Pentera: Take control of time, not just a snapshot
In this episode we discuss whether manual penetration testing is an effective way to validate cybersecurity effectiveness, and whether automated penetration testing is the solution for maintaining a completely secure network.
IN THIS EPISODE…
Key discussion points:
- Challenges of manual pen tests
- Why Pentera?
- What makes Pentera Different
- What we have seen from scans
- What trends are the scans identifying
- What should we be preparing for in the future
- Is manual penetration still required
- Learn about Pentera's Ransomware Ready release
Hosts: Kelly Allen and Phil Howe
Guest: Shak (Pentera)
Guest: Jo Holliday
Sponsored by: Pentera
We are all ransomware aware, but how confident are you that your organization is ransomware ready?
A new methodology is in order. To validate your ability to defend against the latest ransomware attacks you must take up testing and emulation. Running continuous and automated testing of attack scenarios that are as close to the real attack vectors as possible is how you can validate your overall ability to detect and prevent those attacks before the adversary has their turn. Challenging your entire security stack is how you can ensure your EDR, NDR, SIEM, SOAR, DLP, WAF, FW and any other security services are effective and properly configured. It goes without saying that this testing must proceed in a safe and controlled manner, without impeding business continuity and without interrupting operations.
Without validation, security spending can seem like a bottomless pit, always on the verge of spiraling out of control with diminishing returns. The result? After all that spending and scaling effort, you are back to square one, still wondering “Am I ransomware ready?”. Gaining confidence in your cyber resilience – if this is what you are after – means it’s time to start emulating real-world ransomware attacks in your organizational network and validating your security controls.
The evidence is clear: prevention and detection alone can only go so far. It’s time to shift the focus from building higher walls to blocking attackers at every turn once they find their way inside. You wouldn’t go on stage without a dress rehearsal. You wouldn’t trust your fire code without a fire drill. Becoming ransomware ready is no different. Trust your security controls when you see them in action.
PenTera Podcast Transcript:
KA: Welcome to the S.Com podcast. This is our Security and Compliance podcast created by Core to Cloud. I’m Kelly and I work at the marketing department.
PH: And I’m Phil from the technical team. And we’re going to take you through all our technology in a really interesting way.
KA: Phil talks technical while I keep it light-hearted with a selection of exciting guest speakers. Let’s get started.
PH: Today, we’re talking a lot about that kind of automated side of the penetration testing, and I think that is absolutely key.
And obviously, when people are currently doing pen-tests, some people are just doing it once a year. And really what happens in businesses is there are so many changes that are coming in, different systems getting put in at different times through the year.
So that snapshot that you think everything’s OK suddenly isn’t, and you don’t really know until the next year. So it’s a bit like an MOT on a car, you know, it’s really only good for that time when you’ve actually driven out of the garage.
So I think what we’ve been doing with PenTera is really kind of working with the customers and sort of showing them how they can do that, more regular testing, making sure that they’re covering the right areas as well.
And I think with a lot of customers as well, we’ve- it’s really about that skill set as well- making sure that they know how to remediate and how to make sure that they can make those lasting changes to the network.
And I think that’s a clear distinction to make between PenTera, and perhaps a vulnerability scanner, which is just looking at patches, because this isn’t just looking at patches, because at the end of the day, patch Tuesday comes out and you’re never, ever going to find that every single patch is done.
You know what I mean, so this is making lasting changes that are going to really secure people’s environments. And, you know, because as Kelly mentioned, the customers that we’re working with, you know, they’ve got a lot of sensitive data.
You know, we work across many different sectors, but the data is all sensitive and they want something that’s going to kind of stay. And again, we can expand on this a bit as we go through.
But look, if an attacker gets into my network through a phishing attack, which, you know, is another podcast we’re doing, but, you know, if an attacker gets into our network through a different route, how do we stop them escalating, having that lateral movement, and actually be able to stop them causing some pain on our IT network?
JH: So, can I ask a question then?
You talked about how, traditionally, organizations will have a once-a-year manual pen test. They’ll most likely use a consultancy to support that need.
JH: With deploying something like PenTera, does that negate the need for that manual pen-test or does it complement that manual pen-test?
PH: I think there’s a couple of answers to that. It depends on what you’re trying to do. The ultimate testing tool that we use, it runs internally. So, you would still have an external test. Most of our customers have replaced our full pen-test with it.
Some organizations require certain accreditations to happen and certain governing bodies like CREST or, you know, accreditation of standards. That’s what they use it for. They still have the tool, but they’ll walk through it and they’ll remediate all the issues so that when they get their formal pen-test, which then really is a tick-box exercise, they come in, they run the test, everything’s great. They pass, they leave. You know, so it’s very much a preparation thing.
JH: So it really reduces the impact that a manual pen-test can have on a business when they’ve identified lots of issues.
PH: Yeah, the thing with PenTera is obviously there’s a couple of new features coming, which I’m sure we’re going to cover later on. But obviously, if you’re doing a pen-test once a year, you need to make sure that those new features are being tested.
You know, like you could have a pen-test and a major issue could get released after six months. With PenTera, you get an update every two weeks and every quarter you get a major release. You know, I’m sure we’re going to cover the fact that they did a lot of improvements around Active Directory testing and they’re now doing a lot of new features around testing for ransomware.
Again, it’s all evolving. It’s making sure that you’re constantly moving as things are changing.
KA: And I think from my understanding of it is that you’ve basically got someone that’s 24/7 giving you a penetration test where normally you’d only have that done, like you said, once a year.
So, for you, when you were using it as a customer, you were able to see things every day. Is that right? And you could come in and see a report, when you came in, of where there were weaknesses and problems and stuff.
PH: Yeah. I mean, you can schedule it to run overnight. So, you know, and again, that’s another thing. If you have a pen-test, they come in on a specific day.
You know, sometimes people’s backup jobs or things that are running overnight are a problem, so you can do your test then. And you can also, as you say, schedule it. And we help the customers. Basically, we do a bit of a baseline with them. And then we scan those kind of key areas of the network.
And then we say, right, what do you want your test to look like? And they’ll say, right, we’re going to do a server one, we’re going to do a user one, and we can schedule it to run.
KA: Can I ask a question, though?
So I don’t know about everyone. Like when you get ready for attacks. You do preparation, don’t you, to try and pass that test?
PH: Good question.
KA: If you know someone’s coming in to do a penetration test, do you generally do a bit of prep so that you know that you’re OK?
Is it fair that it is a realistic version of your environment? Because obviously, I think a benefit for PenTera is the fact that it is doing it all the time. And when people are making mistakes, or having a bad day, or a little bit tight, it can happen.
Right. So I guess there’s kind of two levels to it, isn’t there? There’s the, you know, the real-life environment. And then there’s one that you’ve probably strategically got a little bit ready for because you knew someone was popping in to attack.
PH: Really good question, actually, because what does happen with a lot of traditional scans is they’ll say, right, can you give us one of your Windows machines and one of this machine? And what happens is they’re scanning against the gold image.
KA: And we all know that they haven’t got marketing!
PH: Yeah. I mean, obviously things change, things get installed, you know, a gold image sounds like it’s a gold image, but in reality, something like PenTera, as it’s completely clientless and scanning everything, you know, it’s not going to get pulled down a rabbit hole like, you know, a manual pen test.
It’s going to literally have a look at absolutely everything that’s there because it doesn’t have a client. And again, I think not having a client is absolutely key. And it obviously follows that, you know, the MITRE ATT&CK framework maps out exactly how an attacker would attack, and it follows that as it goes through.
So it’s using exactly the same techniques an attacker would use. So literally, if PenTera can’t get it, you know, your attacker is going to come on your network and not be able to do it. The other thing you can do with PenTera, obviously, I’m saying it picks up, you know, the patches that have got vulnerabilities against them, as a key thing, and then picks up things on the wire, you know, stops you being able to sniff passwords, stops data going over the wire unencrypted, it will tell you about that kind of thing. But you can do targeted tests, say, look, what happens if I picked up Jo’s account or Kelly’s account?
What could I get to?
KA: If I remember rightly, when we first started working with you, you showed- I think we did a test on that and we saw how quickly PenTera could access people’s passwords and credentials.
And that was quite eye-opening, how quickly PenTera could get to it.
PH: Yeah. I mean, it’s not unusual for us to have Domain Admin in ten minutes.
KA: Yeah, I wasn’t actually saying out loud if I didn’t realize if I could say that.
PH: Yeah. I mean, I wouldn’t name the people.
KA: No, I was going to say I remember I think we did it and it came up pretty quick.
JH: So that would help organizations identify additional challenges or policy weaknesses in terms of password management policies and that type of thing as well. I mean, just a simple one is like you have organizations and they have a really good complex password policy.
Then you might have a service desk that’s resetting the password to ‘Password’ with a capital P and a few numbers. It’s kind of an obvious long password, you know. I mean, and I’ve had it where service desks, when they reset passwords or set up accounts, are actually using the same password.
I’ve seen it where you’ve had 200 new accounts created. They all have the same password. And they all say ‘user will change at next login’.
And it just goes like a knife through butter. So they will say, ‘hang on- we need to change our working practices’. So it’s not always that you need to put in a big password. It can be, you know. And I’ve seen obviously one of the key things it picks up is things like nested groups.
Now what a nested group means is you’ve got a group called Group A. And you can see all the people in it. Then you’ll see in the middle of A somewhere there’s a group B, so there’s a whole load of users in group B that are now a member of group A.
So somebody can access things, and somebody else goes, well, I want to have somebody in the group for X, Y, Z, not realizing it’s in group A. And I’ve seen it where we cracked a user’s account and all of a sudden they could log onto systems that they should not be logging onto with that ID.
And I’m not going to say exactly what it was. The access was unbelievable. And it was literally caused by a nested group that had every single user in the organization.
JH: And is that quite a common issue in terms of how infrastructures are created?
PH: I think because obviously Active Directories, you know, have grown organically, you know, people started with NT4, and then they put their Active Directory servers in about 2000, and instead of going through and cleaning it all up, things are just going, oh, we need a group here, we’ll add this here and that there. And then you end up with a bit of a mess.
KA: I mean, do you think that’s massively happened this year, though? Even more so with how we’ve had to accelerate digital transformation, which we talk about all the time.
But now we’re all working in different places and things like that. Do you think, actually, things that you’ve probably picked up on PenTera might even be ten times worse because things had to be done?
PH: And I also think if you’re talking about kind of the changes that have been put in place to cope with home working, Covid and that type of thing, I mean- projects have been rushed through. So it’s very important to them now to say, OK, we need to just make sure that we’ve not caused any big issues, and then go back and retest.
And obviously, the beauty of this product is, you know, you’re getting all the advanced pen testing tools, which, you know, you can download. Some of them are proprietary. Some of them, you know, are available on the Internet type thing, but basically PenTera has made them all safe and they’re all in a contained platform. And you and customers, I’ve seen it. Anybody can use it.
JH: I mean, does it apply in cloud as well? So organizations that have migrated from on prem environment to a cloud environment. Does it help in that circumstance as well?
PH: In terms of, I mean, PenTera itself runs on the infrastructure layer internally. It will test Azure, and it obviously will test if you’ve got like a connection out to the cloud and there’s an IP address that you can get to from your environment. Yes, it’ll test it as part of your network.
JH: So in a deployment, you’ve deployed it as a customer and you obviously support our customers in their deployments. How quickly can you get value from your Pentera deployment?
PH: Well, let’s talk about a POC. You know, when we do a POC with a customer, I send them a laptop. We have one hour in the morning, one hour in the afternoon. And we’ve shown the value.
KA: Yeah, it’s pretty fast, isn’t it?
PH: Very, very fast. And I think that’s been a key thing, I think everything that Core to Cloud has done. You know, you’re talking even beyond PenTera, we always make sure that the product is doing all the heavy lifting.
Yeah. You know, and it shows you how to fix things. And basically we work with the customers as well. But it’s very much about making that lasting change and helping folks.
KA: I think one thing we did mention earlier is that actually it’s kind of a plug and go thing, isn’t it?
It doesn’t have too much effect. I mean, one thing I’ve learned, I’ve always thought that a huge organization would have an absolutely massive I.T. team. Loads of people on the ground, especially cybersecurity. My lack of understanding until actually working in the industry and now getting to know us and our customers.
And where I first met you was like, oh, this is just you guys. And you’ve got to look after all of this. From my understanding, PenTera actually doesn’t put too much pressure on your team and actually alleviates some of that pressure.
Would you say that’s fair?
PH: Exactly. I mean, obviously, I think especially people are struggling to get cybersecurity specialists because it’s so expensive and not available. So in a lot of organizations, I’ve said, oh, I want to recruit this person.
Then they might say, actually, I can’t get this person. What I would do is put tools in place that people in my existing team can use to do the same things, effectively utilizing the software. And yes, something like Pentera is extremely easy, literally.
You’re putting in what IP addresses you want to scan and press go.
KA: And from little old me who’s working in the marketing department, I know you test us with Pentera. I’ve never actually noticed it or that it is affecting my day to day.
So it doesn’t have much impact on people working when it’s running, does it?
PH: No, it doesn’t. Again, it’s deploying the payloads. But, you know, you don’t notice it when you’re carrying on with the pieces. Yeah. And it does a full clean-up at the end of the test as well for the users themselves.
The only stuff that you will notice, what you want to notice, is the existing security you’ve got. The whole point of PenTera, as well as doing what we’ve talked about so far with a pen test – it’s also, you know, testing your endpoint security, testing your network detection and response software.
And, you know, if that stuff isn’t flagging up, then you’ve got a problem. Either you’ve got a blind spot in your network or something isn’t working correctly or isn’t configured. So, you know, we do. And also that then leads on to the stuff, you know, are the staff paying any attention to the alerts that are coming? This is a real test. And I know so many people, because they get bombarded, they then just filter it into a folder and never look at it.
KA: I mean, like your emails keep everything and you don’t email him with a CC…
KA: It just goes into a folder. I’ve learned the hard way.
JH: Oh, I used to do that all the time, and I say if it’s CC’d, it goes into a folder, it needs to say it always in the main body of the email he is in
PH: Cuts down the number of emails you have to have a look at.
KA: That’s how he filters out all the noise.
PH: It’s a bit like that with the product. I mean, at the end of the day, we make sure the products that we put in don’t generate that noise.
For example, you know, like, say, PenTera, as it’s called now, formerly known as Pcysys. You know, we’ll test what we put in, Vectra. And we know that Vectra doesn’t generate noise. It just shows you the things that you need to see.
KA: And again, that’s the whole point of this. I think that’s one thing that I really loved when we came to you and you did the PenTera attacks and we could see it on the Vectra dashboard. Yeah, I think that was the first time.
I mean, for me, like I couldn’t really understand the attack, but it was the first time in real time I could see it lighting up like a Christmas tree.
PH: How would you know it’s working otherwise?
JH: So it’s a good validation tool.
For technologies that businesses have selected, or if you’re going through a refresh- I was just thinking of businesses that are growing as well, that are looking at making significant changes to their infrastructure- PenTera can help guide them through the challenges of making those changes. Pentera can support almost like a companion tool.
PH: So I mean, to give you an example of that, we’ve got a customer that’s a worldwide customer and they’re based in the UK, but they’ve got customer sites all around the world. And what they’ve done is they’ve got service providers in those countries, and they had no way of knowing if that service provider was doing what they say they’re doing.
So they have deployed remote attack nodes in all those locations. And they now can test that service provider, hold them to account- what’s going on to secure the network. So that’s something they’ve been doing a lot with. And obviously, I know we’ll speak to Shak from Pentera (Pcysys) as well.
But one of the key things that they’re bringing in now is the ability to test ransomware.
JH: And yeah, you mentioned that. Can you go into a bit more detail?
PH: Yeah, we’re actually beta testing this at the moment with two of our customers, because obviously what that effectively does is it will run the kind of main ransomwares. And it’ll go through and you can choose an area, but it basically exfiltrates files and tries encrypting them. So, you know, it will actually follow the whole ransomware process and you get to see whether that’s going to get protected or not.
You know, again, Shak will go into a lot of detail on this, it’s very new. And again, we’re going to work with a lot of our customers when that comes out. And that’s the key thing that that’s why we’ve got involved in the postseason. So in a kind of early stages of beta testing.
KA: OK, so from a marketing person, why is that a really new sexy feature? If you were telling me in layman’s terms, why was that exciting for a customer?
PH: Because I think obviously we’ve had about a lot of attacks in Ireland.
You know, there’s been a lot of ransomware attacks, you know, that have been going on. And people are putting in all this protection from effectively, you know, trying to stop the intruder getting in. You know, this is kind of saying, hang on, if they do get in, are the tools going to work?
That’s the approach, because, you know-
KA: You have to almost walk to the fact that the intruders are going to get in. OK, so we’re assuming that they’re always going to go in.
JH: I think when you’re in the business, maybe prevention is just not a thing, though, is it?
PH: Yeah. You still have that perimeter prevention, but you just say, right, OK, when they get in, let’s limit what could happen, you know, protect our systems. You know, like even simple things, like even by testing this ransomware side, they’ll test the software, but it’ll make the clients think, for example, do they have backup?
Do they have a way that they can get their files back so they’re not encrypted? You know, how long is that going to take to restore, you know, what protections can they put in place? So it’s kind of that that whole story that we can talk around.
And I think that as we’ve been working with the customers, talking about ransomware now, you know, earlier we were talking about nested groups. We’ve worked with those customers to fix those issues. It’s not a case that, you know, you’ve got nested groups.
You’ve got common passwords. There are tools that we can put in that will solve those problems so they don’t happen again and again. That’s a journey we’ve been on with lots of our customers. You know, I think that, you know, probably you speak to customers yourselves and you will on some of these podcasts, but we really are kind of a member of that team effectively.
Yeah. And we’re kind of like guiding them to say, right, do this and then do this. Right now, you really need to look at this and that that journey, you know, the customers have all been on to try to secure their environments.
KA: Could you talk to us a little bit about, obviously, when you came to Core to Cloud? What was the- what was the issue and the pain point and why were you looking for something different? Well, that wasn’t helping you at the time.
PH: You’re talking about PenTera in Bolton? OK, I mean, obviously, the way it worked was we had Vectra at Bolton and that network detection response tool, which, you know, my boss and CTO at the time, we were like, right, we really need something soon to give us visibility because we just didn’t know what we didn’t know effectively.
So we put Vectra in- fantastic. Now we feel that if there’s something unusual going on, we can see it. And then it came up with that. Right? OK, great. So how do we know it’s working? And that conversation came out and obviously we wanted a tool that was going to just effectively do exactly what an attacker was going to do on our network and fire that off. And that’s what happened, we did that to see how it looked in Vectra, so that when the scans ran, we could see the attacking, then you could see it going up the quadrants in Vectra.
KA: That’s the cool bit that I like
PH: The light starts off bottom left and it goes up to top right. If there’s a real issue, obviously that’s kind of what happened within seconds. It was kind of going off that top right quadrant and firing off. And obviously within PenTera, you’ve got various options of stealthiness as well.
If you put it on aggressive mode- I mean, simplistically, it’ll just scan every single port. If you put it on quiet mode, it’ll just pick a few key points quietly. So again, we could see and it sort of helped to tune the products effectively.
So we did that. And then obviously on the back of that, we then looked at the results coming out of Pcysys, now PenTera. And we looked at that and went- hang on, there are some real fundamental issues here that we need to fix, and things that we weren’t necessarily aware of before.
But, you know, when you get pen-tests on manually, they don’t always tell you how to fix it.
KA: So I didn’t realize that- so when they come up, they don’t tell you how to fix it- they don’t do like a best practice
PH: They sometimes give you a link or something. But it’s vague.
PenTera did as it said. Right. These are the changes to make. And we just went. Right, OK. And this we picked a few key things, started fixing them, and we could see that when we were rerunning PenTera- what a difference it was making.
And the amount of time it was taking to sort of get that foothold and move forward. So we kind of did that. And then obviously on the back of that, we then looked at another product to kind of do the remediation it was flagging up around passwords. So we put a product in that got rid of all the common passwords. It stopped, got rid of all the nested groups, you know, so we were making those changes alongside Pentera.
KA: So Pentera kind of gave you a project plan of what you needed to fix.
PH: Yeah. I mean, it basically tested everything. Made my staff at the time make sure they were looking at the alerts and then also helped with that remediation side of things.
So we were kind of comfortable that, you know, it was achievable remediation. I think that- that’s right. And I kind of mentioned this a bit earlier on, that, you know, if you do a scanning tool, it’ll just show you got a million patches missing.
You know, depending what day you run it, you’ll fix it. Then on the next day there’ll be loads of other patches. Whereas PenTera kind of works in different ways.
Shak: It’s really interesting because I don’t think I’ve heard that story. You know, that origin story where you started with Pentera, or Pcysys at the time. And so it’d be really interesting to look at that report or, you know, how things look, you know, further down the road.
But you’re right. You know, when you do manual pen testing, the thing is just getting consistency. Yeah. And if you’re doing it all the time, it depends on the skill set of the person that’s running the tests and what they’re looking for.
And when you’re automating these kinds of things, it’s really, you know, there’s always the same sort of game plan ready here. And we’re going to go in. We’re going to find what’s live on the network on that given day and then go after, I guess, the most advantageous attack vector and say, you know, you can find these vulnerabilities to exploit. There is a bit of manual input in terms of like a semi-automated fashion where you can drive certain attack vectors and say, well, this looks interesting, what happens if I exploit this particular server or endpoint.
But yeah, I think the key thing is that consistency. Right. And that remediation work is about sort of prioritizing what’s really important and what you can fix really easily, as opposed to having, I guess, a massive list of different things that you could go in different directions to fix.
PH: – they get a massive list of events and they won’t do any of it.
KA: Well, yeah. And sometimes, you know, that’s true of anyone. If you have a massive list, you won’t be able to do that, you know, just all of that.
Shak: Yeah. And yeah. And I think the other aspect of that is that if you’re doing it once a year, it’s like, well, listen to me here.
Just get we’ll get around to that at some point. And then most of the time we find that, you know, people just never get around to even doing any of it. I mean, it’s like, well, you know, it’s kind of time for the annual pen-test again.
You know, what do we do? Sometimes it depends. Right. You know, so how focused people are and like you said, is that motivation of trying to tackle a big list of things to do on top of everything else.
JH: What other tools are available? Because, I mean, PenTera seems to stand alone in terms of the capability that they have. What would businesses do previously? Is it more vulnerability scanning that organizations tend to do?
PH: I would say it’s more vulnerability scanning or testing a gold image rather than this more wide. Yeah. Clients. Yeah.
KA: Did you have to do more manual tests? Yeah. Is that what we’re saying?
Shak: It really varies, and I think, you know, it depends on what people know and the skill set that they have in-house, as well as, you know, bringing in skill sets from external parties. And I would say it varies from the very simple doing a vulnerability scan.
And, you know, let’s patch things. I think there’s always a mandate to say we need to be patched and updated, but it’s going beyond that. Right. What’s the consequences of not patching a particular system? And I think that becomes really important because it’s now more contextual.
It’s based on your environment. What we see that we can exploit. So the analogy I always give is like, you know, from a vulnerability perspective, you see an open window. Right? You want to close that window. But ultimately, from PenTera, when we see that window, we then show the consequences of that open window means how somebody can then break into the house and do whatever.
And we actually sort of, you know, help people visualize that through the attack vectors, show its exploitability. And this is how we’ve moved through that chain to really explain.
PH: And I was going to say that’s expanding out now, isn’t it? Because you guys are moving into sort of doing some more ransomware tests as well
KA: Yeah, we touched on this earlier. So, you know, there’s some new exciting stuff going on with the ransomware piece. Would you happy to go into that and a bit more detail?
Shak: Yeah, sure. So we call it ransomware ready. It’s based on and, you know, as you know, a lot of things that we see in the news around ransomware attacks and, you know, sort of top of mind and quite important that you’re able to test how- what your capabilities against a given ransomware attack.
And nobody really has that ability, you know, to do that. So with PenTera, we’ve introduced the concept of emulating a particular family of ransomware. Usually, the ones that we see in the news like REvil, WannaCry previously in 2017.
But some of the newer families and some of the newer variants that we’re seeing crop up now. And it’s really being able to effectively use the same techniques that we see with ransomware in terms of dropping or encrypting files.
And usually ransomware always goes after the data. So we’re talking about documents, critical user data that once it’s encrypted, you know, it’s kind of gone. So we sort of replicate that same technique to encrypt files. And on the other side, from a defensive sort of aspect, it’s how does our EDR or endpoint solution react or behave?
And so it’s really about stress testing, your sort of endpoint controls, whether it’s on servers, whether it’s on endpoints to see, you know, what detection capability they have and potentially a response capability as well. So how can they then stop us from being able to encrypt those files?
KA: To give you a practice dry run.
Shak: Effectively, yes.
PH: So I think that you’d probably find that if you ask most customers, do you think your endpoint security will stop ransomware? They all look at you blankly and go, I’m not sure.
KA: Well, you’re not going to know until you’ve been attacked, right?
Yeah, normally. Yeah.
Shak: And it’s interesting because listening to the CEO on the in response to Corsair is talking about, you know, his conversations with FireEye. He was talking about is not, you know, a matter of if you’ll get attacked, but it’s when.
Right. So we know it’s a matter of time. And it’s like, what is the fallout of a given attack and is trying to really sort of replicate that to say what would happen. You know, it is. And it’s that visibility of our- do we have the right controls in place to be able to block it?
And how far would it go? What ultimately are the consequences? And it’s kind of then being able to sort of, I guess, devise a playbook, you know, a plan of action plan that allows you to work on all of all of this sort of, I guess, in terms of that sort of security stack and your response detection capability, your alert processes, you know, how do they behave?
Because it’s not just about, let’s say, your EDR or endpoint solution, but it’s also about people. It’s about, you know, when we detect it, what happens? You know, interesting use cases like you might have Defender ATP alerts forwarded to an SMS service.
So if somebody is out of the office, when you see a detection, you get a message on your phone. OK, this might be the start of something interesting and perhaps I need to dig into it. So you’re able to sort of test those kind of processes as well
PH: -and help reduce our attack surface footprint effectively.
You know, there’s a lot less to go out effectively by making those changes.
Shak: That’s really important. You know, it goes back to that sort of fallout. If we can reduce that attack surface and minimize it- so at least, you know, it’s isolated to one system, one box, and we then detected it and blocked it. Great. Because then the worst thing that can happen is these things move, laterally across the network, especially when there is somebody orchestrating the attack on the other side, then looking for interesting things to go after.
You know, can we find the crown jewels? Go after the servers, get it. Get the big important files or data. Yeah. I guess, you know, there’s a tipping point when, you know, there are businesses. Perhaps, you know, the consequences of an attack is that, you know, they go out of business, people lose their jobs or whatever.
And I guess, you know, there is a human element as well in- and there is that tipping point when we see people’s lives being affected in that way. And I think health care is probably, you know, a good example of that.
When you have downtime with systems, that people sort of take it more seriously. And, you know, and I think we also reach that tipping point where everybody knows or heard about, you know, ransomware attacks or, you know, I guess cyber-attacks and, you know, ultimately the consequences of these kind of things.
KA: Yeah, definitely.
JH: It’s definitely prevalent in health care in terms of it’s an industry that has previously been understood to have legacy, older networks, older systems. Certainly, there’s been a big investment, hasn’t there, in the NHS, particularly in the last sort of five years, six years, where there’s a bigger percentage of budget being spent on cyber specifically.
So that’s you know- we obviously do a lot of work in health care.
PH: Yeah, we do. I mean, as you say, the value of health care data is huge. Yeah. And we’ve often seen sort of like malware being written specifically against specific medical devices to try and get that data off.
You know, so again, it’s having that kind of- those tools in place to make sure that you’re staying one step ahead effectively. And the thing is, you know, it’s all part of a kind of an ecosystem. You know, it’s not just one thing that you have to do.
It’s all part and parcel, all works together to kind of give you that security and understanding and visibility of your weak points before they’re exploited effectively, you know. And as we know, I think, you know, something I’ve sort of talked about at other times that an attacker often just sits in your network for a long time before they necessarily, you know, pull that trigger.
You know, so I mean, we’ve got the tools that give you the visibility and PenTera gives you the kind of, you know, work on that, reduce what they can do when they do pull that trigger.
You know, I mean, so, again, it’s all part of the kind of the key things to work on.
JH: So quite often you can have an executable or something that’s been put on the network, somehow got on there, has been dormant for 18 months.
And with PenTera, I can find that and exploit it to see what the consequence of finding it would be?
PH: PenTera will more show you what will happen when it does execute.
Yeah. I mean, yeah.
Shak: So if you think of it, we are now behaving like the attacker. So that executable would come from us and we can- I think you talked about the stealthiness level. So how noisy are we when we go into a network?
We can be very noisy on one side of the scale or, you know, towards the left side of the scale. And then there are controls that might pick those things up. There’s like network monitoring tools and things. Okay, some unusual activity.
What’s going on? And it’s designed to stress test those kind of controls and see if they pick us up. So it’s more you know, you’re kind of marking your own homework and you’ve got, you know, on the other side of the scale, we can be very stealthy and perhaps over a longer period of time, drop an executable and then do something with it and then so on and so forth.
So it’s then, you know, where’s that sort of point in that scale of how much noise we make that your controls pick us up effectively?
KA: I don’t think I’ve ever been to a hospital and ever thought that I might not be able to be treated because there might have been a cyberattack. Everything that’s ever come through my head like I, you know, you have the thoughts of like they might not be-
PH: Ironically, though, like I wouldn’t want to talk about WannaCry anymore. But ironically, at that time, you know, a lot of hospitals, even those that are in the news, a lot of hospitals were not affected, right?
But even the ones that weren’t affected still pull things off the network to make sure they weren’t affected by, you know, like if they had two analysers, they might pull one of them off until they worked out what was going on.
So even when they weren’t affected, patient care could be affected because of that, you know, to try to put that resilience in a case of the problem. So, you know, it’s-
JH: -they had that in Ireland didn’t they- shut down the entire health system. So that had an impact on surgeries.
KA: And I just don’t think me as a Day-To-Day person would have ever thought he’d go to hospital today. And that may not be, you know, we have to get the full treatment or access to everything or things might be delayed because of cyber.
I don’t think we, I don’t know if its at the forefront of everyone’s mind, really.
PH: If you think about it, in the past, the way hospitals- I mean, I’m not an expert, but the way that hospitals used to work, everything was on paper.
You discharge on paper. You know, these days they’re opening electronic patient records. And so the whole process of moving patients, prescribing medicines is all electronic.
JH: Even getting blood and that sort of thing is all electronically connected to the patient and the British system.
PH: Yeah, the fridges are.
JH: So that could have an impact if that system was compromised.
PH: And obviously, if those systems go offline, as if you think about the amount of data that’s going through, there’s only a certain amount of time that you can go with it off before you really can’t get a lot of data back in.
JH: Oh, I didn’t know that.
PH: You know, if they’re running on paper, you say, see, running up, I’m up and doing the exact times that you’re running tape for half an hour. You might then say, write somebody, please input that data and get us back up- they’re running for hours and hours.
JH: They’ll just go. Right, just write off.
PH: And then obviously things are- I think because obviously if you’re prescribing medicines that say, I’m going to be ordering that medicine again, and if you start to prescribe on paper, your stock levels are wrong.
So you’ve got to adjust your stock levels. You know, I mean, so it’s all very efficient, but you’ve got to make sure you’re keeping these systems safe.
Shak: So and I guess, you know, Phil’s sort of seen this as well around things like password hygiene.
Yeah, that comes up a lot. This is crazy. The amount of times we see-
KA: -password one, two, three?
Shak: And I would say privileged accounts.
PH: Often the worst, the privileged accounts!
Shak: One can say like, you know, I don’t want to be a part of this policy, although I guess we should go back to like legacy systems. Right. They’re very sensitive to, I guess, management and update and things like that and trying to get access to them. So it’s always, you know, we want easy access. And then that becomes an attack vector or let’s say of a vulnerability- an attacker is going to go after those systems and find those weak passwords.
And then they’ve got now, you know, some sort of admin level access or system level access that, you know, the consequences of that is that you’ve got a breached network. So any kind of compromised system where somebody is able to then grab those credentials, they can move across the network and do whatever they want.
So I would I would say, you know, we see that a lot. We see so and there’s going to be, I guess at some point some change in the way people, you know, look at passwords. And, you know, there is, I guess, long term sort of conversations around, you know, how identity and profiles and passwords are managed.
PH: We’ve done a lot of work with a lot of Trusts, a lot of police work with like a federated account. So they don’t have the admins and they only give them when they’re needed, you know, things like, you know, top logins, getting rid of passwords, single sign-ons.
They don’t have passwords, you know. And I think we were talking earlier about when places get hacked. I mean, one thing that I’ve commented on before is that, for example, if website X gets hacked and they’ve perhaps they’ve used- for example, my Core to Cloud email address with that account and a password. If I’m using that password somewhere else, they may have hacked that site, but they might go and try that using a password on 10 other sites. And if you’re using a common password, all of a sudden your one turns into 10, you know?
Shak: Yeah, it’s a very common technique. You know, it was like you said, and then it’s endless, really, as to what people can do if they’ve got any access. They’ve been able to perhaps compromise your work system, that they’ve been able to move onto your Facebook account, to your Gmail account.
And if you think of all of the different things that you use and what data and what information you’ve got on there, that’s all gold.
KA: OK, so for me, like for me, I’m like I’ve got a Facebook account. There’s nothing really that exciting on it. Why is that really bad that someone could get on my Facebook account?
PH: It’s your personal account, all your pictures, isn’t it? I mean, you don’t necessarily want your pictures of your kids getting out or, you know, you don’t necessarily want people taking pictures of you off your Facebook.
JH: You could use it for an impersonation as well. Right.
PH: I mean, yeah, you could have like date of birth, you know. That’s all your data that you then you know your bank uses for specific questions.
It could be. Where were you? Where were you born? What was your date of birth? Most of them probably figured out what’s the name of your dog probably on there.
KA: So they’re making a profile of me.
Shak: Yeah, it’s that whole reconnaissance piece.
Right. And, you know, that’s where attackers start to build up that sort of, I guess, information about you and especially high value targets. And it becomes like, OK, you know, where do they live? You know, where could we potentially be?
And they’re looking at your work, your home.
KA: You do things really innocently, don’t you? Because I can think about a time when my cousin, she moved into a new house. So she took a picture outside the house, which actually had the number, and then the street of the cul-de-sac.
Yeah. And then that week, she took pictures of like all the new stuff that was arriving, like the TV. And I’m really excited and did it. And then three weeks later, she posted that she was on holiday. Oh.
And I remember texting her ‘I probably wouldn’t say that you were on holiday’. And she was like, what are you on about. And I was like, whoa. Two, three weeks prior, you put your cul-de-sac, the number. You also said all the pictures of the new sofa, your TV, and now you’ve told everyone that, you know, that she was like- oh, God, I hadn’t thought about that. And her profile at the time, I think was public. This is like a few years back. But I don’t think you think of really instant highlights of your life that you want to share with people can be basically a big old hello
PH: It can be as simple as you’re out of office.
KA: I hadn’t even thought of that!
PH: You put an external email going out. I am away from the office now for two weeks.
People going, oh, this person’s on holiday. I mean, you know, these are simple things, I mean, again, you’ll see you’ve got the computer side of things and the controls which you’re talking about. There’s always the user site you need to, you know, train the users.
And I think something like PenTera of that actually kind of goes, look, this is what I’ve managed to do. Has the impact of people, people actually think because, you know, if you say you’re vulnerable to this, you go okay wait a minute.
Yeah. If you say and we’ve managed to do this, this and this on the back of it, the people got OK with.
KA: That’s what makes it real, though. Yeah. Yeah. I think that’s when I saw this. I saw PenTera for the first time- When you actually see the effect and what it could do, it makes it more real for everybody.
Shak: Yeah, I think it goes back to something that Phil mentioned earlier. It’s that visibility. Sometimes people just don’t know what’s out there. And just in terms of your estate, what your estate looks like, what systems are, I guess, around or available at a given time.
So if we were to test early in the morning, we may see different uses, different systems, so that visibility becomes important just to try and understand what does the landscape look like. And then even from a OS perspective, do we have any legacy systems?
The really basics we and sometimes people don’t have even that kind of visibility. So that becomes important.
KA: Can you see, is there like silly things like human behaviour of how do we make errors maybe later in the week or by the afternoon or stuff?
Can you start seeing things like that, a human error does that? Can you start seeing patterns-
PH: Obviously if somebody made something more open than it was before it would come up. You know, it depends on the change.
PH: I think one thing I was just thinking when Shak was talking as well. Yeah. Because a couple of things about PenTera to mention, really. One is that it’s really easy to upgrade and actually get the latest tools by just pressing one upgrade button.
OK, the second one is that when we’re talking about visibility, there’s a really easy way now of, because we talked about previously about a large customer we had around the world, and they’ve got the permanent remote attack nodes.
You can now do dynamic attack nodes within PenTera. And what that means is literally you click, you click a button, you say a Windows machine and a different part of your network, and you can use that machine to sniff all the traffic.
So previously, for example, you might have to move your PenTera device or change where it’s connected. So, for example, I’m up in Preston. Let’s use that as an example for, you know, and I could then select my machine in our office up there and then use that machine to sniff all traffic.
JH: And that’s a really helpful change.
PH: So it’s very easy to then get that visibility.
Shak: So that, you know, is the whole piece around scaling across your whole estate. Right. And like you said, you’d be impressed and then you’ve got to take your laptop and you’re coming down to Oxford or wherever it is this time.
Right. And it’s resources as well. And I think that’s the important thing, especially when you’re stretched as an IT team and you have a security team or your, you know, a one-man band. How do you manage all of the other sort of pressures on the business and the workload and all those things?
It really just helps in terms of having a platform where you can go or hit run and it’ll go off and start doing the reconnaissance piece, all of the attack vectors and things that we talked about and find those things.
And you go back and you just look at the output. So, you know, even of that process, you pick up the output and say, well, here’s one, two, three in terms of the critical things that I need to go and fix.
And this is how to fix them. You go and fix them. And then let’s say a week later, the same scan runs because it’s been set on a schedule now. And you get the same output again and you compare it against last week.
So you’ve now you’ve got this sort of trend analysis over time, being able to look at your estate and get to a point where you’re getting that that resilience, that improvement.
PH: And if something you drops in that’s going to knock the score down again. We shall know about it. Not wait a whole 12 months.
Shak: Yeah. You know, I guess this is you know, it’s sort of it’s the automation and it is key. And that’s how the automation really helps us with PenTera or to be able to consistently and continuously test.
JH: What other trends have you seen? You mentioned password.
Shak: Yeah, so passwords is a big one. I think these days people are pretty good at patching systems, I find. Occasionally you’ll have the odd system on a network that for whatever reason, hasn’t been touched because it’s owned by a third-party vendor.
And it’s kind of, there’s a grey line as to who patches it or who updates it or, you know, you can’t update it because it’s being managed by an external entity. So then getting that visibility that this system needs to be updated is patched.
We’ve seen systems that are still vulnerable to WannaCry. You know, we’re in 2021 and that was 2017.
PH: Yeah. It’s one that gets missed. It’s quite it does happen.
Shak: And it’s usually the old system. Right. And like we said, it’s that kind of scenario where, you know, there’s a grey line, there’s a grey area.
PH: And the idea of if you got really hard and well controlled system, it just takes one weak link and that’s your ruin.
Shak: Yeah. And that’s it. You know, it goes back to, you know, the scaling across your estate that nobody has the time to, you know, and especially when you talk about- I guess it could be an internal tester, it could be an external one, you need a full-time resource to go around and continuously test all of these different systems.
KA: And that’s the really great thing about it, isn’t it? Is that you don’t need a huge resource, which we touched on earlier, that people don’t have huge teams.
I think that was one of the most shocking things when I first went to Bolton. I just assumed because the hospital was quite huge, that a team would match that and to go in and say like, oh, you know, like no idea what I imagined. I just imagined Willy Wonka factory but for like, cybersecurity people. It wasn’t; it was just a small team. And you just think, oh, gosh, you’ve got to look after all these- all these elements and all these cogs, it’s quite unreal.
The longer I’ve been in this industry, I’ve realised that it’s not just healthcare. Yeah. Like when we do Case Studies and they’re like, oh, no, it’s just me and this guy. We do the whole world. Well, that surprised me.
PH: When I started speaking to people outside the NHS.
Sometimes we’ve even got a smaller team.
KA: Yes, you know, it’s really surprising how small teams are.
JH: Yeah. And it’s not just cyber is it’s all the business applications and workflows.
PH: And, you know, you need just business as usual.
JH: It’s just software to work for you, don’t you? Yeah. That’s key to PenTera, isn’t it, with the automation?
Shak: You know, I was just thinking about the use cases. There’s so many different- So I guess customer profiles that use PenTera. We talked about health care, but, you know, then we talk about, I guess, larger enterprises that have dedicated teams that are doing these kind of things. You know, day in, day out.
And even they love the pain that we take away. You know, to making a lot of this stuff. But, you know, I think we’ve had a couple of customers where we’ve talked about that aspect of doing the testing manually, but then spending the evenings writing out the reports on the findings.
Whereas, as soon as the test runs, you get the output, you get the findings straight away. It’s not a case of somebody having to understand all of the data and interpret the data.