lolloj - Fotolia

Can you trust pen-testers?

Pen-testers have knowingly posted security workarounds on the public internet that are now commonly used by hackers

Penetration testing, or pen-testing, aims to identify weaknesses in enterprise security, but the tools and techniques of pen-testers are actively being exploited by hackers, BlackBerry has warned.

In its new report, Thin red line: penetration testing practices examined, BlackBerry’s authors noted that the primary goal of penetration testing is to help clients reduce their risk. “Our review of more than two dozen companies offering pen-testing services has led us to conclude that certain common practices are actually resulting in the introduction of risks to clients with regard to privacy and confidentiality,” they said.

BlackBerry’s research found a plethora of cases where pen-testers themselves had published bypasses for built-in operating system protections and defensive security products such as antivirus software. “Soon afterwards, we have watched a range of advanced threat actors adopt and deploy them successfully,” BlackBerry warned in the report. “Apparently, this is happening without any coordinated disclosure with the defensive security companies.”

Josh Lemos, vice-president of research and intelligence at BlackBerry Cylance, said: “Over the past five years, the explosion of groups around the globe offering offensive testing services has led to practices that can materially compromise a company’s security posture.”

The report noted that there were a multitude of examples of public disclosure of security product bypasses by pen-testers resulting in speedy implementation by advanced persistent threat (APT) groups. “All that is needed is a simple search of the phrase ‘AV [antivirus] bypass’ on Twitter, given that roughly 80% of the results yield open postings by pen-testers,” it said.

In one case, which occurred on 19 April 2016, BlackBerry said a pen-tester published a blog post in which he presented a problem he had encountered in failing to bypass a built-in protective feature of Windows during client engagements. Hoping to assist other pen-testers who may have encountered the same problem, he then posted a legitimate bypass of that security feature.

According to BlackBerry, the pen-tester’s webpage has since been taken down, but an archived version is still available. “No sooner had the pen-tester posted the bypass than the technique was implemented in real-world attacks across hundreds of targets by more than half a dozen APT and criminal groups – a problem that has continued for years afterwards,” said the report.

Kevin Livelli, director of threat intelligence at BlackBerry Cylance, added: “We must hold ourselves accountable to each other and to ourselves to ensure that we remain good stewards for those who rely on our support – and be deserving of their trust.”

The report also found instances of trained experts at security companiies confusing pen-testers with threat actors.

Read more about pen-testing

  • Bug bounty programmes have recently become a popular method of vulnerability management, but poor programme management can lead to development teams becoming overwhelmed and bugs being missed.
  • By moving to the cloud, a business can offload some responsibility for lost or stolen data, but external penetration testing in the datacentre remains critical.

Read more on Hackers and cybercrime prevention