One of the lesser-known but important roles of the Trustwave Fusion portal, through its Fusion Security Testing Suite (STS), is as the conduit for our clients when they run a penetration testing program.
Over the last few months we've written about Red Team and Purple Team penetration testing and the need to discover vulnerabilities before they become a problem. Those blogs covered the need for different types of testing; here we want to cover the process and tools used by our Trustwave SpiderLabs pentesters.
So, how do we go about conducting a penetration test and then present the results to our clients?
To start with, Trustwave's process has been in place for more than 10 years and is tied directly to our industry-leading Fusion platform.
Fusion is a cloud-based cybersecurity platform that serves as the foundation for the Trustwave Managed Security Services, Managed Detection and Response, and other cybersecurity offerings. Generally, Fusion gives clients an up-to-the-minute, single pane of glass view into their security situation, but it also serves an essential role in our pentest program.
Here we make use of a particular part of Fusion, the Security Testing Suite (STS), which gives the client a detailed view of the results of their pentest. As a result, Trustwave does not merely print out a report, drop it on the client's desk and leave.
Fusion STS brings visibility into the process and scalability, allowing Trustwave to conduct pentests for an organization of any size, from a small or medium-sized business to an enterprise.
Trustwave's Penetration Testing Process
So, before a client gets to the point when information is available on Fusion, a pentest must be set up. The first step has a client purchasing the credits needed to run the test and then putting together a testing plan.
The Fusion STS enrollment page.
Three types of tests can be conducted. The first is a managed test that includes basic hygiene checks. Next is system scanning with actionable findings for remediation. Third are network and application penetration tests. Each of these tests is available in four tiers of service (a complete breakdown of Trustwave's offerings is available separately). We can also deliver ad hoc testing via the portal at more traditional day rates.
- Basic – a simulation of a basic attack executed by an attacker of limited sophistication with minimal skill, typically using freely available automated attack tools
- Opportunistic – a simulation of an opportunistic attack executed by a skilled attacker that does not spend an extensive amount of time executing highly sophisticated attacks, typically seeking easy targets using a mix of automated tools and manual exploitation
- Targeted – a simulation of a targeted attack executed by a skilled and patient attacker expending a significant effort trying to compromise a specific organization’s systems
- Advanced – a simulation of an advanced attack executed by a highly motivated, well-funded and sophisticated attacker, who will exhaust all options for compromise before relenting.
Setting an Assessment Schedule
Once testing has been purchased, as a package or otherwise, our operations team creates an account that lets each side schedule an assessment. Retesting can also be purchased and scheduled to confirm that the client has fixed the issues found by the test.
Once the test is scheduled and the prerequisites have been entered into STS, it appears in the consultant view, ready to be picked up or assigned. The team then confirms that the client has completed all the test prerequisites and that they are working as intended.
Once all of this is in place, the test begins and is generally completed within the testing window for that piece of work.
We are capable of testing applications, internal and external networks, and infrastructure along with red and purple team exercises. Cloud and OS configuration reviews as well as other bespoke engagements are also covered.
Once the testing is complete, and has adhered to industry standards and the test classes defined in our delivery model, we send the report for QA.
The QA team makes sure the report is not only technically correct but also well written, and that all the methodologies we are expected to use were in fact followed during the test. This team also ensures that testing is consistent from one engagement to the next.
The report is then made available to the client within the portal.
Problems are Uncovered, What's Next?
Once the process is completed, and the client has viewed the results in Fusion STS, we discuss how to fix the issues.
This aspect generally falls into a couple of categories.
First, the report includes recommendations made by the Trustwave team on how to rectify any problems, along with a detailed description and the supporting reference information related to the problem(s).
Generally, a client takes this information and fixes the problems internally. Trustwave's role is then to conduct a follow-up or maintenance test to confirm that the client's remediation actions have actually fixed those issues.
However, if a client does not have the internal capability to fix the problem, the client can call upon SpiderLabs to assist in remediation.
The Trustwave Difference
Trustwave believes in creating a direct and strong connection with all of our pentest clients. Therefore, we do not run a test, generate a PDF report, and then just toss it back to the customer and move on.
Fusion STS gives clients a centralized place where all their tests live. So, if you are running hundreds of pentests over a period of time, all of them can be found in Fusion STS. This single pane of glass not only gives 24/7 visibility, but if the client contact leaves the company, their replacement has instant access without having to dig through emails or sort through a paper trail.
Fusion STS also has an API that allows all parties to track a problem from discovery to mitigation. The system assigns each finding a unique identifier that we use to follow the workflow within the portal. That identifier can then be used to integrate findings into ticketing systems such as ServiceNow, saving clients a great deal of manual data entry.
We believe this capability is extremely useful because a client can track the life cycle of a vulnerability in an automated way, from the moment it is reported to the point where the retest lets us close it.
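The ticketing integration described above hinges on one design choice: the finding's unique identifier is the correlation key, so each sync run can be idempotent (re-running it on the same export creates no duplicate tickets). The following is an added example of that reconciliation logic, not code from Trustwave or the Fusion STS API. The field names, the `FND-` identifier format, the status values and the sample findings and tickets are all constructed assumptions; a real connector would replace the in-memory dictionaries with calls to the portal's API and the ticketing system's API.

```python
"""Idempotent sync of pentest findings into a ticketing system, keyed on the
finding's unique identifier.

Constructed example: the Finding/Ticket schemas, the FND-nnnn identifier
format and the status values are assumptions, not the real portal's API.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class FindingStatus(str, Enum):
    OPEN = "open"                  # present in the latest test or retest
    REMEDIATED = "remediated"      # retest confirmed the fix
    RISK_ACCEPTED = "risk_accepted"  # client chose not to fix


@dataclass(frozen=True)
class Finding:
    finding_id: str   # unique identifier assigned by the portal (assumed format)
    title: str
    severity: str     # "critical" | "high" | "medium" | "low"
    asset: str
    status: FindingStatus


@dataclass
class Ticket:
    finding_id: str   # correlation key back to the finding
    summary: str
    severity: str
    state: str        # "new" | "in_progress" | "closed"


SEVERITY_TO_PRIORITY = {"critical": 1, "high": 2, "medium": 3, "low": 4}


def reconcile(findings: List[Finding], tickets: Dict[str, Ticket]) -> List[dict]:
    """Compare the latest findings export against existing tickets (keyed by
    finding_id), apply the changes to `tickets`, and return the actions a
    connector would push to the ticketing system. Because every decision is
    derived from the current state of both sides, a second run on the same
    input returns an empty action list."""
    actions: List[dict] = []
    for f in sorted(findings, key=lambda x: x.finding_id):
        t = tickets.get(f.finding_id)
        priority = SEVERITY_TO_PRIORITY.get(f.severity, 4)
        if f.status is FindingStatus.OPEN:
            if t is None:
                # First time we see this finding: open exactly one ticket.
                tickets[f.finding_id] = Ticket(
                    f.finding_id, f"[{f.finding_id}] {f.title} on {f.asset}",
                    f.severity, "new")
                actions.append({"action": "create", "finding_id": f.finding_id,
                                "priority": priority})
            elif t.state == "closed":
                # Retest found the issue again after the ticket was closed.
                t.state = "new"
                actions.append({"action": "reopen", "finding_id": f.finding_id,
                                "priority": priority})
            elif t.severity != f.severity:
                # Severity was re-rated between tests; keep the ticket in step.
                t.severity = f.severity
                actions.append({"action": "update_priority",
                                "finding_id": f.finding_id, "priority": priority})
        elif t is not None and t.state != "closed":
            # Remediated or risk-accepted: close the ticket, once, with a reason.
            t.state = "closed"
            actions.append({"action": "close", "finding_id": f.finding_id,
                            "reason": f.status.value})
    return actions


def run_example() -> Tuple[List[dict], List[dict], Dict[str, Ticket]]:
    """Constructed sample data covering each branch of reconcile()."""
    findings = [
        Finding("FND-0001", "SQL injection in login", "critical", "app.example", FindingStatus.OPEN),
        Finding("FND-0002", "TLS 1.0 enabled", "medium", "vpn.example", FindingStatus.REMEDIATED),
        Finding("FND-0003", "Default creds on printer", "high", "10.0.0.9", FindingStatus.OPEN),
        Finding("FND-0004", "Verbose error pages", "high", "api.example", FindingStatus.OPEN),
        Finding("FND-0005", "Outdated jQuery", "low", "www.example", FindingStatus.REMEDIATED),
    ]
    tickets = {
        "FND-0002": Ticket("FND-0002", "[FND-0002] TLS 1.0 enabled", "medium", "in_progress"),
        "FND-0003": Ticket("FND-0003", "[FND-0003] Default creds", "high", "closed"),
        "FND-0004": Ticket("FND-0004", "[FND-0004] Verbose errors", "medium", "new"),
    }
    first_pass = reconcile(findings, tickets)
    second_pass = reconcile(findings, tickets)  # should be a no-op
    return first_pass, second_pass, tickets


if __name__ == "__main__":
    first, second, _ = run_example()
    for a in first:
        print(a)
    print("second pass actions:", second)
```

Note that a remediated finding with no ticket (FND-0005 above) produces no action at all: the connector never creates a ticket just to close it, which keeps the ticket queue aligned with work that actually needs doing.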