SANS Platform Review: Continuous Attack Surface Discovery and Penetration Testing with BreachLock

Written by Dave Shackleford, Senior SANS Instructor

Introduction

It’s an accepted fact today that most mature security organizations assess their exposed attack surface and perform regular penetration testing with internal teams, consultants, or both. However, in today’s environment of fast-moving technology change and complex on-premises and cloud infrastructure, keeping pace with which assets are deployed and exposed, or performing pen tests regularly, can be challenging, and there are several reasons for this. First, most teams rely on vulnerability scanning to locate assets and potential avenues of exploitation, and scanners can be disruptive and produce many false positives to weed through. This doesn’t mean we will stop relying on vulnerability scanners, but their usefulness for attack surface discovery and management, or for comprehensive pen testing, is limited. Second, in the realm of vulnerability management, a manual pen test is always a “point in time” exercise, and its findings lose value as the environment changes over time.

Fortunately, new technologies are emerging that provide automated attack modeling with more consistent, repeatable pen tests mimicking real-world attack techniques. Security teams need to perform more continuous validation of assets, both to satisfy compliance requirements and to keep pace with rapidly changing on-premises and cloud environments. On top of the staffing and time constraints we see at SANS around pen testing and continuous monitoring, it is difficult to track newly announced vulnerabilities, exploits and attacks released in the wild, and attacker techniques that change regularly.

SANS had the opportunity to review the BreachLock platform, focusing on both penetration-testing-as-a-service (PTaaS) and attack surface management (ASM). Both of these platforms are offered in a SaaS format to facilitate simple startup and execution, as well as integration into numerous other technologies. The BreachLock team set us up with a review environment that included a full account on both the ASM and PTaaS platforms, some sample configured scans, and a range of targets to explore. As SaaS offerings, getting started with both of these was incredibly simple, and we were able to jump in and explore the review environment immediately.

PTaaS

The first product we reviewed was the BreachLock penetration-testing-as-a-service (PTaaS) platform, offered in a SaaS format. There are several key benefits to the platform:

  • Simple deployment: For internal network penetration tests, BreachLock manages deployment of the internal foothold within the client’s environment. From that foothold, the penetration tester performs all attacks inside the environment and only needs to communicate with the SaaS service for coordination, updates, and reporting of vulnerabilities.
  • Exploitation verification: BreachLock performs actual exploitation techniques with real-world tools and tactics, ensuring that any vulnerability exploited is fully verified to cut down on false positives. What differentiates BreachLock is enhanced AI-based asset and vulnerability analysis coupled with live penetration testing teams that assess findings.
  • Flexible asset scanning and reporting: BreachLock offers robust scanning capabilities for both network ports and services, as well as web applications and interfaces. Reporting options are simple to configure for compliance-specific needs (such as PCI DSS, SOC 2 and other compliance frameworks) and various industry frameworks such as NIST, Council of Registered Ethical Security Testers (CREST), Open Source Security Testing Methodology Manual (OSSTMM), and Open Web Application Security Project (OWASP).

Our review found many useful and beneficial features that security operations teams can make use of to perform more consistent, well-documented, and continuous penetration tests. First was the ease-of-use within the user interface. Security teams can kick off a penetration test within minutes by following a simple series of steps that include adding scope (IP addresses and ranges, web applications, etc.) and specific exclusions and/or types of testing. Templates are available for quick execution, too.

The initial dashboard we viewed was the “Overview” dashboard, which provides a real-time view of the progress of any pen tests scheduled, underway, or completed (see Figure 1).

Screenshot of pentest overview section of the BreachLock platform.

This dashboard shows that a web application test and external network assessment have completed. One important thing to note is that BreachLock works a bit differently from many of the other PTaaS platforms on the market. Live pen testing consultants are involved with your account and can help to start scans, assess vulnerabilities, and validate findings or retest results. In this case, the BreachLock team kicked off the testing for us, leaving us to assess the results. We were also able to perform scheduled retests ourselves once the initial testing was performed, which was simple and required no additional interaction with the pen testing team at BreachLock.

We first visited the main dashboard, showing our account and the overall results from the pen testing service. In Figure 2 you can see the targeted assets, risk scoring, and trends (as applicable and reportable). In this case, we didn’t patch anything for reassessment, so there aren’t any trends to show there.

Screenshot of the BreachLock platform's PTaaS Dashboard from SANS Product Review.

You can easily configure whether to use an invasive or non-invasive set of test modules for all types of testing. All scans and tests can be configured to run manually (immediate scans) or daily/weekly/monthly/quarterly/yearly as needed or desired. See Figure 3 for a simple configuration for scanning.

Screenshot of the "Edit Scan" feature of the BreachLock Platform from SANS Platform Review

We started our evaluation with the external network scanning capabilities. This can be configured for individual assets or IP addresses. We scanned two web-facing assets, as shown in Figure 4.

Screenshot of assets being tested in BreachLock Platform for SANS Platform Review

Similar to the main dashboard viewed earlier, the external network scanning dashboard broke down vulnerabilities, risk levels, and patching status detected during the scans (see Figure 5).

Screenshot of full BreachLock PTaaS dashboard from SANS platform review

We could easily view the breakdown of detected vulnerabilities from this dashboard or the dedicated “Vulnerabilities” link, and any of these can easily be marked as false positives or retested for validation in a single click (see Figure 6).

Screenshot of vulnerability details from SANS Platform Review of the BreachLock Platform

In addition, these vulnerability results can be exported to CSV or XLS files in seconds.

We then evaluated the web application scanner, which offers a wide variety of testing plugins as well. In our test configuration, we opted for the non-invasive option for scanning, and we could tune and tailor the plugins easily for this model (see Figure 7).

Screenshot of the web scanning plugin on the BreachLock Platform from SANS Platform Review

As with the external network scanning vulnerabilities, we could easily get to the issues discovered through the main dashboard or a separate vulnerabilities dashboard, and each vulnerability provided a sound amount of data to validate the issue, investigate more details in the community, and accurately determine the risk (see Figure 8).

Screenshot of vulnerability details from the BreachLock platform for PTaaS

Proofs of concept (PoCs) are included with all testing results, demonstrating the impact of a vulnerability or exploit within the system. Each PoC includes comprehensive details along with remediation recommendations to help with prioritization, such as:

  • ID number and name (for tracking purposes)
  • Description of vulnerability
  • Risk score (low, medium, high, critical)
  • CVSS score and vector
  • Assets impacted
  • Proof of concept with detailed asset information and exploit impact
  • Remediation recommendations

All scans and penetration tests can be scheduled easily, and reports are available immediately in PDF format. Customers can also easily generate a “security badge” for their site(s) that can be added into the HTML code of the site to let visitors know that regular BreachLock testing is performed (see Figure 9).

Screenshot of Security Badge generation feature BreachLock Platform - SANS Review

Likewise, a security certificate suitable for printing and handing to auditors, regulators, customers, and so on can easily be generated in the portal (see Figure 10).

Screenshot of BreachLock penetration testing certificate

One of the features we found useful in the BreachLock PTaaS platform is the built-in ticketing system. Tickets can be created very quickly, with priority ranking, category information (troubleshooting, vulnerabilities, issue validation, etc.), and organization. These tickets are reviewed by the BreachLock project management team and penetration testers to assist customers with any issues or requests, and they can also be used to align different groups internally (Security, DevOps, etc.). An example of ticket detail is shown in Figure 11.

Screenshot of BreachLock PTaaS Ticketing System from SANS Platform Review

Although we didn’t specifically test this capability, BreachLock does have a number of integration partners (Jira, Okta, Trello, Jenkins, and Slack), plus an open RESTful API that can be integrated with other applications and services. The native integrations and notification capability let you tune which alerts are sent to an end user, to an IT Service Management (ITSM) platform, or to the other integrated platforms, filtered by vulnerability type and risk level; alerts can be sent via email as well. New users and groups within an organization are also easy to set up with just a few clicks.

ASM

BreachLock’s attack surface management (ASM) platform gives security teams continuous visibility and intelligence into systems, services, and applications exposed on the internet. Security operations teams can proactively and continuously scan their internet-facing footprint with ASM to discover and protect a real-time asset inventory (known and unknown assets) and highlight the vulnerabilities on each asset that threat actors can see online. It gives you real-time visibility into critical risks and exposures you may not have been aware of before.

We started, as always, with the main dashboard—this shows us assets, vulnerabilities, the overall risk score, and additional information like data breach exposure (if detected), credential breaches, and more (see Figure 12).

BreachLock Platform ASM Dashboard Screenshot

It was also easy to see the different assets discovered in the “Asset Discovery” dashboard. For each asset, you can see whether domain discovery scanning and/or data breach scanning has been performed (the B and D icons next to each asset), or web scans for subdomains and network scans for IP addresses or blocks. Each asset can also have IP and DNS details added easily, and assets that are discovered can also be flagged as false positives to remove them from the inventory for scanning and security evaluation (see Figure 13).

BreachLock Platform ASM Asset Discovery and Inventory feature screenshot.

Running scans on assets is simple—you can add an asset manually or have it discovered automatically (in an IP block or as a subdomain). To add an asset, click “Add Asset” and then choose domains, subdomains, or IP addresses (bulk asset imports are also supported through a file upload), as shown in Figure 14.

Screenshot showing how to add assets manually for ASM scans in the BreachLock Platform.

Simply checking an asset and clicking “Run Scan” then allows you to run scans on domain discovery or data breaches (covered in just a moment), and to run the scan immediately or on a schedule. This is shown in Figure 15.

Screenshot showing how to run an asset scan in the BreachLock platform for ASM from the SANS platform review.

Within each domain we have listed, subdomain scans can also be initiated to run “black box” assessments (with no additional information, leading to more time spent on discovery), authenticated scans using basic authentication with a username and password, or login-sequence authentication through a JSON file recorded with a BreachLock Chrome plugin (see Figure 16). Similarly, IP addresses discovered for assets can be scanned as well (see Figure 17).

Screenshot of subdomain web scan and network scanning features in the BreachLock Platform.

For organizations that want to automate scans on assets regularly, scan schedules can be managed and edited in the “Scan Schedule” category of the platform, which allows admins to pause or delete scheduled scans quickly (see Figure 18).

Screenshot showing the scheduled asset scans in the BreachLock platform.

One of the unique features BreachLock offers is a strong artificial intelligence (AI) engine that processes vulnerability data as well as identified accounts and possible credentials that could be exposed. This contributes to the “Data Breach” category of reporting, which can be immensely useful if an account has been compromised or seen in a data breach elsewhere. In addition, the BreachLock team is continually scouring the dark web to look for evidence of exposure and breaches that are correlated with scanning and assessment results. Our test scenario did not include any of these, but the dashboard would definitely be valuable for organizations to monitor (see Figure 19).

Screenshot of data breach overview in the BreachLock Platform for ASM from SANS platform review.

Similar to the scanning vulnerability dashboards we observed in the PTaaS platform, the ASM vulnerability breakdown is simple to read and can be clicked for additional details, as shown in Figure 20.

Screenshot of the vulnerability reporting feature in the BreachLock Platform.

A more detailed vulnerability explanation is shown in Figure 21, which includes details about assets impacted, CVSS scores and vectors, and detailed proof-of-concept output that serves to demonstrate the impact of a security vulnerability or exploit within the system, from the assessments performed.

Screenshot of vulnerability details in the BreachLock platform for ASM.

All ASM activities are recorded in an Activities Log, which helps keep tabs on what users have done with specific assets (see Figure 22).

Screenshot showing BreachLock ASM activity log in the BreachLock platform - SANS Review

By drilling down into a specific asset, organizations can see a breakdown of vulnerabilities and activity information, seen in Figure 23.

Screenshot of the asset details overview in the BreachLock Platform

In addition, you can track exactly what times activities occurred, as shown in Figure 24 for a network scan.

Screenshot of BreachLock ASM Activity Timing Log from SANS Platform Review

All assets (both manual and automatic discovery) are listed in the Asset Inventory section of the platform for quick analysis and configuration. Assets can be grouped, deactivated, or deleted here (see Figure 25).

BreachLock Overall Asset Inventory in ASM from SANS Platform Review

Asset groups can be defined by domain, subdomain, or IP, too (see Figure 26).

Screenshot of asset grouping feature in the BreachLock Platform for ASM from SANS Platform Review

Finally, the ASM platform creates excellent automated reports that can be exported as CSV or PDF files. These reports summarize all the details from the various dashboards noted above. The Reports screen is shown in Figure 27.

Screenshot of ASM Reports feature in the BreachLock Platform from SANS Platform Review

Reports can be generated for ASM information as well as network and web-centric automated penetration tests. Single and aggregate assets can be selected for report generation, which may help to streamline report output. Help and support information was readily available within the platform, too.

Additional BreachLock Services

Although we didn’t test them explicitly during this review, one of the key differentiators for BreachLock is its range of enterprise managed services. The packages available differ by use case and applicability to each organization. (Smaller organizations may simply need compliance validation, whereas larger organizations may need help with Red Team operations, incident response, and more.) A basic breakdown of the service packages available is listed below:

Package A: 1-Time Security Validation:

Suitable for point-in-time security assessments

Common use cases:

Package B: Annual Security Validation:

Suitable for annual comprehensive security assessment coverage

Common use cases:

  • Compliance (SOC 2, PCI DSS, ISO 27001, HIPAA, GDPR, NIST)
  • Internal security policies
  • Annual assessments
  • Production assets and security (SDLC)

Package C: Continuous Security Validation:

Suitable for companies with high testing workloads requiring fast and painless assessments

Common use cases:

  • High-volume, recurring application testing
  • Continuous security posture management
  • Consolidating assessment vendors
  • Incident response (post-breach and need to assess attack pathways)

As mentioned earlier, having a variety of actual managed services with human expertise involved is a key differentiator for offensive security services like PTaaS and ASM. Although automation, simple coordination, and monitoring are integral to improving visibility and security posture overall, having hands-on expertise available to assist with vulnerability assessments, validation, and even response efforts can ease the operational capacity gaps we see at SANS in many organizations of all types and sizes.

Conclusion

After reviewing the BreachLock platform, we determined that there is a lot to love for busy security professionals. The platform excels in ease-of-use, and both PTaaS and ASM products offer a simple, integrated, easy-to-deploy asset/vulnerability discovery and pen testing platform that can help organizations perform tests more frequently, with more control and consistency than ever before. With the addition of intelligent vulnerability assessment and reporting models driven by machine learning and AI, along with actual human professional services aligned with the platforms and customer interactions and requests, these types of services will definitely make sense for organizations of many types and varied sizes to consider.

Author

Dave Shackleford

Senior Instructor, SANS Institute
