Author: Theos

Penetration Testing vs Red Teaming 

Given the rise of cybercrime and the advancement of tools and techniques in cybersecurity, organizations must continuously test and improve their security programs. There are different security assessments that an organization can employ for this. However, with limited budget and resources, it is essential to understand the options and choose the one that best suits the organization's needs.

At the forefront of security testing methods are Penetration Testing and Red Teaming. Both methods simulate an attack by an adversary, using real-world strategies and techniques to discover vulnerabilities in the organization. However, there are key differences between them, and it is best to understand those differences and know when one is more appropriate than the other:

Goals

Penetration tests have different goals than Red Team engagements. 

The goal of a Pentest is to find as many vulnerabilities as possible and exploit them through any means available. In other words, it aims to find as many ways as possible to compromise the target and to assess the resulting risk to the business.

Red Teams, however, do not try to compile a long list of all your company's vulnerabilities. A Red Team's goal is to find a way, even just one way, into your organization and (depending on the agreement) access whatever critical data or asset there is to access without getting caught.

A Penetration test helps the organization discover holes in their systems that an attacker can use. A Red Team exercise helps the organization find gaps in their process, people and technology and test how effectively they can respond to a successful attack. 

Scope

Penetration tests have a limited scope, while a Red Team engagement essentially has no such limitations.

Penetration tests are usually limited to a specific application, server, environment or to a specific network or range, etc. Limitations may also include testing hours or testing durations. 

For a Red Team engagement, however, apart from a few business-critical systems (or people) that are excluded, there are generally no limitations on the applications or networks you can leverage. You are free to compromise a UAT or a production server, and you can launch attacks during and outside work hours.

Attack Vectors

There are different types of Penetration tests, such as Internal, External Network, Application, Wireless, Social Engineering, etc. In each of these, the testers are limited to attacks for that specific context or type of test. For instance, in an application pentest the tester is usually limited to web-related attack vectors.

In a Red Team exercise, however, it is a free-for-all: anything goes. Red Teams usually have complete freedom to use whatever attack or technique gets them in. Red Teamers can send in USB sticks, send phishing emails, or physically break into your office to obtain the necessary access.

The only exception for Red Teams is attack vectors that you have agreed to deny or exclude from the engagement. Red Team exercises may be designed around a scenario, in which case the Tactics, Tools and Techniques may be limited by agreement to fit that scenario.

Time

There is a major difference in the duration of a Penetration test vs a Red Team exercise. 

Penetration tests usually take between 1 and 3 weeks, depending on the scope and type of test.

A Red Team exercise, however, can run between 4 and 8 weeks, sometimes even longer, depending on the size of the company and the scenario agreed upon.

Cost

Lastly, there is a significant cost difference between a Pentest and a Red Team engagement.

Because a Red Team engagement requires more time, effort and expertise, it is understandably more expensive than a regular penetration test.

Overall, Penetration Testing and Red Teaming are essential parts of an organization's security program. They have different goals and bring different value to an organization. However, one is never better than the other; both are equally important for improving an organization's security. They just need to be aligned with the organization's needs and current level of maturity.

Penetration Testing Methodology

What is Penetration Testing? 

Penetration testing, also known as a Pentest or Ethical Hacking, is an authorized security exercise designed to find and exploit vulnerabilities in a system, network or application. It is a simulated attack performed by cyber-security experts, mimicking real-world strategies and techniques, aimed at identifying weaknesses in the system and evaluating how an attacker could take advantage of them.

Vulnerability Assessment vs Penetration Testing

While a Vulnerability Assessment also tries to identify vulnerabilities or weaknesses in a system (usually using an automated scanner), Penetration Testing goes beyond that and also tries to exploit these vulnerabilities manually. A pentest not only reports the vulnerabilities but also demonstrates how they can be used, leveraged or even chained to compromise the target system. Escalation is also attempted to demonstrate how deep an attacker could reach as a result of the compromise, and therefore to better evaluate the overall exposure and security posture of the organization.

Penetration Testing Approaches

Penetration testing can be conducted in one of three ways: Black, White or Grey box testing. 

The Black Box testing approach is done from the perspective of an outsider or external adversary with limited knowledge or information about the target system. This approach can be seen as the most authentic, demonstrating how an attacker with no inside knowledge would target and compromise the system. While it most closely mimics real-world attackers, the process of discovering vulnerabilities takes significantly longer than with other approaches because of the lack of internal knowledge. As a result, the tester's time is not used to full effect and some components may not get tested.

The White Box testing approach is done with full knowledge of the target. This knowledge includes technical and functional specifications, architecture/network diagrams, access matrices, source code and other relevant information. This approach allows the tester to discover all possible attack vectors and perform a more comprehensive analysis of the system. However, it requires much more effort to conduct and may even require more sophisticated tools.

The Grey Box testing approach is a combination of, or a compromise between, Black Box and White Box. In this approach the tester has some knowledge of and some level of access to the target system. This eliminates much of the time spent on reconnaissance and leaves more time for security testing.

Penetration Testing Process 

In general, a penetration test can be structured in 6 phases:

  1. Planning 
  2. Reconnaissance 
  3. Vulnerability Analysis 
  4. Exploitation 
  5. Post-Exploitation 
  6. Reporting 

In the Planning phase, the details of the pentest exercise are discussed and agreed upon. These include the scope and limitations of the test, the testing approach, timelines and rules of engagement. Logistical requirements are also detailed in this phase, such as test accounts, VPN access, IP whitelisting, etc. The goal of this phase is to ensure the exercise runs smoothly and that its objectives are fully achieved.

In the Reconnaissance phase, the tester gathers as much information about the target as possible and maps out its full attack surface. This is done through a combination of passive and active methods.

Passive methods do not involve direct interaction with the target. They include gathering information from Open-Source Intelligence sources (e.g. DNS records, Google search, etc.). Active methods involve direct interaction with the target to obtain relevant information, including port scanning, application mapping/spidering, internal DNS queries, etc.

All the information gathered is then analyzed and used to derive attack vectors for the next phases.

In the Vulnerability Analysis phase, the tester uses different techniques to discover flaws in the target system or infrastructure. Discovery can be done through manual testing or automated means (using a vulnerability scanner). These flaws are then evaluated to determine their accuracy and potential exploitability based on the scope and objectives of the engagement.

In the Exploitation phase, the vulnerabilities that have been evaluated are exploited in an attempt to validate their potential risk. The aim of exploitation is to establish some level of access to the system for post-exploitation and to demonstrate the compromise. The demonstration can take the form of a Proof-of-Concept or an actual compromise of the system.

The Post-Exploitation phase covers activities that can be carried out after a successful exploitation of the target. These include privilege escalation, lateral movement, data exfiltration and others. The aim of this phase is to determine the extent of the compromise that could be achieved, and its impact based on the sensitivity of the data, the purpose of the asset, the effect on overall operations, etc.

Lastly, the Reporting phase involves documenting and presenting the results of the pentest engagement. The report details the scope and objectives of the pentest, the vulnerabilities found, the risk they pose to the organization, and the recommendations the organization can act on to fix these vulnerabilities and mitigate the risks.

The report is arguably the most important part of the engagement. It should be communicated in a way that can be easily understood and acted upon by both executive and technical stakeholders.

What is CSPM?

Cloud Security Posture Management, commonly referred to as CSPM, is a key security control for organizations pursuing a cloud-first strategy and focused on migrating their data and applications to the cloud. Most successful attacks on cloud environments are due to misconfiguration and mismanagement.

"By 2021, 50% of enterprises will unknowingly and mistakenly have some IaaS storage services, network segments, applications or APIs directly exposed to the public internet." [1]

[1] Gartner Research – Innovation Insight for Cloud Security Posture Management, 25 January 2019

Why do you need CSPM?

Whilst a cloud-first strategy provides speed, agility, increased productivity and flexibility, it also exposes the organization to heightened cyber security threats, since cloud environments are reachable from the internet; the greatest of these threats is data breaches.

There are many options for configuring the components of a cloud environment to support business acceleration, but they also provide opportunities for misconfiguration. Some common ones are:

  • Security policies that govern the configurations are overly permissive
  • Access to data storage is neither restricted nor encrypted
  • Access paths from networks are not secured
  • The APIs that drive cloud operations are easily misconfigured and mismanaged because of the numerous multi-cloud resources often needed to operate an application

Traditional on-premises security technologies such as firewalls and intrusion detection and prevention systems work well where a perimeter is clearly defined, a model that does not translate to a cloud environment, where no such perimeter exists. Other challenges for traditional on-premises solutions are:

  • Cloud configuration changes happen at a speed and scale that the manual processes built around on-premises tools cannot keep up with
  • In a multi-cloud environment, there is no centralized view of the constant change measured against a baseline of secure practice
  • Finally, and most poignantly, the perimeter as we knew it has all but dissolved, with cloud resources accessible from anywhere

What does CSPM do for you?

CSPM provides continuous visibility, monitoring, reporting and remediation of the security posture of cloud infrastructure and applications.

Key must-have features of a CSPM:

VISIBILITY
  • Centralized view of all your cloud environments
  • API driven for speed and accuracy
  • Coverage of cloud models (SaaS, PaaS, IaaS)

GOVERNANCE
  • Security policies based on industry best practices (NIST, CIS, CSA) coupled with regulatory and business operations compliance
  • Continuous monitoring for misconfiguration and non-compliance

REPORTING
  • Real-time reporting on configuration deviation and control failures

REMEDIATION
  • Step-by-step guided remediation to speed up response time
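To make the "continuous monitoring for misconfiguration" feature concrete, here is an added example (not from the original page, not any vendor's product code) of the kind of rule evaluation a CSPM performs over a cloud inventory. The inventory format, the rule ids (IAM-001, STORAGE-001, NET-001, ...) and the sample resources are all constructed for illustration; the rules mirror the three misconfiguration classes listed above (overly permissive policies, unrestricted or unencrypted storage, unsecured network paths).

```python
"""Minimal CSPM-style posture check (added example; constructed inventory format)."""
from dataclasses import dataclass

SENSITIVE_PORTS = {22, 3389, 3306, 5432}   # admin and database ports


@dataclass(frozen=True)
class Finding:
    rule_id: str      # hypothetical rule label, not a CIS/NIST control number
    severity: str
    resource: str
    detail: str


def check_iam(policy: dict) -> list[Finding]:
    """Flag overly permissive allow statements (wildcard actions/resources)."""
    findings = []
    for stmt in policy.get("statements", []):
        if stmt.get("effect") != "allow":
            continue
        actions = stmt.get("actions", [])
        resources = stmt.get("resources", [])
        if "*" in actions and "*" in resources:
            findings.append(Finding("IAM-001", "critical", policy["name"],
                                    "allow * on * grants full administrative rights"))
        elif "*" in actions or any(a.endswith(":*") for a in actions):
            findings.append(Finding("IAM-002", "high", policy["name"],
                                    f"wildcard actions {actions} should be scoped to the workload"))
    return findings


def check_storage(bucket: dict) -> list[Finding]:
    """Flag storage that is publicly reachable or not encrypted at rest."""
    findings = []
    if bucket.get("public_access"):
        findings.append(Finding("STORAGE-001", "critical", bucket["name"],
                                "bucket allows anonymous/public access"))
    if not bucket.get("encryption_at_rest"):
        findings.append(Finding("STORAGE-002", "medium", bucket["name"],
                                "encryption at rest is not enabled"))
    return findings


def check_network(group: dict) -> list[Finding]:
    """Flag sensitive ports reachable from the whole internet."""
    findings = []
    for rule in group.get("ingress", []):
        if rule.get("cidr") not in ("0.0.0.0/0", "::/0"):
            continue
        lo, hi = rule.get("port_range", (0, 65535))
        exposed = sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)
        if exposed:
            findings.append(Finding("NET-001", "high", group["name"],
                                    f"ports {exposed} reachable from the whole internet"))
    return findings


CHECKS = {"iam_policy": check_iam, "storage_bucket": check_storage,
          "security_group": check_network}


def assess(inventory: list[dict]) -> list[Finding]:
    """Run every applicable check; a CSPM re-runs this continuously as resources change."""
    findings = []
    for resource in inventory:
        findings.extend(CHECKS.get(resource["type"], lambda r: [])(resource))
    return findings


# Constructed sample inventory: not taken from any real environment
SAMPLE_INVENTORY = [
    {"type": "iam_policy", "name": "ci-deployer",
     "statements": [{"effect": "allow", "actions": ["*"], "resources": ["*"]}]},
    {"type": "storage_bucket", "name": "hr-exports",
     "public_access": True, "encryption_at_rest": False},
    {"type": "storage_bucket", "name": "app-logs",
     "public_access": False, "encryption_at_rest": True},
    {"type": "security_group", "name": "db-tier",
     "ingress": [{"cidr": "0.0.0.0/0", "port_range": (3306, 3306)},
                 {"cidr": "10.0.0.0/8", "port_range": (22, 22)}]},
]

if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY):
        print(f"[{f.severity:8}] {f.rule_id} {f.resource}: {f.detail}")
```

Running the sample produces four findings: the wildcard policy, the public and unencrypted HR bucket, and the database port open to the internet, while the correctly configured log bucket and the internal-only SSH rule produce none.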

How do you consume CSPM?

With each of the above requirements for CSPM, understanding your current baseline will drive the selection of the right technology and security partner for the deployment of CSPM. The data to establish includes:

  • Breakdown of your current subscriptions across IaaS/PaaS (AWS, Azure, GCP) and SaaS (M365, Google Workspace, Box) cloud environments
  • Application interactions between the cloud environments, both user to system and system to system (typically API calls) 
  • Regulatory and business compliance requirements 
  • Training and support needed for your security operations team 
  • Technology provider integration with your cloud environments 
  • Choose a CSPM solution which is SaaS delivered 
  • A business case on involving an implementation partner who can help accelerate the effort 

In closing, CSPM is a crucial step toward securing your organization's cloud presence as business workloads migrate into the cloud. CSPM supports security teams in giving developers the feedback needed to embed a security-by-design mantra in their development process. Operating in cloud environments makes security everyone's responsibility, and CSPM helps make this easier.

What is CASB?

Migration to the cloud began around the turn of the millennium. Now, however, organizations are beginning to move their business-critical and sensitive systems, including data from Human Resources and Customer Relationship Management (CRM), to the cloud. It is time to gain total visibility into how this sensitive data is accessed, updated and moved.

Cloud Access Security Brokers, commonly referred to as CASB, give organizations the capabilities to effectively secure and monitor their cloud-based data. CASB began by addressing the cloud problem of Shadow IT, but it has since matured into network traffic inspection that provides visibility into how data is accessed and transmitted, making it possible to apply security policies.

Why do you need CASB?

Some of the major challenges organizations have are: 

  • Extending their on-premises DLP capabilities to the cloud
  • Identification of cloud account compromises
  • Shadow IT threats
  • Continuous monitoring of cloud applications and ever-increasing API usage
  • Protection for a workforce that continues to be highly mobile
  • Separation of duties between the cloud consumer and the cloud provider that is not clearly defined and owned

What does CASB do for you?

Key must-have features of a CASB:

AUDIT
  • User and Entity Behavior Analytics (UEBA) to determine deviation from baseline
  • Ability to profile patterns based on application, data and cloud usage
  • Provide actionable items to security operations to maintain posture

DATA SECURITY
  • Single tool to provide a view of where the data resides
  • Close tracking of data movement
  • Integration with cloud systems
  • Integration with the current security toolset
  • DLP enforcement
  • Deep network traffic visibility
  • Encryption/tokenization techniques to provide data protection controls

CONFIGURATION COMPLIANCE
  • Alignment to industry best practices and benchmarks from NIST, CIS, CSA

How do you consume CASB?

There are numerous methods of deploying CASB. Each should be evaluated against the business requirements and how technology acts as the enabler. Some of the methods available are:

  • API Integration: out-of-band implementation with integration between the CASB tool and the cloud environments
  • Agent/Forward Proxy: in-line implementation with visibility of activities by managed assets, for both managed and unmanaged applications and data
  • Agentless/Reverse Proxy: agentless implementation with visibility of activities by managed and unmanaged assets, for managed applications and data

Business considerations when choosing a suitable CASB technology:

  • Prioritize your applications to determine the critical ones to include in the CASB pilot
  • Identify current technologies in production that can integrate with the CASB solution
  • Investigate the suitability of the methods described above, especially when more than one is needed to achieve the target objectives

As organizations move business-critical and sensitive systems and data to the cloud, the number of application use cases also increases, further straining the security of data at rest and in motion.

Delivering an end-to-end Vulnerability Management programme to reduce attack surface

Customer’s profile:

A cosmetics manufacturing company, headquartered in the US, with 500 employees across seven offices globally. The company designs and manufactures exclusive brands and private labels for mass, drug and specialty retailers and provides outsourcing solutions to leading beauty companies operating worldwide.

Customer’s challenge:

  • The business was recently acquired by a Private Equity firm with a mandate to uplift the entire security posture of the company. The requirements covered all aspects of information security across a global footprint, with a need to provide ongoing security management over several years.
  • The customer was seeking a security partner who could implement and run a breadth of security services globally, at a price point commensurate with a mid-size enterprise.

Solution delivered:

Theos delivered an end-to-end VM programme, which included the following:

  • Implemented a vulnerability scanning platform and configured scan templates and schedules.
  • Performed Vulnerability Discovery & Penetration Testing: initially performed a vulnerability discovery on all of the customer's Internet-facing systems, and conducted penetration testing on up to 3 external-facing applications or systems.
  • Delivered Vulnerability Management: the entire estate is scanned for vulnerabilities, which Theos then validates and remediates. Theos validates findings and dismisses false positives to streamline the remediation process and shorten the time to fix issues.

Security values delivered to the customer:

  • Both external and internal network risk reduced from critical to medium during the first quarter of implementation.
  • External network – low risk maintained for 7 months straight since the completion of the implementation.
  • Internal network – a continuous VM practice enables system owners to remediate vulnerabilities as they are discovered.

Delivering GRC Consulting Services for a global crypto market leader

Customer’s profile:

A blockchain company with 200+ employees across 3 offices globally and a crypto market capitalization of USD 2.2B as of June 2021. The company provides end-to-end solutions to take blockchain businesses from strategic planning to product deployment. The company's software introduces a new blockchain architecture designed to enable vertical and horizontal scaling of decentralized applications.

Customer’s challenge:

  • As a blockchain company with operations in the US and Asia, the customer had an urgent need for GRC consulting services to meet compliance requirements from various regulators and investors across the globe.
  • They needed a security partner to strengthen their security policies by aligning them with the latest regulatory requirements and internationally recognised standards in order to secure trading licenses.

Solution delivered:

Theos provided the following services to the customer:

  • Mapped regulatory requirements to internal security controls to fulfil the customer's regulatory obligations and strengthen their internal security policies
  • Completed vendor security assessments for 40 technology vendors (including SaaS, plugins and on-premise solutions) to lower third-party risk
  • Designed and implemented security policies based on the regulatory and standards requirements
  • Designed a Security Awareness Programme to help the customer better handle their critical systems and/or exchange

Why Theos?

  • Our experience in delivering GRC for Financial Services customers in APAC: our security consultants are qualified to perform consulting services on a global scale and have 10+ years of experience delivering security and compliance engagements in APAC for customers in the fintech and financial services sector.

Adversary Emulation for a technology business in Asia

Customer’s profile:

A technology company headquartered in Hong Kong providing IT services to enterprises globally.

Customer’s challenge:

Recent incidents involving third-party compromise.

Solution delivered:

Theos delivers two Red Team Cyber Assessments each year to the customer by emulating a real attack scenario, with the goal of improving both the security defences and the security response to real-world attacks.

  • As part of the assessment, Theos performed an Advanced Persistent Threat (APT) style attack aimed at gaining access to and exfiltrating sensitive information within the customer's HR and Finance departments.
  • The assessment follows a Black Box approach, which mimics how an attacker typically approaches an APT attack. This means the client does not share any specific knowledge of the internal workings of the organisation, and Theos has no pre-existing access to any asset or information about the internal architecture and security controls.

Value delivered to the customer:

  • Actionable insights into the successful attack vectors leveraged during the exercise, with recommendations around policies, systems and processes
  • Re-run of the successful TTPs once the remediation had been implemented
  • Successfully met regulatory requirements

Adversary Emulation with APT Scenario for one of the largest insurers in Asia

Customer’s profile:

One of the largest insurance companies in Asia, with 6000 employees and agents across 10 countries in Asia. The company offers life and medical insurance, general insurance and employee benefits.

Customer’s challenge:

  • Annual exercise to assess the cyber resilience of a specific business unit
  • Regulatory requirement to conduct at least one red team exercise per year
  • Strategy of continuous security improvement based on rotating assessments

Solution delivered:

  • Theos conducted an end-to-end Advanced Persistent Threat scenario with no initial knowledge of the target users, assets and infrastructure
  • The objective of the exercise was the identification and exfiltration of sensitive information, with a focus on customer data
  • The exercise was successful in that the objective was met within the timeline and boundaries set under the agreed rules of engagement

Values delivered to the customer:

  • Actionable insights into the successful attack vectors leveraged during the exercise, with recommendations around policies, systems and processes
  • Re-run of the successful TTPs once the remediation had been implemented
  • Successfully met regulatory requirements

Protecting 8000+ endpoints for one of the largest insurers in Asia

Customer’s profile:

One of the largest insurance companies in Asia, with 6200+ employees across eight offices within the APAC region. The company offers life and medical insurance, general insurance and employee benefits.

Customer’s challenge:

  • Looking for a partner to implement the solution across their entire endpoint estate.
  • Required product expertise as well as strong technical investigation and troubleshooting skills to ensure a smooth and fast deployment.
  • Full technical documentation was also a requirement.

Solution delivered:

  • Theos completed the full policy and configuration implementation within a week, and worked with the client as agents were rolled out. Deliverables included a Technical Design and a Troubleshooting Procedure.
  • The following deliverables were completed: Technical Design, Policy Implementation, Design and Handling of the Upgrade Process, Troubleshooting of deployment and compatibility issues, Defining the Standard Operating Procedures, Defining the Response Playbooks, and Integration with third-party tools and applications.

Values delivered to the customer:

  • Our experience & expertise: our experience and expertise in defining an effective security programme that is relevant to the customer, by leveraging their current investment and complementing their existing architecture with market-leading security technologies.
  • On-time delivery: during the implementation, Theos identified a compatibility issue and worked with the product vendor to overcome it and proceed with the deployment, which was successfully delivered in 2 months.

Delivering VAPT programme for one of the largest stock exchanges in SEA

Customer’s profile:

One of the largest stock exchanges in South East Asia, with 200+ listed companies and a market capitalisation of USD200+ million as of 2021.

Customer’s challenge:

The client is one of the stock exchanges in Asia. Being a prime target for malicious actors, they need to constantly test the strength of their applications and systems to minimise the risk of compromise. They were looking for a long-term partner who would deeply understand their architecture and applications while providing a flexible commercial framework.

Solution delivered:

  • An annual retainer for Vulnerability Assessments and Penetration Testing across the entire application estate of the stock exchange, with a minimum of 30 tests per year.
  • Ethical Hackers are deployed on-site at the stock exchange as well as remotely to look for flaws and vulnerabilities that an attacker could exploit. Recommendations and remediation services are provided on an on-demand basis.

Values delivered to the customer:

  • Local and remote Ethical Hackers available on demand.
  • Leverage our past experience of delivering to large FSI customers in Asia, as all projects are delivered in-house and not outsourced to contractors.