
Flexible & Secure Remote Penetration Testing in a Changing World

As businesses move to more remote-based models, penetration testing and red teaming engagements must be able to do the same. Performing penetration testing and red team engagements remotely presents some unique challenges for organizations.

Challenges that we believe can be turned into benefits:

Emulating how an adversary may take advantage of the new attack surface opened by remote work, while maintaining the ability to perform traditional penetration testing.

Performing all penetration testing remotely, eliminating travel costs and other engagement overhead costs while saving time and effort.

As companies move to remote or hybrid work models, they rely more heavily on enterprise collaboration and communication platforms (such as Office 365, Zoom, Slack, or Google Workspace), remote desktop software, externally exposed VPNs, email, and endpoint security tooling. Every additional remotely reachable technology widens the attack surface. Companies that want to evaluate their cyber resilience should therefore seek a cyber security services partner whose tactics, techniques, and procedures (TTPs) cover this larger attack surface, especially when testing from an external perspective.

TTPs for external testing should include advanced social engineering campaigns (phishing, smishing, and social media-based), direct access to credentials exposed in password breaches, Advanced Persistent Threat (APT) style password spraying (low-and-slow, with IP address rotation so that no single source trips per-IP lockout or alerting thresholds), and multi-factor authentication (MFA) defeats, all aimed at pivoting from external penetration testing to internal access.

So what should organizations address when testing from an internal perspective, if a test is to operate under the same paradigm?

We believe that industry-leading remote attack platforms and solutions should allow for parity in the effectiveness of both external and internal engagement phases amid today’s changing threat landscape. A comprehensive Offensive Security test can be performed remotely by using physical implants, virtual implants, or both.

At Echelon, we enable physical implant-based remote testing engagements through our proprietary HARPI (Hardened, Advanced Remote Penetration Implant) platform, which simply requires that a company plug it into their network. This technology means that testing is held to the same rigorous standard, without needing operators onsite.

5 Ways HARPI Enables Comprehensive Internal, Remote Testing

1. Test your security against one of the most potentially damaging attack tactics

Your organization is only as secure as its most easily accessible infrastructure, and a physical implant-based penetration test allows you to test against a physical access scenario. Our HARPI platform uses the same tactics that a real, sophisticated threat actor would use to maintain a physical presence in your business without physically being there. It takes seconds to plug in, and its small footprint makes it easily concealable. Because of this, using the HARPI platform to test your business is not just a matter of convenience, it is also a way to ensure your internal security controls are sufficient to prevent a real attack using the same tactics.

2. Support black, gray, and white box testing models

Because of its small footprint, HARPI can be easily concealed for tests in which the security team has varying levels of knowledge about the engagement. Additionally, we can use a stealthy approach relying more on observation and covert techniques or increase the “noise” to a more direct penetration test-style approach with deep scanning.

3. Test Network Access Control (NAC) capabilities

HARPI plugs into your network via Ethernet, but it connects back to Echelon’s infrastructure over an out-of-band channel. Because the command channel does not depend on the wired network granting the device access, we keep control of the implant regardless of any NAC solution, and can then use the wired interface to attempt to bypass that NAC. The same out-of-band link also lets us use the platform’s built-in wireless radio to scan for open Wi-Fi networks, testing another potential attack vector.

4. Test network ingress and egress

Using HARPI’s multiple connections, we test for ingress and egress abilities using both in-band and out-of-band methods. This testing allows you to understand what kind of data can truly transfer in and out of your network, how much data is able to be transferred, and whether data loss prevention (DLP) controls in place successfully prevent the transmission of sensitive data.

5. Allow for sophisticated attacks to be performed without a human presence

Attacks such as hash relaying, internal password spraying, and custom scenarios tailored to your organization are all possible without shipping a team to your site. Implant-based testing also allows for “convergence” scenarios, in which an internal and an external test run concurrently: the internal test makes progress from the first day, and the external test continues until it “catches up” by gaining its own foothold. This removes the need to run the two phases sequentially and makes the engagement more efficient.
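The low-and-slow, IP-rotating spray listed among the external TTPs above and the internal password spraying in item 5 share one property a defender can use: every source address stays under a per-IP threshold, but the set of targeted accounts keeps growing. The following Python is an added example written for this page, not Echelon’s or HARPI’s code; the log line format and every event in it are constructed for illustration. It shows a conventional per-IP brute-force rule missing the spray entirely, a rule keyed on distinct failing accounts per sliding window catching it, and how a window sized for bursts lets a slow spray through.

```python
"""Password-spray detection keyed on distinct accounts, not on source IP.

Example written for this page; the log format and every event below are
constructed for illustration and come from no real system.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Assumed log format for this example: "<ts> user=<u> ip=<ip> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>OK|FAIL)$"
)


def constructed_log():
    """Return constructed auth log lines.

    Twenty accounts each see exactly one failed login, six minutes apart, every
    attempt from a different source address: a low-and-slow spray with IP
    rotation. One legitimate user (bob) mistypes a password twice and then logs
    in; that must not be flagged as an attack.
    """
    base = datetime(2024, 5, 1, 9, 0, 0)
    lines = []
    for i in range(20):
        ts = (base + timedelta(minutes=6 * i)).strftime(TS_FMT)
        lines.append(f"{ts} user=user{i:02d} ip=203.0.113.{i + 1} result=FAIL")
    lines += [
        "2024-05-01T09:10:00Z user=bob ip=198.51.100.7 result=FAIL",
        "2024-05-01T09:11:00Z user=bob ip=198.51.100.7 result=FAIL",
        "2024-05-01T09:12:00Z user=bob ip=198.51.100.7 result=OK",
    ]
    return lines


def parse(lines):
    """Parse lines into (timestamp, user, ip, result) tuples sorted by time;
    lines that do not match the assumed format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m["ts"], TS_FMT),
                           m["user"], m["ip"], m["result"]))
    return sorted(events)


def per_ip_bruteforce(events, threshold=5):
    """Classic rule: flag any source IP with at least `threshold` failures.
    With one attempt per address, a rotating spray never reaches the threshold."""
    fails = defaultdict(int)
    for _, _, ip, result in events:
        if result == "FAIL":
            fails[ip] += 1
    return {ip for ip, n in fails.items() if n >= threshold}


def detect_spray(events, window_minutes=120, min_users=10):
    """Spray rule: a sliding window in which failed logins touch at least
    `min_users` distinct accounts, regardless of source IP.

    Returns the window with the most distinct failing accounts as a dict, or
    None if no window qualifies. The window must match the attacker's pace: a
    window sized for bursts lets a slow spray through."""
    window = timedelta(minutes=window_minutes)
    fails = [(ts, user, ip) for ts, user, ip, result in events if result == "FAIL"]
    best, lo = None, 0
    for hi in range(len(fails)):
        while fails[hi][0] - fails[lo][0] > window:
            lo += 1
        span = fails[lo:hi + 1]
        users = {user for _, user, _ in span}
        if len(users) >= min_users and (best is None or len(users) > best["distinct_users"]):
            best = {
                "start": span[0][0].strftime(TS_FMT),
                "end": span[-1][0].strftime(TS_FMT),
                "distinct_users": len(users),
                "distinct_ips": len({ip for _, _, ip in span}),
                "failures": len(span),
            }
    return best


if __name__ == "__main__":
    events = parse(constructed_log())
    print("per-IP brute-force rule flags:", per_ip_bruteforce(events) or "nothing")
    print("spray rule, 2h window:", detect_spray(events))
    print("spray rule, 30m window:", detect_spray(events, window_minutes=30))
```

Run as a script it prints nothing for the per-IP rule, one alert covering 21 accounts from 21 addresses for the two-hour window, and nothing for the thirty-minute window, which is the point: the same data is invisible or obvious depending on whether the rule counts sources or targets, and on how long it is willing to look back.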

The Importance of Secure Implants and Our Infrastructure

Cybersecurity work is sensitive, and we take your trust seriously. We secure our implants and cloud infrastructure to ensure that our tests can only positively affect your security.

Implant Security

Although HARPI initiates the connection back to our cloud infrastructure, the tunnel it opens is one-way: our operators can have interactive access to the implant, but the implant cannot open interactive sessions with the cloud infrastructure. This ensures that if HARPI were compromised, the compromise would not extend to any client data in the cloud.

Additionally, no CI/PII is ever stored on HARPI, nor is any CI/PII ever accessed or transferred unless by specific request. Our operators are trained to alert Trusted Agents upon discovery of CI/PII and proceed as advised.

We encrypt all inbound and outbound communications, and all authentication is key-based. All these controls ensure that a compromise of an implant is not a compromise of any client assets.
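The page does not say what transport HARPI uses, so the following added example (written for this page, not Echelon’s configuration) assumes one common way to build such a one-way, key-authenticated tunnel: the implant dials out over OpenSSH with a dedicated key and operators reach it through a reverse port forward. The one-way property then lives in the authorized_keys entry on the cloud side: `restrict` plus a forced `command` deny the key a shell, and `permitlisten`/`permitopen` bound what it may forward. The script parses authorized_keys option syntax (including quoted values) and audits two constructed entries, a bare key and a restricted one; the key material, port and paths are placeholders.

```python
"""Audit authorized_keys entries so an implant's key can only establish the
reverse forward operators use, never a shell or arbitrary forwarding.

Example written for this page. The entries are constructed, the key material is
a placeholder, and the assumption that the implant dials out over OpenSSH is this
example's, not a statement about any product.
"""

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

# Constructed entries: the first is what a hurried setup produces, the second is
# the hardened form this audit expects. The key blob is a placeholder.
WEAK_ENTRY = (
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYMATERIALxxxxxxxxxxxx implant-01"
)
HARDENED_ENTRY = (
    'restrict,port-forwarding,permitlisten="127.0.0.1:2222",'
    'permitopen="127.0.0.1:1",command="/bin/false" '
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYMATERIALxxxxxxxxxxxx implant-01"
)
# restrict        : disables pty, agent/X11 forwarding, user rc, and port forwarding
# port-forwarding : re-enables forwarding, which the next two options then bound
# permitlisten    : the implant's -R may only listen on 127.0.0.1:2222 (assumed port)
# permitopen      : -L may only target a dead-end address, so local forwards are useless
# command         : a shell or exec request runs /bin/false instead of a login shell


def split_entry(line):
    """Split one authorized_keys line into (raw option strings, key part).

    Options are comma separated; commas and spaces inside double quotes belong to
    the value, and a backslash escapes the next character inside quotes."""
    line = line.strip()
    if line.startswith(KEY_TYPE_PREFIXES):
        return [], line
    opts, cur, quoted, i = [], [], False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and quoted and i + 1 < len(line):
            cur.append(line[i + 1])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            opts.append("".join(cur))
            cur = []
        elif c.isspace() and not quoted:
            opts.append("".join(cur))
            return opts, line[i:].strip()
        else:
            cur.append(c)
        i += 1
    raise ValueError("authorized_keys line has options but no key material")


def parse_options(line):
    """Return {option_name: [values]}; flag options get an empty-string value."""
    raw, _key = split_entry(line)
    opts = {}
    for item in raw:
        name, _, value = item.partition("=")
        opts.setdefault(name.strip().lower(), []).append(value.strip())
    return opts


def audit_implant_key(line):
    """Return a list of finding codes; an empty list means the entry is acceptable."""
    opts = parse_options(line)
    findings = []
    if "restrict" not in opts:
        findings.append("no-restrict")
    if "command" not in opts:
        findings.append("no-forced-command")
    # Forwarding is on by default; 'restrict' or 'no-port-forwarding' turn it off,
    # and an explicit 'port-forwarding' turns it back on.
    forwarding = ("restrict" not in opts and "no-port-forwarding" not in opts) \
        or "port-forwarding" in opts
    if forwarding:
        listens = opts.get("permitlisten", [])
        if not listens:
            findings.append("unbounded-remote-forward")
        elif any("*" in spec for spec in listens):
            findings.append("wildcard-permitlisten")
        if "permitopen" not in opts:
            findings.append("unbounded-local-forward")
    return findings


if __name__ == "__main__":
    for label, entry in (("weak", WEAK_ENTRY), ("hardened", HARDENED_ENTRY)):
        print(f"{label}: {audit_implant_key(entry) or 'ok'}")
```

The check is deliberately strict about `permitopen`: without it, a key that is allowed to forward at all can also open `-L` forwards from the implant into hosts reachable from the cloud side, which is exactly the direction the text says the tunnel must not permit.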

Infrastructure Security

Our infrastructure is secured behind a VPN using MFA, and all internal infrastructure is managed using separate accounts using the principle of least privilege. We regularly conduct internal penetration tests to ensure that our infrastructure is hardened against threats, giving you peace of mind that you can trust we hold ourselves to the same standard as our clients.

Final Thoughts

Over the past two years, the worldwide workforce underwent a drastic and rapid paradigm shift that has brought with it new opportunities, attack vectors, and methods to test security. When you test your security, partner with a firm using the most modern, advanced tactics to test your readiness for tomorrow’s attackers.
