We conduct a wide variety of assessments for a wide range of clients. We provide assessment services for universities, health care companies, law firms, telecommunication providers, and many more. Some of our clients have mature infrastructures, while others are still trying to develop an essential security operation. Regardless of the size or maturity, one of the things we rarely see is our clients conducting their own internal audits between penetration tests.
What We See
When we wrap an engagement, we provide a report complete with technical findings and the tooling we use. Aside from our vulnerability scanners (Burp Suite Pro and Nessus), most of the tools we use are open-source and common to the field. Even the tools I have written to use in my day-to-day are open source and available. What we rarely see, however, is our clients taking those tools into their environments and using them for conducting their own periodic audits.
This may sound like a need for a purple team, but one is not necessary. We are happy to help provide those services, but the point is for a company to take ownership of those security needs between its testing cycles. Our reports are a true snapshot in time, and the results may sometimes be quite consequential. Imagine, then, if a team were to take the results of our testing and build upon them internally. For example, referencing our tools and techniques, a security operation could conduct its own IPv6 testing with mitm6 (https://github.com/dirkjanm/mitm6) or run Responder (https://github.com/lgandx/Responder) on the network on occasion to see if vulnerable hashes are coming through. These tests are generally safe when run for controlled durations, and any impact they cause can be remedied by stopping the scans.
What You Can Do
The point here is to encourage security teams to identify threats before we do. We appreciate the quick wins, but we also appreciate it when a client has a mature security apparatus. The intention isn’t for a client to stop seeking services, either. Instead, it is to ensure that clients improve upon lessons learned between those engagements and build a more secure environment for their employees and customers.
If you’re interested in learning more about the tools and techniques we use, check out https://academy.tcm-sec.com, where we host hundreds of hours of educational content. Our team can also provide targeted training for your security teams in the safe operation of the same tools we use on every engagement. To learn more about these types of opportunities, don’t hesitate to contact us.