
SANS ISC: InfoSec Handlers Diary Blog - New Risks in Penetration Testing



New Risks in Penetration Testing

Published: 2010-02-22
Last Updated: 2010-02-22 13:58:22 UTC
by Rob VandenBrink (Version: 1)
10 comment(s)

In a recent IPS (Intrusion Prevention System) deployment, I noticed that the newest version of the OS for the appliance I was putting in had a new feature, "Reputation Filtering". From a customer's point of view, it works like this:

  • if an inbound attack is seen, the IPS reports the attacker and the attack back to the reputation service. This affects the reputation of the attacking IP address
  • the reports of all users of the reputation service are aggregated, and attackers are "scored"
  • traffic inbound to the network is evaluated against the reputation database, so that traffic from lower-reputation addresses is penalized from an IPS detection perspective (it takes less evidence to trigger a block)
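To make the three steps above concrete, here is a small model of a reputation service and an IPS that consults it. This is added example code written for this diary, not the vendor's algorithm or code from the original post; the sensor names, IP addresses (from the documentation ranges), signatures, the seven-day half-life and the threshold scaling are all constructed assumptions. It shows why a single pentest run from a shared office address matters: independent reports from several customers' sensors push an address toward the "block on weak evidence" end of the scale.

```python
"""Toy model of IPS reputation filtering: report, aggregate, penalize.
Example code written for this page; the scoring formula is an assumption."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample reports: (reporting sensor, attacker IP, signature, when).
# 198.51.100.7 was seen by three different customers' sensors;
# 203.0.113.20 (imagine a shared office egress address) was seen once.
SAMPLE_REPORTS = [
    ("sensor-A", "198.51.100.7", "SQLi probe", datetime(2010, 2, 22, 9, 0)),
    ("sensor-B", "198.51.100.7", "SQLi probe", datetime(2010, 2, 22, 9, 5)),
    ("sensor-C", "198.51.100.7", "port scan", datetime(2010, 2, 22, 9, 7)),
    ("sensor-A", "203.0.113.20", "port scan", datetime(2010, 2, 22, 9, 10)),
]


class ReputationService:
    """Aggregates reports from many sensors and scores an address 0.0 (clean) .. 1.0 (worst)."""

    def __init__(self, half_life=timedelta(days=7)):
        self.half_life = half_life          # assumed decay: a report loses half its weight per week
        self.reports = defaultdict(list)    # ip -> [(sensor, signature, time), ...]

    def report(self, sensor, ip, signature, when):
        self.reports[ip].append((sensor, signature, when))

    def score(self, ip, now):
        weight = 0.0
        seen_sensors = set()
        for sensor, _sig, when in self.reports.get(ip, []):
            decay = 0.5 ** ((now - when) / self.half_life)   # timedelta / timedelta -> float
            # A first report from a new sensor counts fully; repeats from the
            # same sensor count a quarter, so one noisy reporter cannot dominate.
            w = 1.0 if sensor not in seen_sensors else 0.25
            seen_sensors.add(sensor)
            weight += w * decay
        # Assumption: three fresh, independent reporters saturate the score.
        return min(1.0, weight / 3.0)


class InboundIPS:
    """Evaluates inbound flows; a low-reputation source needs less evidence to be blocked."""

    BASE_THRESHOLD = 0.8    # detection confidence needed to block an unknown source

    def __init__(self, reputation):
        self.reputation = reputation

    def effective_threshold(self, src_ip, now):
        rep = self.reputation.score(src_ip, now)
        # The "penalty": the worst reputation halves the confidence needed to block.
        return self.BASE_THRESHOLD * (1.0 - 0.5 * rep)

    def decide(self, src_ip, detection_confidence, now):
        if detection_confidence >= self.effective_threshold(src_ip, now):
            return "block"
        return "allow"


def demo():
    """Feed the constructed reports in and evaluate one borderline signature (0.6) from three sources."""
    now = datetime(2010, 2, 22, 12, 0)
    svc = ReputationService()
    for sensor, ip, sig, when in SAMPLE_REPORTS:
        svc.report(sensor, ip, sig, when)
    ips = InboundIPS(svc)
    return {
        "unknown": ips.decide("192.0.2.1", 0.6, now),           # never reported: allowed
        "single_report": ips.decide("203.0.113.20", 0.6, now),  # one report: still allowed
        "reported": ips.decide("198.51.100.7", 0.6, now),       # three reporters: blocked
        "score_reported": svc.score("198.51.100.7", now),
        "score_single": svc.score("203.0.113.20", now),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same detection, with the same confidence, is allowed from an unknown address and blocked from an address that three unrelated sensors have reported. Note that the office egress address in the sample is one report away from the same fate: a second and third customer seeing the same scan from it would move it into the "block" band, which is exactly the collateral damage the diary warns about.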

Since I work on the attack side of things as well as the defence side, this got me thinking about penetration testing and vulnerability assessments. It means that when pentesting, care should be taken in selecting the public IP address that you mount attacks from. If you attack from home or from a free desk at work, you may find that, because of this new Reputation Filtering feature, you have just blacklisted an IP address that you need every day to do "real work". You might be blacklisting your entire company, or even worse, your spouse (from personal experience: you just never want to do this!).

This adds another factor to the process of deciding where exactly you should run a penetration test or vulnerability assessment from. Other factors might include:

  • ensuring that your ISP, or in fact any ISP between you and your target, does not filter suspicious traffic
  • ensuring that your activity is actually legal on all ISPs between you and your target
  • if using GHDB (Google Hacking Database) methods, you can get your public IP blacklisted by Google (spouses hate this too!)
  • if the client uses load balancers, you may find that subsequent tests are run against different hosts


All these factors conspire to move your penetration test or vulnerability assessment as close as possible to the target systems. Using the same ISP as your target is often a reasonable solution, but if you can negotiate it, using a free IP address and switch port on your target's external network takes care of many of these issues nicely.
 

=============== Rob VandenBrink, Metafore ===============
