I LOVE security testing.
There, I said it.
Penetration Testing, Red Teaming, Threat Emulation… I LOVE it all. Looking at a system, learning about the individual components, understanding how they were intended to work together, and pushing those preconceived limits… it energizes me.
When I first started in this industry, asking clients (whether internal or external) to whitelist (now we call it an Allow List) source IP addresses for testing was a common practice. It remains so to this day.
Recently, something about this process was bugging me…
Paulie (the young dude in the baseball cap) is indeed correct.
But so is Senior (the old dude with the killer stache).
Queue Dramatic Narrator: The limited perspective of most security assessment fails to consider multiple layers of functional security controls, and can create a false sense of urgency.
Most organizations, including our clients, spend tens (if not hundreds) of thousands of dollars on their defense-in-depth strategy. This may include next-gen, machine-learning, heuristic, buzzword, buzzword, buzzword versions of:
- Web Application Firewalls (WAF)
- Intrusion Prevention Systems (IPS)
- Runtime Application Self-Protection (RASP)
- Interactive Application Security Testing (IAST)
You get the idea… These tools are an integral part of the organization’s security posture, and excluding them from security testing (via the Allow List) fails to tell the whole story.
So, how can you properly evaluate the security posture of an organization, taking into account the organization’s compensating controls?
Systemic Threat Evaluation Methodology
Allow me to introduce you to White Oak Security’s Systemic Threat Evaluation Methodology (a.k.a. S.T.E.M.)!
Penetration Testing Process
For those of you who have participated in a penetration test, you will surely notice some familiar phases:
- Planning
- Reconnaissance
- Vulnerability Analysis
- Exploitation
- Post Exploitation
- Reporting
These phases still align with popular methodologies like the Penetration Testing Execution Standard (PTES) and OWASP Testing Guide. However, keen-eyed observers will also notice that cute light blue locked lock with an x on it called “Remove From Allow List”.
So, how does that cute little locked lock help White Oak Security add value to the penetration testing process?
Pentesting With & Without Allow List Access
The initial phases of the security assessment are performed from the Allow List (whitelisted) perspective. These Allow List phases offer several important benefits:
- Less likely to miss True Positives
- More accurate snapshot of the defects within the root systems / apps
- More efficient
At this point, White Oak Security has gained a detailed understanding of the security defects impacting the root systems / apps. Now, let’s add some additional value.
By removing the Allow List access, White Oak Security reverts to the unprivileged perspective of standard attackers. Our expert pentesters can now leverage the list of known security defects and repeat the Exploitation phase without the Allow List access. Armed with the list of known security defects, we can now evaluate the effectiveness of security controls with unparalleled precision.
Queue Dramatic Narrator: Will the WAF prevent this darn Cross-Site Scripting (XSS) vulnerability? Will the IPS protect our system from that notorious EternalBlue exploit?
In general, the additional test phases do not add a significant amount of time to the initial engagement scope. In most cases, White Oak Security already has working exploit code (or proof-of-concepts) that simply need to be replayed without the Allow List access or perspective. In some cases, the regular (without Allow List access) attack is initially blocked, but White Oak Security is able to leverage advanced exploitation techniques in order to bypass compensating controls.
If the compensating controls prevent the attack, White Oak Security can then adjust the severity rating to provide a more accurate representation of the real-world impact on the organization.
Vulnerability Analysis
Now let’s take this concept a step further and repeat the Vulnerability Analysis phase, again focusing on the known security defects. If the compensating controls make vulnerability identification more difficult or make the attack more difficult to exploit, White Oak Security can then adjust the difficulty of exploit rating accordingly. Again, this provides a more accurate representation of the real-world impact to the organization.
So that’s pretty cool, but are there any intrinsic benefits that we haven’t considered yet?
Queue Dramatic Narrator: You bet your sweet bippy there are!
Alternate Mitigation Options
If a particular exploit was not protected by the compensating controls, it is often easier to implement a rule within the IPS/WAF/whatever to block the exploit than it is to fix the root cause of the defect. This may decrease the risk rating to an acceptable level for the organization, or may at least buy some additional time until the root cause can be addressed.
Security Tools ROI
Determining the true ROI of security is inherently difficult. Some might even say it’s downright impossible. However, if the STEM methodology indicates that the compensating controls prevent few defects (or even no defects – YIKES!), it may be time to reconfigure the compensating controls, or even consider alternate solutions entirely. Conversely, if the compensating controls prevent most defects (or even all defects – YAY!), it becomes clear that the cost of those compensating controls is entirely justified.
Systemic Threat Evaluation Methodology Conclusion
Ultimately, the Systemic Threat Evaluation Methodology (S.T.E.M.) is not rocket science, but rather a simple and efficient methodology extension that adds a whole lot of additional value. Your organization can implement STEM internally or can leverage third-party vendors such as White Oak Security to help implement STEM throughout your organization’s penetration testing universe.
Queue Dramatic Narrator: The time has come. Go forth and get unleash your inner STEM. Add value to the security assessment process and gain a crystal-clear vision into the true security posture of your organization.
MORE FROM WHITE OAK SECURITY
White Oak Security is a highly skilled and knowledgeable cyber security and penetration testing company that works hard to get into the minds of opponents to help protect those we serve from malicious threats through expertise, integrity, and passion.