CIS CSC #20 – Penetration Tests and Red Team Exercises

I am working on a series of posts related to the Center for Internet Security (CIS) Critical Security Controls (CSCs). See the full listing here.

Test the overall strength of an organization’s defense (the technology, the processes, and the people) by simulating the objectives and actions of an attacker.

This control includes eight (8) sub controls. For those of you reviewing the CIS Controls with the Implementation Groups in mind, there are zero (0) IG1 controls and six (6) IG2 controls. This means that, at a minimum, we want to…. skip this one? For the sake of discussion, I’ve listed out the IG2 controls.

  • Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
  • Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, e-mails or documents containing passwords or other information critical to system operation.
  • Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
  • Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
  • Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.

Now that you’ve spent all this time implementing CIS 1-19, it is time to put them to the test! Here we’re looking at performing active tests against both the internal and external networks in use. The tests should look to emulate the threats you are likely to face – looking at industry trends (e.g. Verizon DBIR or MITRE ATT&CK) to see what the attackers are doing can be a great starting point.

These tests should include a mix of automated and manual tests and tools to provide adequate coverage, but also provide some of the “attacker mindset” instead of purely evaluating vulnerability scan results. These tools, and testing systems, include a lot of sensitive data and powerful tools, so you need to apply the appropriate controls here as well.

Relevant News Stories

In all seriousness, most security breaches occur based on vulnerabilities and weak configurations that would be identified in a penetration test and/or red team exercise.

Relevant Tools

CommercialOpen-Source & “Freemium”
Core Impact Pro (Core Security)Metasploit Framework (Rapid7)
CANVAS (Immunity)Armitage (Strategic Cyber)
Metasploit Pro (Rapid7)Kali Linux (Offensive Security)
Saint Security Suite (Saint)
Cobalt Strike (Strategic Cyber)

The CIS Controls are in version 7.1 at the time of this writing. For more information on this control check out the CIS Control #20 page here.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s