Archive for the ‘News’ Category

How much should you spend on penetration testing services?

The most common question asked is “how much will it cost for you to deliver a penetration test to us?”.  Rather than responding to those questions each time with the same exact answer, we thought it might be best to write a detailed yet simple blog entry on the subject.  We suspect that you’ll have no trouble understanding the pricing methods described herein because they’re common sense.

The price for a genuine penetration test is based on the amount of human work required to successfully deliver the test.  The amount of human work depends on the complexity of the infrastructure to be tested.  The infrastructure’s complexity depends on the configuration of each individual network connected device. A network connected device is anything including but not limited to servers, switches, firewalls, telephones, etc.  Each unique network connected device provides different services that serve different purposes.  Because each service is different each service requires different amounts of time to test correctly. It is for this exact reason that a genuine penetration test cannot be priced based on the number of IP addresses or number of devices.  It does not make sense to charge $X per IP address when each IP address requires a different amount of work to test properly.  Instead, the only correct way to price a genuine penetration test is to assess the time requirements and from there derive workload.

At Netragard the workload for an engagement is based on science and not an arbitrary price per IP.  Our pricing is based on something that we call Time Per Parameter (TPP).  The TPP is the amount of time that a Netragard researcher will spend testing each parameter.  A parameter is either a service being provided by a network connected device or a testable variable within a web application.  Higher threat penetration tests have a higher TPP while more basic penetration tests have a lower TPP.  Certainly this makes sense because the more time we spend trying to hack something the higher the chances are of success.  Netragard’s base LEVEL 1 penetration test is our most simple offering and allows for a TPP of 5 minutes. Our LEVEL 2 penetration test is far more advanced than LEVEL 1 and allows for a TPP of up to 35 minutes.  Our LEVEL 3 penetration test is possibly the most advanced threat penetration test offered in the industry and is designed to produce a true Nation State level threat (not that APT junk).  Our LEVEL 3 penetration test has no limit on TPP or on offensive capabilities.

The details of the methodology that we use to calculate TPP is something that we share with our customers but not our competitors (sorry guys).  What we will tell you is that the count based pricing methodology that is used by our competition is a far cry from our TPP based pricing. Here’s one example of how our pricing methodology saved one of our customers $49,000.00.

We were recently competing for a Penetration Testing engagement for a foreign government department.  This department received a quote for a Penetration Test from another penetration testing vendor that also created software used by penetration testers.   When we asked the department how much money the competitive quote came in at they told us roughly $70,000.00.  When we asked them if that price was within their budget they said yes.  Our last question was about the competitive pricing methodology.  We asked the department “did the competitor price based on how many IP addresses you have or did they do a detailed workload assessment?”.  The department told us that they priced based on the number of IP addresses that they had and that the number was 64.

At that moment we understood that we were competing against a vendor that was offering a Vetted Vulnerability Scan and not a Genuine Penetration Test.  If a vendor prices an engagement based on the number of IP addresses involved then that vendor is not taking actual workload into consideration.  For example, a vendor that charges $500.00 per IP address for 10 IP addresses would price the engagement at $5,000.00.  What happens if those 10 IP addresses require 1,000 man-hours of work to test because they are exceedingly complex?  Will the vendor really find a penetration tester to work for less than $1.00 an hour?  Of course not.  The vendor will instead deliver a Vetted Vulnerability Scan and call it a Penetration Test.  They will scan the 10 IP addresses, vet the results that are produced by the scanner and exploit things where possible, then produce a report.  Moreover they will call the process of vetting “manual testing” which is a blatant lie.  Any vendor that does not properly evaluate workload requirements must use a Vetted Vulnerability Scan methodology to avoid running financially negative on the project.

The inverse of this (which is far more common) is what happened with the foreign government department.  While our competitor priced the engagement at $1093.75 per IP for 64 IP’s which equates to $70,000.00, we priced at $21,000.00 for 11 IP’s (each of which offered between 2 and 6 moderately complex Internet connectable services).  More clearly, our competitor wanted to charge the department $57,968.75 for testing 54 IP addresses that were not in use which equates to charging for absolutely nothing!  When we presented our pricing to the department we broke our costs down to show the exact price that we were charging per internet connectable service.  Needless to say the customer was impressed by our pricing and shocked by our competitor, we won the deal.

While we wish that we could tell you that being charged for nothing is a rare occurrence, it isn’t.  If you’ve received a penetration test then you’ve probably been charged for nothing.  Another recent example involves a small company that was in need of Penetration Testing for PCI.  They approached us telling us that they had already received quotes from other vendors and that the quotes were all in the thousands of dollars range.  We explained that we would evaluate their network and determine workload requirements.  When we did that we found that they had zero responding IP addresses and zero Internet connectable services which equates to zero seconds of work.   Instead of charging them for anything we simply issued them a certificate that stated that as of the date of testing no attack surface was present.  They were so surprised by our honesty  that they wrote us this awesome testimonial about their experience with us.

Finally, our TPP based pricing doesn’t need to be expensive.  In fact, we can deliver a Penetration Test to any customer with any budget.  This is because we will adjust the engagement’s TPP to match your budget.  If your budget only allows for a $10,000.00 spend then we will reduce the TPP to adjust the project cost to meet your budgetary requirements.  Just remember that reducing the TPP means that our penetration testers will spend less time testing each parameter and increasing the TPP means that they will spend more time.  The more the time, the higher the quality.   If we set your TPP at 10 but we encounter services that only require a few seconds of time to test then we will allocate the leftover time to other services that require more time to test.  Doing this ensures that complex services are tested very throughly.

 

 

PDF Creator    Send article as PDF   

Whistleblower Series – The real problem with China isn’t China, its you.

Terms like China, APT and Zero-Day are synonymous with Fear, Uncertainty and Doubt (FUD).  The trouble is that, in our opinion anyway, these terms and respective news articles detract from the actual problem.  For example, in 2011 only 0.12% of compromises were attributed to zero-day exploitation and 99.88% were attributed to known vulnerabilities.  Yet, despite this fact the media continued to write about the zero-day threat as if it was a matter of urgency.  What they really should have been writing about is that the majority of people aren’t protecting their networks properly.  After all, if 99.88% of all compromises were the result of the exploitation of known vulnerabilities then someone must not have been doing their job. Moreover, if people are unable to protect their networks from the known threat then how are they ever going to defend against the unknown?

All of the recent press about China and their Advanced Persistent Threat is the same, it detracts from the real problem.  More clearly, the problem isn’t China, Anonymous, LulzSec, or any other FUD ridden buzzword.  The problem is that networks are not being maintained properly from a security perspective and so threats are aligning with risks to successfully affect penetration.  A large part of the reason why these networks are such soft targets is because  their maintainers are sold a false sense of security from both the services and technology perspective.

In this article we’ll show you how easy it was for us to hack into a sensitive government network that was guarded by industry technologies and testing best practices.  Our techniques deliberately mimicked those used by China.  You’ll notice that the  techniques aren’t particularly advanced (despite the fact that the press calls them Advanced) and in fact are based largely on common sense.  You’ll also notice that we don’t exploit a single vulnerability other than those that exist in a single employee (the human vulnerability).  Because this article is based on an actual engagement we’ve altered certain aspects of our story to protect our customer and their respective identity.  We should also make mention that since the delivery of this engagement our customer has taken effective steps to defeat this style of attack.

Here’s the story…

We recently (relatively speaking anyway) delivered a nation state style attack against one of our public sector customers.  In this particular case our testing was unrestricted and so we were authorized to perform Physical, Social and Electronic attacks.  We were also allowed to use any techniques and technologies that were available should we feel the need.

Lets start off by explaining that our customers network houses databases of sensitive information that would be damaging if exposed.  They also have significantly more political weight and authority than most of the other departments in their area.  The reason why they were interested in receiving a nation-state style Penetration Test is because another department within the same area had come under attack by China. 

We began our engagement with reconnaissance.  During this process we learned that the target network was reasonably well locked down from a technical perspective.  The external attack surface provided no services or application into which we could sink our teeth.  We took a few steps back and found that the supporting networks were equally protected from a technical perspective.  We also detected three points where Intrusion Prevention was taking place, one at the state level,  one at the department level, and one functioning at the host level.

(It was because of these protections and minimalistic attack surface that our client was considered by many to be highly secure.)

When we evaluated our customer from a social perspective we identified a list of all employees published on a web server hosted by a yet another  department.  We were able to build micro-dossiers for each employee by comparing employee names and locations to various social media sites and studying their respective accounts.  We quickly constructed a list of which employees were not active within specific social networking sites and lined them up as targets for impersonation just in case we might need to become someone else.

We also found a large document repository (not the first time we’ve found something like this) that was hosted by a different department.  Contained within this repository was a treasure trove of Microsoft Office files with respective change logs and associated usernames.  We quickly realized that this repository would be an easy way into our customers network.  Not only did it provide a wealth of META data, but it also provided perfect pretexts for Social Engineering… and yes, it was open to the public.

(It became glaringly apparent to us that our customer had overlooked their social points of risk and exposure and were highly reliant on technology to protect their infrastructure and information.  It was also apparent that our customer was unaware of their own security limitations with regards to technological protections.  Based on what we read in social forums, they thought that IPS/IDS and Antivirus technologies provided ample protection.)

We downloaded a Microsoft Office document that had a change log that indicated that it was being passed back and fourth between one of our customers employees and another employee in different department.  This was ideal because a trust relationship had already been established and was ripe for the taking.  Specifically, it was “normal” for one party to email this document to the other as a trusted attachment.  That normalcy provided the perfect pretext.

(Identifying a good pretext is critically important when planning on launching Social Engineering attacks.  A pretext is a good excuse or reason to do something that is not accurate.  Providing a good pretext to a victim often causes a victim to perform actions that they should not perform.)

Once our document was selected we had our research team build custom malware specifically for the purpose of embedding it into the Microsoft Office document.  As is the case with all of our malware, we built in automatic self-destruct features and expiration dates that would result in clean deinstallation when triggered.  We also built in covert communication capabilities as to help avoid detection.

(Building our own malware was not a requirement but it is something that we do.  Building custom malware ensures that it will not be detected, and it ensures that it will have the right features and functions for a particular engagement.)

Once the malware was built and embedded into the document we tested it in our lab network.  The malware functioned as designed and quickly established connectivity with its command and control servers.   We should mention that we don’t build our malware with the ability to propagate for liability and control reasons.  We like keeping our infections highly targeted and well within scope.

When we were ready to begin our attack we fired off a tool designed to generate a high-rate of false positives in Intrusion Detection / Prevention systems and Web Application Firewalls alike.  We ran that tool against our customers network and through hundreds of different proxies to force the appearance of multiple attack sources.  Our goal was to hide any real network activity behind a storm of false alarms.

(This demonstrates just how easily Intrusion Detection and Prevention systems can be defeated.   These systems trust network data and generate alerts based on that network data.  When an attacker forges network data then that attacker can also forge false alerts.   Generate enough false alerts and you disable ones ability to effectively monitor the real threat.)

While that tool was running we forged an email to our customers employee from the aforementioned trusted source.  That email contained our infected Microsoft Office document as an attachment.  Within less than three minutes our target received the email and opened the infected attachment thus activating our malware.  Once activated our malware connected back to its command and control server and we had successfully penetrated into our customer’s internal IT infrastructure.  We’ll call this initial point of Penetration T+1.  Shortly after T+1 we terminated our noise generation attack.

(The success of our infection demonstrates how ineffective antivirus technologies are at preventing infections from unknown types of malware.  T+1 was using a current and well respected antivirus solution.  That solution did not interfere with our activities.  The success of our penetration at this point further demonstrates the risk introduced by the human factor.  We did not exploit any technological vulnerability but instead exploited human trust.         )

Now that we had access we needed to ensure that we kept it.  One of the most important aspects of maintaining access is monitoring user activity.  We began taking screenshots of T+1’s desktop every 10 seconds.  One of those screenshots showed T+1 forwarding our email off to their IT department because they thought that the attachment looked suspicious.  While we were expecting to see rapid incident response, the response never came.  Instead, to our surprise, we received a secondary command and control connection from a newly infected host (T+2).

When we began exploring T+2 we quickly realized that it belonged to our customers head of IT Security.  We later learned that he received the email from T+1 and scanned the email with two different antivirus tools.  When the email came back as clean he opened the attachment and infected his own machine.  Suspecting nothing he continued to work as normal… and so did we.

Next we began exploring the file system for T+1. When we looked at the directory containing users batch files we realized that their Discretionary Access Control Lists (DACL’s) granted full permissions to anyone (not just domain users).  More clearly, we could read, write, modify and delete any of the batch files and so decided to exploit this condition to commit a mass compromise.

To make this a reality, our first task was to identify a share that would allow us to store our malware installer.  This share had to be accessible in such a way that when a batch file was run it could read and execute the installer.  As it turned out the domain controllers were configured with their entire C:\ drives shared and the same wide open DACL’s.

We located a path where other installation files were stored on one of the domain controllers.  We placed a copy of our malware into that location and named it “infection.exe”.  Then using a custom script we modified all user batch files to include one line that would run “infection.exe” whenever a user logged into a computer system.  The stage was set…

In no time we started receiving connections back from desktop users including but not limited to the desktops belonging to each domain admin.  We also received connections back from domain controllers, exchange servers, file repositories, etc.  Each time someone accessed a system it became infected and fell under our control.

While exploring the desktops for the domain administrators we found that one admin kept a directory called “secret”.   Within that directory were backups for all of the network devices including intrusion prevention systems, firewalls, switches, routers, antivirus, etc.  From that same directory we also extracted viso diagrams complete with IP addresses, system types, departments, employee telephone lists, addresses, emergency contact information, etc.

At this point we decided that our next step would be to crack all passwords.  We dumped passwords from the domain controller and extracted passwords from the backed up configuration files.  We then fed our hashes to our trusted cracking machine and successfully cracked 100% of the passwords.

(We should note that during the engagement we found that most users had not changed their passwords since their accounts had been created.  We later learned that this was a recommendation made by their IT staff.  The recommendation was based on an article that was written by a well-respected security figure. ).

With this done, we had achieved an irrecoverable and total infrastructure compromise.  Had we been a true foe then there would be no effective way to remove our presence from the network.  We achieved all of this without encountering any resistance, without exploiting a single technological vulnerability, without detection (other than the forwarded email of course) and without the help of China.  China might be hostile but then again so are we.

 

 

Create PDF    Send article as PDF   

Whistleblower Series – Finding a genuine Penetration Testing vendor.

There’s been a theme of dishonesty and thievery in the Penetration Testing industry for as long as we can remember.  Much in the same way that merchants sold “snake-oil” as a cure-all for what ails you, Penetration Testing vendors sell one type of service and brand it as another thus providing little more than a false sense of security.  They do this by exploiting their customers lack of expertise about penetration testing and make off like bandits.  We’re going to change the game; we’re going to tell you the truth.

Last week we had a new financial services customer approach us.  They’d already received three proposals from three other well-known and trusted Penetration Testing vendors. When we began to scope their engagement we quickly realized that the IP addresses that they’d been providing were wrong.  Instead of belonging to them they belonged an e-commerce business that sold beer-making products!  How did we catch this when the other vendors didn’t?  Simple, we actually take the time to scope our engagements carefully because we deliver genuine Penetration Testing services.

Most other penetration testing vendors do what is called count based pricing which we think should be a major red-flag to anyone.  Count based pricing simply says that you will pay X dollars per IP address for Y IP addresses. If you tell most vendors that you have 10 IP addresses they’ll come back and quote you at around $5,000.00 for a Penetration Test ($500.00 per IP). That type of pricing is not only arbitrary but is fraught with serious problems. Moreover, it’s a solid indicator that services are going to be very poor quality.

Scenario 1: The Overcharge (Too much for too little)

If you have 10 IP addresses but none of those 10 IP addresses are running any connectable services then there’s zero seconds worth of work to be done.  Do you really want to pay $5,000.00 for zero seconds worth of work?  Moreover, is it ethical for the vendor to charge you $5,000.00 for testing targets that are not really testable? While we don’t think its ethical we’ve seen many, many vendors do this very thing.

Scenario 2: The Undercharge (Too little money for too much work)

What if those 10 IP addresses were serving up medium complexity web applications? Lets assume that each web application would take 100 hours to test totaling 1,000 hours of testing time (not including the reporting, presentation, etc.).  If you do the math then that equates to an absolutely absurd hourly rate of $5.00 per hour for the Penetration Tester!  Of course, no penetration tester is going to work for that much money so what are you really paying $5,000.00 for?

Well, lets assume that the very-low-end cost of a penetration tester is around $60.00 per hour (its actually higher than that).  In order to deliver 1,000 hours of work at $5,000.00 the test would need to be 92.7% automated resulting in an exact hourly rate of $60.24 per hour. Do you really want to pay $5,000.00 for a project that is 92.7% automated? Moreover, is that even a Penetration Test?

The terms Penetration Test and Vulnerability Scan only have one correct definition.  The definition of Penetration Test is a test that is designed to identify the presence of points where something can make its way into or through something else.  Penetration Tests are not assessments (best guesses) of any kind.  A Penetration Test either successfully penetrates or it does not not, there is no grey zone; there are no false positives.  (This is why we can guarantee the quality of our penetration testing services.)

A Vulnerability Assessment on the other hand is a best guess or an educated guess as to how susceptible something is to risk or harm.  Because it is an assessment and not  a test there is room for error (guessing wrong) and so false positives should be expected.  A Vulnerability Scan is similar to a Vulnerability Assessment only instead of a human doing the guess work a computer program (with a much higher margin of error) does the guess work.

So, if 92.7% of a service is based on Vulnerability Scanning then how is it that Penetration Testing vendors can label such a service a Penetration Test?  They should call it what it really is, which is a Vetted Automated Vulnerability Scan; and a Vetted Automated Vulnerability Scan is about as effective as Penetration Testing a bulletproof vest with a squirt gun.  We’re not sure about you but we wouldn’t want to wear that vest into battle. These types of services provide little more than a false sense of security.

Back on track…

The question becomes how should a vendor price their services and build their proposals? While we won’t disclose our methodology here because we don’t want to enable copycats, we will provide you with some insight through an analogy.

Your car breaks down and you call a random mechanic.  You tell the mechanic what sort of car you drive and how many miles are on it but never provide any details as to what happened.  The mechanic then quotes you $300.00 to fix your car (without ever really diagnosing it) and $50.00 for a tow.  Would you bring your car to that mechanic? How can he afford to fix your car for $300.00 and make a profit?  To accomplish that must have an arsenal of junk parts gnome slaves working for peanuts, right?  Would you really trust the quality of his work? That is count based pricing.

Fortunately automobile mechanics (most of them anyway) are more ethical than that (and gnome slaves don’t really exist anyway).  Most of them won’t deliver a quote until after they’ve evaluated your car and successfully diagnosed the problem.  Once diagnosed they’ll provide you with an itemized quote that includes parts, labor, taxes, and a timeframe for service delivery.  They won’t negotiate much on price because in most cases you are getting what you pay for.

Genuine Penetration testing vendors are no different than genuine mechanics. All Penetration Testing vendors should be held to the same standard (including us).  What you pay for in services should be a direct reflection the amount of work that needs to be done. The workload requirement should be determined through a careful, hands-on assessment. This means that when pricing is done right there is no room to adjust pricing other than to change workload. Any vendor that offers a lower price if you close before the end of the month is either offering arbitrary pricing or they are padding their costs.

What if a vendor truly needs to discount services? When we deliver Penetration Testing services we don’t charge for automation.  If we automate 10% then our services are discounted 10%.  If we automate 100% then our services are delivered to our customers free of charge. (Yes, that’s right, we’ll scan you for free while other vendors might charge thousands of dollars for that). Why charge for automation when it takes less than 3 minutes of our time to kick off a scan?  Just because we can charge for something doesn’t mean that it’s ethically right.

Anyway, this article is one of many to come in our whistle blower series. Please feel free to share or contact us with any questions.

If you feel that what we’ve posted here is inaccurate and can provide facts to prove the inaccuracy then please let us know.  We don’t want to mislead anyone and will happily modify these entries to better reflect the truth.

 

PDF Download    Send article as PDF   

83% of businesses have no established security plan (but they’ve got Kool-Aid)

I (Adriel) read an article published by Charles Cooper of c|net regarding small businesses and their apparent near total lack of awareness with regards to security.  The article claims that 77% of small- and medium-sized businesses think that they are secure yet 83% of those businesses have no established security plan.  These numbers were based on a survey of 1,015 small- and medium-sized businesses that was carried out by the National Cyber Security Alliance and Symantec.

These numbers don’t surprise me at all and, in fact, I think that this false sense of security is an epidemic across businesses of all sizes, not just small-to-medium.  The question that people haven’t asked is why does this false sense of security exist in such a profound way? Are people really ok with feeling safe when they are in fact vulnerable?  Perhaps they are being lied to and are drinking the Kool-Aid…

What I mean is this.  How many software vendors market their products as secure only to have someone identify all sorts of critical vulnerabilities in it later?  Have you ever heard a software vendor suggest that their software might not be highly secure?  Not only is the suggestion that all software is secure an absurd one, but it is a blatant lie.  A more truthful statement is that all software is vulnerable unless it is mathematically demonstrated to be flawless (which by the way is a near impossibility).

Very few software vendors hire third-party  vulnerability discovery and exploitation experts to perform genuine reviews of their products. This is why I always recommend using a third-party service (like us) to vet the software from a security perspective before making a purchase decision.  If the software vendor wants to be privy to the results then they should pay for the engagement because in the end it will improve the product. Why should you (their prospective customer) pay to have their product improved?  Shouldn’t that be their responsibility?  Shouldn’t they be doing this as a part of the software development lifecycle?

Security vendors are equally responsible for promoting a false sense of security.  For example, how many antivirus companies market their technology in such a way that might be perceived as an end-all, be-all solution to email threats, viruses, and trojans, etc.,? Have you ever heard antivirus software vendors say anything like “we will protect you from most viruses, worms, etc.”?  Of course not. That level of honesty would leave doubt in the minds of their customers, which would impede sales.  Truth is, their customers should have doubt because antivirus products are only partially effective and can be  subverted, as we’ve demonstrated before.  Despite this fact, uninformed people still feel safe because they use antivirus software.

Let’s not only pick on antivirus software companies though, what about companies that are supposed to test the security of networks and information systems (like us for example)?  We discussed this a bit during our “Thank You Anonymous” blog entry.   Most businesses that sell penetration testing services don’t deliver genuine penetration tests despite the fact that they call their services penetration testing services.  What they really sell is the manually vetted product of an automated vulnerability scan.  Moreover, they call this vetting process “manual testing” and so their customers believe they’ve received a quality penetration test when in fact they are depending on an automated program like Nessus to find flaws in their customer networks.  This is the equivalent of testing a bulletproof vest with a squirt gun and claiming that its been tested with a .50 caliber rifle.  Would you want to wear that vest in battle?

It seems to me that security businesses are so focused on revenue generation that they’ve lost sight of the importance of providing clear, factual, complete and balanced information to the public.  It’s my opinion that their competitive marketing methodologies are a detriment to security and actually help to promote the false sense of security referenced in the c|net article above.  Truth is that good security includes the class of products that I’ve mentioned above but that those products are completely useless without capable, well-informed security experts behind them.  Unfortunately not all security experts are actually experts either (but that’s a different story)…

 

 

 

 

 

PDF    Send article as PDF   
Return top

INFORMATION

Change this sentence and title from admin Theme option page.