In a past blog post, we introduced how we utilize the “assumed breach” methodology for our penetration tests. Within the cybersecurity industry, there is a realization that conventional defenses for the network perimeter, such as firewalls, email security gateways, and web filtering controls, are not enough to thwart persistent threats. As a result, many recent breaches are not “sophisticated” at all; they result from password-based attacks, insider threats, and social engineering. In this blog, we introduce our new internal network penetration assessment, the endpoint breach assessment, an offensive security assessment designed to tackle these overlooked aspects head-on.
Endpoint Breach Assessment Motivation
What happens when the threat originates from within? Insider threats, whether malicious or accidental, are the most common and damaging. Endpoints, the numerous devices that connect to your network, can be the weakest link in a layered control environment. Here, we use “endpoint” to mean a workstation, laptop, VDI host, or anything in between that a standard user accesses to perform day-to-day activities. If most breaches occur on an endpoint, it follows that we should be validating that the controls meant to protect an endpoint are well-designed. From there, we can begin scoping an internal assessment from an insider perspective.
Testing is performed directly on a sample representative endpoint that you provision to provide a realistic perspective on the worst-case scenario: a threat actor has achieved initial access. The goal here is not to suggest that any organization will be breached. Rather, we are able to put your defenses to the test and ensure proper safeguards are in place to minimize the potential damage of a breach.
Endpoint Breach Assessment Overview
Our endpoint breach assessment isn’t your run-of-the-mill penetration test. It’s a specialized service that simulates an insider attack, focusing on the endpoints of your network. It is meant for institutions that have performed network penetration tests in the past and have already addressed the low-hanging-fruit issues that penetration testers commonly exploit in internal environments. Here’s how it works:
- We start by scrutinizing and identifying the relevant endpoint that should be targeted or sampled. This isn’t just a cursory check for vulnerabilities. Once provisioned, we detonate our customized malware implant on the endpoint and begin testing.
- Using a Command and Control (C2) framework, DenSecure’s offensive security experts replicate the actions of an insider. This simulation isn’t about causing damage or disrupting business operations; it’s about understanding how an actual breach could occur.
- By simulating attacks, we can reveal how an insider could move laterally within the network, escalate their privileges, and even exfiltrate sensitive data. This provides a clearer picture of your gaps in defenses and how an actor may abuse specific dependencies, vulnerabilities, and misconfigurations in a chain to achieve their objectives.
Why It Matters
Traditional network penetration tests might give you a false sense of security. Typically, these penetration tests are performed from a remote dropbox or a virtual machine that is connected to the network. They are still extremely important, and we do not mean to diminish this approach. In fact, we often recommend starting there for clients going through their first offensive security test. However, they do not provide the accuracy and realism an endpoint assessment achieves. Below, we outline the tactical considerations when comparing an internal network penetration test with an endpoint breach assessment:
- Traditional Network Penetration Test:
  - Typically performed from a host that lacks the controls your IT and security teams apply to managed endpoints
  - Run from Kali Linux or another offensive security platform where the tooling is already installed
  - Efficient at identifying low-hanging fruit in an environment
  - A “QA” style of assessment against the internal network
- Endpoint Breach Assessment:
  - Provides more accuracy and realism by testing on a host you provision
  - Subject to the same controls applied to your endpoints (EDR, logging, etc.)
  - Less efficient at examining the breadth of issues that may exist
  - Requires planning, and execution relies on Command and Control frameworks in the same way real adversaries operate
By specifically targeting the threats that originate from within, this assessment fills a critical gap in most cybersecurity strategies. This can also help in crafting strategies that are not just theoretical, but tested against the kind of sophisticated tactics that modern attackers employ.
Our endpoint breach assessment is a proactive step towards understanding and mitigating the risks posed by internal threats and endpoint vulnerabilities. In today’s ever-changing cyber landscape, it’s an essential component of a comprehensive cybersecurity strategy. As cyber threats evolve, so must our approaches to combating them.
The endpoint breach assessment extends our internal network penetration offering to clients that are prepared for a more in-depth and realistic assessment. Are you interested in utilizing this assessment to bolster your cybersecurity program? Our DenSecure experts are here to assist!