Internal Network Penetration Testing

Why would an organization want to conduct an internal penetration test? Our penetration testing team hears this question regularly when we discuss the cybersecurity needs of an organization. The reason behind conducting an internal penetration test is to assess the impact of an attacker that has physical or logical access to the network. Organizations often have a false sense of security when they assume internal vulnerabilities cannot be exploited because there is no way for an attacker to “bypass our firewalls”. The reality is most exposed network jacks, misconfigured wireless networks, and weak physical security controls, expose the internal network to digital attacks. Many organizations also either underestimate or entirely overlook the risks of threats like a phishing attack, a disgruntled worker, or a malicious insider to their internal network. Threat actors can bypass the organizations network perimeter and gain a “foothold” on the internal network with basic user access through phishing or waterhole attacks. According to the Verizon Data Breach Report (DBIR 2020), which reviews and compiles information from public breaches annually, phishing is still the top method used by attackers to penetrate an organization.  One of the main goals from these phishing attacks is to expose the internal attack surface. To truly understand your risk posture from a defense in depth perspective, internal penetration testing is a key element.

Internal network penetration testing mimics closely to what an attacker will do once inside the organizations network. The goal of the test is to demonstrate the risk and help organizations work on the remediation of that risk. Elliott Davis’s Cybersecurity team has conducted numerous internal penetration tests for organizations of various sizes. Elliott Davis utilizes the Penetration Testing Execution Standard (PTES) which mimics the tactics used by attackers to conduct their activities. Unlike vulnerability scans, exploitation is conducted with an internal penetration test to actualize the risk discovered. This includes steps that exploit privilege escalation, pivoting, and lateral movement throughout the internal network.

On a recent assessment, our team uncovered a flaw on a customer’s internal network that led to a complete compromise of that network. The customer environment had been previously assessed by numerous organizations that did not adequately determine the risk to their internal network. The customer felt confident that no actionable vulnerabilities would be found. The previous testers did not go to the necessary levels to uncover the issues which left our customer exposed for multiple years. Using our experience and real-world tactics, Elliott Davis engineers were able to uncover these serious findings and help improve our customer’s risk posture.

Another risk exposure example involved a bank, where our team identified issues associated with customer and credit data exposure. Our team was able to implement immediate protection for this dynamic community bank. They had previously completed a cybersecurity assessment and penetration test with another firm, but needed confirmation of those findings. They also wanted to assess the overall security posture of applications and systems, and protect customer data received through their PPP loan portal. Our approach was to perform Internal Penetration Testing on the entire network. Our team mimicked multiple threat scenarios to demonstrate the impact of findings on the internal network. The result was the ability to capture passwords and access domains, specifically a card issuance system that prints credit cards. We developed a successful remediation path for the customer’s IT team to implement, protecting the internal network.

One of the reasons that ransomware attacks are so successful is because internal networks at many organizations are not secured against privilege escalation and lateral movement. Ransomware attacks rely on same lateral movement and privilege escalation exploits that are used during Elliott Davis internal penetration tests. However, if an organization has remediated the vulnerabilities used for these attacks, the impact of a ransomware infection could be greatly diminished.

No matter your company business model or size, the Elliott Davis Penetration Testing team can assess your risk posture and leverage industry standard internal penetration techniques to assist you with securing your internal network. Our goal is to help organizations identify issues and assist organizations with remediating them before they are compromised by hackers. For more information on internal penetration testing for your organization, contact a member of the Elliott Davis Penetration Testing team.

The information provided in this communication is of a general nature and should not be considered professional advice. You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.