Never before has it been more important to think the unthinkable: what if an attack succeeds? (If you need some stats and arguments to persuade the Board of this, try this article of mine, of which this is a summary.) The solution to mitigate the threat of a successful attack is already very familiar to us all: defence in depth. But to what extent are those inner defences tested? What about a “second-level” penetration test, which would start from the assumption that a first-level defence has been bypassed?
Beyond a few run-of-the-mill scenarios, this type of penetration test is not widely considered – at least not that I’ve seen in the UK. First, let’s be honest, the reality is that such testing is often not required to tick the boxes necessary to achieve the minimum level of legal and regulatory compliance. Second, penetration tests are traditionally categorised by the amount of knowledge the tester has of the target system – for example, “white box” versus “black box”. (The OSSTMM also considers the level of knowledge the target has about the test.) Then we have the generic “external” versus “internal” test, which both carry assumptions about the initial level of access. For the external test, it’s usually zero or credentials have been supplied or an IP address has been white-listed. For the internal test, it’s implicit that the tester has physical (or virtual) access to the system (and possibly credentials to go with it).
There’s no reason, however, why a pen-test could not start from a more adventurous position of access. Consider, for example, the scenario of a compromised web server on which a web shell has been dropped – or indeed a SQL shell! A second-level penetration test could start with this in place for the tester to see what access could be achieved should such an initial attack ever succeed. This would obviously require careful configuration so that the web shell would only be accessible to the tester but this could be done quite simply.
So let’s make the level of initial access more of a variable in pen-tests and get creative. Think about various attack scenarios and what, if anything, is in place to thwart them should the first line of defence be breached. These can form the basis of scopes for further penetration tests and will really help an organisation to move forward with its security – in particular, preparing for and reacting to successful attacks.
Do add a comment if you’re in a company that has done this (well done you) or perhaps you’re a pen-tester that’s performed such a test (interested to know the scenario).