Pen Testing, Ben Thornhill, Claranet

Ben Thornhill, Group Security Manager at Claranet, about Pen Testing

This week Philipp Pelkmann had an interview with Ben Thornhill, Group Security Manager at Claranet. The discussion centred on one of the most frequently discussed topics in cybersecurity services: Pen Testing. For some it might sound rather boring, but many companies we meet are evaluating for the first time whether and how to conduct a pentest.

Ben Thornhill, Group Security Manager Claranet

Dear Ben, can you please introduce yourself by letting our community know about your background and how you came into the cybersecurity market?

With a degree in European integration and languages and after a successful career in real estate, I decided on a change of direction and moved into cybersecurity in 2008. I’d always had a keen interest in IT and was looking for an area that was set to grow. I should have purchased lottery tickets that day because I was right!

Although the industry was a lot smaller back then, there was still a lot to learn, but the business I joined delivered penetration testing and that proved to be an excellent way of gaining a thorough understanding about cyber threats, how to discuss and categorise risk and the best way of advising customers regarding security strategy.

In 2017 the business was acquired by Claranet and went from strength to strength. Following success as a salesperson and then sales manager, I moved into a role as practice lead responsible for running penetration testing and compliance services as well as developing new offerings to meet the ever-evolving challenges faced by our customers.

When an opportunity arose to work in a group role helping colleagues from across Claranet countries to develop and grow their security practices and coordinate security services internationally, I knew straight away that this would bring together all of my work and life experience and one year into the new role, I can honestly say that I have loved every minute of it!

Can you provide a brief overview of Claranet’s services?

Claranet offers a wide range of penetration testing services and a choice of delivery methods. Whilst there is always most demand for web and mobile application and network infrastructure testing, as our customers’ security postures mature, we are also seeing an increased demand for social engineering, red team and cloud configuration review.

We have a lot of experience in many countries now and we’re constantly developing new techniques and approaches to suit new requests from our ever-widening customer base to provide visibility of risk in emerging technology. Our mantra is that we can test anything that hackers can target.

What types of organizations or industries typically benefit the most from Pen Testing?

Pen testing is a means to gain visibility of risk that, if left unaddressed, could be exploited to cause a business impact. As such, it’s appropriate for any organisation that stores or processes data over which it has a duty of care to protect. Add into that organisations whose finances would be seriously impacted by any disruption to their operating model and you have the vast majority of organisations and industries.

There are some stand-out examples of organisations that need to take particular care to protect sensitive data. They include healthcare, banking and finance and government.

The benefit gained from pen testing is not directly proportionate to the size of the organisation taking it, though. A large or enterprise-sized organisation is usually better equipped to survive the damage caused by a cyber attack than a small or medium-sized organisation, which may not be able to continue operating. Therefore, there are situations where penetration testing, and the additional security it enables, is more critical to smaller organisations.

What is certain is that the kind of visibility of risk provided by penetration testing is a vital tool in the security defence of all organisations.

What are in your experience success factors before, during, and after?

At Claranet we believe in getting our customers speaking to our security experts as quickly as possible so the initial discussions to gain a clear understanding of the objective of the testing lead straight into the scoping exercise where we gather all the information needed to define the duration of the engagement required.

The scoping exercise is thorough and covers all aspects of the testing needed. It’s delivered by experienced pen testers who guide the customer through the process, discuss the various approaches and why certain pieces of information are required to produce an accurate proposal.

Once defined, the proposal for the work is summarized in a Statement of Work which reflects the agreed scope and describes at a high level, the work that will be delivered.

Although completed quickly, this stage is thorough and detailed because it informs the entire engagement from this point, and a quality penetration test is everyone’s objective.

Timescales are often under pressure when our customers come to us with a testing requirement. When there are deadlines and go-live dates rapidly approaching, it can be challenging. Claranet has a project management team dedicated to scheduling and the detail captured at scoping stage helps with finding dates that meet our customers’ needs. Claranet has a large team of penetration testers, so flexibility with dates and quick turnarounds is an area we excel in.

We believe in openness and good communication and during testing, our testers provide updates on progress and key findings each day which helps instill confidence and provides valuable insight to our customers.

Following delivery of the report we strongly encourage a debrief call to discuss the results and suggested remediation paths. This discussion combined with the detail in the report enables our customers to form a clear and prioritized remediation plan, enhances the value of the test and increases the chances of a more robust security posture for our customers.

What are the most common Do’s and Don’ts in Penetration Testing?

Do

  • provide the testing company with a clear, detailed and comprehensive scope for white box testing.
  • provide a clear brief and discuss expectations and priorities with the testing provider for any black box or time-limited penetration testing.
  • ensure that access and credentials for the target system/environment have been provided and confirmed before the start of any penetration testing.
  • ensure that other internal and external stakeholders are aware of the pen testing and when it is being delivered and that you have any permissions needed.
  • agree on what will be communicated during a test. Often testing providers will provide regular updates on what they have been doing and highlights of what they have found and will always communicate any high-risk vulnerabilities straight away, but it’s always best practice to discuss this during scoping to set expectations.
  • ensure that you have a debrief call with the testers to ensure that all of the findings in the report are completely understood before any remediation begins.
  • consider retesting against the same target once remediation has been completed. It is a very useful way of validating that remediation of vulnerabilities has been successful.

Don’t

  • change the scope just before or during a testing engagement. It can create confusion and disrupt the testing plan. It’s likely that the number of days scheduled for the test was based on the original scope, and significant scope changes will need a different number of days. The testing diaries of successful providers are always busy, so it’s not just a case of adding a few days to the end of a test. In these situations, the test should be re-scoped and re-scheduled to ensure that there is sufficient time to cover the target using the appropriate testing methodology.
  • think that anyone can deliver penetration testing. It’s a highly skilled service based on robust, well-established methodologies that have been refined over thousands of engagements by penetration testers that have undergone extensive and rigorous training and shadowing and whose capabilities are underscored by many specific and industry recognized qualifications.

What are the key differences between a Red Team engagement and a standard penetration test, and how do you decide which approach is best suited for a client’s specific needs?

Both Penetration Testing and Red Team exercises emulate real threat actor behaviour, but they differ significantly.

Penetration Testing is scoped based on specific assets to comprehensively test (websites, IPs, devices, etc.). The goals are to identify all possible weaknesses, assess the level of risk this introduces into the organisation and to prioritise suitable remediations based on metrics such as impact and probability.

Red Team exercises are objective based, for example “Achieve Domain Admin” or “Access critical intellectual property”, and simulate a live, motivated cyber attack. The goals here are to identify weaknesses and strengths in security controls, demonstrate a threat actor’s ability to achieve specific objectives, assess the likelihood of a targeted attack achieving a predefined impact and to map and prioritise defensive controls around relevant tactics, techniques and procedures.

Can you explain the different types of penetration tests (e.g., black-box, gray-box, and white-box testing) and when each is most appropriate?

Explaining and understanding the difference between these testing approaches is fairly easy – selecting the most appropriate approach for a customer engagement can be more challenging as customers often have their own ideas – we welcome that debate.

Black box testing – this is where the penetration tester is provided with no information and has to mirror the approach of an attacker with no privileges.

Grey box testing – this is where the penetration tester is provided with limited information for example login credentials for a standard user. This can be useful to understand the risk presented by privilege escalation within the target system.

White box testing – this is where all relevant information is provided to the penetration tester, including system architecture, access and user accounts with different levels of privileges, etc.

These approaches, and others, are discussed at length with customers during the scoping stage to ensure that the most appropriate testing type is selected. Usually, the preference is for white box testing due to the value it presents in terms of coverage, vulnerabilities discovered, and remediation actions identified. Black box testing can produce interesting results for a target that has already been exhaustively tested and remediated but in other situations the results can be difficult to interpret – for example if the tester is unable to find and exploit vulnerabilities during a black box test, does this mean that the target is secure? What would have happened if the tester had more time? Real-world attackers have unlimited time so what kinds of conclusions can be drawn?

Both black and grey box testing have their uses, but they need careful consideration and guidance from experienced and articulate security experts.

Often black box testing is requested because the assumption is that it’s a less expensive option due to the limited duration. For these situations, we recommend bringing budget into the scoping discussion and looking for ways to deliver a time-limited test focusing on the areas agreed as being the most important. This way the report can highlight what wasn’t possible to test during the time and recommend what should be covered in subsequent testing.

Can you provide an example of a recent penetration testing engagement and the value it brought to the client?

Claranet works with many organisations within the healthcare sector. During the Covid-19 pandemic, there was an urgent need for NHS Trusts in the UK to quickly and frequently move and deploy highly skilled staff between hospitals to provide expert care where it was most needed. Previously the identity checks needed had been a time-consuming manual paperwork exercise, but the UK NHS had developed a ‘digital staff passport’ where medical employees could use an app which connected to HR systems to quickly and seamlessly verify the identity of each staff member and ensure that the right people were in the right place at the right time.

The challenge was to validate the security of the considerable amount of sensitive personal data that the system had access to.

In addition to providing fast and comprehensive penetration testing of all aspects of the front and back-end system, Claranet’s security team went further in reviewing the design and concept throughout to ensure that security was built in at every stage.

We’re very proud of the work that we deliver at Claranet and being able to support healthcare in this way during the global crisis was extremely rewarding.

What kind of reporting can clients expect, and how can they use this information to improve their security posture?

For us, reports are key because they contain the results of the exercise and need to reflect the whole picture accurately and concisely – it’s no use delivering a superb penetration test if the results can’t be understood or used in a practical way, right?

Claranet reports are clear and concise and include a short summary which can be used to explain the highlights to a non-technical audience.

Of course, they include all the technical detail that you would expect in a penetration testing report; vulnerabilities ranked in order of risk, risk categorized according to impact and probability, screenshots and details of how the vulnerability was exploited, and suggested remediation.

We always recommend that report delivery is accompanied by a debrief call between the testers and our customer to ensure that the results and suggested remediation are fully understood.

Our customers find it easy to use our reports to create a prioritized remediation action plan and to explain and assign the remediation tasks internally, which more than justifies the cost of the penetration test and ensures that maximum benefit to the customer’s security posture is realized.

How frequently should organizations conduct penetration tests, and how can they integrate these tests into their overall security strategy?

Traditional thinking was always to test annually or after any significant change to the target. With the constant and increasing pace of change in technology, new threats are emerging all the time and testing for vulnerabilities needs to occur more often to identify and fix exploitable vulnerabilities and minimize the window of risk.

This is a challenge that we understand, and we have developed new ways for our customers to consume penetration testing such as Continuous Security Testing, which constantly scans the target to identify vulnerabilities before manual pen testing techniques are used to qualify the risk. This removes our customers’ exposure to high-risk vulnerabilities and ensures that defensive teams can stay on top of remediation as vulnerabilities are identified.

With the ever-widening attack surface, organisations face a difficult challenge in assessing all of it, all the time, for vulnerabilities. Pen Testing is a useful tool to provide a comprehensive, point-in-time snapshot of risk for example for systems and applications before they go live, and Continuous Security Testing can be used against applications that carry more valuable or sensitive data that needs to be free of risk at all times.

Categorizing the data, or the importance of a system or application to the business and selecting the type of testing and frequency based on that categorization is a useful way of embedding pen testing into security strategy and ensuring that it’s providing the type of visibility of risk required.

In addition to Pen Testing, what other security services does Claranet offer to help organizations strengthen their security posture and protect against cyber threats?

Claranet’s cybersecurity services fall into two groups: offensive and defensive.

Offensive security provides our customers with visibility of risk by simulating attacks or delivering a security audit against a target.

In addition to Pen Testing, these services include:

* Continuous Security Testing
* SAP Security Check
* PCI DSS QSA Consultancy
* ISO27001 Consultancy
* Cyber Essentials Assessments

Defensive security provides continuous 24×7 monitoring of our customer environments by experienced and highly trained SOC Analysts who respond to security alerts as soon as they occur whenever they occur.

These services include:

* Endpoint Detection & Response
* Managed Detection & Response

If you could send a message to all CIOs and CISOs, what would it be?

Choose a partner with whom you can develop a long-term relationship – it will speed up your journey towards security maturity. Pen testing providers are often rotated regularly – the thinking is that by changing provider, the customer will gain a wider perspective on its security. My advice is to develop a strong relationship with a provider that understands both offensive and defensive security and can use the results of one type of engagement to better configure the other. At Claranet, the most effective work we deliver is for customers who have worked with us as their security partner over many years so please factor in these benefits when selecting your security partner.

Whatever the challenge you are facing, at Claranet we relish the opportunity to help you find the right solution, and if my years of experience tell me one thing, it’s that all the best solutions start with a conversation, so please come and talk to us.

Thanks to Ben Thornhill for his time!

In our day-to-day business, as your independent partner we analyze customer requirements towards cybersecurity and identify suitable providers of products and services. Therefore, we have collected a significant number of interesting provider and solution profiles. Of course, this does not include any recommendations for products or providers. If you are interested in an interview with us, please send a short message to cybercompare@bosch.com.

Please remember: This article is based on our knowledge at the time it was written – but we learn more every day. Do you think important points are missing, or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.