Internal assessments

Red team assessments and digital penetration tests not always involve trying to penetrate an organization's network or premises from the outside; sometimes you are tasked with checking what an insider or an adversary that physically got in can see from within your networks.

I've talked about this a bit in the hole in the wall and chasing the ghost in the machine but I just want to give you another example.

In this particular project I performed an internal vulnerability and security assessment: once I was connected to their network with all the proper credentials I was to scan and map all the vulnerabilities I could find, focusing on high level executives and the engineering department. I was given a week for this assessment.
The information security manager provided me with a cover, I was supposed to be an employee from the offices in Europe and I was in the premises due to a presentation I was supposed to prepare for the CFO. I was given a nice space on an office with a desk, a chair and plenty of coffee, but most importantly I was given a username and a full access to both the wired and wireless networks. I was one of the many users on their system.

The most difficult task here is the initial mapping. You don't want to miss any networks segments. In this particular network, the IT department did a great job with the segmentation, with each sub-network serving a specific department. For example, the marketing department would have its own network, while the human resources department would have its own separate network as well. Each network has its own access controls and restrictions. However, since the IT department has to have access to all the networks there is always a way to creep in.
I used a variety of tools to discover and map the different segments and I created a master file where I would love each new network and the hosts I've found on them. Once this was done I moved to a simple and fast port scan. Since we were inside some of the IPS/IDS protection that this company installed on their outside facing network did not apply and I found that my port scans and ping requests were being executed freely. First vulnerability found: too much trust on the internal network.
This speeded things up since I now could discover applications, protocols and purpose for each computer very efficiently and with no alarms apparently being triggered anywhere. This led me to the discovery of several ways to bypass the restrictions on the different segments and ultimately gave me access to the entire network. Moreover, the fileservers and domain controllers all have the user's files and data unencrypted and open. I was able to collect several sensitive documents.

A few days into the assessment I found several systems with remote access enabled and either a simple password or no password at all. I had full control of their computers, including the computer of the personal assistant of the VP of marketing. I also found several older versions of different flavors of VNC, some of which had nasty vulnerability that was able to exploit enabling me to record in real time full videos of the people working on their computers typing emails, documents, etc.
The final piece of good intel I collected was the full list of the employees, their personal addresses, phone numbers, salaries, etc. The main server from HR was completely open to a wide variety of attacks, from a simple Null Session all the way to a full reverse shell connection.

The people planning and setting the different aspects of information security often think that once you are inside the network then you are safe and that data should flow freely. I usually tell them that this is wrong. As a result of that malicious users, malware and other nasties can roam free and almost undisturbed inside their network.
What I usually recommend is to treat the internal networks as potential threats, the same way an external network is. Moreover, I recommend that all information that is sensitive be encrypted and that several layers of security be put in place: IPS/IDS, honeypots, access controls, strict firewall rules, etc.

Internal assessments are a good way to discover, sanitize and prepare for potential threats coming from the inside, threats such as corporate espionage, a disgruntled employee, malware and spyware extracting information and others.