Advanced Penetration Testing and Enhanced Red Teaming
If you asked me what HORNE Cyber wants to be known for, I would quickly reply with “incomparable penetration testing.” From its conception, HORNE Cyber has placed heavy emphasis on the methodology used by its cyber operations specialists in penetration testing and red teaming engagements. Why do we feel penetration testing is so important? In our experience, we have found penetration testing and red teaming to be one of the most valuable investments an organization can make related to its cybersecurity efforts. However, there is no current standard when it comes to penetration testing services offered within the industry.
In fact, most penetration testing is simply a scan for publicly known vulnerabilities that may or may not be actionable on your network. While a good baseline, this approach often doesn’t improve your overall security posture. We are on a mission to create the gold standard through our advanced penetration testing and enhanced red teaming methodology by taking the approach of today's attackers.
Our manual, human-driven approach is what defines advanced penetration testing and enhanced red teaming. This approach and methodology enable us to discover organization-specific vulnerabilities, which are often zero-day (previously unknown) vulnerabilities. When we discover a zero-day vulnerability in the course of an advanced penetration test, we work with the client to determine the best strategy for remediation. Oftentimes, if the zero-day vulnerability is identified in a third-party provider’s solution, we will disclose the vulnerability directly to the provider so that it can be verified and a patch can be distributed to all customers. If a zero-day vulnerability is reported to the provider and verified, a Common Vulnerabilities and Exposures (CVE) identifier is often assigned to document the vulnerability.
For example, during a recent advanced penetration testing engagement, Tyler Holland, a cyber operations specialist at HORNE Cyber, identified zero-day vulnerabilities in Symantec’s Industrial Control System Protection (ICSP) product, earning CVE-2019-18380.
This product is designed to protect industrial control systems (ICS) in private and national critical infrastructure from USB-borne malicious software. Due to the secure nature of ICS environments, they are often difficult to attack via common methods. However, some of the most successful ICS attacks have occurred via infected USB drives. For this reason, Symantec ICSP is meant to “sanitize” USB drives that are brought into a secured ICS environment.
CVE-2019-18380: Findings and Implications
The two issues identified, as listed in CVE-2019-18380, allow an attacker to remotely gain administrative privileges to an ICSP device and potentially weaken the defenses of an ICS network.
The first vulnerability allows an attacker to create a new user account on the target ICSP device. However, the new user account created by the attacker does not have administrative privileges. The second vulnerability allows the attacker, via this new user account, to change the password of any other user account, including those with administrative privileges. As a result, the attacker is able to gain administrative privileges on the ICSP device and potentially impact the effectiveness of the device in preventing USB-borne malware from infecting the ICS network.
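As an added illustration (constructed here; this is neither HORNE Cyber's write-up nor Symantec's code), the toy account service below shows the authorization gap described above beside a corrected check: the weak password-change path confirms only that the caller is logged in, while the hardened path requires the caller to own the target account or hold the admin role. The class and account names, and the plaintext passwords, are assumptions made for brevity.

```python
from dataclasses import dataclass

@dataclass
class User:
    name: str
    password: str  # plaintext only in this constructed demo; real systems store a hash
    is_admin: bool = False

class AccountService:
    def __init__(self):
        # constructed seed data: one built-in administrator
        self.users = {"admin": User("admin", "admin-pw", is_admin=True)}

    def register(self, name, password):
        """Weak: unauthenticated self-registration; the new account is not an admin."""
        if name in self.users:
            raise ValueError("user exists")
        self.users[name] = User(name, password)
        return self.users[name]

    def change_password_weak(self, caller, target, new_password):
        """Weak: checks that the caller is logged in but never whose password
        is being changed, so any account can reset the administrator's."""
        if caller not in self.users:
            raise PermissionError("not authenticated")
        self.users[target].password = new_password
        return True

    def change_password_hardened(self, caller, target, new_password, current_password=None):
        """Hardened: non-admins may change only their own password and must
        present the current one; admins may reset other accounts."""
        actor = self.users.get(caller)
        if actor is None:
            raise PermissionError("not authenticated")
        if caller != target and not actor.is_admin:
            raise PermissionError("cannot change another user's password")
        if caller == target and current_password != actor.password:
            raise PermissionError("current password mismatch")
        self.users[target].password = new_password
        return True

def admin_password_after(use_hardened):
    """Run the two-step chain from the write-up against one path and return the
    admin password afterwards; 'admin-pw' means the takeover was blocked."""
    svc = AccountService()
    svc.register("newuser", "newuser-pw")
    path = svc.change_password_hardened if use_hardened else svc.change_password_weak
    try:
        path("newuser", "admin", "attacker-pw")
    except PermissionError:
        pass
    return svc.users["admin"].password
```

Closing open self-registration (the first issue) removes the foothold; the ownership check (the second) removes the escalation even where a low-privilege account already exists.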
Recommendations for Symantec ICSP Customers
After the two vulnerabilities were verified, Symantec patched the vulnerabilities and released V18.104.22.168. Symantec recommends that customers patch and restrict access to ICSP devices, allowing only users and workstations that have an operational need to access the device(s). When software and devices, such as ICSP, expose web interfaces, administrative controls, and API endpoints, HORNE Cyber recommends reducing the attack surface as much as possible.
HORNE Cyber would like to acknowledge and thank Symantec for its quick response and patch for the identified issues.
This case study exemplifies the importance of advanced penetration testing and enhanced red teaming. We believe these exercises will create a new standard for penetration testing among our clients and their peers as they expose organization-specific vulnerabilities that, in other engagements, would likely go undetected. Our approach emulates the actions of a true attacker and that, we argue, is of the utmost value to every organization of any size and in any industry.