Security Controls Testing with Metasploit

July 24, 2013

In today's Whiteboard Wednesday, Chris Kirsch will talk about how you can audit your security controls with Metasploit. Chris will explain what security controls testing is and will give you examples around the controls that you can audit with Metasploit. He will also touch on why it is important to test individual controls rather than just including them in your regular penetration tests. Watch this video to learn more about security controls testing.

Video Transcript

Hello and welcome to this week's Whiteboard Wednesday. My name is Chris Kirsch. I'm the Product Marketing Manager for Metasploit here at Rapid7. So if you're working in security, chances are that you're spending the majority of your time on defensive security techniques, and maybe you're already using some offensive security techniques to test if these defenses are working as expected. Now traditionally, offensive security techniques have been used to step into the shoes of an attacker, and usually they are used as part of a penetration test.


Now one issue with penetration tests is that while a pen-test is very broad and gives you a very holistic picture of a simulated attack, it's not very repeatable, and you might not get the same result when you repeat the same pen-test, maybe with a different pen-tester, for example.

So how do you solve that problem? There is a new methodology called security controls testing that we've seen emerge in different organizations. And a lot of customers are telling us that they're doing, maybe not very comprehensively all of them, but bits and pieces of these to get very laser-focused results on one particular security control. So security controls testing can be used either when you put a new defensive security control in place, to test that it's working correctly, or some people do it on an ongoing basis. They might do it every quarter or so to audit their security controls and see if anything has changed. Let me give you some examples of what this means. So for example, IDSs are meant to detect attacks coming from the outside. So people have been using Metasploit to simulate an attack from the outside to see if their IDS is triggering.

Also with DLP: DLP is meant to find sensitive information that's being sent outside of the organization. So I've heard of companies that actually take Social Security numbers or credit card numbers and so on, of course kind of fake ones, but ones that still look like a real number, and they've been sending those out of the organization to see if their DLP triggers on it, by e-mail, by HTTP upload and so on. Then password auditing is another interesting aspect of security controls testing, where you can brute force your passwords to check whether people are using the right complexity and so on, for Windows passwords but also beyond Windows.

Then firewall egress testing is very interesting. A lot of companies are looking at what ports are open coming in to the organization, but firewall egress testing is actually checking what ports are open going out, because there are some very good reasons for blocking certain ports to stop some kinds of attacks or exfiltration, etc., some malware as well. So the new Metasploit MetaModule for firewall egress testing, for example, is a really quick and easy way to do the firewall egress testing.

And then lastly, phishing. I would also see this as a security controls test because you're testing two different security controls. First of all, the technical controls you have in place: these could be a number of different things that are stopping people from receiving a malicious e-mail, or actually reaching the website connected to a link in an e-mail that may be malicious, or also maybe executing some malicious code on the client, for example. But you're also testing the users' security awareness. That shouldn't be overlooked either. If you're putting in effort and resources to train your users, then you should also test whether they're susceptible to phishing attacks, and actually measure that and build a trend over time.

All right. That's it for today, and I hope to see you next Wednesday.
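The DLP test Chris describes only tells you something if the control on the receiving end actually distinguishes a real-looking card number or SSN from an ordinary run of digits. The following is an added example, not code from the video or from Metasploit, of the detection side of such a control: a small content scanner that finds candidate card numbers, keeps only those that pass the Luhn check (which is what makes a fake test number "look real" to a DLP product), applies the basic structural rules for SSNs, and returns masked findings. The message IDs and message texts are constructed sample data; the well-known 4111 1111 1111 1111 test number is used precisely because it is Luhn-valid but not a live card.

```python
"""Toy DLP content check: flag outbound text carrying card numbers or SSNs.

Added example for illustration; the sample messages below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Classic AAA-GG-SSSS layout; structural validity is checked separately.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


@dataclass(frozen=True)
class Finding:
    message_id: str
    kind: str      # "card" or "ssn"
    value: str     # masked, so the finding itself does not leak the data


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSNs that can never be issued: area 000/666/9xx, group 00, serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def mask(digits: str) -> str:
    """Keep only the last four digits so findings are safe to log."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_message(message_id: str, text: str) -> list[Finding]:
    """Return the sensitive-data findings for one outbound message."""
    findings: list[Finding] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):                       # Luhn filters out random digit runs
            findings.append(Finding(message_id, "card", mask(digits)))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(Finding(message_id, "ssn", mask("".join(m.groups()))))
    return findings


def scan_all(messages: list[tuple[str, str]]) -> list[Finding]:
    """Scan a batch of (message_id, text) pairs, e.g. outbound mail bodies."""
    out: list[Finding] = []
    for message_id, text in messages:
        out.extend(scan_message(message_id, text))
    return out


# Constructed sample traffic: one Luhn-valid test PAN, one lookalike that fails
# Luhn, one structurally valid SSN, one impossible SSN, and one benign message.
SAMPLE_MESSAGES = [
    ("msg-1", "Invoice total 1234.56 due 2013-07-24"),
    ("msg-2", "Customer card 4111 1111 1111 1111 exp 12/15"),
    ("msg-3", "Order ref 4111111111111112"),
    ("msg-4", "SSN on file: 123-45-6789"),
    ("msg-5", "Bad SSN 000-12-3456"),
]

if __name__ == "__main__":
    for f in scan_all(SAMPLE_MESSAGES):
        print(f"{f.message_id}: {f.kind} {f.value}")
```

Running the scanner on the sample batch flags only msg-2 and msg-4; the Luhn-invalid lookalike and the impossible SSN are ignored, which is the difference between a control that catches real data and one that drowns in false positives. When you run the DLP test from the transcript, this is the kind of logic your fake test values have to satisfy for the exercise to be meaningful.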
