Penetration Test – Insider Threat

In this penetration test, our specialists simulate attacks from a regular internal user (employee) with basic privileges connected to your internal network. Unlike an Internal Infrastructure Penetration Test, which only tests a selected subset of internal services, the internal environment is tested as a whole.

Benefits

This test verifies your resilience against an attacker who already has access to your internal network. It simulates the scenarios of a malicious insider or a compromised employee identity (acquired by phishing, credential stuffing, etc.).

According to publicly available surveys, 57% of successful cyberattacks involve a compromised identity, meaning the attackers authenticate illegitimately through legitimate mechanisms, using credentials that are valid but stolen. In an era of remote access, a single identity is often all that is needed to reach the internal network from the internet (through a VPN) and to obtain basic privileges in internal systems (including Active Directory and intranet applications).

The main goal is to uncover as many weaknesses as possible that would allow a regular user to escalate their basic privileges to a higher level and gain unauthorized access to data (files, emails, databases, etc.). In many cases, the vulnerabilities found can be combined to obtain domain administrator privileges and thus to compromise the entire environment.

We recommend this test as a suitable first test of the internal network when building cybersecurity capabilities, as well as a regular activity to check for regressions. Protection of the internal network depends on protection of the external perimeter and should be built on top of it. For mature organizations, the next step up is Red Teaming.

Testing Process

For the test, we are given a fabricated employee identity that should correspond as closely as possible to a regular user's access: an MS Windows domain account, an email account, a standard company laptop/desktop (without administrator access), and also VPN and VDI access if applicable.

The following tests, among others, are performed under these conditions:

  • We attempt to gain full control over the user's assigned laptop/desktop and use the information obtained to attack other computers on the internal network.

  • Selected internal servers are subjected to security vulnerability scanning using automated tools. The goal of this step is to identify the weakest links in your internal infrastructure.

  • Based on the expertise of our penetration testers, specific services are selected for manual testing and vulnerability research.

  • Significant attention is given to weaknesses within the MS Windows domain, which are exploited for privilege escalation (ideally to Domain Admin level).

  • Similarly, we attempt to demonstrate exploitation of identified vulnerabilities on non-Windows systems (e.g., UNIX servers, network devices, or other equipment).

  • The techniques and tactics used are based on the MITRE ATT&CK framework, with a focus on Privilege Escalation (TA0004) and Lateral Movement (TA0008).

All findings, along with proposed recommendations, are presented in the final report.

Other Types of Tests

This test can be combined with other supporting or follow-up tests:

  • Red Teaming focuses on a more thorough simulation of the entire attack process. It may, for example, use persistence techniques or social engineering. It also specifically tests the detection capabilities and processes of the organization being tested.

  • To identify potential entry points into the internal network, we can test the external perimeter and Wi-Fi.

  • It is advisable to perform specific penetration tests on internal systems, such as testing web applications, APIs, or desktop applications.

  • An Endpoint and VDI Penetration Test is a subset of this test and focuses specifically on the security of the endpoint device.

  • Physical security can be verified with an Access Card Penetration Test.

In addition to the tests described above, we also provide our clients with many other types of penetration tests. For a full list, see Penetration Testing – Overview.

Final Report

The results of the penetration test are documented in a final report, which contains details of the testing process, a description and classification of all the vulnerabilities found, and recommendations for mitigating the risks. We deliver the report securely in MS Word and PDF formats. The results can also be presented in a management presentation or a technical workshop.


This type of test is also sometimes called an internal penetration test.


Sample report

Example output showcasing the quality of our work.



Any questions?

If you are interested in more details please contact us.


Tel: +420-226-523-026