When we talk about cyberattacks, we often think of malicious activities coming from external attackers, while internal attacks are on the rise. In the Insider Threat Report 2019, it is reported that 59% of the companies surveyed had suffered such an attack in the past year.
Protecting yourself from the inside against these attacks is therefore just as important as defending yourself from the outside.
What is an Internal Pentest?
During an internal pentest, tests are performed from inside the company or sometimes through a VPN. Most of the time, pentesters go to the company’s buildings, bring their equipment and put themselves in the shoes of an internal attacker.
Why Perform an Internal Pentest?
An internal pentest enables you to measure the risk for your internal network to be compromised. This involves detecting incorrect configurations, identifying internal vulnerabilities that can be exploited by an attacker and measuring the consequences on the internal network if a machine were compromised. Then, solutions are recommended, so that the flaws can be corrected.
What are the Differences with an External Pentest?
The first difference is that more elements can be tested from within an organisation. The external attacker has only a limited view of the internal network of its target.
The second notable difference is that the profile of the attacker is not the same. Any employee and staff related in a way or another to the firm and its premises (providers, suppliers, guests, etc.) might be, intentionally or not, at the origin of an attack or of a leak of sensitive data. Their access to the company’s internal network is a potential risk.
The third difference is that additional social engineering attacks are possible, such as dropping USB keys.
Implementation of an Internal Penetration Test
When preparing an internal penetration test, the first step is to define the attack scenario. Will the pentesters put themselves in the shoes of an intern, an employee or a visitor? Will they have access to a wired or wireless connection? Will they have access to a guest only network or to the network used by employees? Several scenarios can be chosen to carry out the most exhaustive possible audit.
Network Mapping
Once on site, the pentester starts to map the network, listing all accessible servers, proxies, routers, workstations or other hosts. Even a printer can be used for malicious purposes by intercepting documents being printed, for example.
Then comes a more detailed identification of the servers. It is necessary to determine their type and role in the network. After that, pentesters scan the ports of all the hosts they have found to look for services that are being used. The network users are also enumerated.
Identifying Vulnerabilities
After the port scan, the versions of the services and operating systems used are studied. The pentester looks for those that are no longer up to date or no longer maintained. Not updating your equipment means exposing yourself to known and often documented vulnerabilities, therefore to proven attacks.
The audit goes on by listening to traffic on the network with a packet analyzer like Wireshark. Some communication protocols are not secure but still used. Likewise, Wi-Fi communications must be encrypted to ensure that the data sent is not readable by an attacker. Encoding methods such as WEP (Wired Equivalent Privacy) and some versions of WPA (Wi-Fi Protected Access) are easily cracked.
The pentester then controls that the different networks are hermetically sealed from each other. For example, in the guest areas there may be forgotten Ethernet plugs that are linked to the corporate network, cancelling the utility of dedicated Wi-Fi.
Exploiting Vulnerabilities
Once all vulnerabilities have been listed, pentesters begin to exploit them and focuses on the most representative or interesting ones from an attacker’s point of view.
From the service versions, they might find the default login and passwords for the different services and hosts. It often happens that these are not modified. By intercepting traffic network (with for example ARP Poisoning), valid credentials are sometimes obtained.
Default passwords and passwords collected by sniffing are tested. Targeted attacks against vulnerable hosts are launched to gain privilege in the network and to retrieve sensitive data. Other attacks are launched in order to see after the end of the audit if they have been detected by the company’s network defence system.
What to Do After an Internal Penetration Test?
Once the pentest is completed, the first thing to do is to correct flaws that have been detected, i.e., make updates, replace systems that are too old to be kept, ensure that applications and have access only to what they need on the network. The permissions of everyone must be carefully managed and they must be made aware of cybersecurity.
Ideally, a network monitoring system (IDS / IPS) should be set so that suspicious activities, such as port scanning, can be noticed and blocked.