This blog series discusses how to set up a network penetration testing (aka pentest) environment where one can perform security audits and test the security capabilities of a network (such environments are typically called cyber ranges). Instead of using an enterprise data center, we'll be using a life-like environment on AWS or Google Cloud as the pentest environment.
Rob Joyce, chief of the NSA’s Tailored Access Operations (TAO), gave a great talk at the USENIX Enigma conference earlier this year. If you’re unfamiliar with TAO, it’s the NSA’s elite network infiltration and exploitation team. Their motto is “Your data is our data, your equipment is our equipment - any time, any place, by any legal means.” If that doesn’t scare you just a little bit, I’m not sure what will. If you haven’t already read my previous blog post about running a simple penetration testing lab on Ravello, check it out. We’ll be using some of the same tools this time, but will be focusing primarily on network infiltration and exploitation. In this blog post, we play the attacker, and walk you through exploiting a multi-node playground environment for fun and profit, with minimal prior knowledge about the environment.
Ravello’s nested virtualization technology allows you to make realistic copies of your network infrastructure and run them in encapsulated environments on Amazon Web Services or Google Cloud Platform. Within these environments, you can perform security audits and test the security capabilities of your network without side effects. Such an environment is also known as a Cyber Range, a term popularized by the Department of Defense and associated governmental agencies for the purpose of finding security holes in a mock environment before attackers find and exploit them in operational environments.
"If you really want to protect your network, you really have to know your network. You have to know the devices, the security technologies, and the things inside it. Why are we successful? We put the time in to know that network, we put the time in to know it better than the people who designed it and the people who are securing it, and that's the bottom line." — Rob Joyce
Many of the high profile security and data breaches in recent years were only possible because attackers exploited a weak link in the victim’s network. Whether this is a Point-of-Sale (PoS) system plagued with vulnerabilities or an external vendor with access to your network whose credentials were stolen, you need to assume that you cannot realistically keep watch on all locked doors. Attackers will be able to enter your network if they have the patience and know-how. The real question is what they are able to achieve after they get in. Typically, attackers that gain access to a single node will try to gather as much information as they can about the network topology. After getting a good understanding of open ports, operating systems, and exposed services of nodes in the network, they will pivot and try to secure access to other nodes in the network, constantly on the lookout for valuable information on the exploited nodes. After doing this repeatedly, they will have gained access to your entire network.
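The recon-then-pivot pattern described above is also what a defender should be looking for in the lab. As an added example from the defender's side (not part of the original post or of the Ravello playground), the following Python flags two signals of it in simple connection records: one source touching many distinct ports on a single host (a vertical scan), or many distinct hosts (a horizontal scan), within a short window, and then a flagged host that was itself reached by an earlier flagged host, which is the footprint of a pivot. The record format, the IP addresses, the thresholds and the sample lines are all constructed for this example and are not from the page.

```python
"""Flag reconnaissance and pivoting in simple connection records (added example).

Record format (constructed): "<ISO timestamp> <src ip> <dst ip> <dst port>".
Thresholds and window size are illustrative assumptions, not measured values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.5 probes ten ports on 10.0.0.20, a benign client
# (10.0.0.50) talks to 10.0.0.20:443, then 10.0.0.20 sweeps port 445 across
# seven neighbours, i.e. the attacker has moved on to the next node.
SAMPLE_FLOWS = "\n".join(
    [f"2016-03-01T10:00:{3 * i:02d} 10.0.0.5 10.0.0.20 {port}"
     for i, port in enumerate([21, 22, 23, 25, 80, 110, 139, 443, 445, 3389])]
    + [f"2016-03-01T10:0{m}:00 10.0.0.50 10.0.0.20 443" for m in (1, 2, 3)]
    + [f"2016-03-01T10:05:{3 * i:02d} 10.0.0.20 10.0.0.{30 + i} 445"
       for i in range(7)]
)


def parse_flows(text):
    """Parse records into (timestamp, src, dst, port) tuples sorted by time."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return sorted(flows)


def detect_scans(flows, port_threshold=8, host_threshold=5,
                 window=timedelta(seconds=60)):
    """Return {src: (kind, first_seen, target)} for sources that look like scanners.

    kind is "vertical_scan" (many ports on one host) or "horizontal_scan"
    (many hosts); first_seen is the record at which the threshold was crossed.
    """
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:          # flows are already time-ordered
        by_src[src].append((ts, dst, port))

    alerts = {}
    for src, events in by_src.items():
        for i, (ts, _, _) in enumerate(events):
            # Only records inside the trailing window count towards the score.
            recent = [e for e in events[:i + 1] if e[0] >= ts - window]
            ports_per_host = defaultdict(set)
            for _, dst, port in recent:
                ports_per_host[dst].add(port)
            for dst, ports in ports_per_host.items():
                if len(ports) >= port_threshold:
                    alerts[src] = ("vertical_scan", ts, dst)
                    break
            if src in alerts:
                break
            if len(ports_per_host) >= host_threshold:
                alerts[src] = ("horizontal_scan", ts,
                               f"{len(ports_per_host)} hosts")
                break
    return alerts


def detect_pivots(flows, alerts):
    """Pair (upstream, pivot): a flagged scanner that an earlier flagged scanner
    had already connected to before it started scanning itself."""
    pivots = []
    for src, (_, started, _) in alerts.items():
        for ts, f_src, f_dst, _ in flows:
            if f_dst == src and f_src in alerts and f_src != src and ts < started:
                pivots.append((f_src, src))
                break
    return pivots


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    alerts = detect_scans(flows)
    for src, (kind, ts, target) in alerts.items():
        print(f"{ts.isoformat()} {src}: {kind} -> {target}")
    for upstream, pivot in detect_pivots(flows, alerts):
        print(f"likely pivot: {upstream} reached {pivot}, which then began scanning")
```

With the constructed sample, 10.0.0.5 is flagged for a vertical scan of 10.0.0.20, 10.0.0.20 is flagged for a horizontal scan, and the pair (10.0.0.5, 10.0.0.20) is reported as a pivot, while the benign 10.0.0.50 client stays quiet. The thresholds are deliberately generous so a single misbehaving client does not fire; in a real deployment they would be tuned against the range's baseline traffic.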
In the next post we’ll get your pentesting environment set up using the “Network Penetration Testing Playground” published on the Ravello Repo.