Inside-Out Pen-Testing Still Rare

(This article was originally published on the Findings From the Field blog.)

Industrial Defender's penetration testers report that they see "inside-out" penetration testing engagements only rarely. In such engagements, the tester starts from some point on the operations network and attempts to compromise equipment on the enterprise network. More conventional "outside-in" attacks do represent a greater risk to most enterprises, but "inside-out" tests really should be carried out more frequently than they are now.

Inside-Out Penetration Testing

Jacob Kitchel, Senior Security Consultant at Industrial Defender, defines "inside-out penetration testing" as:

  A penetration test where the tester is located inside, and has access to, the operations network and wants to expand access outside of that network.

In contrast, both "external" and "internal" penetration tests are more common. In an external test, the tester starts from outside the corporate network, usually from somewhere on the Internet, and tries to break into the corporate network. An "internal" test is one where you assume an insider or a compromised computer on the corporate/business network. The tester/assessor starts from that machine and tries to achieve specific objectives, such as compromising a corporate Active Directory server or the corporate mail server. Most penetration tests of operations networks start as "internal" tests: the assessor/tester starts on a corporate computer and either tries to gain access directly into an operations network, or tries to break into other corporate assets and leverage that access to gain entry into an operations network.

The good news is that when Industrial Defender testers do see inside-out testing, it generally means both corporate and operations security teams have internalized a unified security message. When inside-out tests arise, they tend to be part of a bigger plan. Inside-out testing tends to happen as part of an overall assessment of risks due to operations networks, assessing risks to the entire business, not only the risks to operations networks.

The Case for Inside-Out Testing

Most operations networks have fewer machines than enterprise networks, and are accessible by fewer individual users. This means there is usually a lower likelihood of an attack originating on operations networks. The likelihood of an attack originating on an operations network is still significant though. Operations patch programs, if they exist at all, tend to be further "behind" than their enterprise counterparts, because of the extensive testing requirements needed to ensure the availability and integrity of changed control systems. This means that operations networks are generally more susceptible to malware on removable media, or to attack from malicious insiders, than are enterprise networks.

If an operations network includes remote, unmanned sites, the risk is even greater. Remote sites are often protected by fences, locks and alarm systems. Even with such defenses though, a determined adversary can generally gain entry. It may take hours or sometimes even days to mount a response to a physical access alarm from a very remote site. Given this, the question becomes: how much damage can an adversary with lock-cutters and a laptop do in the hours it takes for authorities to reach a remote site? Can such an adversary compromise other equipment on the operations network and cause outages or serious malfunctions? Can they use the opportunity to plant malware on a handful of enterprise machines for later exploitation? A capable adversary can very quickly do a great deal of damage both to operations and to enterprise networks. A comprehensive assessment of risks due to operations networks must take into account risks to the entire organization.

Looking Forward

Increased inside-out pen-testing would go a long way toward clearing up persistent problems with operations cyber-security. For example, industrial security vulnerability assessment teams report that they still encounter "allow all outbound connection" rules on a majority of firewalls protecting operations networks. Not only do such rules allow malware which does somehow compromise operations networks to contact command and control servers, they also allow such malware to mount assaults on parts of the enterprise network. This topic is covered in detail in an earlier post, "Security Basics: Egress Filtering."

As another example, assessment teams report that a majority of operations networks are still "flat": there are no controls on connectivity within those networks. This means an adversary on any part of the network can attack any other part of the network. This is in spite of the "star" topology of most operations communications. Remote sites generally communicate only with the control center, not with other remote sites. SP-99 level-2 network components generally communicate only with level-3 plant systems, not with the other level-2 networks that may be present at a large facility.

A second layer of firewalls segregating these communications endpoints would greatly reduce the number of systems open to attack from a single compromised system or remote site. Specifically:
  • Connections between remote sites can usually be forbidden,
  • Connections from one client machine to another can usually be forbidden, and
  • Depending on the types of systems involved, connections from one server machine to another can often be forbidden.
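
The audit sketched below is an added example, not code from the original article: it checks a firewall ruleset for the "allow all outbound" rule described earlier and for the first two kinds of lateral connection listed above. The endpoint names, service labels and both rulesets are constructed for illustration, and server-to-server paths are left unchecked because the article says those depend on the systems involved.

```python
from itertools import permutations

# Constructed sample inventory (hypothetical names): endpoint -> (site, role).
ENDPOINTS = {
    "cc-scada": ("control-center", "server"),
    "cc-hmi-1": ("control-center", "client"),
    "cc-hmi-2": ("control-center", "client"),
    "site-a-rtu": ("site-a", "server"),
    "site-b-rtu": ("site-b", "server"),
}

# Constructed rulesets, first match wins: (action, source, destination, service).
FLAT_RULES = [("allow", "any", "any", "any")]
SEGMENTED_RULES = [
    ("allow", "site-a-rtu", "cc-scada", "telemetry"),
    ("allow", "site-b-rtu", "cc-scada", "telemetry"),
    ("allow", "cc-hmi-1", "cc-scada", "hmi"),
    ("allow", "cc-hmi-2", "cc-scada", "hmi"),
    ("deny", "any", "any", "any"),
]

def reachable(rules, src, dst):
    """True if at least one service from src to dst is permitted."""
    denied = set()  # services already blocked for this pair by earlier rules
    for action, r_src, r_dst, service in rules:
        if r_src in ("any", src) and r_dst in ("any", dst):
            if action == "deny" and service == "any":
                return False
            if action == "deny":
                denied.add(service)
            elif service not in denied:
                return True
    return False  # implicit default deny

def audit(rules):
    """Return findings: allow-all rules plus lateral paths a star topology never needs."""
    findings = [f"allow-all-outbound rule from {src}"
                for action, src, dst, service in rules
                if action == "allow" and dst == "any" and service == "any"]
    for src, dst in permutations(ENDPOINTS, 2):
        (s_site, s_role), (d_site, d_role) = ENDPOINTS[src], ENDPOINTS[dst]
        site_to_site = s_site != d_site and "control-center" not in (s_site, d_site)
        client_to_client = s_role == d_role == "client"
        if (site_to_site or client_to_client) and reachable(rules, src, dst):
            findings.append(f"lateral path {src} -> {dst}")
    return findings

if __name__ == "__main__":
    print({"flat": audit(FLAT_RULES), "segmented": audit(SEGMENTED_RULES)})
```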

"External" testing of operations networks - launching "internal" tests/attacks from enterprise networks and from vendor or partner networks - does address the greatest risks to operations networks. However, regular "inside-out" testing addresses other significant risks to both operations and enterprise networks. Inside-out testing may not be needed as often as "external" testing of operations networks, but it really should be carried out much more frequently than it is now. Some inside-out testing is essential if you want a comprehensive picture of threats to the whole business which arise from operations networks in the business.
