Enterprises and government agencies conduct penetration testing (or pentesting) to simulate various attacks and discover how real cybercriminals can access their infrastructure. While the pentesters search for vulnerabilities and demonstrate possible attack vectors, there is one more project member whose role remains unclear to the customer – a cybersecurity analyst. They can provide unbiased expertise on the company’s protection. Kaspersky’s Security Services team provides insights into every stage of an analyst’s work and explains how they increase the efficiency of the project.
No two IT infrastructures are the same, and the most powerful cyber threats are tailor-made to exploit the specific vulnerabilities of individual organizations. Security assessment projects are conducted to test IT infrastructure and ensure it is secured against such cyberattacks. Pentesting – an adversary attack simulation conducted by cybersecurity experts – can be part of a security assessment project. It is relevant for companies in any field: from financial to industrial, from telecoms to government. However, it is crucial to have an expert who is able to estimate how effective a pentester’s work is. This is where a cybersecurity analyst on the pentesting team comes to the rescue, and Kaspersky Security Services experts explain the role of such a specialist across eight stages.
Stage 1: assessing a company’s digital footprint before the pentester starts their work
Analysts start their work before the pentesters, gathering information about business systems and external resources from open sources. They also check public web resources for data leaks that may involve customers’ and employees’ personal data and domain credentials – information that can be used, for instance, in social engineering attacks. This data is often sold on the dark web, and the analyst’s task is to detect these references and warn the customer. All of this information is collected to build potential attack vectors, which are then tested by the pentesters.
Stage 2: highlighting network perimeter security problems while the pentester focuses on breaking into the infrastructure
In most organizations, the cybersecurity state of the network perimeter is far from perfect. At this stage of their work, analysts examine the output of instrumental network scans and highlight the key problems.
“For example, an analyst detects one hundred active hosts with remote management interfaces (like SSH, RDP, etc.) available from the Internet without limitations, but the pentester only needs one to break into the infrastructure. Analysts will still report that there are one hundred network security flaws. This specialist highlights all problems requiring attention and plays the role of a liaison between a pentester, a project manager and a company,” said Olga Zinenko, Senior Security Services Expert at Kaspersky.
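An added illustration of the stage 2 triage described above (example code, not from Kaspersky or the original article): it parses constructed scan lines in nmap’s grepable (-oG) layout and reports every host with an open remote-management port, not only the first one; the port list, addresses and helper names are assumptions for the example.

```python
"""Perimeter-scan triage: flag every Internet-reachable management interface."""
import re
from collections import defaultdict

# Remote-management services an analyst flags when exposed (assumed list).
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 5900: "vnc", 5985: "winrm"}

# Constructed sample in nmap "grepable" (-oG) layout; not real scan data.
SCAN_OUTPUT = """\
Host: 198.51.100.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///
Host: 198.51.100.11 ()\tPorts: 3389/open/tcp//ms-wbt-server///, 445/filtered/tcp//microsoft-ds///
Host: 198.51.100.12 ()\tPorts: 80/open/tcp//http///, 22/filtered/tcp//ssh///
Host: 198.51.100.13 ()\tPorts: 22/open/tcp//ssh///, 5900/open/tcp//vnc///
Host: 198.51.100.14 ()\tStatus: Up
"""

# -oG port field: port/state/protocol/owner/service/rpc info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(tcp|udp)//([^/]*)///")

def parse_grepable(text):
    """Return {host: [(port, state, proto, service), ...]} from -oG lines."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        host = line.split()[1]
        hosts[host]  # register the host even when it has no Ports field
        for port, state, proto, service in PORT_RE.findall(line):
            hosts[host].append((int(port), state, proto, service))
    return dict(hosts)

def exposed_management(hosts):
    """Every (host, port, label) with an OPEN management port. The analyst
    reports all of them, not just the one a pentester would use to get in."""
    findings = []
    for host, ports in sorted(hosts.items()):
        for port, state, proto, _svc in ports:
            if state == "open" and proto == "tcp" and port in MANAGEMENT_PORTS:
                findings.append((host, port, MANAGEMENT_PORTS[port]))
    return findings

def summarize(findings):
    """Affected-host count and exposures per service, for the report."""
    per_service = defaultdict(int)
    for _host, _port, label in findings:
        per_service[label] += 1
    return {"hosts": len({f[0] for f in findings}), "by_service": dict(per_service)}

if __name__ == "__main__":
    found = exposed_management(parse_grepable(SCAN_OUTPUT))
    for host, port, label in found:
        print(f"{host}:{port} {label} reachable from the Internet")
    print(summarize(found))
```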
Stage 3: turning the pentester’s report into a comprehensive picture of all the vulnerabilities and security flaws
An analyst obtains data from the pentesters about all successful attack vectors and puts it into the report in a more detailed way, with descriptions of the vulnerabilities and security flaws, proofs and screenshots of each incident. This helps in-house security specialists and top managers answer questions such as “What are the conditions for exploitation?”, “Which component is vulnerable?”, “What are the consequences of an attack – credential theft, sensitive data disclosure, unauthorized access, etc.?” and others.
Stages 4 and 5: transforming vulnerabilities into threats, creating a visualization
At the fourth stage, threat modeling, all vulnerabilities are grouped into categories and then transformed into threats. With information about the customer’s business systems, an analyst can assess which critical resources a cybercriminal would gain access to in the event of an attack.
Then, the analyst visualizes all pentester actions in a diagram so that the customer can clearly see what happened during the attack simulation. In some cases, pentesters can also make use of the visualization – for example, to find additional attack vectors.
Stage 6: prioritizing which vulnerabilities should be fixed first (spoiler – not necessarily the ones with high severity)
When all vulnerabilities and threats have been identified, analysts move on to the prioritization stage to advise which vulnerabilities need to be fixed first. The vulnerabilities with the highest severity level do not necessarily get priority. Analysts assess the overall impact of the attack vector that employs a specific vulnerability and the damage its execution would cause. Then they check which vulnerabilities are easier and faster to fix, and which ones require major changes to business processes.
Figure: vulnerability prioritization scheme
“We encountered cases where the critical vulnerability in the web application did not cause as much damage as the vulnerability with medium severity level in a critical system did. For example, in an online bank the exploitation of a non-critical vulnerability could allow exploitation of the whole chain of interconnected vulnerabilities that would lead to serious financial consequences,” elaborated Olga Zinenko.
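An added worked example of the stage 6 reasoning, not code from Kaspersky or the original article: each finding is ranked by the damage of the worst attack vector it takes part in (fixing any single link breaks the chain) and then by how cheap it is to fix, so a medium-severity vulnerability in the online-banking chain outranks a critical one in an isolated web app. The vulnerabilities, vectors, damage scores, fix estimates and the `prioritize` rule are all constructed assumptions.

```python
"""Rank findings by enabled damage and remediation effort, not by severity."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Vuln:
    vid: str
    severity: str          # scanner/CVSS rating: low, medium, high, critical
    component: str
    fix_days: int          # constructed remediation estimate
    process_change: bool   # needs business-process changes, not just a patch

@dataclass(frozen=True)
class AttackVector:
    name: str
    chain: tuple           # vuln ids in exploitation order
    damage: int            # constructed business-impact score, 1..10

def prioritize(vulns, vectors):
    """Return [(vid, severity, enabled_damage)] in remediation order.
    Primary key: damage of the worst vector the vuln takes part in (desc).
    Secondary key: fix effort, with a penalty for process changes (asc)."""
    worst = {v.vid: 0 for v in vulns}
    for vec in vectors:
        for vid in vec.chain:
            worst[vid] = max(worst[vid], vec.damage)

    def key(v):
        effort = v.fix_days + (30 if v.process_change else 0)
        return (-worst[v.vid], effort, v.vid)

    return [(v.vid, v.severity, worst[v.vid]) for v in sorted(vulns, key=key)]

# Constructed findings mirroring the online-bank case in the text.
VULNS = [
    Vuln("V1", "critical", "marketing web app (isolated)", 2, False),
    Vuln("V2", "medium", "online banking: access control in transfer API", 3, False),
    Vuln("V3", "medium", "online banking: weak session handling", 14, True),
    Vuln("V4", "low", "internal wiki information disclosure", 5, False),
]
VECTORS = [
    AttackVector("deface marketing site", ("V1",), 3),
    AttackVector("fraudulent transfers", ("V4", "V3", "V2"), 10),
]

if __name__ == "__main__":
    for vid, sev, dmg in prioritize(VULNS, VECTORS):
        print(f"{vid} severity={sev:8} enabled damage={dmg}")
```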
Stages 7 and 8: recommendations and three reports for SOCs and C-levels
At the penultimate stage of a pentesting project, an analyst compiles a list of recommendations sorted by implementation timeframe. They are customized for the specific customer systems and business processes and are based on industry best practices and cybersecurity frameworks.
At the last stage, three reports are provided: an executive summary, a technical description, and a machine-readable report. Security Operations Centers (SOCs) and IT and security specialists use the detailed technical report to learn more about possible attacks, reproduce the pentesters’ actions, and subsequently eliminate the identified vulnerabilities. Technical specialists also use the machine-readable results to enrich the customer’s cybersecurity products. C-level executives use the executive summary report, with its key security problems, to estimate the cost of securing the company.