A modern security myth

Tassi Carter, Security Consultant
March, 2014

Traditional penetration testing required no specific technical details of the target systems to be provided before a test was sanctioned. Instead, only high-level details, such as the name of the target, would be issued, and the testing team would need to identify the systems owned by the organization and formulate a plan of attack. This allowed for a very open-ended test to be performed and provided a more realistic view of the attack paths that could be exploited in order to compromise the target organization’s assets.

Over the years, this approach to testing has been modified into finely scoped engagements, commissioned on a per-project basis, that focus on specific sets of systems within isolated environments. For example, a penetration test against an example organization’s public-facing infrastructure is likely to be limited to a specific set of IP addresses provided by the client and tested within a strict timeframe.


Testing in this manner, whilst it is valuable in enhancing the security of the systems tested in isolation, does not always provide a realistic view of an organization’s overall security. This is because many organizations believe that once these isolated systems are tested and any uncovered vulnerabilities are addressed, the organization is secure. However, attackers are fully aware of this penetration testing culture and are exploiting the “gaps” left by this approach.


Attackers are not restricted by a defined scope and will attempt to identify as many security weaknesses as possible that will provide the path of least resistance into the organization while focusing on specific goals. This will often involve chaining together multiple attack vectors that bypass security controls and provide direct access into an organization’s internal network.


The actual steps taken to perform these attacks will vary between different groups of attackers, dependent upon the target organization. However, the general approach usually consists of a number of phases, with one vital phase being the exploitation of human trust. Rather than trying to break into systems directly, attackers are targeting the users of those systems and leveraging their access to compromise the organization in order to achieve their end goal.


How are these attacks being performed?

In a typical attack, an organization will first be investigated in order to identify methods to bypass any security defenses/controls and gain the initial foothold into the organization. This will include identifying specific individuals to target and the relevant technologies in use.


The attackers will then compromise at least one system which can then be used as a platform on which to perform further attacks. This access is usually achieved through the use of a client-side attack delivered through spear phishing or watering holes.


Client-side attacks exploit human trust by manipulating unsuspecting users into downloading and executing malicious files sent via email, or directing them to a malicious website (a watering hole) resulting in malware being installed on their machine. This provides unauthorised access to the victim system and a foothold in the network. To find out more information about these methods of attack, please see the following article authored by F-Secure Consulting consultants: 


Once the initial foothold is gained, the attackers will typically attempt to leverage their access by stealing credentials or exploiting vulnerabilities in other systems in order to move off the individual workstation and get persistence on the network through remote access or command and control (C&C) to conduct the rest of the attack.


Once persistence is achieved, they will attack with the goal of disrupting or destroying key information through Computer Network Attacks (CNA), gathering intelligence from competitors/adversaries through Computer Network Exploitation (CNE), or both.


Most of the time, the approaches used to perform these attacks are neither new nor innovative and consist of common attack techniques that have been known about for over a decade. However, organizations are failing to keep up with implementing strategies to effectively limit their exposure to these attacks. Attackers are constantly evolving their approach and so it is important that defenders evolve with them. Penetration testing is an important part of an organization’s security strategy, but it must be utilised in a manner which is effective and gives an accurate view of the organization’s security.


How can we defend against APTs?

Organizations should be incorporating a cyber-defense security programme into their existing security strategy. This will provide an understanding of the threat actors that are likely to target their organization, the assets that they are likely to target and how they are likely to target them. This information should then be used to formulate a long-term security strategy that takes a holistic view of the organization, not just of isolated systems. The security strategy should be asset-centric and aim to prevent attacks using the scenarios that have been identified as being the most likely to succeed.


Penetration testing should be integrated into the strategy to simulate those threat actors as closely as possible, so that a realistic view of the organization’s security can be formed. The results of penetration testing should then be used to demonstrate where security deficiencies exist and that the defenses subsequently put in place are effective.

