I've been thinking a lot about penetration testing, malware, and the future. These are some of the thoughts that are too long to tweet (twitter.com/curtw).
Before a recent penetration testing engagement I negotiated the scope with the client and was able to expand it. In years past, the scope was network facing - typical nmap type scans combined with some SQL Injection testing and XSS checks. This time around, after dealing with many compromises in my day job, I felt that it would not be fair to the client to keep the scope limited in such a non-realistic manner. My reason for this scope expansion was to more accurately reflect the type of targeted attacks that exist in the wild and test the organizations security posture surrounding such attacks as well as potentially trigger the incident response function.
Shouldn't be a big surprise that the penetration test was successful inasmuch as I was able to compromise the client as a result of the expanded scope that included client-side and social engineering vectors. It's not like SQL Injection (and other web application security issues) and other network facing issues have gone away (see Microsofts SMB2 vulnerability from October of this year, and MS08-067 from October 2008 for instance) but the low-hanging fruit is certainly getting picked over, with less remotely exploitable network-facing bugs of substance being released, at least to the public. Dave Aitel of Immunity Inc. talks about how hard it is to perform modern exploitation, and about the extensive team resources required to write a *reliable*, professional quality exploit that's suitable for professional engagements. The bar keeps rising, and some innovations appear in the old techniques (such as Vista Heap exploitation methods) but the overarching trend is more and more towards client vulnerabilities as the lowest hanging fruit, with more than a dash of social engineering mixed in to ripen the fruit enough to allow easy harvest. This is exactly how the criminal attackers are getting in. Even generic attacks, such as the mass SQL Injection worms targeting ASP systems (ASProx and others), have been very fruitful for the attackers who have dropped poisoned links all over the web, just waiting for the next uninformed person who doesn't know any better and has an unpatched Adobe Reader, Adobe Flash, or other client-side issue (ActiveX control, etc) hanging out in the breeze like a mile-wide flypaper, just waiting for the next attack to sink it's teeth deep into the unsuspecting system to fulfill whatever criminal motives are at play. The dropping of Zeus/Zbot, Torpig, Clampi/Ilomo and a whole host of other modern criminal malware is very common and I don't even know how targeted such attacks that I see actually are. From what I see in my day job where I concentrate more on defense, opportunistic infection abounds. If the opportunistic attacks are this successful, imagine the targeted attacks, the "spear phishing" or even worse/better (depending upon ones side of the fence) "spear phishing" with 0day or recently patched bugs in the attackers bag-o-tricks. We hear about some of this, with people such as as Mikko at F-Secure posting educational blog entries that show targeted attack bait files. But how much more is going on that we won't ever hear about?
Do those who perform penetration testing let ourselves be satisfied with ineffective and outdated methodologies such as throwing nmap against server X,Y,Z? Or hammering away for SQLi or XSS bugs, while not being able to touch the clients or engage in social engineering? I hear working penetration testers complain about this phenomenon to this day, even while other more progressive pentesters commented years ago that they would not even take an engagement that included such a narrow scope (see Anthony Zboralski's comments from 2005 on the DailyDave list - http://seclists.org/dailydave/2005/q1/145).
To stagnate in the past is a disservice to our clients, and to the guild of penetration testing professionals. Yes, I realize that there are no enforceable standards or licensing bodies for penetration testing at this time, and that the field has been criticized as being uneven and unprofessional. But let's think about the false sense of security that a client could obtain when the scope is so narrow that only a ghost's fart would squeeze through.
Targeted attacks on the client and the user *must* be added to the arsenal if we want to reach parity with the criminal attackers who have no such limiting framework or scope constraints. This is just to catch up with what's going on NOW. In the near future, I suspect we'll need to get mobile devices integrated into the scope as they start being attacked further. Other new technologies must also be considered and should become part of scope discussions on a regular basis. Are clients willing to pay for this? I think that once the attacks on such systems reach the press and if we can make a case for it, clients will start to slowly realize that there is value to be obtained. Obviously, progressive clients and those with more to protect are already engaging in such matters (although I have no stats, and nothing to back this up other than hearsay)
To further feed these thoughts, last night during a bout of insomnia, I came across the slides from the latest Hack In The Box conference in Malysia and read Ed Skoudis' slides with interest. Ed's keynote can be found at http://conference.hackinthebox.org/hitbsecconf2009kl/materials/KEYNOTE%203%20-%20Ed%20Skoudis%20-%20The%20Bad%20Guys%20Are%20Winning%20-%20Now%20What.pdf and is very relevant to the matter at hand. His keynote is entitled "The Bad Guys are Winning, Now What?" and makes several very good points to several segments of the security space. In his section addresses to penetration testers, Ed makes some excellent points such as these:
"If a test scope is defined broadly enough, we almost
always get in
– Sure, if you take all of the interesting attack vectors off
the table, you may thwart us… but not the real bad guys
– “Just look at these four servers… see what you can do…”
– The real attackers aren’t limited that way"
Followed on the same slide with:
"So what? If pen testers can’t help target
organizations actually improve their security, they’re
just showing off
–Thus, it is more important than ever to express findings in
business terms… and to emphasize the appropriate
It's not too difficult to imagine how such findings might be useful to the client. Here are a few ideas:
1) Client awareness. Many may not be aware that the attack surface has shifted. I know my most recent client didn't really consider it and had invested a large amount of resource in protecting the servers, but only a small amount of resources on client protection. The recommendations in the penetration test report have changed this dynamic already. This can be a big help in raising the bar against malicious attackers and also making the next penetration test that much more challenging.
2) Better technical monitoring and controls. Anyone who has been audited knows that the auditors talk about controls, controls, controls. While auditors may hammer on password issues over and over again (at least in my experience) it can't be denied that they are often a weak link and are re-used in many places between different trust zones. For instance, multi-factor authentication is going to make things a bit more challenging for an attacker and/or a penetration tester. Is the cost of such technologies worthwhile to the client in the face of modern attacks? That's their call, but I'd like to think that a successful penetration test might put this option on the table in a manner that it was not before. Let's hope that a pentest might put this on the agenda with the same, or a similar urgency to what might happen if the client had gotten nailed first by a targeted malware attack, with keylogger and internal system compromise via pivoting techniques. Kevin Richards, who I worked with at Denmac Systems, once told me that PAIN is the motivator that gets things done, where FEAR doesn't work. He used the example of a root canal. Let's hope that the perceived PAIN of a penetration test might be enough to wake people up before the REAL PAIN arrives. In such a way, a skilled penetration test might serve as an inoculation.
3) Synchronize the concerns of the organizations clued-in technologists (let's hope that they exist!) with the business and administration of the organization. In at least one organization that I've worked directly with, the presence of a finding by a third party legitimized a long-standing concern that had been expressed, but repeatedly ignored by management. This is nothing new, but seems to happen all the time.
Cutting-edge conference presentations and offensive security research seems to be pointing increasingly at client-side methodologies, social engineering and phishing. Materials by Attack Research (such as PhishScrape.rb, the signed Java Applet attack, PDF embedding and more), the Metasploit Project (too many features to list), Inguardians (The Middler by Jay Beale and crew), CORE Security (CORE Impact's extensive and rich client-side exploitation and post-exploitation framework) and a whole host of others are presenting tools and techniques that can of course be utilized by the "bad guys" just as easily as the "good guys". I don't have a great answer for this issue at this time, as it falls into a grey area that reflects the more nuanced and complex aspects of our modern world, not to mention the endless debates over full, partial and non-disclosure. While such dynamics are increasingly playing out, some have expressed a moral distaste for engaging in phishing techniques, whether they be exercises or part of a penetration test. I say that it's time to get over such scruples - it's a valid tool in the professional arsenal and should not be ignored in the name of a false morality while the attackers run wild.
I recall a mailing list where someone was arguing that engaging in such techniques was unethical and immoral, and that they would never do such a thing to their people. I suppose those people are letting the attackers have first dibs. Which would you rather have testing your organizations defenses? I'll let my doorknobs be rattled by the police first before the thieves, thank you.
I also recall an article written by the ISSA that I read in May of 2008 that referred to the "cult of penetration testing". While I have respect for people who have put energy into organizations such as the ISSA, I found the particular article to be short-sighted because it didn't address the gap between assessment and testing methodologies and real-world attacks, all in the name of taking some sort of moral high ground. While the perceived moral high ground is held by the shining knights of Security, the users are down at the bottom of the hill, falling into the muddy ditch, and often don't even realize that they are in the ditch. How can one really get exposure without getting their hands dirty?
PCI-DSS (payment card industry data security standards) has brought about a renewed attention in forcing organizations to pay more attention to the *minimum* security guidelines. Part of this involves penetration testing. PCI-required penetration testing is a large boon for the industry and for those that wish to hone their skills in these areas.
While some will certainly disagree with me, I think that a modern penetration test that does not include client-side vulnerabilities, social engineering, and even a simulated targeted malware attack is not in synch with the modern threat landscape and therefore represents an increasing disservice to the client over time. As penetration testing kits start to look more like malware (connectback shellcode, download and execute shellcode, XSS to binary download, etc), this may create or increase conflict between anti-malware vendors and penetration testers. The intent of an encoded standalone metasploit binary payload, carrying something such as meterpreter, the HYDROGEN trojan within CANVAS, or the Core IMPACT Agent ("agent deployed") may be legitimate (in the right hands) but it certainly carries with it the same types of behavior demonstrated by botnet and criminal malware agents. People engaged in professional penetration testing know that it's easy to slide past anti-malware and IPS defenses. The criminal attackers know this too, which places a real challenge upon the anti-malware vendors to evolve to manage the emerging threat. I see evolution in this space happening, and I know there are some really skilled and extremely bright people working in the anti-malware field and I give kudos to them, but the overall trust of anti-malware tools seems to be decreasing over time.
As malware becomes increasingly criminal, and as the public can't fully count on anti-malware tools to help them (although they clearly do reduce infection rates), new strategies must be considered that pit user convenience against security, or suggest a re-working of fundamental use models that must be considered (such as Joe Stewart's suggestion to use an isolated, dedicated system for financial transactions).
When I was doing security consulting in Chicago in 2001, a supervisor of mine used to talk about how it's important not to use a $300 lock to protect a $100 bicycle. This point is well taken, and must be applied to the resources that matter. PCI's requirements and other breach disclosure laws seem to be helping point towards these dynamics. In the landscape of such breaches and other related phenomenon, those that wish to continue to increase their craft in the guild of penetration testing appear to have a rich future ahead of them, and have the opportunity to provide an extremely valuable service to their clients and employers, as long as evolution is allowed to take place.
I'm interested in your respectful comments here, or on Twitter (https://twitter.com/curtw) and appreciate being able to engage such a talented group of people.