needed. The test can also be reviewed by a QSA to meet PCI requirements.
Fig 1.1 The Initial Creation of the Organizational Botnet