Penetration Tests and Red Team Exercises is #17 of the Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines and the second of the five not directly supported by automated measurement and validation. Cymbel provides professional services in support of all five.
Penetration Tests and Red Team Exercises as introduced by the SANS 20 Critical Security Controls:
Attackers penetrate networks and systems through social engineering and by exploiting vulnerable software and hardware. Once they get access, they often burrow deep into target systems and broadly expand the number of machines over which they have control. Most organizations do not exercise their defenses so they are uncertain about their capabilities and unprepared for identifying and responding to attack.
Penetration testing involves mimicking the actions of computer attackers to identify vulnerabilities in a target organization, and exploiting them to determine what kind of access an attacker can gain. Penetration tests typically provide a deeper analysis of security flaws than the vulnerability assessments described in Control #10. Vulnerability assessments focus on identifying potential vulnerabilities, while penetration testing goes deeper with controlled attempts at exploiting vulnerabilities, approaching target systems as an attacker would. The result provides deeper insight into the business risks of various vulnerabilities, by showing whether and how an attacker can compromise machines, pivot to other systems inside a target organization, and gain access to sensitive information assets.
Red team exercises go further than penetration testing. Red team exercises have the goals of improved readiness of the organization, better training for defensive practitioners, and inspection of current performance levels. Independent red teams can provide valuable objectivity regarding both the existence of vulnerabilities and the efficacy of defenses and mitigating controls already in place and even those planned for future implementation.
Cymbel can help you meet the SANS 20 Critical Controls prescribed standards:
- Conduct regular penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully. Penetration testing should occur from outside the network perimeter (i.e., the Internet or wireless frequencies around an organization) as well as from within its boundaries (i.e., on the internal network) to simulate both outsider and insider attacks.
- Perform periodic red team exercises to test the readiness of organizations to identify and stop attacks or to respond quickly and effectively.
- Ensure systemic problems discovered in penetration tests and red team exercises are fully mitigated.
- Measure how well the organization has reduced the significant enablers for attackers by setting up automated processes to find:
  - Cleartext emails and documents with “password” in the filename or body.
  - Critical network diagrams stored online and in cleartext.
  - Critical configuration files stored online and in cleartext.
  - Vulnerability assessment, penetration test reports, and red team findings documents stored online and in cleartext.
  - Other sensitive information identified by management personnel as critical to the operation of the enterprise during the scoping of a penetration test or red team exercise.
- Devise a scoring method for determining the results of red team exercises so that results can be compared over time.
- Create a test bed that mimics a production environment for specific penetration tests and red team attacks against elements that are not typically tested in production, such as attacks against SCADA and other control systems.
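The "automated processes to find" item above, as an added example that is neither Cymbel's nor SANS's code: a small Python scanner that walks a file share and flags the artifacts the control names (files with "password" in the filename or body, network diagrams, configuration files, and assessment or red team reports stored in cleartext), then totals the findings per category so the count can be tracked over time. The filename and body patterns, the category names, the size cap and the sample share it builds are all constructed assumptions for illustration; a real deployment would tune the patterns to the organization's own naming conventions and point `scan_tree` at the actual shares.

```python
import os
import re
import shutil
import tempfile
from pathlib import Path

# Filename patterns per category of sensitive artifact named in the control.
# Hypothetical patterns: tune these to your own naming conventions.
FILENAME_RULES = {
    "password-in-filename": re.compile(r"password", re.IGNORECASE),
    "network-diagram": re.compile(r"\.(vsd|vsdx|drawio)$|network.*diagram|topology", re.IGNORECASE),
    "config-file": re.compile(r"\.(cfg|conf|ini|yaml|yml)$|(^|[_-])config\b", re.IGNORECASE),
    "assessment-report": re.compile(r"(pentest|penetration|red.?team|vuln(erability)?.?assess)", re.IGNORECASE),
}

# Body patterns, applied only to files that are stored as cleartext.
BODY_RULES = {
    "password-in-body": re.compile(r"\bpassword\b", re.IGNORECASE),
    "assessment-report": re.compile(r"penetration test|red team|vulnerability assessment", re.IGNORECASE),
}

# Extensions treated as cleartext documents; binary formats are judged by name only.
TEXT_EXTENSIONS = {".txt", ".eml", ".md", ".csv", ".cfg", ".conf", ".ini", ".yaml", ".yml", ".log", ".html"}
MAX_BODY_BYTES = 1_000_000  # skip reading very large bodies (assumed cap)


def scan_tree(root):
    """Walk `root` and return a sorted list of (relative_path, category) findings."""
    findings = []
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        hits = set()
        for cat, pat in FILENAME_RULES.items():
            if pat.search(path.name):
                hits.add(cat)
        # Only look inside cleartext files of manageable size.
        if path.suffix.lower() in TEXT_EXTENSIONS and path.stat().st_size <= MAX_BODY_BYTES:
            try:
                body = path.read_text(errors="replace")
            except OSError:
                body = ""
            for cat, pat in BODY_RULES.items():
                if pat.search(body):
                    hits.add(cat)
        for cat in sorted(hits):
            findings.append((rel, cat))
    return findings


def summarize(findings):
    """Count findings per category; these totals are what gets compared run to run."""
    counts = {}
    for _, cat in findings:
        counts[cat] = counts.get(cat, 0) + 1
    return counts


def build_sample_share():
    """Create a constructed sample share in a temp dir (fake data, not real files)."""
    d = Path(tempfile.mkdtemp(prefix="csc17-"))
    (d / "hr").mkdir()
    (d / "hr" / "passwords.txt").write_text("wifi: hunter2\n")
    (d / "it").mkdir()
    (d / "it" / "core-network-diagram.vsdx").write_bytes(b"PK\x03\x04fake")
    (d / "it" / "router.conf").write_text("hostname edge1\nenable password cisco\n")
    (d / "reports").mkdir()
    (d / "reports" / "q3-findings.txt").write_text("Penetration test results for Q3...\n")
    (d / "reports" / "lunch-menu.txt").write_text("Tuesday: soup\n")
    return d


if __name__ == "__main__":
    share = build_sample_share()
    try:
        results = scan_tree(share)
        for rel, cat in results:
            print(f"{cat:22} {rel}")
        print("totals:", summarize(results))
    finally:
        shutil.rmtree(share)
```

Running the block against the constructed share reports five findings across four files and leaves `lunch-menu.txt` unflagged; `router.conf` is flagged twice (as a config file by name and for "password" in its body), which is the kind of double hit worth keeping, since each category answers a different question from the control.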