An internal security assessment, which is commonly performed together with an assessment of the Active Directory environment, is a common way to evaluate an organization's defense-in-depth against an attacker. A common misconception is that the protection provided by perimeter defenses is sufficient to effectively stop an outside attacker. This is rarely the case, as credential leakage/guessing, phishing, the use of zero-day vulnerabilities and social engineering are all attacks that could aid an attacker in breaching the perimeter defenses.
What is an internal pentest?
A penetration test of the internal systems is commonly performed as what is called an “Assume Breach” scenario, where the test simulates that a resource such as a workstation on the internal network has been compromised by an attacker. A test is typically conducted over 2 weeks (for an average-sized environment), although the time allocation can vary depending on the scope of the test and which initial access methodology is chosen.
In the most common scenario, “Assume Breach”, Shelltrail's security experts will assess the internal environment, such as web applications, internal servers and services as well as the Active Directory, in order to elevate privileges and move laterally to additional targets. The goal of the assessment is to detect vulnerabilities that, once mitigated, will improve the company’s resilience during an attack. Additional targets may also be chosen, such as finding and compromising backup servers, hypervisors or gaining access to highly privileged accounts.
The pentest contains several parts and systems, including (but not limited to):
- Internal web applications
- Access Control Lists in the AD environment
- Configuration servers such as SCCM/MECM/ConfigMgr
- Certificate Services (AD CS)
- SQL servers
Why and when should we pentest our internal services?
The goal of a pentest is to increase the resilience of the internal network against a threat with limited access, by uncovering the paths the attacker may take to move laterally or elevate privileges. By identifying weak points, and reducing or removing their exploitability, the security posture of the entire network is strengthened.
We recommend that all organizations with medium to large internal environments conduct internal security assessments on a yearly basis, as new tools, techniques and attacks are constantly introduced.
The result of an internal pentest
An internal pentest concludes with a debriefing meeting and a report summarizing the identified vulnerabilities, how they are exploited, and how they can be fixed or mitigated.