Industry Trends

Proactive Hacking to Build Better Security

By Aamir Lakhani | October 03, 2016

Fortinet has developed a talented group of security experts and veterans that work together to design, execute, and administer every conceivable type of networking and security infrastructure. These infrastructures serve the largest enterprises, university campuses, and industry conferences, to small and mid-sized businesses, inter-connected retail locations, and even storm-battered cargo ships.

Designing and building any network infrastructure poses unique challenges, and requires extreme diligence in the planning, implementation, and administration. As part of that security diligence, it is not uncommon for security vendors to run Red Team exercises – think hacker war games – against their own equipment. In such a scenario, a designated “Red Team” plays the role of an attacker, while the “Blue Team” monitors and defends the network. This is the process Fortinet uses to quickly test and validate networks to fortify the network security posture, and is especially useful for projects that need to be spun up and put online in a matter of a few days.

In my role as a security strategist, I get to regularly put on my Red Team hat and work with my colleagues to try and break into the networking and security technologies and architectures deployed by our target/client. Our goal is to find any seams, gaps, or holes in these networks before a hacker can. This is often referred to as proactive hacking, and it can significantly reduce the chances of an organization having to react to a real hacker.

These sorts of exercises also help security vendors, systems engineers, and network administrators develop best practices for appliance installations and configurations, draft defensive documentation like cookbooks, identify and troubleshoot potential network issues, prioritize traffic monitoring, and better understand vectors likely to be used in an attack. 

The Process of Penetrating a Network

My team uses sophisticated penetration techniques and tools to attempt to bypass authentication, gain access to management consoles, and generally wreak havoc within the targeted network. Meanwhile, the Blue Team employs their sensors, tools, and analytics to monitor, detect, and counter any indicators of compromise. Blue Team network engineers also work to configure management interfaces so they may only be accessed for specific, segmented points in the network. Stress testing helps ensure there are no misconfigurations, or other unforeseen unknowns that make this possible.

Our primary objective is to improve our ability to prevent a determined and skilled attacker from accessing corporate or conference assets, and/or gaining unauthorized management access to equipment. To accomplish this, we often need to go beyond typical network testing procedures and the limitations of popular off-the-shelf security and vulnerabilities scanners. In spite of their marketing, most of these tools are simply unable to reveal some of the latest or more obscure vulnerabilities that are often used by a skilled attacker.

Another key objective of the Red team is to ensure that attackers are not able to access management interfaces without proper credentials. We employ the latest threat vectors and penetration techniques in our attacks to try to bypass authentication barriers and gain access to the management consoles. Our insider knowledge of the people and systems gives us an advantage over the typical hacker using social engineering, web vulnerabilities, and zero-day attacks.

Since it is (hopefully) unlikely that attackers will find an open port to a management interface unprotected by authentication, it is more likely they will try and expose software vulnerabilities, using such attacks as cross-site scripting (XSS) or session hijacking. Using both common and custom-written tools and scripts, we test against these and many other types of attacks.

The advanced testing and analysis conducted is very similar to the global threat research conducted by the Fortinet team on a daily basis. We constantly monitor Dark Net markets and hacker forums to discover new vulnerabilities or exploit methods. Many of the claims on these sites don’t pan out, but regardless, it’s our job to test against these methods. Our internal threat research teams also routinely test our software against zero-day attacks. They even write custom “fuzzers” that can replicate the sort of iterative zero-day variants that are likely to develop in the wild. Any vulnerabilities we find are submitted to CVE, and sent to our product security (PSIRT) teams for patching.

Lastly, we also test against physical security. The Fortinet Red Team tests how easy it is to gain physical access to network equipment, like wireless access points, how much of a deterrent current physical security tools and protocols are to potential attackers, and finally, what attackers may be able to do should they manage to gain physical access to the devices or network ports they manage to plug into.

We not only check for unauthorized access and attacks to devices, management ports, and consoles. We also check to see if attackers can plug into management segments, and if they do, how quickly we can detect them, as well as ensuring that attackers that manage to gain physical access to devices cannot access restricted or management segments of the network.

Conferences are especially challenging, and each Red Team exercise conducted for these is unique because these environments are protected by a composite of devices, policies, and protocols. In such an environment, each networking and security vendor is usually responsible for providing standard practices and configurations for their own devices within any given organization, and then take steps to test the implementation of their own solution. The internal technology teams and/or solution providers must then turn this bundle of different – and sometimes conflicting - practices into a working infrastructure, ensuring that all the different devices and systems work together seamlessly. And as the security team at any enterprise can tell you, such a task is easier said than done.

Join the Discussion