
Shibboleths and Logical Fallacies


Penetration testing falls into three basic categories based on the posture
of the organization you’re up against. Reality obviously has shades, but
here are the main groupings I always seem to run across during internal
assessments.

  1. Trivial Joke

  2. Standard Mess

  3. Seriously Stout

And here are some of the primary metrics:

  • Asset Management:

    • Do they know what all their systems are?

    • Is that information kept up to date?

    • Would they know if a new system came onto the network?

  • Patching:

    • Do they have an automated patching system?

    • Are patches verified, or are they just assuming they were
      applied?

    • Do they patch everything, or just the stuff that’s not too “scary”
      to touch?

  • Visibility:

    • Do they run their own regular vulnerability scans?

    • Do they have their own IDS and/or IPS systems?

    • Do they have logging and auditing enabled?

    • Are they actually REVIEWING this information?

    • Any solution for real-time alerting/monitoring?

  • Hardening:

    • Are there standards that are followed for hardened system
      deployments?

    • Is the environment scanned for superfluous services?

    • Do they follow a least-privilege philosophy, or are they in “just
      make it work” mode?

The more of these questions that result in blank stares, the easier it is to
get domain admin and harvest critical data. If the answer is no to more than
a few of them, the group is going to fall into either category 2 or 1. Only
people doing all of that (and lots more) end up with decently tight
networks/systems (3).

Reality

It’s easy to get excited when exploiting systems, pulling hashes, cracking
them, getting domain access, etc., but it’s a false high. What are we doing
really? In the cases of 1 and 2 the enemy is either in a coma or not even
there. How is that a battle? It’s nothing but knowing how to find the
droppings of apathy and underfunding, and then knowing what to do with them.

No, you didn’t. The vast majority of penetration testers out there are
successful not because they’re exceptional, but because their targets are
open wounds. Attacking these networks is like pushing over little kids.
Congratulations on that.

Real penetration testing doesn’t start until two things are true:

  1. The network/system you are attacking is administered by a serious,
     properly-resourced security team.

  2. There are no known, serious vulnerabilities.

If you start with a brick wall and have to invent new ways of getting
in — that’s impressive. Until then you’re simply a monkey with a bag of
tricks. Maybe you are a smarter monkey who can do more with less, or maybe
you’ve created a few of your own tricks, but you’re still just a monkey.

I know because I am one.

May 23, 2025
