
Tenable Blog


How Exposure Management Can Make Pen Testing More Effective


Pen testing needs to be supplemented with a routine vulnerability scanning schedule to pick up changes that may introduce vulnerabilities over time, to improve efficiencies in the overall process and to reduce the overhead costs in the penetration testing process.

In my work as an Offensive Security Certified Professional, I've had a front-row seat to some of the challenges facing government agencies as they look to reduce cyber risk, particularly when it comes to the role of penetration testing. While penetration testing is a fundamental part of practicing good cyber hygiene, it is costly and provides only a point-in-time assessment.

Government agencies looking to use pen testing face barriers to procurement, long lead times to scope a test and a lack of resources to perform penetration testing against all external and internal systems. In my opinion, pen testing needs to be supplemented with a routine vulnerability scanning schedule to pick up changes that may introduce vulnerabilities over time, to improve efficiencies in the overall process and to reduce the overhead costs in the penetration testing process.

It’s important to combine pen testing with regular patching of operating systems, software and applications. However, even up-to-date systems can be exposed through misconfigurations or poor coding practices.

In my experience, large organizations prioritize addressing compliance at the expense of developing proactive and preventive approaches, like routine vulnerability scanning. At the end of the day, attackers are continuously on the hunt for vulnerabilities in your systems. So, if you are not doing the same on an ongoing basis, you have already fallen behind the attacker.

Recently, I've had the opportunity to help one large federal government agency with its exposure management efforts using Tenable Security Center (formerly Tenable.sc). It proved to be a very effective vulnerability management tool that helped the agency quickly identify vulnerabilities at scale, discover unknown assets and fix security weaknesses in multiple systems. But it wasn't only helpful to the agency’s vulnerability management team. Tenable Security Center supported several other teams with various tasks in the offensive, defensive, compliance and risk areas to significantly reduce exposure. For example, Tenable Security Center’s audit scanning feature allowed us to assess the slippage between standard operating environment golden images and live endpoints to ensure there was no drift from pre-configured hardened and compliant solutions.

How exposure management makes penetration testing more effective

Penetration testers don’t merely hack systems. There are many other components that make up a penetration testing engagement, including:

  • scoping the target system or changes to it;
  • understanding the individual components of the system and how they integrate with other systems or technologies to determine attacker perspectives and test cases;
  • identifying the responsible branches;
  • writing a penetration test plan;
  • hacking;
  • writing a report; and
  • retesting findings once patches or mitigations have been applied.

Penetration testers like to focus on the hacking part, especially exploiting a range of complex vulnerabilities or chaining together multiple vulnerabilities in a unique way to demonstrate impact to the customer. That’s where our skillset is. The rest is a time-consuming necessity, particularly so in agencies that are not using a vulnerability management tool to manage exposure. It’s in assisting these other parts of the penetration testing process where the power of Tenable Security Center really shines through to ultimately give the testers better information and more time to hack, resulting in higher-quality findings.

For example, at the large federal government agency, Tenable Security Center allowed me and other penetration testers to streamline our work and free up more time for hacking. Since systems were already undergoing routine vulnerability scanning, we knew straightaway what components made up the system, the technologies that were used and which agency branches owned which assets. We were able to accomplish all of this before even having the first scoping meeting.

The advantage? With much of the enumeration and low-hanging fruit already identified, we could easily get a test plan in place and begin hacking. This gave us more time to focus on complex test cases and demonstrate greater impact in the event an attacker exploited the vulnerabilities we found. After the penetration test report was delivered, it was then also possible to rely on the routine vulnerability scans to verify that some of the findings were fixed. Conducting Nessus remote and local scans in Tenable Security Center can significantly help reduce the time and effort to identify some of these common issues, without relying on the penetration testers to perform this work.

Again, this gave our team more time back to focus on the stuff that matters.

Keeping on top of the latest technologies and Common Vulnerabilities and Exposures (CVEs) is a challenging task. Another great thing about Tenable Security Center is the plugins that are released daily. Reverse engineering these plugins — for example, analyzing the traffic they send over the network to a target host — proves to be an effective way to understand some of the newest vulnerabilities and how they could be exploited. In some cases, the plugin source code (Nessus Attack Scripting Language) is also shared and since it uses a familiar scripting style, plugins can be easily customized to perform unique operations tailored to the agency’s environment and goals.

Additionally, certain issues pop up from time to time. It is important to know that a penetration Three examples I’ve seen:

  • a team of engineers disabled authentication on a network drive when working on a particular project
  • numerous old and outdated decommissioned servers suddenly switched back on by accident, exposing vulnerable systems to the network that can allow an attacker to move laterally
  • a project team successfully fixed issues they found (e.g. switching on JMX authentication) only to have the vulnerabilities unintentionally reintroduced weeks or months later through rollback changes.

These kinds of regressions are not detected quickly without continuous exposure management. Yet most penetration testing is done infrequently, sometimes with gaps of a year or more between tests. Tenable Security Center can help pen testing teams keep on top of vulnerabilities and misconfigurations by rescanning each system every day or week, verifying that earlier fixes are still in place, and generating easy-to-use dashboards that keep the penetration testing team informed.
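As an added example (not code from the post or from Tenable), here is a small Python regression tracker that reads successive scan exports in a Nessus-style CSV layout and flags findings that were verified fixed and later reappeared, the rollback case described above, alongside findings that are new since the last scan. The CSV columns are a simplified subset of a real export, and the plugin IDs, hosts and finding names are constructed placeholders.

```python
import csv
import io
# Constructed sample exports in a Nessus-style CSV layout: only a subset of the
# real export columns is kept, and plugin IDs, hosts and names are placeholders.
SCAN_BEFORE_FIX = """Plugin ID,Risk,Host,Protocol,Port,Name
900001,High,10.0.0.7,tcp,9090,JMX agent reachable without authentication (constructed)
900002,Medium,10.0.0.5,tcp,445,Network share readable without authentication (constructed)
"""
SCAN_AFTER_FIX = """Plugin ID,Risk,Host,Protocol,Port,Name
900002,Medium,10.0.0.5,tcp,445,Network share readable without authentication (constructed)
"""
SCAN_WEEKS_LATER = """Plugin ID,Risk,Host,Protocol,Port,Name
900001,High,10.0.0.7,tcp,9090,JMX agent reachable without authentication (constructed)
900003,Critical,10.0.0.9,tcp,22,Unsupported operating system on re-enabled host (constructed)
"""

FindingKey = tuple[str, str, str, str]  # (plugin id, host, protocol, port)

def parse_export(text: str) -> dict[FindingKey, dict[str, str]]:
    """Index one CSV export by the tuple that identifies a finding on a host."""
    findings = {}
    for row in csv.DictReader(io.StringIO(text)):
        findings[(row["Plugin ID"], row["Host"], row["Protocol"], row["Port"])] = row
    return findings

def finding_status(presence: list[bool]) -> str:
    """Classify one finding from its presence across scans, oldest first."""
    *history, latest = presence
    if not latest:
        return "fixed"       # seen in an earlier scan, absent in the latest one
    if not any(history):
        return "new"         # first appearance is the latest scan
    first_seen = history.index(True)
    if not all(history[first_seen:]):
        return "regressed"   # present, then verified absent, now back again
    return "open"            # present continuously since first seen

def compare_scans(exports: list[str]) -> dict[str, list[FindingKey]]:
    """Bucket every finding seen in any export by its status in the latest one."""
    scans = [parse_export(e) for e in exports]
    buckets: dict[str, list[FindingKey]] = {"regressed": [], "new": [], "open": [], "fixed": []}
    for key in sorted(set().union(*scans)):
        buckets[finding_status([key in scan for scan in scans])].append(key)
    return buckets

def report(exports: list[str]) -> list[str]:
    """One line per finding that needs attention: regressions first, then new."""
    buckets = compare_scans(exports)
    return [f"{status}: plugin {p} on {h} {proto}/{port}"
            for status in ("regressed", "new") for p, h, proto, port in buckets[status]]
```

Feeding the three constructed exports to `report` lists the JMX finding as regressed and the re-enabled host as new, while the share finding is bucketed as fixed.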

Key takeaways to improve cybersecurity posture

  • Implement a routine vulnerability scanning capability for external and internal systems. Using a tool like Tenable Security Center, this can be up and running in a short time, quickly providing actionable items to reduce cyber exposure and keep critical data and systems safe from attackers.
  • Know your assets. One of the greatest blockers to improving cybersecurity is simply not knowing what systems you have on your network. Tenable Security Center doesn't only have to be used to search for vulnerabilities, it also can be used to find your lost, unloved and forgotten assets.
  • With the above two points in mind, it is worth noting that many compliance frameworks (e.g. National Institute of Standards and Technology) are requiring organizations to maintain an inventory as well as to continually scan for vulnerabilities.
  • Keep systems up to date with the latest operating systems, software, and patches. Agent or credentialed scans by design aim to identify vulnerable and outdated versions and can help you recognize shortcomings in existing patch management cycles.
  • Perform penetration testing on high-impact assets. This will provide a deep understanding of the vulnerabilities in a specific system and how to fix them. Between penetration tests, continuously perform vulnerability scanning against high-impact systems to ensure changes over time do not introduce new or previously remediated vulnerabilities.

Conclusion

To recap, here are the various ways the Tenable Security Center has aided our pen testing efforts.

[Table: Tenable Security Center capabilities (Vulnerability scanning, Discovery scanning, Audit scanning) mapped against the teams they supported: Vulnerability management, Penetration testing, Compliance, Governance and risk, Security operations center]

Source: Tenable, June 2023
