In financial services, penetration testing is a regular cybersecurity exercise that organizations have been conducting for years. After all these years, financial services organizations may have a routine in which they do the same kinds of pen test(s) regularly.
But if these businesses do not add spice to their routine, it may lead to a false sense of security.
The risks are numerous: not being aware of blind spots, not having tests that speak directly to the kinds of targeted attacks the business may face, and insufficient prioritization of ransomware resilience testing.
By using these following four examples as a starting point, a business can add fire to their routine that will allow them to test with more fidelity and decrease their attack surface.
Tiered Ransomware Proof of Concept (POC)
Run ‘defanged’ ransomware on your environment at progressively lower-level users to determine your ransomware risk.
Summary: The cybersecurity community’s razor focus on ransomware is for good reason – from 2019 to 2020 alone, ransomware attacks increased by 435%. This tiered style of test allows you to use different users to see how your organization could be affected by ransomware. What if a manager gets infected, or a bank teller? Are there different outcomes? How could or would the ransomware propagate to your central network, or stay in a remote branch?
Unique Advantage: Your previous pen tests may include a ransomware POC, but this probably just means that the testers have proven code execution. The tiered style of test goes deeper by using actual, defanged ransomware based on cutting edge research such as that unveiled at this year’s DEF CON. This style of tests allows you to safely test the propagation of real ransomware on your network from multiple entry points.
Super Assumed Breach
Start the penetration test as a highly privileged domain user, or even a domain administrator (DA). Yes, that may sound crazy, we know! Most penetration tests stop after someone gains DA, but what if that was only the beginning. Say you’re fully compromised from a domain perspective – what could a threat actor accomplish with these highly privileged credentials? E.g., If you are a financial institution, should a domain admin be able to wire money? Should a domain admin be able to access customer data files and exfiltrate that? Probably not, but you should want to verify that.
Summary: This style of engagement tests your defense-in-depth strategy by determining how a threat actor could use a worst-case scenario to pivot from network compromise to massive exfiltration, theft, or even significant business disruption. It answers the question of “what then?” after an attacker compromises your network and helps you to be prepared in the event of a real compromise.
Unique Advantage: Most pen tests treat achieving DA-level privileges as the final goal, with the risks inherent being theoretical. The assumption is that a DA could theoretically do anything, but a defense-in-depth strategy will help mitigate this. A super assumed breach test allows you to demonstrate the risks in a tangible way and test your controls among all levels of privilege.
Latent Data Collection
How long can a threat actor collect data in your network? What kind of data can be accessed? Latent data collection is an indefinite test with periodic check-ins.
Summary: Despite the recent surge of ransomware attacks, more targeted threat actors may not be interested in the immediate payoff of extorting money from a business; instead, they may be seeking intellectual property, personal information, financial records, and more. This test emulates the type of more careful, low and slow approach that may be targeting your business.
Unique Advantage: Certain styles of business, such as financial services, may be more prone to attackers slowly siphoning funds, as seen on a large scale in the infamous Bangladesh bank robbery. By using an open-ended test, this style of attack can be emulated without artificially constraining the time-based aspect.
That sure is a nice, new keyboard… but it would be a shame if someone had installed a malware loader on it! Deliver gifts to your high-ranking IT staff from unknown persons to see if the hardware gets properly vetted before being introduced to your environment.
Summary: Implant-based testing offers many advantages , and this test extends that idea by making implant delivery a part of the test. This test is a red team-style approach that allows for multiple entry points and tests your hardware security.
Unique Advantage: This test enables a unique social engineering scenario that goes beyond standard phishing campaigns and may be used to compromise accounts directly with high levels of access. Additionally, it tests the security of policies around new devices and drivers being added to your environment.
The Bottom Line
In the evolving threat landscape, it is imperative to test your security in ways that mimic advanced and creative threat actors. These four ideas are a starting point to demonstrate the kind of flexibility with which pen testing can be approached.
With this in mind, test in ways that speak directly to modern threats, combine these techniques, and keep it spicy!