A Limitation of Penetration Tests: Part 1
Penetration testing and other offensive cybersecurity assessments form an important component of most enterprise information security programs; indeed, many cybersecurity frameworks, such as PCI, require the use of these security assessments for compliance. However, penetration tests can fail to address the wholistic IT environment in which threat actors operate due to a prohibitively restrictive scope.
Real malicious actors have no qualms with attacking an employee’s personal device as a means to get into a corporate network, yet including an employee’s personal IT assets in a corporate cybersecurity assessment is typically prohibited due to privacy considerations. But, what about phishing the C-suite? What about conducting Business Email Compromise tests where actual corporate funds are exfiltrated? What about attacking a third-party partner? These are rarely in scope, but aren’t actual attackers using these vectors every day? Information security teams almost always artificially constrain the boundaries in which simulated attacks occur while testing their security posture.
This is the first post, in a series of three, where we present an argument for expanding the scope of penetration testing. In this particular post, we contend that excluding supply chain partners from offensive cybersecurity assessments produces an incomplete narrative of an enterprise’s security posture and offers a false sense of security in light of the prevalence of supply chain attacks (just ask Target, Home Depot, British Airways, Maersk, Merck, FedEx, Mondelez, Solarwinds victims, etc.).
A Case Study: Magecart
Trend Micro and RiskIQ have written extensively about the cybercriminals collectively known as Magecart. These malicious actors infect key points of the e-commerce supply chain with credit card skimming software. When an e-commerce website unwittingly loads the malicious software from a “trusted” third-party partner, Magecart steals the e-commerce site visitor’s credit card information. While Magecart groups have targeted global corporations such as Ticketmaster, British Airways and Newegg, a less attention-grabbing hack from 2019 highlights the perils of excluding supply chain partners from penetration testing engagements.
The 277 e-commerce sites victim to Magecart’s supply chain attack did not effectively consider the risk associated with their third-party partner Adverline. The TrendMicro article authors prescribe generic information security advice to combat Magecart, such as securing network infrastructure and regularly patching. However, we believe the authors missed an important opportunity to underline the importance of not implicitly trusting the security of third-party partners, as well as to advocate for stronger oversight of your supply chain.
Supply-Chain Scoped Penetration Testing
Securing the supply chain is an increasingly complex topic and one that this post cannot meaningfully address in such a short venue; however, we’d like to offer an additional mechanism to address cybersecurity risk generated by the supply chain.
Include high importance third-party partners in your offensive cybersecurity assessments.
We recognize this might be a controversial idea. Logistically, just getting consent from a third-party to include them in a penetration test might be prohibitive. But, consider a scenario where a vendor that has VPN access into your network, or supplies a critical plugin to your corporate website, is included in a penetration test. With proper permissions, your security assessor can attempt to not only attack your corporation directly, but also break in through known suppliers, which any persistent attacker would do. In a sense, this allows your simulated attackers to more closely mimic real attackers.
We're reminded of an assessment we recently conducted against a public utility. This organization used third-party software for a critical component of their web application. Throughout the course of the assessment, we learned that this third-party organization had remote access into the client’s network. If we were a malicious actor, we would have stopped attempting to bypass the utility’s external defenses, which were quite robust, and instead focused on breaching the small third-party company’s network. Breaking into a small software company is much easier than going up against the network defenses of a public utility (well, most of the time).
If the utility wanted a true test of what an actual threat actor would attempt in order to breach their perimeter, they would include high-impact third-party vendors in the assessment scope.
Also, consider the perspective of this small software vendor. We imagine they conduct security assessments to comply with contractual obligations to their clients. However, we doubt they spend as much money as a utility would to secure their business (in fact, we're positive, given the vulnerabilities we found in their software). While we can’t donate firewalls and personnel to protect them, including the small software vendor in a supply chain-scoped penetration test might benefit their security posture too.
We recognize what we're recommending is not easy. However, within the appropriate environment, a supply chain-scoped penetration test could empower organizations to more effectively manage their wholistic cybersecurity risk.