Navigating Network Security: A Structured Approach to Security Testing

By Steven Kenyon, Penetration Tester, Razorthorn Security

Companies must prioritise a comprehensive and proactive approach to network security. Among the most effective strategies to ensure robust defence mechanisms is rigorous penetration testing. By adopting an “assumed breach” mentality, organisations can better prepare for potential attacks, ensuring they are not merely reacting to threats but actively preventing them.

The Assumed Breach Approach to Network Security

The concept of an “assumed breach” approach is simple, yet profound. It operates on the premise that attackers have already penetrated the network. This mindset shifts the focus from merely defending the perimeter to a more holistic view of security which emphasises detection, response and resilience within the network. It encourages companies to adopt a layered security strategy, constantly evaluating and enhancing their defences against sophisticated attacks.

The alarming statistic that 82% of data breaches involve a human element, such as phishing, pretexting, insider misuse or the use of stolen credentials (IT Governance UK), underscores the urgent need for organisations to build their cybersecurity strategy around an “assumed breach” mentality. This approach operates on the premise that breaches can and will occur, and that the most common starting point is a person, whether through error or through susceptibility to social engineering tactics like phishing.

At Razorthorn Security, we recommend applying the assumed breach model and securing from the inside outward.

Start with internal vulnerability scans and internal penetration testing, as attackers could gain access to your networks through many different paths.

1. Internal Vulnerability Scans

The first step involves conducting comprehensive internal vulnerability scans. This phase aims to identify known vulnerabilities within the estate that could be exploited by attackers, such as outdated software, missing patches or misconfigurations. Authenticated scans, run with a read-only account on each host, reveal missing patches and local misconfigurations that an unauthenticated network scan cannot see, so run both. Treat scanner output as a lead rather than a verdict: scanners report version banners and policy deviations, not confirmed exploitability, so findings should be validated before they drive remediation priorities. Regular vulnerability scans help maintain a baseline of security health and guide further, more detailed assessments.

2. Internal Penetration Testing (With and Without Basic User Credentials)

This step delves deeper into assessing the robustness of the network security by simulating attacks in two distinct scenarios: without credentials and with basic user credentials. These simulations aim to uncover not just vulnerabilities but also configuration issues that could lead to full system compromise or unauthorised access to sensitive information.

Testing without credentials mimics an attacker who has just gained a foothold on the network, for example through a compromised workstation or a rogue device plugged into an unguarded port, but who holds no valid credentials. This scenario is crucial for understanding how such an attacker could work through the network’s security measures using only what is reachable: weaknesses in network services and applications, misconfigured network devices, insecure default settings and unpatched vulnerabilities that could be exploited to gain unauthorised access. The primary goal here is to identify and mitigate the entry points that could lead to deeper network penetration.

Conversely, testing with basic user credentials simulates scenarios where the attacker either impersonates a legitimate user or exploits compromised user credentials. This approach provides a clearer picture of the potential damage an insider threat or a cybercriminal with minimal access could inflict. It allows testers to:

  1. Assess Lateral Movement: Evaluate how an attacker could move within the network from the initial access point, identifying paths to more valuable targets.
  2. Identify Privilege Escalation Opportunities: Discover vulnerabilities and misconfigurations that could be exploited to gain higher levels of access, potentially allowing full control over critical systems.
  3. Evaluate Access to Sensitive Data: Determine the ease with which sensitive data can be accessed or exfiltrated, revealing gaps in data protection mechanisms.
  4. Test Configuration and Access Controls: Beyond exploiting software vulnerabilities, this testing scenario scrutinises configuration issues and the effectiveness of access controls, which could inadvertently grant attackers more privileges than intended.

Including testing with credentials is vital for a more comprehensive security assessment, as it uncovers not just exploitable software flaws but also weaknesses in the configuration of security policies, user access levels and system settings. These vulnerabilities, if left unaddressed, could facilitate unauthorised access to sensitive areas of the network, leading to data breaches, system compromises and other security incidents.

3. External Penetration Testing

Once internal assessments are complete, the focus shifts to external penetration testing. This phase evaluates the organisation’s perimeter defences, including firewalls, web applications and external-facing servers. The goal is to identify vulnerabilities that could be exploited by an external attacker to gain unauthorised access to the network.

4. Full Red Team Assessment

The apex of a structured penetration testing programme is a full red team assessment. This extensive exercise transcends the scope of traditional penetration testing by emulating a comprehensive cyber attack against the organisation’s digital and physical defences. It’s designed to challenge the entire spectrum of an organisation’s security measures, testing not just the technological barriers but also the human factors and processes that underpin the overall security posture.

Initial Access Techniques

A key feature of the red team assessment is the use of diverse and sophisticated initial access techniques. These methods closely mirror the tactics employed by real world attackers to breach network defences:

  1. Social Engineering and Phishing: Leveraging deceptive communications designed to trick employees into granting access or disclosing sensitive information.
  2. Spear Phishing: Targeted attacks against specific individuals or departments with crafted messages that appear highly credible, aiming to steal credentials or deploy malicious payloads.
  3. Exploitation of External Vulnerabilities: Identifying and leveraging weaknesses in publicly accessible web applications, servers or network infrastructure to gain unauthorised access.
  4. Physical Access Attempts: Utilising covert entry tactics or social engineering to gain physical access to sensitive areas, enabling direct attacks on internal systems.
  5. WiFi Attacks: Exploiting vulnerabilities in wireless networks to intercept data or gain network access.
  6. Password Spraying: Trying a small number of common passwords against many accounts, pacing the attempts so that each account stays below the lockout threshold. This gains access without triggering the account lockouts that a brute-force attack on a single account would cause, which is also why it tends to go unnoticed by controls that only watch for repeated failures on one account.
  7. Malicious USB Sticks or Charging Cables: Distributing devices embedded with malware to compromise systems when connected or used by unsuspecting employees.
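Because password spraying is designed to stay under per-account lockout thresholds, the defensive team needs detection that looks across accounts rather than at one account at a time. The following is an added example, not Razorthorn’s tooling or code from this article: it runs a sliding-window check over constructed authentication-failure log lines in a simplified, assumed format (`<timestamp> auth-fail src=<ip> user=<account>`), flagging sources that fail against many distinct accounts with only a couple of attempts each, while leaving an ordinary brute-force attempt against one account to the lockout policy. The threshold values are assumptions to be tuned to the organisation’s own lockout policy and log volume.

```python
"""Flag password-spraying patterns in authentication failure logs."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed, simplified log format (an assumption for this example):
#   <ISO-8601 timestamp> auth-fail src=<source ip> user=<account>
LINE_RE = re.compile(r"^(?P<ts>\S+) auth-fail src=(?P<src>\S+) user=(?P<user>\S+)$")


def parse_line(line):
    """Return (timestamp, source, account) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["user"]


def detect_spraying(lines, window=timedelta(minutes=30), min_accounts=10, max_per_account=2):
    """Return {source: sorted accounts} for sources that, inside any `window`,
    failed against at least `min_accounts` distinct accounts with no more than
    `max_per_account` attempts each.

    The per-account cap is what separates spraying (few guesses against many
    accounts, paced to stay under the lockout threshold) from brute force (many
    guesses against one account), which a lockout policy already handles.
    Thresholds are assumed values; tune them to the lockout policy and log volume.
    """
    events = defaultdict(list)  # source -> [(timestamp, account)]
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, user = parsed
            events[src].append((ts, user))

    findings = {}
    for src, evs in events.items():
        evs.sort()
        flagged = set()
        left = 0
        for right in range(len(evs)):
            # Slide the window so that evs[left:right + 1] spans at most `window`
            while evs[right][0] - evs[left][0] > window:
                left += 1
            per_account = defaultdict(int)
            for _, user in evs[left:right + 1]:
                per_account[user] += 1
            low_volume = [u for u, n in per_account.items() if n <= max_per_account]
            if len(low_volume) >= min_accounts:
                flagged.update(low_volume)
        if flagged:
            findings[src] = sorted(flagged)
    return findings


def build_sample_log():
    """Constructed sample log lines (not real data) covering three behaviours."""
    base = datetime(2024, 3, 4, 9, 0, 0)
    lines = []
    # Sprayer: one guess against each of 12 accounts, paced 90 s apart
    for i in range(12):
        ts = base + timedelta(seconds=90 * i)
        lines.append(f"{ts.isoformat()} auth-fail src=10.0.0.5 user=user{i:02d}")
    # Brute force: 15 guesses against one service account inside two minutes
    for i in range(15):
        ts = base + timedelta(seconds=8 * i)
        lines.append(f"{ts.isoformat()} auth-fail src=10.0.0.9 user=svc_backup")
    # Benign: a user mistypes their own password twice
    for i in range(2):
        ts = base + timedelta(seconds=30 * i)
        lines.append(f"{ts.isoformat()} auth-fail src=10.0.0.20 user=alice")
    return lines


if __name__ == "__main__":
    for src, accounts in detect_spraying(build_sample_log()).items():
        print(f"possible password spray from {src}: {len(accounts)} accounts: {', '.join(accounts)}")
```

Two caveats matter in practice. A patient sprayer who spaces attempts over hours will slip under a short window, so the window should be at least as long as the lockout observation window, and ideally the check is run at several widths. Sprayers also rotate source addresses; grouping by source alone misses a campaign spread across many IPs, so the same logic is worth running with the grouping key replaced by something like the user-agent or the target service, or with no grouping at all, treating the whole estate as one source.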

Covert Techniques to Test Defensive Teams

In addition to these access techniques, red team assessments employ covert methods to evaluate the effectiveness of the organisation’s defensive teams. This includes:

  1. Stealthy Movements and Lateral Transitions: Mimicking the tactics of advanced persistent threats, the red team operates quietly within the network, attempting to move laterally and escalate privileges without detection.
  2. Data Exfiltration Simulations: Testing whether the security team can detect and respond to unauthorised data transfers, which are often the end goal of cyber attacks.
  3. Bypassing Detection Mechanisms: Employing techniques to evade security monitoring tools, aiming to test and improve the detection capabilities of security systems and response teams.
  4. Mock Insider Threats: Simulating actions of a malicious insider to assess how well the organisation can detect and mitigate threats originating from within.

By incorporating these varied attack vectors and covert operations, a full red team assessment provides a comprehensive evaluation of an organisation’s preparedness against sophisticated cyber threats. It not only reveals vulnerabilities in the technology stack but also tests the efficacy of the security protocols, employee awareness programmes and the incident response team’s ability to detect, respond to and mitigate real world attack scenarios. The insights gained from this phase are invaluable, offering a realistic appraisal of how the organisation’s security measures perform under the stress of an advanced and persistent attack, thereby guiding strategic improvements to enhance overall security resilience.

Conclusion

By following this structured approach to penetration testing, companies can ensure a comprehensive evaluation of their network’s security. Adopting an “assumed breach” mentality to network security not only prepares organisations for the inevitability of cyber attacks but also enables them to detect, respond and recover more effectively. In the face of ever evolving cyber threats, a proactive and thorough testing strategy is not just recommended – it’s essential for safeguarding the digital assets that are critical to an organisation’s success.

For any assistance you might need with network security, get in touch – we’d be happy to help.
