The Verified service is Intruder’s proprietary managed vulnerability scanning solution, which provides expert insights and detailed security testing on top of automated scanning. As a consequence, it delivers a service which dives deeper into the security of your perimeter than any fully automated product on the market can provide.
This case study demonstrates the Verified service in action, and how it provided valuable insights for one of Intruder’s customers to allow them to identify threats beyond the capabilities of a fully automated security scanning solution.
The Verified service builds on top of Intruder’s continuous vulnerability monitoring service, by adding manual security testing performed by qualified penetration testers on top of your automated scans. Intruder’s security experts curate your scan results to analyse impacts, combine vulnerabilities and add business context to produce a more comprehensive security coverage which includes an expert human eye. For more information on what the Verified service includes, see here.
In Summer 2020, one of Intruder’s clients benefitted from the additional features of the Verified service to identify a serious weakness which could be easily exploited by a remote attacker. Like a lot of organisations with a vulnerability scanning requirement, the client’s technical team doesn’t have the capacity to internally follow up on vulnerability scan results and prioritise them for remediation. This is where Intruder’s Verified team came in, by notifying them of a serious weakness which presented an imminent risk to the business.
Intruder’s Verified team combines security issues present across your digital estate and “chains” them together, drawing on the available information to analyse where weaknesses can be escalated into more impactful attacks. This ensures that dangerous weaknesses which aren’t immediately apparent from an automated scan don’t slip under the radar. In this case, one server covered by the service was misconfigured to present verbose error messages which contained privileged information about its file structure. The server also suffered from a separate ‘local file inclusion’ weakness, which is where the server can be tricked into revealing information contained within sensitive files on the server. By chaining these two weaknesses together, Intruder was able to enumerate information about the file system in order to discover a sensitive configuration file which contained credentials for a database.
Though the affected system didn’t expose a database service of its own, another system covered by the Intruder service exposed a database to the internet. Intruder made use of the breached credentials and was able to log into the exposed database. This process of combining weaknesses performed by the Verified team could also be carried out by an attacker looking to breach the client’s systems, so an advisory was sent out to the business immediately to bring attention to the weakness and allow them to take action.
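The two server-side weaknesses chained above, a file-serving handler that can be pointed at files outside the web root and an error message that reveals the resolved path, are illustrated below as an added Python example. It is not Intruder’s or the customer’s code; the temporary document root, the file names, the placeholder credentials and the page allowlist are all constructed assumptions. The vulnerable handler is kept beside the hardened one so the difference is visible: the fix allowlists the page name, confirms the resolved path still sits inside the public directory, and returns a generic error instead of the path.

```python
"""Vulnerable vs hardened file-serving helper (added example, not Intruder's code)."""
import tempfile
from pathlib import Path

# Constructed sample document root: one public page and a config file that must never be served.
ROOT = Path(tempfile.mkdtemp(prefix="verified_demo_"))
(ROOT / "public").mkdir()
(ROOT / "public" / "help.html").write_text("<h1>Help</h1>")
(ROOT / "config").mkdir()
# Placeholder credentials, constructed for the example only.
(ROOT / "config" / "db.ini").write_text("[db]\nuser=app\npassword=EXAMPLE-NOT-REAL\n")


def vulnerable_read(page: str) -> str:
    """The pattern behind a local file inclusion weakness: the user-supplied name is joined to
    the web root and opened directly, so '../' sequences walk out of 'public'. On failure the
    handler echoes the resolved path, which is the verbose-error leak described in the article."""
    path = ROOT / "public" / page
    try:
        return path.read_text()
    except OSError as exc:
        return f"Error: could not open {path}: {exc}"  # leaks file-system layout


# Hypothetical allowlist of pages the application is meant to serve.
ALLOWED_PAGES = {"help.html", "index.html"}


class NotFound(Exception):
    """Generic failure raised by the hardened handler; carries no path information."""


def hardened_read(page: str) -> str:
    """Serve only allowlisted names, re-check that the resolved path is inside the public
    directory (defends against symlinks and encoding tricks the allowlist might miss), and
    never include the file-system path in the error."""
    if page not in ALLOWED_PAGES:
        raise NotFound("page not found")
    public_dir = (ROOT / "public").resolve()
    candidate = (public_dir / page).resolve()
    try:
        candidate.relative_to(public_dir)  # raises ValueError if outside public_dir
    except ValueError:
        raise NotFound("page not found")
    try:
        return candidate.read_text()
    except OSError:
        raise NotFound("page not found")


def hardened_is_served(page: str) -> bool:
    """Convenience check: True if the hardened handler would return content for this name."""
    try:
        hardened_read(page)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    print("vulnerable, traversal :", vulnerable_read("../config/db.ini").splitlines()[-1])
    print("vulnerable, missing   :", vulnerable_read("missing.html"))
    print("hardened, traversal   :", hardened_is_served("../config/db.ini"))
    print("hardened, allowlisted :", hardened_read("help.html"))
```

The allowlist alone would have blocked this particular chain, but the path check is kept as a second layer because allowlists drift as applications grow. The remaining links in the chain are configuration rather than code: the configuration file holding database credentials belongs outside the web root, and the database service should not be reachable from the internet at all.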
The Intruder team sent out an advisory right away to notify the customer of the security issue, how it could be exploited, and a recommendation on remediation action. This allowed the customer to respond promptly and put in place fixes to make sure malicious exploitation was prevented. Intruder also added some information on security best-practices which could be followed to help prevent similar weaknesses from arising in future.
The advisory was gratefully received, and Intruder’s Verified team confirmed that the fixes were effective and that exploitation was no longer possible.
Fully automated solutions don’t understand context. The business context and circumstances of a vulnerability can affect the overall impact of the weakness if it is successfully exploited. Intruder triages Verified service weaknesses to modify the overall risk rating. Where the server in use is particularly sensitive, or the vulnerability is circumstantially more serious than it would normally be, impacts are adjusted upwards. Equally, where a vulnerability is only partially exploitable, or mitigating factors are in place, impacts are adjusted downwards.
In the process of discovering the weaknesses outlined above, on top of the Verified advisory issued to the customer, Intruder reviewed the impact of the weaknesses reported. On its own, a generic local file inclusion vulnerability is normally reported as ‘High’ severity by the scanner, and Intruder normally reports an exposed database and verbose error messages as ‘Medium’ and ‘Low’ risk issues respectively. In this case, the three weaknesses were combined into a ‘Critical’ level weakness, for which urgent remediation action is recommended. This kind of impact review helps customers to prioritise security fixes where they are needed most in order to prevent a breach.
Technology is advancing every year, but it is yet to replace the vigilant human eye. While automated scanning tools will give you a certain degree of protection, they can never be as thorough as when you hire an external team of penetration testers to look after your systems. At Intruder, our certified penetration testers will continuously review your scan results, separate real weaknesses from false positives, and find serious vulnerabilities that require a well-versed human touch.
If you are interested in the Verified service and want to find out how it can help protect your business, contact us today.