What is the NIST Penetration Testing Framework?

With each passing year the risk of cyberthreat looms larger. While the integration of new technologies has created business efficiencies and increased interconnectivity, it has also exposed organizations to new forms of cyber-related risks. In response to this growing problem, the National Institute of Standards and Technology (NIST) produced the NIST Cybersecurity Framework (CSF). The framework serves as guidelines for managing your cybersecurity risks. One of the best ways to assess your adherence to NIST is by conducting a NIST-based penetration (pen) test. But what does the pentest framework entail? 

Let’s discuss. 

 

What is a NIST Penetration Test? 

A pen test is often referred to as a form of “ethical hacking.”  

If your organization wants to assess your cybersecurity vulnerabilities, few methods are more effective. It exposes your system’s strengths and weaknesses, which can then be exploited to see how deep down the proverbial rabbit hole a hacker could possibly go. By mimicking a real-world attack you can identify possible methods for bypassing the security features of your network, system, or application.

There are several benefits of a pen test, including:

• Gauge how rigorous your defenses are and how well your system tolerates a real-world attack. 
• Discover the necessary level of sophistication an attacker would need to have to successfully compromise your cybersecurity defenses.
• Determine further counter measures that could limit threats to the system.
• Learn how effectively you’re able to detect an attack and then respond to it. 

The more intensive the penetration test, the more useful and actionable information you’ll have to respond to. More info tends to lead to better security practices. According to NIST:

Penetration test scenarios should focus on locating and targeting exploitable defects in the design and implementation of an application, system, or network. Tests should reproduce both the most likely and most damaging attack patterns—including worst-case scenarios such as malicious actions by administrators. 

The pen testing process is relatively straightforward—the business and the tester agree to a strict set of testing parameters, and then the tester goes to work in one of two ways: 

 

External Pen Test 

External pen testing takes place from outside your organization’s security perimeter. 

Also known as black hat testing, it allows your business to measure your security posture as it would appear to outsiders that sought entry into your network (typically via the internet); the tester starts with zero knowledge of your cybersecurity environment. 

The goal of the external pen test is to reveal vulnerabilities that could be exploited by a malicious attacker. Although each approach differs, you can expect a tester to take the following route: 

• Reconnaissance – Tester goes on a fact finding mission, scouring the internet for publicly available information such as:
  • DNS server information
  • IP addresses   
  • OS
  • Newsgroup postings 
• Enumeration – Tester uses discoveries and scanning techniques to find external hosts as well as listening services. 
• Evasion – Tester applies evasion techniques to circumvent common perimeter defenses like:
  • Firewalls
  • Routers
  • Access controls
• Initial attacks – Tester sends the opening salvo of attacks in order to test the response of common application protocols. 
• Vulnerability attacks – After finding servers that are externally accessible, the tester seeks to gain access to internal servers and sensitive information. 
• Continued discovery – Tester looks for alternative access method exposures, including:
  • Wireless access points
  • Modems
  • Portals to internal servers

 

Need a Penetration Test? Learn more.

 

Internal Pen Test

Internal testing gives the attacker a head start of sorts. 

They’re provided information beforehand, which allows them to simulate an attack from an employee. This means they start from a privileged position.

An internal pen test reveals exploitable vulnerabilities, particularly those related to system-level security and configurations, including:

• Authentication
• Access control
• System hardening
• Application configuration
• Service configuration 

Usually, the tester begins with at least some level of access to the network, with the same privileges and information a typical user would have; although they could be granted even more privileges, depending on your specific goals of the test. 

The tester’s goal is to gain further access to other networks and systems via privilege escalation. From there, the mission is to determine how deep into a network a hacker could go as well as how much damage could potentially be done. 

The Pentest Framework Phases 

Whether the pen test is internal or external, the NIST penetration testing framework focuses on four overarching phases:

1. Planning
2. Discovery
3. Attack
4. Reporting

A tester doesn’t conduct a single test, rather several of them. This creates a feedback loop, where newfound information allows them to delve deeper into your system. You can see the visual representation of this loop in this this diagram:

 

Planning Phase 

The planning phase represents the pre-phase of penetration testing. During this initial stage, the pen tester will meet with your organization to outline the specifics of the test, including:

• Expectations
• Objectives
• Goals
• Legal implications

The tester seeks to gain a deep understanding of risks, culture, and what types of tests need to be done. After rules have been identified, your organization should get management approval with documentation.

It’s important to note that zero testing takes place in phase one.  

 

Discovery Phase 

The discovery phase can actually be broken up into two separate subphases:

Testing 

The tester begins the initial process of testing, which is intended to gather information and scan systems. Depending on the attacker, there are several different techniques that can be used to gather crucial details, including:

• Network port and service identification – Tester uses a port scanner to identify:
  • Network ports 
  • Services currently operating on active hosts
  • Applications running on each identified service

 

• Hostname and IP address information – Tester performs DNS queries, network sniffing, and Inter NIC queries to discover hostname and IP addresses. 
• System information – Although this is usually limited to internal tests, Network Information Systems and NetBIOS enumeration can be leveraged to find information such as shares and names.  
• Employee names and contact info – Tester searches your web servers or director servers to reveal employee information. 
• Application and service information – Banner grabbing allows testers to record version numbers. 
• Physical fact finding – In addition, physical walkthroughs of facilities or dumpster diving may provide further useful information. 

 

Vulnerability Analysis 

The next part of the discovery phase involves vulnerability analysis. 

During this stage, the tester will gather the services, applications, and OS of scanned hosts. They will then compare those categories against vulnerability databases and the tester’s own knowledge. 

This can be done using either digital or manual processes. Manual processes take longer but may be able to identify vulnerabilities that an automatic scanner could miss. 

Attack Phase

As the NIST phrases it, “Executing an attack is at the heart of any penetration test.”

Typically, the attack phase follows four steps, which are then repeated if successful:

1. Gaining access – If an attack is successful, the vulnerability is confirmed and possible mitigating responses listed. Most exploits don’t allow the tester to have the max level of access; rather they tend to teach the tester more about the network and its vulnerabilities.
2. Escalating privileges – In some cases an exploit may allow the tester to escalate their privileges on the network or system to ascertain the true risk level. 
3. System browsing – Information gathering processes allow testers to identify new ways to gain access to additional systems. 
4. Install additional tools – If the tester gets this far they can install more tools on the system or network, which would then enable them to delve into additional systems or resources. 

After step 4 takes place, you can leverage that new information to return to step 1 and begin the process anew. With each successive attack the tester is able to gather more information about the systems and network. This in turn allows them to exploit newly discovered vulnerabilities and gain even further access. 

Common vulnerabilities include: 

• Misconfigurations – Misconfigured security settings or partially insecure default settings. 
• Kernel flaws – The Kernel code—the central aspect of an OS—is in charge of executing the total security model.
• Buffer overflows – If programs don’t properly address input for the right length, arbitrary code with administrator level privileges may enter the system.
• Insufficient input validation – When applications fail to validate the input they receive from users, it exposes the system to SQL injection attacks. 
• Symbolic links – Also known as a symlink, this type of file sends you to another file. Symlinks could be exploited to compromise system files.
• Race conditions – If a program is in privileged mode, a user can carefully time their attack, using the elevated privileges as an entryway. 
• Incorrect file and directory permissions – Improper permissions could possibly expose your system to a host of different attacks.

 

Reporting Phase 

Although it’s technically last in order, the reporting phase should be occurring throughout the other three phases of the pen test. This is usually maintained via written logs and periodic reports.

Once the test is finished, the testing team will prepare a comprehensive report that includes:

• Known vulnerabilities
• Present risk ratings
• Remediation guidance 

In six months to a year’s time the test can be repeated to see how successful your organization was at mitigation your overall risk profile. 

 

The 5 Core Functions of the NIST Framework 

Pen testing helps your organization adhere to the framework set up by the NIST. 

The framework was created to improve your critical infrastructure’s cybersecurity by following the five core functions:

1. Identify – It’s mission critical that organizations develop a deep and comprehensive understanding of their security environment to better manage the various risks to their systems, assets, capabilities, and data. This knowledge enables you to prioritize your efforts according to a risk management strategy—one that’s tailored to your business needs. 

If you want to follow this function, you must have total visibility over your digital and physical assets. Doing so enables you to better understand your risk exposure and thus input risk mitigating actions.

1. Protect – Once you’ve identified risks, you must respond to them. How? By developing and implementing the proper protections to prevent or reduce the impact of an attack. This can be in a number of ways, including:
   1. Access controls
   2. Identify management
   3. Awareness and training
   4. Data security
   5. Information protection processes and procedures
   6. Protective technology
   7. Maintenance 
2. Detect – You need to install measures that can instantly detect an attack or anomalous activity. Monitoring should take place on a continuous basis so that your organization is able to maintain visibility on networks and thus respond to or anticipate an attack. By perpetually hunting for threats you can gauge the efficacy of your system and prepare for future threats. 
3. Respond – If a cyberbreach does occur, your organization must have plans in place to prevent it from doing serious damage. Your response plan should clearly innumerate the parties in charge of the response and the mitigating actions necessary to both stop the event and prevent future exposure. Once the event is over you have an opportunity to identify areas of improvement. 
4. Recover – What happens if an attack cripples or impairs your capabilities or services? You need to have a recovery plan in place that allows you to restore activities and capabilities. Typically, this will be based on a prioritized list of action points that function as the guidelines for a speedy recovery.  

 

NIST Pen Testing with RSI Security  

By mimicking a real-world attack a pen test is the one of the best methods you can employ to take stock of your organization’s cybersecurity defenses. And by doing it regularly, you can bolster your efforts to prevent hackers from accessing your mission critical systems and data. 

Penetration testing empowers you to: 

• Identify security gaps and exposures
• Prioritize cybersecurity risks
• Discover misconfigurations and backdoor exploits
• Understand all potential attack vectors
• Respond to a breach in a quick and effective manner 

But who can you trust to adequately perform a pen test according to the NIST penetration testing framework? 

RSI Security as pen testing specialists, we put you inside the heads of hackers so that you’re always a step ahead of them. So, if you need help today, look no further. Reach out to us today to see how we can help conduct an effective test and bolster your cybersecurity! 

 

 

---

Schedule a free consultation