Risks assessed during a pentest generally focus on attacks perpetrated from outside the information system. Indeed, a classic approach consists of first testing the risks of external attacks (black box pentest), and then the risks of attacks from a customer or partner access (grey box pentest).

Risks of internal attacks, particularly from an employee’s access, are often considered less important. Apart from the fact that insiders represent a smaller pool of potential attackers, insider threats are probably also underestimated because of the trust placed in employees.

Unfortunately, malicious actions committed by employees are increasing, often with more serious consequences, given the privileged position they enjoy and the information they have access to. According to the Insider Threat Report 2020, almost 70% of organisations surveyed say they feel vulnerable to internal attacks, which they are also experiencing more frequently.

Assessing and preventing insider threats is therefore essential for any organisation undertaking a security strategy. And penetration testing is one of the most effective tools for identifying the impact of an internal attack. In this article, we outline the nature of insider threats and how this type of risk can be specifically assessed during a pentest.

What is an insider threat?

In cybersecurity, an insider threat refers to the IT risk arising from an organisation’s internal users or from individuals closely linked to the organisation. These users may be current or former employees, customers, service providers, subcontractors, partners, etc. What they have in common is that they have direct or indirect access to the organisation’s resources, which they can use intentionally or unintentionally to cause damage to the IT and network infrastructure or internal applications.

In practice, customers, service providers, subcontractors and partners are generally considered to have an intermediate status between external attackers and internal users of a company’s information system. Risks from customers and partners are usually not neglected, whereas internal risks are treated more permissively, especially in small and medium-sized companies.

Furthermore, contrary to popular belief, not all insider threats are the result of malicious motives or intentional actions. In many cases, security incidents occur as a result of human negligence, errors or failure to take adequate security measures. Clicking on a phishing email, unpatched workstations, weak passwords, loss of business equipment, etc. are all potential risk vectors that can compromise an organisation’s resources.

Malicious insider threats are generally initiated by two typical user profiles:  

  • On the one hand, there are those attracted by the lure of profit, who may use their access to steal sensitive data, strategic documents or intellectual property (e.g., the source code of an application) for resale on the black market or for personal use.
  • On the other hand, there is the threat from internal attackers motivated by hostility against their employer or by a desire for revenge, who take advantage of their privileged access to company resources to harm the company.

No company is immune to potential insider threats, whether intentional or not. However, the risk is greater in large companies, those with a high turnover, and, naturally, those that do not – or at least not effectively enough – raise awareness of cybersecurity issues among their employees.

Beyond the identification of internal risks and the implementation of adequate controls, it is possible through penetration testing to simulate an internal attack in order to measure the real impact and, at the same time, to concretely test the effectiveness of the protections in place.

Types of internal attacks performed during a pentest

When the pentesters are given the same access as a company employee, they can simulate a malicious internal attacker and attempt to reach resources that should not be accessible to them.

The type of tests performed will depend on the target of the pentest: web application, network infrastructure, human factors (social engineering), etc.

Web application penetration testing

For a web application pentest, the pentesters will have access to a standard level of rights, if the solution is used internally, or will have access to the back office, if the platform is used by B2B or B2C customers.

If the solution is used internally: the objective is to go further than black box testing and find flaws accessible to an authenticated user. This makes it possible to check that rights levels are correctly partitioned, to test for misuse of legitimate functionality, and to look for all the technical flaws that could be exploited by a malicious user.

For a platform used by customers: having access to the back office is relevant, particularly if there are several levels of privileges for back-office users, in order to test the partitioning. Otherwise, having access to the back office may be useful for testing the possibilities of access to other parts of the information system. This can be used to test the risks in the event of an attacker taking control of the back office, either by exploiting a technical flaw or by stealing credentials.

A pattern we commonly see with our customers: the web platform exposed to B2B or B2C customers is well secured, and applications for internal use (a back-office application, for example) are generally robust against external attacks. However, once authenticated as an internal user or administrator, it is very common to find both a lack of granularity in rights and a lack of vigilance regarding security flaws.

In some cases, applications for internal use are poorly protected, even against external attacks, because they are not identified as requiring protection, are considered to be of low sensitivity, or are not listed as exposed online. However, taking control of a vulnerable web application can be a significant risk if it is on the same server as other web applications or if it communicates with other components.
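The two points above (checking that rights levels are correctly partitioned once authenticated, and the lack of granularity typically found in back-office applications) can be turned into a repeatable check. The following is an added example written for this article, not code from the article's author or from any product: a constructed back-office document service with customer, support and admin roles, an endpoint that only verifies that a user is logged in (the defect authenticated testing typically finds), its hardened counterpart, and the authorization matrix a pentester reconstructs, encoded as test data and run against both implementations. All names, roles and documents are constructed.

```python
"""Authorization-matrix check for a back-office application with several
privilege levels (added example; roles, users and documents are constructed).
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Document:
    doc_id: int
    owner: str       # account name of the owning customer
    sensitive: bool  # e.g. a signed contract vs. a public brochure


@dataclass
class User:
    name: str
    role: str        # "customer", "support" or "admin"


# Constructed sample data: documents belonging to different customer accounts.
DOCUMENTS: Dict[int, Document] = {
    1: Document(1, "alice", sensitive=True),
    2: Document(2, "bob", sensitive=False),
    3: Document(3, "bob", sensitive=True),
}


class AuthorizationError(Exception):
    pass


def get_document_vulnerable(user: Optional[User], doc_id: int) -> Document:
    """Typical defect found in authenticated tests: the endpoint only checks
    that *someone* is logged in, not that this user may read this document."""
    if user is None:
        raise AuthorizationError("login required")
    return DOCUMENTS[doc_id]  # any authenticated user can read any id


def can_read(user: User, doc: Document) -> bool:
    """Intended policy: customers read their own documents, support staff read
    non-sensitive documents of any customer, admins read everything."""
    if user.role == "admin":
        return True
    if user.role == "support":
        return not doc.sensitive
    return doc.owner == user.name


def get_document_hardened(user: Optional[User], doc_id: int) -> Document:
    """Same endpoint with the object-level check applied on every request."""
    if user is None:
        raise AuthorizationError("login required")
    doc = DOCUMENTS.get(doc_id)
    if doc is None or not can_read(user, doc):
        # Same error for "missing" and "forbidden" so ids cannot be enumerated.
        raise AuthorizationError("not found")
    return doc


# The authorization matrix, written down as test data: (user, doc_id, expected).
MATRIX: List[Tuple[User, int, bool]] = [
    (User("alice", "customer"), 1, True),
    (User("alice", "customer"), 2, False),  # horizontal: another customer's doc
    (User("alice", "customer"), 3, False),
    (User("carol", "support"), 2, True),
    (User("carol", "support"), 3, False),   # vertical: sensitive document
    (User("dave", "admin"), 3, True),
]


def check_matrix(fetch: Callable[[Optional[User], int], Document]) -> List[Tuple[str, int, bool, bool]]:
    """Run every matrix row against an endpoint implementation and return the
    rows whose outcome differs from the expected one, as
    (user, doc_id, expected_allowed, actually_allowed)."""
    failures = []
    for user, doc_id, expected in MATRIX:
        try:
            fetch(user, doc_id)
            allowed = True
        except AuthorizationError:
            allowed = False
        if allowed != expected:
            failures.append((user.name, doc_id, expected, allowed))
    return failures


if __name__ == "__main__":
    print("vulnerable:", check_matrix(get_document_vulnerable))  # 3 failing rows
    print("hardened:  ", check_matrix(get_document_hardened))    # []
```

The matrix is the valuable artefact: once a pentest has established who should be able to do what, keeping it as test data means every later deployment re-checks the partitioning instead of relying on the next manual test to find a regression.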

Internal network penetration testing

An internal network pentest usually includes consideration of insider threats. It is very rare for the tests to be limited to the risks of external attacks (black box network penetration testing), which mainly consists of testing whether the Wi-Fi network can be accessed without any user credentials. In that case, weaknesses in the technologies used (WEP/WPS/WPA) or brute force attacks may allow an external attacker to access your network.

In general, for tests on the internal network, the pentesters have the same level of access as employees with a minimum level of rights on the company’s information system: workstation, standard account on the domain, access to the wired and/or WI-FI network, etc. This makes it possible to test the partitioning of rights (possibilities of access to critical resources or taking control of servers or administrator workstations, etc.), as well as all the technical vulnerabilities that could be exploited by a malicious employee or an external attacker who has gained access to your network.

Nevertheless, the risks of internal attacks by users with more privileges on the company’s information system should not be neglected or underestimated, as we often observe. Indeed, anyone can be a threat, and even within an IT team, for example, not all users have the maximum level of access. Providing several types of access (standard employee access as well as more specific, higher-privileged access) therefore enables a more detailed and complete analysis of the risks of internal attacks. This is all the more relevant and important if the company has set up specific partitions by type of activity (separate network, access to specific tools, etc.).

Social engineering penetration testing

During a social engineering pentest, the pentesters will have access to the same level of information as the company’s employees. Depending on the situation, this may include: a complete list of first names, last names, positions and contact details, email addresses, internal details of the functioning of certain teams, precise information on internal tools and technologies used.

In theory, the level of information provided to the pentesters will depend on the internal threat level you want to test. Giving as much information as possible can distort the tests, because most of the time, internal attacks are based on partial (or imperfect) knowledge of the company. This is why it is worthwhile to provide only the information that employees really have (company activity, internal tools, organisation charts, contact details) so that pentesters can build and execute realistic attack scenarios.

Concrete examples of social engineering tests that relate to risks from an internal attacker or someone who has obtained information about the company:

  • Exploiting internal company news to get people to open a malicious file sent by email.
  • Using knowledge of the relationships between the company’s departments and the people who work there to impersonate someone.
  • Knowing the tools used internally, cloning them to attempt to steal credentials.
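The last scenario relies on a cloned internal tool reachable at an address that resembles the real one. Knowing which tools the company uses is also useful on the defensive side: a list of their legitimate hostnames can be compared against every link seen in inbound mail. The following is an added example written for this article (not code from the article's author or from any mail-filtering product): the hostnames, the mail lines and the small homoglyph table are constructed, and the edit-distance threshold is an assumption chosen for the example.

```python
"""Flag links in inbound mail whose hostname imitates an internal tool
(added example; hostnames, mail lines and homoglyph table are constructed).
"""
import re
from typing import List, Tuple

# Constructed list of the legitimate hostnames of tools used internally.
KNOWN_TOOLS = [
    "intranet.example-corp.com",
    "hr.example-corp.com",
    "vpn.example-corp.com",
]

# A few visually similar substitutions used in lookalike domains (a subset,
# constructed for the example).
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w", "3": "e"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.\-]+)")


def normalize(host: str) -> str:
    """Lower-case the hostname and undo the homoglyph substitutions."""
    host = host.lower()
    for fake, real in HOMOGLYPHS.items():
        host = host.replace(fake, real)
    return host


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str, max_distance: int = 2) -> Tuple[str, str]:
    """Return ("legit" | "lookalike" | "unrelated", imitated_known_host).

    max_distance is an assumed threshold: hostnames within two edits of a
    known tool after normalization are treated as imitations."""
    if host.lower() in KNOWN_TOOLS:
        return "legit", host.lower()
    norm = normalize(host)
    for known in KNOWN_TOOLS:
        known_norm = normalize(known)
        # Homoglyph match or a small edit distance (e.g. "." swapped for "-").
        if norm == known_norm or levenshtein(norm, known_norm) <= max_distance:
            return "lookalike", known
        # Known name embedded in a longer one, e.g. vpn.example-corp.com.check-login.net;
        # anything not on the allow list is reported for review.
        if known_norm in norm and norm != known_norm:
            return "lookalike", known
    return "unrelated", ""


def scan_mail(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Extract every link in the mail text and return (host, verdict,
    imitated_host) for each one that imitates a known internal tool."""
    findings = []
    for line in lines:
        for host in URL_RE.findall(line):
            verdict, known = classify_host(host)
            if verdict == "lookalike":
                findings.append((host, verdict, known))
    return findings


# Constructed sample of inbound mail text.
SAMPLE_MAIL = [
    "Hi, please re-validate your account: https://intranet.example-corp.com/login",
    "Reminder: payslips are now at https://hr.exarnple-corp.com/payslips",
    "New VPN portal: https://vpn-example-corp.com/auth",
    "Lunch menu: https://menu.cafeteria-partner.net/today",
]

if __name__ == "__main__":
    for finding in scan_mail(SAMPLE_MAIL):
        print(finding)
```

Run on the constructed sample, the first link is the real intranet and is ignored, the "rn" in exarnple-corp and the hyphen replacing the dot in vpn-example-corp are both reported as imitations of a known tool, and the unrelated cafeteria link is ignored. The list of known hostnames is the part worth maintaining: it is exactly the knowledge that makes the cloned-tool scenario credible, so it should also feed the detection side.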