In this week’s Whiteboard Wednesday, Bob Rudis, chief data scientist at Rapid7, takes a peek “under the hoodie” to provide a data-driven digest on what happens on pen test engagements.
Hey true believers. Welcome to this week's Whiteboard Wednesday. My name is Bob Rudis and I'm Rapid7's chief data scientist. Today I'm going to give you a peek under the hoodie and provide a quick data-driven digest about what happens on pen test engagements. Now, for those who may not be familiar with penetration testing, or pen tests, they are authorized simulated attacks on computer systems or networks that look for security weaknesses. There are different types of these tests, each with different goals. So some companies want to know if their software has any overt or hidden vulnerabilities, and others may want to know how far pen testers can get into their network and how long they can stay there and remain undetected. Also, many organizations use pen tests to determine if they have adequately secured access to sensitive information.
The hoodie reference comes from a new research paper that Rapid7 released at RSA this year titled "Under the Hoodie: Actionable Research From Penetration Testing Engagements." We looked at data from a representative sample of our Q4 2016 pen testing engagements. The sample ended up being about 128 pen tests. We sliced and diced them by industry, test type, contracted objectives, and attack methodologies to put this dark art into perspective for CXOs and IT and app managers. So what did we find? Well, first, unfortunately and unsurprisingly, pen testers evaded detection in nearly 70% of engagements. However, when they were detected, they were discovered in less than a day in nearly 22% of engagements, and the detection rate was fairly homogenous across all industry sizes and sectors, meaning large, well-funded financial services firms had an equally difficult time detecting pen test activities as did smaller shops. These results should not be too surprising for you because pen testers only have to find one system, or a few systems with weaknesses, while defenders have to try to protect all exposed devices and services.
Running these simulated attacks helps organizations find the weak spots they need to shore up. Furthermore, without properly configured detection tools, it's easy for pen tests to hide in the cacophony of alerts that plague most tech ops teams. Now, speaking of pen test activities, pen testers utilized either software vulnerabilities or network misconfigurations in about 80% of successful compromises. This highlights the need for IT and app teams to crank up their visibility on and processes around patch, detection, and configuration management. It's easy to say that and it's much harder to actually accomplish, especially if you're a large firm. But pen tests can be a great way to help prioritize these efforts.
Finally, as I looked at these engagements from a macro perspective, I personally was a bit surprised at two engagement-level findings. The first surprise was that organizations are primarily focused on pen testing external apps and assets. Nearly 70% of engagements, again regardless of org demographics, only contract for this outside view, and that's really strange given that most of the attacks facing orgs come from phishing employees to get directly inside the network and start rifling through servers and hard drives. The external focus is likely driven by mandatory, regulatory, or compliance requirements, but that doesn't mean orgs shouldn't go the extra mile to try to make their internal defenses better. The second macro-view surprise was that most organizations limit engagements to one week or less. Attackers have all the time in the world, and not providing at least two to four weeks of opportunity for a pen tester to work like an attacker seems less than ideal if the goal is to ultimately ID the weak spots that those with malicious intent will exploit.
There's tons more data in the report; you can grab a copy at community.rapid7.com, and shoot any questions you have about the findings, or methodology, over to research@rapid7.com. That's it for this week's Whiteboard Wednesday, see you next time.