Internal Network Penetration Test
Defense in Depth
Internal network pentests are an assessment of all systems on a company’s corporate (internal) network. When performing an internal network pentest, you are evaluating what would happen if someone were to establish a foothold in your environment; this could be accomplished by exploiting the external network, using an employee’s credentials, or a malicious employee taking action. Traditionally, companies have assumed they were safe if they had a hardened perimeter, but time has shown that you need much more than that. An egg is a common analogy for a poorly secured network: you don’t want a hard exterior (the shell) and then a soft middle with little-to-no security.
What Does an Internal Network Pentest Evaluate?
Inadequate Network Segmentation
Open Ports
Poor User Management Controls
Unpatched Systems
Weak Password Policies
Use of Insecure Protocols
Internal Network Pentest Methodology
The importance of a structured and consistent methodology in internal network penetration testing cannot be overstated. While every project differs in scope, goals, and the tools required, a consistent methodology ensures thorough coverage of any attack surface. Our team utilizes a structured process that ensures quality work is performed for every assessment.
*If you’ve already viewed some of our other services you might notice a theme: the overall structure of our methodology is the same, but if you look closely the context & goals differ depending on the scope. In other words, yes, we admittedly copied/pasted the content and then edited the details for each scope.
Step 1: Information Gathering and Enumeration
The first step that X Security takes when assessing the internal network of a company is to gather and enumerate information about the target; this is also commonly referred to as the reconnaissance phase. This step is critical, as it creates a strong foundation of information that can later be used to identify vulnerabilities and attack paths. There are two different forms of reconnaissance in penetration testing:
- Passive Reconnaissance is the process of identifying information without ever directly interacting with the target environment. Good examples of passive recon include reviewing breached credential databases or reviewing job postings to discover the types of tools used at the company.
- Active Reconnaissance is the process of performing recon that directly pokes & prods the target environment. X Security assessors will utilize a number of different tools to scan IP blocks & systems to identify information about the hardware, hosts, and firmware.
Step 2: Threat Modeling
Threat modeling is an essential, yet often overlooked, step in a quality pentest. In this phase, assessors use the information they previously gathered to map out the network architecture, operating systems, open ports, and underlying services. Another critical part of threat modeling is categorizing the different types of data that may be obtained during a pentest in a manner that indicates the severity of different findings. Threat modeling helps pentesters understand more than just the technical aspects of findings and allows them to articulate those findings in a way that aligns with the business.
Step 3: Vulnerability Analysis
Once assessors move into the vulnerability analysis stage, they begin to utilize tools to identify potential vulnerabilities in the environment. Automated tools help identify low-hanging-fruit vulnerabilities before our team shifts to where we spend most of our time: manual analysis & exploitation. We’re often asked what kind of automated tools we use for scanning; while the answer varies depending on the scope, we do regularly rely on some commercial tools for which we have built our own custom integrations, such as Burp Suite Pro, Metasploit, and Nessus.
Step 4: Exploitation
In this stage of the penetration test, we begin to safely exploit identified vulnerabilities and misconfigurations to determine what the impact of different findings would be to the business. Our team will attempt to gain access to devices & systems in order to expand its foothold within the internal network. The exploitation stage allows assessors to better understand how different vulnerabilities would affect the business & ultimately helps the customer prioritize their remediation efforts. This plays a significant role in delivering a report that provides actionable next steps to customers. Among other things, below are a few issues that X Security attempts to exploit in an internal network pentest.
- Man-in-the-Middle Attacks: Adversaries who have gained a foothold on the internal network may perform what are called MITM attacks, in which network protocols such as LLMNR are abused. By performing a MITM attack, an adversary can essentially trick users into trusting that they are a legitimate system & can capture information such as credentials.
- Lateral Movement: The reason lateral movement can have such a high impact is that when an adversary first gets access to the internal network, the odds of them having the right access to the most critical data are (hopefully) low. An attacker will perform activities such as abusing protocols (e.g., RDP) to move laterally & increase their access. Successful lateral movement can be severely damaging if the internal network is not properly hardened & segmented. Successful lateral movement also plays a huge part in crippling ransomware campaigns.
- Common & Critical Vulnerabilities: If an environment isn’t patched on a continuous basis, attackers will leverage well-known and damaging CVEs such as EternalBlue (CVE-2017-0144), Spectre (CVE-2017-5753 & CVE-2017-5715), and Meltdown (CVE-2017-5754).
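The LLMNR abuse described above leaves a recognisable footprint on the wire: a legitimate host answers LLMNR queries only for its own name, whereas a poisoner answers for every name it sees, including typos and names that never existed. The following detector is an added example, not X Security’s tooling; it runs over a constructed LLMNR event log (the format, hosts and names are assumptions) and flags responders that answer for many different names or that claim a name another host already answered.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log of LLMNR (UDP/5355) events as a network sensor
# might record them: multicast "query" lookups and unicast "response" answers.
LLMNR_LOG = """\
10:00:01 query    10.0.0.15 fileshare01
10:00:01 response 10.0.0.50 fileshare01
10:00:05 query    10.0.0.22 printsrv
10:00:05 response 10.0.0.60 printsrv
10:00:09 query    10.0.0.15 flieshare01
10:00:09 response 10.0.0.99 flieshare01
10:00:12 query    10.0.0.31 wpad
10:00:12 response 10.0.0.99 wpad
10:00:15 query    10.0.0.22 printsrv
10:00:15 response 10.0.0.99 printsrv
"""

@dataclass
class Event:
    ts: str
    kind: str   # "query" or "response"
    src: str    # source IP of the packet
    name: str   # name being looked up / answered

def parse_events(text):
    """Parse whitespace-separated log lines into Event records."""
    return [Event(*line.split()[:3], line.split()[3].lower())
            for line in text.splitlines() if line.strip()]

def find_suspicious_responders(events, min_names=3):
    """Map responder IP -> sorted names for hosts answering >= min_names
    distinct names. A real host owns one name; a poisoner answers them all."""
    answered = defaultdict(set)
    for e in events:
        if e.kind == "response":
            answered[e.src].add(e.name)
    return {ip: sorted(n) for ip, n in answered.items() if len(n) >= min_names}

def find_name_conflicts(events):
    """Map name -> sorted responder IPs for names answered by more than one
    host; a second claimant for an existing name is a classic poisoning sign."""
    claimants = defaultdict(set)
    for e in events:
        if e.kind == "response":
            claimants[e.name].add(e.src)
    return {n: sorted(ips) for n, ips in claimants.items() if len(ips) > 1}

if __name__ == "__main__":
    evs = parse_events(LLMNR_LOG)
    print("multi-name responders:", find_suspicious_responders(evs))
    print("name conflicts:", find_name_conflicts(evs))
```

The durable fix is to disable LLMNR (and NBT-NS) by policy so there is no multicast name resolution to poison; the detector above is for spotting abuse where that has not yet been done.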
Step 5: Documentation & Reporting
At the end of every penetration test, clients receive a report documenting the results and providing actionable steps to improve the security of their network environment. During this stage, X Security compiles everything from the pentest and puts it into a white-labeled report for our MSP partners so that they receive a report ready for immediate delivery. What you’ll receive with the report is outlined below:
- Executive Summary & Strategic Recommendations
- Strengths & Weaknesses
- Technical Documentation: Testing Process & Screenshots
- Actionable Remediation Steps
- Summary Document (Provide to 3rd parties without exposing highly sensitive information)
It’s important to highlight the value of a good pentest report: it helps guide strategic decisions and budgets, it is provided to auditors for compliance & regulatory needs, and it is provided to enterprise customers who require their 3rd-party vendors to perform annual pentests. For the channel community, a quality pentest report that not only looks good but provides actionable steps for both leadership & technical folks is a massive sales/marketing tool.
Step 6: Remediation Testing & Report Updates
Clients ultimately want a clean(er) bill of health. After a client follows the remediation steps outlined in the report, X Security will perform a remediation test to ensure not only that all of the previously identified vulnerabilities have been removed, but also that no new vulnerabilities have been introduced during the remediation process. X Security will also reissue an updated report & summary document reflecting the remediated state.
*Remediation testing may have an extra cost. This is determined on a case-by-case basis at the end of the test and depends on the quantity of findings.