How Has Penetration Testing Changed During the Pandemic

In today’s blog we look at how penetration testing has changed during the pandemic. With more users working from home and less reliance on the corporate network, some aspects of a penetration test have become easier, or more likely to succeed, while others have become much harder. We will explore both. This should be useful to Red Teams, who can compare what we are seeing against their own methods and improve them, and to Blue Teams, who can learn what attackers are looking for and adjust accordingly.

1. Spoofing Attacks are More Difficult

On an internal penetration test, one common way to get an initial foothold is through spoofing attacks. This can be NBNS/LLMNR spoofing or, more commonly, IPv6 spoofing attacks. These attacks rely on being on the same subnet as other users. However, with the current shift to working from home, it has become increasingly common for us to test on a corporate subnet with no users in it. This makes spoofing attacks much less fruitful for us during a penetration test.

The converse is also true. Most of the users who are not in the office are on the VPN subnet instead. So if our laptop (or an attacker’s system) happens to land on the VPN subnet, these attacks may well succeed there, and may yield far more user credentials than they would on an office subnet, especially if you have segmentation in place elsewhere on your internal network. To counter this, many firewalls let you enable client isolation on the VPN. In general, computers on the VPN need to reach shared resources (such as the server VLAN), but they do not need to communicate directly with other computers on the VPN subnet.
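Whichever subnet a spoofer lands on (an office VLAN or, as described above, the VPN subnet), the tell-tale sign for a Blue Team is the same: a legitimate host answers LLMNR/NBNS queries only for its own name, while a poisoner answers for whatever is asked, including a canary name that does not exist anywhere. The following is an added example, not Triaxiom’s code; the `NameResponse` records, the canary name and the IP addresses are constructed for illustration, and in practice the records would come from a packet capture or a name-resolution sensor on the subnet.

```python
"""Flag hosts that behave like NBNS/LLMNR poisoners on a subnet.

Added example (not Triaxiom's code). All events below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class NameResponse:
    ts: str           # ISO-8601 timestamp (constructed)
    proto: str        # "LLMNR" or "NBNS"
    name: str         # the name the responder claimed to own
    responder_ip: str  # who sent the answer


# Canary names are deliberately non-existent on the network; only a
# poisoner will ever answer them. Hypothetical value for this example.
CANARY_NAMES = {"NOSUCHHOST-CANARY"}

# Constructed sample: 10.10.5.23 answers for several unrelated names and
# for the canary; 10.10.0.10 answers only for its own name, DC01.
SAMPLE_RESPONSES = [
    NameResponse("2021-03-04T09:00:01Z", "LLMNR", "FILESRV01", "10.10.5.23"),
    NameResponse("2021-03-04T09:00:02Z", "NBNS", "PRNTSRV", "10.10.5.23"),
    NameResponse("2021-03-04T09:00:03Z", "LLMNR", "WPAD", "10.10.5.23"),
    NameResponse("2021-03-04T09:00:04Z", "LLMNR", "NOSUCHHOST-CANARY", "10.10.5.23"),
    NameResponse("2021-03-04T09:00:05Z", "LLMNR", "DC01", "10.10.0.10"),
    NameResponse("2021-03-04T09:00:06Z", "NBNS", "DC01", "10.10.0.10"),
]


def find_poisoners(responses, min_distinct_names=3):
    """Return {responder_ip: [reasons]} for hosts that look like poisoners.

    Two independent signals are combined: answering a canary name (a single
    hit is conclusive) and answering for many distinct names (threshold is
    tunable; a real host owns one name, maybe a couple of aliases).
    """
    names_by_ip = defaultdict(set)
    canary_hits = defaultdict(set)
    for r in responses:
        name = r.name.upper()          # NetBIOS/LLMNR names are case-insensitive
        names_by_ip[r.responder_ip].add(name)
        if name in CANARY_NAMES:
            canary_hits[r.responder_ip].add(name)

    findings = {}
    for ip, names in names_by_ip.items():
        reasons = []
        if ip in canary_hits:
            reasons.append(f"answered canary name(s) {sorted(canary_hits[ip])}")
        if len(names) >= min_distinct_names:
            reasons.append(f"answered for {len(names)} distinct names {sorted(names)}")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in find_poisoners(SAMPLE_RESPONSES).items():
        print(f"{ip}: " + "; ".join(reasons))
```

The canary check is the cheaper, higher-confidence signal: a periodic query for a name that is not in DNS, WINS or any host’s configuration should never get an answer, so any responder is worth an alert. The distinct-name count catches a poisoner on a segment where no canary is being queried. Neither check depends on being on the VPN subnet yourself; the sensor simply needs to see the segment’s multicast and broadcast traffic.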

2. More Opportunities for Password Sprays

Along with users shifting to working from home, IT teams have generally accommodated them by granting permissions they would not otherwise have. For example, most organizations now have more users in the VPN group than ever before. This is necessary because those users have to work remotely, but it also gives penetration testers more opportunities for password spraying, or for reusing credentials captured elsewhere, such as through social engineering. As a result, you should ensure MFA is enforced on every external login interface, and educate users on choosing stronger passwords and on protecting their other authentication factors (e.g. never giving OTPs to unknown individuals).
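Because a spray tries a few passwords against many accounts (the opposite of a brute-force attack against one account), the signal a Blue Team should key on in the VPN logs is the number of distinct usernames failing from one source inside a short window, and whether any login from that source then succeeded. The example below is added here and is not Triaxiom’s code; the log format, the `vpn auth-ok`/`auth-fail` line shape and the addresses are constructed for illustration, so the regular expression would need to be adapted to your own VPN or identity provider’s logs.

```python
"""Detect password-spray patterns in VPN authentication logs.

Added example (not Triaxiom's code). The log lines and their format are
constructed; adapt LINE_RE to the real format of your VPN or IdP.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log line shape: "<ts> vpn auth-ok|auth-fail user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth-(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: 203.0.113.7 fails against four accounts in eight
# seconds and then succeeds as a fifth (a spray that found a weak password);
# 198.51.100.9 is one user mistyping their own password; 192.0.2.44 is noise.
SAMPLE_LOG = """\
2021-03-04T09:12:01Z vpn auth-fail user=alice src=203.0.113.7
2021-03-04T09:12:03Z vpn auth-fail user=bob src=203.0.113.7
2021-03-04T09:12:05Z vpn auth-fail user=carol src=203.0.113.7
2021-03-04T09:12:07Z vpn auth-fail user=dave src=203.0.113.7
2021-03-04T09:12:09Z vpn auth-ok user=erin src=203.0.113.7
2021-03-04T09:15:00Z vpn auth-fail user=frank src=198.51.100.9
2021-03-04T09:15:30Z vpn auth-fail user=frank src=198.51.100.9
2021-03-04T09:16:00Z vpn auth-ok user=frank src=198.51.100.9
2021-03-04T11:40:00Z vpn auth-fail user=grace src=192.0.2.44
"""


def parse_log(text):
    """Turn log text into (timestamp, result, user, src) tuples; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate unrelated lines instead of failing the whole run
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def find_sprays(events, window=timedelta(minutes=30), min_users=4):
    """Return {src: {"users": [...], "succeeded": [...]}} for every source whose
    failures span >= min_users distinct accounts inside one sliding window.

    "succeeded" lists accounts that later logged in OK from the same source:
    those are the accounts to reset and review first.
    """
    by_src = defaultdict(list)
    for ts, result, user, src in sorted(events):
        by_src[src].append((ts, result, user))

    findings = {}
    for src, evs in by_src.items():
        fails = [(ts, user) for ts, result, user in evs if result == "fail"]
        succeeded = sorted({user for _, result, user in evs if result == "ok"})
        start = 0
        for end in range(len(fails)):
            # advance the window start until the span fits inside `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                findings[src] = {"users": sorted(users), "succeeded": succeeded}
                break
    return findings


if __name__ == "__main__":
    for src, info in find_sprays(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: sprayed {len(info['users'])} accounts; succeeded as {info['succeeded']}")
```

Tuning `min_users` and `window` is the whole game: a real spray against a large VPN group is usually slow and spread across many source addresses to stay under lockout thresholds, so the same count is worth running per source network or per user-agent as well as per IP, and a successful login that follows a run of failures from the same source should be treated as a likely compromise even when MFA was satisfied.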

3. More Concerns Regarding Availability

Another way that penetration testing has changed during the pandemic is the increased concern about availability. Because IT teams are also working remotely, there is a lot more concern about the potential impacts of a penetration test. Simply put, if a system goes down because of our testing, they will have to drive to the office before they can troubleshoot, which increases the time and impact of anything going wrong during a penetration test. Triaxiom always puts an emphasis on ensuring availability during penetration tests. For example, we only use exploits that we have tested to ensure they have a low risk of causing disruptions. Also, we do not do any type of denial of service attacks. However, there is always the possibility of something going wrong during a penetration test. For more information on what can go wrong, check out some of our blogs on the subject.