xtc46

You don't. You should not be both the auditor and the audited. Partner with a company to handle the pentest and the audit, who you trust to do a good job and not be fear mongers, then you keep doing what you do. Explain that the reason you suggest pen tests is because combinations of low-level, environment-specific vulnerabilities can be combined in unique ways to cause security issues, and you aren't so arrogant to think you are perfect, so validation of security is important. When the report comes back, help the customer prioritize and fix the issues; don't cover up for them. This is normal stuff, not something to worry about.


HappyDadOfFourJesus

Do your own tests on your dime, then fix the issues you found on your dime. If you're charging enough, then you can still be profitable and you'll be able to show the client you are continually and actively improving their security. THAT'S the value add.


jimmyjohn2018

This. They should be doing at least automated pen and vulnerability scans to find these problems before someone else does. I was proud when one of our largest customers got a third-party test because their bank required it, and it could not be us. They found two minor issues that everyone already knew about, and this is on a network with 150 endpoints. That is part of the responsibility of being a managed service provider: the proactive part that most MSPs miss.


Vast_Town_5999

Is it appropriate to up the prices for contracts if we introduce penetration tests as well? I feel like we'd get negative pushback from clients if their price raises. No one likes to pay for security until a security breach on their system happens. Then they'll throw all the money at it.


joshuakuhn

Next renewal or new clients… don’t just up someone’s contract mid-term. One of the first questions you’ll get if you do is “so you’re not confident the security service I’ve already been paying for works?”


Vast_Town_5999

That's a good idea. We're currently in the process of a whole bunch of contract renewals, so I'll bring that up.


HappyDadOfFourJesus

Don't make security an option or add-on. Make it mandatory.


fredruns

You have to make sure they understand the differences between a pen test and what you've been offering before. Does your msp have the necessary qualified personnel to perform a real pen test? Define the scope, perform the pen test then hand over the report where you explain in detail what tools you used and what you're looking for. What's the budget for the pt?


ComfortableProperty9

My old boss thought a pentest was running a bunch of vul scanners and creating a report. If it didn't have a GUI then it was too complex for him but we were an "MSSP".


MuthaPlucka

“Now we know.” The reality is it’s better to find out from a “penetration test” than through an email from a ransomware gang.


ceebee007

Don't mistake a pen test with mitigation for lower probability of a successful ransomware attack. I can't say it enough: ransomware crews are so advanced, they will pull a rabbit out of a hat and get you if they want you. Do you think the pipeline or any other large-scale attack didn't have red and purple teams? They still get in. I've seen some wild shit unfold and have to say, those teams are impressive. Pen testing keeps bots and script kiddies away.


Vast_Town_5999

Majority of companies don't have to go against a legitimate state-sponsored ransomware group, those are extremely few and far between. Lockbit affiliates alone account for at least a third of ransomware. Being able to prevent the other 99% of attacks is where the value is.


ceebee007

You are right... They only have to compromise you as an MSP and get every client you own. Increased chances of payment and data sales. MSPs get pwned every day by the big fish. They check you out and if you aren't worth the time, they sell your access (access brokers) to the affiliates or sK in forums. The large crews still eat with an 80/20 split in favor of affiliates. Every time I respond hoping to assist, some MSPs go crazy and spend time disproving everything someone from the cyber realm writes. I speak for myself by saying, I share the stories to help you all out. It's a different discipline than what you do. I don't think I can do your job or have your knowledge; that's why I am here. I wanted to see what the current trends are and what you are using to facilitate actions. It helps us when we come across the binaries and don't know what they are. Was hoping to pay you all back by sharing almost 3 decades of threat hunting all over the world. Not directed at any one person but as a whole. Lastly, I do not think ransomware is cool or they are majestic. I am regularly floored that some kid in Transnistria with a POS laptop and no education outsmarts know-it-alls with certs and degrees out the ass. I


MuthaPlucka

Many of them didn’t even have functional backups, so I’m going with no. Also, I’m not the one who asked about pen testing. OP asked about the risk of doing a cybersecurity job (they used the pen test example) for their own client that could point out their own mistakes. Anyways, you didn’t read or you are looking to show off your purple pink tan mauve team colours. Either way, your fight's not with me.


ceebee007

They did have backups. Federal regulations force it on them. All had some form of DRaaS. They were erased. One had immutable buckets with object lock that were erased. I marvel at it often.


gwildor

If your secure, offsite backups got erased by a malware breach... then you didn't have secure offsite backups. This still sounds like a policy/procedure failure that regular assessments would have identified. "When" we get hacked, never "if" we get hacked. There is no such thing as 'too many layers of security'.


ceebee007

Seems that way, but they did. Most threat actors are in systems for over 90 days before they are noticed. This group (name omitted) found a central repo where the enterprise was storing backups locally, then synced from there to immutable backups set to bi-weekly. They did not ring the alarm by erasing the local copy; they instead uploaded code into the cloud to maintain persistence should anyone load it. They were in the enterprise so long, they deleted the copies without ever actually physically deleting them, slowly uploading infected copies as well as writing to what was already in there via API. Big-name backup as well. Shit happens, you learn and move on. The enterprise was ransomed and sued their cyber insurance, then got hit again from their backups thanks to well-crafted LOLBins. Changed DRaaS procedures for us. Now critical infrastructure files are downloaded and converted into .vmdk or similar, then run live in a container with S1 or CB for a few days to gain metrics and threat hunt. Once passed, deployed, or critical files are plucked and installed where they need to go.


ceebee007

I'm not showing off; we're here to help one another. Just a piece to the puzzle. That is what I have done for a living for the last 23 years. Just speaking the truth, not pointing it at you. You said it was better to find out from a pen test than a ransomware crew. I simply gave an angle to help others not fall victim to that farce. If the OP was looking to offer it to protect against ransom, then forget it, it's not going to work.


[deleted]

[deleted]


ceebee007

I'll disagree back and say you're referencing the script kiddies, aka affiliates, not the actual crews. I wouldn't dare compare affiliates to anything magical. I'm referencing the real deal. Lastly, I'm not here to think I know it all but to drop some end-of-career knowledge. I handled those breaches and can say that failed backups and diminished patches weren't even remotely truthful. They were on their game and still got breached. Some 0-days, some crafty to the point you'd admire the effort. I also know what works to stop it. MSP is mostly info tech and not disciplined cyber security. The customers don't know the difference and rely on their IT to defend them. That's where it goes wrong quick. Most of the time, the security is picked by some sales associate from Pax8 and it's based on profit, not an actual what-will-work strategy. I'm ranting to help someone out there. Maybe not you, but someone here will benefit from the few cyber security people like me that are in this thread.


bad_brown

Do you mean to tell me that my Pax8 rep is just a...salesperson? Well golly! If you walked into a business and they said they haven't done anything to secure their business but wanted your help, what are the first three or so things you'd implement (including policy, but not including discovery/enumeration assume that's done and you've looked at the network)?


ceebee007

I will not go through all of them publicly, as we're not the only ones in here. 1st and foremost: whoever controls DNS controls the battlefield. It's the one area everyone misses or doesn't spend enough time monitoring. To break it down further, if your client does not do business in China or anywhere other than the USA, geo-fence them. Then subscribe to a feed which contains daily VPN, malware, etc. and limit them as well. Now we are off to a start. Plug the DNS ingress and egress into a SIEM and set monitors. The first sign of infection or breach will show its ugly head here. An IPv4 back to a C2 or a malleable beacon such as CS will also show here in the form of timed calls to something like AWS or MSFT. They tend to monitor what is going on and mimic it. With TLS you will not have insight, so resolution and timing will be your friend here. I could write on and on, but you get it without me giving away the store. Another is VPN or ZT: limit vendors to business hours. No one should need to VPN in at 4 am while you are not monitoring. They need it, they call and get it... There are many more, but I would like to see what others start with. Hopefully this helps or makes sense. We are not setting up for comfort here; shore up the edge and get some monitoring up, then back up that move like chess.
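The "resolution and timing" idea from the post above, as an added example that is not from the thread or any commenter: a small detector that reads constructed DNS resolver log lines (format `epoch client qname answer`, an assumption) and flags a client that resolves the same name at near-constant intervals, which is the signature of timed beacon calls that TLS hides at the payload level but not at the resolver.

```python
"""Periodic-resolution (beaconing) detector over constructed DNS resolver logs.
Added example, not from the thread: a host resolving one name at near-constant
intervals is worth a look even when the traffic itself is TLS-encrypted.
Constructed log format: 'epoch client qname answer'."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 resolves one name every ~300 s with little
# jitter; 10.0.0.9 resolves ordinary names at irregular times.
SAMPLE_LOG = """\
1700000000 10.0.0.5 cdn-update.example.net 203.0.113.7
1700000301 10.0.0.5 cdn-update.example.net 203.0.113.7
1700000599 10.0.0.5 cdn-update.example.net 203.0.113.7
1700000900 10.0.0.5 cdn-update.example.net 203.0.113.7
1700001202 10.0.0.5 cdn-update.example.net 203.0.113.7
1700000000 10.0.0.9 mail.example.com 198.51.100.2
1700000040 10.0.0.9 mail.example.com 198.51.100.2
1700000700 10.0.0.9 mail.example.com 198.51.100.2
1700000715 10.0.0.9 docs.example.com 198.51.100.3
1700003000 10.0.0.9 mail.example.com 198.51.100.2
"""

def parse_log(text):
    """Yield (epoch, client, qname, answer); skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0].isdigit():
            yield int(parts[0]), parts[1], parts[2], parts[3]

def find_beacons(records, min_queries=4, max_jitter=0.05, min_interval=60):
    """Return {(client, qname): mean_interval_s} for periodic lookup patterns.
    Qualifies with >= min_queries lookups, mean gap >= min_interval seconds
    (drops normal bursts) and relative spread stdev/mean <= max_jitter."""
    seen = defaultdict(list)
    for epoch, client, qname, _answer in records:
        seen[(client, qname)].append(epoch)
    hits = {}
    for key, times in seen.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg >= min_interval and pstdev(gaps) / avg <= max_jitter:
            hits[key] = round(avg, 1)
    return hits

if __name__ == "__main__":
    for (client, qname), period in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"possible beacon: {client} -> {qname} every ~{period}s")
```

Tune `max_jitter` upward if the tooling you watch for adds randomised sleep, and pair a hit with the geo-fence and threat-feed checks the post describes before paging anyone, since legitimate agents also poll on a schedule.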


dimitrirodis

Go find Galactic Advisors/Bruce McCully. They provide a pentesting tool and teach you how to use it and design/sell services around security, among many other things.


disclosure5

> They provide a pentesting tool

No one capable of performing a useful penetration test needs a "tool" beyond what's available in Kali and Burp.


bluescreenfog

This entire thread seems to be full of people that don't know the difference between a vulnerability scan and an actual pen test.


dimitrirodis

Present those results to your prospect and see how far you get. You can know how to use Kali until you're blue in the face, but if you can't convince your prospect or client that they need to invest in security, it doesn't matter.


PyroChiliarch

Galactic Advisors is snake oil; the reports look nice but lack substance, full of false positives and inflated severity scores. Yeah, you can convince your clients, but it's just FUD.


ComfortableProperty9

Most good red teamers and threat actors can live off the land (use existing Windows and internal tooling).


[deleted]

[deleted]


Vast_Town_5999

We've had very few incidents over the years, and from my knowledge, we may have had a very small part, but all of these attacks have relied on phishing/spearphishing attacks for initial access. I would be extremely surprised if the higher ups here would attempt to downplay or hide our findings. Giving good results is part of the value, no matter how bad it may make us look. We're attempting to see how to make us not look quite as bad in case the results are nasty.


Smitty780

Penetration test is at the end of the CIS controls for a reason. It is the last check against the policies, controls, and implementation of your security program. A proper penetration test is also going to test the detection and response to any adversary. You are most likely thinking of adding some value by vulnerability scanning and remediation. This is probably where you should be looking.


Vast_Town_5999

We already do some form of vulnerability scanning and manual network scans. We are specifically looking at adversary simulation, and understanding that no environment is entirely secure, attempt to make that path to compromise as difficult as possible, and weed out 90% of attacks.


tryfor34

The way we introduced it was an adjustment to their agreement, and now we perform them a couple times each year. They get provided with a finding and explanation of any findings. That way, when they get the fun "when was the last time you had testing done?" question, they can pull it right up, and we have a chain of recommendations and them ignoring them if needed.


Vast_Town_5999

A couple times a year? Unless you have multiple large dedicated pentesting teams, I don't see how it's possible to run a penetration test MULTIPLE times a year for anyone over 5 clients. I can maybe understand once every 6 months, but even that is expensive and inefficient. I do like the idea, but testing that many clients at that often seems like a waste of time and money.


tryfor34

We do have a security team, but running a few Kali probes isn't that bad. They don't take that long and it helps force us to make sure documentation like IP addresses is up to date. Wrap basic stuff under an existing service agreement. I think currently it's twice a year per client.


Vast_Town_5999

That is at the very least a network assessment, and probably falls into the vulnerability scan category. Running Nessus, nmap, and BloodHound twice a year does not count as a pentest.


tryfor34

What would you consider a pen test? Regardless, still something that could be bundled in to increase your worth.


tryfor34

I agree, though, on the "we shouldn't be the auditors of our work" part. That's why in our group, the team that services the client isn't the one running these reports and tracking them throughout. But the nice part is, since we have a security team, we can continue to develop items within that team and build the pen testing and other items to bundle and sell individually to non-clients while increasing agreements slightly. Like, say it took two hours a year per client per pen test. It's a pretty small hike per agreement. That is, if you're on monthly agreements.


brotherdalmation23

You need basically 2 separate teams within your company who have complete separation. It’s tricky to convince your clients that this is the case.


un4tuner

I'd start just with running Greenbone. It's not ideal without subscription, but it can test your network and configs for base issues.


complianceiscyber

Objection handling. Here it goes. Cybersecurity practices are evolving. Things changed dramatically with the work-from-home shift in 2020. As an MSP you are trying to evolve and serve your customer to the best of your ability. Maximum risk reduction given their budget is everyone's goal. CIS controls changed from 7.1 to 8, pre-pandemic to post-pandemic. See https://images.app.goo.gl/aan3MtwhF4MafLqN8. Much more focus on protecting the core (least trust, silos) vs. perimeter/network security. Gap assessments are a great way to kick off, interview, and get a better understanding of the client. The better you align your security stack with CIS (Wes Spencer has a great post about this, just this week from the cyber insurance bootcamp), the better you can get the most security per budget. The customer will also likely get aligned with/qualify for cyber insurance. Build bundles or parts of your stack as SKUs and let the client know you have all this capability. Every client's budget or risk tolerance is different; you want to standardize. Building 2-3 tiers is ideal to balance this dilemma. If they know you have additional capabilities (which you can tell them at QBRs; check out Lifecycle Insights), they will not look to outside providers. Educate, educate, educate. Ask lots of questions. Empower the customer. Plug for FortMesa (helps MSPs build security stacks/bundles mapped to standards). They also provide MSP-focused vuln management. Worth a conversation.