
Run an Insider Threat Pentest

You can deploy NodeZero to validate your organization's security posture against insider threats.

How to Run an Insider Threat Pentest

1. Navigate to Pentests to Run an Insider Threat Pentest

Once you've established a NodeZero Host that meets the requirements, navigate to Pentests to start an insider threat pentest.


2. Click + Run Pentest

Click + Run Pentest to open the Test Categories screen, then select "Insider Threat Testing" from the "Operational Scenario Testing" category.


3. Configure the Insider Threat Pentest

3.1 Name the Insider Threat Pentest

Name the Insider Threat Pentest and select a pentest template.

Pro-tip: Naming scheme

Determine and follow a naming convention to allow you to quickly find a pentest from your pentest list.

An example: [date]|[library]|[NodeZero Src]|[scope]

2021-09-01|NodeZero|East-Coast-Bizops|Full: This indicates that the NodeZero host was placed in the East Coast Bizops network and the scope was the entire enterprise.


3.2 Select a Scope

The pentest scope is a set of IPs and/or subnets (in CIDR notation) that you want NodeZero to test.

Depending on where your NodeZero host is deployed, reachability to the provided scope can be affected by how much privilege, access, and authentication NodeZero can capture or is given.

Unlike vulnerability tools that scan for device fingerprints and services, NodeZero enumerates devices in scope and then chains together context, exploitable vulnerabilities, misconfiguration, insecure or weak controls, and any data or loot that it captures, to identify attack paths by priority of impact while providing proof. Typically, the larger the scope, the more findings you'll see, as NodeZero has much more to chain together.

There are three options for the Include section (defined below):

  • Intelligent Scope
  • Full RFC 1918 (192.168.0.0/16, 172.16.10.0/24, 10.0.0.0/8)
  • Custom IP(s) or Subnet(s)
    • Auto-expand (Optional)

If you are running NodeZero in a more complex environment, we recommend setting the scope to cover as many subnets as possible. Be sure to ask your Network Administrator for a list of CIDR-annotated subnets.

The Exclude section stops NodeZero from scanning or exploiting a set of IPs or subnets. The IPs within this section may be discovered by NodeZero via various techniques within the pentest, but NodeZero will not touch them. They may show up in the Out of Scope list within the pentest results. Note that this parameter also requires CIDR notation.

Additional CIDR notation reference and calculator app:

Intelligent Scope - Uses the IP of the NodeZero Host you are deploying the test from, enumerates the /16 subnet that IP belongs to, and tests against it. NodeZero then moves into /23 subnets to continue identifying other potential assets in its vicinity, and repeats the cycle until it can't see additional devices. The blast radius varies depending on the level of privilege and access NodeZero captures or is given.

Pro-tip: Intelligent Scope

Great for scenario testing - what can an attacker see and do from the position of my NodeZero host?

Full RFC 1918 (192.168.0.0/16, 172.16.10.0/24, 10.0.0.0/8) - The most thorough approach as it explicitly instructs NodeZero to attempt to enumerate and test every IP in the private IP range.

Pro-tip: Full RFC 1918

Great for ensuring complete coverage - what exists in my infrastructure today and what are its priorities from an attacker's perspective?

Custom IP(s) or Subnet(s) - Provide any IP(s) or subnet(s) in CIDR notation for NodeZero to test from its position. The option to auto-expand allows NodeZero to include in its test any additional devices that it's able to enumerate. While NodeZero can be scoped to single IPs, it's recommended to cast wider nets to maximize coverage and identify potential vulnerabilities across the network more effectively.

Pro-tip: Custom IP(s) or Subnet(s)

Great for testing small scopes and validating controls - what could an attacker chain together in the scope of focus and, if auto-expand is turned on, how could they pivot out to other segments?
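Before pasting Include/Exclude entries into the scope form, it helps to sanity-check them the way NodeZero will read them: every entry must be CIDR, an exclude that no include covers is usually a typo, and the host count tells you how large the blast radius really is. The helper below is an added example written for this page (not NodeZero code); it assumes IPv4 only, uses constructed sample lists, and defines the RFC 1918 ranges as the RFC itself does (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). It also computes the /16 and /23 blocks that the Intelligent Scope description above starts from.

```python
"""Scope sanity checks for an Include/Exclude list in CIDR notation.
Hypothetical helper, not part of NodeZero; IPv4 only."""
import ipaddress
from typing import List, Tuple

# RFC 1918 private ranges as the RFC defines them (172.16.0.0/12 contains 172.16.10.0/24).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample scope: one typo, one bare IP, one exclude outside every include.
INCLUDE = ["10.20.0.0/16", "192.168.50.0/24", "10.20.5.7", "not-a-cidr"]
EXCLUDE = ["10.20.99.0/24", "10.30.0.0/24"]


def parse_cidrs(entries: List[str]) -> Tuple[List[ipaddress.IPv4Network], List[str]]:
    """Return (valid networks, rejected strings). A bare IP becomes a /32."""
    good, bad = [], []
    for entry in entries:
        try:
            good.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            bad.append(entry)
    return good, bad


def stray_excludes(include, exclude):
    """Excludes covered by no include: harmless to the test, but usually a typo."""
    return [x for x in exclude if not any(x.subnet_of(i) for i in include)]


def non_private(include):
    """Included networks that fall outside RFC 1918 address space."""
    return [i for i in include if not any(i.subnet_of(r) for r in RFC1918)]


def effective_host_count(include, exclude) -> int:
    """Addresses the test may touch: collapsed includes minus excluded addresses."""
    inc = list(ipaddress.collapse_addresses(include))  # disjoint, overlaps merged
    exc = list(ipaddress.collapse_addresses(exclude))
    removed = sum(x.num_addresses if x.subnet_of(i) else i.num_addresses if i.subnet_of(x) else 0
                  for i in inc for x in exc)
    return sum(i.num_addresses for i in inc) - removed


def intelligent_scope_seed(host_ip: str):
    """Intelligent Scope starting point as described: the host's /16, split into /23 blocks."""
    block16 = ipaddress.ip_network(f"{host_ip}/16", strict=False)
    return block16, list(block16.subnets(new_prefix=23))


if __name__ == "__main__":
    inc, rejected = parse_cidrs(INCLUDE)
    exc, _ = parse_cidrs(EXCLUDE)
    print("rejected:", rejected, "stray excludes:", stray_excludes(inc, exc))
    print("non-private:", non_private(inc), "hosts in play:", effective_host_count(inc, exc))
```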


When satisfied with your scope, scroll down.

3.3 Insider Threat Credential

Inject any user credential to simulate an insider threat scenario from their perspective - whether privileged or not. This required step helps identify vulnerabilities or weaknesses visible from the NodeZero host using the injected credential, caused by exploitability of accessible applications, human error, misconfigurations, or limitations in existing security tools. We recommend using a NodeZero host deployed in a position on the infrastructure that the user of the injected credential would start from.


3.4 AWS Accounts

Optionally add AWS accounts here. All cloud resources under these accounts will be treated as in scope.


3.5 Open Source Intelligence

Optionally add Domains, Company Names, Weak Password Terms, or Git accounts.


3.6 Tripwires

If your organization has purchased Tripwires, use this option to allow NodeZero permission to drop tokens in exploitable assets during the pentest. No more than 100 tripwires will be deployed per test.


3.7 Advanced Configuration Options

Select the types of services and vulnerabilities NodeZero will attempt to enumerate and exploit.


3.8 Auto-Injected Credentials

Configure credentials to be auto-injected into the test by a NodeZero Runner.


3.9 Runner

Use a NodeZero Runner to automatically deploy NodeZero on your Docker host.


3.10 Review the Insider Threat Pentest Configuration

Once satisfied with your pentest selections, check the box to indicate you've reviewed all advanced configuration settings. Then click Run Pentest to generate your curl script to launch your pentest.


4. Deploy NodeZero

While your pentest provisions and the ephemeral architecture is being spun up, copy and paste the one-time use bash script into your chosen NodeZero Host. If you selected a Runner, you can skip this step and NodeZero will automatically deploy the test once it's ready.


The Real-Time View then appears; from there you can Inject Credentials and monitor pentest progress.


You've started an Insider Threat Pentest

NodeZero sends an email once the Pentest completes.

Tip

NodeZero can also run pentests from an authenticated perspective. Go to the Real-Time View and Inject Credentials to see the impact an attacker would have by leveraging compromised credentials!